Semantically Equivalent Formulas

About This Presentation

Title:

Semantically Equivalent Formulas

Description:

Satisfiable formulas ... Then F is satisfiable iff F is not valid. 10. function CNF(F) ... return satisfiable' end function. 20. Theorem ... – PowerPoint PPT presentation

Number of Views:84

Avg rating:3.0/5.0

Slides: 208

Provided by: alim88

Category:

more less

Transcript and Presenter's Notes

Title: Semantically Equivalent Formulas

1
Semantically Equivalent Formulas

Let F and ? be formulas of propositional logic.
We say that F and ? are semantically equivalent
iff
F ?
? F
hold. In that case we write F ?.
Further, we call F valid if
F
holds.

2
Examples of equivalent formulas

p ? q p ? q
p ? q q ? p
p ? q ? p r ? r
p ? q ? r p ? (q ?r)

3
Lemma

Given propositional logic formulas F1, F2, ,
Fn, ?, we have
F1, F2, , Fn ?
iff
F1 ?(F2 ? (F3 ? ? (Fn ? ?)))

4
Literal

A literal is either an atom p or the negation of
an atom p.

5
Conjunctive Normal Form (CNF)

A formula F is in conjunctive normal form (CNF)
if it is of the form
?1 ? ?2 ? . ? ?n
for some n 1, such that ?i is a literal, or
a disjunction of literal, for all 1 i n.

6
Examples for CNF formulas

(q ? p ? r) ? (p ? r) ? q
(p ? r) ? (p ? r) ? (p ? r)

7
Lemma

A disjunction of literals L1 ? L2 ? . ? Lm is
valid (i.e., L1 ? L2 ? . ? Lm) iff there are
1 i, j m such that Li is Lj.

8
Satisfiable formulas

Given a formula F in a propositional logic, we
say that F is satisfiable if there exists an
assignment of truth values to its propositional
atoms such that F is true.

9
Proposition

Let F be a formula of propositional logic. Then
F is satisfiable iff F is not valid.

10
function CNF(F)

/ pre-condition F implication free and in NNF/
/ post-condition CNF(F) computes an equivalent
CNF for F /
begin function
case
F is a literal return F
F is F1 ? F2 return CNF(F1) ? CNF(F2)
F is F1 ? F2 return DISTR(CNF(F1), CNF(F2) )
end case
end function

11
function DISTR(?1, ?2)

/ pre-condition ?1 and ?2 are in CNF /
/ post-condition DISTR(?1, ?2) computes a CNF
for ?1? ?2 /
begin function
case
?1 is ?11 ? ?12 return DISTR(?11 , ?2) ?
DISTR(?12 , ?2)
?2 is ?21 ? ?22 return DISTR(?1 , ?21) ?
DISTR(?1 , ?22)
otherwise ( no conjunction) return ?1?
?2
end case
end function

12
function NNF(F)

/ pre-condition F is implication free /
/ post-condition NNF(F) computes a NNF for F /
begin function
case
F is a literal return F
F is F1 return NNF(F1)
F is F1 ? F2 return NNF(F1) ? NNF(F2)
F is F1 ? F2 return NNF(F1) ? NNF(F2)
F is (F1 ? F2) return NNF(F1 ? F2)
F is (F1 ? F2) return NNF(F1 ? F2)
end case
end function

13
F p ? q ? p ? (r ? q)

IMPL_FREE F IMPL_FREE (p ? q ) ? IMPL_FREE
(p ?(r ? q))
((IMPL_FREE p ) ? (IMPL_FREE q )) ? IMPL_FREE
(p ?(r ? q))
((p ) ? IMPL_FREE q ) ? IMPL_FREE (p ?(r ?
q))
(p ? q ) ? IMPL_FREE (p ?(r ? q))
(p ? q ) ? ((IMPL_FREE (p) ? IMPL_FREE (r ?
q))
(p ? q ) ? (p ? IMPL_FREE (r ? q))
(p ? q ) ? (p ? ( (IMPL_FREE r) ? IMPL_FREE
(q)))
(p ? q ) ? (p ? ( r ? IMPL_FREE (q)))
(p ? q ) ? (p ? ( r ? q))

14
IMPL_FREE F (p ? q ) ? (p ? ( r ? q))
NNF (IMPL_FREE F )

NNF ( (p ? q )) ? NNF (p ? ( r ? q))
NNF ( (p ) ? q )) ? NNF (p ? ( r ? q))
(NNF (p )) ? (NNF (q )) ? NNF (p ? ( r ?
q))
(p ? (NNF (q ))) ? NNF (p ? ( r ? q))
(p ? q ) ? NNF (p ? ( r ? q))
(p ? q ) ? ((NNF p) ? (NNF ( r ? q)))
(p ? q ) ? ( p ? (NNF ( r ? q)))
(p ? q ) ? ( p ? ((NNF ( r)) ? (NNF q)))
(p ? q ) ? ( p ? ( r ? (NNF q)))
(p ? q ) ? ( p ? ( r ? q))

15
NNF (IMPL_FREE F) (p ? q ) ? ( p ? ( r ?
q))CNF(NNF (IMPL_FREE F))

CNF ((p ? q ) ? ( p ? (r ? q)))
DISTR ( CNF (p ? q ), CNF (p ? ( r ? q)))
DISTR (p ? q , CNF (p ? ( r ? q)))
DISTR (p ? q , p ? ( r ? q))
DISTR (p ? q , p) ? DISTR (p ? q , r ? q)
(p ? q ? p) ? DISTR (p ? q , r ? q)
(p ? q ? p) ? (p ? q ? r ? q)

16
Horn Formula F

is a formula F of propositional logic if it is
of the form ?1 ? ?2 ... ? ?n for some n 1 such
that ?i is of the form
p1 ? p2 ... ? pki ? qi
for some ki 1, where p1, p1, , pki, qi are
atoms, - or T. We call such ?i a Horn clause.

17
Examples of Horn formulas

(p ? q ? s ? p) ? (q ? r ? p) ? (p ? s ? s)
(p ? q ? s ? -) ? (q ? r ? p) ? (T ? s)
(p2 ? p3 ? p5 ? p13) ?(T? p2) ? (p5 ? p11 ? -)

18
Examples of non-Horn formulas

(p ? q ? s ? p) ? (q ? r ? p) ? (p ? s ? s)
(p ? q ? s ? -) ? (q ? r ? p) ? (T ? s)
(p2 ? p3 ? p5 ? p13 ? p27) ? (T? p2) ? (p5 ? p11
? -)
(p2 ? p3 ? p5 ? p13 ) ?(T? p2) ? (p5 ? p11 ? -)

19
function HORN(F)

/ Pre-condition F is a Horn formula/
/ Post-condition HORN(F) decides the
satisfiability for F /
begin function
mark all atoms p where T ? p is a
sub-formula of F
while there is a sub-formula p1 ? p2 ... ?
pki ? qi of F such that all pj
are marked but qi is not do
if qi - then return
unsatisfiable
else mark qi for all such
subformulas
end while
return satisfiable
end function

20
Theorem

The algorithm HORN is correct for the
satisfiability decision problem of Horn formulas
and has no more than n cycles in its while-loop
if n is the number of atoms in F. HORN always
terminates on correct input.

21
Kripke structure

Let AP be a set of atomic propositions. A Kripke
structure M
over AP is a four tuple M (S, S0, R, L) where
S is a finite set of states
S0 S is the set of initial states.
R S S is a transition relation that must be
total, that is for every state s S there is a
state s S such that R (s, s).
L S ? 2 AP is a function that labels each state
with the set of atomic proposition in that state.
A path in the structure M from a state s is an
infinite sequence of states
? s0 s1 s2 such that s0 s and R (si, si1)
holds for all i 0.

22
First order representationof Kipke structures

We use interpreted first order formulas to
describe concurrent systems.
We use usual logical connectives (and ?, or ?,
implies ?, not ?, and so on) and universal ( )
and existential ( ) quantifications.
Let V v1, , vn be the set of system
variables. We assume that the variables in V
range over a finite set D.
A valuation for V is a function that associated
a value in D with each variable v in V. Thus, s
is a valuation for V when s V ? D.
A state of a concurrent system can be viewed as a
valuation for the set of its variables V.
Let V v1, , vn. We think of the
variables in V as present state variables and the
variables in V as next state variables.

23
First order representationof Kipke structures

Let M (S, S0, R, L) be a Kripke structure.
S is the set of all valuations for all variables
of the system which can be described by a
proposition S. Usually, S True.
The set of initial states S0 can be described by
a proposition (on the set of variables) S0.
R can be described by a proposition R such that
for any two states s and s, R(s, s) holds if R
evaluates to True when each variable v is
assigned the value s(v) and each variable v is
assigned the value s(v).
The labeling function LS ? 2AP is defined so
that L(s) is the subset of all atomic
propositions true in s which can be described by
some appropriate proposition.

24
A simple example

We consider a simple system with variables x and
y that range
over D 0, 1. Thus, a valuation for the
variables x and y is
just a pair (d1, d2) D D where d1 is the
value for x and d2 is
the value for y. The system consists of one
transition
x (x y)
mod 2,
Which starts from the state in which x 1 and y
1.

25
A simple example with transition x (x y)
mod 2

S True
S0 (x, y) x 1 ? y 1
R (x, y, x, y) x (x y) mod 2 ? y y

26
A simple example with transition x (x y)
mod 2

The Kripke structure M (S, S0, R, L) for this
system is simply
S D D.
S0 (1,1)
R ((1,1), (0,1)), ((0,1), (1,1)), ((1,0),
(1,0)), ((0,0), (0,0)).
L(1,1) x 1, y 1, L(0,1) x 0, y 1,
L(1,0) x 1, y 0, L(0,0) x 0, y 0.
The only path in the Kripke structure that
starts in the initial state is
(1,1) (0,1) (1,1) (0,1) .

27
Concurrent systems

A concurrent system consists of a set of
components that execute together.
Normally, the components have some means of
communicating with each other.

28
Modes of execution

We will consider two modes of execution
Asynchronous or interleaved execution, in which
only one component makes a step at a time, and
synchronous execution, in which all of the
components make a step at the same time

29
Modes of communication

We will also distinguish three modes of
communication. Components can either communicate
by changing the value of shared variables or by
exchanging messages using queues or some
handshaking protocols.

30
A modulo 8 counter
31
Synchronous circuitA modulo 8 counter

The transitions of the circuit are given by
v0 ?v0
v1 v0 v1
v2 (v0 ? v1) v2
R0 (v, v) (v0 ? ?v0)
R1 (v, v) (v1 ? v0 v1)
R2 (v, v) (v2 ? (v0 ? v1) v2)
R (v, v) R0 (v, v) ? R1 (v, v) ? R2 (v, v)

32
Synchronous circuitGeneral case

Let V v0, ., vn-1 and V v0, ., vn-1
Let vi fi (V), 1 0, , n-1.
Define Ri (v, v) ( vi ? fi (V)).
Then, the transition relation can be described as
R (v, v) R0 (v, v) ? ? Rn-1 (v, v).

33
Asynchronous circuitGeneral case

In this case, the transition relation can be
described as
R (v, v) R0 (v, v) ? ? Rn-1 (v, v),
Where
Ri (v, v) ( vi ? fi (V)) ?j ? i (vj ? vj
)).

34
Example

Let V v0, v1, v0 v0 v1 and v1 v0
v1.
Let s be a state with v0 1 ? v1 1.
For the synchronous model, the only successor of
s is the state v0 0 ? v1 0.
For the asynchronous model, the state s has two
successors
1. v0 0 ? v1 1 ( the assignment to v0 is
taken first).
2. v0 1 ? v1 0 ( the assignment to v1 is
taken first).

35
Labeled program

Given a statement P, the labeled statement PL
is defined as follows
If P is not a composite statement then P PL. .
If P P1 P2 then PL P1L l P2L.
If P if b then P1 else P2 end if, then
PL if b then l1 P1L else l2 P2L end if.
If P while b do P1 end while, then PL while b
do l1 P1L end while.

36
Some assumptions

We assume that P is a labeled statement and that
the entry and exit points of P are labeled by m
and m, respectively.
Let pc be a special variable called the program
counter that ranges over the set of program
labels and an additional value - called the
undefined value.
Let V denote the set of program variables, V the
set of primed variables for V, and pc the primed
variables for pc.
Let same (Y) ?y e Y (y y).

37
The set of initial states of P

Given some condition pre (V) on the initial
variables for P,
S0 (V, pc) pre (V) ? pc m.

38
The transition relation for P

C (l, P, l) describes the set of transitions in
P as a disjunction of all transitions in the set.
Assignment
C ( l, v ? e, l) pc l ? pc l ? v
e ? same (V \ v)
Skip
C ( l, skip, l) pc l ? pc l ? same
(V)
Sequential composition
C ( l, P1 l P2, l) C ( l, P1, l) ?
C ( l, P2, l)

39
The transition relation for P (continued)

Conditional
C (l, if b then l1 P1 else l2 P2 end if,
l) is the disjunction of the following
formulas
pc l ? pc l1 ? b ? same (V)
pc l ? pc l2 ? ?b ? same (V)
C (l1, P1, l)
C (l2, P2, l)

40
The transition relation for P (continued)

While
C (l, while b do l1 P1 end while, l) is
the disjunction of the following formulas
pc l ? pc l1 ? b ? same (V)
pc l ? pc l ? ?b ? same (V)
C (l1, P1, l)

41
Concurrent programs

A concurrent program consists of a set of
processes that can be executed in parallel. A
process is a sequential program.
Let Vi be the set of variables that can be
changed by process Pi. V is the set of all
program variables.
pci is the program counter of process Pi. PC is
the set of all program counters.
A concurrent program has the form
cobegin P1 P2 Pn coend
where P1, , Pn are processes.

42
Labeling transformation

We assume that no two labels are identical and
that the entry and exit points of P are labeled m
and m, respectively.
If P cobegin P1 P2 Pn coend, then
PL cobegin l1 P1L l1 l2 P2L l2
ln PnL ln coend.

43
The set of initial states of P

S0 (V, pc) pre (V) ? pc m ? ?i 1, n (pci
- )

44
The transition relation for P

C (l, cobegin l1 P1L l1 ln PnL ln
coend, l)
Is the disjunction of three formulas
pc l ? pc1 l1 ? ? pcn ln ? pc -
pc - ? pc1 l1 ? ? pcn ln ? pc l
? ?i 1, n (pci -)
?i 1, n (C (li, Pi, li) ? (same (V \ Vi) ?
same (PC \ pci))

45
Shared variables

Wait
C (l, wait (b), l) is a disjunction of the
following two formulas
(pci l ? pci l ? ?b ? same (Vi))
(pci l ? pci l ? b ? same (Vi))
Lock (v) ( wait (v 0))
C (l, lock (v), l) is a disjunction of the
following two formulas
(pci l ? pci l ? v 1 ? same (Vi))
(pci l ? pci l ? v 0 ? v 1 ?
same (Vi \ v))
Unlock (v)
C (l, unlock (v), l) pci l ? pci
l ? v 0 ? same (Vi \ v)

46
A simple mutual exclusion programP m cobegin
P0 P1 coend m

P0 l0 while True do
NC0 wait (turn 0)
CR0 turn 1
end while
l0
P1 l1 while True do
NC1 wait (turn 1)
CR1 turn 0
end while
l1

47
Kripke structure

pc takes values in the set m, m, - .
pci takes values in the set li, li, NCi, CRi,
- .
V V0 V1 turn.
PC pc, pc0, pc1.

48
The set of initial states of P

S0 (V, PC) pc m ? pc0 - ? pc1 -.

49
The transition relation for P

R (V, PC, V, PC) is the disjunction of the
following four formulas
pc m ? pc0 l0 ? pc1 l1 ? pc -.
pc0 l0 ? pc1 l1 ? pc m ? pc0 -
? pc1 -.
C (l0, P0, l0) ? same (pc, pc1).
C (l1, P1, l1) ? same (pc, pc0).

50
The transition relation of Pi

For each process Pi, C (li, Pi, li) is the
disjunction of
pci li ? pci NCi ? True ? same (turn)
pci NCi ? pci CRi ? turn i ? same (turn)
pci CRi ? pci li ? turn (i1) mod 2
pci NCi ? pci NCi ? turn ? i ? same (turn)
pci li ? pci li ? False ? same (turn)

51
(No Transcript)
52
Syntax of Computational Tree Logic (CTL)

F - T p (F) (F ? F) (F ? F)
(F ? F) AX F EX F AF U F
EF U F AG F EG F AF F EG F
where p ranges over atomic formulas.

53
Convention

The unary connectives (consisting of and the
temporal connectives AG, EG, AF, AX and EX) bind
most tightly. Next in the order come ? and ?
and after that come ? , AU and EU.

54
Some examples of well-formed CTL formulas

(EG r)
AG (q ? EG r)
(AG q) ? (EG r)
EF Er U q
Ap U EF r
EF EG p ? AF r
(EF EG p) ? AF r
EF EG (p ? AF r)

55
Some examples of not well-formed CTL formulas

FG r
A Gp
Fr U q
EF (r U q)
AEF r
AF (r U q) ? (p U q)

56
CTL Subformulas

Definition A subformula of a CTL formula F is
any formula ? whose parse tree is a subtree of
Fs parse tree.

57
The parse tree for AAX p U EEX (p ? q) U p
AU
AX
EU
EX

?
p
p
p
q
58
Semantics of Computational Tree Logic (CTL)

Let M (S, R, L) be a Kripke structure. Given
any state s in S, we define whether a CTL formula
F holds in state s. We denote this by
M, s F,
where is the satisfaction relation.

59
The satisfaction relation is defined by
structural induction on all CTL formulas

M, s T and (M, s -) for all s e S.
M, s p iff p e L(s).
M, s F iff (M, s F).
M, s F1 ? F2 iff M, s F1 and M, s F2.
M, s F1 ? F2 iff M, s F1 or M, s F2.
M, s F1 ? F2 iff (M, s F1) or M, s F2.
M, s AX F iff for all s1 such that (s, s1) e R,
we have M, s1 F . Thus, AX says in every
next state.
M, s EX F iff for some s1 such that (s, s1) e
R, we have M, s1 F . Thus, EX says in some
next state.

60
The satisfaction relation is defined by
structural induction on all CTL formulas
(continued)

M, s AG F iff for all paths s1 s2 s3 where s1
equals s, and all si along the path, we have such
that (si, si1) e R, we have M, si F . Thus,
AG says for all computation paths beginning s
the property F holds globally.
M, s EG F iff there is a path s1 s2 s3 where
s1 equals s, and all si along the path, we have
such that (s, s1) e R, we have M, si F . Thus,
AG says there exists a computation path
beginning s such that F holds globally along the
path.
M, s AF F iff for all paths s1 s2 s3 where s1
equals s, there is some si such that M, si F.
Thus, AF says for all computation paths
beginning in s there will be some future state
where F holds.

61
The satisfaction relation is defined by
structural induction on all CTL formulas
(continued)

M, s EF F iff there is a path s1 s2 s3 where
s1 equals s, and for some si along the path, we
have M, si F. Thus, EF says there exists a
computation path beginning in s such that F holds
in some future state.
M, s AF1 U F2 iff for all paths s1 s2 s3
where s1 equals s, that path satisfies F1 U F2,
i.e., there is some si along the path, such that
M, si F2, and, for each j lt i, we have M,
sj F1. Thus, AF1 U F2 says all computation
paths beginning in s satisfy that F1 until F2
holds on it.
M, s EF1 U F2 iff there is a path s1 s2 s3
where s1 equals s, and that path satisfies F1 U
F2, i.e., there is some sj along the path, such
that M, si F2, and, for each j lt i, we have M,
sj F1. Thus, EF1 U F2 says there exists a
computation path beginning in s such that F1
until F2 holds on it.

62
A system whose starting state satisfies EF F
F
63
A system whose starting state satisfies EG F
F
F
F
64
A system whose starting state satisfies AG F
F
F
F
F
F
F
F
F
F
F
65
A system whose starting state satisfies AF F
F
F
F
F
F
66
Some examples for the following system M
p, q
s0

M, s0 p ? q
M, s0 r
M, s0 T
M, s0 EX (q ? r)
M, s0 AX (q ? r)
M, s0 EF (p ? r)
M, s2 EG r
M, s2 AG r
M, s0 AF r
M, s0 E(p ? q) U r
M, s0 Ap U r

q, r
r
s1
s2
67
Other examples for CTL logic

It is possible to get a state where started holds
but ready does not hold EF (started ? ready)
For any state, if a request (of some resource)
occurs, then it will eventually be acknowledged
AG (requested ? AF
acknowledged)
A certain process is enabled indefinitely often
on every computation path
AG (AF enabled)
Whatever happens, a certain process will
eventually be permanently deadlocked AF (AG
deadlocked)

68
Other examples for CTL logic (continued)

From any state it is possible to get a restart
state AG (EF restart)
An upwards traveling elevator at the second floor
does not change its direction when it has
passengers wishing to go to the fifth floor
AG (floor2 ? directionup ? ButtonPressed5
? Adirectionup U floor5)
The elevator can remain idle on the third floor
with its doors closed
AG (floor3 ? idle ? doorclosed ? EG (floor3 ?
idle ? doorclosed))

69
Semantically equivalent CTL formulas

Definition Two CTL formulas F and ? are said to
be semantically equivalent if any state in any
Kripke structure which satisfies one of them also
satisfies the other we denote this by F ?.

70
Important equivalences between CTL formulas

AF F EG F
EF F AG F
AX F EX F
AF F AT U F
EF F ET U F
Ap U q (Eq U (p ? q) ? EG q)

71
Theorem

The set of operators -, and ? together with AF,
EU and EX are adequate for CTL any CTL formula
can be transformed into a semantically equivalent
CTL formula which uses only those logical
connectives.

72
Other interesting equivalences

AG F F ? AX AG F
EG F F ? EX EG F
AF F F ? AX AF F
EF F F ? EX EF F
AF U ? ? ? (F ? AX AF U ?)
EF U ? ? ? (F ? EX EF U ?)

73
Example mutual exclusion

When concurrent processes share a resource, it
may be necessary to ensure that they do not have
access to it at the same time.
We therefore identify certain critical sections
of each process code and arrange that only one
process can be in its critical section at a time.
The problem we are faced with is to find a
protocol for determining which process is allowed
to enter its critical section at which time.

74
Some expected properties for mutual exclusion

Safety The protocol allows only one process to
be in its critical section at a time.
Liveness Whenever any process wants to enter its
critical section, it will eventually be permitted
to do so.
Non-blocking A process can always request to
enter its critical section.
No strict sequencing Processes need not enter
their critical section in strict sequence.

75
A simple example of two processes

n a process is in a non-critical state
t a process tries to enter in its critical
section
c a process is in its critical section

76
A first-attempt model for mutual exclusion
s0
n1n2
s1
s5
n1t2
t1n2
t1t2
n1c2
c1n2
s2
s3
s6
t1c2
c1t2
s4
s7
77
CTL formulas for the system properties

Safety F1 AG (c1 ? c2). (o.k.)
Liveness F2 AG (t1 ? AF c1). (not o.k.)
because there exists a computation path,
namely, s1 ? s3 ? s7 ? s1 ? on which c1 is
always false.
Non-blocking F3 AG (n1 ? EX t1). (o.k.)
No strict sequencing EF (c1 ? Ec1 U (c1 ?
Ec2 U c1)). (o.k.)

78
A second-attempt model for mutual exclusion
s0
n1n2
s1
s5
n1t2
t1n2
t1t2
n1c2
t1t2
c1n2
s2
s3
s6
s9
t1c2
c1t2
s4
s7
79
Syntax of Linear-time temporal logic (LTL)

Definition Linear-time temporal logic (LTL) has
the following syntax given in Backus Naur form
F p (F) (F ? F) (F U F) (G F)
(F F) (X F) where p is any propositional atom.

80
Semantics of Linear Tree Logic (LTL)

Let M (S, R, L) be a Kripke structure. Given a
path s s1 s2 s3 in M, where s1 is the initial
state, and for all si along the path, such that
(si, si1) e R, we define whether a LTL formula
F holds in the path s denoted as
M, s F,
where is the satisfaction relation.
Let si si si1 ... denote the suffix of s
starting at si.

81
The satisfaction relation is defined by
structural induction on all of LTL formulas

M, s T and (M, s -) for all s e S.
M, s p iff p e L(s1).
M, s F iff (M, s F).
M, s F1 ? F2 iff M, s F1 and M, s F2.
M, s X F iff M, s2 F,
M, s G F iff, for all i 1, M, si F,
M, s F F iff, for some i 1, M, si F,
M, s F U ? iff, there is some i 1 such that
M, si ? and for all j 1 i-1 we have M, sj
F.

82
Semantically equivalent LTL formulas

Definition Two LTL formulas ? and ? are
semantically equivalent, writing as ? ?, if
they are true for the same paths in each model.
An LTL formula ? is satisfied in a state s of a
model if ? is satisfied in every path starting at
s.

83
Some semantically equivalent LTL formulas

G ? F ?
F ? G ?
F(? ? ?) F ? ? F ?
G(? ? ?) G ? ? G ?
? U ? ( ? U (? ? ?)) ? F ?

84
Syntax of CTL

The CTL formulas are divided into two classes
state formulas, which are evaluated in states
F p T (F) (F ? F) Aa Ea
where p is any atomic formula and any path
formula and
path formulas, which are evaluated along paths
a F (a) (a ? a) (a U a) (G a) (F
a) (X a)
where F is any state formula.

85
Semantics of CTL(f1 and f2 are state formulas
and g1 and g2 are path formulas)

M, s p iff p e L(s).
M, s f1 iff (M, s f1).
M, s f1 ? f2 iff M, s f1 and M, s f2 .
M, s E g1 iff there exists a path s from s
such that M, s g1.
M, s A g1 iff for every path s starting from
s, M, s g1.
M, s f1 iff s is the first state of s and M,
s f1 .
M, s g1 iff (M, s g1).
M, s g1 ? g2 iff M, s g1 and M, s g2 .

86
Semantics of CTL (continued)(f1 and f2 are
state formulas and g1 and g2 are path formulas)

M, s X g1 iff M, s1 g1 .
M, s F g1 iff there exists a k 0 such that
M, sk g1.
M, s G g1 iff for all k 0 , M, sk g1.
M, s g1 U g2 iff there exists a k 0 such
that M, sk g2 and for all 0 j lt k, M, sj
g1.

87
Theorem

The set of operators -, and ? together with X,
U and E are adequate for CTL any CTL formula
can be transformed into a semantically equivalent
CTL formula which uses only those logical
connectives.

88
Some interesting equivalences

f ? g (f ? g)
F f - U f
G f F f
A(f) E(f)

89
LTL and CTL as subsets of CTL

Although the syntax of LTL does not include A and
E, the semantic viewpoint of LTL is that we
consider all paths. Therefore, the LTL formula a
is equivalent to the CTL formula Aa
CTL is the fragment of CTL in which we restrict
the form of path formulas to
a (F U F) (G F) (F F) (X
F).

90
Example of in CTL but not in LTL ?1 AG EF p

Whenever we have got to, we can always get back
to a state in which p is true. This is useful,
e.g., in finding deadlocks in protocols.

M
M
s
t
s
p
p
p
91
Example of in CTL, but neither in CTL nor in
LTL ?2 EGF p

Saying, there is a path with infinitely many p.

92
Example of in LTL but not in CTL ?3 AGF p ?
F q)

Saying that if there are infinitely many p along
the path, then there is an occurrence of q.
This is an interesting thing to be able to say
for example, many fairness constraints are of the
form infinitely often requested implies
eventually acknowledged.

93
Example of in LTL and CTL ?4 AG (p ? AF q) in
CTL, or G (p ? F q) in LTL

Saying, any p is eventually followed by a q.

94
Example

FG p and AF AG p are not semantically equivalent,
since FG p is satisfied, whereas AF AG p is not
satisfied, in the model

p
p
p
95
weak until W

The formula Ap W q is true in a state if, along
all paths from that state, p is true from the
present state until the first state in which q is
true, if any. In particular, if there is no q
state on a path, then p needs to hold for all
states of that path.

96
weak until W (continued)

In LTL and CTL, weak Until may be defined in
terms of the ordinary Until, as follows
p W q (p U q) ? G p
For CTL, we have
Ep W q Ep U q ? EG p
Ap W q Eq U (p ? q)

97
Model of Computation
98
Model of Computation (Cont.)
99
CTL
100
Path Formulas and State Formulas
101
Sate Formulas (Cont.)
102
Path Formulas (Cont.)
103
Standard Abbreviations
104
CTL and LTL
105
Expressive Power
106
Basic CTL Operators
107
Basic CTL Operators
108
Typical CTL Formulas
109
A model-checking algorithm for CTL

INPUT a Kripke structure M (S, R, L) and a CTL
formula ?.
OUTPUT the set of states of M which satisfy ?.

110
function TRANSLATE

which takes as input an arbitrary CTL formula ?
and returns as output an equivalent CTL formula ?
whose only operators are among the set -, , ?,
AF, EU, EX.

111
A model-checking algorithm for CTL

INPUT a Kripke structure M (S, R, L) and a CTL
formula ?.
OUTPUT the set of states of M which satisfy ?.

112
The labeling algorithm

First, change ? to the output of TRANSLATE(?).
Next, label the states of M with sub-formulas of
? that are satisfied there, starting with the
smallest formulas and working outwards towards ?.

113
The labeling algorithm (continued)

Suppose ? is a sub-formula of ? and states
satisfying all immediate sub-formulas of ? have
already been labeled (An immediate sub-formula of
? is any maximal-length sub-formula other than ?
itself.) We determine by a case analysis which
states to label with ? as follows. If ? is

114
The labeling algorithm (continued)

- then no states are labeled with -.
p then label s with p if p e L(s).
?1 ? ?2 label s with ?1 ? ?2 if s is already
labeled with ?1 and with ?2.
?1 label s with ?1 if it is not already
labeled with ?1.
EX ?1 label any state with EX ?1 if one of its
successors is labeled with ?1.

115
The labeling algorithm (continued)

AF ?1
If any state s is labeled with ?1, label it with
AF ?1.
Repeat label any state with AF ?1 if all
successors states are labeled with AF ?1, until
there is no change. This step is illustrated in
the figure of the next page.

116
The iteration step of the procedure for labeling
states with sub-formulas of the form AF?1.
AF ?1
AF ?1
AF ?1
AF ?1
AF ?1
AF ?1
AF ?1
until no change.
117
The labeling algorithm (continued)

E?1 U ?2
If any state is labeled with ?2, label it with
E?1 U ?2.
Repeat label any state with E?1 U ?2 if it is
labeled with ?1 and at least one of its
successors is labeled with E?1 U ?2, until
there is no change. This step is illustrated in
the figure of the next page.

118
The iteration step of the procedure for labeling
states with sub-formulas of the form E?1 U ?2.
E?1 U ?2
E?1 U ?2
?1
E?1 U ?2
?1
until no change.
119
The time complexity of the labeling algorithm

O(f . V . (V E)), where f is the number of
connectives in the formula, V is the number of
states and E is the number of transitions.
The algorithm is linear in the size of the
formula and quadratic in the size of the model.

120
A more efficient algorithm

Instead of using EX, EU and AF as the adequate
set, we use EX, EU and EG.
For EX and EU we do as before.

121
For the case of EG, we have

restrict the graph to states satisfying ?, i.e.,
delete all other states and their transitions.
find the maximal strongly connected components
(SCC) there are maximal regions of the state
space in which every state is linked with ( has
a finite path to) every other one in that region.
use backwards breadth-first searching on the
restricted graph to find any state that can reach
an SCC. See the figure in the next page.

122
A better way of handling EG
SCC
EG ?
SCC
SCC
states satisfying ?
123
The time complexity of the more efficient
labeling algorithm

O(f . (V E)), where f is the number of
connectives in the formula, V is the number of
states and E is the number of transitions.
The algorithm is linear both in the size of the
formula and the size of the model.

124
The Time complexity of model checking algorithm
for CTL formulas

Theorem 1 There is an algorithm for determining
whether a CTL formula f is true in a state s of
the structure M (S, R, L) that runs in time O
(f. (S R )) or O(f. M).

125
An example run of the labeling algorithm in our
second model of mutual exclusion applied to the
formula Ec2 U c1.
s0
0 n1 n2 3 Ec2 U c1
s5
s1
0 t1 n2 2 Ec2 U c1
0 n1 t2
s6
s2
s3
s8
0 n1 c2
0 t1 t2
0 c1 n2 1 Ec2 U c1
0 t1 t2 2 Ec2 U c1
s7
s4
0 t1 c2
0 c1 t2 1 Ec2 U c1
126
The pseudo-code of the model checking algorithm

function SAT (F)
/ determines the set of states satisfying F /
begin
case
F is T return S
F is - return Ø
F is atomic return s e S F e
L(s)
F is ?F1 return S SAT(F1)
F is F1 ? F2 return SAT(F1) n
SAT(F2)
F is EX F1 return SATEX(F1)
F is AF F1 return SATAF(F1)
F is EU F1 return SATEU(F1)
end case
end function

127
The function SATEX

function SATEX(F)
/ determines the set of states satisfying EX F
/
local var X, Y
begin
X SAT(F)
Y s0 e S (s0, s1) e R for some s1 e
X
return Y
end

128
The function SATAF

function SATAF(F)
/ determines the set of states satisfying AF F
/
local var X, Y
begin
X S
Y SAT(F)
repeat until X Y
begin
X Y
Y Y U s e S (s, s) e R for
all s e Y
end
return Y
end

129
The function SATEU

function SATEU(F, ?)
/ determines the set of states satisfying EF U
?) /
local var W, X, Y
begin
W SAT(F)
X S
Y SAT(?)
repeat until X Y
begin
X Y
Y Y U (W n s e S (s, s) e R
for some s e Y
end
return Y
end

130
Fairness

Definition Let C ?1, ?2, , ?n be a set of
fairness constraints. A computation s0 s1 is
fair with respect to these fairness constraints
if for each i, i 1, , n, there are infinitely
many j, j 0, 1, , such that sj ?i, that is,
each ?i is true infinitely often along the path.

131
Model checking with fairness

Let AC and EC denote A and E restricted to fair
paths.
Example M,s0 ACG? iff ? is true in every state
along all fair paths and similarly for ACF, ACU,
etc.
It can be shown that ECG, ECU, and ECX form an
adequate set.
We can also show
EC? U ? E? U (? ? ECG T)
ECX ? EX(? ? ECG T).

132
An algorithm for ECG?with time complexity O(n .
f. (VE))

Restrict the graph to states satisfying ? of the
resulting graph, we want to know from which
states there is a fair path.
Find the maximal strongly connected components
(SCC) of the restricted graph
Remove an SCC if, for some ?i, it does not
contain a state satisfying ?i. The resulting
SCCs are the fair SCCs. Any state of the
restricted graph that can reach one has a fair
path from it.
Use backwards breadth-first searching to find the
states on the restricted graph that can reach a
fair SCC.

133
Example C ?1, ?2, ?3
fair SCC
EC G?
fair SCC
?1
?2
?3
states satisfying ?
134
Microwave Oven Example
135
Check the CTL formula AG(Start ? AF Heat)

The above formula can be written as
EF (Start ? EG Heat)
S(Start) 2, 5, 6, 7
S(Heat) 1, 2, 3, 5, 6
S S(Heat) , SCC 1, 2, 3, 5
S(EG Heat) 1, 2, 3, 5
S(Start ? EG Heat) 2, 5
S(EF(Start ? EG Heat)) 1, 2, 3, 4, 5, 6, 7
S( EF(Start ? EG Heat)) Ø

136
Consider fairness with C Start ? Close ?
Error

S(Start) and S(Heat) remain as before.
S S(Heat) , but the previous 1, 2, 3, 5 is
not fair because none of its states satisfies
Start ? Close ? Error. Thus
S(EG Heat) Ø which implies that
S( EF(Start ? EG Heat)) 1, 2, 3, 4, 5, 6,
7.
Thus, the program satisfies the formula under the
given constraints.

137
Time complexity of model checking algorithms for
fair CTL formulas

Theorem 2 There is an algorithm for determining
whether a CTL formula f is true with respect to a
fair semantics C in a state s of the structure M
(S, R, L, C) that runs in time O (f. (S
R ). C) or O(f. M. C).

138
Model-checking Problem for LTL

Given a Kripke structure M (S, R, L), s e S,
and a LTL formula A g, where g is an
unrestricted path formula.
Determine whether M,s A g.
M,s A g iff M,s E g
Thus, it suffices to check the truth of formulas
of the form E f where f is an unrestricted path
formula.

139
Model-checking Problem for LTL (Cont.)

In general, the problem can be shown to be
PSPACE-complete, the proof of which is rather
involved.
It is easy to show that the problem is NP-hard.

140
Model-checking Problem for LTL (Cont.)

Consider an arbitrary directed graph G (V, A)
where V v1, , vn.
We show that the problem of determining whether G
has a directed Hamiltonian path is reducible to
the problem of determining M, s f where M and
f are to be defined later.

141
Model-checking Problem for LTL (Cont.)

f is the formula (using the atomic propositions
p1 , , pn)
EF p1 ? ? pn ? G(p1 ? XG p1) ? ? G(pn ?
XG pn)

142
Model-checking Problem for LTL (Cont.)

Let the Kripke structure M (W, B, L) consist
of
W V U w1, w2 where (w1,w2 e V).
B A U (w1, vi) vi e V U (vi, w2) vi e V
U (w1, w2)
L is an assignment of propositions to states such
that
pi is true in vi for 1 i n
pj is false in vi for 1 i, j n, i ? j
pi is false in w1, w2 for 1 i n

143
Model-checking Problem for LTL (Cont.)

It is easy to show that M, w1 f if and only if
there is a directed infinite path in M starting
at w1 that goes through all vi e V exactly once
and ends in the loop through w2.

144
A model-checking algorithm for LTL

INPUT a Kripke structure M (S, R, L), s e S,
and a LTL formula ?.
OUTPUT Determine whether M,s ?.

145
Basic Strategy
146
Basic Strategy (Cont.)
147
Basic Strategy (Cont.)
148
Example Let? (a U b)andM is as follows
149
Automaton accepting traces satisfying F a U b
150
M redrawn with an expanded state space
151
The expanded M and AaUb
152
Time complexity of model checking algorithm for
LTL formulas

Theorem 3 There is an algorithm for determining
whether a LTL formula f is true in a state s of
the structure M (S, R, L) that runs in time M
2O(f).

153
Time complexity of model checking algorithm for
CTL formulas

Theorem 4 There is an algorithm for determining
whether a CTL formula f is true in a state s of
the structure M (S, R, L) that runs in time M
2O(f).

154
Binary Decision Trees

Definition A binary decision tree is a tree
whose non-terminal nodes are labelled with
boolean variables x, y, z, and whose terminal
nodes are labelled with either 0 or 1. Each
non-terminal node has two edges, one dashed line
and one solid line.

x
y
y
1
0
0
0
155
Binary Decision Trees (continued)

Definition Let T be a finite binary decision
tree. Then T determines a unique Boolean
function of the variables in non-terminal nodes,
in the following way. Given an assignment of 0s
and 1s to the Boolean variables occurring in T,
we start at the root of T and take the dashed
line whenever the value at the current node is 0
otherwise, we travel along the solid line. The
function value is the value of the terminal node
we reach.

156
An example

f(x, y) (x y)

x
y
y
1
0
0
0
157
Some optimization techniquesBinary Decision
Diagrams (BDDs)
x
y
y
1
0
158
Some optimization techniques (continued)
x
y
1
0
159
A BDD with duplicated sub-BDDs
z
x
x
y
y
y
y
0
1
160
After removal of one of the duplicate y-nodes
z
x
x
y
y
y
0
1
161
After removal of another duplicate y-nodes and
then a redundant x-decision point
z
x
y
y
0
1
162
Three ways of reducing a BDD

Removal of a duplicate terminals.
Removal of a redundant tests.
Removal of duplicate non-terminals.

163
Directed Acyclic Graphs (DAGs)

A directed acyclic graph (dag) is a directed
graph that does not have any cycles. A node of a
dag is initial if there are no edges pointing to
that node. A node is terminal if there are no
edges out of that node.

164
Binary Decision Diagram (BDD)

Definition A binary decision diagram (BDD) is a
finite dag with a unique initial node, where all
terminal nodes are labeled with 0 or 1 and all
non-terminal nodes are labeled with a Boolean
variable. Each non-terminal node has exactly two
edges from that node to others one labeled 0 and
one labeled 1 ( we represent them as a dashed
line and a solid line, respectively). A BDD is
said to be reduced if none of the earlier three
optimization techniques can be applied (i.e., no
more reductions are possible).

165
Ordered Binary Decision Diagrams (OBDDs)

Definition Let x1, , xn be an ordered list of
variables without duplications and let B be a BDD
all of whose variables occur somewhere in the
list. We say B has the ordering x1, , xn if
all variables labels of B occur in that list and,
for every occurrence of xj followed by xj along
any path in B, we have i lt j.
An ordered BDD (OBDD) is a BDD which has an
ordering for some list of variables.

166
Examples of a BDD (left) and an OBDD (right)
x
x
y
z
y
y
x
y
x
z
1
0
0
1
167
Reduced OBDDs as Canonical forms

Theorem The reduced OBDD representing a given
function f is unique. That is to say, let B1 and
B2 be two reduced OBDDs with a compatible
variable orderings. If B1 and B2 represent the
same boolean function, then they have identical
structure.

168
An OBDD for the even parity function for four bits
x
y
y
z
z
w
w
1
0
169
The OBDD for (x y) . (z w) . (u v) with
variable ordering x, y, z, w, u, v
x
y
z
w
u
v
1
0
170
The OBDD for (x y) . (z w) . (u v) with
variable ordering x, z, u, y, w, v
x
z
z
u
u
u
u
y
y
y
y
w
w
v
1
0
171
The importance of canonical representation

Absence of redundant variables.
Test for semantic equivalence.
Test for validity.
Test for implication.
Test for satisfiability.

172
The algorithm reducein general terms

If the ordering of B is x1, x2, , xl, then B
has at most l 1 layers. The algorithm reduce
now traverses B layers in a bottom-up fashion
(beginning with the terminal nodes). In
traversing B, it assigns an integer label id(n)
to each node n of B, in such a way that subOBDDs
with root nodes n and m denote the same boolean
function if, and only if, id(n) equals id(m).

173
The algorithm reduce

Definition Given a non-terminal node n in a BDD,
we define lo(n) to be the node pointed to via the
dashed line from n. Dually, hi(n) is the node
pointed to via the solid line from n.
Let us assume that reduce has already assigned
integer labels to all nodes of a layer gt i
(i.e., all terminal nodes and xj-nodes with j gt
i). We describe how nodes of layer i (i.e.,
xi-nodes) are being handled as follows.

174
The algorithm reduce (continued)

Given an xi-node n, there are three ways in which
it may get its label
If the label id(lo(n)) is the same as id(hi(n)),
then we set id(n) to be that label
If there is another node m such that n and m have
the same variable xi, and id(lo(n)) id(lo(m))
and id(hi(n)) id(hi(m)), then we set id(n) to
be id(m).
Otherwise, we set id(n) to the next unused
integer label.

175
An example execution of the algorithm reduce
4
4
x1
x1
3
2
x2
x2
3
x2
2
2
x3
x3
x3
2
0
1
1
0
1
0
0
1
0
1
0
1
176
The algorithm applyin general terms

Given OBDDs Bf and Bg for Boolean formulas f and
g, respectively, the call apply (op, Bf, Bg)
computes the reduced OBDD of the Boolean formula
f op g, where op denotes any function from 0, 1
X 0, 1 to 0, 1.

177
The algorithm apply

The algorithm operates recursively on the
structure of
the two OBDDs
Let v be the variable highest in the ordering (
leftmost in the list) which occurs in Bf or Bg.
Split the problem into sub-problems for v being 0
and v being 1 and solve recursively
At the leaves, apply the Boolean operation op
directly.

178
restrictions of f

Definition Let f be a Boolean formula and x a
variable. We denote by f0/x the Boolean
formula obtained by replacing all occurrences of
x in f by 0. The formula f1/x is defined
similarly. The f0/x and f1/x are called
restrictions of f.

179
Shannon expansion

Lemma For all Boolean formulas f and all Boolean
variables x (even those not occurring in f) we
have
f x . f0/x x . f1/x.
The function apply is based on the above lemma
for f op g
f op g xi . (f0/xi op g0/xi) xi .
(f1/xi op g1/xi).

180
The algorithm restrictin general terms

Given an OBDD Bf representing a boolean formula
f, the call restrict (0, x, Bf) computes the
reduced OBDD representing f0/x using the same
variable ordering as Bf.

181
The algorithm restrict

The algorithm restrict(0, x, Bf) works as
follows. For each node n labelled with x,
incoming edges are redirected to lo(n) and n is
removed. Then we call reduce on the resulting
OBDD. The call restrict(1, x, Bf) proceeds
similarly, only we now redirect incoming edges to
hi(n).

182
Time complexity
Algorithm
Input OBDD(s)
Output OBDD
Time complexity
reduced B
O(B . Log B)
reduce
B
apply
Bf, Bg (reduced)
Bf op g (reduced)
O(Bf . Bg)
Bf0/x or Bf1/x (reduced)
restrict
Bf (reduced)
O(Bf . Log Bf)
183
Symbolic Model Checking

Model checking using OBDDs is called symbolic
model checking.
The term emphasizes that individual states are
not represented rather, sets of states are
represented symbolically, namely, those which
satisfy the formula being checked.

184
Representing subsets of the set of states

Let S be a finite set of states. The task is to
represent the various subsets of S as OBDDs.
The way to do this in general is to assign to
each element s e S a unique vector of boolean
values (v1, v2, , vn), each vi e 0, 1. Then,
we represent a subset T by the boolean function
fT which maps (v1, v2, , vn) onto 1 if s e T and
maps it onto 0 otherwise.
Note that 2n-1 lt S 2n .
The function fT 0, 1n ? 0, 1 which tells us,
for each s, represented by (v1, v2, , vn),
whether it is in the set T or not, is called the
characteristic function of T.

185
An example of a Kripke structure (S, R, L)

S s0, s1,s2
R (s0, s1), (s1, s2), (s2, s0), (s2, s2)
L(s0) x1
L(s1) x2
L(s2) Ø

x1
x2
s0
s1
s2
186
Representation of subsets of states of the
previous example
187
Two OBDDs for the set s0, s1 of previous
example
x1
x1
x2
x2
x2
0
1
0
1
x1 .x2 x1 .x2
x1 x2
188
Representing transition relations

The transition relation R of a Kripke structure
(S, R, L) is a subset of S S. So, as a subset
of a given set, it may be represented as an OBDD.
Thus, a transition (s, s) e R can be represented
by a pair of Boolean vectors (v1, , vn), (v1,
, vn), where (v1, , vn) represents s and (v1,
, vn) represents s.

189
The Boolean function representation for the
transition relation of the previous example

fR x1 .x2 . x1 .x2 x1 .x2 .x1 .x2
x1 .x2 . x1 .x2 x1 .x2 .x1 .x2

190
The truth table for the transition relation of
the previous example with ordering x1, x2, x1,
x2
191
The truth table for the transition relation of
the previous example with ordering x1, x1, x2,
x2
192
An OBDD for the transition relation of the
previous example.
x1
X1
X1
x2
X2
X2
0
1
193
Fixpoint Representation

Let M (S, R, L) be an arbitrary finite Kripke
structure. The set P(S) of all subsets of S form
a lattice under the set inclusion ordering.
Each element S of the lattice can be thought as
a predicate on S, where the predicate is viewed
as being true for exactly the states in S.
A function that maps P(S) to P(S) is called a
predicate transformer.

194
Fixpoint theory

Let t P(S) ? P(S) be a predicate transformer
then
t is monotonic provided that P Q implies t(P)
t(Q)
t is U-continuous provided P1 P2
implies t(Ui Pi) Ui t(Pi)
t is n-continuous provided P1 P2
implies t(ni Pi) ni t(Pi).

195
Fixpoint theory (continued)

Let t i (Z) denote i applications of t to Z.
According to Tarski, any monotonic predicate
transformer t on P(S) always has a least fixpoint
µZ .t(Z), and a greatest fixpoint ?Z .t(Z) where
µZ .t(Z) nZ t(Z) Z and ?Z .t(Z) UZ
t(Z) Z.
Additionally, if t is U-continuous µZ .t(Z) Ui
t i (False) and if t is n-continuous ?Z .t(Z)
ni t i (True).

196
Some properties

Lemma 1 If S is finite and t is monotonic, then
t is also U-continuous and n-continuous .
Lemma 2 If t is monotonic, then for every i, t i
(False) t i1 (False) and t i (True) t
i1 (True).
Lemma 3 If t is monotonic and S is finite, then
there is an integer i0 such that for every j
i0, t j (False) t i0 (False). Similarly, there
is some j0 such that for every j j0, t j (True)
t j0 (True).
Lemma 4 If t is monotonic and S is finite, then
there is an integer i0 such that µZ .t(Z) t i0
(False). Similarly, there is some j0 such that
?Z .t(Z) t j0 (True).

197
Procedure for computing least fixpoint

function Lfp(Tau PredicateTransformer)
Predicate
Q False
Q Tau(Q)
while (Q ? Q) do
Q Q
Q Tau(Q)
end while
return(Q)
end function

198
Procedure for computing greatest fixpoint

function Gfp(Tau PredicateTransformer)
Predicate
Q True
Q Tau(Q)
while (Q ? Q) do
Q Q
Q Tau(Q)
end while
return(Q)
end function

199
CTL operators as greatest or least fixpoints

If we identify each CTL formula f with the
predicate s M, s f, then each of the basic
CTL operators may be characterized as a least or
greatest fixpoint of an appropriate predicate
transformer as follows
AF f1 µZ . f1 ? AX Z
EF f1 µZ . f1 ? EX Z
AG f1 ?Z . f1 ? AX Z
EG f1 ?Z . f1 ? EX Z
Af1 U f2 µZ . f2 ? (f1 ? AX Z)
Ef1 U f2 µZ . f2 ? (f1 ? EX Z)

200
Sequence of approximations for Ep U q
p
q
q
p
s0
p
p
s0
t 1 (False)
Kripke structure
p
q
q
p
p
s0
s0
p
t 3 (False)
t 2 (False)
201
Quantified Boolean Formulas (QBF)

Given a set V v0, , vn-1 of propositional
variables, QBF(V) is the smallest set of formulas
such that
Every variable in V is a formula.
If f and g are formulas, then f, f ? g, f ? g
are formulas.
If f and g are formulas, then v f and v f
are formulas.

202
Truth Assignment