Stationary states in the reinfection case

Temporal logic model checking is a fully automatic verification technique.

It refers to the question of whether a model of a software system satisfies certain temporal logic correctness requirements. In common approaches, a Kripke structure [90] is used to model the state space of the system under consideration.

Definition 2.1 (Kripke Structure).

A Kripke structure over a set of atomic predicates AP is a tuple K = (S, R, L, F) where

• S is a finite set of states,

• R : S × S → {true, f alse} is a total transition function, i.e. ∀s ∈ S : ∃s⁰∈ S : R(s, s⁰) = true,

• L : S × AP → {true, f alse} is a labelling function that associates a truth value with each predicate in each state,

• F ⊆ P(R⁻¹({true}))is a set of fairness constraints where each constraint F∈ F is a set of true transitions.

A path π of a Kripke structure K is an infinite sequence of states s0s₁s₂. . .with R(s_i, s_i+1) = true. πidenotes the i-th state of π and Πsdenotes the set of all

2.1 Classical Temporal Logic Model Checking 15 paths starting in s ∈ S. A path π is fair if it takes infinitely often a transition from every F ∈ F. By Πs^{f air} we denote the set of all fair paths starting in s∈ S. Fairness constraints in Kripke structures are used to rule out unrealistic (i.e. unfair) behaviour of the modelled system. In Chapter 3 we will provide more details on unrealistic system behavior, and moreover, show how fairness constraints can be derived from a given system. Henceforth, we solely focus on fair paths. For illustration of the aforementioned definitions, we consider the Kripke structure K₁in Figure 2.1.

s0

K1::

s1

s3

s4

s2

s5

p= f q= f

p= t q= f

p= t q= f

p= t q= f

p= t q= t

p= t q= t

Fig. 2.1 Kripke structure K1 over AP = {p, q} with fairness constraint F = {F} where F= {(s2, s2), (s3, s3), (s5, s5)}. In the labelling, t abbreviates true, and f abbreviates f alse.

As we can see, the infinite sequence π = s0s₁s₁s₁. . .is a path of K₁. However, since π does not take any transition from the set F infinitely often, this path is not fair. A fair path of K₁is e.g. π⁰= s₀s₁s₂s₂. . ..

Requirements, i.e. desirable properties of systems represented as Kripke struc-tures can be formalised in temporal logic, an extension of the classical propo-sitional logic. The computation tree logic (CTL) [37] is a branching-time logic for specifying such properties. The syntax of CTL can be defined in two steps.

We can distinguish CTL state and path formulae:

Definition 2.2 (Syntax of CTL).

Let AP be a set of atomic predicates. The syntax of CTL state formulae is given by the following grammar:

ψ ::= p | ¬ψ | ψ ∧ ψ | ψ ∨ ψ | Eφ | Aφ

where p ∈ AP and φ is a CTL path formula. Thus, state formulae permit the logical connectives ¬, ∧, ∨ as well as the existential (E) or universal (A) quantification over path formulae. The syntax of CTL path formulae is given by the following grammar:

φ ::= Xψ | Fψ | Gψ | ψ Uψ

where ψ is a CTL state formula. State formulae refer to properties of states and their branching structure, whereas path formulae characterise temporal properties of paths. As temporal operators, we have next (X), eventually (F), globally (G) and until (U). The formal semantics of these operators follows from Definition 2.3. In the evaluation of CTL formulae on Kripke structures only state formulae are considered – which, however, may be composed of path formulae. Henceforth, we refer to CTL state formulae just as CTL formulae.

Definition 2.3 (Fair Evaluation of CTL).

Let K = (S, R, L, F) be a Kripke structure over a set of atomic predicates AP.

Then the fair evaluation of a CTL formula ψ in a state s of K, written [K, s |= ψ], is inductively defined as follows

[K, s |= p] := ^W

π ∈Π_s^{f air}L(π0, p) [K, s |= ¬ψ] := ^W

π ∈Πs^{f air}¬ [K, π0|= ψ]

[K, s |= ψ ∧ ψ⁰] := ^W

π ∈Πs^{f air}[K, π0|= ψ] ∧ [K, π0|= ψ⁰] [K, s |= ψ ∨ ψ⁰] := ^W

π ∈Π_s^{f air}[K, π0|= ψ] ∨ [K, π0|= ψ⁰] [K, s |=EXψ] := ^W

π ∈Πs^{f air}[K, π1|= ψ]

[K, s |=EGψ] := ^W

π ∈Πs^{f air}

V

i∈N[K, πi|= ψ]

[K, s |=E(ψUψ⁰)] := ^W

π ∈Π_s^{f air} W

i∈N [K, πi|= ψ⁰] ∧^V_{0≤ j<i}[K, πj|= ψ]
If [K, s |= ψ] evaluates to true then the system modelled by K satisfies the property formalised by ψ. In case the evaluation yields false, the modelled system violates the property. The evaluation of the remaining CTL operators can be derived by the following equivalences

EFψ ≡ E(trueUψ), AFψ ≡ A(trueUψ), EGψ ≡ ¬AF¬ψ, AGψ ≡ ¬EF¬ψ,

AXψ ≡ ¬EX¬ψ

where two CTL formulae ψ1, ψ2are equivalent, written ψ1≡ ψ2, iff for all Kripke structures K and for all states s of K: [K, s |= ψ1] = [K, s |= ψ2].

For our example Kripke structure K₁we e.g. have that [K₁, s₀|=AFp] yields true, i.e. for all fair paths starting in s₀eventually p holds. It is sufficient to consider the substructure πK1 of K₁depicted in Figure 2.2 in order to validate [K₁, s₀|=AFp]. Such a substructure that proves the validity of a temporal logic formula ψ is called a witness for ψ.

2.1 Classical Temporal Logic Model Checking 17

s0

πK₁::

s1

s3

s₄ p= f

q= f

p= t q= f

p= t q= f

p= t q= f

Fig. 2.2 Witness πK₁for [K1, s0|=AFp] in the Kripke structure K1.

As another example, [K₁, s₀|=AG(AF(EXq))] evaluates to false. This can be disproved by the fair path π_K⁰₁ = s₀s₃s₃. . .in K₁, a path where at some time p never holds next. We call such a path that refutes a CTL formula ψ a counterexample for ψ. Counterexamples for temporal logic properties are not necessarily paths, i.e. linear traces. Since CTL is a branching-time logic, counterexamples may also have a tree-like structure. Moreover, there is a duality between witnesses and counterexamples. A substructure π of a Kripke structure is a counterexample for a temporal logic formula ψ if and only if π is a witness for the formula ¬ψ . Thus, the tree-like witness πK₁ forAFp is also a counterexample for the negated property EG¬p, and the linear counterexample π_K⁰

1 forAG(AF(EXq)) is a witness for EF(EG(AX¬q)).

Conversely to the equivalence between CTL formulae, we have that two states of Kripke structures are equivalent with respect to the branching-time logic iff they satisfy the same set of CTL formulae. Such an equivalence relation on states of Kripke structures is denoted as a bisimulation.

Definition 2.4 (Bisimulation).

Let K₁= (S₁, R₁, L₁, F1)and K₂= (S₂, R₂, L₂, F2)be two Kripke structures, both defined over the same set of atomic predicates AP. Then a bisimulation be-tween K₁and K₂is the greatest relation ∼_b⊆ S₁× S₂such that s₁∼_bs₂implies

• ∀p ∈ AP : L₁(s₁, p) = L₂(s₂, p),

• ∀s⁰₁∈ S₁such that R₁(s₁, s⁰₁)there is a state s⁰₂∈ S₂with R₂(s₂, s⁰₂)and s⁰₁∼_bs⁰₂,

• ∀s⁰₂∈ S₂ such that R₂(s₂, s⁰₂) there is a state s⁰₁∈ S₁ with R₁(s₁, s⁰₁) and s⁰₁∼_bs⁰₂.

We say, the Kripke structures K₁and K₂are bisimilar, denoted by K₁∼_bK₂, if there exists such a bisimulation between them. Moreover, two paths π¹ in K₁and π²in K₂are bisimilar iff ∀k ∈ N : π_k¹∼_bπ_k². Then we also say, the path π¹simulates the path π²and vice versa. Since bisimulation is reflexive,

transitive and symmetric, it is an equivalence relation. So far, there is no notion of fairness in this basic definition of a bisimulation relation. However, a bisimulation can be easily extended with fairness constraints [41]:

Definition 2.5 (Fair Bisimulation).

Let K₁= (S₁, R₁, L₁, F1)and K₂= (S₂, R₂, L₂, F2)be two Kripke structures, both defined over the same set of atomic predicates AP. Then a fair bisimulation between K₁ and K₂ is the greatest relation ∼_b⊆ S₁× S₂ such that s₁∼_bs₂ implies

• ∀p ∈ AP : L₁(s₁, p) = L₂(s₂, p).

• For every fair path π¹∈ Π_s^{f air}₁ in K₁exists a fair path π²∈ Π_s^{f air}₂ in K₂such that ∀k ∈ N : π_k¹∼_bπ_k².

• For every fair path π²∈ Π_s^{f air}₂ in K₂exists a fair path π¹∈ Π_s^{f air}₁ in K₁such that ∀k ∈ N : π_k¹∼_bπ_k².

Two Kripke structures are fair bisimilar if there exists such a fair bisimulation between them. Henceforth, we just write bisimulation when we refer to the fair bisimulation. In Figure 2.3 we see a Kripke structure K₂that is bisimilar to the structure K₁in Figure 2.1.

s⁰₀ K2::

s⁰₁

s⁰₃

s⁰₂ p= f

q= f

p= t q= f

p= t q= f

p= t q= t

Fig. 2.3 Kripke structure K2 over AP = {p, q} with fairness constraint F = {F} where F= {(s⁰₂, s⁰₂), (s⁰₃, s⁰₃)}.

The bisimulation between K₁and K₂is defined by ∼_b= {(s₀, s⁰₀), (s₁, s⁰₁), (s₂, s⁰₂), (s₃, s⁰₃),(s₄, s⁰₁), (s₅, s⁰₂)}. We have that the path π²= s⁰₀s⁰₁s⁰₂. . .in K₂simulates the paths π¹= s₀s₁s₂. . .and π⁰¹= s₀s₄s₅. . .in K₁ and vice versa. Moreover, we can observe that K₂is significantly smaller, with respect to the number of states and transitions, than the bisimilar K₁. From [41] we get the following result for bisimilar Kripke structures:

Theorem 2.1.

Let K₁= (S₁, R₁, L₁, F1)and K₂= (S₂, R₂, L₂, F2)be two bisimilar Kripke struc-tures and let ∼_b⊆ S₁× S₂be the respective bisimulation. Moreover, let s₁∈ S₁,

2.1 Classical Temporal Logic Model Checking 19 s₂∈ S₂. Then

s1∼_bs2iff (∀ CTL formulae ψ : [K1, s₁|= ψ] = [K2, s₂|= ψ]) .

This theorem can be exploited to reduce the complexity of temporal logic model checking. Assume there is a verification task given by [K₁, s₁|= ψ]. Then the general approach is to find a smaller Kripke structure K₂with K₁∼_bK₂, a state s₂in K₂with s₁∼_bs₂, and then evaluate [K₂, s₂|= ψ]. By Theorem 2.1 the obtained result can be transferred to the original verification task. Due to the smaller K₂this approach is usually more efficient than directly evaluating [K₁, s₁|= ψ]. For our running example with the Kripke structure K2in Figure 2.3 we have that [K₂, s⁰₀|=AFp] = true and [K2, s⁰₀|=AG(AF(EXq))] = f alse, which is compliant with the results obtained for the larger bisimilar Kripke structure K₁in Figure 2.1.

However, given a Kripke structure K₁, then the smallest bisimilar K₂might be still too large for an efficient verification. A less restrictive relation on Kripke structures is the simulation.

Definition 2.6 (Simulation).

Let K₁= (S₁, R₁, L₁, F1)and K₂= (S₂, R₂, L₂, F2)be two Kripke structures, both defined over the same set of atomic predicates AP. Then a simulation between K₁and K₂is the greatest relation _s⊆ S₁× S₂such that s₁_ss₂implies

• ∀p ∈ AP : L₁(s₁, p) = L₂(s₂, p),

• ∀s⁰₁∈ S₁ such that R₁(s₁, s⁰₁) there is a state s⁰₂∈ S₂ with R₂(s₂, s⁰₂) and s⁰₁_ss⁰₂,

As we can see, a bisimulation corresponds to a simulation which additionally relates transitions of K₂to transitions of K₁. Hence, every bisimulation is also a simulation. The basic definition of simulation can be extended with fairness constraints [41]:

Definition 2.7 (Fair Simulation).

Let K₁= (S₁, R₁, L₁, F1)and K₂= (S₂, R₂, L₂, F2)be two Kripke structures, both defined over the same set of atomic predicates AP. Then a fair simulation between K₁ and K₂ is the greatest relation _s⊆ S₁× S₂ such that s₁_s s₂ implies

• ∀p ∈ AP : L₁(s₁, p) = L₂(s₂, p).

• For every fair path π¹∈ Π_s^{f air}₁ in K₁there exists a fair path π²∈ Π_s^{f air}₂ in K₂ such that ∀k ∈ N : π_k¹_sπ_k².

Henceforth, we just write simulation when we refer to the fair simulation. If there exists such a relation _sbetween K₁and K₂then we say, K₁is simulated by K₂or, conversely, K₂simulates K₁. Simulation is not an equivalence relation

but a preorder. Thus, it is reflexive, transitive but not symmetric. For two states s₁ in K₁ and s₂ in K₂ with s₁_ss₂ every path starting in s₁ can be simulated by a path starting in s₂, but not vice versa. Hence, CTL properties are generally not preserved under simulation. Nevertheless, we will see that simulation preserves properties from the universal fragment of CTL (ACTL).

ACTL is restricted to universal quantification, and moreover, negation is solely permitted for atomic predicates.

Definition 2.8 (Syntax of ACTL).

Let AP be a set of atomic predicates. The syntax of ACTL state formulae is given by the following grammar:

ψ ::= p | ¬ p | ψ ∧ ψ | ψ ∨ ψ | Aφ where p ∈ AP and φ is a CTL path formula.

The semantics of ACTL is the same as for CTL. Note that we have the same equivalences as before, and thus, an ACTL formula can be transferred into an equivalent CTL formula which may contain existential quantification as well.

From [41] we get the following result:

Theorem 2.2.

Let K1= (S₁, R₁, L₁, F1)and K2= (S₂, R₂, L₂, F2)be two Kripke structures with K1_sK2and let s⊆ S₁× S₂be the respective simulation. Moreover, let s1∈ S₁, s₂∈ S₂. Then

s₁_ss₂iff (∀ ACTL formulae ψ : [K2, s₂|= ψ] ⇒ [K1, s₁|= ψ]) .

Thus, given a verification task [K₁, s₁|= ψ], a common approach is to find a smaller Kripke structure K₂that simulates K₁, a state s₂in K₂with s₁_ss₂, and then evaluate [K₂, s₂|= ψ]. In case [K2, s₂|= ψ] yields true, this result can be transferred to the original verification task, whereas a false result for K₂tells us nothing about K₁. However, since the simulation relation is less restrictive than the bisimulation, finding a small Kripke structure that simulates the original one is usually easier than finding a bisimilar Kripke structure. And moreover, many verification tasks can already be successfully accomplished under simulation.

We want to consider an example for such a simulation. In Figure 2.4 we have a Kripke stucture K₃ that simulates the structure K₂from Figure 2.3 – and due to transitivity also K₁ from Figure 2.1. The simulation between K₂and K₃is defined by _s= {(s⁰₀, s⁰⁰₀), (s⁰₁, s⁰⁰₁), (s⁰₂, s⁰⁰₂), (s⁰₃, s⁰⁰₁)}. Again we get [K₃, s⁰⁰₀|=AFp] = true, which conforms to the results obtained for the simulated Kripke structures K₁and K₂. However, for the non-ACTL formulaAG(AF(EXq)) we have [K₃, s⁰⁰₀|=AG(AF(EXq))] = true, which is not compliant with our for-mer results for K₁and K₂. This illustrates that under a simulation K₂_sK₃ there might be feasible paths in K₃that are not feasible in the simulated K₂. In our example, π = s⁰⁰₀s⁰⁰₁s⁰⁰₁s⁰⁰₁. . .in K₃is such a spurious path.

In document Semilinear hyperbolic equations and the dynamics of gut bacteria (página 54-64)