CTL May Be Ambiguous when Model Checking Moore Machines

Cédric Roux and Emmanuelle Encrenaz
Université Pierre et Marie Curie, Laboratoire d'Informatique de Paris 6
Architecture des Systèmes Intégrés et Micro-électronique (UPMC LIP6 ASIM)
CHARME 2003
Modeling versus Verification

Modeling world: Moore or Mealy machines
Verification world: Kripke structures
[Figure: a "Translation" arrow leads from the modeling world (Moore or Mealy machines) to the verification world (Kripke structures)]
From Moore to Kripke

[Figure: a Moore machine whose transitions are labelled with the input signal i]
From Moore to Kripke: First translation scheme

Remove the input signals.
[Figure: the same Moore machine with the input labels i dropped from its transitions]
Simple.
Impossible to express properties including input signals.
From Moore to Kripke: Second translation scheme

Input signals into target state of transitions.
[Figure: a Moore machine with states a, b, c, d, e, f, g and input i, translated into a Kripke structure with states a0, a1, b0, b1, c0, c1, d0, d1, e0, e1, f0, f1, g0, g1, each Kripke state carrying the input value of the transition that reaches it]
Composition of Moore machines lost.
From Moore to Kripke: Third translation scheme

Input signals into source state of transitions.
[Figure: the same Moore machine (states a to g, input i), translated into a Kripke structure with states a0, a1, ..., g1, each Kripke state carrying the input value read in its source state]
We can compose Moore machines.
This may introduce ambiguities when using CTL.
Possible CTL ambiguities: Checking the property AX EX p

[Figure: the Moore machine (states a to g, input i), highlighting in turn the states verifying p, the states verifying EX p, and the states verifying AX EX p]
[Figure: the Kripke structure obtained by the third translation scheme (states a0, a1, ..., g1), highlighting in turn the states verifying p, the states verifying EX p, and the states verifying AX EX p]
"AX EX p does not have the same truth value in both structures"
Possible CTL ambiguities: A first ambiguity

[Figure: the Moore machine and the Kripke structure side by side, highlighting the states verifying EX p]
States b0 and b1 should verify EX p, as state b does.
We introduce E_i to remove this ambiguity.
[Figure: the same two structures, now highlighting the states verifying E_i EX p]
Possible CTL ambiguities: A second ambiguity

[Figure: the Moore machine and the Kripke structure side by side, highlighting the states verifying AX EX p]
b0 (and b1) should not verify AX EX p, and a0 and a1 should.
We introduce A_i to remove this ambiguity.
[Figure: the same two structures, now highlighting the states verifying A_i AX EX p]
Possible CTL ambiguities: Checking the property A_i AX E_i EX p

[Figure: the Kripke structure (states a0, a1, ..., g1), highlighting in turn the states verifying p, the states verifying E_i EX p, and the states verifying A_i AX E_i EX p]
Possible CTL ambiguities: Comparison with AX EX p

[Figure: the Moore machine with its states verifying AX EX p, beside the Kripke structure with its states verifying A_i AX E_i EX p]
The ambiguities have been removed.
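The slides above show the two ambiguities on a drawn Moore machine whose transitions are not recoverable from the text, so the following is an added example, not code from the talk: a constructed Moore machine over states a to g with a one-bit input i, the third translation scheme (the Kripke state (s, i) stores the input read in s and steps to (delta(s, i), i') for every next input i'), and a small evaluator for CTL plus the two iCTL quantifiers. The semantics assumed for A_i and E_i, that A_i f (E_i f) holds at (s, i) iff f holds at (s, i') for every (some) input i', is my reading of the slides, not a definition they give. The machine is built so that b reaches a p-state under one input only, which reproduces the first ambiguity on EX p, and so that AX EX p is true at a and false at b in the Moore reading while the translated copies disagree, which reproduces the second one.

```python
"""Added example: a constructed Moore machine, its third-scheme Kripke
translation, and a CTL / iCTL evaluator that reproduces the AX EX p
ambiguity and shows A_i AX E_i EX p removing it."""

INPUTS = (0, 1)

# Constructed Moore machine: next-state function delta(state, input).
# State names follow the slides (a..g) but the transitions are an assumption.
DELTA = {
    ("a", 0): "b", ("a", 1): "c",
    ("b", 0): "d", ("b", 1): "e",
    ("c", 0): "f", ("c", 1): "g",
    ("d", 0): "d", ("d", 1): "d",
    ("e", 0): "e", ("e", 1): "e",
    ("f", 0): "f", ("f", 1): "f",
    ("g", 0): "g", ("g", 1): "g",
}
STATES = sorted({s for s, _ in DELTA})
P = {"d", "f"}  # Moore output: states where the atomic proposition p holds

# Formulas are nested tuples: ("p",), ("EX", f), ("AX", f), ("Ei", f), ("Ai", f).
PROP = ("p",)


def moore_sat(formula, s):
    """CTL read directly on the Moore machine: the successors of s are
    delta(s, i) for every input i, so EX / AX quantify over the inputs."""
    op = formula[0]
    if op == "p":
        return s in P
    nexts = [DELTA[(s, i)] for i in INPUTS]
    if op == "EX":
        return any(moore_sat(formula[1], t) for t in nexts)
    if op == "AX":
        return all(moore_sat(formula[1], t) for t in nexts)
    raise ValueError("A_i / E_i are only defined on the translated Kripke structure")


def kripke_successors(state):
    """Third translation scheme: the Kripke state (s, i) records the input read
    in s; its successors are (delta(s, i), i') for every possible next input i'."""
    s, i = state
    return [(DELTA[(s, i)], j) for j in INPUTS]


def kripke_sat(formula, state):
    """CTL plus the iCTL input quantifiers on the translated structure.
    Assumed semantics: A_i f (E_i f) holds at (s, i) iff f holds at (s, i')
    for every (some) input i', i.e. they re-quantify the input component."""
    op = formula[0]
    s, _ = state
    if op == "p":
        return s in P
    if op == "EX":
        return any(kripke_sat(formula[1], t) for t in kripke_successors(state))
    if op == "AX":
        return all(kripke_sat(formula[1], t) for t in kripke_successors(state))
    if op == "Ei":
        return any(kripke_sat(formula[1], (s, j)) for j in INPUTS)
    if op == "Ai":
        return all(kripke_sat(formula[1], (s, j)) for j in INPUTS)
    raise ValueError(f"unknown operator {op!r}")


def disagreements(moore_formula, kripke_formula):
    """Kripke states (s, i) whose truth value for kripke_formula differs from
    the truth value of moore_formula at the underlying Moore state s."""
    return sorted(
        (s, i)
        for s in STATES
        for i in INPUTS
        if kripke_sat(kripke_formula, (s, i)) != moore_sat(moore_formula, s)
    )


AX_EX_P = ("AX", ("EX", PROP))                       # plain CTL property
ICTL_AX_EX_P = ("Ai", ("AX", ("Ei", ("EX", PROP))))  # iCTL version of it

if __name__ == "__main__":
    # First ambiguity: EX p on the translation vs. EX p on the machine.
    print("EX p        :", disagreements(("EX", PROP), ("EX", PROP)))
    print("E_i EX p    :", disagreements(("EX", PROP), ("Ei", ("EX", PROP))))
    # Second ambiguity: AX EX p on the translation vs. on the machine.
    print("AX EX p     :", disagreements(AX_EX_P, AX_EX_P))
    print("A_i AX E_i EX p:", disagreements(AX_EX_P, ICTL_AX_EX_P))
```

Run as a script, the first and third lines list the translated states that disagree with the Moore reading (b1 and c1 for EX p; a0, a1, b0 and c0 for AX EX p), and the second and fourth lines are empty: once the input component is re-quantified with E_i under EX and A_i above AX, every copy (s, i) agrees with its Moore state s.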
iCTL

Extends CTL with A_i and E_i.
More expressive than CTL.
Easily integrable in a symbolic model-checker (univ_abstract, exist_abstract).
Applicable to Mealy machines.
A_i and E_i are not relevant for LTL.
A_i AX and E_i EX seem similar to [ * ] and < * > of the mu-calculus, but what about E_i AX and A_i EX?
Thank you