Branching time models & veriﬁcation

(1)

Branching time models & verification

C ˘at ˘alin Dima LACL, Universit ´e Paris 12

(2)

Why tree models?

Model-checking CTL

2 CTL, extensions and automata

(3)

Temporal properties

Safety, termination, mutual exclusion – LTL.

Liveness, reactiveness, responsiveness, infinitely repeated behaviors – LTL.

Available choices, strategies, adversial situations?

CNIL

Tout utilisateurpeutdemander le retrait de ses donn ´ees...

How do we interpretpeut?

◮ p=demander le retrait...

◮ Then formula =p??

◮ NO!

Strategy to win a game

Black has a strategy to put the game in a situation from which White king will never get close to Black pawn.

Not specifiable in LTL either!

(4)

Branching time

p AUq

q

q p

p p q

q

p p

p

p EUq

q p

p

(5)

CTL syntax

Computational tree logic:

φ::=p|φ∧φ| ¬φ|Aφ|φAUφ|φEUφ

◮ p∈AP, set of atomic propositions.

The usual abbreviations:

E♦φ=true EUφ Aφ=¬E♦¬φ

A♦φ=true AUφ Eφ=¬A♦¬φ

Eφ=¬Aφ

(6)

Semantics

AP-labeled trees t:N^∗→◦2^AP.

“States” for interpreting CTL operators = positions in the tree: x∈supp(t).

(t,x)|=p if p∈t(x)

(t,x)|=φ1∧φ2 if(t,x)|=φjfor both j=1,2 (t,x)|=¬φ if(t,x)6|=φ

(t,x)|=Aφ if for all i∈Nwith xi∈supp(t),(t,xi)|=φ (t,x)|=φ1AUφ2 if for any infinite path(xk)k≥1in t with x1=x

there exists k0≥1 with(t,xk₀)|=φ2

and(t,xj)|=φ1for all 1≤j≤k0−1

(t,x)|=φ1EUφ2 if there exists a finite path(xj)1≤j≤k₀in t with x1=x, (t,xk₀)|=φ2and(t,xj)|=φ1for all 1≤j≤k0−1

(7)

Property specification

CNIL

Tout utilisateurpeutdemander le retrait de ses donn ´ees...

How do we interpretpeut?

◮ p=demander le retrait...

◮ AE♦p !

Strategy to win a game

Black has a strategy to put the game in a situation from which White king will never get close to Black pawn.

q=White king never gets close to Black pawn.

E♦Aq !

(8)

The model-checking problem

Given a CTL formulaφand afinitely presentablemodel M, does M |=φhold?

◮ Finitely presentable tree =B ¨uchi automatonover AP.

◮ The tree = theunfoldingofA.

State labeling algorithm:

◮ Given formulaφ, split Q intoQφandQ¬φ

◮ Structural induction on the syntactic tree ofφ.

◮ Add a new propositional symbol pφfor each analyzedφ.

◮ Label Qφwith pφand do not label Q¬φwith pφ.

(9)

CTL model-checking (2)

Forφ=Ap

QAp=˘

q∈Q| ∀q^′∈δ(q),p∈π(q^′)¯ Q¬Ap=˘

q∈Q| ∃q^′∈δ(q),p6∈π(q^′)¯

φ=p1AUp2

◮ Q_¬(p₁AUp₂)contains q iff∃Qq⊆Q strongly connected s.t.:

⋆ q

p1∧ ¬p2

Qq

◮ Qp₁AUp₂=Q\Q_¬(p₁AUp₂). φ=p1EUp2

◮ Qp₁EUp₂contains q iff∃q^′∈Q s.t.:

⋆

p1

p2

q^′ q

◮ Q_¬(p₁EUp₂)=Q\Qp₁EUp₂.

(10)

Fixpoints

E♦p≡...?

A♦p≡...?

Ep≡...?

Ap≡...?

p AUq≡q∨`

p∧A(p AUq)´ p EUq≡...?

Which is aµX and which is aνX ?

(11)

Tree automata

B ¨uchi automata only give oneset of options.

A formula may incorporate several sets of options!

Tree automata:(Q,Σ, δ,Q0,R)where

◮ δ⊆Q× P(Q).

Acceptstrees.

◮ Each run has to satisfy the requirement R (repeated sets like B ¨uchi).

Emptiness, intersection, complementation (harder than B ¨uchi!).