CTL Model Checking

CTL Model Checking Prof. P.H. Schmitt <ul style="display: flex;"><li style="flex:1">Institut fur Theoretische Informatik </li><li style="flex:1">¨</li></ul><ul style="display: flex;"><li style="flex:1">Fakultat fur Informatik </li><li style="flex:1">¨</li><li style="flex:1">¨</li></ul><ul style="display: flex;"><li style="flex:1">Universitat Karlsruhe (TH) </li><li style="flex:1">¨</li></ul>Formal Systems II <ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">1 / 26 </li></ul>Fixed Point Theory <ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">2 / 26 </li></ul>Fixed Points Definition Definition Let f : P(G) → P(G) be a set valued function and Z a subset of G. 1. Z is called a fixed point of f if f(Z) = Z . 2. Z is called the least fixed point of f is Z is a fixed point and for all other fixed points U of f the relation Z ⊆ U is true. 3. Z is called the greatest fixed point of f is Z is a fixed point and for all other fixed points U of f the relation U ⊆ Z is true. <ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">3 / 26 </li></ul>Finite Fixed Point Lemma Let G be an arbitrary set, Let P(G) denote the power set of a set G. A function f : P(G) → P(G) is called monotone of for all X, Y ⊆ G X ⊆ Y ⇒ f(X) ⊆ f(Y ) Let f : P(G) → P(G) be a monotone function on a finite set G. 1. There is a least and a greatest fixed point of f. S2. n≥1 fn(∅) is the least fixed point of f. T3. n≥1 fn(G) is the greatest fixed point of f. <ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">4 / 26 </li></ul>Proof of part (2) of the finite fixed point Lemma Monotonicity of f yields ∅ ⊆ f(∅) ⊆ f2(∅) ⊆ . . . ⊆ fn(∅) ⊆ . . . Since G is finite there must be an i such that fi(∅) = fi+1(∅). SThen Z = n≥1 fn(∅) = fi(∅) is a fixed point of f: f(Z) = f(fi(∅)) = fi+1(∅) = fi(∅) = Z Let U be another fixed point of f. From ∅ ⊆ U be infer by monotonicity of f at first f(∅) ⊆ f(U) = U. By induction on n we conclude fn(∅) ⊆ U for all n. Thus also Z = fi(∅) ⊆ U. <ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">5 / 26 </li></ul>Continuous Functions Definition A function f : P(G) → P(G) is called 1. ∪-continuous (upward continuous), if for every ascending sequence M1 ⊆ M2 ⊆ . . . ⊆ Mn ⊆ . . . <ul style="display: flex;"><li style="flex:1">[</li><li style="flex:1">[</li></ul><ul style="display: flex;"><li style="flex:1">f( </li><li style="flex:1">Mn) = </li><li style="flex:1">f(Mn) </li></ul><ul style="display: flex;"><li style="flex:1">n≥1 </li><li style="flex:1">n≥1 </li></ul>2. ∩-continuous (downward continuous) , if for every descending sequence M1 ⊇ M2 ⊇ . . . ⊇ Mn ⊇ . . . <ul style="display: flex;"><li style="flex:1">\</li><li style="flex:1">\</li></ul><ul style="display: flex;"><li style="flex:1">f( </li><li style="flex:1">Mn) = </li><li style="flex:1">f(Mn) </li></ul><ul style="display: flex;"><li style="flex:1">n≥1 </li><li style="flex:1">n≥1 </li></ul><ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">6 / 26 </li></ul>Fixed Points For Continuous Functions Let f : P(G) → P(G) be an upward continuous functions and g : P(G) → P(G) a downward continuous function. The for all M, N ∈ P(G) such that M ⊆ f(M) and g(N) ⊆ N the following is true. S1. n≥1 fn(M) is the least fixed point of f containing M, T2. n≥1 gn(M) is the greatest fixed point of g contained in M. <ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">7 / 26 </li></ul>Proof of (1) By monotonicity we first obtain M ⊆ f(M) ⊆ f2(M) ⊆ . . . ⊆ fn(M) ⊆ . . . Let P = n≥1 fn(M). This immediately gives M ⊆ P. Furthermore S Sf(P) = f( n≥1 fn(M)) Sn+1 === P f(M) by continuity since f(M) ⊆ f2(M) n≥1 Sn≥1 fn(M) Assume now that Q is another fixed point of f satisfying M ⊆ Q. By Monotonicity and the fixed point property f(M) ⊆ f(Q) = Q and furthermore for every n ≥ 1 also fn(M) ⊆ Q. SThus we obtain P = n≥1 fn(M) ⊆ Q <ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">8 / 26 </li></ul>Knaster-Tarski-Fixed-Points Theorem Let f : P(G) → P(G) be a monotone function. Then f has a least and a greatest fixed point. Note, G need not be finite. <ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">9 / 26 </li></ul>Proof Fixed Point Let L = {S ⊆ G | f(S) ⊆ S}, e.g., G ∈ L. TLet U = L. Show f(U) = U! For all S ∈ L by the property of an intersection: U ⊆ S. By monotonicity and definition of L f(U) ⊆ f(S) ⊆ S. TThus f(U) ⊆ L = U and we have already established half of our claim. By monotonicity f(U) ⊆ U implies f(f(U)) ⊆ f(U) which yields f(U) ∈ L and futhermore U ⊆ f(U). We thus have indeed U = f(U). <ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">10 / 26 </li></ul>Proof Least Fixed Point Now assume W is another fixed point of f,i.e., f(W) = W. This yields W ∈ L= {S ⊆ G | f(S) ⊆ S} and TU = L ⊆ W. Thus U is the least fixed point of f. Following the same line of argument one can show that S{S ⊆ G | S ⊆ f(S)} is the greatest fixed point of f. <ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">11 / 26 </li></ul>CTL Model Checking Algorithm <ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">12 / 26 </li></ul>Two Auxiliary Concepts Let T = (S, R, v) be a transition system and F an CTL formula. The set τ(F) = {s ∈ S | s |= F} is called the characteristic region of F in T . The universal and existential next step functions fAX, fEX : P(S) → P(S) are defined by fAX(Z) = {s ∈ S | for all t with sRt we get t ∈ Z} fEX(Z) = {s ∈ S | there exists a t with sRt and t ∈ Z} <ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">13 / 26 </li></ul>CTL Model Checking Algorithm Let T = (S, R, v) be a transition system and F an CTL formula. τ(F) is computed by the following high-level recursive algorithm: 123456789τ(p) =========={s ∈ S | v(s, p) = 1} τ(F1) ∩ τ)F2) τ(F1 ∧ F2) τ(F1 ∨ F2) τ(¬F1) τ(F1) ∪ τ(F2) S \ τ(F1) τ(A(F1 U F2)) τ(E(F1 U F2)) τ(AFF1) τ(EFF1) lfp[τ(F2) ∪ (τ(F1) ∩ fAX(Z))] lfp[τ(F2) ∪ (τ(F1) ∩ fEX(Z)] lfp[τ(F1) ∪ fAX(Z)] lfp[τ(F1) ∪ fEX(Z)] gfp[τ(F1) ∩ fEX(Z)] gfp[τ(F1) ∩ fAX(Z)] τ(EGF1) 10 τ(AGF1) <ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">14 / 26 </li></ul>Correctness Proof Case 10 AG F1 By definition τ(AG F1) = {s ∈ S | s ∈ τ(F1) and h ∈ τ(AG F1) for all h with gRh} Using Definition of the universal next step function: τ(AG F1) = τ(F1) ∩ fAX(τ(AG F1)) So, τ(AG F1) is a fixed point of the function τ(F1) ∩ fAX(Z). It remains to see that it is the greatest fixed point. <ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">15 / 26 </li></ul>Correctness Proof Case 10 AG F1 (continued) Let H be another fixed point, i.e., H = τ(F1) ∩ fAX(H). We need to show H ⊆ τ(AG F1)). Consider g0 ∈ H with the aim of showing that for all n ≥ 0 and all gi satisfying gi−1Rgi for all 1 ≤ i ≤ n we obtain gn ∈ τ(F1). Observe H = τ(F1) ∩ fAX(H) ⊆ τ(F1). Thus it suffices to show for all n ≥ 0 that gn ∈ H. For n = 0 that is true by assumptions. Assume gn−1 ∈ H. gn−1 ∈ H ⊆ fAX(H) = {g | for all h with gRh we have h ∈ H}. Thus gn ∈ H. <ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">16 / 26 </li></ul>Correctness Proof Case 6 E(F1 U F2) By definition τ(E(F1 U F2)) = {g ∈ S | s |= F2 or s |= F1 and there exists h with gRh and h |= F2} Using next step function: τ(E(F1 U F2)) = τ(F2) ∪ (τ(F1) ∩ fEX(τ(E(F1 U F2))) Thus τ(E(F1 U F2)) is a fixed point of the function τ(F2) ∪ (τ(F1) ∩ fEX(Z)). It remains to show that it is the least fixed point. <ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">17 / 26 </li></ul>Correctness Proof Case 6 E(F1 U F2) (continued) Consider H ⊆ S with H = τ(F2) ∪ (τ(F1) ∩ fEX(H)). We need τ(E(F1 U F2)) ⊆ H. Fix g0 ∈ τ(E(F1 U F2)), try to arrive at g0 ∈ H. There is an n ∈ N and there are gi for 1 ≤ i ≤ n satisfying 1. giRgi+1 for all 0 ≤ i < n. 2. gn ∈ τ(F2). 3. gi ∈ τ(F1) for all 0 ≤ i < n. We set out to prove gn ∈ H by induction on n. n = 0 Since H = τ(F2) ∪ (τ(F1) ∩ fEX(H)) ⊇ τ(F2) and g0 = gn ∈ τ(F2). n − 1 Ã n By induction hypothesis we have g1 ∈ H Since g0 ∈ τ(F1) and g0Rg1 we obtain g0 ∈ (τ(F1) ∩ fEX(H)) ⊆ H and thus also g0 ∈ H. <ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">18 / 26 </li></ul>CTL Model Checking Example <ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">19 / 26 </li></ul>Transition System s0 n1n2 <ul style="display: flex;"><li style="flex:1">s1 </li><li style="flex:1">s5 </li><li style="flex:1">n1t2 </li><li style="flex:1">t1n2 </li></ul><ul style="display: flex;"><li style="flex:1">s3 </li><li style="flex:1">s8 </li></ul><ul style="display: flex;"><li style="flex:1">s2 c1n2 </li><li style="flex:1">n1c2 s6 </li><li style="flex:1">t1t2 </li><li style="flex:1">t1t2 </li></ul><ul style="display: flex;"><li style="flex:1">s4 </li><li style="flex:1">s7 </li></ul><ul style="display: flex;"><li style="flex:1">t1c2 </li><li style="flex:1">c1t2 </li></ul><ul style="display: flex;"><li style="flex:1">Prof. P.H. Schmitt </li><li style="flex:1">CTLMC </li></ul><ul style="display: flex;"><li style="flex:1">Summer 2009 </li><li style="flex:1">20 / 26 </li></ul>

CTL Model Checking

Details

Download

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

Support