CTL Model Checking

Sayan MitraVerifying cyberphysical systems

mitras@illinois.edu

Verification thus far: Invariants and safety

Given a hybrid automaton 𝒜 = ⟨𝑋, Θ, 𝐴,𝓓, 𝑻⟩ and a candidate invariant 𝐼 ⊆ 𝑣𝑎𝑙(𝑋) we can check whether 𝐼 is an inductive invariant.

In which case 𝑅𝑒𝑎𝑐ℎ𝒜 Θ ⊆ 𝐼

Given an unsafe set 𝑈 ⊆ 𝑣𝑎𝑙(𝑋) we can check whether 𝐼 ∩ 𝑈 = ∅ to infer that 𝑅𝑒𝑎𝑐ℎ𝒜 Θ ∩ 𝑈 = ∅

Lecture Slides by Sayan Mitra mitras@illinois.edu

What about more general types of requirements, e.g.,

“Eventually the light turns red and prior to that the orange light blinks”

“After failures, eventually there is just one token in the system”

How to express and verify such properties?

Outline

• Temporal logics• Computational Tree Logic (CTL)

• CTL model checking• Setup• CTL syntax and semantics• Model checking algorithms• Example

• References: Model Checking, Second Edition, by Edmund M. Clarke, Jr., Orna Grumberg, Daniel Kroening, Doron Peled and Helmut Veith

• Principles of Model Checking, by Christel Baier and Joost-Pieter Katoen

Introduction to temporal logicsTemporal logics give a formal language for representing, and reasoning about, propositions qualified in terms of time or in a sequence

Amir Pnueli received the ACM Turing Award (1996) for seminal work introducing temporal logic into computer science and for outstanding contributions to program and systems verification.

Large follow-up literature, e.g., different temporal logics MTL, MITL, PCTL, ACTL, STL, applications in synthesis and monitoring

Setup: States are labeled

We have a set of atomic propositions (AP)

These are the properties that hold in each state, e.g., “light is green”, “has 2 tokens”

We have a labeling function that assigns to each state, a set of propositions that hold at that state

𝐿: 𝑄 → 2>?

Notations

Automata with state labels but no action labels

𝒜 = 𝑄,𝑄@, 𝑇, 𝐿

Executions (have no actions) 𝛼 = 𝑞@ 𝑞D …𝑞F = 𝛼. 𝑙𝑠𝑡𝑎𝑡𝑒

𝛼[𝑖] = 𝑞M𝐸𝑥𝑒𝑐𝒜 set of all executions

𝐴𝑃 = 𝑎, 𝑏, 𝑐

𝐿 𝑞@ = {𝑎, 𝑏}

𝑞@{𝑎, 𝑏}

𝑞D{𝑏, 𝑐}

𝑞T{𝑐}

Computational tree logic (CTL)

Unfolding the automaton

We get a tree

A CTL formula allows us to specify subsets of paths in this tree

𝑞@{𝑎, 𝑏}

𝑞D{𝑏, 𝑐}

𝑞T{𝑐}

{𝑎, 𝑏}

{𝑏, 𝑐} {𝑐}

{𝑎, 𝑏} {𝑐} {𝑐}

{𝑏, 𝑐} {𝑐} {𝑐} {𝑐}Lecture Slides by Sayan Mitra mitras@illinois.edu

CTL quantifiers

Path quantifiersE: Exists some pathA: All paths

Temporal operatorsX: Next stateU: UntilF: EventuallyG: Globally (Always)

CTL syntaxCTL syntax𝑆𝑡𝑎𝑡𝑒 𝐹𝑜𝑟𝑚𝑢𝑙𝑎 𝑆𝐹 ∷= 𝑡𝑟𝑢𝑒 𝑝 ¬𝑓D 𝑓D ∧ 𝑓T 𝐸 𝜙 | 𝐴 𝜙𝑃𝑎𝑡ℎ 𝐹𝑜𝑟𝑚𝑢𝑙𝑎 𝑃𝐹 ∷= 𝑋𝑓D 𝑓D𝑈 𝑓T 𝐺𝑓D| 𝐹 𝑓D

where 𝑝 ∈ 𝐴𝑃, 𝑓D, 𝑓T ∈ 𝑆𝐹, 𝜙 ∈ 𝑃𝐹

Depth of formula: number of production rules used

Examples (depth)E𝑋 𝑎; AXE𝑋 𝑎; AXE𝑋𝑎 U b; AG AF green; AF AG single tokenDepth 3, 5, …

Non-examplesAX𝑋 𝑎; path and state operators must alternate in CTL

CTL semanticsGiven automaton 𝒜 = 𝑄,Q@, 𝑇, 𝐿 , 𝑞 ∈ 𝑄 and a CTL formula 𝜙, 𝑞 ⊨ 𝜙denotes that 𝑞 satisfies 𝜙; 𝛼 ⊨ 𝜙 denotes that path (execution) 𝛼 satisfies 𝜙.The relation ⊨ is defined inductively as:

𝒜, 𝑞 ⊨ 𝑝 ⇔ 𝑝 ∈ 𝐿(𝑞) for 𝑝 ∈ 𝐴𝑃𝒜, 𝑞 ⊨ ¬𝑓D ⇔ 𝒜, 𝑞 ⊨ 𝑓D𝒜, 𝑞 ⊨ 𝑓D ∧ 𝑓T ⇔ 𝒜, 𝑞 ⊨ 𝑓D ∧ 𝒜, 𝑞 ⊨ 𝑓T𝒜, 𝑞 ⊨ 𝐸𝜙 ⇔ ∃ 𝛼, 𝛼. 𝑓𝑠𝑡𝑎𝑡𝑒 = 𝑞,𝒜, 𝛼 ⊨ 𝜙𝒜, 𝑞 ⊨ 𝐴𝜙 ⇔ ∀ 𝛼, 𝛼. 𝑓𝑠𝑡𝑎𝑡𝑒 = 𝑞,𝒜, 𝛼 ⊨ 𝜙𝒜, 𝑞 ⊨ 𝑋𝑓 ⇔ 𝒜, 𝛼 1 ⊨ 𝑓𝒜, 𝛼 ⊨ 𝑓D 𝑈 𝑓T ⇔ ∃𝑖 ≥ 0,𝒜, 𝛼 𝑖 ⊨ 𝑓T 𝑎𝑛𝑑 ∀𝑗 < 𝑖 𝛼 𝑗 ⊨ 𝑓D𝒜, 𝛼 ⊨ 𝐹 𝑓D ⇔ ∃𝑖 ≥ 0,𝒜, 𝛼 𝑖 ⊨ 𝑓D𝒜, 𝛼 ⊨ 𝐺 𝑓D ⇔ ∀𝑖 ≥ 0,𝒜, 𝛼 𝑖 ⊨ 𝑓D

Automaton satisfies property: 𝒜 ⊨ 𝑓 iff ∀𝑞 ∈ 𝑄@,𝒜, 𝑞 ⊨ 𝑓Lecture Slides by Sayan Mitra mitras@illinois.edu

Universal CTL operators𝑿,𝑼, 𝑮 can be used to derive other operators

𝑡𝑟𝑢𝑒 𝑈 𝑓 ≡ 𝐹 𝑓

𝐺𝑓 ≡ ¬𝐹(¬𝑓)

All ten combinations can be expressed using 𝑬𝑿, 𝑬𝑼, 𝑬𝑮

𝐴𝑋𝑓 𝐴𝐺𝑓 𝐴𝐹𝑓 𝐴𝑈𝑓 𝐴𝑅𝑓¬𝐸𝑋(¬𝑓) ¬𝐸𝐹(¬𝑓) ¬𝐸𝐺(¬𝑓)

𝐸𝑋 𝐸𝐺 𝐸𝐹 𝐸𝑈 𝐸𝑅𝐸𝑋 𝐸𝐺 𝐸(𝑡𝑟𝑢𝑒 𝑈 𝑓) 𝐸𝑈

Visualizing semantics

𝑞 𝑞

𝑞𝑞

𝑞 ⊨ 𝐴𝐺 𝑟𝑒𝑑

𝑞 ⊨ 𝐸𝐺 𝑟𝑒𝑑

𝑞 ⊨ 𝐴𝐹 𝑟𝑒𝑑

𝑞 ⊨ 𝐸𝐹 𝑟𝑒𝑑

Algorithm for deciding 𝒜 ⊨ 𝑓

Algorithm works by structural induction on the depth of the formula

Explicit state model checking

Compute the subset 𝑄� ⊆ 𝑄 such that ∀𝑞 ∈ 𝑄� 𝑤𝑒 ℎ𝑎𝑣𝑒 𝒜, q ⊨ 𝑓

If 𝑄@⊆ 𝑄� then we can conclude 𝒜 ⊨ 𝑓

Induction on depth of formula

Algorithm computes a function 𝑙𝑎𝑏𝑒𝑙: 𝑄 → 𝐶𝑇𝐿(𝐴𝑃) that labels each state with a CTL formula

• Initially, 𝑙𝑎𝑏𝑒𝑙 𝑞 = 𝐿(𝑞) for each 𝑞 ∈ Q

• At 𝑖�� iteration 𝑙𝑎𝑏𝑒𝑙(𝑞) contains all sub-formulas of 𝑓 of depth (𝑖 − 1) that 𝑞satisfies

At termination 𝑓 ∈ 𝑙𝑎𝑏𝑒𝑙 𝑞 ⇔ 𝒜, 𝑞 ⊨ 𝑓

Structural induction on formulaSix cases to consider based on structure of 𝑓

𝑓 = 𝑝, for some 𝑝 ∈ 𝐴𝑃, ∀𝑞, 𝑙𝑎𝑏𝑒𝑙 𝑞 ≔ 𝑙𝑎𝑏𝑒𝑙 𝑞 ∪ 𝑓𝑓 = ¬𝑓D if 𝑓D ∉ 𝑙𝑎𝑏𝑒𝑙(𝑞) then 𝑙𝑎𝑏𝑒𝑙 𝑞 ≔ 𝑙𝑎𝑏𝑒𝑙 𝑞 ∪ 𝑓𝑓 = 𝑓D ∧ 𝑓T if 𝑓D, 𝑓T ∈ 𝑙𝑎𝑏𝑒𝑙(𝑞) then 𝑙𝑎𝑏𝑒𝑙 𝑞 ≔ 𝑙𝑎𝑏𝑒𝑙 𝑞 ∪ 𝑓𝑓 = 𝐸𝑋𝑓D if ∃𝑞� ∈ Q such that 𝑞, 𝑞� ∈ 𝑇 and 𝑓D ∈ 𝑙𝑎𝑏𝑒𝑙 𝑞� then 𝑙𝑎𝑏𝑒𝑙 𝑞 ≔ 𝑙𝑎𝑏𝑒𝑙 𝑞 ∪ 𝑓

𝑓 = 𝐸 𝑓D𝑈𝑓T 𝐶ℎ𝑒𝑐𝑘𝐸𝑈(𝑓D, 𝑓T, 𝑄, 𝑇, 𝐿) [next slide]𝑓 = 𝐸𝐺𝑓D 𝐶ℎ𝑒𝑐𝑘𝐸𝐺(𝑓D, 𝑄, 𝑇, 𝐿) [next slide]

𝐶ℎ𝑒𝑐𝑘𝐸𝑈(𝑓D, 𝑓T, 𝑄, 𝑇, 𝐿)Let 𝑆 = 𝑞 ∈ 𝑄 𝑓T ∈ 𝑙𝑎𝑏𝑒𝑙(𝑞)}for each 𝑞 ∈ 𝑆𝑙𝑎𝑏𝑒𝑙 𝑞 ≔ 𝑙𝑎𝑏𝑒𝑙 𝑞 ∪ {𝐸[𝑓D𝑈𝑓T]}

while 𝑆 ≠ ∅for each 𝑞′ ∈ 𝑆𝑆 ≔ 𝑆 ∖ 𝑞�

for each 𝑞 ∈ 𝑇�D(𝑞�)if 𝑓D ∈ 𝑙𝑎𝑏𝑒𝑙(𝑞) then 𝑙𝑎𝑏𝑒𝑙 𝑞 ≔ 𝑙𝑎𝑏𝑒𝑙 𝑞 ∪ {𝐸[𝑓D𝑈𝑓T]}

𝑆 ≔ 𝑆 ∪ {𝑞}

Proposition. For any state 𝑙𝑎𝑏𝑒𝑙 𝑞 ∋ 𝐸[𝑓D𝑈𝑓T] iff 𝑞 ⊨ 𝐸[𝑓D𝑈𝑓T].

Proposition. Finite 𝑄 therefore terminates and in 𝑂 𝑄 + 𝑇 steps.

𝐶ℎ𝑒𝑐𝑘𝐸𝐺(𝑓D, 𝑄, 𝑇, 𝐿)

From 𝒜 we construct a new automaton 𝒜� = ⟨𝑄�, 𝑇�, 𝐿�⟩ such that

𝑄� = 𝑞 ∈ 𝑄 𝑓D ∈ 𝑙𝑎𝑏𝑒𝑙 𝑞 }

𝑇� = 𝑞D, 𝑞T ∈ 𝑇 𝑞D ∈ 𝑄�} = 𝑇 | 𝑄�

𝐿�: 𝑄� → 2>? ∀ 𝑞� ∈ 𝑄�, 𝐿� 𝑞� : = 𝐿 𝑞�

Claim. 𝒜, q ⊨ 𝐸𝐺𝑓D iff(1) 𝑞 ∈ 𝑄�(2) ∃𝛼 ∈ 𝐸𝑥𝑒𝑐𝑠𝒜� with 𝛼. 𝑓𝑠𝑡𝑎𝑡𝑒 = 𝑞 and 𝛼. 𝑙𝑠𝑡𝑎𝑡𝑒 is in a nontrivial Strongly Connected

Components 𝐶 of the graph ⟨𝑄�, 𝑇�⟩

Claim. 𝒜, q ⊨ 𝐸𝐺𝑓D iff(1) 𝑞 ∈ 𝑄� and(2) ∃𝛼 ∈ 𝐸𝑥𝑒𝑐𝑠𝒜� with 𝛼. 𝑓𝑠𝑡𝑎𝑡𝑒 = 𝑞 and 𝛼. 𝑙𝑠𝑡𝑎𝑡𝑒 is in a nontrivial SCC 𝐶 of the

graph 𝑄�, 𝑇�

Proof. Suppose 𝒜, q ⊨ 𝐸𝐺𝑓DConsider any execution 𝛼 with 𝛼. 𝑓𝑠𝑡𝑎𝑡𝑒 = 𝑞. Obviously, 𝑞 ⊨ 𝑓D and so, 𝑞 ∈ 𝑄�.Since 𝑄 is finite 𝛼 can be written as 𝛼 = 𝛼@𝛼D where 𝛼@ is finite and every state in 𝛼Drepeats infinitely many times. Let 𝐶 be the states in 𝛼D. 𝐶 ∈ 𝑄�.Consider any two 𝑞D and 𝑞T states in 𝐶, we observe that 𝑞D ⇄ 𝑞T, and therefore 𝐶 is a SCC.

Consider (1) and (2). We will construct a path 𝛼 = 𝛼@𝛼D such that 𝛼@. 𝑓𝑠𝑡𝑎𝑡𝑒 = 𝑞 and 𝛼@ ∈ 𝑄�and 𝛼Dvisits some states infinitely often.

𝐶ℎ𝑒𝑐𝑘𝐸𝐺(𝑓D, 𝑄, 𝑇, 𝐿)Let 𝑄′ = 𝑞 ∈ 𝑄 𝑓D ∈ 𝑙𝑎𝑏𝑒𝑙(𝑞)}Let ℂ be the set of nontrivial SCCs of ⟨𝑄�, 𝑇�⟩𝑻 = ∪� ∈ ℂ 𝑞 𝑞 ∈ 𝐶}for each 𝑞 ∈ 𝑻𝑙𝑎𝑏𝑒𝑙 𝑞 ≔ 𝑙𝑎𝑏𝑒𝑙 𝑞 ∪ {𝐸𝐺𝑓D}

while 𝑻 ≠ ∅for each 𝑞′ ∈ 𝑻𝑻 ≔ 𝑻 ∖ 𝑞�

for each 𝑞′ ∈ 𝑄� such that 𝑞�, 𝑞 ∈ 𝑇′if E𝐺𝑓D ∉ 𝑙𝑎𝑏𝑒𝑙(𝑞′) then 𝑙𝑎𝑏𝑒𝑙 𝑞′ ≔ 𝑙𝑎𝑏𝑒𝑙 𝑞� ∪ {𝐸𝐺𝑓D}

𝑻 ≔ 𝑻 ∪ {𝑞}

Proposition. For any state 𝑙𝑎𝑏𝑒𝑙 𝑞 ∋ 𝐸𝐺𝑓D iff 𝑞 ⊨ 𝐸𝐺𝑓D.

Proposition. Finite 𝑄 therefore terminates and in 𝑂 𝑄 + 𝑇 steps.Lecture Slides by Sayan Mitra mitras@illinois.edu

Summary

𝑓 = 𝑝, for some 𝑝 ∈ 𝐴𝑃, ∀𝑞, 𝑙𝑎𝑏𝑒𝑙 𝑞 ≔ 𝑙𝑎𝑏𝑒𝑙 𝑞 ∪ {𝑝}𝑓 = ¬𝑓D if 𝑓D ∉ 𝑙𝑎𝑏𝑒𝑙(𝑞) then 𝑙𝑎𝑏𝑒𝑙 𝑞 ≔ 𝑙𝑎𝑏𝑒𝑙 𝑞 ∪ 𝑓𝑓 = 𝑓D ∧ 𝑓T if 𝑓D, 𝑓T ∈ 𝑙𝑎𝑏𝑒𝑙(𝑞) then 𝑙𝑎𝑏𝑒𝑙 𝑞 ≔ 𝑙𝑎𝑏𝑒𝑙 𝑞 ∪ 𝑓𝑓 = 𝐸𝑋𝑓D if ∃𝑞� ∈ Q such that 𝑞, 𝑞� ∈ 𝑇 and 𝑓D ∈ 𝑙𝑎𝑏𝑒𝑙 𝑞�

then 𝑙𝑎𝑏𝑒𝑙 𝑞 ≔ 𝑙𝑎𝑏𝑒𝑙 𝑞 ∪ 𝑓𝑓 = 𝐸 𝑓D𝑈𝑓T 𝐶ℎ𝑒𝑐𝑘𝐸𝑈(𝑓D, 𝑓T, 𝑄, 𝑇, 𝐿)𝑓 = 𝐸𝐺𝑓D 𝐶ℎ𝑒𝑐𝑘𝐸𝐺(𝑓D, 𝑄, 𝑇, 𝐿)

Explicit model checking algorithm input𝒜 ⊨ 𝑓?Structural induction over CTL formula

Proposition. Overall complexity of CTL model checkign 𝑂( 𝑓 𝑄 + 𝑇 ) steps.

1!Start!Close!Heat !Error

2Start

!Close!Heat Error

3! StartClose!Heat !Error

4!StartCloseHeat !Error

6StartClose!Heat !Error

5StartClose!Heat Error

7StartCloseHeat !Error

Start oven Open door

Close doorOpen door

Start oven

Warmup

Start cookingReset

Open door

Close door

2Start

!Close!Heat Error

Close doorOpen door

Start oven

Warmup

Start cookingReset

Open door

Close door

AG (Start -> AF Heat)

2Start

!Close!Heat Error

Close doorOpen door

Start oven

Warmup

Start cookingReset

Open door

Close door

! EF (Start ∧ EG ! Heat)

! [True EU (Start ∧ EG ! Heat)]

2Start

!Close!Heat Error

Close doorOpen door

Start oven

Warmup

Start cookingReset

Open door

Close door

! EF (Start ∧ EG ! Heat)

! [True EU (Start ∧ EG ! Heat)]

2Start

!Close!Heat Error

Close doorOpen door

Start oven

Warmup

Start cookingReset

Open door

Close door

! EF (Start ∧ EG ! Heat)Start, ! HeatEG ! Heat

Nontrivial SCC of ! Heat

2Start

!Close!Heat Error

Close doorOpen door

Start oven

Warmup

Start cookingReset

Open door

Close door

Set of states that can reach nnontrivial SCC of ! Heat

EG ! Heat

Start ∧ EG ! Heat

2Start

!Close!Heat Error

Close doorOpen door

Start oven

Warmup

Start cookingReset

Open door

Close door

EG ! Heat

Start ∧ EG ! Heat

2Start

!Close!Heat Error

Close doorOpen door

Start oven

Warmup

Start cookingReset

Open door

Close door

EG ! Heat

Start ∧ EG ! Heat

EF (Start ∧ EG ! Heat)

2Start

!Close!Heat Error

Close doorOpen door

Start oven

Warmup

Start cookingReset

Open door

Close door

EG ! Heat

Start ∧ EG ! Heat

2Start

!Close!Heat Error

Close doorOpen door

Start oven

Warmup

Start cookingReset

Open door

Close door

EG ! Heat

Start ∧ EG ! Heat

EF (Start ∧ EG ! Heat)EF (Start ∧ EG ! Heat)

Set of states that can reach Start ∧ EG ! Heat

2Start

!Close!Heat Error

Close doorOpen door

Start oven

Warmup

Start cookingReset

Open door

Close door

EG ! Heat

Start ∧ EG ! Heat

EF (Start ∧ EG ! Heat)EF (Start ∧ EG ! Heat)

None of the states are labeled with ! EF (Start ∧ EG ! Heat)

CTL Model Checking - sayanmitracode.github.io

Transcript of CTL Model Checking - sayanmitracode.github.io

CTL Model Checking - sayanmitracode.github.io

Documents

Transcript of CTL Model Checking - sayanmitracode.github.io

A new linear algorithm for checking a graph for 3-edge-connectivity

LTL Software Model Checking in CPAchecker · 2021. 1. 21. · Spec Parser & Results CFA Builder CEGAR Algorithm CPA Algorithm DCA CPA Location CPA Callstack CPA Predicate CPA Func.Pt.

ECBS 2013 SMT-Bounded Model Checking of C++ Programs · 2021. 1. 25. · Bounded Model Checking (BMC) Idea: check negation of given property up to given depth. . . M0 M1 M2 Mk-1 Mk

ME 304 CONTROL SYSTEMSusers.metu.edu.tr/unlusoy/ME304_ColorSlides/Ch4_Stability.pdfROUTH’S STABILITY CRITERION The first step in checking the stability of a system using RouthRouth

Model Airplane Plan Downloaded From Aerofred...Modern Vintage and Old-Timers Model Airplanes Plans Keywords old-timer, vintage model airplane, rc airplane plans, aerofred rc model

Model Aljabar

Monte Carlo Model Checking Radu Grosu SUNY at Stony Brook Joint work with Scott A. Smolka.

SOAR Model: Levels ofSOAR Model: Levels of β …

Q 6 SERVICE MANUAL E Model Australian Model Tourist · PDF fileE Model Australian Model Tourist Model SERVICE MANUAL FM STEREO/FM-AM RECEIVER MICROFILM SPECIFICATIONS ... 150 + 150

Lecture 4. Checking Model Adequacy - Purdue University

Multi-Valued Symbolic Model-Checkingsme/papers/2003/TOSEM-mvmodelchecking.pdf · Combining these ideas yields a clean extension of the theory of classical model-checking, applicable

Branching Processes of High-Level Petri Nets and Model Checking of Mobile Systems

CTL Equine Infectious Anemia Virus-Specific Recognition of Gag ...

Compiler support for lightweight concurrencymoby.cs.uchicago.edu/papers/2002/tm-lightweight-concur.pdfperform runtime checking to avoid executing buggy code: it assumes that the language

Checking univariate normality Normal probability plots ...

model distribusi.pdf

Multi-Valued Symbolic Model-Checkingsme/papers/2003/TOSEM-mvmodelchecking.pdf · Multi-Valued Symbolic Model-Checking MARSHA CHECHIK, BENET DEVEREUX, STEVE EASTERBROOK AND ARIE GURFINKEL

Model Checking Business Processesib249/research/BCTCS06.Ioannis.Baltopoulos.pdf · Introduction Theoretical Background WS-BPEL Language Concepts Translations Introduction The Business

MZ-E60 - minidisc.org€¦ · MZ-E60 SERVICE MANUAL PORTABLE MINIDISC PLAYER SPECIFICATIONS US Model Canadian Model AEP Model E Model System Audio playing system MiniDisc digital

Randomized, controlled trial of TNF-α antagonist in CTL ...