CTL Model Update for System Modifications
aa r X i v : . [ c s . A I] O c t Journal of Artificial Intelligence Research 31 (2008) 113-155 Submitted 08/07; published 01/08
CTL Model Update for System Modifications
Yan Zhang [email protected]
Intelligent Systems LaboratorySchool of Computing and MathematicsUniversity of Western Sydney, Australia
Yulin Ding [email protected]
Department of Computer ScienceUniversity of Adelaide, Australia
Abstract
Model checking is a promising technology, which has been applied for verification ofmany hardware and software systems. In this paper, we introduce the concept of model up-date towards the development of an automatic system modification tool that extends modelchecking functions. We define primitive update operations on the models of ComputationTree Logic (CTL) and formalize the principle of minimal change for CTL model update.These primitive update operations, together with the underlying minimal change princi-ple, serve as the foundation for CTL model update. Essential semantic and computationalcharacterizations are provided for our CTL model update approach. We then describe aformal algorithm that implements this approach. We also illustrate two case studies of CTLmodel updates for the well-known microwave oven example and the Andrew File System 1,from which we further propose a method to optimize the update results in complex systemmodifications.
1. Introduction
Model checking is one of the most effective technologies for automatic system verifications.In the model checking approach, the system behaviours are modeled by a Kripke structure,and specification properties that we require the system to meet are expressed as formulasin a propositional temporal logic, e.g., CTL. Then the model checker, e.g., SMV, takes theKripke model and a formula as input, and verifies whether the formula is satisfied by theKripke model. If the formula is not satisfied in the Kripke model, the system will reporterrors, and possibly provides useful information (e.g., counterexamples).Over the past decade, the model checking technology has been considerably developed,and many effective model checking tools have been demonstrated through provision of thor-ough automatic error diagnosis in complex designs e.g., (Amla, Du, Kuehlmann, Kurshan,& McMillan, 2005; Berard, Bidoit, Finkel, Laroussinie, Petit, Petrucci, & Schnoebelen,2001; Boyer & Sighireanu, 2003; Chauhan, Clarke, Kukula, Sapra, Veith, & Wang, 2002;Wing & Vaziri-Farahani, 1995). Some current state-of-the-art model checkers, such asSMV (Clarke, Grumberg, & Peled, 1999), NuSMV (Cimatti, Clarke, Giunchiglia, & Roveri,1999) and Cadence SMV (McMillan & Amla, 2002), employ SMV specification language forboth Computational Tree Logic (CTL) and Linear Temporal Logic (LTL) variants (Clarkeet al., 1999; Huth & Ryan, 2004). Other model checkers, such as SPIN (Holzmann, 2003),use Promela specification language for on-the-fly LTL model checking. Additionally, the c (cid:13) hang & Ding MCK (Gammie & van der Meyden, 2004) model checker was developed by integratinga knowledge operator into CTL model checking to verify knowledge-related properties ofsecurity protocols.Although model checking approaches have been used for verification of problems in largecomplex systems, one major limitation of these approaches is that they can only verify thecorrectness of a system specification. In other words, if errors are identified in a systemspecification by model checking, the task of correcting the system is completely left to thesystem designers. That is, model checking is generally used only to verify the correctness ofa system, not to modify it. Although the idea of repair has been indeed proposed for model-based diagnosis, repairing a system is only possible for specific cases (Dennis, Monroy, &Nogueira, 2006; Stumptner & Wotawa, 1996).
Since model checking can handle complex system verification problems and as it may beimplemented via fast algorithms, it is quite natural to consider whether we can developassociated algorithms so that they can handle system modification as well. The idea ofintegrating model checking and automatic modification has been investigated in recentyears. Buccafurri, Eiter, Gottlob, and Leone (1999) have proposed an approach wherebyAI techniques are combined with model checking such that the enhanced algorithm can notonly identify errors for a concurrent system, but also provide possible modifications for thesystem.In the above approach, a system is described as a Kripke structure M , and a modificationΓ for M is a set of state transitions that may be added to or removed from M . If a CTLformula ϕ is not satisfied in M i.e., the system contains errors with respect to property ϕ ,then M will be repaired by adding new state transitions or removing existing ones specifiedin Γ. As a result, the new Kripke structure M ′ will then satisfy formula ϕ . The approachof Buccafurri et al. (1999) integrates model checking and abductive theory revision toperform system repairs. They also demonstrate how their approach can be applied torepair concurrent programs.It has been observed that this type of system repair is quite restricted, as only relationelements (i.e., state transitions) in a Kripke model can be changed . This implies that errorscan only be fixed by changing system behaviors. In fact, as we will show in this paper,allowing change to both states and relation elements in a Kripke structure significantlyenhances the system repair process in most situations. Also, since providing all admissiblemodifications (i.e., the set Γ) is a pre-condition of any repair, the approach of Buccafurriet al. lacks flexibility. Indeed, as stated by the authors themselves, their approach may notbe general enough for other system modifications.On the other hand, knowledge-base update has been the subject of extensive study inthe AI community since the late 1980s. Winslett’s Possible Model Approach (PMA) isviewed as pioneering work towards a model-based minimal change approach for knowledge-base update (Winslett, 1988). Many researchers have since proposed different approachesto knowledge system update (e.g., see references from Eiter & Gottlob, 1992; Herzig &
1. NB: No state changes occur in the specified system repairs (see Definitions 3.2 and 3.3 in Buccafurriet al., 1999).
TL Model Update for System Modifications
Rifi, 1999). Of these works, Harris and Ryan (2002, 2003) considered using an updateapproach for system modification, where they designed update operations to tackle featureintegration, performing theory change and belief revision. However, their study focusedmainly on the theoretical properties of system update, and practical implementation oftheir approach in system modification remains unclear.Baral and Zhang (2005) recently developed a formal approach to knowledge updatebased on single-agent S5 Kripke structures observing that system modification is closelyrelated to knowledge update. From the knowledge dynamics perspective, we can view thefinite transition system, which represents a real time complex system, to be a model of aknowledge set (i.e., a Kripke model). Thus the problem of system modification is reducedto the problem of updating this model so that a new updated model satisfies the knowledgeformula.This observation motivated the initial development of a general approach to updatingKripke models, which can be integrated into model checking technology, towards a moregeneral automatic system modification. Ding and Zhang’s work (2005) may be viewed as thefirst attempt to apply this idea to LTL model update. The LTL model update modifies theexisting LTL model of an abstracted system to automatically correct the errors occurringwithin this model.Based on the investigation described above, we intend to integrate knowledge updateand CTL model checking to develop a practical model updater, which represents a generalmethod for automatic system repairs.
The overall aim of our work is to design a model updater that improves model checkingfunction by adding error repair (see schematic in Figure 1). The outcome from the updateris a corrected Kripke model. The model updater’s function is to automatically correcterrors reported (possibly as counterexamples) by a model checking compiler. Eventually,the model updater is intended to be a universal compiler that can be used in certain commonsituations for model error detection and correction.
SystemKripke ModelDesign CTLKripke ModelModel checking& UpdatingCorrected
Figure 1: CTL model update.The main contributions of this paper are described as follows: hang & Ding
1. We propose a formal framework for CTL model update. Firstly, we define primi-tive CTL model update operations and, based on these operations, specify a minimalchange principle for the CTL model update. We then study the relationship betweenthe proposed CTL model update and traditional propositional belief update. Interest-ingly, we prove that our CTL model update obeys all Katsuno and Mendelzon updatepostulates (U1) - (U8). We further provide important characterizations for specialCTL model update formulas such as EX φ , AG φ and EG φ . These characterizationsplay an important role in optimization of the update procedure. Finally, we study thecomputational properties of CTL model update and show that, in general, the modelchecking problem for CTL model update is co-NP-complete. We also classify a usefulsubclass of CTL model update problems that can be performed in polynomial time.2. We develop a formal algorithm for CTL model update. In principle, our algorithmcan perform an update on a given CTL Kripke model with an arbitrary satisfiableCTL formula and generate a model that satisfies the input formula and has a minimalchange with respect to the original model. The model then can be viewed as a possiblecorrection on the original system specification. Based on this algorithm, we implementa system prototype of CTL model updater in C code in Linux.3. We demonstrate important applications of our CTL model update approach by twocase studies of the well-known microwave oven example (Clarke et al., 1999) andthe Andrew File System 1 (Wing & Vaziri-Farahani, 1995). Through these casestudies, we further propose a new update principle of minimal change with maximalreachable states, which can significantly improve the update results in complex systemmodification scenarios.In summary, our work presented in this paper is an initial step towards the formal studyof the automatic system modification. This approach may be integrated into existing modelcheckers so that we may develop a unified methodology and system for model checkingand model correction. In this sense, our work will enhance the current model checkingtechnology. Some results presented in this paper were published in ECAI 2006 (Ding &Zhang, 2006).The rest of the paper is organized as follows. An overview of CTL syntax and seman-tics is provided in Section 2.1. Primitive update operations on CTL models are definedin Section 3, and a minimal change principle for CTL model update is then developed.Section 4 consists of a study of the relationship between CTL model update and Katsunoand Mendelzon’s update postulates (U1) - (U8), and various characterizations for some spe-cial CTL model updates. In Section 5, a general computational complexity result of CTLmodel update is proved, and a useful tractable subclass of CTL model update problems isidentified. A formal algorithm for the proposed CTL model update approach is describedin Section 6. In Section 7, two update case studies are illustrated to demonstrate appli-cations of our CTL model update approach. Section 8 proposes an improved CTL modelupdate approach which can significantly optimize the update results in complex systemmodification scenarios. Finally, the paper concludes with some future work discussions inSection 9. TL Model Update for System Modifications
2. Preliminaries
In this section, we briefly review the syntax and semantics of Computation Tree Logic andbasic concepts of belief update, which are the foundation for our CTL model update.
To begin with, we briefly review CTL syntax and semantics (refer to Clarke et al., 1999 andHuth & Ryan, 2004 for details).
Definition 1
Let AP be a set of atomic propositions. A Kripke model M over AP is atriple M = ( S, R, L ) where:1. S is a finite set of states;2. R ⊆ S × S is a binary relation representing state transitions;3. L : S → AP is a labeling function that assigns each state with a set of atomicpropositions. An example of a finite Kripke model is represented by the graph in Figure 2, whereeach node represents a state in S , which is attached to a set of propositional atoms beingassigned by the labeling function, and an edge represents a state transition - a relationelement in R describing a system transition from one state to another. S2p, qq, r rS0S1
Figure 2: Transition state graph.Computation Tree Logic (CTL) is a temporal logic allowing us to refer to the future.It is also a branching-time logic, meaning that its model of time is a tree-like structure inwhich the future is not determined but consists of different paths, any one of which mightbe the ‘actual’ path that is eventually realized (Huth & Ryan, 2004).
Definition 2
CTL has the following syntax given in Backus-Naur form: φ ::= ⊤ |⊥| p | ( ¬ φ ) | ( φ ∧ φ ) | ( φ ∨ φ ) | φ → ψ | AX φ | EX φ | AG φ | EG φ | AF φ | EF φ | A[ φ U φ ] | E[ φ U φ ] where p is any propositional atom. hang & Ding A CTL formula is evaluated on a Kripke model. A path in a Kripke model from a stateis a(n) (infinite) sequence of states. Note that for a given path, the same state may occuran infinite number of times in the path (i.e., the path contains a loop). To simplify ourfollowing discussions, we may identify states in a path with different position subscripts,although states occurring in different positions in the path may be the same. In this way,we can say that one state precedes another in a path without much confusion. Now we canpresent useful notions in a formal way. Let M = ( S, R, L ) be a Kripke model and s ∈ S . A path in M starting from s is denoted as π = [ s , s , · · · , s i − , s i , s i +1 , · · · ], where s = s and( s i , s i +1 ) ∈ R holds for all i ≥
0. We write s i ∈ π if s i is a state occurring in the path π .If a path π = [ s , s , · · · , s i , · · · , s j , · · · ] and i < j , we also denote s i < s j . Furthermore fora given path π , we use notion s ≤ s i to denote a state s that is the state s i or s < s i . Forsimplicity, we may use succ ( s ) to denote state s ′ if there is a relation element ( s, s ′ ) in R . Definition 3
Let M = ( S, R, L ) be a Kripke model for CTL. Given any s in S , we definewhether a CTL formula φ holds in M at state s . We denote this by ( M, s ) | = φ . Thesatisfaction relation | = is defined by structural induction on all CTL formulas:1. ( M, s ) | = ⊤ and ( M, s ) = ⊥ for all s ∈ S .2. ( M, s ) | = p iff p ∈ L ( s ) .3. ( M, s ) | = ¬ φ iff ( M, s ) = φ .4. ( M, s ) | = φ ∧ φ iff ( M, s ) | = φ and ( M, s ) | = φ .5. ( M, s ) | = φ ∨ φ iff ( M, s ) | = φ or ( M, s ) | = φ .6. ( M, s ) | = φ → φ iff ( M, s ) | = ¬ φ , or ( M, s ) | = φ .7. ( M, s ) | = AX φ iff for all s such that ( s, s ) ∈ R , ( M, s ) | = φ .8. ( M, s ) | = EX φ iff for some s such that ( s, s ) ∈ R , ( M, s ) | = φ .9. ( M, s ) | = AG φ iff for all paths π = [ s , s , s , · · · ] where s = s and ∀ s i , s i ∈ π , ( M, s i ) | = φ .10. ( M, s ) | = EG φ iff there is a path π = [ s , s , s , · · · ] where s = s and ∀ s i , s i ∈ π , ( M, s i ) | = φ .11. ( M, s ) | = AF φ iff for all paths π = [ s , s , s , · · · ] where s = s and ∃ s i , s i ∈ π , ( M, s i ) | = φ .12. ( M, s ) | = EF φ iff there is a path π = [ s , s , s , · · · ] where s = s and ∃ s i , s i ∈ π , ( M, s i ) | = φ .13. ( M, s ) | = A[ φ U φ ] iff for all paths π = [ s , s , s , · · · ] where s = s , ∃ s i ∈ π , ( M, s i ) | = φ and for each j < i , ( M, s j ) | = φ .14. ( M, s ) | = E[ φ U φ ] iff there is a path π = [ s , s , s , · · · ] where s = s , ∃ s i ∈ π , ( M, s i ) | = φ and for each j < i , ( M, s j ) | = φ . TL Model Update for System Modifications
From the above definition, we can see that the intuitive meaning of A, E, X, and G arequite clear: A means for all paths, E means that there exists a path, X refers to the nextstate and G means for all states globally. Then the semantics of a CTL formula is easy tocapture as follows.In the first six clauses, the truth value of the formula in the state depends on the truthvalue of φ or φ in the same state. For example, the truth value of ¬ φ in a state onlydepends on the truth value of φ in the same state. This contrasts with clauses 7 and 8 forAX and EX. For instance, the truth value of AX φ in a state s is determined not by φ ’struth value in s , but by φ ’s truth values in states s ′ where ( s, s ′ ) ∈ R ; if ( s, s ) ∈ R , thenthis value also depends on the truth value of φ in s .The next four clauses (9 - 12) also exhibit this phenomenon. For example, the truth valueof AG φ involves looking at the truth value of φ not only in the immediately related states,but in indirectly related states as well. In the case of AG φ , we must examine the truth valueof φ in every state related by any number of forward links (paths) to the current state s . Inclauses 13 and 14, symbol U may be explained as “until”: a path π = [ s , s , s , · · · ] satisfies φ U φ if there is a state s i ∈ π such that for all s < s i , ( M, s ) | = φ until ( M, s i ) | = φ .Clauses 9 - 14 above refer to computation paths in models. It is, therefore, useful tovisualize all possible computation paths from a given state s by unwinding the transitionsystem to obtain an infinite computation tree. This greatly facilitates deciding whether astate satisfies a CTL formula. The unwound tree of the graph in Figure 2 is depicted inFigure 3 (note that we assume s is the initial state in this Kripke model). S2p, qq,rp,qq,r r r r rrS0S1S0S1 S2 S2S2 S2
Figure 3: Unwinding the transition state graph as an infinite tree.In Figure 3, if φ = r , then AX r is true; if φ = q , then EX q is true. In the same figure,if φ = r , then AF r is true because some states on all paths will satisfy r some time in thefuture. If φ = q , EF q is true because some states on some paths will satisfy q some timein the future. The clauses for AG and EG can be explained in Figure 4. In this tree, allstates satisfy r . Thus, AG r is true in this Kripke model. There is one path where all statessatisfy φ = q . Thus, EG q is true in this Kripke model. hang & Ding (cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1) (cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:0)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1)(cid:1) φ= p, qq,rp,qq,r r r r rrS0S1S0S1 S2 S2S2 S2S2 , r, rAG EG φφ φ When = r; When q.
Figure 4: AG φ and EG φ in an unwound tree.The following De Morgan rules and equivalences (Huth & Ryan, 2004) will be useful forour CTL model update algorithm implementation: ¬ AF φ ≡ EG ¬ φ ; ¬ EF φ ≡ AG ¬ φ ; ¬ AX φ ≡ EX ¬ φ ;AF φ ≡ A[ ⊤ U φ ];EF φ ≡ E[ ⊤ U φ ];A[ φ U φ ] ≡ ¬ (E[ ¬ φ U( ¬ φ ∧ φ )] ∨ EG ¬ φ ) . In the rest of this paper, without explicit declaration, we will assume that all CTLformulas occurring in our context will be satisfiable. For instance, if we consider updatinga Kripke model to satisfy a CTL formula φ , we already assume that φ is satisfiable.From Definition 3, we can see that for a given CTL Kripke model M = ( S, R, L ), if(
M, s ) | = φ and φ is a propositional formula, then φ ’s truth value solely depends on thelabeling function L ’s assignment on state s . In this case we may simply write L ( s ) | = φ ifthere is no confusion from the context. Belief change has been a primary research topic in the AI community for almost two decadese.g., (Gardenfors, 1988; Winslett, 1990). Basically, it studies the problem of how an agentcan change its beliefs when it wants to bring new beliefs into its belief set. There are twotypes of belief changes, namely belief revision and belief update . Intuitively, belief revisionis used to modify a belief set in order to accept new information about the static world,
TL Model Update for System Modifications while belief update is to bring the belief set up to date when the world is described by itschanges.Katsuno and Mendelzon (1991) have discovered that the original AGM revision postu-lates cannot precisely characterize the feature of belief update. They proposed the followingalternative update postulates, and argued that any propositional belief update operatorsshould satisfy these postulates. In the following (U1) - (U8) postulates, all occurrences of T , µ , α , etc. are propositional formulas.(U1) T ⋄ µ | = µ .(U2) If T | = µ then T ⋄ µ ≡ T .(U3) If both T and µ are satisfiable then T ⋄ µ is also satisfiable.(U4) If T ≡ T and µ ≡ µ then T ⋄ µ ≡ T ⋄ µ .(U5) ( T ⋄ µ ) ∧ α | = T ⋄ ( µ ∧ α ).(U6) If T ⋄ µ | = µ and T ⋄ µ | = µ then T ⋄ µ ≡ T ⋄ µ .(U7) If T is complete (i.e., has a unique model) then( T ⋄ µ ) ∧ ( T ⋄ µ ) | = T ⋄ ( µ ∨ µ ).(U8) ( T ∨ T ) ⋄ µ ≡ ( T ⋄ µ ) ∨ ( T ⋄ µ ).As shown by Katsuno and Mendelzon (1991), postulates (U1) - (U8) precisely capturethe minimal change criterion for update that is defined based on certain partial orderingon models. As a typical model based belief update approach, here we briefly introduceWinslett’s Possible Models Approach (PMA) (Winslett, 1990). We consider a proposi-tional language L . Let I and I be two Herband interpretations of L . The symmetricdifference between I and I is defined as dif f ( I , I ) = ( I − I ) ∪ ( I − I ). Then for agiven interpretation I , we define a partial ordering ≤ I as follows: I ≤ I I if and only if dif f ( I, I ) ⊆ dif f ( I, I ). Let I be a collection of interpretations, we denote M in ( I , ≤ M )to be the set of all minimal models from I with respect to ordering ≤ M , where model M is fixed. Now let φ and µ be two propositional formulas, the update of φ with µ using thePMA, denoted as φ ⋄ pma µ , is defined as follows: M od ( φ ⋄ pma µ ) = S M ∈ Mod ( φ ) M in ( M od ( µ ) , ≤ M ),where M od ( ψ ) denotes the set of all models of formula ψ . It can be proved that the PMAupdate operator ⋄ pma satisfies all postulates (U1) - (U8).Our work of CTL model update has a close connection to the idea of belief update. Aswill be shown in this paper, in our approach, we view a CTL Kripke model as a description ofthe world that we are interested in, i.e., the description of a system of dynamic behaviours,and the update on this Kripke model occurs when the setting of the system of dynamicbehaviours has to change to accommodate some desired properties. Although there isa significant difference between classical propositional belief update and our CTL modelupdate, we will show that Katsuno Mendelzon’s update postulates (U1) - (U8) are alsosuitable to characterize the minimal change principle for our CTL model update.
3. Minimal Change for CTL Model Update
We would like to extend the idea of minimal change in belief update to our CTL modelupdate. In principle, when we need to update a CTL Kripke model to satisfy a CTL formula, hang & Ding we expect the updated model to retain as much information as possible represented in theoriginal model. In other words, we prefer to change the model in a minimal way to achieveour goal. In this section, we will propose formal metrics of minimal change for CTL modelupdate.
Given a CTL Kripke model and a (satisfiable) CTL formula, we consider how this modelcan be updated in order to satisfy the given formula. From the discussion in the previoussection, we try to incorporate a minimal change principle into our update approach. As thefirst step towards this aim, we should have a way to measure the difference between twoCTL Kripke models in relation to a given model. We first illustrate our initial considerationof this aspect through an example.
Example 1
Consider a simple CTL model M = ( { s , s , s } , { ( s , s ), ( s , s ), ( s , s ),( s , s ), ( s , s ), ( s , s ) } , L ), where L ( s ) = { p, q } , L ( s ) = { q, r } and L ( s ) = { r } . M isdescribed as in Figure 5. rs0 s2s1 p,qq,r Figure 5: Model M .Now consider formula AG p . Clearly, ( M, s ) = AG p . One way to update M to satisfyAG p is to update states s and s so that both updated states satisfy p . Therefore,we obtain a new CTL model M ′ = ( { s , s , s } , { ( s , s ) , ( s , s ) , ( s , s ), ( s , s ), ( s , s ),( s , s ) } , L ′ ), where L ′ ( s ) = L ( s ) = { p, q } , L ′ ( s ) = { p, q, r } and L ′ ( s ) = { p, r } . In thisupdate, we can see that the labeling function has been changed to associate different truthassignments with states s and s . Another way to update M to satisfy formula AG p is tosimply remove relation elements ( s , s ) and ( s , s ) from M , this gives ( M ′′ , s ) | = AG p ,where M ′′ = ( { s , s , s } , { ( s , s ) , ( s , s ) , ( s , s ) , ( s , s ) } , L ). This more closely resemblesthe approach of Buccafurri et al. (Buccafurri et al., 1999), where no state changes occur.It is interesting to note that the first of the updated models retains the same “structure”as the original, while it is significantly changed in the second. These two possible resultsare described in Figure 6. ✷
2. Precisely, we update the labeling function L that changes the truth assignments to s and s . TL Model Update for System Modifications s0 s0s1 s2p,qp,q,r p,r p,qq,r rs1 s2
Figure 6: Two possible results of updating M with AG p .The above example shows that in order to update a CTL model to satisfy a formula, wemay apply different kinds of operations to change the model. From all possible operationsapplicable to a CTL model, we consider five basic ones where all changes on a CTL modelcan be achieved. PU1: Adding one relation element
Given M = ( S, R, L ), its updated model M ′ = ( S ′ , R ′ , L ′ ) is obtained from M by addingonly one new relation element. That is, S ′ = S , L ′ = L , and R ′ = R ∪ { ( s i , s j ) } , where( s i , s j ) R for two states s i , s j ∈ S . PU2: Removing one relation element
Given M = ( S, R, L ), its updated model M ′ = ( S ′ , R ′ , L ′ ) is obtained from M by removingonly one existing relation element. That is, S ′ = S , L ′ = L , and R ′ = R − { ( s i , s j ) } , where( s i , s j ) ∈ R for two states s i , s j ∈ S . PU3: Changing labeling function on one state
Given M = ( S, R, L ), its updated model M ′ = ( S ′ , R ′ , L ′ ) is obtained from M by changinglabeling function on a particular state. That is, S ′ = S , R ′ = R , ∀ s ∈ ( S − { s ∗ } ), s ∗ ∈ S , L ′ ( s ) = L ( s ), and L ′ ( s ∗ ) is a set of true variable assigned in state s ∗ where L ′ ( s ∗ ) = L ( s ∗ ). PU4: Adding one state
Given M = ( S, R, L ), its updated model M ′ = ( S ′ , R ′ , L ′ ) is obtained from M by addingonly one new state. That is, S ′ = S ∪ { s ∗ } , s ∗ S , R ′ = R , and ∀ s ∈ S , L ′ ( s ) = L ( s ) and L ′ ( s ∗ ) is a set of true variables assigned in s ∗ . PU5: Removing one isolated state
Given M = ( S, R, L ), its updated model M ′ = ( S ′ , R ′ , L ′ ) is obtained from M by removingonly one isolated state: S ′ = S − { s ∗ } , where s ∗ ∈ S and ∀ s ∈ S such that s = s ∗ , neither( s, s ∗ ) nor ( s ∗ , s ) is not in R , R ′ = R , and ∀ s ∈ S ′ , L ′ ( s ) = L ( s ).We call the above five operations primitive since they express all kinds of changes to aCTL model. Figure 7 illustrates examples of applying some of these operations on a model.In the above five operations, PU1, PU2, PU4 and PU5 represent the most basic oper-ations on a graph. Generally, using these four operations, we can perform any changes toa CTL model. For instance, if we want to substitute a state in a CTL model, we do the hang & Ding following: (1) remove all relation elements associated to this state, (2) remove this isolatedstates, (3) add a state that we want to replace the original one, and (4) add all relevantrelation elements associated to this new state.Although these four operations are sufficient enough to represent all changes on a CTLmodel, they sometimes complicate the measure on the changes of CTL models. Considerthe case of a state substitution. Given a CTL model M , if one CTL model M ′ has exactlythe same graphical structure as M except that M ′ only has one particular state differentfrom M , then we tend to think that M ′ is obtained from M with a single change of statereplacement, instead of from a sequence of operations PU1, PU2, PU4 and PU5.This motivates us to have operation PU3. PU3 has an effect of state substitution, but itis fundamentally different from the combination of PU1, PU2, PU4 and PU5, because PU3does not change the state name and relation elements in the original model, it only assignsa different set of propositional atoms to that state in the original model. In this sense,the combination of PU1, PU2, PU4 and PU5 cannot replace operation PU3. Using PU3to represent state substitution significantly simplifies our measure on the model differenceas will be illustrated in Definition 4. In the rest of the paper, we assume that all statesubstitutions in a CTL model will be achieved through PU3 so that we have a unique wayto measure the differences on CTL model changes in relation to states substitutions.We should also note that having operation PU3 as a way to substitute a state in a CTLmodel, PU5 becomes unnecessary, because we actually do not need to remove an isolatedstate from a model. All we need is to remove relevant relation element(s) in the model,so that this state becomes unreachable from the initial state. Nevertheless, to remain ourdiscussions to be coherent with all primitive operations described above, in the followingdefinition on the CTL minimal change, we still consider the measure on changes caused byapplying PU5 in a CTL model update. S0S3 S1S2M M1 S3 S0S1S2 S0S3’ S1S2M2After PU2 is applied to M. After PU2, PU2, PU5, PU4,PU1 and PU1 are applied to M.
Figure 7: Illustration of primitive updates.
Following traditional belief update principle, in order to make a CTL model to satisfy someproperty, we would expect that the given CTL model is changed as little as possible. Byusing primitive update operations, a CTL Kripke model may be updated in different ways:
TL Model Update for System Modifications adding or removing state transitions, adding new states, and changing the labeling functionfor some state(s) in the model. Therefore, we first need to have a method to measure thechanges of CTL models, from which we can develop a minimal change criterion for CTLmodel update.Given two CTL models M = ( S, R, L ) and M ′ = ( S ′ , R ′ , L ′ ), for each operation P U i ( i = 1 , · · · , Diff
P Ui ( M, M ′ ) denotes the differences between the two models where M ′ is an updated model from M , which makes clear that several operations of type P U i haveoccurred. Since PU1 and PU2 only change relation elements, we define
Diff
P U ( M, M ′ ) = R ′ − R (adding relation elements only) and Diff
P U ( M, M ′ ) = R − R ′ (removing rela-tion elements only). For operation PU3, since only labeling function is changed, the dif-ference measure between M and M ′ for PU3 is defined as Diff
P U ( M, M ′ ) = { s | s ∈ S ∩ S ′ and L ( s ) = L ′ ( s ) } . For operations PU4 and PU5, on the other hand, we define Diff
P U ( M, M ′ ) = S ′ − S (adding states) and Diff
P U ( M, M ′ ) = S − S ′ (removing states).Let M = ( M, s ) and M ′ = ( M ′ , s ′ ), for convenience, we also denote Diff ( M , M ′ ) =( Diff
P U ( M, M ′ ) , Diff
P U ( M, M ′ ) , Diff
P U ( M, M ′ ) , Diff
P U ( M, M ′ ) , Diff
P U ( M, M ′ )).It is worth mentioning that given two CTL Kripke models M and M ′ , there is noambiguity to compute Diff
P Ui ( M, M ′ ) ( i = 1 , · · · , ≤ M on CTL models. Definition 4 ( Closeness ordering ) Let M , M and M be three CTL Kripke models.We say that M is at least as close to M as M , denoted as M ≤ M M , if and only if foreach set of PU1-PU5 operations that transform M to M , there exists a set of PU1-PU5operations that transform M to M such that the following conditions hold:(1) for each i ( i = 1 , · · · , ), Diff P Ui ( M, M ) ⊆ Diff
P Ui ( M, M ) , and(2) if Diff P U ( M, M ) = Diff
P U ( M, M ) , then for each s ∈ Diff
P U ( M, M ) , dif f ( L ( s ) , L ( s )) ⊆ dif f ( L ( s ) , L ( s )) .We denote M < M M if M ≤ M M and M M M . Definition 4 presents a measure on the difference between two models with respect toa given model. Intuitively, we say that model M is closer to M relative to model M , if(1) M is obtained from M by applying all primitive update operations that cause fewerchanges than those applied to obtain model M ; and (2) if the set of states in M affectedby applying PU3 is the same as that in M , then we take a closer look at the differenceon the set of propositional atoms associated with the relevant states. Having the orderingspecified in Definition 4, we can define a CTL model update formally. Definition 5 ( Admissible update ) Given a CTL Kripke model M = ( S, R, L ) , M =( M, s ) where s ∈ S , and a CTL formula φ , a CTL Kripke model U pdate ( M , φ ) is calledan admissible model (or admissible updated model) if the following conditions hold: (1) U pdate ( M , φ ) = ( M ′ , s ′ ) , ( M ′ , s ′ ) | = φ , where M ′ = ( S ′ , R ′ , L ′ ) and s ′ ∈ S ′ ; and, (2) theredoes not exist another updated model M ′′ = ( S ′′ , R ′′ , L ′′ ) and s ′′ ∈ S ′′ such that ( M ′′ , s ′′ ) | = φ and M ′′ < M M ′ . We use Poss ( U pdate ( M , φ )) to denote the set of all possible admissiblemodels of updating M to satisfy φ . hang & Ding Example 2
In Figure 8, model M is updated in two different ways. Model M is the resultof updating M by applying PU1. Model M is another update of M resulting by applyingPU1, PU2 and PU5. Then we have Diff
P U ( M, M ) = { ( s , s ) } , and Diff
P U ( M, M ) = { ( s , s ) , ( s , s ) } , which results in Diff
P U ( M, M ) ⊂ Diff
P U ( M, M ). Also, it is easy tosee that Diff
P U ( M, M ) = ∅ and Diff
P U ( M, M ) = { ( s , s ) , ( s , s ) } , so Diff
P U ( M, M ) ⊂ Diff
P U ( M, M ). Similarly, we can see that Diff
P U ( M, M ) = Diff
P U ( M, M ) = ∅ ,and Diff
P U ( M, M ) = Diff
P U ( M, M ) = ∅ . Finally, we have Diff
P U ( M, M ) = ∅ and Diff
P U ( M, M ) = { s } . According to Definition 4, we have M < M M . ✷ s2M M1 M2s0s3 s1s2 s0s1s3 s2 s0 s1 Figure 8: Illustration of minimal change rules.We should note that in a CTL model update, if we can simply replace the initial stateby another existing state in the model to satisfy the formula, then this model actually hasnot been changed, and it is the unique admissible model according to Definition 5. In thiscase, all other updates will be ruled out by Definition 5. For example, consider the CTLmodel M described in Figure 9: If we want to update ( M, s ) with AX p , we can see that p S0S1S2 Figure 9: A special model update scenario.(
M, s ) becomes the only admissible updated model according to our definition: we simplyreplace the initial state s by s . Nevertheless, we would expect that some other update TL Model Update for System Modifications may also be equally reasonable. For instance, we may change the labeling function of M to make L ′ ( s ) = { p } . In both updates, we have changed something in M , but the changecaused by the first update is not represented in our minimal change definition.We can overcome this difficulty by creating a dummy state ♯ into a CTL Kripke model M ,and for each initial state s in M , we add relation element ( ♯, s ) into M . In this way, a changeof initial state from s to s ′ will imply a removal of relation element ( ♯, s ) and an additionof a new relation element ( ♯, s ′ ). Such changes will be measured by our minimal changedefinition. With this treatment, both updated models described above are admissible. Inthe rest of the paper, without explicit declaration, we will assume that each CTL Kripkemodel contains a dummy state ♯ and special state transitions from ♯ to all initial states.
4. Semantic Properties
In this section, we first explore the relationship between our CTL model update and tra-ditional belief update, and then provide useful semantic characterizations on some typicalCTL model update cases.
First we show the following result about ordering ≤ M defined in Definition 4. Proposition 1 ≤ M is a partial ordering. Proof:
From Definition 4, it is easy to see that ≤ M is reflexive and antisymmetric. Nowwe show that ≤ M is also transitive. Suppose M ≤ M M and M ≤ M M . Accord-ing to Definition 4, we have Dif f
P Ui ( M, M ) ⊆ Dif f
P Ui ( M, M ), and Dif f
P Ui ( M, M ) ⊆ Dif f
P Ui ( M, M ) ( i = 1 , · · · , Dif f
P Ui ( M, M ) ⊆ Dif f
P Ui ( M, M )( i = 1 , · · · , Dif f
P U ( M, M ) = Dif f
P U ( M, M )and Dif f
P U ( M, M ) = Dif f
P U ( M, M ) (note that all other cases will directly imply Dif f
P U ( M, M ) ⊆ Dif f
P U ( M, M ) and Dif f
P U ( M, M ) = Dif f
P U ( M, M )). In thiscase, it is obvious that for all s ∈ Dif f
P U ( M, M ) = Dif f
P U ( M, M ), dif f ( L ( s ) , L ( s )) ⊆ dif f ( L ( s ) , L ( s )). So we have M ≤ M M . ✷ It is also interesting to consider a special case of our CTL model update where the updateformula is a classical propositional formula. The following proposition indicates that whenonly propositional formula is considered in CTL model update, the admissible model canbe obtained through the traditional model based belief update approach (Winslett, 1988).
Proposition 2
Let M = ( S, R, L ) be a CTL model and s ∈ S . Suppose that φ is asatisfiable propositional formula and ( M, s ) = φ , then an admissible model of updating ( M, s ) to satisfy φ is ( M ′ , s ) , where M ′ = ( S, R, L ′ ) , for each s ∈ ( S −{ s } ) , L ′ ( s ) = L ( s ) , L ′ ( s ) | = φ , and there does not exist another M ′′ = ( S, R, L ′′ ) such that L ′′ ( s ) | = φ and dif f ( L ( s ) , L ′′ ( s )) ⊂ dif f ( L ( s ) , L ′ ( s )) . Proof:
Since φ is a propositional formula, the update on ( M, s ) to satisfy φ will not affectany relation elements and all other states except s . Since L ( s ) = φ , it is obvious that hang & Ding by applying PU3, we can change the labeling function L to L ′ that assigns s a new set ofpropositional atoms to satisfy φ . Then from Definition 5, we can see that the model specifiedin the proposition is indeed a minimally changed CTL model with respect to ordering ≤ M . ✷ We can see that the problem addressed by our CTL model update is essentially differentfrom the problem concerned in traditional propositional belief update. Nevertheless, theidea of model based minimal change for CTL model update is closely related to belief update.Therefore, it is worth investigating the relationship between our CTL model update andtraditional propositional belief update postulates (U1) - (U8). In order to make such acomparison possible, we should lift the update operator occurring in postulates (U1) - (U8)beyond the propositional logic case.For this purpose, we first introduce some notions. Given a CTL formula φ and Kripkemodel M = ( S, R, L ), let
Init ( S ) ⊆ S be the set of all initial states in M . ( M, s ) is calleda model of φ iff ( M, s ) | = φ , where s ∈ Init ( S ). We use M od ( φ ) to denote the set of allmodels of φ . Now we specify an update operator ⋄ c to impose on CTL formulas as follows:given two CTL formulas ψ and φ , we define that ψ ⋄ c φ to be a CTL formula whose modelsare defined as: M od ( ψ ⋄ c φ ) = S ( M,s ) ∈ Mod ( ψ ) Poss ( U pdate (( M, s ) , φ )). Theorem 1
Operator ⋄ c satisfies all Katsuno and Mendelzon update postulates (U1) -(U8). Proof:
From Definitions 4 and 5, it is easy to verify that ⋄ c satisfies (U1)-(U4). We provethat ⋄ c satisfies (U5). To prove ( ψ ⋄ c µ ) ∧ α | = ψ ⋄ c ( µ ∧ α ), it is sufficient to prove that for eachmodel ( M, s ) ∈ M od ( ψ ), Poss ( U pdate (( M, s ) , µ )) ∩ M od ( α ) ⊆ Poss ( U pdate (( M, s ) , µ ∧ α )).In particular, we need to show that for any ( M ′ , s ′ ) ∈ Poss ( U pdate (( M, s ) , µ )) ∩ M od ( α ),( M ′ , s ′ ) ∈ Poss ( U pdate (( M, s ) , µ ∧ α )). Suppose ( M ′ , s ′ ) Poss ( U pdate (( M, s ) , µ ∧ α )).Then we have (1) ( M ′ , s ′ ) = µ ∧ α ; or (2) there exists a different admissible model ( M ′′ , s ′′ ) ∈ M od ( µ ∧ α ) such that M ′′ < M M ′ . If it is case (1), then ( M ′ , s ′ ) Poss ( U pdate (( M, s ) , µ )) ∩ M od ( α ). So the result holds. If it is case (2), it also implies that ( M ′′ , s ′′ ) | = µ and M ′′ < M M ′ . That means, ( M ′ , s ′ ) Poss ( U pdate (( M, s ) , µ )). The result still holds.Now we prove that ⋄ c satisfies (U6). To prove this result, it is sufficient to prove that forany ( M, s ) ∈ M od ( ψ ), if Poss ( U pdate (( M, s ) , µ )) ⊆ M od ( µ ) and Poss ( U pdate (( M, s ) , µ )) ⊆ M od ( µ ), then Poss ( U pdate (( M, s ) , µ )) = Poss ( U pdate (( M, s ) , µ )). We first prove Poss ( U pdate (( M, s ) , µ )) ⊆ Poss ( U pdate (( M, s ) , µ )). Let ( M ′ , s ′ ) ∈ Poss ( U pdate (( M, s ), µ )). Then ( M ′ , s ′ ) | = µ . Suppose ( M ′ , s ′ ) Poss ( U pdate (( M, s ) , µ )). Then there exists adifferent admissible model ( M ′′ , s ′′ ) ∈ Poss ( U pdate (( M, s ) , µ )) such that M ′′ < M M ′ . Alsonote that ( M ′′ , s ′′ ) | = µ . This contradicts the fact that ( M ′ , s ′ ) ∈ Poss ( U pdate (( M, s ) , µ )).So we have Poss ( U pdate (( M, s ) , µ )) ⊆ Poss ( U pdate (( M, s ) , µ )). Similarly, we can provethat Poss ( U pdate (( M, s ) , µ )) ⊆ Poss ( U pdate (( M, s ) , µ )).To prove that ⋄ c satisfies (U7), it is sufficient to prove that Poss ( U pdate (( M, s ) , µ )) ∩ Poss ( U pdate (( M, s ) , µ )) ⊆ Poss ( U pdate (( M, s ) , µ ∨ µ )), where ( M, s ) is the unique modelof T (note that T is complete). Let ( M ′ , s ′ ) ∈ Poss ( U pdate (( M, s ) , µ )) ∩ Poss ( U pdate (( M, s ), µ )). Suppose ( M ′ , s ′ ) Poss ( U pdate (( M, s ) , µ ∨ µ )). Then there exists an admissi-ble model ( M ′′ , s ′′ ) ∈ Poss ( U pdate (( M, s ) , µ ∨ µ )) such that M ′′ < M M ′ . Note that TL Model Update for System Modifications ( M ′′ , s ′′ ) | = µ ∨ µ . If ( M ′′ , s ′′ ) | = µ , then it implies that ( M ′ , s ′ ) Poss ( U pdate (( M, s ) , µ )).If ( M ′′ , s ′′ ) | = µ , then it implies ( M ′ , s ′ ) Poss ( U pdate (( M, s ) , µ )). In both cases, wehave ( M ′ , s ′ ) Poss ( U pdate (( M, s ) , µ )) ∩ Poss ( U pdate (( M, s ) , µ )). This proves the re-sult.Finally, we show that ⋄ c satisfies (U8). From Definition 5, we have that M od (( ψ ∨ ψ ) ⋄ c µ ) = S ( M,s ) ∈ Mod ( ψ ∨ ψ ) Poss ( U pdate (( M, s ) , µ )) = S ( M,s ) ∈ Mod ( ψ ) Poss ( U pdate (( M, s ) , µ )) ∪ S ( M,s ) ∈ Mod ( ψ ) Poss ( U pdate (( M, s ) , µ )) = M od ( ψ ⋄ c µ ) ∪ M od ( ψ ⋄ c µ ). This completesour proof. ✷ From Theorem 1, it is evident that Katsuno and Mendelzon’s update postulates (U1) -(U8) characterize a wide range of update formulations beyond the propositional logic case,where model based minimal change principle is employed. In this sense, we can view thatKatsuno and Mendelzon’s update postulates (U1) - (U8) are essential requirements for anymodel based update approaches.
From previous description, we observe that, for a given CTL Kripke model M and formula φ , there may be many admissible models satisfying φ , where some are simpler than others.In this section, we provide various results that present possible solutions to achieve admis-sible updates under certain conditions. In general, in order to achieve admissible updateresults, we may have to combine various primitive operations during an update process.Nevertheless, as will be shown below, a single type primitive operation will be enough toachieve an admissible updated model in many situations. These characterizations also playan essential role in simplifying CTL model update implementation.Firstly, the following proposition simply shows that during a CTL update only reachablestates will be taken into account in the sense that unreachable state will never be removedor newly introduced. Proposition 3
Let M = ( S, R, L ) be a CTL Kripke model, s ∈ S an initial state of M , φ a satisfiable CTL formula and ( M, s ) = φ . Suppose ( M ′ , s ′ ) is an admissible model afterupdating ( M, s ) with φ , where M ′ = ( S ′ , R ′ , L ′ ) . Then the following properties hold:1. if s is a state in M (i.e. s ∈ S ) and is not reachable from s (i.e. there does not exista path π = [ s , · · · ] in M such that s ∈ π ), then s must also be a state in M ′ (i.e. s ∈ S ′ );2. if s ′ is a state in M ′ and is not reachable from s ′ , then s ′ must also be a state in M . Proof:
We only give the proof of result 1 since the proof for result 2 is similar. Suppose s is not in M ′ . That is, s has been removed from M during the generation of ( M ′ , s ′ ). FromDefinitions 4 and 5, we know that the only way to remove s from M is to apply operationPU5 (and possibly other associated operations such as PU2 - removing transition relations,if s is connected to other states).Now we construct a new CTL Kripke model M ′′ in such a way that M ′′ is exactly thesame as M ′ except that s is also in M ′′ . That is, M ′′ = ( S ′′ , R ′′ , L ′′ ), where S ′′ = S ′ ∪ { s } , R ′′ = R ′ , for all s ∗ ∈ S ′ , L ′′ ( s ∗ ) = L ′ ( s ∗ ), and L ′′ ( s ) = L ( s ). Note that in M ′′ , state s is hang & Ding an isolated state, not connecting to any other states. Since s is in M , from Definition 4 wecan see that M ′′ < M M ′ . Now we will show that ( M ′′ , s ′ ) | = φ . We prove this by showinga bit more general result:Result: For any satisfiable CTL formula φ and any state s ∗ ∈ S ′ , ( M ′′ , s ∗ ) | = φ iff ( M ′ , s ∗ ) | = φ .This can be showed by induction on the structure of φ . (a) Suppose φ is a propositionalformula. In this case, ( M ′′ , s ∗ ) | = φ iff L ′′ ( s ∗ ) | = φ . Since L ′′ ( s ∗ ) = L ′ ( s ∗ ), and ( M ′ , s ∗ ) | = φ iff L ′ ( s ∗ ) | = φ , we have ( M ′′ , s ∗ ) | = φ iff ( M ′′ , s ∗ ) | = φ . (b) Assume that the result holds forformula φ . (c) We consider variours cases for formulas constructed from φ . (c.1) Suppose φ is of the form AG φ . ( M ′ , s ∗ ) | = AG φ iff for every path from s ∗ π ′ = [ s ∗ , · · · , ], and forevery state s ′ ∈ π ′ , ( M ′ , s ′ ) | = φ . From the construction of M ′′ , it is obvious that everypath from s ∗ in M ′ must be also a path in M ′′ , and vice versa. Also from the inductionassumption, we have ( M ′ , s ′ ) | = φ iff ( M ′′ , s ′ ) | = φ . This follows that ( M ′ , s ∗ ) | = AG φ iff( M ′′ , s ∗ ) | = AG φ . Proofs for other cases such as AF φ , EG φ , etc. are similar.Thus, we can find another model M ′′ such that ( M ′′ , s ′ ) | = φ and M ′′ < M M ′ . Thiscontradicts to the fact that ( M ′ , s ′ ) is an admissible model from the update of ( M, s ) by φ . ✷ Theorem 2
Let M = ( S, R, L ) be a Kripke model and M = ( M, s ) = EX φ , where s ∈ S and φ is a propositional formula. Let M ′ = Update ( M , EX φ ) be the model obtained fromthe update of M with EX φ through the following 1 or 2, then M ′ is an admissible model.1. PU3 is applied to one succ ( s ) to make L ′ ( succ ( s )) | = φ anddiff ( L ( succ ( s )) , L ′ ( succ ( s ))) minimal, or, PU4 and PU1 are applied once succes-sively to add a new state s ∗ such that L ′ ( s ∗ ) | = φ and a new relation element ( s , s ∗ ) ;2. if there exists some s i ∈ S such that L ( s i ) | = φ and s i = succ ( s ) , PU1 is appliedonce to add a new relation element ( s , s i ) . Proof:
Consider case 1 first. After PU3 is applied to change the assignment on succ ( s ),or PU4 and PU1 are applied to add a new state s ∗ and a relation element ( s , s ∗ ), the newmodel M ′ contains a succ ( s ) such that L ′ ( succ ( s )) | = φ . Thus, M ′ = ( M ′ , s ) | = EX φ . IfPU3 is applied once, then Diff ( M , M ′ ) = ( ∅ , ∅ , { succ ( s ) } , ∅ , ∅ ); if PU4 and PU1 are ap-plied once successively, Diff ( M , M ′ ) = ( { ( s , s ∗ ) } , ∅ , ∅ , { , s ∗ } , ∅ ). Thus, updates by a singleapplication of PU3 or applications of PU4 and PU1 once successively are not compatiblewith each other. For PU3, if any other update is applied in combination, Diff ( M , M ′′ ) willeither be not compatible with Diff ( M , M ′ ) or contain Diff ( M , M ′ ) (e.g., another PU3together with its predecessor). A similar situation occurs with the applications of PU4and PU1. Thus, applying either PU3 once or PU4 and PU1 once successively representsa minimal change. For case 2, after PU1 is applied to connect s and L ( s i ) | = φ , the newmodel M ′ has a successor which satisfies φ . Thus, M ′ = ( M ′ , s ) | = EX φ . If PU1 is applied, Diff ( M , M ′ ) = ( { ( s , s i ) } , ∅ , ∅ , ∅ , ∅ ). Note that this case remains a minimal change of therelation element on the original model M and is not compatible with case 1. Hence, case 2 TL Model Update for System Modifications also represents a minimal change. ✷ Theorem 2 provides two cases where admissible CTL model update results can beachieved for formula EX φ . It is important to note that here we restrict φ to be a proposi-tional formula. The first case says that we can either select one of the successor states of s and change its assignment minimally to satisfy φ (i.e., apply PU3 once), or simply adda new state and a new relation element that satisfies φ as a successor of s (i.e., apply PU4and PU1 once successively). The second case indicates that if some state s i in S alreadysatisfies φ , then it is enough to simply add a new relation element ( s , s i ) to make it asuccessor of s . Clearly, both cases will yield new CTL models that satisfy EX φ . Theorem 3
Let M = ( S, R, L ) be a Kripke model and M = ( M, s ) = AG φ , where s ∈ S , φ is a propositional formula and s | = φ . Let M ′ = Update ( M , AG φ ) be a model obtainedfrom the update of M with AG φ through the following way, then M ′ is an admissible model.For each path starting from s : π = [ s , · · · , s i , · · · ] :1. if for all s < s i in π , L ( s ) | = φ but L ( s i ) = φ , PU2 is applied to remove relationelement ( s i − , s i ) ; or2. PU3 is applied to all states s in π not satisfying φ to change their assignments suchthat L ′ ( s ) | = φ and diff ( L ( s ) , L ′ ( s )) is minimal. Proof:
Case 1 is simply to cut path π from the first state s i that does not satisfy φ . Clearly,there is only one minimal way to cut π : remove relation element ( s i − , s ) (i.e., apply PU2once). Case 2 is to minimally change the assignments for all states belonging to π that donot satisfy φ . Since the changes imposed by case 1 and case 2 are not compatible with eachother, both will generate admissible update results. ✷ In Theorem 3, case 1 considers a special form of the path π where the first i statesstarting from s already satisfy formula φ . Under this condition, we can simply cut off thepath to disconnect all other states not satisfying φ . Case 2 is straightforward: we minimallymodify the assignments of all states belonging to π that do not satisfy formula φ . Theorem 4
Let M = ( S, R, L ) be a Kripke model, M = ( M, s ) = EG φ , where s ∈ S and φ is a propositional formula. Let M ′ = Update ( M , EG φ ) be a model obtained from theupdate of M with EG φ through the following way, then M ′ is an admissible model: Selecta path π = [ s , s , · · · , s i , · · · , s j , · · · ] from M which contains minimal number of differentstates not satisfying φ , and then1. if for all s ′ ∈ π such that L ( s ′ ) = φ , there exist s i , s j ∈ π satisfying s i < s ′ < s j and ∀ s ≤ s i or ∀ s ≥ s j , L ( s ) | = φ , then PU1 is applied to add a relation element ( s i , s j ) ,or PU4 and PU1 are applied to add a state s ∗ such that L ′ ( s ∗ ) | = φ and new relationelements ( s i , s ∗ ) and ( s ∗ , s j ) ;2. if ∃ s i ∈ π such that ∀ s ≤ s i , L ( s ) | = φ , and ∃ s k ∈ π ′′ , where π ′′ = [ s , · · · , s k , · · · ] suchthat ∀ s ≥ s k and L ( s ) | = φ , then PU1 is applied to connect s i and s k ;
3. Note that although a path may be infinite, it will only contain finite number of different states. hang & Ding
3. if ∃ s i ∈ π ( i > ) such that for all s ′ < s i , L ( s ′ ) | = φ , L ( s i ) = φ , then,a. PU1 is applied to connect s i − and s ′ to form a new transition ( s i − , s ′ ) ;b. if s i is the only successor of s i − , then PU2 is applied to remove relation element ( s i − , s i ) ;4. if ∃ s ′ ∈ π , such that L ( s ′ ) = φ , then PU3 is applied to change the assignments forall states s ′ such that L ′ ( s ′ ) | = φ and diff ( L ( s ) , L ′ ( s ′ )) is minimal. Proof:
In case 1, without loss of generality, we assume for the selected path π , thereexist states s ′ that do not satisfy φ , and all other states in π satisfy φ . We also assumethat such s ′ are in the middle of path π . Therefore, there are two other states s i , s j in π such that s i < s ′ < s j . That is, π = [ s , · · · , s i − , s i , · · · , s ′ , · · · , s j , s j +1 , · · · ]. We firstconsider applying PU1. It is clear that by applying PU1 to add a new relation element( s i , s j ), a new path is formed: π ′ = [ s , · · · , s i − , s i , s j , s j +1 , · · · ]. Note that each statein π ′ is also in path π and s ′ π ′ . Accordingly, we know that EG φ holds in the newmodel M ′ = ( S, R ∪ { ( s i , s j ) } , L ) at state s . Consider M = ( M, s ) and M ′ = ( M ′ , s ′ ).Clearly, Diff ( M , M ′ ) = ( { ( s i , s j ) } , ∅ , ∅ , ∅ , ∅ ), which implies that ( M ′ , s ) must be a mini-mally changed model with respect to ≤ M that satisfies EG φ .Now we consider applying PU4 and PU1. In this case, we will have a new model M ′ = ( S ∪ { s ∗ } , R ∪ { ( s i , s ∗ ) , ( s ∗ , s j ) } , L ′ ) where L ′ is an extension of L on new state s ∗ that satisfies φ . We can see that π ′ = [ s , · · · , s i , s ∗ , s j , · · · ] is a path in M ′ which sharesall states with path π except the state s ∗ in π ′ and those states between s i +1 and s j − including s ′ in π . So we also have ( M ′ , s ) | = EG φ . Furthermore, we have Diff ( M , M ′ ) =( { ( s i , s ∗ ) , ( s ∗ , s j ) } , ∅ , ∅ , { s ∗ } , ∅ ). Obviously, ( M ′ , s ) is a minimally changed model withrespect to ≤ M that satisfies EG φ .It is worth mentioning that in case 1, the model obtained by only applying PU1 is notcomparable to the model obtained by applying PU4 and PU1, because no set inclusionrelation holds for the changes on relation elements caused by these two different ways.In case 2, consider two different paths π = [ s , · · · , s i , · · · ] and π ′ = [ s , · · · , s k , · · · ] suchthat all states before state s i in path π satisfy φ , and all states after state s k in path π ′ satisfy φ , then PU1 is applied to form a new transition ( s i , s k ). This transition thereforeconnects all states from s to s i in path π and all states after s k in path π ′ . Hence all statesin the new path [ s , · · · , s i , s k · · · ] satisfy φ . Thus, M ′ | = EG φ . Such change is also minimal,because after PU1 is applied, Diff ( M , M ′ ) = ( { ( s i , s k ) } , ∅ , ∅ , ∅ , ∅ ) is minimum and ( M ′ , s )is a minimally changed model with respect to ≤ M that satisfies EG φ .In case 3, there are two situations. (a) If PU1 is applied to form a new transi-tion ( s i − , s ′ ), then a new path containing [ s , · · · , s ′ , · · · , s i − , s ′ , · · · , s i − , s ′ , · · · ] consistsof Strongly Connected Components where all states satisfy φ , and Diff ( M , M ′ ) = ( { ( s i − , s ′ ) } , ∅ , ∅ , ∅ , ∅ ) is minimum. Thus, ( M ′ , s ) is a minimally changedmodel with respect to ≤ M that satisfies EG φ .(b) If PU2 is applied, then, a new path π ′ containing [ s , · · · , s ′ , · · · , s i − ] is derivedwhere all states satisfy φ and Dif f ( M, M ′ ) = ( ∅ , { ( s i − , s i ) } , ∅ , ∅ , ∅ ) is minimal. Obviously,( M ′ , s ) is a minimally changed model with respect to ≤ M that satisfies EG φ .In case 4, suppose that there are n states on the selected path π that do not satisfy φ .After PU3 is applied to all these states, Diff ( M , M ′ ) = ( ∅ , ∅ , { s ′ , s ′ , · · · , s ′ n } , ∅ , ∅ ), wherefor each s ′ ∈ { s ′ , · · · , s ′ n } , dif f ( L ( s ′ ) , L ′ ( s ′ )) is minimal. Diff ( M , M ′ ) in this case is not TL Model Update for System Modifications compatible with those in cases 1, 2 and 3. Thus, ( M ′ , s ) is a minimally changed modelwith respect to ≤ M that satisfies EG φ . ✷ Theorem 4 characterizes four typical situations for the update with formula EG φ where φ is a propositional formula. Basically, this theorem says that in order to make formulaEG φ true, we first select a path, then we can either make a new path based on this path sothat all states in the new path satisfy φ (i.e., case 1, case 2 and case 3(a)), or trim the pathfrom the state where all previous states satisfy φ (i.e., case 3(b)), if the previous state hasonly this state as its successor; or simply change the assignments for all states not satisfying φ in the path (i.e., case 4). Our proof shows that models obtained from these operationsare admissible.It is possible to provide further semantic characterizations for updates with other specialCTL formulas such as EF φ , AX φ , and E[ φ U ψ ]. In fact, in our prototype implementation,such characterizations have been used to simplify the update process whenever certainconditions hold.We should also indicate that all characterization theorems presented in this section onlyprovide sufficient conditions to compute admissible models. There are other admissiblemodels which will not be captured by these theorems.
5. Computational Properties
In this section, we study computational properties for our CTL model update approach insome detail. We will first present a general complexity result, and then we identify a usefulsubclass of CTL model updates which can always be achieved in polynomial time.
Given two CTL Kripke models M = ( S, R, L ) and M ′ = ( S ′ , R ′ , L ′ ) , where s ∈ S and s ′ ∈ S ′ , and a CTL formula φ , it is co-NP-complete to decide whether ( M ′ , s ′ ) is an admissible model of the update of ( M, s ) to satisfy φ . The hardness holds even if φ is of the form EX ψ where ψ is a propositional formula. Proof:
Membership proof: Firstly, we know from Clarke et al. (1999) that checkingwhether ( M ′ , s ′ ) satisfies φ or not can be performed in time O ( | φ | · ( | S | + | R | )). In orderto check whether ( M ′ , s ′ ) is an admissible update result, we need to check whether M ′ isa minimally updated model with respect to ordering ≤ M . For this purpose, we considerthe complement of the problem by checking whether M ′ is not a minimally updated model.Therefore, we do two things: (1) guess another updated model of M : M ′′ = ( S ′′ , R ′′ , L ′′ )satisfying φ for some s ′′ ∈ S ′′ ; and, (2) test whether M ′′ < M M ′ . Step (1) can be donein polynomial time. To check M ′′ < M M ′ , we first compute dif f ( S, S ′ ), dif f ( S, S ′′ ), dif f ( R, R ′ ) and dif f ( R, R ′′ ). All these can be computed in polynomial time. Then, ac-cording to these sets, we identify Dif f
P Ui ( M, M ′ ) and Dif f
P Ui ( M, M ′′ ) ( i = 1 , · · · ,
5) interms of PU1 to PU5. Again, these steps can also be completed in polynomial time. Finally,by checking
Dif f
P Ui ( M, M ′′ ) ⊆ Dif f
P Ui ( M, M ′ ) ( i = 1 , · · · , dif f ( L ( s ) , L ′ ( s )) ⊆ dif f ( L ( s ) , L ′′ ( s )) for all s ∈ Dif f
P U ( M, M ′′ ) (if Dif f
P U ( M, M ′′ ) = Dif f
P U ( M, M ′ )), hang & Ding we can decide whether M ′′ < M M ′ . Thus, both steps (1) and (2) can be achieved inpolynomial time with a non-deterministic Turing machine.Hardness proof: It is well known that the validity problem for a propositional formulais co-NP-complete. Given a propositional formula φ , we construct a transformation fromthe problem of deciding φ ’s validity to a CTL model update in polynomial time. Let X bethe set of all variables occurring in φ , and a, b two new variables do not occur in X . Wedenote ¬ X = V x i ∈ X ¬ x i . Then, we specify a CTL Kripke model based on the variable set X ∪ { a, b } : M = ( { s , s } , { ( s , s ) , ( s , s ) } , L ), where L ( s ) = ∅ (i.e., all variables are as-signed false), L ( s ) = X (i.e., variables in X are assigned true, while a, b are assigned false).Now we define a new formula µ = EX((( φ ⊃ a ) ∧ ( ¬ X ∧ b )) ∨ ( ¬ φ ∧ a )). Clearly, formula (( φ ⊃ a ) ∧ ( ¬ X ∧ b )) ∨ ( ¬ φ ∧ a ) is satisfiable and s = (( φ ⊃ a ) ∧ ( ¬ X ∧ b )) ∨ ( ¬ φ ∧ a ). So ( M, s ) = µ .Consider the update U pdate (( M, s ) , µ ). We define M ′ = ( { s , s } , { ( s , s ) , ( s , s ) } , L ′ ),where L ′ ( s ) = L ( s ) and L ′ ( s ) = { a, b } . Next, we will show that φ is valid iff ( M ′ , s ) isan admissible update result from U pdate (( M, s ) , µ ).Case 1: We show that if φ is valid, then ( M ′ , s ) is an admissible update result from U pdate (( M, s ) , µ ). Since φ is valid, we have ¬ X | = φ . Thus, L ′ ( s ) | = ( φ ⊃ a ) ∧ ( ¬ X ⊃ b )).This leads to ( M ′ , s ) | = µ . Also note that M ′ is obtained by applying PU3 to change L ( s )to L ′ ( s ). dif f ( L ( s ) , L ′ ( s )) = X ∪ { a, b } , which presents a minimal change from L ( s ) inorder to satisfy ( φ ⊃ a ) ∧ ( ¬ X ∧ b ).Case 2: Suppose that φ is not valid. Then, X ⊆ X exists such that X | = ¬ φ . We con-struct M ′′ = ( { s , s } , { ( s , s ) , ( s , s ) } , L ′′ ), where L ′′ ( s ) = L ( s ) and L ′′ ( s ) = X ∪ { a } .It can be seen that L ′′ ( s ) | = ( ¬ φ ∧ a ), hence ( M ′′ , s ) | = µ . Now we show that ( M ′ , s ) | = µ implies M ′′ < M M ′ . Suppose ( M ′ , s ) | = µ . Clearly, both M ′ and M ′′ are each ob-tained from M by applying PU3 once to change the assignment on s . However, we have dif f ( L ( s ) , L ′′ ( s )) = ( X − X ) ∪ { a } ⊂ X ∪ { a, b } = dif f ( L ( s ) , L ′ ( s )). Thus, we concludethat ( M ′ , s ) is not an admissible updated model. ✷ Theorem 5 implies that it is probably not feasible to develop a polynomial time algorithmto implement our CTL model update. Indeed, our algorithm described in the next section,generally runs in exponential time.
In the light of the complexity result of Theorem 5, we expect to identify some useful casesof CTL model updates which can be performed efficiently. First, we have the followingobservation.
Observation : Let M = ( S, R, L ) be a CTL Kripke model, φ a CTL formula and ( M, s ) = φ where s ∈ S . If an admissible model U pdate (( M, s ) , φ ) is obtained by only applyingoperations PU1 and PU2 to M , then this result can be computed in polynomial time.Intuitively, if an admissible updated model can be obtained by only using PU1 and PU2,then it implies that we only need to at most visit all states and relation elements in M , andeach operation involving PU1 or PU2 can be completed by just adding or removing relationelements, which obviously can be done in linear time. TL Model Update for System Modifications
This observation tells us that under certain conditions, operations PU1 and PU2 may beefficiently applied to compute an admissible model. This is quite obvious because both PU3and PU4 are involved in finding models for some propositional formulas, while applyingPU3 usually needs to further find the minimal change on the assignment on the state,both of these operations may cost exponential time in the size of input updating formula φ . However, the above observation does not tell us what kinds of CTL model updates canreally be achieved in polynomial time. In the following, we will provide a sufficient conditionfor a class of CTL model updates which can always be solved in polynomial time.We first specify a subclass of CTL formulas AEClass : (1) formulas AX φ , AG φ , AF φ ,A[ φ U φ ], EX φ , EG φ , EF φ and E[ φ U φ ] are in AEClass , where φ , φ and φ are propo-sitional formulas; (2) if ψ and ψ are in AEClass , then ψ ∧ ψ and ψ ∨ ψ are in AEClass ; (3) no formulas other than those specified in (1) and (2) are in
AEClass . Wealso call formulas of the forms specified in (1) are atomic
AEClass formulas.Note that
AEClass is a class of CTL formulas without nested temporal operators.Although this is somewhat restricted, as we will show next, updates with this kind of CTLformulas may be much simpler than other cases. Now we define valid states and paths for
AEClass formulas with respect to a given model.
Definition 6 ( Valid state and path for AEClass ) Let M = ( S, R, L ) be a CTL Kripkemodel, ψ ∈ AEClass , and ( M, s ) = ψ , where s ∈ S . We define ψ ’s valid state or validpath in ( M, s ) as follows.1. If ψ is of the form AX φ , then state s ∈ S is a valid state of ψ in ( M, s ) if ( s , s ) ∈ R and L ( s ) | = φ ;2. If ψ is of the form (a) AG φ , (b) AF φ or (c) A[ φ U φ ] , then a path π = [ s , · · · ] isa valid path of ψ in ( M, s ) if ∀ s ∈ π , L ( s ) | = φ (case (a)); ∃ s ∈ π and s > s , L ( s ) | = φ (case (b)); or ∃ s ∈ π , s | = φ and ∀ s ′ < s L ( s ′ ) | = φ (case (c)) respectively;3. If ψ is of the form EX φ , then state s ∈ S is a valid state of ψ in ( M, s ) if L ( s ) | = φ ;4. If ψ is of the form (a) EG φ , (b) EF φ or (c) E[ φ U φ ] , then a path π = [ s ′ , · · · ] ( s ′ = s ) is a valid path of ψ in ( M, s ) if ∀ s ∈ π , L ( s ) | = φ and L ( s ) | = φ (case(a)); ∃ s ∈ π and s > s ′ , L ( s ) | = φ (case (b)); or L ( s ) | = φ and ∃ s ∈ π , L ( s ) | = φ and ∀ s ′ < s L ( s ′ ) | = φ (case (c)) respectively.For an arbitrary ψ ∈ AEClass , we say that ψ has a valid witness in ( M, s ) if every atomic AEClass formula occurring in ψ has a valid state or path in ( M, s ) . Intuitively, for formulas AX φ , AG φ , AF φ and A[ φ U φ ], a valid state or path in aCTL model represents a local structure that partially satisfies the underlying formula. Forformulas EX φ , EG φ , EF φ and E[ φ U φ ], on the other hand, a valid state or path alsorepresents a local structure which will satisfy the underlying formula if a relation elementis added to connect this local structure and the initial state. Example 3
Consider the CTL Kripke model M in Figure 10 and formula EX( p ∧ q ).Clearly, ( M, s ) = EX( p ∧ q ). Since p, q ∈ L ( s ), s is a valid state of EX( p ∧ q ). Then hang & Ding S0 S1S2 S3S4p qr r,p p,q
Figure 10: A simple CTL model update.we can simply add one relation element ( s , s ) into M to form a new model M ′ so that( M ′ , s ) | = EX( p ∧ q ). Obviously, ( M ′ , s ) is an admissible updated model. ✷ From the above example, we observe that if we update a CTL model with an
AEClass formula and this formula has a valid witness in the model, then it is possible to compute anadmissible model by only adding or removing relation elements (i.e. operations PU1 andPU2). The following results confirm that a CTL model update with an
AEClass formulamay be achieved in polynomial time if the formula has a valid witness in the model.
Theorem 6
Let M = ( S, R, L ) be a CTL Kripke model, ψ ∈ AEClass , and ( M, s ) = ψ . Deciding whether ψ has a valid witness in ( M, s ) can be solved in polynomial time.Furthermore, if ψ has a valid witness in ( M, s ) , then all valid states and paths of atomic AEClass formulas occurring in ψ can be computed from ( M, s ) in time O ( | ψ |· ( | S | + | R | ) ) . Proof:
To prove this theorem, we show that by using CTL model checking algorithm SAT(Huth & Ryan, 2004), which takes a CTL Kripke model and an
AEClass formula as inputs,we can generate all valid states and paths of atomic
AEClass formulas occurring in ψ (ifany). We know that the complexity of algorithm SAT is O ( | ψ | · ( | S | + | R | )). We considereach case of atomic AEClass formulas. ψ is AX φ . We use SAT to check whether ( M, s ) | = EX φ . If ( M, s ) = EX φ , thenAE φ does not have a valid state in ( M, s ). Otherwise, SAT will return a state s such that L ( s ) | = φ and ( s , s ) ∈ R . Then remove relation element ( s , s ) from M , and continuechecking formula EX φ in the model. By the end of this process, we obtain all valid statesin ( M, s ) for formula AX φ . Altogether, there are at most | S | SAT calls. ψ is AG φ . We use SAT to check whether ( M, s ) | = EG φ . If ( M, s ) | = EG φ , then wecan obtain a path in M from SAT π = [ s , s , · · · ] such that ∀ s ∈ π , L ( s ) | = φ . Clearly,such π is a valid path of AG φ . Now if there does not exist a state s ∗ such that s ∗ π and ( s, s ∗ ) ∈ R for some s ∈ π , i.e. state s connects to state s ∗ leading to a different path, TL Model Update for System Modifications then the process stops, and π is the only valid path for AG φ . Otherwise, Then we removeone relation element ( s, s ′ ) from π (i.e. s, s ′ ∈ π ) such that for all states s ′′ ∈ π where s ′ < s ′′ , there is no relation element ( s ′′ , s ∗ ) leading to a different path (i.e. s ∗ π ). Inthis way, we actually disable path π to satisfy formula EG φ without affecting other paths.Then we continue checking formula EG φ in the newly obtained model. By the end of thisprocess, we will obtain all paths that make EG φ true, and these paths are all valid pathsfor AG φ . Since for each generated valid path, we need to remove one relation element fromthis path before we generate the next valid path, there are at most | R | such valid pathsto be generated. So all together, there are at most | R | SAT calls to find all valid paths ofAG φ .In the cases of AF φ and A[ φ U φ ], all valid paths for these formulas can be generatedin a similar way as described above for formula AG φ . The only different point is that forthe case of A[ φ U φ ], once a valid path π has been generated, we need to find the last state s ∈ π before φ becomes true, such that s connects to a state s ∗ π leading to a differentpath, then we disable π by removing relation element ( s, succ ( s )) from π . Then we continuethe procedure to generate the next valid path for A[ φ U φ ]. If no such s exists in π , thenthe process stops. ψ is EX φ . In this case, each valid state s can be found by checking whether L ( s ) | = φ .At most we need to visit | S | states for this checking. ψ is EG φ . Similarly, we can find a valid path by selecting a state s ∈ S ( s = s ), suchthat ( M, s ) | = EG φ . At most, we need to visit | S | states, and have | S | SAT calls to check(
M, s ) | = EG φ .Finally, valid paths for EF φ and E[ φ ∪ φ ] can be found in a similar way. ✷ Theorem 7
Let M = ( S, R, L ) be a CTL Kripke model, ψ ∈ AEClass , and ( M, s ) = ψ .An admissible model U pdate (( M, s ) , ψ ) can be computed in polynomial time if ψ has a validwitness in ( M, s ) . Proof:
From the proof of Theorem 6, we can obtain all valid states and paths for all atomic
AEClass formulas in ψ in time O ( | ψ | · ( | S | + | R | ) ). Now we consider each case of atomic AEClass formulas ψ , while the cases of conjunctive and disjunctive AEClass formulas areeasy to justify. ψ is AX φ . Let S ∗ = { s , · · · , s k } be all valid states for AX φ . Then we remove all relationelements ( s , s ) where s S ∗ . In this way, we obtain a new model M ′ = ( S, R ′ , L ), where R ′ = R − { ( s , s ) | s S ∗ } . Obviously, we have ( M ′ , s ) | = AX φ . It is also easy to see thatthe change between M and M ′ is minimal in order to satisfy AX φ . So ( M ′ , s ) is also anadmissible model. ψ is AG φ . Let S ∗ be the set of all states that are in some valid paths of AG φ . For eachstate s ′ ∈ S such that L ( s ′ ) = φ , we check whether s ′ is reachable from s . If it is reachable,then we remove a relation element ( s , s ) from M so that s ′ becomes unreachable from s and ( s , s ) is not a relation element in a valid path of AG φ . Clearly, model ( M ′ , s )will then satisfy AG φ . Also, checking whether a state is reachable from s can be done inpolynomial time by computing a spanning tree of M rooted at s (Pettie & Ramachandran,2002). hang & Ding ψ is AF φ . In this case, we need to cut all those paths starting from s that are notvalid paths for AF φ in ( M, s ). For doing this, it is sufficient to disconnect all states thatare reachable from s but not occur in any of AF φ ’s valid paths in ( M, s ). Let S ∗ be theset of all these states, and R ∗ be the set of all relation elements that are directly connectedto these states, i.e. ( s , s ) ∈ R ∗ iff s ∈ S ∗ or s ∈ S ∗ . Then we remove a minimal subsetof R ∗ from M such that removing them will disconnect all states in S ∗ from s . The set S ∗ can be identified in polynomial time by computing a spanning tree of M rooted at s ,and the minimal subset of R ∗ that disconnects all states S ∗ from s can be found in time O ( | R ∗ | ). So the entire process can be completed in polynomial time.The case of A[ φ U φ ] can be handled in a similar way as described above for AF φ .Now we consider that ψ is EX φ . In this case, we only need to select one valid state s forEX φ , and add relation element ( s , s ) into M . Then the model ( M ′ , s ) satisfies EX φ . Forthe case of EG φ , we also select a valid path π = [ s, · · · ] for EG φ , and then add a relationelement ( s , s ), so we have ( M ′ , s ) | = EG φ . The other two cases of EF φ and E[ φ U φ ] canbe handled in a similar way. ✷ We should emphasize that although the above results characterize a useful subclass ofCTL model update scenarios in which some admissible updated models can be computedthrough simple operations of adding or removing relation elements, it does not mean thatall such admissible models represent intuitive modifications from a practical viewpoint.Sometimes, for the same update problem, using other operations such as PU3 and PU4 areprobably more preferred in order to generate a sensible system modification. This will beillustrated in Section 7.
6. CTL Model Update Algorithm
We have implemented a prototype for the CTL model update. In this implementation, theCTL model update algorithm is designed in line with the CTL model checking algorithmused in SAT (Huth & Ryan, 2004), where an updated formula is parsed according to itsstructure and recursive calls to appropriate functions are used. This recursive call usageallows the checked property φ to range from nested modalities to atomic propositionalformulas. In this section, we will focus our discussions on the key ideas of handling CTLmodel update and provide high level pseudo code for major functions in the algorithm. Since the satisfaction of a propositional formula does not involve any relation elementsin a CTL Kripke model, we implement the update with a propositional formula directlythrough operation PU3 with a minimal change on the labeling function of the truth assign-ment on the relevant state. This procedure is outlined as follows. ∗ function Update prop (( M, s ) , φ ) ∗ input: ( M, s ) and φ , where M = ( S, R, L ) and s ∈ S ;output: ( M ′ , s ′ ), where M ′ = ( S ′ , R ′ , L ′ ), s ′ ∈ S ′ and L ′ ( s ′ ) | = φ ; TL Model Update for System Modifications begin apply PU3 to change labeling function L on state s to form a new model M ′ =( S ′ , R ′ , L ′ ): S ′ = S ; R ′ = R ; ∀ s ∈ S that s = s , L ′ ( s ) = L ( s ); L ′ ( s ) is defined such that L ′ ( s ) | = φ , and dif f ( L ′ ( s ) , L ( s )) is minimal; return ( M ′ , s ); end It is easy to observe that this procedure is implemented as the PMA belief update(Winslett, 1988). It is used in the lowest level in our CTL model update prototype.
Handling modal formulas AF φ , EX φ and E [ φ ∪ φ ]From the De Morgan rules and equivalences displayed in Section 2.1, we know that allCTL formulas with modal operators can be expressed in terms of these three typical CTLmodal formulas. Hence it is sufficient to only give the update functions for these three typesof formulas without considering other types of CTL modal formulas. ∗ function UpdateAF(( M, s ) , AF φ ) ∗ input: ( M, s ) and AF φ , where M = ( S, R, L ), s ∈ S , and ( M, s ) = AF φ ;output: ( M ′ , s ′ ), where M ′ = ( S ′ , R ′ , L ′ ), s ′ ∈ S ′ and ( M ′ , s ′ ) | = AF φ ; begin if for all s ∈ S , ( M, s ) = φ , then select a state s ∈ S that is reachable from s , ( M ′ , s ∗ ) = CTLUpdate(( M, s ) , φ ) ; else select a path π starting from s where for all s ∈ π , ( M, s ) = φ , do (a) or (b): (a) select a state s ∈ π , ( M ′ , s ′ ) = CTLUpdate(( M, s ) , φ ); (b) apply PU2 to disable path π and form a new model: remove a relation element from π that does not affect other paths; form a new model M ′ = ( S ′ , R ′ , L ′ ): S ′ = S , R ′ = R − { ( s i , s i +1 ) } (note ( s i , s i +1 ) ⊆ π ), and ∀ s ∈ S ′ , L ′ ( s ) = L ( s ); if ( M ′ , s ′ ) | = AF φ , then return ( M ′ , s ′ ) ; else UpdateAF(( M ′ , s ′ ) , AF φ ); end Function UpdateAF handles the update of formula AF φ as follows: if no state in themodel satisfies formula φ , UpdateAF will first update the model on one state to satisfy φ ;otherwise, for each path in the model that fails to satisfy AF φ , UpdateAF either disablesthis path in some minimal way, or updates this path to make it valid for AF φ . ∗ function UpdateEX(( M, s ) , EX φ ) ∗ input: ( M, s ) and EX φ , where M = ( S, R, L ), s ∈ S , and ( M, s ) = EX φ ;output: ( M ′ , s ′ ), where M ′ = ( S ′ , R ′ , L ′ ), s ′ ∈ S ′ and ( M ′ , s ′ ) | = EX φ ; begin do one of (a), (b) and (c):
4. Here CTLUpdate((
M, s ) , φ ) is the main update function that we will describe later.5. Here s ′ is the corresponding state of s in the updated model M ′ , and the same for other functionsdescribed next. hang & Ding (a) apply PU1 to form a new model: select a state s ∈ S such that ( M, s ) | = φ ; add a relation element ( s , s ) to form a new model M ′ = ( S ′ , R ′ , L ′ ): S ′ = S ; R ′ = R ∪ { ( s , s ) } ; ∀ s ∈ S , L ′ ( s ) = L ( s ); (b) select a state s = succ ( s ), ( M ′ , s ∗ ) = CTLUpdate(( M, s ) , φ ); (c) apply PU4 and PU1 to form a new model M ′ = ( S ′ , R ′ , L ′ ): S ′ = S ∪ { s ∗ } ; R ′ = R ∪ { ( s , s ∗ } ; ∀ s ∈ S , L ′ ( s ) = L ( s ), L ′ ( s ∗ ) is defined such that ( M ′ , s ∗ ) | = φ ; if ( M ′ , s ′ ) | = EX φ , then return ( M ′ , s ′ ); else UpdateEX(( M ′ , s ′ ) , EX φ ); end Function UpdateEX may be viewed as the implementation algorithm of the character-ization for EX φ in Theorem 2 in Section 4. However, it is worth to mentioning that thisalgorithm illustrates the difference in φ in all update functions from those in the updatecharacterizations and demonstrates the wider application of the algorithm compared withtheir corresponding characterizations. The usage of recursive calls in the algorithm allows φ to be an arbitrary CTL formula rather than a propositional formula as demonstrated inthe characterizations. This is the major difference between the characterizations and thealgorithmic implementation. ∗ function UpdateEU(( M, s ) , E[ φ U φ ]) ∗ input: ( M, s ) and E[ φ U φ ], where M = ( S, R, L ), s ∈ S , and ( M, s ) = E[ φ U φ ];output: ( M ′ , s ′ ), where M ′ = ( S ′ , R ′ , L ′ ), s ′ ∈ S ′ and ( M ′ , s ′ ) | = E[ φ U φ ]; begin if ( M, s ) = φ , then ( M ′ , s ′ ) = CTLUpdate(( M, s ) , φ ); else do (a) or (b): (a) if ( M, s ) | = φ , and there is a path π = [ s ∗ , · · · ] ( s = s ∗ ) such that ( M, s ∗ ) | = E[ φ U φ ], then apply PU1 to form a new model M ′ = ( S ′ , R ′ , L ′ ): S ′ = S ; R ′ = R ∪ { ( s , s ∗ } ; ∀ s ∈ S L ′ ( s ) = L ( s ); (b) select a path π = [ s , · · · , s i , · · · , s j , · · · ]; if ∀ s s < s < s i , ( M, s ) | = φ , ( M, s j ) | = φ , but ∀ s ′ s i +1 < s ′ < s j − , ( M, s ′ ) = φ ∨ φ then apply PU1 to form a new model M ′ = ( S ′ , R ′ , L ′ ): S ′ = S ; R ′ = R ∪ { ( s i , s j ) } ; ∀ s ∈ S , L ′ ( s ) = L ( s ); if ∀ s s < s i , ( M, s ) | = φ , and ∀ s ′ s ′ > s i +1 , ( M, s ′ ) = φ ∨ φ , then apply PU4 to form a new model M ′ = ( S ′ , R ′ , L ′ ): S ′ = S ∪ { s ∗ } ; R ′ = R ∪ { ( s i − , s ∗ ) , ( s ∗ , s i ) } ; ∀ s ∈ S , L ′ ( s ) = L ( s ), L ( s ∗ ) is defined such that ( M ′ , s ∗ ) | = φ ; if ( M ′ , s ′ ) | = E[ φ U φ ], then return ( M ′ , s ′ ); else UpdateEU(( M ′ , s ′ ) , E[ φ U φ ]); end To update (
M, s ) to satisfy formula E[ φ U φ ], function UpdateEU first checks whether M satisfies φ at the initial state s . If it does not, then UpdateEU will update this TL Model Update for System Modifications initial state so that the model satisfies φ at its initial state. This will make the laterupdate possible. Then under the condition that ( M, s ) satisfies φ , UpdateEU considerstwo cases: if there is a valid path in M for formula E[ φ U φ ], then it simply links theinitial state s to this path and forms a new path that satisfies E[ φ U φ ] (i.e. case (a)); orUpdateEU directly selects a path to make it satisfy formula E[ φ U φ ] (i.e. case (b)). Handling logical connectives ¬ , ∨ and ∧ Having the De Morgan rules and equivalences on CTL modal formulas, an update forformula ¬ φ can be handled quite easily. In fact we only need to consider a few primary formsof negative formulas in our algorithm implementation. Update on a disjunctive formula φ ∨ φ , on the other hand, is simply implemented by calling CTLUpdate(( M, s ) , φ )or CTLUpdate(( M, s ) , φ ) in a nondeterministic way. Hence here we only describe thefunction of updating for conjunctive formula φ ∧ φ . ∗ function Update ∧ (( M, s ) , φ ∧ φ ) ∗ input: ( M, s ) and φ ∧ φ , where M = ( S, R, L ), s ∈ S , and ( M, s ) = φ ∧ φ ;output: ( M ′ , s ′ ), where M ′ = ( S ′ , R ′ , L ′ ), s ′ ∈ S ′ and ( M ′ , s ′ ) | = φ ∧ φ ; begin if φ ∧ φ is a propositional formula, then ( M ′ , s ′ ) = Update prop (( M, s ) , φ ∧ φ ); else ( M ∗ , s ∗ ) = CTLUpdate(( M, s ) , φ ); ( M ′ , s ′ ) = CTLUpdate(( M ∗ , s ∗ ) , φ ) with constraint φ ; return ( M ′ , s ′ ); end Function Update ∧ handles update for a conjunctive formula in an obvious way. Line indicates that when we conduct the update with φ , we should view φ as a constraintthat the update has to obey. Without this condition, the result of updating φ may violatethe satisfaction of φ that is achieved in the previous update. We will address this point inmore details in next subsection.Finally, we describe the CTL model update algorithm as follows. ∗ algorithm CTLUpdate(( M, s ) , φ ) ∗ input: ( M, s ) and φ , where M = ( S, R, L ), s ∈ S , and ( M, s ) = φ ;output: ( M ′ , s ′ ), where M ′ = ( S ′ , R ′ , L ′ ), s ′ ∈ S ′ and ( M ′ , s ′ ) | = φ ; begin case φ is a propositional formula: return Update prop (( M, s ) , φ ); φ is φ ∧ φ : return Update ∧ (( M, s ) , φ ∧ φ ); φ is φ ∨ φ : return Update ∨ (( M, s ) , φ ∨ φ ); φ is ¬ φ : return Update ¬ (( M, s ) , ¬ φ ); φ is AX φ : return CTLUpdate(( M, s ) , ¬ EX ¬ φ ); φ is EX φ : return UpdateEX(( M, s ) , EX φ ); φ is A[ φ U φ ]: return CTLUpdate(( M, s ) , ¬ (E[ ¬ φ U( ¬ φ ∧ φ )] ∨ EG ¬ φ )); φ is E[ φ U φ ]: return UpdateEU(( M, s ) , E[ φ U φ ]); φ is EF φ ; return CTLUpdate(( M, s ) , E[ ⊤ U φ ]); φ is EG φ : return CTLUpdate(( M, s ) , ¬ AF ¬ φ ); hang & Ding φ is AF φ : return UpdateAF(( M, s ) , AF φ ); φ is AG φ : return CTLUpdate(( M, s ) , ¬ E[ ⊤ U ¬ φ ]); end case ; endTheorem 8 Given a CTL Kripke model M = ( S, R, L ) and a satisfiable CTL formula φ , where ( M, s ) = φ and s ∈ S . Algorithm CTLUpdate((
M, s ) , φ ) terminates andgenerates an admissible model to satisfy φ . In the worst case, CTLUpdate runs in time O (2 | φ | · | φ | · ( | S | + | R | ) ) . Proof:
Since we have assumed that φ is satisfiable, from above descriptions, it is notdifficult to see that CTLUpdate will only call these functions finite times, and each callto these functions will (recursively) generate a result that satisfies the underlying updatedformula, and then return to the main algorithm CTLUpdate. So CTLUpdate(( M, s ) , φ )will terminate, and the output model ( M ′ , s ′ ) satisfies φ .We can show that the output model ( M ′ , s ′ ) is admissible by induction on the structureof φ . The proof is quite tedious - it involves detailed examinations on φ running through eachupdate function. Here it is sufficient to observe that for each update function, each time theinput model is updated in a minimal way, e.g., it adds one state or relation element, removesa minimal set of relation elements to disconnect a state, or updates a state minimally. Withiterated updates on sub-formulas of φ , minimal changes on the original input model will beretained.Now we consider the complexity of CTLUpdate. We first analyze these functions’ com-plexity without considering their embedded recursions. Function Update prop is to updatea state by a propositional formula, which has the worst time complexity O (2 | φ | ). Func-tion UpdateAF contains the following major computations: (1) finding a reachable statein ( M, s ); (2) selecting a path in which each state does not satisfy φ ; and (3) checking( M ′ , s ′ ) | = AF φ . Task (1) can be achieved by computing a spanning tree of M rootedat s , which can be done in time O ( | R | · log | S | ) (Pettie & Ramachandran, 2002). Task(2) can be reduced to find a valid path for formula AG φ . From Theorem 6, this can bedone in time O ( | φ | · ( | S | + | R | ) ). Task (3) has the same complexity of task (2). So,overall, function UpdateAF has the complexity O ( | φ | · ( | S | + | R | ) ). Similarly, we canshow that functions UpdateEX and UpdateEU have complexity O ( | φ | · ( | S | + | R | ) ) and O ( | φ | · ( | S | + | R | ) + 2 | φ | ) respectively. Other functions’ complexity are obvious either fromtheir implementations based on the De Morgan rules and equivalences, or from the callsto other functions (i.e. Update ¬ ) or the main algorithm (i.e. Update ∧ and Update ∨ ). Atmost algorithm CTLUpdate has | φ | calls to other functions. Therefore, in the worst time,CTLUpdate runs in time O (2 | φ | · | φ | · ( | S | + | R | ) ). ✷ It is worth mentioning that except functions Update prop , Update ¬ and Update ∧ , all otherfunctions used in algorithm CTLUpdate are involved in some nondeterministic choices.This implies that algorithm CTLUpdate is not syntax independent. In other words, given TL Model Update for System Modifications a CTL model and two logical equivalent formulas, updating the model with one formulamay generate different admissible models.In the description of function Update ∧ , we have briefly mentioned the issue of constraintsin a CTL model update. In general, when we perform a CTL model update, we usually haveto protect some properties that should not be violated by this update procedure. Theseproperties are usually called domain constraints . It is not difficult to modify algorithmCTLUpdate to cope with this requirement. In particular, suppose C is the set of domainconstraints for a system specification M = ( S, R, L ), and we need to update (
M, s ) withformula φ , where s ∈ S , and C ∪{ φ } is satisfiable. Then in each function of CTLUpdate, wesimply add a model checking condition on the candidate model M ′ = ( S ′ , R ′ , L ′ ): ( M ′ , s ′ ) | = C ( s ′ ∈ S ′ ). The result ( M ′ , s ′ ) is returned from the function if it satisfies C . Otherwise,the function will look for another candidate model. Since model checking ( M ′ , s ′ ) | = C canbe done in time O ( |C| · ( | S ′ | + | R ′ | )), the modified algorithm does not significantly increasethe overall complexity. In our implemented system prototype, we have integrated a genericconstraint checking component as an option to be added into our update functions so thatdomain constraints may be taken into account when necessary.In addition to the implementation of the algorithm CTLUpdate, we have implementedseparate update functions for typical CTL formulas such as EX φ , AG φ , EG φ , AF φ , EF φ ,etc., where φ is a propositional formula, based on our characterizations provided in Section4.2. These functions simplify an update procedure when the input formula does not containnested CTL temporal operators or can be converted into such simplified formula.
7. Two Case Studies
In this section, we show two case studies of applications of our CTL model update approachfor system modifications. The two cases have been implemented in the CTL model updaterprototype, which is a simplified compiler. In this prototype, the input is a complete CTLKripke model and a CTL formula, and the output is an updated CTL Kripke model whichsatisfies the input formula.We should indicate that our prototype contains three major components: parsing, modelchecking and model update functions. The prototype first parses the input formula andbreaks it down into its atomic subformulas. Then the model checking function checkswhether the input formula is satisfied in the underlying model. If the formula is not satisfiedin the model, our model checking function will generate all relevant states that violate theinput formula. Consequently, this information will directly be used for the model updatefunction to update the model.
We consider the well-known microwave oven scenario presented by Clarke et al. (1999),that has been used to illustrate the CTL model checking algorithm on the model describingthe behaviour of a microwave oven. The Kripke model as shown in Figure 11 can be viewedas a hardware design of a microwave oven. In this Kripke model, each state is labeled withboth the propositional atoms that are true in the state and the negations of propositionalatoms that are false in the state. The labels on the arcs present the actions that causestate transitions in the Kripke model. Note that actions are not part of this Kripke model. hang & Ding
The initial state is state 1. Then the given Kripke model M describes the behaviour of amicrowave oven. ~Start~Heat~Close~Error~Close~HeatStartError ~Start~Heat~ErrorClose warm up ~StartClose~ErrorHeatStart~HeatErrorClose StartClose~Heat~Error CloseHeat~Error Startstart oven open doorclose door reset 3 start oven start cookingclose dooropen dooropen door 12 45 6 7 sss ssss cook done Figure 11: CTL Kripke model M of a microwave oven.It is observed that this model does not satisfy a desired property φ = ¬ EF(
Start ∧ EG ¬ Heat ): “once the microwave oven is started, the stuff inside will be eventually heated”(Clarke et al., 1999) . That is, ( M, s ) = φ . What we would like to do is to apply ourCTL model update prototype to modify this Kripke model to satisfy property φ . As wementioned earlier, since our prototype combines formula parsing, model checking and modelupdate together, the update procedure for this case study does not exactly follow the genericCTL model update algorithm illustrated in Section 6. ~Start~Heat~Close~Error~Close~HeatStartError ~Start~Heat~ErrorClose ~Startwarm up Close~ErrorHeatStart~HeatErrorClose StartClose~Heat~Error CloseHeat~Error Startopen doorclose door reset 3 start oven start cookingclose dooropen dooropen door 12 45 6 7 sss ssss cook done Figure 12: Updated microwave oven model using PU2.
6. This formula is equivalent to AG(
Start → AF heat ). TL Model Update for System Modifications
First, we parse φ into AG( ¬ ( Start ∧ EG ¬ Heat )) to remove the front ¬ . The translation isperformed by function Update ¬ , which is called in CTLUpdate(( M, s ) , φ ). Then we checkwhether each state satisfies ¬ ( Start ∧ EG ¬ Heat ). First, we select EG ¬ Heat to be checkedusing the model checking function for EG. In this model checking, each path that has everystate with ¬ Heat is identified. Here we find paths [ s , s , s , s , s , · · · ] and [ s , s , s , · · · ]which are strongly connected component loops (Clarke et al., 1999) containing all stateswith ¬ Heat . Thus the model satisfies EG ¬ Heat . Consequently, we identify all states with
Start : they are { s , s , s , s } . Now we select those states with both Start and ¬ Heat : theyare { s , s } . Since the formula AG( ¬ ( Start ∧ EG ¬ Heat )) requires that the model shouldnot have any states with both
Start and ¬ Heat , we should perform model update relatedto states s and s . Now, using Theorem 3 in Section 4.2, the proper update is performed.Eventually, we obtain two possible minimal updates: (1) applying PU2 to remove relationelement ( s , s ); or (2) applying PU3 to change the truth assignments on s and s . Afterthe update, the model satisfies formula φ and it has a minimal change from the originalmodel M . For instance, by choosing the update (1) above, we obtain a new Kripke model(as shown in Figure 12), which simply states that no state transition from s to s is allowed,whereas choosing update (2), we obtain a new Kripke model (as shown in Figure 13), whichsays that allowing transition from state s to state s will cause an error that the microwaveoven could not start in s , and this error message will carry on to its next state s . ~Start~Heat~Close~Error~Close~HeatStartError ~Start~Heat~ErrorClose ~StartClose~ErrorHeatStart~HeatErrorClose StartClose~Heat~Error CloseHeat~Error Startstart oven open doorclose door reset warmup3 start oven start cookingclose dooropen dooropen door 1 46 7 sss ss ~~ cookdone s5 s2 Figure 13: Updated microwave oven model using PU3.
The Andrew File System 1 (AFS1) (Wing & Vaziri-Farahani, 1995) is a cache coherenceprotocol for a distributed file system. AFS1 applies a validation-based technique to theclient-server protocol, as described by Wing and Vaziri-Farahani (1995). In this protocol,a client has two initial states: either it has no files or it has one or more files but no beliefsabout their validity. If the protocol starts with the client having suspect files, then the clientmay request a file validation from the server. If the file is invalid, then the client requestsa new copy and the run terminates. If the file is valid, the protocol simply terminates. hang & Ding
AFS1 is abstracted as a model with one client, one server and one file. The state transitiondiagrams with single client and server modules are presented in Figure 14. The nodes andarcs are labelled with the value for the state variable, belief , and, the name of the receivedmessage that causes the state transition, respectively. A protocol run begins at an initialstate (one of the leftmost nodes) and ends at a final state (one of the rightmost nodes). valnofilesuspect validnone invalid validinvalidinval valfetchvalidate & valid-filevalidate& !valid-file fetchClientServer val
Figure 14: State transition diagrams for AFS1.The client’s belief about a file has 4 possible values { nof ile, valid, invalid, suspect } ,where nofile means that the client cache is empty; valid , if the client believes its cachedfile is valid; invalid if it believes its caches file is not valid; and suspect , if it has no beliefabout the validity of the file (it could be valid or invalid ). The server’s belief about the filecached by the client ranges over { valid, invalid, none } , where valid , if the server believesthat the file cached at the client is valid; invalid , if the server believes it is not valid; none ,if the server has no belief about the existence of the file in the client’s cache or its validity.The set of messages that the client may send to the server is { f etch, validate } . Themessage f etch stands for a request for a file, and validate message is used by the client todetermine the validity of the file in its cache. The set of messages that the server may sendto the client is { val, inval } . The server sends the val ( inval ) message to indicate to theclient that its cached file is valid (invalid). valid - f ile is used when the client has a suspectfile in its cache and requests a validation from the server. If an update by some other clienthas occurred then the server reflects this fact by nondeterministically setting the value of valid - f ile to 0; otherwise, 1 (the file cached at the client is still valid). The specificationproperty for AFS1 is:AG(( Server.belief = valid ) → ( Client.belief = valid )) . (1)In this file system design, the client belief leads the server belief. This specificationproperty has been deliberately chosen to fail with AFS1 (Wing & Vaziri-Farahani, 1995).Thus, after model updating, we do not need to pay much attention to the rationality ofthe updated models. Our model updater will update the AFS1 model to derive admissible TL Model Update for System Modifications models which satisfy the specification property (1). In this case study, we focus on theupdate procedure according to the functionality of the prototype.
Extracting the Kripke model of AFS1 from NuSMV
It should be noted that, in our CTL model update algorithm described in Section 6, thecomplete Kripke model describing system behaviours is one of two input parameters (i.e.,(
M, s ) and φ ), while the original AFS1 model checking process demonstrated in (Wing &Vaziri-Farahani, 1995) does not contain such a Kripke model. In fact, it only provides SMVmodel definitions (e.g., AFS1.smv) as input to the SMV model checker. This requires initialextraction of a complete AFS1 Kripke model before performing any update of it. For thispurpose, NuSMV (Cimatti et al., 1999) has been used to derive the Kripke model for theloaded model (AFS1). The output Kripke model is shown in Figure 15. This method canalso be used for extracting any other Kripke model.
26 13 146 53 41 2212322 24 79 8101615
11 121719 182025 shows order of variables in a state; Initials of values of variables are shown in states. Initial states: {11, 12, 13, 14}False states: {19, 20, 23, 24, 7, 8}
Figure 15: CTL Kripke model of AFS1.In the AFS1 Kripke model (see Figure 15), there are 26 reachable states (out of total 216states) with 52 transitions between them. The model contains 4 initial states { , , , } and 5 variables with each individual variable having 2, 3 or 4 possible values. These vari-ables are: “Client.out”, (range { f etch , validate } ); “Client.belief” (range { valid , invalid , hang & Ding suspect , nof ile } ); “Server.out” (range { val , inval } ); “Server.belief” (range { none , valid , invalid } ); and “Server.valid-file” (range { true , f alse } ). Update procedure
Model checking : In our CTL model update prototype, we first check whether formula (1) issatisfied by the AFS1 model. That is, we need to check whether each reachable state containseither
Server.belief = ¬ valid or Client.belief = valid . Our model updater identifies thatthe set of reachable states that do not satisfy these conditions is { , , , , , } . Wecall these states false states . Model update : Figure 15 reveals that each false state in AFS1 is on a different path. FromTheorem 3 in Section 4 and UpdateAG in Section 6, we know that to update the modelto satisfy the property, operations PU2 and PU3 may be applied to these false states incertain combinations. As a result, one admissible model is depicted in Figure 16. Thismodel results from the update where each false state on each false path is updated usingPU2. We observe that after the update, states 25 , ,
15 and 16 are no longer reachablefrom initial states 11 and 12, and states 9 and 10 become unreachable from initial states 13and 14.
26 13 146 53 41 2212322 24 79 8101615
11 121719 182025
Initials of values of variables are shown in states.
Figure 16: One of the admissible models from AFS1 model update.
TL Model Update for System Modifications
We should know that Figure 16 only presents one possible updated model after the up-date on AFS1 model. In fact there are too many possible admissible models. For instance,instead of only using PU2 operation, we could also use both PU2 and PU3 in different com-binations to produce many other admissible models. The total number of such admissiblemodels is 64.
8. Optimizing Update Results
From Section 7.2, we observe that very often, our CTL model update approach may derivemany more possible admissible models than we really need. In practice, we would expectthat the solution of a CTL model update provides more concrete information to correctthe underlying system specification. This motivates us to improve our CTL model updateapproach so that we can eliminate unnecessary admissible models and narrow down theupdate results.Consider AFS1 update case again. While the model described in Figure 16 satisfies therequired property and is admissible, it, however, does not retain a similar structure to theoriginal AFS1 model. This implies that after the update, there is a significant change tothe system behaviour. So this admissible model may not represent a desirable correction onthe original system. One way to reduce this possibility is to impose the notion of maximalreachable states into the minimal change principle, so that each possible updated model willalso retain as many reachable states as possible from the original model.Given a Kripke model M = ( S, R, L ) and s ∈ S , and, let M = ( M, s ), we say that s ′ is a reachable state of M , if there is a path in M = ( S, R, L ) of the form π = [ s , s , · · · ]where s ′ ∈ π . RS ( M ) = RS ( M, s ) is used to denote the set of all reachable states of M . Now, we propose a refined CTL model update principle which can significantly reducethe number of updated models. Let M = ( S, R, L ) be a CTL Kripke model and s ∈ S .Suppose M ′ = ( S ′ , R ′ , L ′ ) and ( M ′ , s ′ ) is an updated model obtained from the update of( M, s ) to satisfy some CTL formula. We specify that RS ( M ) ∩ ∼ RS ( M ′ ) = { s | s ∈ RS ( M ) ∩ RS ( M ′ ) and L ( s ) = L ′ ( s ) } .States in RS ( M ) ∩ ∼ RS ( M ′ ) are the common reachable states in M and M ′ , called un-changed reachable states . Note that a state having the same name may be reachable in twodifferent models but with different truth assignments defined by L and L ′ respectively. Inthis case, this state is not a common reachable state for M and M ′ . Definition 7 ( Minimal change with maximal reachable states ) Given a CTL Kripkemodel M = ( S, R, L ) , M = ( M, s ) , where s ∈ S , and a CTL formula φ , a model U pdate ( M , φ ) is called committed with respect to the update of M to satisfy φ , if thefollowing conditions hold: (1) U pdate ( M , φ ) = M ′ = ( M ′ , s ′ ) is admissible; and, (2)there is no other model M ′′ = ( M ′′ , s ′′ ) such that M ′′ | = φ and RS ( M ) ∩ ∼ RS ( M ′ ) ⊂ RS ( M ) ∩ ∼ RS ( M ′′ ) . Condition (2) in Definition 7 ensures that a maximal set of unchanged reachable statesis retained in the updated model. As we will prove next, the amended CTL model updateapproach based on Definition 7 does not significantly increase the overall computationalcost. hang & Ding
Lemma 1
Given a CTL Kripke model M = ( S, R, L ) , M = ( M, s ) , where s ∈ S , a CTLformula φ , and two models M ′ = ( M ′ , s ′ ) and M ′′ = ( M ′′ , s ′′ ) from the update of ( M, s ) to satisfy φ , checking whether RS ( M ) ∩ ∼ RS ( M ′ ) ⊂ RS ( M ) ∩ ∼ RS ( M ′′ ) can be achievedin polynomial time. Proof:
For a given M = ( S, R, L ), we can view M as a directed graph G ( M ) = ( S, R ),where S is the set of vertices and R represents all edges in the graph. Obviously, the prob-lem of finding all reachable states from s in M is the same as that of finding all reachablevertices from vertex s in graph G ( M ), which can be obtained by computing a spanning treewith root s in G ( M ). It is well known that a spanning tree can be computed in polynomialtime (Pettie & Ramachandran, 2002). Therefore, all sets RS ( M ), RS ( M ′ ), and RS ( M ′′ )can be obtained in polynomial time. Also, RS ( M ) ∩ ∼ RS ( M ′ ) ⊂ RS ( M ) ∩ ∼ RS ( M ′′ ) canbe checked in polynomial time. ✷ Theorem 9
Given two CTL Kripke models M = ( S, R, L ) and M ′ = ( S ′ , R ′ , L ′ ) , where s ∈ S and s ′ ∈ S ′ , and a CTL formula φ , it is co-NP-complete to decide whether ( M ′ , s ′ ) is a committed result of the update of ( M, s ) to satisfy φ . Proof:
Since every committed result is also an admissible one, from Theorem 5, the hard-ness holds. For the membership, we need to check (1) whether ( M ′ , s ′ ) is admissible; and,(2) an updated model M ′′ does not exist such that ( M ′′ , s ′′ ) | = φ and RS ( M ) ∩ ∼ RS ( M ′ ) ⊂ RS ( M ) ∩ ∼ RS ( M ′′ ). From Theorem 5, checking whether ( M ′ , s ′ ) is in co-NP. For (2),we consider its complement: a updated model M ′′ exits such that ( M ′′ , s ′′ ) | = φ and RS ( M ) ∩ ∼ RS ( M ′ ) ⊂ RS ( M ) ∩ ∼ RS ( M ′′ ). From Lemma 1, we can conclude that theproblem is in NP. Consequently, the original problem of checking (2) is in co-NP. ✷ As in Section 4, for many commonly used CTL formulas, we can also provide usefulsemantic characterizations to simplify the process of computing a committed model in anupdate. Here, we present one such result for formula AF φ , where φ is a propositionalformula. Given a CTL model M = ( S, R, L ) such that (
M, s ) = AF φ ( s ∈ S ). We recallthat π = [ s , · · · ] in ( M, s ) is a valid path of AF φ if there exists some state s ∈ π and s > s such that L ( s ) | = φ ; otherwise, π is called a false path of AF φ . Theorem 10
Let M = ( S, R, L ) be a Kripke model, and M = ( M, s ) = AF φ , where s ∈ S and φ is a propositional formula. Let M ′ = U pdate ( M , AF φ ) be a model obtainedby the following 1 or 2, then M ′ is a committed model. For each false path π = [ s , s , · · · ] :1. if there is no other false path π ′ sharing any common state with π , then PU3 is appliedto any state s ∈ π ( s > s ) to change s ’s truth assignment such that L ′ ( s ) | = φ and Dif f ( L ( s ) , L ′ ( s )) is minimal; otherwise, this operation is only applied to a sharedstate s j ( j > ) in maximum number of false paths;2. PU2 is applied to remove relation element ( s , s ) , if s also occurs in another validpath π ′ , where π ′ = [ s , s ′ , · · · , s ′ k , s , s ′ k +1 , . . . ] and there exists some s ′ i ( ≤ i ≤ k )such that L ( s ′ i ) | = φ . TL Model Update for System Modifications
Proof:
We first prove Result 1. Consider a false path π = [ s , · · · , s i , s i +1 , · · · ]. Since eachstate in π does not satisfy φ , we need to (minimally) change one state s ’s truth assignmentalong this path so that L ′ ( s ) satisfies φ (i.e., apply PU3 once). If there is no other falsepath that shares any states with π , then we can apply PU3 on any state in path π . In thiscase, only one reachable state in the original model with respect to this path is changed tosatisfy φ . Thus, the updated model retains a maximal set of unchanged states.Suppose that there are other false paths sharing a common state with π . Without lossof generality, let π ′ = [ s , · · · , s ′ i − , s i , s ′ i +1 , · · · ] be a false path sharing a common state s i with π . Then applying PU3 to any state rather than s i in π will not necessarily retain amaximal set of unchanged reachable states, because a further change on any state such as s i could be made in path π ′ in order to make π ′ valid. Since s i is a sharing state betweentwo paths π and π ′ , it implies that updating two states with PU3 does not retain a maximalset of unchanged reachable states comparing to the change only on one state s i that makesboth π and π ′ valid.Now we consider the general case. In order to retain a maximal set of unchangedreachable states in the original model, we should consider all states in π that are also inother false paths. In this case, we only need to apply PU3 operation to one state s j in π that is shared by a maximal number of false paths. In this way, changing s j to satisfy φ will also minimally change other false paths to be valid at the same time. Consequently, weretain a maximal set of unchanged reachable states in the original model.Now we prove Result 2. Let π = [ s , s , s , · · · ] be a false path. According to thecondition, there is a valid path π ′ of the form π ′ = [ s , s ′ , · · · , s ′ k , s , s ′ k +1 , · · · ], where forsome s ′ i ∈ π ′ (1 ≤ i ≤ k ), s ′ i | = φ . Note that the third path, formed from π and π ′ , π ′′ = [ s , s ′ , · · · , s ′ k , s , s , · · · ] is also valid. Applying PU2 on relation element ( s , s ) willsimply eliminate the false path π from the model. Under the condition, it is easy to see thatthis operation does not actually affect the state reachability in the original model becausethe valid path π ′′ will connect s and all states in path π are still reachable from s butthrough path π ′′ . This is described in Figure 17 as follows. ✷ As an optimization of function UpdateAF described in Section 6.1, Theorem 10 proposesan efficient way to update a CTL model to satisfy formula AF φ to guarantee that the updatemodel retains a maximal set of reachable states from the original model. Compared with(a) in function UpdateAF, which updates any state in a path, case 1 in Theorem 10 onlyupdates a state shared by the maximum number of false paths to minimize changes in anupdate to protect unchanged reachable states. Compared with (b) in function UpdateAF,which could disconnect a false path to make the disconnected part unreachable, case 2 inTheorem 10 only disconnects the false path accompanied by an alternate path to ensurethe disconnected path still reachable via the alternate path. This theorem illustrates theprinciple of optimization for characterizations for other CTL formulas.In general, committed models can be computed by revising our previous CTL modelupdate algorithms with particular emphasis to identifying maximal reachable states. As anexample, using the improved approach, we can obtain a committed model of AFS1 modelupdate (as illustrated in Figure 18), and rules out the model presented in Figure 16. Itcan be shown that using the improved approach to the AFS1 model update, the number oftotal possible updated models is reduced from 64 to 36. hang & Ding s0sk’ s1 sk+1’ Figure 17: s occurs in another valid path { s , s ′ , · · · , s ′ k , s , s ′ k +1 , · · · ].
26 13 146 53 41 2212322 24 79 8101615
11 121719 182025
Initials of values of variables are shown in states. f,v, v,n,
Figure 18: One of the committed models of AFS1.
TL Model Update for System Modifications
9. Concluding Remarks
In this paper, we present a formal approach to the update of CTL models. By specifyingprimitive operations on CTL Kripke models, we have defined the minimal change criteria forCTL model update. The semantic and computational properties of our approach are alsoinvestigated in some detail. Based on this formalization, we have developed a CTL modelupdate algorithm and implemented a system prototype to perform CTL model update.Two case studies are used to demonstrate important applications of this work.There are a number of issues that merit further investigations. Our current researchfocuses on the following two tasks:-
Partial CTL model update : In our current approach, a model update is performed on acomplete Kripke model. In practice, this may not be feasible if the system is complexwith a large number of states and transition relations. One possible method to handlethis problem is to employ the model checker to extract partial useful information anduse it as the model update input. This could be a counterexample or a partial Kripkemodel containing components that should be repaired (Buccafurri, Eiter, Gottlob, &Leone, 2001; Clarke, Jha, Lu, & Veith, 2002; Groce & Visser, 2003; Rustan, Leino,Millstein, & Saxe, 2005). In this way, the update can be directly performed on thiscounterexample or partial model to generate possible corrections. It is possible todevelop a unified prototype integrating model checking (e.g., SMV) and model update.-
Combining maximal structure similarity with minimal change : As demonstrated inSection 8, the principle of minimal change with maximal reachable states may sig-nificantly reduce the number of updated models. However, it is evident that thismaximal reachable states principle is applied after the minimal change (see Definition7). We may improve this principle by defining a unified analogue that integrates bothminimal change and maximal structural similarity at the same level. This may furtherrestrict the number of final updated models. This unified principle may be definedbased on the notion of bisimulation of Kripke models (Clarke, Grumberg, Jha, Liu,& Veith, 2003). For instance, if two states are preserved in an update and there is apath between these two states in the original model, then the new definition shouldpreserve this path in the updated model as well, so that the updated model retainsmaximal structural similarity with respect to the original. Consider the committedmodel described in Figure 18: since there is a path from state 21 to state 26 in theoriginal model (i.e., Figure 15), we would require retention of the path between 21and 26 in the updated model. Accordingly, the model displayed in Figure 18 shouldbe ruled out as a final updated model.
Acknowledgments
This research is supported in part by an Australian Research Council Discovery Grant(DP0559592). The authors thank three anonymous reviewers for their many valuable com-ments on the earlier version of this paper. hang & Ding
References
Amla, N., Du, X., Kuehlmann, A., Kurshan, R., & McMillan, K. (2005). An analysis ofsat-based model checking techniques in an industrial environment. In
Proceedings ofCorrect Hardware Design and Verification Methods - 13th IFIP WG 10.5 AdvancedResearch Working Conference (CHARME 2005) , pp. 254–268.Baral, C., & Zhang, Y. (2005). Knowledge updates: semantics and complexity issues.
Ar-tificial Intelligence , , 209–243.Berard, B., Bidoit, M., Finkel, A., Laroussinie, F., Petit, A., Petrucci, L., & Schnoebelen,P. (2001). System and Software Verification: Model-Checking Techniques and Tools .Springer-Verlag Berlin Heidelberg.Boyer, M., & Sighireanu, M. (2003). Synthesis and verification of constraints in the pgmprotocol. In
Proceedings of the 12th International Symposium of Formal MethodsEurope (FME’03) , pp. 264–281. Springer Verlag.Buccafurri, F., Eiter, T., Gottlob, G., & Leone, N. (1999). Enhancing model checking inverification by ai techniques.
Artificial Intelligence , , 57–104.Buccafurri, F., Eiter, T., Gottlob, G., & Leone, N. (2001). On actl formulas having linearcounterexamples. Journal of Computer and System Sciences , , 463–515.Chauhan, P., Clarke, E., Kukula, J., Sapra, S., Veith, H., & Wang, D. (2002). Automatedabstraction refinement for model checking large state spaces using sat based conflictanalysis. In Proceedings of Formal Methods in Computer Aided Design (FMCAD’02) ,pp. 33–51.Cimatti, A., Clarke, E., Giunchiglia, F., & Roveri, M. (1999). Nusmv: A new symbolicmodel verifier. In
Proceedings of the 11th International Conference on ComputerAided Verification , pp. 495–499.Clarke, E., Grumberg, O., Jha, S., Liu, Y., & Veith, H. (2003). Counterexample-guidedabstraction refinement for symbolic model checking.
Journal of ACM , , 752–794.Clarke, E., Grumberg, O., & Peled, D. (1999). Model Checking . MIT Press.Clarke, E., Jha, S., Lu, Y., & Veith, H. (2002). Tree-like counterexamples in model checking.In
Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science(LICS’02) , pp. 19–29.Dennis, L., Monroy, R., & Nogueira, P. (2006). Proof-directed debugging and repair. In
Proceedings of the 7th Symposium on Trends in Functional Programming , pp. 131–140.Ding, Y., & Zhang, Y. (2005). A logic approach for ltl system modification. In
Proceedingsof the 15th International Symposium on Methodologies for Intelligent Systems (ISMIS2005) , pp. 436–444. Springer.Ding, Y., & Zhang, Y. (2006). Ctl model update: Semantics, computations and implementa-tion. In
Proceedings of the 17th European Conference on Artificial Intelligence (ECAI2006) , pp. 362–366. IOS Press.Eiter, T., & Gottlob, G. (1992). On the complexity of propositional knowledge base revision,updates, and counterfactuals.
Artificial Intelligence , , 227–270. TL Model Update for System Modifications
Gammie, P., & van der Meyden, R. (2004). Mck-model checking the logic of knowledge.In
Proceedings of the 16th International Conference on Computer Aided Verification(CAV-2004) , pp. 479–483.Gardenfors, P. (1988).
Knowledge in Flux: Modeling the Dynamics of Epistemic States . TheMIT Press.Groce, A., & Visser, W. (2003). What went wrong: Explaining counterexamples. In
Pro-ceedings of the SPIN Workshop on Model Checking of Software , pp. 121–135.Harris, H., & Ryan, M. (2002). Feature integration as an operation of theory change. In
Proceedings of the 15th European Conference on Artificial Intelligence (ECAI-2002) ,pp. 546–550.Harris, H., & Ryan, M. (2003). Theoretical foundations of updating systems. In
Proceedingsof the 18th IEEE International Conference on Automated Software Engineering , pp.291–298.Herzig, A., & Rifi, O. (1999). Propositional belief base update and minimal change.
ArtificialIntelligence , , 107–138.Holzmann, C. (2003). The SPIN Model Checker: Primer and Reference Manual . Addison-Wesley Professional.Huth, M., & Ryan, M. (2004).
Logic in Computer Science: Modelling and Reasoning aboutSystems . 2nd edition, Cambridge University Press.Katsuno, H., & Mendelzon, A. (1991). On the difference between updating a knowledgebase and revising it. In
Proceedings of International Conference on the Principles ofKnowledge Representation and Reasoning (KR’91) , pp. 387–394.McMillan, K., & Amla, N. (2002). A logic of implicit and explicit belief. In
Automatic Ab-straction without Counterexamples . Cadence Berkeley Labs, Cadence Design Systems.Pettie, S., & Ramachandran, V. (2002). An optimal minimum spanning tree algorithm.
Journal of ACM , , 16–34.Rustan, K., Leino, M., Millstein, T., & Saxe, J. (2005). Generating error traces fromverification-condition counterexamples. Science of Computer Programming , , 209–226.Stumptner, M., & Wotawa, F. (1996). A model-based approach to software debugging. In Proceedings of the 7th International Workshop on Principles of Diagnosis .Wing, J., & Vaziri-Farahani, M. (1995). A case study in model checking software. In
Proceedings of the 3rd ACM SIGSOFT Symposium on the Foundations of SoftwareEngineering .Winslett, M. (1988). Reasoning about action using a possible models approach. In
Proceed-ings of AAAI-88 , pp. 89–93.Winslett, M. (1990).
Updating Logical Databases . Cambridge University Press.. Cambridge University Press.