\documentclass[11pt,twoside]{scrartcl} %opening \newcommand{\lecid}{15-414} \newcommand{\leccourse}{Bug Catching: Automated Program Verification} \newcommand{\lecdate}{} %e.g. {October 21, 2013} \newcommand{\lecnum}{21} \newcommand{\lectitle}{Branching-Time Properties} \newcommand{\lecturer}{Matt Fredrikson} \usepackage{lecnotes} \usepackage[irlabel]{bugcatch} \usepackage{tikz} % \usetikzlibrary{automata,shapes,positioning,matrix,shapes.callouts,decorations.text,patterns,trees} \usetikzlibrary{automata,shapes,positioning,matrix,shapes.callouts,decorations.text} %% \traceget{v}{i}{\zeta} is the state of trace v at time \zeta of the i-th discrete step \newcommand{\traceget}[3]{{#1}_{#2}(#3)} \def\limbo{\mathrm{\Lambda}} %% the last state of a trace \DeclareMathOperator{\tlast}{last} %% the first state of a trace \DeclareMathOperator{\tfirst}{first} \begin{document} %% the name of a trace \newcommand{\atrace}{\sigma}% %% the standard interpretation naming conventions \newcommand{\stdI}{\dTLint[state=\omega]}% \newcommand{\Ip}{\dTLint[trace=\atrace]}% \def\I{\stdI}% \let\tnext\ctnext \let\tbox\ctbox \let\tdiamond\ctdiamond \newcommand{\model}[1]{\lenvelope#1\renvelope} \newcommand{\ctmodel}[1]{\model{#1}}%{M(#1)} \newcommand{\somenextop}[1]{\tau_{\mathbf{EX}}(#1)} \newcommand{\allnextop}[1]{\tau_{\mathbf{AX}}(#1)} \tikzset{ treenode/.style = {align=center}, root/.style = {treenode, font=\footnotesize}, env/.style = {treenode, font=\footnotesize}, dummy/.style = {treenode} } \maketitle \thispagestyle{empty} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \section{Introduction} Linear temporal logic is a very important logic for model checking \cite{DBLP:books/el/leeuwen90/Emerson90,ClarkeGrumberg_MC_1999,BaierKL08} but has the downside that its verification algorithms are rather complex. Additionally, the formulas of LTL can only describe a particular type of temporal property over individual traces, with the assumption that an entire system satisfies an LTL formula if and only if \emph{all} its traces satisfy the formula. It might be useful in some situations to describe properties that quantify over possible traces of a system, both universally and existentially, to account for the fact that computations often branch among many possible paths during execution. Today we will discuss Computation Tree Logic (CTL), another temporal logic that is suited to the goals described above. CTL formulas describe properties that switch to a new trace every time a temporal operator is used, requiring either the existence of a satisfying trace, or universal satisfaction among all possible traces, depending on a \emph{path quantifier}. CTL has the advantage of having a pretty simple model checking algorithm, and it describes an incomparable set of properties from LTL. \section{Review} Recall the definition of a computation structure, which is a transition system describing a set of infinite traces over states labeled with atomic propositions. \begin{definition}[Computation structure] \label{def:computation} A Kripke structure \(K=(W,\stepto,v)\) is called a \emph{computation structure} if $W$ is a finite set of states and every element $s\in W$ has at least one direct successor $t\in W$ with $s \stepto t$. A (computation) \emph{path} in a computation structure is an infinite sequence \(s_0,s_1,s_2,s_3,\dots\) of states $s_i\in W$ such that \(s_i \stepto s_{i+1}\) for all $i$. The mapping $v$ labels each state with a set of atomic propositions, or basic formulas that are true in the state. \end{definition} Figure~\ref{fig:kripke} shows an example of a computation structure for a simple beverage vending machine. We saw how to use LTL formulas to describe useful properties of computation structures, so that all of their traces satisfy a given formula (Definitions~\ref{def:ltl-semantics-ts} and \ref{def:ltl-semantics-ts}). \begin{definition}[LTL semantics (traces)] \label{def:ltl-semantics} The truth of LTL formulas in a trace $\atrace$ is defined inductively as follows: \begin{enumerate} \item \(\atrace \models F\) iff \(\atrace_0 \models F\) for state formula $F$ provided that $\atrace_0\neq\limbo$ \item \(\atrace \models \lnot\ausfml\) iff \(\atrace \nonmodels \ausfml\), i.e. it is not the case that \(\atrace \models \ausfml\) \item \(\atrace \models \ausfml\land\busfml\) iff \(\atrace \models \ausfml\) and \(\atrace \models \busfml\) \item \(\atrace \models \tnext{\ausfml}\) iff \(\atrace^1 \models \ausfml\) \item \(\atrace \models \ltbox{\ausfml}\) iff \(\atrace^i \models \ausfml\) for all $i\geq0$ \item \(\atrace \models \ltdiamond{\ausfml}\) iff \(\atrace^i \models \ausfml\) for some $i\geq0$ \item \(\atrace \models \tuntil{\ausfml}{\busfml}\) iff there is an $i\geq0$ such that \(\atrace^i \models \busfml\) and \(\atrace^j \models \ausfml\) for all $0\leq j=1pt, node distance=2.5cm, on grid, auto, /tikz/initial text={}, font=\footnotesize ] \node[state,initial,inner sep=1pt,text width=1cm,align=center] (q_0) {$\mathit{coin}$ \\ $\mathbf{s_0}$}; \node[state,inner sep=1pt,text width=1cm,align=center] (q_1) [below=of q_0] {$\mathit{select}$ \\ $\mathbf{s_1}$}; \node[state,inner sep=1pt,text width=1cm,align=center] (q_2) [below left=of q_1] {$\mathit{coffee}$ \\ $\mathbf{s_2}$}; \node[state,inner sep=1pt,text width=1cm,align=center] (q_3) [below right=of q_1] {$\mathit{tea}$ \\ $\mathbf{s_3}$}; \path[->] (q_0) edge (q_1) (q_1) edge (q_2) (q_1) edge (q_3); \path[->,bend left] (q_2) edge (q_0); \path[->,bend right] (q_3) edge (q_0); \end{tikzpicture} \caption{Computation structure describing the operation of a vending machine.}\label{fig:kripke} \end{figure} \section{Computation Tree Logic} We have seen that LTL universally quantifies over paths in a computation. However, we may also want to quantify existentially over paths, requiring that at least one way of executing the computation satisfies a given property. CTL incorporates this by introducing \emph{path quantifiers} $\mathbf{E}$ (existential) and $\mathbf{A}$ (universal). Path quantifiers are evaluated in a particular state of a transition structure, and so we refer to formulas constructed from them as \emph{state formulas}. \begin{itemize} \item $\mathbf{E} P$ is a state formula where for a given Kripke structure $K$ we have the following: \[ K, s \models \mathbf{E} P \leftrightarrow \textrm{~there \textbf{exists} a path~} \pi \textrm{~starting at~} s \textrm{~where~} \pi \models P \] \item $\mathbf{A} P$ is a state formula where for a given Kripke structure $K$ we have the following: \[ K, s \models \mathbf{A} P \leftrightarrow \textrm{~for \textbf{all} paths~} \pi \textrm{~starting at~} s, \pi \models P \] \end{itemize} The temporal operators for next, future, globally, and until are \textbf{always} paired with a path quantifier in CTL. It is also conventional to use the letter $\textbf{G}$ in place of $\ltbox{\ }$, and $\textbf{F}$ in place of $\ltdiamond{\ }$, when writing CTL formulas. The semantics of the logic is shown in Definition~\ref{def:ctl-semantics}. \begin{definition} \label{def:ctl-semantics} In a fixed computation structure \(K=(W,\stepto,v)\), the truth of CTL formulas in state $s$ is defined inductively as follows: \begin{enumerate} \item \(s \models p\) iff \(v(s)(p)=\mtrue\) for atomic propositions $p$ \item \(s \models \lnot\ausfml\) iff \(s \nonmodels \ausfml\), i.e. it is not the case that \(s \models \ausfml\) \item \(s \models \ausfml\land\busfml\) iff \(s \models \ausfml\) and \(s \models \busfml\) \item \(s \models \allpath{\tnext{\ausfml}}\) iff all successors $t$ with $s \stepto t$ satisfy \(t \models \ausfml\) \item \(s \models \somepath{\tnext{\ausfml}}\) iff at least one successor $t$ with $s \stepto t$ satisfies \(t \models \ausfml\) \item \(s \models \allpath{\tbox{\ausfml}}\) iff all paths $s_0,s_1,s_2,\dots$ starting in $s_0=s$ satisfy \(s_i \models \ausfml\) for all $i\geq0$ \item \(s \models \allpath{\tdiamond{\ausfml}}\) iff all paths $s_0,s_1,s_2,\dots$ starting in $s_0=s$ satisfy \(s_i \models \ausfml\) for some $i\geq0$ \item \(s \models \somepath{\tbox{\ausfml}}\) iff some path $s_0,s_1,s_2,\dots$ starting in $s_0=s$ satisfies \(s_i \models \ausfml\) for all $i\geq0$ \item \(s \models \somepath{\tdiamond{\ausfml}}\) iff some path $s_0,s_1,s_2,\dots$ starting in $s_0=s$ satisfies \(s_i \models \ausfml\) for some $i\geq0$ \item \(s \models \allpath{\tuntil{\ausfml}{\busfml}}\) iff all paths $s_0,s_1,s_2,\dots$ starting in $s_0=s$ have some $i\geq0$ such that \(s_i \models \busfml\) and \(s_j \models \ausfml\) for all $0\leq j=1pt, node distance=1.5cm, on grid, auto, /tikz/initial text={}, font=\footnotesize ] %% Until \node[state,initial,inner sep=1pt,minimum size=0.5cm] (q_0) {}; \node[state,inner sep=1pt,minimum size=0.5cm] (q_1) [right=of q_0] {}; \node[state,inner sep=1pt,minimum size=0.5cm,draw=none] (q_2) [right=of q_1] {$\cdots$}; \node[state,inner sep=1pt,minimum size=0.5cm] (q_3) [right=of q_2] {}; \node[state,inner sep=1pt,minimum size=0.5cm] (q_4) [right=of q_3] {}; \node[state,inner sep=1pt,minimum size=0.5cm, draw=none] (q_5) [right=of q_4] {$\cdots$}; \path[->] (q_0) edge (q_1) (q_1) edge (q_2) (q_2) edge (q_3) (q_3) edge (q_4) (q_4) edge (q_5); \node [above of=q_0,yshift=-2.8em] {\scriptsize $P \land \lnot Q$}; \node [above of=q_1,yshift=-2.8em] {\scriptsize $P \land \lnot Q$}; \node [above of=q_3,yshift=-2.8em] {\scriptsize $P \land \lnot Q$}; \node [above of=q_4,yshift=-2.8em] {\scriptsize $Q$}; % \node [left of=q_0,xshift=-2em] {$\tuntil{F}{G}$}; \end{tikzpicture} \caption{Visualization of a LTL formula: $P \mathbf{U} Q$}\label{fig:ltl} \end{figure} \begin{figure}[p] \begin{center} \begin{tikzpicture} [ level distance=0.75cm, level/.style={sibling distance=40mm/#1}, font=\footnotesize ] \node[circle,draw,minimum size=0.5cm] (q0) {$p$} child {node[circle,draw,minimum size=0.5cm] (q1) {$q$} child {node[circle,draw,minimum size=0.5cm] (q3) {} child {node[circle,draw,minimum size=0.5cm] (q10) {} child {node[yshift=1em] (q14) {$\vdots$} edge from parent[draw=none]} } child {node[circle,draw,minimum size=0.5cm] (q11) {} child {node[yshift=1em] (q14) {$\vdots$} edge from parent[draw=none]} } } child {node[circle,draw,minimum size=0.5cm] (q4) {} child {node[circle,draw,minimum size=0.5cm] (q9) {} child {node[yshift=1em] (q14) {$\vdots$} edge from parent[draw=none]} } } } child {node[circle,draw,minimum size=0.5cm] (q2) {$p$} child {node[circle,draw,minimum size=0.5cm] (q5) {$p$} child {node[circle,draw,minimum size=0.5cm] (q7) {$q$} child {node[yshift=1em] (q14) {$\vdots$} edge from parent[draw=none]} } child {node[circle,draw,minimum size=0.5cm] (q8) {$q$} child {node[yshift=1em] (q14) {$\vdots$} edge from parent[draw=none]} } } child {node[circle,draw,minimum size=0.5cm] (q6) {$q$} child {node[circle,draw,minimum size=0.5cm] (q12) {} child {node[yshift=1em] (q14) {$\vdots$} edge from parent[draw=none]} } child {node[circle,draw,minimum size=0.5cm] (q13) {} child {node[yshift=1em] (q14) {$\vdots$} edge from parent[draw=none]} } } }; \end{tikzpicture} \end{center} \caption{Visualization of a CTL formula: $\allpath{[\tuntil{P}{Q}]}$}\label{fig:ctl1} \end{figure} \begin{figure}[p] \begin{center} \begin{tikzpicture} [ level distance=0.75cm, level/.style={sibling distance=40mm/#1}, font=\footnotesize ] \node[circle,draw,minimum size=0.5cm] (q0) {} child {node[circle,draw,minimum size=0.5cm] (q1) {} child {node[circle,draw,minimum size=0.5cm] (q3) {} child {node[circle,draw,minimum size=0.5cm] (q10) {} child {node[yshift=1em] (q14) {$\vdots$} edge from parent[draw=none]} } child {node[circle,draw,minimum size=0.5cm] (q11) {} child {node[yshift=1em] (q14) {$\vdots$} edge from parent[draw=none]} } } child {node[circle,draw,minimum size=0.5cm] (q4) {} child {node[circle,draw,minimum size=0.5cm] (q9) {} child {node[yshift=1em] (q14) {$\vdots$} edge from parent[draw=none]} } } } child {node[circle,draw,minimum size=0.5cm] (q2) {} child {node[circle,draw,minimum size=0.5cm] (q5) {} child {node[circle,draw,minimum size=0.5cm] (q7) {} child {node[yshift=1em] (q14) {$\vdots$} edge from parent[draw=none]} } child {node[circle,draw,minimum size=0.5cm] (q8) {} child {node[yshift=1em] (q14) {$\vdots$} edge from parent[draw=none]} } } child {node[circle,draw,minimum size=0.5cm] (q6) {} child {node[circle,draw,minimum size=0.5cm] (q12) {} child {node[yshift=1em] (q14) {$\vdots$} edge from parent[draw=none]} } child {node[circle,draw,minimum size=0.5cm] (q13) {$p$} child {node[yshift=1em] (q14) {$\vdots$} edge from parent[draw=none]} } } }; \end{tikzpicture} \end{center} \caption{Visualization of a CTL formula: $\somepath{\tdiamond{P}}$} \end{figure} % \begin{figure}[p] % \centering % \vspace*{-1.5cm} % \includegraphics[width=0.4\textwidth]{figs/ctl2.pdf} % \vspace*{-1.5cm} % \caption{Visualization of a CTL formula: $\mathbf{AE} P Q$}\label{fig:ctl2} % \end{figure} \subsection{Useful equivalences} Some of the CTL formulas are redundant in the sense that they are definable with other CTL formulas already. But the meaning of the original formulas is usually much easier to understand than the meaning of its equivalent. \begin{lemma} The following are valid CTL equivalences: \begin{enumerate} \item \(\somepath{\tdiamond{\ausfml}} \lbisubjunct \somepath{[\tuntil{\ltrue}{\ausfml}]}\) \item \(\allpath{\tdiamond{\ausfml}} \lbisubjunct \allpath{[\tuntil{\ltrue}{\ausfml}]}\) \item \(\somepath{\tbox{\ausfml}} \lbisubjunct \lnot\allpath{\tdiamond{\lnot\ausfml}}\) %\lnot(\somepath{\tuntil{\ltrue}{\lnot\ausfml}})\) \item \(\allpath{\tbox{\ausfml}} \lbisubjunct \lnot\somepath{\tdiamond{\lnot\ausfml}}\) \item \(\allpath{\tnext{\ausfml}} \lbisubjunct \lnot\somepath{\tnext{\lnot\ausfml}}\) \item \(\allpath{[\tuntil{\ausfml}{\busfml}]} \lbisubjunct \lnot\somepath{[\tuntil{\lnot\busfml}{(\lnot\ausfml\land\lnot\busfml)}]} \,\land\,\lnot\somepath{\tbox{\lnot\busfml}}\) \end{enumerate} \end{lemma} Most of these cases except the last are quite easy to prove. So as not to confuse ourselves, we will definitely make use of the finally and globally operators in applications. But thanks to these equivalences, when developing reasoning techniques we can simply pretend next and until would be the only temporal operators to worry about. In fact, we can even pretend only the existential path quantifier $\somepath{}$ is used, never the universal path quantifier $\allpath{}$, but this reduction in the number of different operators comes at quite some expense in the size and complexity in the resulting formulas. \subsection{Comparison with LTL} LTL and CTL are incomparable in terms of expressiveness. There are formulas in both logics that cannot be expressed in the other. Consider the LTL formula $\ltdiamond{\ltbox{P}}$, which is satisfied by the automaton in Figure~\ref{fig:ex-ltl}. What is the equivalent CTL formula? One idea is to take the fact that LTL formulas ``implicitly'' have universal path quantifiers before every temporal operator, and propose the formula $\mathbf{AF} \mathbf{AG} P$. However, this formula illustrates that the ``quantifiers'' that our intuition might tell us are implicit in LTL do not mean the same thing as the semantics of CTL, because this automaton does not satisfy $\mathbf{AF} \mathbf{AG} P$. Note that we can visualize the unrolling of Figure~\ref{fig:ex-ltl} in Figure~\ref{fig:ex-ctl}, where we can see that there is a run in which the system will always be in the state from which a run finally goes in a non $P$ state. This corresponds to staying in the initial state of Figure~\ref{fig:ex-ltl} for arbitrarily long, maintaining the existence of an alternate path in which $p$ does not hold globally. An example of a CTL formula that cannot be expressed in LTL is $\mathbf{AG} (\mathbf{EF} P)$. This formula states that there is always the possibility that a state can be reached during a run, even if it is never actually reached. However, the natural corresponding LTL formula $\ltbox{\ltdiamond{P}}$ states that at all times, $P$ will eventually be reached. Note that this formula is stronger than the previous one since we just need the possibility of returning to $P$. \begin{figure} % \centering % \vspace*{-1.5cm} % \includegraphics[width=0.4\textwidth]{figs/ex-ltl.pdf} % \vspace*{-3cm} \begin{center} \begin{tikzpicture} [ highlight/.style={draw=blue, text=blue}, shorten >=1pt, node distance=1.5cm, on grid, auto, /tikz/initial text={}, font=\footnotesize ] \node[state,initial,inner sep=1pt,minimum size=0.5cm] (q0) {$p$}; \node[state,inner sep=1pt,minimum size=0.5cm] (q1) [right=of q0] {$q$}; \node[state,inner sep=1pt,minimum size=0.5cm] (q2) [right=of q1] {$p$}; \path[->] (q0) edge (q1) (q1) edge (q2); \path[->,out=45, in=135, looseness=4] (q0.north east) edge (q0.north west); \path[->,out=45, in=135, looseness=4] (q2.north east) edge (q2.north west); % \node [left of=q_0,xshift=-1em] {$\nextt g$}; \end{tikzpicture} \end{center} \caption{An example of an automaton that satisfies $\ltdiamond{\ltbox{P}}$}\label{fig:ex-ltl} \end{figure} \begin{figure} % \centering % \vspace*{-1.5cm} % \includegraphics[width=0.4\textwidth]{figs/ex-ctl.pdf} % \vspace*{-2cm} \begin{center} \begin{tikzpicture} [ level distance=0.75cm, level/.style={sibling distance=40mm/#1}, font=\footnotesize ] \node[circle,draw,minimum size=0.5cm] (q0) {$p$} child {node[circle,draw,minimum size=0.5cm] (q1) {$p$} child {node[circle,draw,minimum size=0.5cm] (q3) {$p$} child {node[circle,draw,minimum size=0.5cm] (q10) {$p$} child {node[yshift=1em] (q14) {$\vdots$} edge from parent[draw=none]} } child {node[circle,draw,minimum size=0.5cm] (q11) {$q$} child {node[yshift=1em] (q14) {$\vdots$} edge from parent[draw=none]} } } child {node[circle,draw,minimum size=0.5cm] (q4) {$q$} child {node[circle,draw,minimum size=0.5cm] (q9) {$p$} child {node[yshift=1em] (q14) {$\vdots$} edge from parent[draw=none]} } } } child {node[circle,draw,minimum size=0.5cm] (q2) {$q$} child {node[circle,draw,minimum size=0.5cm] (q5) {$p$} child {node[yshift=1em] (q14) {$\vdots$} edge from parent[draw=none]} } }; \end{tikzpicture} \end{center} \caption{Unrolling the branches of Figure~\ref{fig:ex-ltl}}\label{fig:ex-ctl} \end{figure} \section{Example: Mutual Exclusion} Temporal logic is particularly helpful to verify properties of distributed systems. For example, we may want to reason about safety or liveness. Safety properties state that ``nothing bad would ever happen'', whereas liveness properties state that ``something good always happens''. We will how we can encode safety and liveness using CTL for a mutual exclusion protocol. The notation in the following transition diagram is $nt$ for: the first process is in the noncritical section while the second process is trying to get into its critical section. \begin{tabular}{ll} n & noncritical section of an abstract process\\ t & trying to enter critical section of an abstract process\\ c & critical section of an abstract process \end{tabular} \\ Those atomic propositional letters are used with suffix $1$ to indicate that they apply to process 1 and with suffix $2$ to indicate process 2. For example the notation $nt$ indicates a state in which \(n_1 \land t_2\) is true (and no other propositional letters). Consider Kripke structure %MUTEX \begin{center} \begin{tikzpicture}[thick,->,> =stealth, every node/.style={draw,black,circle,fill=blue!10,minimum width=12pt}, every label/.style={draw=none,fill=none,text=red!140}, level 1/.style={sibling distance=30mm}, level 2/.style={sibling distance=20mm}] \node[label=above right:0] (m) {nn} child { node[label=above:1] {tn} child { node[label=left:2] {cn} child[missing] {node{}} child {node[label=below:4] {ct}} } child { node[label=below:3] {tt} } } child { node[label=above:5] {nt} child { node[label=below:6] {tt} child[missing] {node{}} child {node[label=below:8] {tc}} } child { node[label=below:7] {nc} } }; \draw[<-] (m) -- +(90:1); \draw (m-1-2) -- (m-1-1-2); \draw (m-2-2) -- (m-2-1-2); \draw (m-1-1) to[bend left=40] (m); \draw (m-2-2) to[bend right=40] (m); \draw (m-1-1-2) to[bend left=40] (m-2); \draw (m-2-1-2) to[bend right=40] (m-1); \end{tikzpicture} \end{center} \begin{enumerate} \item Safety: \(\lnot\somepath{\tdiamond{(c_1\land c_2)}}\) is trivially true since there is no state labelled $cc$x. \item Liveness: \(\allpath{\tbox{(t_1 \limply \allpath{\tdiamond{c_1}})}} \land \allpath{\tbox{(t_2 \limply \allpath{\tdiamond{c_2}})}}\) \end{enumerate} \bibliography{platzer,bibliography} \end{document}