

# Timed CTL Model Checking

## Lecture #16 of Advanced Model Checking

*Joost-Pieter Katoen*

Lehrstuhl 2: Software Modeling & Verification

E-mail: [katoen@cs.rwth-aachen.de](mailto:katoen@cs.rwth-aachen.de)

January 24, 2011

## Timed CTL

Syntax of TCTL *state-formulas* over  $AP$  and set  $C$ :

$$\Phi ::= \text{true} \quad | \quad a \quad | \quad \textcolor{red}{g} \quad | \quad \Phi \wedge \Phi \quad | \quad \neg \Phi \quad | \quad \exists \varphi \quad | \quad \forall \varphi$$

where  $a \in AP$ ,  $\textcolor{red}{g} \in ACC(C)$  and  $\varphi$  is a *path-formula* defined by:

$$\varphi ::= \Phi \mathbin{U^J} \Phi$$

where  $\textcolor{red}{J} \subseteq \mathbb{R}_{\geq 0}$  is an interval whose bounds are naturals

abbreviate  $[c, \infty)$  by  $x > c$ ,  $(c_1, c_2]$  by  $c_1 < x \leq c_2$  etc.

## TCTL-semantics for timed automata

- Let  $TA$  be a timed automaton with clocks  $C$  and locations  $Loc$
- For TCTL-state-formula  $\Phi$ , the *satisfaction set*  $Sat(\Phi)$  is defined by:

$$Sat(\Phi) = \{ s \in Loc \times Eval(C) \mid s \models \Phi \}$$

- $TA$  satisfies TCTL-formula  $\Phi$  iff  $\Phi$  holds in all initial states of  $TA$ :

$$TA \models \Phi \quad \text{if and only if} \quad \forall \ell_0 \in Loc_0. \langle \ell_0, \eta_0 \rangle \models \Phi$$

where  $\eta_0(x) = 0$  for all  $x \in C$

## TCTL model checking

- TCTL model-checking problem:  $TA \models \Phi$  for non-Zeno  $TA$

$$\underbrace{TA \models \Phi}_{\text{timed automaton}} \quad \text{iff} \quad \underbrace{TS(TA) \models \Phi}_{\text{infinite transition system}}$$

- Idea: consider a finite quotient of  $TS(TA)$  wrt. a bisimulation
  - $TS(TA)/\cong$  is a *region* transition system and denoted  $RTS(TA)$
  - dependence on  $\Phi$  is ignored for the moment . . .
- Transform TCTL formula  $\Phi$  into an “equivalent” CTL-formula  $\widehat{\Phi}$
- Then:  $TA \models_{TCTL} \Phi$  iff  $\underbrace{RTS(TA)}_{\text{finite transition system}} \models_{CTL} \widehat{\Phi}$

## Eliminating timing parameters

- Eliminate all intervals  $J \neq [0, \infty)$  from TCTL formulas
  - introduce a fresh clock,  $z$  say, that does not occur in  $TA$
- Formally: for any state  $s$  of  $TS(TA)$  it holds:

$$s \models \exists \diamond^J \Phi \quad \text{iff} \quad \underbrace{s\{z := 0\}}_{\text{state in } TS(TA \oplus z)} \models \exists \diamond((z \in J) \wedge \Phi)$$

- where  $TA \oplus z$  is  $TA$  (over  $C$ ) extended with  $z \notin C$

atomic clock constraints are atomic propositions, i.e., a CTL formula results

## Correctness

Let  $TA = (Loc, Act, C, \hookrightarrow, Loc_0, Inv, AP, L)$ . For clock  $z \notin C$ , let

$$TA \oplus z = (Loc, Act, C \cup \{z\}, \hookrightarrow, Loc_0, Inv, AP, L).$$

For any state  $s$  of  $TS(TA)$  it holds that:

1.  $s \models \exists(\Phi \cup^J \Psi)$  iff  $\underbrace{s\{z := 0\}}_{\text{state in } TS(TA \oplus z)} \models \exists((\Phi \vee \Psi) \cup ((z \in J) \wedge \Psi))$
2.  $s \models \forall(\Phi \cup^J \Psi)$  iff  $\underbrace{s\{z := 0\}}_{\text{state in } TS(TA \oplus z)} \models \forall((\Phi \vee \Psi) \cup ((z \in J) \wedge \Psi))$

## Clock equivalence $\cong$

(A) Equivalent clock valuations satisfy the same clock constraints  $g$ :

$$\eta \cong \eta' \Rightarrow (\eta \models g \text{ iff } \eta' \models g)$$

(B) Time-divergent paths of equivalent states are “equivalent”

- this property guarantees that equivalent states satisfy the same path formulas

(C) The number of equivalence classes under  $\cong$  is finite

## Clock equivalence

- Correctness criteria (A) and (B) are ensured if equivalent states:
  - agree on the integer parts of all clock values, and
  - agree on the ordering of the fractional parts of all clocks

⇒ This yields a denumerable infinite set of equivalence classes

- Observe that:
  - if clocks exceed the maximal constant with which they are compared their precise value is not of interest

⇒ The number of equivalence classes is then finite (C)

## Clock equivalence: definition

Clock valuations  $\eta, \eta' \in \text{Eval}(C)$  are *equivalent*, denoted  $\eta \cong \eta'$ , if either:

- for all  $x \in C$ :  $\eta(x) > c_x$  and  $\eta'(x) > c_x$ , or
- for any  $x, y \in C$  with  $\eta(x) \leq c_x$  and  $\eta'(x) \leq c_x$ , and  $\eta(y) \leq c_y$  and  $\eta'(y) \leq c_y$  it holds:
  - $\lfloor \eta(x) \rfloor = \lfloor \eta'(x) \rfloor$  and  $\text{frac}(\eta(x)) = 0$  iff  $\text{frac}(\eta'(x)) = 0$ , and
  - $\text{frac}(\eta(x)) \leq \text{frac}(\eta(y))$  iff  $\text{frac}(\eta'(x)) \leq \text{frac}(\eta'(y))$ .

$$s \cong s' \quad \text{iff} \quad \ell = \ell' \quad \text{and} \quad \eta \cong \eta'$$

# Regions

- The *clock region* of  $\eta \in \text{Eval}(C)$ , denoted  $[\eta]$ , is defined by:

$$[\eta] = \{ \eta' \in \text{Eval}(C) \mid \eta \cong \eta' \}$$

- The *state region* of  $s = \langle \ell, \eta \rangle \in \text{TS(TA)}$  is defined by:

$$[s] = \langle \ell, [\eta] \rangle = \{ \langle s, \eta' \rangle \mid \eta' \in [\eta] \}$$

**Example**  $c_x=2, c_y=1$

## Bounds on the number of regions

The *number of clock regions* is bounded from below and above by:

$$|C|! * \prod_{x \in C} c_x \leq | \underbrace{\text{Eval}(C) / \cong}_{\text{number of regions}} | \leq |C|! * 2^{|C|-1} * \prod_{x \in C} (2c_x + 2)$$

where for the upper bound it is assumed that  $c_x \geq 1$  for any  $x \in C$

the number of state regions is  $|Loc|$  times larger

# Proof

## Preservation of atomic properties

1. For  $\eta, \eta' \in \text{Eval}(C)$  such that  $\eta \cong \eta'$ :

$\eta \models g$  if and only if  $\eta' \models g$  for any  $g \in \text{ACC}(\text{TA} \cup \Phi)$

2. For  $s, s' \in \text{TS}(\text{TA})$  such that  $s \cong s'$ :

$s \models a$  if and only if  $s' \models a$  for any  $a \in AP'$

where  $AP'$  includes all propositions in  $\text{TA}$  and atomic clock constraints in  $\text{TA}$  and  $\Phi$

## Clock equivalence is a bisimulation

Clock equivalence is a bisimulation equivalence over  $AP'$

# Proof

## Region automaton: intuition

- Region automaton = quotient of  $TS(TA)$  under  $\cong$
- State regions are states in quotient transition system under  $\cong$
- Transitions in region automaton “mimic” those in  $TS(TA)$
- Delays are **abstract**
  - the exact delay is not recorded, only that some delay took place
  - if any clock  $x$  exceeds  $c_x$ , delays are self-loops
- Discrete transitions correspond to **actions**

## A simple example



## Unbounded and successor regions

- Clock region  $r_\infty = \{ \eta \in \text{Eval}(C) \mid \forall x \in C. \eta(x) > c_x \}$  is *unbounded*
- $r'$  is the *successor (clock) region* of  $r$ , denoted  $r' = \text{succ}(r)$ , if either:
  1.  $r = r_\infty$  and  $r = r'$ , or
  2.  $r \neq r_\infty$ ,  $r \neq r'$  and  $\forall \eta \in r:$

$$\exists d \in \mathbb{R}_{>0}. (\eta + d \in r' \quad \text{and} \quad \forall 0 \leq d' \leq d. \eta + d' \in r \cup r')$$

- The *successor region*:  $\text{succ}(\langle \ell, r \rangle) = \langle \ell, \text{succ}(r) \rangle$
- Note: the location invariants are ignored so far!

# Example

## Characterizing time convergence

For non-zeno  $TA$  and  $\pi = s_0 s_1 s_2 \dots$  a path in  $TS(TA)$ :

(a)  $\pi$  is *time-convergent*  $\Rightarrow \exists$  state region  $\langle \ell, r \rangle$  such that for some  $j$ :

$$s_i \in \langle \ell, r \rangle \text{ for all } i \geq j$$

(b) If  $\exists$  state region  $\langle \ell, r \rangle$  with  $r \neq r_\infty$  and an index  $j$  such that:

$$s_i \in \langle \ell, r \rangle \text{ for all } i \geq j$$

then  $\pi$  is *time-convergent*

time-convergent paths are paths that only perform delays from some time instant on

## Region automaton

For non-zeno  $TA$  with  $TS(TA) = (S, Act, \rightarrow, I, AP, L)$  let:

$$RTS(TA, \Phi) = (S', Act \cup \{\tau\}, \rightarrow', I, AP', L') \quad \text{with}$$

- $S' = S / \cong = \{ [s] \mid s \in S \}$  and  $I' = \{ [s] \mid s \in I \}$ , the state regions
- $L'(\langle \ell, r \rangle) = L(\ell) \cup \{ g \in AP' \setminus AP \mid r \models g \}$

- $\rightarrow'$  is defined by: 
$$\frac{\ell \xleftarrow{g:\alpha, D} \ell' \quad r \models g \quad \text{reset } D \text{ in } r \models \text{Inv}(\ell')}{\langle \ell, r \rangle \xrightarrow{\alpha}^{\tau} \langle \ell', \text{reset } D \text{ in } r \rangle}$$

and 
$$\frac{r \models \text{Inv}(\ell) \quad \text{succ}(r) \models \text{Inv}(\ell)}{\langle \ell, r \rangle \xrightarrow{\tau}^{\tau} \langle \ell, \text{succ}(r) \rangle}$$

## Example: simple light switch



## Correctness theorem [Alur and Dill, 1989]

For non-Zeno timed automaton  $TA$  and  $\text{TCTL}_\diamond$  formula  $\Phi$ :

$$\underbrace{TA \models \Phi}_{\text{TCTL semantics}} \quad \text{iff} \quad \underbrace{RTS(TA, \Phi) \models \Phi}_{\text{CTL semantics}}$$

# Proof

## Characterizing timelock freedom

Non-zeno  $TA$  is timelock-free iff no reachable state in  $RTS(TA)$  is terminal

timelocks can thus be checked by a reachability analysis of  $RTS(TA)$

# Example



## TCTL model-checking algorithm

Main ideas:

- Equip  $TA$  with a single clock
  - as opposed to a single clock for each (timed) subformula  $\Phi \cup^J \Psi$
- Introduce atomic proposition for each timed subformula
- Convert timed CTL formula  $\Phi$  into  $\widehat{\Phi}$
- And check  $\widehat{\Phi}$  on  $RTS(TA)$ 
  - using standard CTL model checking

## Extra atomic propositions

$$\text{TCTL formula } \Phi = \forall \square^{\leq 3} \left( \underbrace{\exists \diamond^{[2,6]} a}_{=\Psi_1} \wedge \underbrace{\exists \square^{]2,5[} \forall \diamond^{\geq 3} \left( \underbrace{b \wedge (x=9)}_{=\Psi_2} \right)}_{=\Psi_3} \right) \underbrace{\Psi_3}_{=\Psi_4} \underbrace{\Psi_4}_{=\Psi_5}$$

The set of propositions of  $R$  contains:

- the propositions  $a$  and  $b$ , and the clock constraint  $x=9$
- the propositions  $a_{\Psi_1}$  through  $a_{\Psi_5}$ , and  $a_{\Phi}$
- the clock constraints  $z \leq 3$ ,  $z \in [2, 6]$ ,  $z \in ]2, 5[$  and  $z \geq 3$

*Input:* non-zeno, timelock-free timed automaton  $TA$  and TCTL formula  $\Phi$

*Output:* “yes” if  $TA \models \Phi$ , “no” otherwise.

---

```

 $R := RTS(TA \oplus z, \Phi);$  (* with state space  $S_{rts}$  and labeling  $L_{rts}$  *)
for all  $i \leq |\Phi|$  do
  for all  $\Psi \in Sub(\Phi)$  with  $|\Psi| = i$  do

    switch( $\Psi$ ):
      true :  $Sat_R(\Psi) := S_{rts};$ 
       $a$  :  $Sat_R(\Psi) := \{s \in S_{rts} \mid a \in L_{rts}(s)\};$ 
       $\Psi_1 \wedge \Psi_2$  :  $Sat_R(\Psi) := \{s \in S_{rts} \mid \{a_{\Psi_1}, a_{\Psi_2}\} \subseteq L_{rts}(s)\};$ 
       $\neg \Psi'$  :  $Sat_R(\Psi) := \{s \in S_{rts} \mid a_{\Psi'} \notin L_{rts}(s)\};$ 
       $\exists(\Psi_1 \cup^J \Psi_2)$  :  $Sat_R(\Psi) := Sat_{CTL}(\exists((a_{\Psi_1} \vee a_{\Psi_2}) \cup ((z \in J) \wedge a_{\Psi_2})));$ 
       $\forall(\Psi_1 \cup^J \Psi_2)$  :  $Sat_R(\Psi) := Sat_{CTL}(\forall((a_{\Psi_1} \vee a_{\Psi_2}) \cup ((z \in J) \wedge a_{\Psi_2})));$ 
    end switch

    (* add  $a_{\Psi}$  to the labeling of all state regions where  $\Psi$  holds *)
    forall  $s \in S_{rts}$  with  $s\{z := 0\} \in Sat_R(\Psi)$  do  $L_{rts}(s) := L_{rts}(s) \cup \{a_{\Psi}\}$  od;
    od
od
if  $I_{rts} \subseteq Sat_R(\Phi)$  then return “yes” else return “no” fi
  
```

---

## Time complexity

For timed automaton  $TA$  and TCTL formula  $\Phi$ , the model-checking problem

$TA \models \Phi$  can be determined in time  $\mathcal{O}((N+K) \cdot |\Phi|)$ ,

where  $N$  and  $K$  are the number of states and transitions in  $RTS(TA, \Phi)$

## Other verification problems

1. The TCTL model-checking problem is **PSPACE-complete**
2. Model checking safety, reachability, or  $\omega$ -regular properties in TA is **PSPACE-complete**
3. Model checking LTL and CTL against TA is **PSPACE-complete**
4. The model-checking problem for timed LTL is **undecidable**
5. The satisfaction problem for TCTL is **undecidable**

*all facts without proof*