CTL Model Checking Prof. P.H. Schmitt Institut fur¨ Theoretische Informatik Fakult¨at fur¨ Informatik Universit¨at Karlsruhe (TH) Formal Systems II Prof. P.H. Schmitt CTLMC Summer 2009 1 / 26 Fixed Point Theory Prof. P.H. Schmitt CTLMC Summer 2009 2 / 26 Fixed Points Definition Definition Let f : P(G) → P(G) be a set valued function and Z a subset of G. 1. Z is called a fixed point of f if f(Z) = Z . 2. Z is called the least fixed point of f is Z is a fixed point and for all other fixed points U of f the relation Z ⊆ U is true. 3. Z is called the greatest fixed point of f is Z is a fixed point and for all other fixed points U of f the relation U ⊆ Z is true. Prof. P.H. Schmitt CTLMC Summer 2009 3 / 26 Finite Fixed Point Lemma Let G be an arbitrary set, Let P(G) denote the power set of a set G. A function f : P(G) → P(G) is called monotone of for all X, Y ⊆ G X ⊆ Y ⇒ f(X) ⊆ f(Y ) Let f : P(G) → P(G) be a monotone function on a finite set G. 1. There is a least and a greatest fixed point of f. S n 2. n≥1 f (∅) is the least fixed point of f. T n 3. n≥1 f (G) is the greatest fixed point of f. Prof. P.H. Schmitt CTLMC Summer 2009 4 / 26 Proof of part (2) of the finite fixed point Lemma Monotonicity of f yields ∅ ⊆ f(∅) ⊆ f 2(∅) ⊆ ... ⊆ f n(∅) ⊆ ... Since G is finite there must be an i such that f i(∅) = f i+1(∅). S n i Then Z = n≥1 f (∅) = f (∅) is a fixed point of f: f(Z) = f(f i(∅)) = f i+1(∅) = f i(∅) = Z Let U be another fixed point of f. From ∅ ⊆ U be infer by monotonicity of f at first f(∅) ⊆ f(U) = U. By induction on n we conclude f n(∅) ⊆ U for all n. Thus also Z = f i(∅) ⊆ U. Prof. P.H. Schmitt CTLMC Summer 2009 5 / 26 Continuous Functions Definition A function f : P(G) → P(G) is called 1. ∪-continuous (upward continuous), if for every ascending sequence M1 ⊆ M2 ⊆ ... ⊆ Mn ⊆ ... [ [ f( Mn) = f(Mn) n≥1 n≥1 2. ∩-continuous (downward continuous) , if for every descending sequence M1 ⊇ M2 ⊇ ... ⊇ Mn ⊇ ... \ \ f( Mn) = f(Mn) n≥1 n≥1 Prof. P.H. Schmitt CTLMC Summer 2009 6 / 26 Fixed Points For Continuous Functions Let f : P(G) → P(G) be an upward continuous functions and g : P(G) → P(G) a downward continuous function. The for all M, N ∈ P(G) such that M ⊆ f(M) and g(N) ⊆ N the following is true. S n 1. n≥1 f (M) is the least fixed point of f containing M, T n 2. n≥1 g (M) is the greatest fixed point of g contained in M. Prof. P.H. Schmitt CTLMC Summer 2009 7 / 26 Proof of (1) By monotonicity we first obtain M ⊆ f(M) ⊆ f 2(M) ⊆ ... ⊆ f n(M) ⊆ ... S n Let P = n≥1 f (M). This immediately gives M ⊆ P . Furthermore S n f(P ) = f( n≥1 f (M)) S n+1 = n≥1 f (M) by continuity S n 2 = n≥1 f (M) since f(M) ⊆ f (M) = P Assume now that Q is another fixed point of f satisfying M ⊆ Q. By Monotonicity and the fixed point property f(M) ⊆ f(Q) = Q and furthermore for every n ≥ 1 also f n(M) ⊆ Q. S n Thus we obtain P = n≥1 f (M) ⊆ Q Prof. P.H. Schmitt CTLMC Summer 2009 8 / 26 Knaster-Tarski-Fixed-Points Theorem Let f : P(G) → P(G) be a monotone function. Then f has a least and a greatest fixed point. Note, G need not be finite. Prof. P.H. Schmitt CTLMC Summer 2009 9 / 26 Proof Fixed Point Let L = {S ⊆ G | f(S) ⊆ S}, e.g., G ∈ L. Let U = T L. Show f(U) = U! For all S ∈ L by the property of an intersection: U ⊆ S. By monotonicity and definition of L f(U) ⊆ f(S) ⊆ S. Thus f(U) ⊆ T L = U and we have already established half of our claim. By monotonicity f(U) ⊆ U implies f(f(U)) ⊆ f(U) which yields f(U) ∈ L and futhermore U ⊆ f(U). We thus have indeed U = f(U). Prof. P.H. Schmitt CTLMC Summer 2009 10 / 26 Proof Least Fixed Point Now assume W is another fixed point of f,i.e., f(W ) = W . This yields W ∈ L= {S ⊆ G | f(S) ⊆ S} and U = T L ⊆ W . Thus U is the least fixed point of f. Following the same line of argument one can show that S{S ⊆ G | S ⊆ f(S)} is the greatest fixed point of f. Prof. P.H. Schmitt CTLMC Summer 2009 11 / 26 CTL Model Checking Algorithm Prof. P.H. Schmitt CTLMC Summer 2009 12 / 26 Two Auxiliary Concepts Let T = (S, R, v) be a transition system and F an CTL formula. The set τ(F ) = {s ∈ S | s |= F } is called the characteristic region of F in T . The universal and existential next step functions fAX , fEX : P(S) → P(S) are defined by fAX (Z) = {s ∈ S | for all t with sRt we get t ∈ Z} fEX (Z) = {s ∈ S | there exists a t with sRt and t ∈ Z} Prof. P.H. Schmitt CTLMC Summer 2009 13 / 26 CTL Model Checking Algorithm Let T = (S, R, v) be a transition system and F an CTL formula. τ(F ) is computed by the following high-level recursive algorithm: 1 τ(p) = {s ∈ S | v(s, p) = 1} 2 τ(F1 ∧ F2) = τ(F1) ∩ τ)F2) 3 τ(F1 ∨ F2) = τ(F1) ∪ τ(F2) 4 τ(¬F1) = S \ τ(F1) 5 τ(A(F1 U F2)) = lfp[τ(F2) ∪ (τ(F1) ∩ fAX (Z))] 6 τ(E(F1 U F2)) = lfp[τ(F2) ∪ (τ(F1) ∩ fEX (Z)] 7 τ(AFF1) = lfp[τ(F1) ∪ fAX (Z)] 8 τ(EFF1) = lfp[τ(F1) ∪ fEX (Z)] 9 τ(EGF1) = gfp[τ(F1) ∩ fEX (Z)] 10 τ(AGF1) = gfp[τ(F1) ∩ fAX (Z)] Prof. P.H. Schmitt CTLMC Summer 2009 14 / 26 Correctness Proof Case 10 AG F1 By definition τ(AG F1) = {s ∈ S | s ∈ τ(F1) and h ∈ τ(AG F1) for all h with gRh} Using Definition of the universal next step function: τ(AG F1) = τ(F1) ∩ fAX (τ(AG F1)) So, τ(AG F1) is a fixed point of the function τ(F1) ∩ fAX (Z). It remains to see that it is the greatest fixed point. Prof. P.H. Schmitt CTLMC Summer 2009 15 / 26 Correctness Proof Case 10 AG F1 (continued) Let H be another fixed point, i.e., H = τ(F1) ∩ fAX (H). We need to show H ⊆ τ(AG F1)). Consider g0 ∈ H with the aim of showing that for all n ≥ 0 and all gi satisfying gi−1Rgi for all 1 ≤ i ≤ n we obtain gn ∈ τ(F1). Observe H = τ(F1) ∩ fAX (H) ⊆ τ(F1). Thus it suffices to show for all n ≥ 0 that gn ∈ H. For n = 0 that is true by assumptions. Assume gn−1 ∈ H. gn−1 ∈ H ⊆ fAX (H) = {g | for all h with gRh we have h ∈ H}. Thus gn ∈ H. Prof. P.H. Schmitt CTLMC Summer 2009 16 / 26 Correctness Proof Case 6 E(F1 UF2) By definition τ(E(F1 U F2)) = {g ∈ S | s |= F2 or s |= F1 and there exists h with gRh and h |= F2} Using next step function: τ(E(F1 U F2)) = τ(F2) ∪ (τ(F1) ∩ fEX (τ(E(F1 U F2))) Thus τ(E(F1 U F2)) is a fixed point of the function τ(F2) ∪ (τ(F1) ∩ fEX (Z)). It remains to show that it is the least fixed point. Prof. P.H. Schmitt CTLMC Summer 2009 17 / 26 Correctness Proof Case 6 E(F1 UF2) (continued) Consider H ⊆ S with H = τ(F2) ∪ (τ(F1) ∩ fEX (H)). We need τ(E(F1 U F2)) ⊆ H. Fix g0 ∈ τ(E(F1 U F2)), try to arrive at g0 ∈ H. There is an n ∈ N and there are gi for 1 ≤ i ≤ n satisfying 1. giRgi+1 for all 0 ≤ i < n. 2. gn ∈ τ(F2). 3. gi ∈ τ(F1) for all 0 ≤ i < n. We set out to prove gn ∈ H by induction on n. n = 0 Since H = τ(F2) ∪ (τ(F1) ∩ fEX (H)) ⊇ τ(F2) and g0 = gn ∈ τ(F2). n − 1 Ã n By induction hypothesis we have g1 ∈ H Since g0 ∈ τ(F1) and g0Rg1 we obtain g0 ∈ (τ(F1) ∩ fEX (H)) ⊆ H and thus also g0 ∈ H. Prof. P.H. Schmitt CTLMC Summer 2009 18 / 26 CTL Model Checking Example Prof. P.H. Schmitt CTLMC Summer 2009 19 / 26 Transition System s0 n1n2 s1 t1n2 n1t2 s5 s3 s8 s2 c1n2 t1t2 t1t2 n1c2 s6 s4 c1t2 s7 t1c2 Prof. P.H. Schmitt CTLMC Summer 2009 20 / 26 The Task s0 n1n2 0 1 2 3 4 5 6 7 8 s1 t1n2 n1t2 s5 N1 1 0 0 0 0 1 1 0 0 N2 1 1 1 0 0 0 0 0 0 T1 0 1 0 1 0 0 0 1 1 s3 s8 T2 0 0 0 1 1 1 0 0 1 s2 c1n2 t1t2 t1t2 n1c2 s6 C1 0 0 1 0 1 0 0 0 0 C2 0 0 0 0 0 0 1 1 0 Check if the following the formula is true in state 1.