Computation tree logic

Computation tree logic

Computation tree logic (CTL) is a branching-time logic, meaning that its model of time is a tree-like structure in which the future is not determined; there are different paths in the future, any one of which might be an actual path that is realised. It is used in formal verification of software or hardware artifacts, typically by software applications known as model checkers which determine if a given artifact possesses safety or liveness properties. For example, CTL can specify that when some initial condition is satisfied (e.g., all program variables are positive or no cars on a highway straddle two lanes), then all possible executions of a program avoid some undesirable condition (e.g., dividing a number by zero or two cars colliding on a highway). In this example, the safety property could be verified by a model checker that explores all possible transitions out of program states satisfying the initial condition and ensures that all such executions satisfy the property. Computation tree logic is in a class of temporal logics that include linear temporal logic (LTL). Although there are properties expressible in only one of CTL and LTL, all properties expressible in either logic can also be expressed in CTL*.

Contents

Syntax of CTL

The language of well formed formulas for CTL is generated by the following grammar:

\phi::=\bot |\top |p|(\neg\phi)|(\phi\and\phi)|(\phi\or\phi)|
(\phi\Rightarrow\phi)|(\phi\Leftrightarrow\phi)|AX\phi|EX\phi|AF\phi|EF\phi|AG\phi|EG\phi|
A[\phi U \phi]|E[\phi U \phi]

where p ranges over a set of atomic formulas. Not all of these connectives are needed – for example, \{\neg, \and, AX, AU, EU\} comprises a complete set of connectives, and the others can be defined using them.

  • A means 'along All paths' (Inevitably)
  • E means 'along at least (there Exists) one path' (possibly)

For example, the following is a well-formed CTL formula:

EF EG p \Rightarrow AF r

The following is not a well-formed CTL formula:

EF \big(r U q\big)

The problem with this string is that U can occur only when paired with an A or an E. It uses atomic propositions as its building blocks to make statements about the states of a system. CTL then combines these propositions into formulas using logical operators and temporal logics.

Operators

Logical operators

The logical operators are the usual ones: \neg,\or,\and,\Rightarrow and \Leftrightarrow. Along with these operators CTL formulas can also make use of the boolean constants true and false.

Temporal operators

The temporal operators are the following:

  • Quantifiers over paths
    • A ϕ – All: ϕ has to hold on all paths starting from the current state.
    • E ϕ – Exists: there exists at least one path starting from the current state where ϕ holds.
  • Path-specific quantifiers
    • X ϕ – Next: ϕ has to hold at the next state (this operator is sometimes noted N instead of X).
    • G ϕ – Globally: ϕ has to hold on the entire subsequent path.
    • F ϕ – Finally: ϕ eventually has to hold (somewhere on the subsequent path).
    • ϕ U ψ – Until: ϕ has to hold at least until at some position ψ holds. This implies that ψ will be verified in the future.
    • ϕ W ψ – Weak until: ϕ has to hold until ψ holds. The difference with U is that there is no guarantee that ψ will ever be verified. The W operator is sometimes called "unless".

In CTL*, the temporal operators can be freely mixed. In CTL, the operator must always be grouped in two: one path operator followed by a state operator. See the examples below. CTL* is strictly more expressive than CTL.

Minimal set of operators

In CTL there is a minimal set of operators. All CTL formulas can be transformed to use only those operators. This is useful in model checking. One minimal set of operators is: {false, \or, \neg, EG, EU, EX}.

Some of the transformation used for temporal operator are:

  • EFϕ == E[trueU(ϕ)] ( because Fϕ == [trueU(ϕ)] )
  • AXϕ == \negEX(\negϕ)
  • AGϕ == \negEF(\negϕ) == \neg E[trueU(\negϕ)]
  • AFϕ == A[trueUϕ] == \negEG(\negϕ)
  • A[ϕUψ] == \neg( E[(\negψ)U\neg(ϕ\orψ)] \or EG(\negψ) )

Semantics of CTL

Definition

CTL formulae are interpreted over Transition Systems. A transition system is a triple \mathcal{M}=(S,\rightarrow,L), where S is a set of states, \rightarrow \subseteq S \times S is a transition relation, assumed to be serial, i.e. every state has at least one successor, and L is a labelling function, assigning propositional letters to states. Let \mathcal{M}=(S,\rightarrow,L) be such a transition model

with s \in S, \phi \in F where F is the set of wffs over the Language of \mathcal{M}.

Then the relation of semantic entailment (\mathcal{M}, s \models \phi) is defined by Structural Induction on ϕ:

  1. \Big( (\mathcal{M}, s) \models \top \Big) \land \Big( (\mathcal{M}, s) \not\models \bot \Big)
  2. \Big( (\mathcal{M}, s) \models p \Big) \Leftrightarrow \Big( p \in L(s) \Big)
  3. \Big( (\mathcal{M}, s) \models \neg\phi \Big) \Leftrightarrow \Big( (\mathcal{M}, s) \not\models \phi \Big)
  4. \Big( (\mathcal{M}, s) \models \phi_1 \land \phi_2 \Big) \Leftrightarrow \Big( \big((\mathcal{M}, s) \models \phi_1 \big) \land \big((\mathcal{M}, s) \models \phi_2 \big) \Big)
  5. \Big( (\mathcal{M}, s) \models \phi_1 \lor \phi_2 \Big) \Leftrightarrow \Big( \big((\mathcal{M}, s) \models \phi_1 \big) \lor \big((\mathcal{M}, s) \models \phi_2 \big) \Big)
  6. \Big( (\mathcal{M}, s) \models \phi_1 \Rightarrow \phi_2 \Big) \Leftrightarrow \Big( \big((\mathcal{M}, s) \not\models \phi_1 \big) \lor \big((\mathcal{M}, s) \models \phi_2 \big) \Big)
  7. \bigg( (\mathcal{M}, s) \models \phi_1 \Leftrightarrow \phi_2 \bigg) \Leftrightarrow \bigg( \Big( \big((\mathcal{M}, s) \models \phi_1 \big) \land \big((\mathcal{M}, s) \models \phi_2 \big) \Big) \lor \Big( \neg \big((\mathcal{M}, s) \models \phi_1 \big) \land \neg \big((\mathcal{M}, s) \models \phi_2 \big) \Big) \bigg)
  8. \Big( (\mathcal{M}, s) \models AX\phi \Big) \Leftrightarrow \Big( \forall \langle s \rightarrow s_1 \rangle \big( (\mathcal{M}, s_1) \models \phi \big) \Big)
  9. \Big( (\mathcal{M}, s) \models EX\phi \Big) \Leftrightarrow \Big( \exists \langle s \rightarrow s_1 \rangle \big( (\mathcal{M}, s_1) \models \phi \big) \Big)
  10. \Big( (\mathcal{M}, s) \models AG\phi \Big) \Leftrightarrow \Big( \forall \langle s_1 \rightarrow s_2 \rightarrow \ldots \rangle (s=s_1) \forall i \big( (\mathcal{M}, s_i) \models \phi \big) \Big)
  11. \Big( (\mathcal{M}, s) \models EG\phi \Big) \Leftrightarrow \Big( \exists \langle s_1 \rightarrow s_2 \rightarrow \ldots \rangle (s=s_1) \forall i \big( (\mathcal{M}, s_i) \models \phi \big) \Big)
  12. \Big( (\mathcal{M}, s) \models AF\phi \Big) \Leftrightarrow \Big( \forall \langle s_1 \rightarrow s_2 \rightarrow \ldots \rangle (s=s_1) \exists i \big( (\mathcal{M}, s_i) \models \phi \big) \Big)
  13. \Big( (\mathcal{M}, s) \models EF\phi \Big) \Leftrightarrow \Big( \exists \langle s_1 \rightarrow s_2 \rightarrow \ldots \rangle (s=s_1) \exists i \big( (\mathcal{M}, s_i) \models \phi \big) \Big)
  14. \bigg( (\mathcal{M}, s) \models A[\phi_1 U \phi_2] \bigg) \Leftrightarrow \bigg( \forall \langle s_1 \rightarrow s_2 \rightarrow \ldots \rangle (s=s_1) \exists i \Big( \big( (\mathcal{M}, s_i) \models \phi_2 \big) \land \big( \forall (j < i) (\mathcal{M}, s_j) \models \phi_1 \big) \Big) \bigg)
  15. \bigg( (\mathcal{M}, s) \models E[\phi_1 U \phi_2] \bigg) \Leftrightarrow \bigg( \exists \langle s_1 \rightarrow s_2 \rightarrow \ldots \rangle (s=s_1) \exists i \Big( \big( (\mathcal{M}, s_i) \models \phi_2 \big) \land \big( \forall (j < i) (\mathcal{M}, s_j) \models \phi_1 \big) \Big) \bigg)

Characterisation of CTL

Rules 10–15 above refer to computation paths in models and are what ultimately characterise the "Computation Tree"; they are assertions about the nature of the infinitely deep computation tree rooted at the given state s.

Semantic equivalences

The formulae ϕ and ψ are said to be semantically equivalent if any state in any model which satisfies one also satisfies the other. This is denoted \phi \equiv \psi

It can be seen that A and E are duals, being universal and existential computation path quantifiers respectively: \neg A\phi \equiv E \neg \phi .

Furthermore so are G and F.

Hence an instance of De Morgan's Laws can be formulated in CTL:

\neg AF\phi \equiv EG\neg\phi
\neg EF\phi \equiv AG\neg\phi
\neg AX\phi \equiv EX\neg\phi

It can be shown using such identities that a subset of the CTL temporal connectives is adequate if it contains EU, at least one of {AX,EX} and at least one of {EG,AF,AU} and the boolean connectives.

The important equivalences below are called the expansion laws; they allow to unfold the verification of a CTL connective towards its successors in time.

AG\phi \equiv \phi \land AX AG \phi
EG\phi \equiv \phi \land EX EG \phi
AF\phi \equiv \phi \lor AX AF \phi
EF\phi \equiv \phi \lor EX EF \phi
A[\phi U \psi] \equiv \psi \lor (\phi \land AX A [\phi U \psi])
E[\phi U \psi] \equiv \psi \lor (\phi \land EX E [\phi U \psi])

Examples

Let "P" mean "I like chocolate" and Q mean "It's warm outside."

  • AG.P
"I will like chocolate from now on, no matter what happens."
  • EF.P
"It's possible I may like chocolate some day, at least for one day."
  • AF.EG.P
"It's always possible (AF) that I will suddenly start liking chocolate for the rest of time." (Note: not just the rest of my life, since my life is finite, while G is infinite).
  • EG.AF.P
"This is a critical time in my life. Depending on what happens next (E), it's possible that for the rest of time (G), there will always be some time in the future (AF) when I will like chocolate. However, if the wrong thing happens next, then all bets are off and there's no guarantee about whether I'll ever like chocolate."
  • A(PUQ)
"From now until it's warm outside, I will like chocolate every single day. Once it's warm outside, all bets are off as to whether I'll like chocolate anymore. Oh, and it's guaranteed to be warm outside eventually, even if only for a single day."
  • E((EX.P)U(AG.Q))
"It's possible that: there will eventually come a time when it will be warm forever (AG.Q) and that before that time there will always be some way to get me to like chocolate the next day (EX.P)."

Relations with other logics

Computation tree logic (CTL) is a subset of CTL* as well as of the modal µ calculus. CTL is also a fragment of Alur, Henzinger and Kupferman's Alternating-time Temporal Logic (ATL).

Computation tree logic (CTL) and Linear temporal logic (LTL) are both a subset of CTL*. CTL and LTL are not equivalent and they have a common subset, which is a proper subset of both CTL and LTL.

  • FG.P exists in LTL but not in CTL.
  • AG(P\Rightarrow((EX.Q)\land(EX¬Q))) exists in CTL but not in LTL.

See also

References

  • Michael Huth and Mark Ryan (2004). Logic in Computer Science (Second Edition). Cambridge University Press. p. 207. ISBN 0-521-54310-X. 
  • Emerson, E. A. and Halpern, J. Y. (1985). "Decision procedures and expressiveness in the temporal logic of branching time". Journal of Computer and System Sciences 30 (1): 1–24. doi:10.1016/0022-0000(85)90001-7. 
  • Clarke, E. M., Emerson, E. A., and Sistla, A. P. (1986). "Automatic verification of finite-state concurrent systems using temporal logic specifications". ACM Transactions on Programming Languages and Systems 8 (2): 244–263. doi:10.1145/5397.5399. 
  • Emerson, E. A. (1990). "Temporal and modal logic". In Jan van Leeuwen. Handbook of Theoretical Computer Science, vol. B. MIT Press. pp. 955–1072. ISBN 0-262-22039-3. 

External links


Wikimedia Foundation. 2010.

Игры ⚽ Поможем написать реферат

Look at other dictionaries:

  • Computation Tree Logic — Die Computation Tree Logic (kurz CTL) ist eine Temporale Logik, die speziell zur Spezifikation und Verifikation von Computersystemen dient. Meist wird sie auch mit CTL* bezeichnet. CTL bezeichnet dann eine spezielle Teilmenge der CTL* Formeln.… …   Deutsch Wikipedia

  • Computation Tree Logic* — Die Computation Tree Logic (kurz CTL) ist eine Temporale Logik, die speziell zur Spezifikation und Verifikation von Computersystemen dient. Meist wird sie auch mit CTL* bezeichnet. CTL bezeichnet dann eine spezielle Teilmenge der CTL* Formeln.… …   Deutsch Wikipedia

  • computation tree logic — noun A particular modal logic of branching time with operators next , globally , finally or eventually , until , and weak until . Syn: computational tree logic, CTL …   Wiktionary

  • Computational tree logic — Computation tree logic (CTL) is a branching time logic, meaning that its model of time is a tree like structure in which the future is not determined; there are different paths in the future, any one of which might be an actual path that is… …   Wikipedia

  • Category:Logic in computer science — Logic in computer science is that branch of mathematical logic which is approximately the intersection between mathematical logic and computer science. It contains: Those investigations into logic that are guided by applications in computer… …   Wikipedia

  • Logic programming — is, in its broadest sense, the use of mathematical logic for computer programming. In this view of logic programming, which can be traced at least as far back as John McCarthy s [1958] advice taker proposal, logic is used as a purely declarative… …   Wikipedia

  • Linear temporal logic — Lineare temporale Logik (LTL oder Linear temporal logic) ist ein Modell temporaler Logik mit zeitlichen Modalitäten. In LTL, können Formeln über die Zukunft von Pfaden aufgestellt werden, wie dass eine Bedingung irgendwann wahr wird, eine… …   Deutsch Wikipedia

  • Temporal logic — In logic, the term temporal logic is used to describe any system of rules and symbolism for representing, and reasoning about, propositions qualified in terms of time. It is sometimes also used to refer to tense logic, a particular modal logic… …   Wikipedia

  • Linear Time Temporal Logic — Die Computation Tree Logic (kurz CTL) ist eine Temporale Logik, die speziell zur Spezifikation und Verifikation von Computersystemen dient. Meist wird sie auch mit CTL* bezeichnet. CTL bezeichnet dann eine spezielle Teilmenge der CTL* Formeln.… …   Deutsch Wikipedia

  • Modal logic — is a type of formal logic that extends classical propositional and predicate logic to include operators expressing modality. Modals words that express modalities qualify a statement. For example, the statement John is happy might be qualified by… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”