Temporal Logic and Model Checking
Reactive Systems

We often classify systems into two types:



Transformational: functions from inputs available at the start of the
computation to outputs provided on termination
Reactive: behaviour is in general infinite: a process in a reactive system is
usually non terminating continuously responding to stimuli from its
environment
Implication – these different systems need different techniques for
reasoning about system correctness
Reasoning about Correctness





A system state is a snapshot of the system’s variables at some
point in time
System changes state in response to stimuli
A pair of states, one before action, one after is called a transition
The computation of a reactive system is a possibly infinite
sequence of states, each obtained from the previous state via a
transition
Clarke slides

http://www-2.cs.cmu.edu/~emc/15-820A/reading/lecture_0.pdf
Example: Microwave Oven
Start
Close
Heat
Error
start oven
close door
open door
open door
cook
Start
Close
Heat
Error
Start
Close
Heat
Error
open door
close door
Start
Close
Heat
Error
reset
done
start cooking
start oven
Start
Close
Heat
Error
Start
Close
Heat
Error
warmup
Start
Close
Heat
Error
CTL Specification

We would like the microwave to have the following properties
(among others):

No heat while door is open


If oven starts, it will eventually start cooking


AG (Start → AF Heat)
It must be possible to correct errors


AG( Heat → Close):
AG( Error → AF ¬ Error):
Does it? How do we prove it?
Model Checking Problem


Given a Kripke structure M = (S,R,L) that represents a finitestate transition graph and a temporal logic formula f
Find all states in S that satisfy f:


{s  S | M,s ╞ f }
and check that initial states are among these.
CTL Model Checking Algorithm

Iterate over subformulas of f from smallest to largest


For each s  S, if subformula is true in s, add it to labels(s)
When algorithm terminates

M,s ╞ f iff f  labels(s)
Checking Subformulas
Any CTL formula can be expressed in terms of:

¬, , EX, EU, and EG,
Therefore must consider 6 cases:

Atomic proposition


¬f1

if ap  L(s), add to labels(s)

f1 f2


if f1 labels(s) or f1 labels(s), add f1 f2 to labels(s)
EX f1


if f1 labels(s), add ¬f1 to labels(s)
add EX f1 to labels(s) if successor of s, s', has f1labels(s')
Checking Subformulas
E[f1 U f2]




Find all states s for which f2  labels(s)
Follow paths backwards from s finding all states that can reach s
on a path in which every state is labeled with f1
Label each of these states with E[f1 U f2]
Checking Subformulas

EG f1


Basic idea – look for one infinite path on which f1 holds.
Decompose M into nontrivial strongly connected components

A strongly connected component (SCC) C is


C is nontrivial iff either



a maximal subgraph such that every node in C is reachable by every other
node in C on a directed path that contained entirely within C.
it has more than one node or
it contains one node with a self loop
Create M' = (S’,R’,L’) from M by removing all states s  S in
which f1 labels(s) and updating S, R, and L accordingly
Checking Subformulas

Lemma M,s ╞ EG f1 iff
1.
s  S'
2.
There exists a path in M' that leads from s to some node t in a
nontrivial strongly connected component of the graph (S', R').
Proof left as exercise, but basic idea is




Can’t have an infinite path over finite states without cycles
So if we find a path from s to a cycle and f1 holds in every state (by
construction)
Then we’ve found an infinite path over which f1 holds
Checking EF f1
procedure CheckEG(f1)
S' = {s | f1  labels(s)};
SCC = {C | C is a nontrivial SCC of S'};
T = C  SCC {s | s  C};
for all s  T do labels(s) = labels(s)  {EG f1};
while T ≠  do
choose s  T;
T = T \ {s};
for all t such that t  S' and R(t,s) do
if EG f1  labels(t) then
labels(t) = labels(t)  {EG f1};
T = T  {t};
end if;
end for all;
end while;
end procedure;
Checking a Property

Checking AG(Start → AF Heat)



Rewrite as ¬EF(Start  EG ¬Heat)
Rewrite as ¬ E[ true U (Start  EG ¬Heat)]
Compute labels for smallest subformulas


Start, Heat
¬ Heat
Formulas/States
1
Start
2
3
x
Heat
¬ Heat
EG ¬Heat
Start  EG ¬Heat
E[true U(Start  EG ¬Heat)]
¬ E[true U(Start  EG ¬Heat)]
4
5
6
7
x
x
x
x
x
x
x
x
x
x
Checking a Property






Compute labels for EG ¬Heat
S’ = {1,2,3,5,6}
SCC = {{1,2,3,5}}
T = {1,2,3,5}
No other state in S’ can reach a state in T along a path in S’.
Computation terminates. States 1,2,3, and 5 labelled with EG ¬Heat
Formulas/States
1
Start
2
3
4
x
Heat
5
6
7
x
x
x
x
x
¬ Heat
x
x
x
x
EG ¬Heat
x
x
x
x
Start  EG ¬Heat
E[true U(Start  EG ¬Heat)]
¬ E[true U(Start  EG ¬Heat)]
x
Checking a Property

Compute labels for Start  EG ¬Heat
Formulas/States
1
Start
2
3
4
x
Heat
5
6
7
x
x
x
x
x
¬ Heat
x
x
x
x
EG ¬Heat
x
x
x
x
Start  EG ¬Heat
E[true U(Start  EG ¬Heat)]
¬ E[true U(Start  EG ¬Heat)]
x
x
x
Checking a Property



E[true U(Start  EG ¬Heat)]
Start with set of states in which Start  EG ¬Heat holds i.e., {2,5}
Work backwards marking every state in which true holds
Formulas/States
1
Start
2
3
4
x
Heat
5
6
7
x
x
x
x
x
¬ Heat
x
x
x
x
EG ¬Heat
x
x
x
x
Start  EG ¬Heat
E[true U(Start  EG ¬Heat)]
¬ E[true U(Start  EG ¬Heat)]
x
x
x
x
x
x
x
x
x
x
Checking a Property


Check ¬ E[true U(Start  EG ¬Heat)]
Leaves us with the empty set, so safety property doesn’t hold over
microwave oven
Formulas/States
1
Start
2
3
4
x
Heat
5
6
7
x
x
x
x
x
¬ Heat
x
x
x
x
EG ¬Heat
x
x
x
x
Start  EG ¬Heat
E[true U(Start  EG ¬Heat)]
¬ E[true U(Start  EG ¬Heat)]
x
x
x
x
x
x
x
x
x
x