A Simple Model Checker for CTL

1 / 20

A Simple Model Checker for CTL - PowerPoint PPT Presentation

A Simple Model Checker for CTL. (Lecture Notes from Marcello Bonsangue, LIACS - Leiden University http://www.liacs.nl/~marcello/). The problem. We need efficient algorithms to solve the problems [1] M,s  [2] M,s  where M should have finitely many states,

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

PowerPoint Slideshow about ' A Simple Model Checker for CTL' - hamish-preston

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

A SimpleModel Checker for CTL

(Lecture Notes from

Marcello Bonsangue, LIACS - Leiden University

http://www.liacs.nl/~marcello/)

The problem
• We need efficient algorithms to solve the problems

[1] M,s 

[2] M,s 

where M should have finitely many states,

and  is a CTL formula.

• We concentrate to solution of [2], as [1] can be easily derived from it.

?

?

The solution
• Input:A CTL model M and CTL formula 
• Output: The set of states of M which satisfy 
• Basic principles:
• Translate any CTL formula  in terms of the connectives AF,EU,EX, ,, and .
• Label the states of M with sub-formulas of  that are satisfied there, starting from the smallest sub-formulas and working outwards towards 
• Output the states labeled by 
The labelling
• An immediatesub-formula of a formula  is any maximal-length formula y other than  itself
• Let y be a sub-formula of  and assume the states of M have been already labeled by all immediate sub-formulas of y.

Which states have to be labeled by y?

We proceed by case analysis

The basic labeling
• no states are labeled
• p label a state s with p if p  l(s)
• y1y2 label a state s with y1y2 if s is already labeled with both y1 and y2
• y label a state s with y if s is not already labeled with y
The AF labeling
• AFy 1. Label with AFy any state s already labeled with y

2. Repeat until no change: label any state s with AFy if all successors of s are already labeled with Afy

repeat

AFy

AFy

AFy

AFy

AFy

AFy

AFy

… until no change

The EU labeling
• E[y1Uy2] 1. Label with E[y1Uy2] any state s already labeled with y2

2. Repeat until no change: label any state s with E[y1Uy2] if it is labeled with y1 and at least one of its successor is already labeled with E[y1Uy2]

repeat

E[y1Uy2]

E[y1Uy2]

y1

E[y1Uy2]

y1

… until no change

The EX labeling
• EXy Label with EXy any state s with one of its successors already labeled with y

y

y

EXy

The EG labeling (direct)
• EGy 1. Label all the states with EGy

2. Delete the label EGy from any state s not labeled with y

3. Repeat until no change: delete the label Egy from any state s if none f its successors is labeled with EGy

repeat

y

EGy

y

EGy

EGy

y

EGy

y

EGy

… until no change

Complexity

The complexity of the model checking algorithm is

O(f*V*(V+E))

where f = number of connectives in 

V = number of states of M

E = number of transitions of M

It can be easily improved to an

algorithm linear both in the size of the formula and of the model

Example: Input

p

q

p

q

 = AF(E[q U p] v EXq)

Example: EU - step 1

P

E[qUp]

q

P

E[qUp]

q

1. Label with E[qUp] all states which satisfy p

Example: EU-step 2.1

E[qUp]

P

E[qUp]

q

E[qUp]

P

E[qUp]

q

2.1 label any state s with E[qUp] if it is labeled with q and at least one of its successor is already labeled with E[qUp]

Example: EU-step 2.2

E[qUp]

E[qUp]

P

E[qUp]

q

E[qUp]

P

E[qUp]

q

No!

2.2 label any state s with E[qUp] if it is labeled with q and at least one of its successor is already labeled with E[qUp]

Example: EX-step 3

E[qUp]

EXq

E[qUp]

q

EXq

P

E[qUp]

EXq

E[qUp]

P

E[qUp]

q

3. Label with EXq any state s with one of its successors already labeled with q

Example: -step 4

E[qUp]

EXq

E[qUp]

EXq

E[qUp]

P,

E[qUp]

,q

EXq

,P

E[qUp]

q

4. Label with  = E[qUp] v EXq any state s already labeled with E[qUp] or EXq

Example: AF-step 5.1

f,

E[qUp]

f,

EXq

f,

E[qUp]

f,

EXq

f,

E[qUp]

P,f,

E[qUp]

f,,q

EXq

f,,P

E[qUp]

q

5.1. Label with f= AF(E[qUp]vEXq) any state already labeled with = E[qUp]vEXq

Example: AF-step 5.2

f,

E[qUp]

f,

EXq

f,

E[qUp]

f,

EXq

f,

E[qUp]

P,f,

E[qUp]

f,,q

EXq

f,,P

E[qUp]

f,q

5.2. label any state s with f if all successors of s are already labeled with f

Example: Output

p

q

p

q

All states satisfy AF(E[q U p] v EXq)

State explosion
• The algorithm is linear in the size of the model but the size of the model is exponential in the number of variables, components, etc.

Can we reduce state explosion?

• Abstraction (what is relevant?)
• Induction (for ‘similar’ components)
• Composition (divide and conquer)
• Reduction (prove semantic equivalence)
• Ordered binary decision diagrams