A Simple Model Checker for CTL
The problem
- We need efficient algorithms to solve two problems: [1] deciding whether a given state s of M satisfies φ (the question "M, s ⊨ φ?"), and [2] computing the set of states of M that satisfy φ, where M has finitely many states and φ is a CTL formula.
- We concentrate on the solution of [2], as [1] can easily be derived from it.
The solution
- Input: a CTL model M and a CTL formula φ.
- Output: the set of states of M which satisfy φ.
- Basic principles:
  - Translate any CTL formula into one built only from the connectives AF, EU, EX, ⊥, ¬ and ∧.
  - Label the states of M with the sub-formulas of φ that are satisfied there, starting from the smallest sub-formulas and working outwards towards φ.
  - Output the states labeled by φ.
The labelling
- An immediate sub-formula of a formula φ is any maximal-length sub-formula ψ of φ other than φ itself.
- Let ψ be a sub-formula of φ and assume the states of M have already been labeled with all immediate sub-formulas of ψ. Which states have to be labeled with ψ? We proceed by case analysis.
The basic labeling
- ⊥: no states are labeled.
- p: label a state s with p if p ∈ L(s).
- ψ1 ∧ ψ2: label a state s with ψ1 ∧ ψ2 if s is already labeled with both ψ1 and ψ2.
- ¬ψ: label a state s with ¬ψ if s is not already labeled with ψ.
The AF labeling
- AFψ:
  1. Label with AFψ any state s already labeled with ψ.
  2. Repeat until no change: label any state s with AFψ if all successors of s are already labeled with AFψ.
The EU labeling
- E[ψ1 U ψ2]:
  1. Label with E[ψ1 U ψ2] any state s already labeled with ψ2.
  2. Repeat until no change: label any state s with E[ψ1 U ψ2] if it is labeled with ψ1 and at least one of its successors is already labeled with E[ψ1 U ψ2].
The EX labeling
- EXψ: label with EXψ any state s with one of its successors already labeled with ψ.
The EG labeling (direct)
- EGψ:
  1. Label all the states with EGψ.
  2. Delete the label EGψ from any state s not labeled with ψ.
  3. Repeat until no change: delete the label EGψ from any state s if none of its successors is labeled with EGψ.
Complexity
The complexity of the model checking algorithm is O(f · V · (V + E)), where
- f = number of connectives in φ
- V = number of states of M
- E = number of transitions of M
It can easily be improved to an algorithm linear in both the size of the formula and the size of the model.
Example: Input
A model M over the atomic propositions p and q (given in the slides as a state diagram) and the formula φ = AF(E[¬q U p] ∨ EXq).

Example: EU - step 1
1. Label with E[¬q U p] all states which satisfy p.

Example: EU - step 2.1
2.1. Label any state s with E[¬q U p] if it is labeled with ¬q and at least one of its successors is already labeled with E[¬q U p].

Example: EU - step 2.2
2.2. Apply the rule of step 2.1 again: the remaining candidate state does not qualify (No!), so there is no change and the labeling with E[¬q U p] is complete.

Example: EX - step 3
3. Label with EXq any state s with one of its successors already labeled with q.

Example: ∨ - step 4
4. Label with ψ = E[¬q U p] ∨ EXq any state s already labeled with E[¬q U p] or with EXq.

Example: AF - step 5.1
5.1. Label with φ = AF(E[¬q U p] ∨ EXq) any state already labeled with ψ = E[¬q U p] ∨ EXq.

Example: AF - step 5.2
5.2. Label any state s with φ if all successors of s are already labeled with φ.

Example: Output
All states of M satisfy AF(E[¬q U p] ∨ EXq).
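The labelling procedure of the preceding slides (the basic cases, AF, EU, EX and the direct EG rule) and the worked example above, as an added Python example that is not part of the original slides. The model below is a constructed 4-state Kripke structure, not the one drawn in the slides, so its result differs from the slides' output (one state fails φ); the state names, the tuple encoding of formulas, the cache that realises the bottom-up labelling, and the totality check on the transition relation are assumptions of this example.

```python
"""Labelling-algorithm CTL model checker over a small Kripke structure (added example).

Formulas are nested tuples whose head is one of:
"bot", "atom", "not", "and", "or", "EX", "AF", "EU", "EG".
"""
from __future__ import annotations

from typing import Callable, FrozenSet, Tuple

Formula = Tuple
StateSet = FrozenSet[str]


class KripkeModel:
    """Finite model M = (S, ->, L): states, successor relation, labelling function."""

    def __init__(self, succ: dict[str, set[str]], labels: dict[str, set[str]]):
        self.states: StateSet = frozenset(succ)
        self.succ = {s: frozenset(t) for s, t in succ.items()}
        self.labels = {s: frozenset(labels.get(s, ())) for s in self.states}
        self._sat_cache: dict[Formula, StateSet] = {}
        # Assumption: the transition relation is total. A dead-end state would make
        # "all successors are labelled" hold vacuously and corrupt the AF rule.
        for s, t in self.succ.items():
            if not t or not t <= self.states:
                raise ValueError(f"state {s!r} must have successors inside S")

    def sat(self, f: Formula) -> StateSet:
        """Set of states labelled with f; sub-formulas are labelled first and cached."""
        if f in self._sat_cache:
            return self._sat_cache[f]
        op, S = f[0], self.states
        if op == "bot":                      # no state is labelled with bottom
            result = frozenset()
        elif op == "atom":                   # p holds exactly where p is in L(s)
            result = frozenset(s for s in S if f[1] in self.labels[s])
        elif op == "not":                    # states not labelled with psi
            result = S - self.sat(f[1])
        elif op == "and":                    # labelled with both conjuncts
            result = self.sat(f[1]) & self.sat(f[2])
        elif op == "or":                     # derived connective: either disjunct
            result = self.sat(f[1]) | self.sat(f[2])
        elif op == "EX":                     # some successor labelled with psi
            y = self.sat(f[1])
            result = frozenset(s for s in S if self.succ[s] & y)
        elif op == "AF":                     # seed with psi; add s when all successors are labelled
            result = self._grow(self.sat(f[1]), lambda s, y: self.succ[s] <= y)
        elif op == "EU":                     # seed with psi2; add s in psi1 with a labelled successor
            y1 = self.sat(f[1])
            result = self._grow(self.sat(f[2]), lambda s, y: s in y1 and bool(self.succ[s] & y))
        elif op == "EG":                     # direct rule: start from psi, delete states with no labelled successor
            result = self._shrink(self.sat(f[1]))
        else:
            raise ValueError(f"unknown connective {op!r}")
        self._sat_cache[f] = result
        return result

    def _grow(self, seed: StateSet, rule: Callable[[str, StateSet], bool]) -> StateSet:
        """Repeat until no change: add every unlabelled state that satisfies rule."""
        y = seed
        while True:
            new = frozenset(s for s in self.states - y if rule(s, y))
            if not new:
                return y
            y |= new

    def _shrink(self, y: StateSet) -> StateSet:
        """Repeat until no change: delete states none of whose successors is labelled."""
        while True:
            drop = frozenset(s for s in y if not (self.succ[s] & y))
            if not drop:
                return y
            y -= drop

    def holds(self, s: str, f: Formula) -> bool:
        """Problem [1], 'does M, s satisfy f?', derived from problem [2]."""
        return s in self.sat(f)


# Constructed 4-state model (not the one drawn in the slides): s3 is a p-free, q-free sink.
MODEL = KripkeModel(
    succ={"s0": {"s1"}, "s1": {"s0", "s2"}, "s2": {"s2"}, "s3": {"s3"}},
    labels={"s0": {"p", "q"}, "s1": {"q"}, "s2": {"p"}, "s3": set()},
)

P, Q = ("atom", "p"), ("atom", "q")
NOT_Q_UNTIL_P = ("EU", ("not", Q), P)        # E[not q U p]
PSI = ("or", NOT_Q_UNTIL_P, ("EX", Q))       # E[not q U p] v EX q
PHI = ("AF", PSI)                            # AF(E[not q U p] v EX q)

if __name__ == "__main__":
    for name, f in [("E[not q U p]", NOT_Q_UNTIL_P), ("EX q", ("EX", Q)), ("psi", PSI), ("phi", PHI)]:
        print(f"{name:14} -> {sorted(MODEL.sat(f))}")
```

On this model the EU step labels s0 and s2, EX q labels s0 and s1, and the AF iteration never reaches s3 because its only successor is itself, so φ holds in s0, s1 and s2 but not in s3. The direct EG rule can be cross-checked against the equivalence EGψ ≡ ¬AF¬ψ, which the cached `sat` computes with the same primitives.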
State explosion
- The algorithm is linear in the size of the model, but the size of the model is exponential in the number of variables, components, etc.
- Can we reduce state explosion?
  - Abstraction (what is relevant?)
  - Induction (for 'similar' components)
  - Composition (divide and conquer)
  - Reduction (prove semantic equivalence)
  - Ordered binary decision diagrams