UCL - To Read

Computational Tree Logic (CTL) and model checking are introduced. CTL is a temporal logic used for formal specification and verification of systems. Model checking is defined as verifying whether a logical formula φ is true in a model M of the system. CTL formulas are evaluated over transition systems that model systems as states and transitions between states. The semantics of CTL are defined inductively based on the structure of formulas to determine if φ is true at a state in the transition system model.


Computational Tree Logic and Model Checking

A simple introduction

F. Raimondi

I am Franco Raimondi, [email protected]


Slides, coursework and coursework solutions can be found online:
http://www.cs.ucl.ac.uk/staff/f.raimondi/ (choose Teaching).
Textbook: M. Huth and M. Ryan, Logic in Computer Science (the page numbers mentioned below refer to the second edition).
Structure of the lectures:
Lectures on CTL and NuSMV (2 or 3 hours, 1.20)
Lab class on NuSMV (1 or 2 hours, 4.06)
Coursework (will be given next Friday; deadline Friday 2 Feb, electronic submission by email)
Thanks to Dr. Alessio Lomuscio (now at Imperial College) for various material in these slides.
A simple introduction to CTL and model checking

Slide 2

Reference material for CTL


pp. 207-217 (Section 3.4): Syntax, Semantics, Specification Patterns, Equivalence of Formulas.
pp. 221-230 (Section 3.6.1): Model checking algorithms.
Reference material for NuSMV
Lecture notes based on NuSMV tutorial available online.


Introduction
There is a great advantage in being able to verify the correctness of
computer systems, whether they are hardware, software, or a
combination. This is most obvious in the case of safety-critical
systems, but also applies to those that are commercially critical (such
as mass-produced chips), mission critical (think of NASA rovers),
etc.
In this lecture: verification using model checking.
Model checking is an automatic, model-based, property verification
approach.


Model checking: definition

Given a model M and a formula φ, model checking is the problem of verifying whether or not φ is true in M (written M |= φ: don't worry, it will be much clearer by the end of these slides).
In the diagram on the slide: a distributed system is abstracted into a logical model M; a required property is represented as a logical formula φ; the question is then M |= φ?


Model checking and temporal logic


Model checking is based mainly on temporal logic. There are various kinds of temporal logic: Linear Temporal Logic (LTL), Computational Tree Logic (CTL), CTL*, μ-calculus, etc.
In this lecture we will cover CTL, a logic to reason about sequences of events. For instance, we will write formally statements such as: "There exists an execution of the system such that, if the proposition p is true, then in the next computation step q is true" (at the end of this lecture: try to encode this in CTL).


Basic concepts: syntax and semantics


Syntax tells how to write formulas: syntax gives the rules to write correct (i.e., well-formed) formulas (wff).
Semantics gives a meaning to well-formed formulas: semantics is used to decide whether a given wff is true or false.


CTL Syntax
We start from a set of atomic propositions AP = {p, q, . . .}. Atomic propositions stand for atomic facts which may hold in a system, e.g. "Printer ps706 is busy", "Process 1486 is idle", "The value of x is 5", etc.
The Backus-Naur form for CTL formulae is the following:

φ ::= ⊥ | ⊤ | p | ¬φ | φ ∧ φ | φ ∨ φ | φ → φ | AXφ | EXφ | AFφ | EFφ | AGφ | EGφ | A[φ U φ] | E[φ U φ]

IF YOU DON'T KNOW THE MEANING OF THIS EXPRESSION PLEASE RAISE YOUR HAND NOW!!!


CTL Syntax
Each CTL operator is a pair of symbols. The first one is either A (for All paths) or E (there Exists a path). The second one is one of X (neXt state), F (in a Future state), G (Globally in the future) or U (Until).
NOTICE: U is a binary operator; it could be written EU(φ, ψ) or AU(φ, ψ). Notice that the quantifier is graphically separated (e.g., E[p U q]), but it is in fact a single operator EU, which could be written EU(p, q).
Example: AG(p → (EF q)) is read as "It is Globally the case that, if p is true, then there Exists a path such that at some point in the Future q is true".


CTL Syntax: parse trees

Parse trees are very useful to understand CTL formulas. For instance:
(EF (EGp)) E[pU q]
[Parse tree drawn on the slide: nodes EF, EG and EU.]


CTL Syntax: EXERCISE

Build the parse tree of the following formula:
A[pU q] (AF (EGr))
[Parse tree drawn on the slide: nodes AU, AF, EG and the atom q.]


CTL Syntax: EXERCISE


Is it a wff? Why?
1. EF Gr
2. AGp
3. A[pU (EF r)]
4. F [rU q]
5. EF (rU q)
6. AEF r
7. A[rU A[pU q]]
8. A[(rU q) (pU r)]


CTL Syntax: EXERCISE


Answers
1. EF Gr NO
2. AGp NO
3. A[pU (EF r)] YES
4. F [rU q] NO
5. EF (rU q) NO
6. AEF r NO
7. A[rU A[pU q]] YES
8. A[(rU q) (pU r)] NO

CTL Semantics
You should be able to identify well-formed CTL formulae. Now: how to evaluate formulae, i.e., how to decide whether or not a formula is true.
You should know the meaning of tautology and unsatisfiable formulae:
AG(p ∨ ¬p): tautology
AG(p ∧ ¬p): unsatisfiable
But what about EF p? It may be true or not, depending on how we evaluate formulae.


CTL Semantics: transition systems


We evaluate formulae in transition systems. A transition system models a system by means of states and transitions between states. Formally:
A transition system M = (S, R_t, L) is a set of states S with a binary relation R_t ⊆ S × S and a labelling function L : S → 2^AP (AP is a set of atomic propositions, see above). The relation R_t is serial, i.e., for every state s ∈ S there exists a state s' such that s R_t s'.


CTL Semantics: transition systems


An example M = (S, R_t, L) (drawn on the slide as three states s0, s1, s2 with their labels):
Here S = {s0, s1, s2}, R_t = {(s0, s1), (s0, s2), (s1, s0), (s1, s2), (s2, s2)},
and L(s0) = {p, q}, L(s1) = {q, r}, L(s2) = {r}.


CTL semantics: from transition systems to computation paths

It is useful to visualise all possible computation paths by unwinding the transition system:
[Figure: the example transition system above and its unwinding into an infinite tree rooted at s0 (p,q), branching to s1 (q,r) and s2 (r), with s2 repeating itself forever.]


CTL semantics: computation paths EXERCISE

Unwind the following transition system:
[Figure: a transition system with states s0, s1, s2, s3, labelled with subsets of {p, q, r}.]


CTL semantics: computation paths EXERCISE SOLUTION

[Figure: the transition system of the exercise and its unwinding into a computation tree.]


Short summary
You should be able to recognise well-formed CTL formulas.
You know what a transition system is (M = (S, R_t, L)).
You know how to unwind a transition system and obtain computation paths.
Next: given a CTL formula φ and a transition system M, establish whether or not φ is true at a given state s in M, written as:
M, s |= φ


CTL semantics (finally!)

Let M = (S, R_t, L) be a transition system (also called a model for CTL). Let φ be a CTL formula and s ∈ S. M, s |= φ is defined inductively on the structure of φ, as follows (I'm using the first transition system of today as an example on the board):
M, s |= ⊤
M, s ⊭ ⊥
M, s |= p iff p ∈ L(s)
M, s |= ¬φ iff M, s ⊭ φ
M, s |= φ ∧ ψ iff M, s |= φ and M, s |= ψ
M, s |= φ ∨ ψ iff M, s |= φ or M, s |= ψ


CTL Semantics (temporal operators)

M, s |= AXφ iff for all s' s.t. s R_t s', M, s' |= φ
M, s |= EXφ iff there is s' s.t. s R_t s' and M, s' |= φ
M, s |= AGφ iff for all paths (s, s2, s3, s4, . . .) s.t. s_i R_t s_{i+1}, and for all i, it is the case that M, s_i |= φ
M, s |= EGφ iff there is a path (s, s2, s3, s4, . . .) s.t. s_i R_t s_{i+1}, and for all i it is the case that M, s_i |= φ
M, s |= AFφ iff for all paths (s, s2, s3, s4, . . .) s.t. s_i R_t s_{i+1}, there is a state s_i s.t. M, s_i |= φ
M, s |= EFφ iff there is a path (s, s2, s3, s4, . . .) s.t. s_i R_t s_{i+1}, and there is a state s_i s.t. M, s_i |= φ


CTL Semantics (temporal operators)

M, s |= A[φ U ψ] iff for all paths (s, s2, s3, s4, . . .) s.t. s_i R_t s_{i+1}, there is a state s_j s.t. M, s_j |= ψ and M, s_i |= φ for all i < j.
M, s |= E[φ U ψ] iff there exists a path (s, s2, s3, s4, . . .) s.t. s_i R_t s_{i+1}, and there is a state s_j s.t. M, s_j |= ψ and M, s_i |= φ for all i < j.


CTL semantics: EXERCISE

Consider the following transition system:
[Figure: the same four-state transition system (s0 to s3) as in the unwinding exercise.]
Verify whether or not: (1) M, s0 |= EX(p); (2) M, s0 |= EXEG(r); (3) M, s1 |= AG(q r); (4) M, s2 |= A[rU q]; (5) M, s1 |= A[qU AG(r)]; (6) M, s1 |= E[qU EG(r)]; (7) M, s0 |= EG(q); (8) M, s1 |= EF AG(q).


CTL semantics: EXERCISE SOLUTIONS


(1) YES; (2) YES; (3) YES ; (4) YES; (5) NO (because AG(r) is
never true if you keep looping between s0 and s1 ); (6) YES; (7) YES;
(8) YES.


Equivalences between CTL formulas

In the syntax of CTL we introduced all the operators AX, EX, AF, EF, AG, EG, AU, and EU. However, some formulas are equivalent:
AXφ ≡ ¬EX¬φ
AGφ ≡ ¬EF¬φ
AFφ ≡ ¬EG¬φ
Moreover, EFφ ≡ E[⊤ U φ]. Therefore, only three operators are required to express all the remaining ones: EX, EG, EU (this is called an adequate set of operators). This is useful when developing algorithms for model checking.


Specification patterns
Temporal logics are useful to express requirements of systems. Typically, requirements have common and recurring patterns. For instance, two examples of patterns:
Liveness: "Something good will eventually happen." For instance: "Whenever any process requests to enter its critical section, it will eventually be permitted to do so." In CTL:
AG(request → AF(critical))
Safety: "Nothing bad will happen." For instance: "Only one process is in its critical section at any time." In CTL (with 2 processes only):
AG(¬(critical1 ∧ critical2))

Specification patterns: EXERCISE

Write in CTL the following requirements:
1. From any state it is possible to get to a reset state.
2. Event p precedes s and t on all computation paths (try to encode the negation of this).
3. On all computation paths, after p, q is never true.
Answers:
1. AG EF(reset)
2. The negation: there exists in the future a state in which p follows s t: EF ((s t) EF (p)). Its negation: EF ((s t) EF (p)) AG(((s t) EF (p)))
3. AG(p → ¬(EF(q)))


Summary
You are able to recognise and write well-formed CTL formulas.
You are able to unwind a transition system into computation paths.
You are able to evaluate whether or not a given CTL formula is
true at a given state of a transition system M .
You are able to recognise (simple) equivalent CTL formulas.
You are able to translate simple requirements from plain English
into CTL syntax.


Model checking algorithms


Model checking CTL: introduction

We have seen very simple examples in these slides. However, real systems may be composed of hundreds of thousands of states. Efficient algorithms are needed to verify M, s |= φ.
We will see examples of systems using NuSMV (a model checker) later in the course.
How do you verify a formula in a model? What we did: unwind the transition system M. However, a computer cannot check infinite data structures: we need to check finite data structures.
Next: an algorithm to compute the set of states of a model M in which φ holds, the labelling algorithm.


The labelling algorithm

INPUT: a CTL model M = (S, R_t, L) and a CTL formula φ.
OUTPUT: the set of states of M which satisfy φ.
Sketch: (1) express φ using the adequate set of operators EX, EG, EU; (2) operate recursively on the structure of φ, starting from sub-formulas.


The labelling algorithm, informally

Suppose all the subformulas of φ have already been labelled. If φ is:
p: label s with p if p ∈ L(s).
φ1 ∧ φ2: label s with φ1 ∧ φ2 if s is already labelled with both φ1 and φ2.
¬φ1: label s with ¬φ1 if s is not already labelled with φ1.
EXφ1: label s with EXφ1 if one of its successors is labelled with φ1.


The labelling algorithm for EG

If φ is EGφ1:
Label all states with EGφ1.
If any state s is not labelled with φ1, delete the label EGφ1.
Repeat: delete the label EGφ1 from any state if none of its successors is labelled with EGφ1, until there is no change.
If φ is E[φ1 U φ2]: see book.
See the code at page 227 of the book for the procedure SAT(φ) (pages 225-231 are optional).
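The labelling algorithm of these slides, applied to the three-state transition system of slide 16, as an added example that is not part of the original slides or of NuSMV: derived operators are rewritten into the adequate set EX, EG, EU with the equivalences of slide 26, and EG and EU are computed by the label-deletion and label-addition iterations just described. The tuple encoding of formulas and all function names are this example's own assumptions.

```python
# Added example (not from the slides): the labelling algorithm of slides 32-34 as a
# SAT procedure over the transition system of slide 16. Formulas are nested tuples,
# e.g. ("AG", ("imp", ("p","p"), ("EF", ("p","q")))); encoding and names are assumed.
# Constructed model from slide 16: states S, serial relation R_t, labelling L.
S = frozenset({"s0", "s1", "s2"})
RT = {("s0", "s1"), ("s0", "s2"), ("s1", "s0"), ("s1", "s2"), ("s2", "s2")}
L = {"s0": {"p", "q"}, "s1": {"q", "r"}, "s2": {"r"}}
MODEL = (S, RT, L)

def pre_exists(rt, target):
    """States with at least one successor in target (the EX step)."""
    return frozenset(u for (u, v) in rt if v in target)

def rewrite(op, a):
    """Derived operators in terms of the adequate set EX, EG, EU (slide 26).
    The A[f U g] rewriting is the standard one; it is not shown on the slides."""
    n = lambda f: ("not", f)
    if op == "imp": return ("or", n(a[0]), a[1])
    if op == "AX": return n(("EX", n(a[0])))
    if op == "EF": return ("EU", ("true",), a[0])
    if op == "AG": return n(("EF", n(a[0])))
    if op == "AF": return n(("EG", n(a[0])))
    if op == "AU":
        f, g = a
        return n(("or", ("EU", n(g), ("and", n(f), n(g))), ("EG", n(g))))
    raise ValueError(f"unknown operator {op}")

def sat(phi, model=MODEL):
    """Return the set of states of model in which phi holds."""
    states, rt, lab = model
    op, a = phi[0], phi[1:]
    sub = lambda f: sat(f, model)  # sub-formulas are labelled first
    if op == "true": return states
    if op == "false": return frozenset()
    if op == "p": return frozenset(s for s in states if a[0] in lab[s])
    if op == "not": return states - sub(a[0])
    if op == "and": return sub(a[0]) & sub(a[1])
    if op == "or": return sub(a[0]) | sub(a[1])
    if op == "EX": return pre_exists(rt, sub(a[0]))
    if op == "EG":  # label f-states, then drop any with no successor still labelled
        cur = sub(a[0])
        while True:
            nxt = cur & pre_exists(rt, cur)
            if nxt == cur: return cur
            cur = nxt
    if op == "EU":  # label g-states, then add f-states with a labelled successor
        f, cur = sub(a[0]), sub(a[1])
        while True:
            nxt = cur | (f & pre_exists(rt, cur))
            if nxt == cur: return cur
            cur = nxt
    return sub(rewrite(op, a))  # AX, EF, AG, AF, AU, imp

def holds(phi, s, model=MODEL):
    return s in sat(phi, model)  # M, s |= phi, read off the labelling
```

On this model, for instance, EG q is labelled exactly on s0 and s1 (the loop between them), while AG q holds nowhere because every state can reach s2, where q is false.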


Summary
You should be able to understand and to solve exercises about:
CTL syntax and parse trees.
CTL semantics: transition systems, computation paths, establish
whether or not a formula is true at a state in a model.
Recognise (simple) equivalent formulas.
Formalise in CTL temporal requirements expressed in plain
English.
Basic ideas about model checking algorithms.


Additional material if you are interested in the subject


All of chapter 3 of the book is worth reading (it introduces LTL and CTL* and the details of model checking algorithms).
M. B. Dwyer and G. S. Avrunin and J. C. Corbett, Property
Specification Patterns for Finite-State Verification, Proceedings
of FSMP, 1998.
E. M. Clarke and O. Grumberg and D. A. Peled, Model
Checking, The MIT Press, 1999.
F. Raimondi, Model Checking Multi-Agent Systems, PhD thesis
2006.
Please feel free to contact me for further information.
