1 / 20

A Simple Model Checker for CTL

A Simple Model Checker for CTL. The problem. We need efficient algorithms to solve the problems [1] M,s  [2] M,s  where M should have finitely many states, and  is a CTL formula. We concentrate to solution of [2], as [1] can be easily derived from it. ?. ?. The solution.

vance
Download Presentation

A Simple Model Checker for CTL

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A SimpleModel Checker for CTL

  2. The problem • We need efficient algorithms to solve the problems [1] M,s  [2] M,s  where M should have finitely many states, and  is a CTL formula. • We concentrate to solution of [2], as [1] can be easily derived from it. ? ?

  3. The solution • Input:A CTL model M and CTL formula  • Output: The set of states of M which satisfy  • Basic principles: • Translate any CTL formula  in terms of the connectives AF,EU,EX, ,, and . • Label the states of M with sub-formulas of  that are satisfied there, starting from the smallest sub-formulas and working outwards towards  • Output the states labeled by 

  4. The labelling • An immediatesub-formula of a formula  is any maximal-length formula y other than  itself • Let y be a sub-formula of  and assume the states of M have been already labeled by all immediate sub-formulas of y. Which states have to be labeled by y? We proceed by case analysis

  5. The basic labeling • no states are labeled • p label a state s with p if p  l(s) • y1y2 label a state s with y1y2 if s is already labeled with both y1 and y2 • y label a state s with y if s is not already labeled with y

  6. The AF labeling • AFy 1. Label with AFy any state s already labeled with y 2. Repeat until no change: label any state s with AFy if all successors of s are already labeled with Afy repeat AFy AFy AFy AFy AFy AFy AFy … until no change

  7. The EU labeling • E[y1Uy2] 1. Label with E[y1Uy2] any state s already labeled with y2 2. Repeat until no change: label any state s with E[y1Uy2] if it is labeled with y1 and at least one of its successor is already labeled with E[y1Uy2] repeat E[y1Uy2] E[y1Uy2] y1 E[y1Uy2] y1 … until no change

  8. The EX labeling • EXy Label with EXy any state s with one of its successors already labeled with y y y EXy

  9. The EG labeling (direct) • EGy 1. Label all the states with EGy 2. Delete the label EGy from any state s not labeled with y 3. Repeat until no change: delete the label Egy from any state s if none f its successors is labeled with EGy repeat y EGy y EGy EGy y EGy y EGy … until no change

  10. Complexity The complexity of the model checking algorithm is O(f*V*(V+E)) where f = number of connectives in  V = number of states of M E = number of transitions of M It can be easily improved to an algorithm linear both in the size of the formula and of the model

  11. Example: Input p q p q  = AF(E[q U p] v EXq)

  12. Example: EU - step 1 P E[qUp] q P E[qUp] q 1. Label with E[qUp] all states which satisfy p

  13. Example: EU-step 2.1 E[qUp] P E[qUp] q E[qUp] P E[qUp] q 2.1 label any state s with E[qUp] if it is labeled with q and at least one of its successor is already labeled with E[qUp]

  14. Example: EU-step 2.2 E[qUp] E[qUp] P E[qUp] q E[qUp] P E[qUp] q No! 2.2 label any state s with E[qUp] if it is labeled with q and at least one of its successor is already labeled with E[qUp]

  15. Example: EX-step 3 E[qUp] EXq E[qUp] q EXq P E[qUp] EXq E[qUp] P E[qUp] q 3. Label with EXq any state s with one of its successors already labeled with q

  16. Example: -step 4  E[qUp]  EXq  E[qUp]  EXq  E[qUp] P, E[qUp] ,q EXq ,P E[qUp] q 4. Label with  = E[qUp] v EXq any state s already labeled with E[qUp] or EXq

  17. Example: AF-step 5.1 f, E[qUp] f, EXq f, E[qUp] f, EXq f, E[qUp] P,f, E[qUp] f,,q EXq f,,P E[qUp] q 5.1. Label with f= AF(E[qUp]vEXq) any state already labeled with = E[qUp]vEXq

  18. Example: AF-step 5.2 f, E[qUp] f, EXq f, E[qUp] f, EXq f, E[qUp] P,f, E[qUp] f,,q EXq f,,P E[qUp] f,q 5.2. label any state s with f if all successors of s are already labeled with f

  19. Example: Output p q p q All states satisfy AF(E[q U p] v EXq)

  20. State explosion • The algorithm is linear in the size of the model but the size of the model is exponential in the number of variables, components, etc. Can we reduce state explosion? • Abstraction (what is relevant?) • Induction (for ‘similar’ components) • Composition (divide and conquer) • Reduction (prove semantic equivalence) • Ordered binary decision diagrams

More Related