Homework 2: Temporal logic

Transcription

1 ICS-E5010 Computer-Aided Verification and Synthesis, Spring 2016 Stavros Tripakis Homework 2: Temporal logic Assigned: January 20, 2016 Due: February 1, 2016 Total: 235 points. 1. (20 points) Two formulae φ 1 and φ 2 in the same logic are equivalent, written φ 1 φ 2, if and only if they have the same set of models, i.e., φ 1 is satisfied (by some model) if and only if φ 2 is satisfied (by the same model). In particular, two LTL formulae are equivalent iff they are satisfied by exactly the same set of infinite traces. φ 1 is stronger than φ 2 if every model which satisfies φ 1 also satisfies φ 2. In other words, if φ 1 implies (or entails) φ 2. (a) Consider the two LTL formulae and G(a b) Ga Gb Are they equivalent? If yes, prove it. If not, provide a counterexample (i.e., an infinite trace which satisfies one formula but violates the other). A trace that would satisfy only the weaker formula would be one in which a is true only on even steps and b is true only on odd steps. (b) Is one of the above two formulae stronger that the other? Ga Gb G(a b) Consider any trace that satisfies the left side. There are two possibilities: in every state a holds, or in every state b holds. For each of these possibilites, in every state one of the two hold, satisfying the right side. (c) Answer the same questions as in (a), (b), for the two LTL formulae F(a b) and Fa Fb 1

2 F(a b) Fa Fb Consider any trace that satisfies the left side. There must exist a state in the trace at which both a and b hold simultaneously. Both of the conditions on the right hold in this case. An example of a trace that would only satisfy the weaker condition would be one in which a is true only on the first step, and b is only true on the second step. 2. (40 points) (Problem 5.6 from the book by Baier and Katoen, Principles of Model Checking) For each of the following, either prove that the equivalence is correct, or give a counterexample to show that it is not: (a) Gφ Fψ φ U (ψ φ) This equivalence is true. The left hand side can be algebraically transformed by standard temporal logic identities: Gφ Fψ Gφ Fψ F φ Fψ F( φ ψ) true U( φ ψ) For the last formula, any trace satisfying it is unconstrained until either φ or ψ is first true. For the prefix up to this until condition is first met, φ must be true. Likewise, for a trace violating this condition, φ must always be true and ψ must never be true, thus violating the until condition regardless of the what the prefix condition is. Consequently, true U( φ ψ) φu( φ ψ) proving the equivalence. (b) FGφ GFψ G(φ U (ψ φ)) This equivalence is true. To show this, the left and right hand sides can be transformed into an easier comparision. First, the left, using standard identities, can be transformed as follows FGφ GFψ FGφ GFψ GF φ GFψ G(F φ) G(Fψ) 2

3 The right can be transformed using the steps from the previous part G(φ U ( φ ψ)) G(F φ Fψ) As can be seen (with the parenthesis inserted above for clarity), the transformed equations are of the same form as the comparison in the previous question. What can therefore be determined is that at least G(F φ) G(Fψ) G(F φ Fψ) which leaves only the implication in the other direction. To show this, the following lemma is needed: G(Fa Fb) GFa GFb Consider a trace satisfying the left side of the implication. At every state there will eventually be a state in which either a holds or one in which b holds. Fix some arbitrary k, and take the suffix of such a trace. There must exist an n k at which a holds or one at which b holds. One can therefore always construct a function { (n, 0) a holds at n f(k) = (n, 1) b holds at n choosing for each k a step n at which a or b holds. Suppose that neither GFa nor GFb hold for this trace. Then there would be a maximum n in the range of f. But this would contradict the property that n k for all k, of which there are infinite. Thus, by contradiction, at least one of GFa or GFb must hold, proving the lemma. Using this lemma, the orignal equation is fully proven. (c) GG(φ ψ) F( φ ψ) This equivalence is true. This can be shown via a simple derivation. (d) GFφ GFψ G(φ Fψ) This equivalence is false. GG(φ ψ) G(φ ψ) G(φ ψ) F (φ ψ) F( φ ψ) 3

4 Consider any trace in which φ is true only finitely many times and ψ is never true after the last state in which φ is. This trace will satisfy the left side of the equation vacuously, since the premis of the implication is false. However, the last state in which φ is true, by definition, has no subsequent state in which ψ is true, violating the implication in the right side. Since there is a state in which the implication is false, it is not always true, thus violating the right side formula. 3. (30 points) (Problem 5.2 from Baier and Katoen) Consider the transition system (Kripke structure) shown below, over the set of atomic propositions {a, b, c}. Determine which of the following LTL formulae hold in this transition system. For those that do hold, explain why. For those that do not, provide a counterexample trace. Note: we use for logical implication, and assume that it binds with lower priority than other operators. So, for example, X c XXc means (X c) (XXc). (a) φ 1 = FGc This is false. A counterexample is a trace (b) φ 2 = GFc This is true. (c) φ 3 = X c XXc This is true. s 1 (s 3 s 4 ) (d) φ 4 = Ga This is false. A counterexample is any trace starting with s 2. (e) φ 5 = a U (G(b c)) This is true. 4

5 (f) φ 6 = (XXb) U (b c) This is false. A counterexample is any trace starting with s 1 s 4 s (20 points) Consider the formula ( p)up. Is this formula stronger, weaker, or equivalent to Fp? Justify your answers (provide proof or counterexample). ( p)up and Fp are equivalent. To see this, observe that ( p)up implies Fp since in general φuψ implies Fψ. It remains to show that Fp implies φuψ. To see this, consider a trace σ satisfying Fp. Consider the first point in σ, say point i, where p holds (such an i must exist, otherwise σ wouldn t satisfy Fp). Then for all j < i, p holds. Thus σ satisfies ( p)up. 5. (40 points) We want to compare LTL and CTL, to see whether properties stated in one logic could also be expressed in the other logic. To do this, we need to compare LTL and CTL formulae. If φ 1 is an LTL formula and φ 2 is a CTL formula, we need to define what it means for the two to be equivalent, since they don t have the same types of models (φ 1 is satisfied by traces, whereas φ 2 is satisfied by states of transition systems). However, we know what it means for a transition system to satisfy an LTL formula as well as a CTL formula. Therefore, we will say that φ 1 and φ 2 are equivalent iff they are satisfied by exactly the same set of transition systems. (a) Consider the LTL formula FGp and the CTL formula AFAGp. Are the two formulas equivalent? They are not equivalent: consider transition system M with three states, s 0, s 1, s 2, s 0 being the initial state, and transitions s 0 s 1, s 1 s 2, s 0 s 0 (self-loop) and s 2 s 2 (self-loop). Let p hold at s 0, s 2 but not at s 1. Then M = FGp because every infinite path in M either always stays at s 0 (where p holds) or eventually moves to s 2 (where again p holds) and stays there forever after. But M does not satisfy AFAGp. To see why, observe that neither s 0 nor s 1 satisfy AGp, because from both there is a reachable state (s 1 ) where p does not hold. Letting ψ := AGp, we then see that s 0 does not satisfy AFψ, because the path that always stays in s 0 does not satisfy Fψ. In fact, there is no equivalent CTL formula for FGp. This is left without proof. (b) Is the CTL formula (AGp) (AGq) equivalent to (Gp) (Gq)? (AGp) (AGq) and (Gp) (Gq) are not equivalent. For instance, consider transition system M with three states, s 0, s 1, s 2, s 0 being the initial state, and transitions s 0 s 1, s 0 s 2, s 1 s 1, and s 2 s 2. At s 0 both p, q hold. At s 1 only p holds. At s 2 only q holds. Then M = (Gp) (Gq). But M does not satisfy AGp, neither AGq. 5

6 (c) Consider the CTL formula AFp, where p is an atomic proposition. Is there an equivalent LTL formula? 6. (30 points) Consider the CTL formula EFp, where p is an atomic proposition. (a) Is there an equivalent LTL formula? Justify your answer. There is not equivalent LTL formula for EFp. LTL formulas are all satisfied by sets of traces when the properties are true over all the traces in the set. This formula is satisfied by sets containing only some satisfying traces due to the E quantifier. (b) Suppose you want to check whether a given transition system M satisfies the CTL formula EFp. You only have a model-checker that can check LTL formulas, but not CTL formulas. Even if the answer to (a) is there is no equivalent LTL formula can you still use your LTL model-checker to check the above CTL formula? How? Although there is no equivalent LTL formula, we can try to check the negation of the CTL formula EFp, i.e., EFp, which is equivalent to AG p. This has an equivalent LTL formula G p and thus can be checked by the LTL model-checker. If it is verified, the original formula EFp is false. If a counterexample is found, the original formula EFp is true, with the witness being the counterexample. 7. (15 points) Express the following two statements in first-order logic: (a) There is someone who loves everyone. x : y : Loves(x, y) (b) There is someone whom no one loves. x : y : Loves(y, x) Are the two statements consistent with each other? (I.e., is their conjunction satisfiable?) The conjunction of the above formulas is not satisfiable. Suppose it is. Let a satisfy y : Loves(a, y) and let b satisfy y : Loves(y, b). Then after setting y := b to the first, we get Loves(a, b). After setting y := a to the second, we get Loves(a, b). Contradiction. 8. (40 points) For each of the logic formulas below: (a) Explain whether they are valid, unsatisfiable, or neither (i.e., satisfiable but not valid). 6

7 (b) If they are propositional logic formulas, put them in CNF (conjunctive normal form). (c) If they are first-order logic formulas, put them in prenex normal form. Here are the formulas: (a) (p q) ( p q) Valid (de Morgan s law). CNF: true (or p p). (b) (a b) ( a c) (b c) Unsatisfiable (resolve first two clauses, obtain new clause b c, which contradicts the third clause). CNF: false (or p p). (c) (p (q r)) ((p q) r) Valid. CNF: true. (d) (p q) (p q) Satisfiable but not valid. E.g., p = q = 1 makes it true but p = q = 0 makes it false. CNF: (p q) p q ( p q) p q p q. (e) ( x : y : P (x, y)) ( y : x : P (x, y)) Satisfiable but not valid. E.g., P (a, a) makes it true when a is the only element, and P (a, a), P (b, b), P (a, b), P (b, a) makes it false. PNX: i. Convert to NNF: ( x : y : P (x, y)) ( y : x : P (x, y)) ( x : y : P (x, y)) ( y : x : P (x, y)) ii. Rename: iii. PNX: (f) ( x : y : P (x, y)) ( y : x : P (x, y)) Valid. PNX: true. ( x : y : P (x, y)) ( z : w : P (w, z)) x : y : z : w : P (x, y) P (w, z) (g) ( x : P (x)) ( x : P (x)) Satisfiable but not valid. When the set of values is empty, it is false. Otherwise it is true. PNX: 7

8 i. Convert to NNF: ( x : P (x)) ( x : P (x)) ( x : P (x)) ( x : P (x)) ii. Rename: iii. PNX: ( x : P (x)) ( y : P (y)) x : y : P (x) P (y) 8