1 / 20

# A Simple Model Checker for CTL - PowerPoint PPT Presentation

A Simple Model Checker for CTL. (Lecture Notes from Marcello Bonsangue, LIACS - Leiden University http://www.liacs.nl/~marcello/). The problem. We need efficient algorithms to solve the problems [1] M,s  [2] M,s  where M should have finitely many states,

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about ' A Simple Model Checker for CTL' - hamish-preston

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### A SimpleModel Checker for CTL

(Lecture Notes from

Marcello Bonsangue, LIACS - Leiden University

http://www.liacs.nl/~marcello/)

• We need efficient algorithms to solve the problems

[1] M,s 

[2] M,s 

where M should have finitely many states,

and  is a CTL formula.

• We concentrate to solution of [2], as [1] can be easily derived from it.

?

?

• Input:A CTL model M and CTL formula 

• Output: The set of states of M which satisfy 

• Basic principles:

• Translate any CTL formula  in terms of the connectives AF,EU,EX, ,, and .

• Label the states of M with sub-formulas of  that are satisfied there, starting from the smallest sub-formulas and working outwards towards 

• Output the states labeled by 

• An immediatesub-formula of a formula  is any maximal-length formula y other than  itself

• Let y be a sub-formula of  and assume the states of M have been already labeled by all immediate sub-formulas of y.

Which states have to be labeled by y?

We proceed by case analysis

• no states are labeled

• p label a state s with p if p  l(s)

• y1y2 label a state s with y1y2 if s is already labeled with both y1 and y2

• y label a state s with y if s is not already labeled with y

• AFy 1. Label with AFy any state s already labeled with y

2. Repeat until no change: label any state s with AFy if all successors of s are already labeled with Afy

repeat

AFy

AFy

AFy

AFy

AFy

AFy

AFy

… until no change

• E[y1Uy2] 1. Label with E[y1Uy2] any state s already labeled with y2

2. Repeat until no change: label any state s with E[y1Uy2] if it is labeled with y1 and at least one of its successor is already labeled with E[y1Uy2]

repeat

E[y1Uy2]

E[y1Uy2]

y1

E[y1Uy2]

y1

… until no change

• EXy Label with EXy any state s with one of its successors already labeled with y

y

y

EXy

• EGy 1. Label all the states with EGy

2. Delete the label EGy from any state s not labeled with y

3. Repeat until no change: delete the label Egy from any state s if none f its successors is labeled with EGy

repeat

y

EGy

y

EGy

EGy

y

EGy

y

EGy

… until no change

The complexity of the model checking algorithm is

O(f*V*(V+E))

where f = number of connectives in 

V = number of states of M

E = number of transitions of M

It can be easily improved to an

algorithm linear both in the size of the formula and of the model

p

q

p

q

 = AF(E[q U p] v EXq)

P

E[qUp]

q

P

E[qUp]

q

1. Label with E[qUp] all states which satisfy p

E[qUp]

P

E[qUp]

q

E[qUp]

P

E[qUp]

q

2.1 label any state s with E[qUp] if it is labeled with q and at least one of its successor is already labeled with E[qUp]

E[qUp]

E[qUp]

P

E[qUp]

q

E[qUp]

P

E[qUp]

q

No!

2.2 label any state s with E[qUp] if it is labeled with q and at least one of its successor is already labeled with E[qUp]

E[qUp]

EXq

E[qUp]

q

EXq

P

E[qUp]

EXq

E[qUp]

P

E[qUp]

q

3. Label with EXq any state s with one of its successors already labeled with q

Example: -step 4

E[qUp]

EXq

E[qUp]

EXq

E[qUp]

P,

E[qUp]

,q

EXq

,P

E[qUp]

q

4. Label with  = E[qUp] v EXq any state s already labeled with E[qUp] or EXq

Example: AF-step 5.1

f,

E[qUp]

f,

EXq

f,

E[qUp]

f,

EXq

f,

E[qUp]

P,f,

E[qUp]

f,,q

EXq

f,,P

E[qUp]

q

5.1. Label with f= AF(E[qUp]vEXq) any state already labeled with = E[qUp]vEXq

Example: AF-step 5.2

f,

E[qUp]

f,

EXq

f,

E[qUp]

f,

EXq

f,

E[qUp]

P,f,

E[qUp]

f,,q

EXq

f,,P

E[qUp]

f,q

5.2. label any state s with f if all successors of s are already labeled with f

p

q

p

q

All states satisfy AF(E[q U p] v EXq)

• The algorithm is linear in the size of the model but the size of the model is exponential in the number of variables, components, etc.

Can we reduce state explosion?

• Abstraction (what is relevant?)

• Induction (for ‘similar’ components)

• Composition (divide and conquer)

• Reduction (prove semantic equivalence)

• Ordered binary decision diagrams