CTL Model Checking
Bettina Könighofer
January 24, 2020
Graz University of Technology
Institute for Applied Information Processing and Communications
Model Checking SS21, May 5th 2021
Homework Nr 6: The Dining-Philosophers Verification-Problem

We consider a variant of the dining philosophers problem.
There are n philosophers sitting at a round table.
There is one chopstick between each pair of adjacent philosophers.
Because each philosopher needs two chopsticks to eat, adjacent
philosophers cannot eat simultaneously. We are interested in schedulers
that use input variables h_i signifying that philosopher i is hungry
and output variables e_i signifying that philosopher i is eating.
Solutions Homework: The Dining-Philosophers Verification-Problem

[4 Points] Formulate the following requirements in LTL.
Guarantee 1: An eating philosopher prevents her neighbours from eating.
Guarantee 2: An eating philosopher eats until she is no longer hungry.
Guarantee 3: Every hungry philosopher eats eventually.
Assumption: An eating philosopher eventually loses her appetite.
Solutions Homework: The Dining-Philosophers Verification-Problem

[6 Points] Your Task: Design a system as Moore machine or Mealy
machine for 5 dining philosophers that is
• Correct, i.e., it satisfies the specification
• and Robust in the sense that if one philosopher is hungry forever,
  she eats forever and only two other philosophers starve.
CTL Model Checking
The Model Checking Problem
▪ Given a Kripke structure M and a CTL formula f
▪ Model Checking Problem:
  ▪ M ⊨ f, i.e., M is a model for f
▪ Alternative Definition
  ▪ Compute ⟦f⟧_M = { s ∈ S | M,s ⊨ f }, i.e., all states satisfying f
  ▪ Check S0 ⊆ ⟦f⟧_M to conclude that M ⊨ f
Illustrative Example: Mutual Exclusion
▪ Two processes with a joint Boolean signal sem
▪ Each process Pi has a variable vi describing its state:
  ▪ vi = N  Non-critical
  ▪ vi = T  Trying
  ▪ vi = C  Critical
Illustrative Example: Mutual Exclusion
▪ Each process runs the following program (each branch of the
  if-cascade is one atomic action):
  Pi :: while (true) {
          if (vi == N) vi = T;
          else if (vi == T && sem) { vi = C; sem = 0; }
          else if (vi == C) { vi = N; sem = 1; }
        }
▪ The full program is: P1 || P2
▪ Initial state: (v1=N, v2=N, sem)
▪ The execution is interleaving
Illustrative Example: Mutual Exclusion
▪ Reachable states of P1 || P2 (sem is shown as sem or ¬sem):
  v1=N, v2=N, sem
  v1=T, v2=N, sem        v1=N, v2=T, sem
  v1=C, v2=N, ¬sem       v1=T, v2=T, sem        v1=N, v2=C, ¬sem
  v1=C, v2=T, ¬sem       v1=T, v2=C, ¬sem
▪ We define atomic propositions: AP = {C1, C2, T1, T2}
▪ A state is labeled with Ti if vi=T
▪ A state is labeled with Ci if vi=C
Illustrative Example: Mutual Exclusion
▪ The labeled Kripke structure (label set per reachable state):
  {}        (v1=N, v2=N)
  {T1}      (v1=T, v2=N)      {T2}      (v1=N, v2=T)
  {C1}      (v1=C, v2=N)      {T1,T2}   (v1=T, v2=T)      {C2}   (v1=N, v2=C)
  {C1,T2}   (v1=C, v2=T)      {T1,C2}   (v1=T, v2=C)
Illustrative Example: Mutual Exclusion
▪ Does it hold that M ⊨ f?
▪ Property 1: f := AG ¬(C1 ∧ C2)
▪ Compute ⟦f⟧_M = { s ∈ S | M,s ⊨ f } and check S0 ⊆ ⟦f⟧_M
▪ Si ≡ reachable states from an initial state after i steps
  ▪ S0 = {(N,N)}
  ▪ S1 = {(T,N), (N,T)}
  ▪ S2 = {(C,N), (T,T), (N,C)}
  ▪ S3 = {(C,T), (T,C)}
  ▪ No reachable state is labeled with both C1 and C2
▪ M ⊨ AG ¬(C1 ∧ C2)
Illustrative Example: Mutual Exclusion
▪ Does it hold that M ⊨ f?
▪ Property 2: f := AG ¬(T1 ∧ T2)
▪ Si ≡ reachable states from an initial state after i steps
▪ Exploring S0, S1, ... reaches the state (v1=T, v2=T), which is labeled
  with both T1 and T2
▪ M ⊭ AG ¬(T1 ∧ T2)
▪ Model checker returns a counterexample
Illustrative Example: Mutual Exclusion
▪ Does it hold that M ⊨ f?
▪ Property 3: f := AG ((T1 → F C1) ∧ (T2 → F C2))
▪ In case M ⊭ f, compute a counterexample
▪ M ⊭ AG ((T1 → F C1) ∧ (T2 → F C2))
Illustrative Example: Mutual Exclusion
▪ Does it hold that M ⊨ f?
▪ Property 4: f := AG EF (N1 ∧ N2 ∧ S0)
▪ How would you express property 4 in natural language?
▪ In case M ⊭ f, compute a counterexample
▪ States in the figure: N1,N2,S0 (initial); T1,N2,S0; N1,T2,S0; C1,N2,S1;
  T1,T2,S0; N1,C2,S1; C1,T2,S1; T1,C2,S1
▪ No matter where you are, there is always a way
  to get to the initial state (restart)
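Added example, not from the slides: it builds the Kripke structure of the mutual-exclusion program P1 || P2 above by interleaving the atomic actions, enumerates the breadth-first layers S_i, and checks Property 1 (AG ¬(C1 ∧ C2)) and Property 2 (AG ¬(T1 ∧ T2)), returning a counterexample path on failure. The function names and the encoding of sem as 1/0 are my choices.

```python
# Added example, not the slides' code: builds the Kripke structure of the
# mutual-exclusion program P1 || P2 by interleaving the atomic actions of the
# two processes, explores it breadth-first (S_i = states first reached after
# i steps) and checks an AG property, returning a counterexample path on
# failure.  The Boolean sem is encoded as 1 (sem) and 0 (¬sem).
from collections import deque

N, T, C = "N", "T", "C"

def step(v, sem):
    """One atomic action of a process in local state v; None if it must wait."""
    if v == N:
        return T, sem
    if v == T and sem:
        return C, 0
    if v == C:
        return N, 1
    return None                       # v == T and sem == 0: blocked

def successors(state):
    """Interleaving semantics: exactly one process moves per step."""
    v1, v2, sem = state
    succ = []
    r = step(v1, sem)
    if r is not None:
        succ.append((r[0], v2, r[1]))
    r = step(v2, sem)
    if r is not None:
        succ.append((v1, r[0], r[1]))
    return succ

def labels(state):
    """L(s) over AP = {T1, T2, C1, C2}: Ti iff vi = T, Ci iff vi = C."""
    v1, v2, _ = state
    return {ap for ap, on in (("T1", v1 == T), ("C1", v1 == C),
                              ("T2", v2 == T), ("C2", v2 == C)) if on}

def bfs_layers(init):
    """Return [S_0, S_1, ...]: the states first reached after i steps."""
    seen, layers = {init}, [[init]]
    while True:
        nxt = []
        for s in layers[-1]:
            for t in successors(s):
                if t not in seen:
                    seen.add(t)
                    nxt.append(t)
        if not nxt:
            return layers
        layers.append(nxt)

def check_AG(init, holds):
    """Check AG holds(L(s)) over the reachable states.  Returns (True, [])
    or (False, path) with a shortest path from init to a violating state."""
    parent, queue = {init: None}, deque([init])
    while queue:
        s = queue.popleft()
        if not holds(labels(s)):
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return False, path[::-1]
        for t in successors(s):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return True, []

INIT = (N, N, 1)
MUTEX = lambda L: not {"C1", "C2"} <= L             # Property 1: AG ¬(C1 ∧ C2)
NOT_BOTH_TRYING = lambda L: not {"T1", "T2"} <= L   # Property 2: AG ¬(T1 ∧ T2)

if __name__ == "__main__":
    for i, layer in enumerate(bfs_layers(INIT)):
        print(f"S{i} = {layer}")
    print("AG ¬(C1 ∧ C2):", check_AG(INIT, MUTEX))
    print("AG ¬(T1 ∧ T2):", check_AG(INIT, NOT_BOTH_TRYING))
```

The layers printed are exactly the four BFS frontiers S0 to S3 of the slides (8 reachable states), and Property 2 fails with the run (N,N) → (T,N) → (T,T).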
Explicit Model Checking for CTL
▪ Explicit MC uses Kripke structure M as a graph:
  (S, R) with labeling L
▪ Use graph traversal algorithms (e.g., Depth First Search (DFS) or
  Breadth First Search (BFS)) to traverse states and paths of M
CTL Model Checking
Receives:
▪ A Kripke structure M, modeling a system
▪ A CTL formula f, describing a property
▪ Determines whether M ⊨ f
▪ Alternatively, it returns ⟦f⟧ = { s ∈ S | M,s ⊨ f }
▪ M is omitted from ⟦f⟧_M when clear from the context
CTL Model Checking M ⊨ f
The goal of MC is to compute ⟦g⟧_M
for every subformula g of f, including ⟦f⟧_M
▪ Work iteratively on subformulas of f
  ▪ from simpler to complex subformulas
▪ For checking AG(request → AF grant)
  ▪ Check grant, request
  ▪ Then check AF grant
  ▪ Next check request → AF grant
  ▪ Finally check AG(request → AF grant)
▪ For each s, computes label(s), which is
  the set of subformulas of f that are true in s
▪ We check subformula g of f only after
  all subformulas of g have already been checked
▪ For subformula g, the algorithm adds g to label(s) for
  every state s that satisfies g
▪ When we finish checking g, the following holds:
  ▪ g ∈ label(s) ⟺ M,s ⊨ g
▪ M ⊨ f if and only if f ∈ label(s) for all initial states s of M
▪ M ⊨ f if and only if S0 ⊆ ⟦f⟧_M
Minimal set of operators for CTL
▪ All CTL formulas can be transformed to use only the
  operators:
  ▪ ¬, ∨, EX, EU, EG
▪ MC algorithm needs to handle AP and ¬, ∨, EX, EU, EG
Model Checking Atomic Propositions
▪ Procedure for labeling the states satisfying p ∈ AP:
  p ∈ label(s) ⟺ p ∈ L(s)
  (label(s) is held by the algorithm, L(s) is defined by M)
Model Checking ¬, ∨ - Formulas
▪ Let f1 and f2 be subformulas that have
  already been checked
  ▪ added to label(s), when needed
▪ Give the procedures for labeling the states satisfying
  ¬f1 and f1 ∨ f2
  ▪ ¬f1: add to label(s) if and only if f1 ∉ label(s)
  ▪ f1 ∨ f2: add to label(s) if and only if
    f1 ∈ label(s) or f2 ∈ label(s)
Model Checking g = EX f1
▪ Give the procedures for labeling states satisfying EX f1
▪ Add g to label(s) if and only if s has a successor t such
  that f1 ∈ label(t)

  procedure CheckEX(f1)
    T := { t | f1 ∈ label(t) }
    while T ≠ ∅ do
      choose t ∈ T; T := T \ {t};
      for all s such that R(s,t) do
        if EX f1 ∉ label(s) then
          label(s) := label(s) ∪ { EX f1 };
Model Checking g = E(f1 U f2)
▪ Procedures for labeling states satisfying E(f1 U f2)
▪ Think how you can rewrite the procedure CheckEX
▪ Rewriting the procedure CheckEX gives:

  procedure CheckEU(f1, f2)
    T := { t | f2 ∈ label(t) }
    for all t ∈ T do label(t) := label(t) ∪ { E(f1 U f2) }
    while T ≠ ∅ do
      choose t ∈ T; T := T \ {t};
      for all s such that R(s,t) do
        if E(f1 U f2) ∉ label(s) and f1 ∈ label(s) then
          label(s) := label(s) ∪ { E(f1 U f2) };
          T := T ∪ {s}
Example: Model Checking EU Formulas
(figure: Kripke structure with states s0 to s6, each labeled with a subset of {a, b, c})
Does it hold that M ⊨ f?
• f := E(a U b)
▪ Apply CheckEU(a, b) to the structure in the figure
M ⊨ E(a U b), ⟦E(a U b)⟧ = {0,3,5,4} (indices of the states s0, s3, s5, s4)
Model Checking g = EG f1
Observation:
  s ⊨ EG f1
  iff
  There is a path starting at s along which G f1 holds
  iff
  There is a path from s to a strongly connected
  component, where all states satisfy f1
Model Checking g = EG f1
▪ A Strongly Connected Component (SCC) in a graph
  is a subgraph C such that every node in C is reachable
  from any other node in C via nodes in C
▪ An SCC C is maximal (MSCC) if it is not contained in
  any other SCC in the graph
▪ Possible to find all MSCCs in linear time O(|S|+|R|) (Tarjan)
▪ C is nontrivial if it contains at least one edge. Otherwise, it is trivial
Model Checking g = EG f1
▪ Reduced structure for M and f1:
  ▪ Remove from M all states s such that f1 ∉ label(s)
  ▪ Resulting model: M' = (S', R', L')
    ▪ S' = { s | M,s ⊨ f1 }
    ▪ R' = (S' × S') ∩ R
    ▪ L'(s) = L(s) for every s ∈ S'
▪ Theorem: M,s ⊨ EG f1 iff
  1. s ∈ S' and
  2. There is a path in M' from s to some state t in a nontrivial
     MSCC of M'
Model Checking g = EG f1
  procedure CheckEG(f1)
    S' := { s | f1 ∈ label(s) }
    MSCC := { C | C is a nontrivial MSCC of M' }
    T := ⋃_{C ∈ MSCC} { s | s ∈ C }
    for all t ∈ T do label(t) := label(t) ∪ { EG f1 }
    while T ≠ ∅ do
      choose t ∈ T; T := T \ {t};
      for all s ∈ S' such that R'(s,t) do
        if EG f1 ∉ label(s) then
          label(s) := label(s) ∪ { EG f1 };
          T := T ∪ {s}
Model Checking Complexity
Steps per Subformula
▪ MC Atomic Propositions
  ▪ O(|S|) steps
▪ MC ¬, ∨ formulas
  ▪ O(|S|) steps
▪ MC g = EX f1
  ▪ Add g to label(s) iff s has a successor t such that f1 ∈ label(t)
  ▪ O(|S| + |R|)
▪ MC g = E(f1 U f2)
  ▪ O(|S| + |R|)
▪ MC g = EG f1
  ▪ Computing M': O(|S| + |R|)
  ▪ Computing MSCCs using Tarjan's algorithm: O(|S| + |R|)
  ▪ Labeling all states in MSCCs: O(|S|)
  ▪ Backward traversal: O(|S| + |R|)
  ▪ => Overall: O(|S| + |R|)
▪ Each subformula
  ▪ O(|S| + |R|) = O(|M|)
▪ What is the total complexity for checking f?
▪ Number of subformulas in f:
  ▪ O(|f|)
▪ Total
  ▪ O(|M| · |f|)
▪ For comparison
  ▪ Complexity of MC for LTL and CTL* is O(|M| · 2^|f|)
Microwave Example
(figure: Kripke structure of the microwave oven with states 1 to 7, labeled with
Start, Close, Heat, Error; transitions start, close, open, reset, warmup, done, cook)
▪ Use the proposed algorithm to compute if M ⊨ f?
▪ f := AG (Start → AF Heat)

Microwave Example
▪ Step 1: Rewrite the formula
  ▪ AG (Start → AF Heat)
  ▪ ¬EF (Start ∧ EG ¬Heat)
  ▪ ¬E (true U (Start ∧ EG ¬Heat))
Microwave Example
▪ Use the proposed algorithm to compute if M ⊨ f?
▪ f := ¬E (true U (Start ∧ EG ¬Heat))
  ⟦Start⟧ = {2,5,6,7}
  ⟦¬Heat⟧ = {1,2,3,5,6}
  ⟦EG ¬Heat⟧ = {1,2,3,5}
  ⟦Start ∧ EG ¬Heat⟧ = {2,5}
  ⟦E (true U (Start ∧ EG ¬Heat))⟧ = {1,2,3,4,5,6,7}
  ⟦f⟧ = S \ {1,2,3,4,5,6,7} = ∅
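Added example, not the slides' code: the labeling algorithm for the minimal operator set {¬, ∨, EX, EU, EG}, with CheckEX, CheckEU and CheckEG (reduced structure M' plus nontrivial MSCCs found with Tarjan's algorithm) implemented in Python and run on the microwave oven above. The tuple encoding of formulas, the function names and the microwave transitions are assumptions; the transitions follow the textbook version of this example, which reproduces the slides' sets.

```python
# Added example, not the slides' code: explicit-state CTL labeling over the
# minimal operator set {¬, ∨, EX, EU, EG}, following CheckEX, CheckEU and
# CheckEG (reduced structure M' plus nontrivial MSCCs found with Tarjan).
# Formulas are nested tuples: ("ap", p), ("true",), ("not", f), ("or", f, g),
# ("EX", f), ("EU", f, g), ("EG", f).  The microwave model is an assumption:
# the textbook (Clarke/Grumberg/Peled) version, whose sets match the slides.
def nontrivial_scc_states(nodes, succ):
    """Tarjan's algorithm; returns the union of all nontrivial MSCCs
    (an SCC is nontrivial if it contains at least one edge)."""
    index, low, stack, on_stack, result = {}, {}, [], set(), set()

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v); on_stack.add(v)
        for w in succ(v):
            if w not in index:
                visit(w); low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                  # v is the root of an MSCC
            comp = set()
            while True:
                w = stack.pop(); on_stack.discard(w); comp.add(w)
                if w == v:
                    break
            if len(comp) > 1 or v in succ(v):   # nontrivial: has an edge
                result.update(comp)

    for v in nodes:
        if v not in index:
            visit(v)
    return result

def sat(model, f):
    """Return ⟦f⟧_M, computing subformulas bottom-up as label(s) would."""
    S, R, L = model                      # states, set of (s, t) edges, L(s)
    pred = lambda t: {s for (s, u) in R if u == t}
    op = f[0]
    if op == "ap":   return {s for s in S if f[1] in L[s]}
    if op == "true": return set(S)
    if op == "not":  return set(S) - sat(model, f[1])
    if op == "or":   return sat(model, f[1]) | sat(model, f[2])
    if op == "EX":                       # CheckEX: predecessors of ⟦f1⟧
        return {s for t in sat(model, f[1]) for s in pred(t)}
    if op == "EU":                       # CheckEU: backwards from ⟦f2⟧ via ⟦f1⟧
        f1, lab = sat(model, f[1]), sat(model, f[2])
        work = list(lab)
        while work:
            for s in pred(work.pop()):
                if s not in lab and s in f1:
                    lab.add(s); work.append(s)
        return lab
    if op == "EG":                       # CheckEG on the reduced structure M'
        S1 = sat(model, f[1])
        R1 = {(s, t) for (s, t) in R if s in S1 and t in S1}
        lab = nontrivial_scc_states(S1, lambda v: {t for (s, t) in R1 if s == v})
        work = list(lab)
        while work:                      # backward traversal inside M'
            t = work.pop()
            for s in [s for (s, u) in R1 if u == t]:
                if s not in lab:
                    lab.add(s); work.append(s)
        return lab
    raise ValueError("unknown operator " + op)

# Derived operators rewritten as on the slides: AG g = ¬E(true U ¬g), AF g = ¬EG ¬g.
def AP(p): return ("ap", p)
def AG(g): return ("not", ("EU", ("true",), ("not", g)))
def AF(g): return ("not", ("EG", ("not", g)))
def AND(a, b): return ("not", ("or", ("not", a), ("not", b)))
def IMPLIES(a, b): return ("or", ("not", a), b)

# Assumed microwave model: states 1..7, labels and transitions as in the textbook.
MICROWAVE = (
    set(range(1, 8)),
    {(1, 2), (1, 3), (2, 5), (3, 1), (3, 6), (4, 1), (4, 3), (4, 4),
     (5, 2), (5, 3), (6, 7), (7, 4)},
    {1: set(), 2: {"Start", "Error"}, 3: {"Close"}, 4: {"Close", "Heat"},
     5: {"Start", "Close", "Error"}, 6: {"Start", "Close"},
     7: {"Start", "Close", "Heat"}},
)
SPEC = AG(IMPLIES(AP("Start"), AF(AP("Heat"))))     # AG (Start → AF Heat)

def model_checks(model, f, init):
    """M ⊨ f iff S0 ⊆ ⟦f⟧_M."""
    return set(init) <= sat(model, f)
```

Evaluating sat(MICROWAVE, ...) on the subformulas reproduces the slides' sets ({2,5,6,7}, {1,2,3,5,6}, {1,2,3,5}, {2,5}, all seven states), and model_checks(MICROWAVE, SPEC, {1}) is False because ⟦f⟧ is empty.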