A Sound and Complete Deductive System for CTL* Verification
Size: px
Start display at page:

Download "A Sound and Complete Deductive System for CTL* Verification"

Transcription

1 A Sound and Complete Deductive System for CTL* Verification DOV M. GABBAY, King s College, London. dov.gabbay@kcl.ac.uk AMIR PNUELI, New York University, Courant Institute. amir@cs.nyu.edu Abstract The paper presents a compositional approach to the verification of CTL* properties over reactive systems. Both symbolic model-checking (SMC) and deductive verification are considered. Both methods are based on two decomposition principles. A general state formula is decomposed into basic state formulas which are CTL* formulas with no embedded path quantifiers. To deal with arbitrary basic state formulas, we introduce another reduction principle which replaces each basic path formula, i.e., path formulas whose principal operator is temporal and which contain no embedded temporal operators or path quantifiers, by a newly introduced boolean variable which is added to the system. Thus, both the algorithmic and the deductive methods are based on two statification transformations which successively replace temporal formulas by assertions which contain no path quantifiers or temporal operators. Performing these decompositions repeatedly, we remain with basic assertional formulas, i.e., formulas of the form E f p and A f p for some assertion p. In the model-checking method we present a single symbolic algorithm to verify both universal and existential basic assertional properties. In the deductive method we present a small set of proof rules and show that this set is sound and relatively complete for verifying universal and existential basic assertional properties over reactive systems. Together with two proof rules for the decompositions, we obtain a sound and relatively complete proof system for arbitrary CTL* properties. Interestingly, the deductive approach for CTL* presented here, offers a viable new approach to the deductive verification of arbitrary LTL formulas. The paper corrects a previous preliminary version of a deductive system for CTL*, in which some of the rules were unsound. The correction is based on the introduction of a new type of temporal testers which are guaranteed to be non blocking. That is, when composed with a deadlock-free system, which is a key operation in the verification process, the resulting composed system is guaranteed to remain deadlock free. 1 Introduction The paper presents a compositional approach to the verification of CTL* properties over reactive systems. We present both an algorithmic method based on symbolic model-checking, for the verification of finite-state systems and a deductive method for the verification of possibly infinite-state systems. The logic CTL* is a temporal logic which can express linear-time as well as branching-time temporal properties, and combinations thereof, and contains both LTL and CTL as sub-logics. A complete deductive proof system for linear-time temporal logic (LTL) has been presented in [MP91a] and further elaborated in [MP91b] and [MP95]. This proof system has been successfully implemented in the Stanford Temporal Verifier STeP [BBC + 95]. The deductive proof system presented here can be viewed as an extension of the approach of [MP91a] to the logic CTL*. This research was supported in part by EPSRC grant GR/D Vol. 16 No. 6, The Author Published by Oxford University Press. All rights reserved. For Permissions, please journals.permissions@oxfordjournals.org doi: /jigpal/jzn018

2 500 A Sound and Complete Deductive System for CTL* Verification A deductive proof system for CTL* is valuable for several reasons. In spite of the impressive progress in the various versions of model-checking and other algorithmic verification techniques, they are still restricted to finite-state systems. The only verification method known to be complete for all programs is still the method of deductive verification. There are special benefits to the extension of the deductive methodology from the linear-time framework to the more expressive branching semantics of CTL*: 1. Some important system properties are expressible in CTL* but not in LTL. Typically, these are possibility properties, such as the viability of a system, stating that any reachable state can spawn a fair computation. This is strongly related to the non-zeno ness of real-time and hybrid systems. 2. As shown in [PR88], the problem of synthesis of a reactive module can be solved by checking for validity of a certain CTL* formula, even if the original specification is a pure LTL formula. Deductive verification of CTL* formulas is valuable even in the context of finite-state systems which can be model-checked: 3. A counter-example of even simple CTL formulas such as E p is no longer a simple finite printable trace. A convincing evidence of a counter-example could be an automatically produced proof of its existence. 4. In general, model-checking is useful if it produces a counter-example. However, when it terminates declaring the property to be valid, the user is not always convinced. A deductive proof can provide a convincing argument of such a validity [Nam01, PPZ01]. A general CTL* formula is composed of state sub-formulas that are interpreted over states and path sub-formulas that are interpreted over paths. Both the algorithmic and the deductive methods for CTL* verification are based on the same two decomposition principles. The first decomposition process decomposes a general state formula into basic state formulas which are CTL* formulas with no embedded path quantifiers. A basic state formula has the form Qϕ, where Q is a path quantifier and ϕ is a general path formula (according to the CTL* terminology) or, equivalently, can be described as an LTL formula. Then, the second decomposition process decomposes a general path formula into basic path formulas which are path formulas whose principal operator is temporal and which contain no embedded temporal operators or path quantifiers. Thus, as a first step, we reduce the problem of verifying an arbitrary CTL* formula into a set of verification tasks of the form p i β i in the deductive case (p i β i in the algorithmic case), where p i is an assertion (non-temporal formula) and β i is a basic state formula. This reduction is based on the following observation: Let f (β) be a CTL* formula (assumed to be in positive normal form i.e., negations are only applied to assertions) which contains one or more occurrences of the basic state formula β. Then, a sufficient condition for f (β) tobe valid over the computation tree of system D (D-valid) is the D-validity of the formulas p β and f (p), for some assertion p, where f (p) is obtained from f (β) by replacing all occurrences of β by the assertion p. By repeated application of such replacements (for appropriately designed assertions p), we reduce the verification problem of an arbitrary CTL* formula to a set of verification problems, each requiring the proof of a formula of the form p i β i, where β i are basic state formulas. In the context of finite-state model checking, this decomposition of the verification task based on the path quantifiers was first proposed by Emerson and Lei in [EL87]. It has been

3 A Sound and Complete Deductive System for CTL* Verification 501 used again in [KPRS06] for the construction of a symbolic model checker (SMC) for CTL* properties over finite state systems. To deal with arbitrary basic state formulas, we introduce the second reduction principle which replaces each basic path formula by a newly introduced boolean variable which is added to the system D. This reduction can be viewed as a simplified version of the tableau construction proposed in [LP85] and later referred to as the construction of a tester [KPR98]. The idea of allocation of an individual Boolean variable to each sub-formula of a path formula has been considered first in [BCM + 92] in the context of symbolic implementation of a tableau construction. The observation that this boolean variable can replace the sub-formula itself in the context of model checking has been later considered in [CGH94]. Thus, both the algorithmic and the deductive methods are based on two statification transformations which successively replace temporal formulas by assertions which contain no path quantifiers or temporal operators. The first transformation replaces a basic state formula β by an assertion p, provided that we can independently establish the D-validity of the entailment p β. The second transformation replaces the basic path formula ϕ by the single boolean variable x ϕ (which is also a trivial assertion) at the price of augmenting the system D by a temporal tester T ϕ. It is interesting to compare the general structure of the CTL* deductive proof system presented here with the LTL proof system presented in [MP91a] and elaborated in [MP91b, MP95, BBC + 95]. In [MP91a], the system lists first useful rules for special form formulas, the most important of which are formulas of the form p q, p q, and p q, where p and q are arbitrary past formulas. To deal with the general case, [MP91a] invokes a general canonic-form theorem, according to which every (quantifier-free) LTL formula is equivalent to a conjunction of formulas of the form p i q i, for some past formulas p i and q i. While this approach is theoretically adequate, it is not a practically acceptable solution to the verification of arbitrary LTL formulas. This is because the best known algorithms for converting an arbitrary LTL formula into canonic form are at least exponential (e.g., [Gab87] which is actually non-elementary). A better approach to the verification of arbitrary LTL formulas is based on the notion of deductive model checking [SUM99], which can also be described as a tableau-based construction. The approach presented here, gives a small set of proof rules that is sound and relatively complete for proving basic assertional formulas, which are formulas of the form Qp where Q is a path quantifier and p is an assertion. To deal with the general case, a general path formula is decomposed to basic path formulas based on successive elimination of temporal operators. This decomposition, which proceeds all the way to basic assertional formulas, can be viewed as an incremental tableau construction which offers a viable new approach to the deductive verification of arbitrary LTL formulas, even though it is presented as part of a deductive proof system for CTL*, which is a more complex logic than LTL. A preliminary version of the deductive system presented here has been proposed in [KP05]. Unfortunately, some of the rules presented in [KP05] are unsound. This paper corrects the faults in the system of [KP05]. The reason for the unsoundness of the rules in [KP05] is that the temporal testers used there may sometimes be blocking. This means that, when such a tester is composed with a deadlock-free system, there is no guarantee that the composed system remains deadlock free. The main technical contribution of this paper is a new version of temporal testers which are guaranteed to be non-blocking. In view of this improvement, we are now able to provide rigorous arguments for the soundness and completeness of our deductive system, which is presented here, but was missing in [KP05].

4 502 A Sound and Complete Deductive System for CTL* Verification There have been two earlier complete axiomatizations of propositional CTL*. The work reported in [Rey01] provides (the first) complete axiomatization of pure propositional CTL*, thus solving a long standing open problem in branching-time temporal logic. Comparing this impressive result with our work, we should remind the reader of our motivation which is to provide a deductive system to verify first-order CTL* expressible properties of reactive systems, where the computational model includes a full fledged set of weak and strong fairness assumptions. Our goal is to derive a deductive system for CTL* which extends the LTL deductive methodology expounded in [MP95] and provides realistic tools for verifying non-trivial reactive systems, such as those implemented in the STeP system [BBC + 95]. Theoretically, this goal can be implemented even within the pure-logic axiomatization of [Rey01], because CTL* (being more expressive than LTL) can certainly capture the computation tree of a reactive system including all fairness assumptions. This allows us to reduce the verification problem D = ϕ into the pure validity problem = S D ϕ, where S D is the CTL* formula characterizing the computation tree of system D. While this is possible in theory, it is highly impractical and leads to very obscure and unreadable proofs. A similar dichotomy exists in finite-state LTL verification. On one hand, one can use the special LTL model checking technique proposed in [LP85] for verifying D = ϕ whose complexity is exponential in ϕ but only linear in D. On the other hand, one can reduce this to the problem of checking the validity of the implication S D ϕ which is exponential in both ϕ and D. It is obvious that the specialized technique which does not transform the system into a formula is (exponentially) better than the reductionism approach. While the analogy between finite-state model checking and deductive verification is not perfect, this argument serves to indicate the inherent rise in complexity when using pure temporal logic techniques for practical verification. Another related work is that of Sprenger [Spr00]. This approach is much closer to our own, because it preserves the distinction between the system and the formula, and contains a special treatment of the different kinds of fairness. The advantage of our approach is that it proceeds at a coarser level of granularity, and therefore yields a much simpler proof system. Sprenger s method of local model checking proceeds at steps analogous to the basic steps of a tableau construction, including step by step handling of the boolean connectives. Our approach attempts to get rid of one temporal operator at each step, applying the appropriate rule for this operator, with no need to trace cycles and close leaves in the tableau. We believe that our proof system and its application to be significantly more succinct and effective and, therefore, more amenable to the construction of support systems for serious reactive verification. The paper is organized as follows. In Section 2 we present the FDS computation model. In Section 3, we present the logic CTL* with past operators. In Section 4 we present the notion of a tester which is an FDS constructed for a basic path formula (i.e., a simple LTL formula) and identifies the positions in a computation at which the formula holds. Testers are constructs which are central to our method of decomposing a verification of a large CTL* formula into subtasks of verifying smaller sub-formulas. In Section 5 we present a method for model checking an arbitrary CTL* formula, using the decomposition principles and the single FEASIBLE algorithm used to verify basic assertional formulas. Finally, in Section 6 we present a deductive proof system for the verification of general CTL* formulas. The presentation starts by presenting a proof rule for the elimination of state formulas embedded within a general CTL* formula. Next, we present a set of proof rules for some basic state properties which is sound and relatively complete for verifying basic assertional formulas. Finally we

5 A Sound and Complete Deductive System for CTL* Verification 503 give a proof rule for the elimination of temporal operators from an arbitrary state formula, using a tester for this purpose We prove soundness and relative completeness of the deductive system for verifying arbitrary CTL* formulas over reactive systems. The algorithmic method for CTL* verification has been presented in [KPRS06] and is given here for the completeness of the presentation. A conference version of the deductive method appeared in [KP02]. It should be noted that both the algorithmic and deductive methods for CTL* verification are presented here in terms of a decomposition of an arbitrary CTL* formula all the way to basic assertional formulas. Obviously this is not the most efficient method, and is presented here mainly for the simplicity of the presentation. For better efficiency, the decomposition of a general state formula should stop at CTL formulas, namely refrain from eliminating the outermost temporal operator. In the algorithmic method, this requires augmenting the proof system with a set of algorithms for all CTL operators. This option is discussed in [PK03]. In the deductive method, the proof system has to be augmented to be sound and relatively complete for CTL. 2 The Computational Model In this paper we refer to a first-order formula as an assertion. As a computational model for reactive systems, we take the model of fair discrete system (FDS). An FDS D : V,,ρ,J,C consists of the following components. V ={u 1,...,u n } : A finite set of typed state variables over possibly infinite domains. We define a state s to be a type-consistent interpretation of V, assigning to each variable u V a value s[u] in its domain. We denote by the set of all states. : The initial condition. This is an assertion characterizing all the initial states of the FDS. A state is called initial if it satisfies. ρ :Atransition relation. This is an assertion ρ(v,v ), relating a state s to its D-successor s by referring to both unprimed and primed versions of the state variables. The transition relation ρ(v,v ) identifies state s as a D-successor of state s if s,s =ρ(v,v ), where s,s is the joint interpretation which interprets x V as s[x], and x as s [x]. J ={J 1,...,J k } : A set of assertions expressing the justice (weak fairness) requirements. Intentionally, the justice requirement J J stipulates that every computation contains infinitely many J -positions (positions j 0, such that s j satisfies J ). C ={ p 1,q 1,..., p n,q n } : A set of assertions expressing the compassion (strong fairness) requirements. Intentionally, the compassion requirement p,q C stipulates that every computation containing infinitely many p-positions also contains infinitely many q-positions. Let σ :s 0,s 1,..., be a sequence of states, ϕ be an assertion, and j 0 be a natural number. We say that j is a ϕ-position of σ if s j is a ϕ-state, i.e., s j satisfies the assertion ϕ. Let D be an FDS for which the above components have been identified. A run of D is an infinite sequence of states σ :s 0,s 1,..., satisfying the requirements of Initiality: s 0 is initial, i.e., s 0 =. Consecution: For each j 0, s j+1 is a D-successor of s j.

6 504 A Sound and Complete Deductive System for CTL* Verification We denote by runs(d) the set of runs of D. A run of D is called a computation if it satisfies the following: Justice: For each J J, σ contains infinitely many J -positions Compassion: For each p,q C, ifσ contains infinitely many p-positions, it must also contain infinitely many q-positions. We denote by Comp(D) the set of all computations of D. A state s is said to be reachable if it occurs in some run of D. State s is feasible if it occurs in some computation of D. An FDS D is called deadlock free if every reachable state has a D-successor. It can be shown that all FDS s corresponding to programs are deadlock-free. An FDS D is feasible if it has at least one computation, i.e., if Comp(D) =. We say that an FDS D is viable if every reachable state is feasible. It is not difficult to see that every viable FDS is deadlock free. From now on, we assume that all given FDS s are deadlock free. 2.1 Parallel Composition of FDS s Fair discrete systems can be composed in parallel. Let D i = V i, i,ρ i,j i,c i, i {1,2}, be two fair discrete systems. Two versions of parallel composition are used. Asynchronous composition is used to assemble an asynchronous system from its components (see [KP00]). We define the asynchronous parallel composition of two FDS s to be D = V,,ρ,J,C = V 1, 1,ρ 1,J 1,C 1 V 2, 2 ρ 2,J 2,C 2, where V = V 1 V 2 = 1 2, ρ = ρ 1 pres(v 2 V 1 ) ρ 2 pres(v 1 V 2 ), J = J 1 J 2, C = C 1 C 2. For a set of variables U, the predicate pres(u ) stands for an abbreviation of the conjunction x U (x =x), implying that all variables in U preserve their values in the current transition. The execution of D =D 1 D 2 is the interleaved execution of D 1 and D 2. Another mode of parallel composition is that of synchronous parallel composition. Synchronous composition is used in some cases, to assemble a system from its components (in particular when considering hardware designs which are naturally synchronous). However, our primary use of synchronous composition is for combining a system with a tester T ϕ for a basic path formula ϕ, as described, for example, in Subsection 5.4. We define the synchronous parallel composition of two FDS s to be where D = V,,ρ,J,C = V 1, 1,ρ 1,J 1,C 1 V 2, 2 ρ 2,J 2,C 2, V = V 1 V 2 = 1 2, ρ = ρ 1 ρ 2, J = J 1 J 2, C = C 1 C 2. We can view the execution of D as the joint execution of D 1 and D 2.

7 A Sound and Complete Deductive System for CTL* Verification 505 Claim 1 Let σ be an infinite sequence of (V 1 V 2 )-states. The sequence σ is a computation of D 1 D 2 iff σ V1 is a computation of D 1 and σ V2 is a computation of D 2. In general the composition of D 2 with D 1 may restrict the set of computations of D 1. We therefore say that system D 2 is non-interfering with system D 1 if, for every σ 1 a computation of D 1, there exists a computation σ of D 1 D 2 which agrees with σ 1 on the values of the V 1 -variables. That is, σ V1 =σ From FDS to JDS An FDS with no compassion requirements is called a just discrete system (JDS). Let D : V,,ρ,J,C be an FDS such that C ={(p 1,q 1 ),...,(p m,q m )} and m >0. We define a JDS D J : V J, J,ρ J,J J, equivalent to D, as follows: V J =V {n_p i : boolean (p i,q i ) C} {x c }. That is, for every compassion requirement (p i,q i ) C, we add to V J a boolean variable n_p i. Variable n_p i is intended to turn true at a point in a computation from which the assertion p i remains false forever. Variable x c, common to all compassion requirements, is intended to turn true at a point m in a computation satisfying (p i n_p i ). J : x c =0 i=1 m n_p i =0. i=1 That is, initially all the newly introduced boolean variables are set to zero. ρ J =ρ ρ n_p ρ c, where m ρ n_p : (n_p i n_p i ) i=1 ) m ρ c : x c (x = c (p i n_p i ) The augmented transition relation allows each of the n_p i variables to change nondeterministically from 0 to 1. Variable x c is set to 1 on the first occurrence of p i n_p i, for some i, 1 i m. Once set, it is never reset. J J =J { x c } {n_p i q i (p i,q i ) C}. The augmented justice set contains the additional justice requirement n_p i q i for each (p i,q i ) C. This requirement demands that either n_p i turns true sometime, implying that p i is continuously false from that time on, or that q i holds infinitely often. The justice requirement x c ensures that a run with one of the variables n_p i set prematurely, will not be accepted as a computation. The transformation of an FDS to a JDS follows the transformation of Streett automata to generalized Büchi Automata (see [Cho74] for finite state automata, [Var91] for infinite state automata). The reactive systems we want to verify can have both weak (justice) and strong (compassion) fairness requirements. In the case of algorithmic verification we use an algorithm that deals with the compassion requirements of the system directly. We show in [KPRS06] that this approach is more efficient. However in the deductive case, although [MP91a] presents an LTL proof rule that deals directly with compassion, and can easily be i=1

8 506 A Sound and Complete Deductive System for CTL* Verification adapted for CTL*, the application of the rule initiates a tree of additional rules to be included, resulting in a complex proof system. To keep the presentation reasonable, we prefer in the exposition of the deductive approach to transform the FDS representation of the verified system into a JDS, prior to the verification, and present rules which only deal with justice. 3 The Branching Temporal Logic CTL* In the following we define the branching temporal logic CTL* with both future and past operators. We denote the fragment of CTL* without the past operators as the future fragment of CTL* (see [Eme90] for the future fragment). We assume a finite set of variables V over possibly infinite domains, and an underlying assertion language L which contains the predicate calculus augmented with fix-point operators 1. We assume that L contains interpreted symbols for expressing the standard operations and relations over some concrete domains, such as the integers. In practice, our assertional language is a first-order language over the integers. An assertion is a formula in that language. We will rarely use fix-point operators in assertions and their inclusion is merely for the sake of claims of relative completeness. A CTL* formula is constructed out of assertions to which we apply the boolean operators, temporal operators and path quantifiers. The basic temporal operators are Next Previous Weak Previous U Until S Since W Waiting-for (Unless) B Back-to Additional temporal operators may be defined as follows: p = T U p Eventually p p = p W F Always, henceforth p p = T Sp Sometimes in the past p p = pbf Always in the past p The path quantifiers are E, A, E f and A f. We refer to E f and A f as the fair path quantifiers and to E and A as the unrestricted path quantifiers. In the following, we present the syntax and semantics of the logic which is interpreted over the computation graph generated by an FDS. We use the terms path and fair path as synonymous to a run and a computation respectively, over an FDS. Let π :s 0,s 1,... be a run of D. Then, we write π[j] to denote s j, the j th state in π. 3.1 The Logic CTL* There are two types of sub-formulas in CTL*: state formulas that are interpreted over states, and path formulas that are interpreted over paths. The syntax of a CTL* formula is defined inductively as follows. 1 As is well known ([LPS81],) a first-order language is not adequate for (relative) completeness of a temporal proof system for infinite state reactive programs. The use of minimal and maximal fix-points for relative completeness of the liveness rules is discussed in [MP91a], based on [SdRG89].

9 A Sound and Complete Deductive System for CTL* Verification 507 State formulas: Every assertion in L is a state formula. If p is a path formula, then Ep, Ap, E f p and A f p are state formulas. If p and q are state formulas then so are p q and p q. Path formulas: Every state formula is a path formula. If p and q are path formulas then so are p q, p q, p, p U q, p W q, p, p, p Sq, and pbq. The formulas of CTL* are all the state formulas generated by the above rules. A formula of the form Qψ, where Q {E,A,E f,a f } is a path quantifier and ψ is a path formula containing no other path quantifier, is called a basic state formula. A basic state formula of the form Aψ or A f ψ (Eψ or E f ψ) is called a basic universal (existential) state formula. A basic state formula Qp where p is an assertion is called a basic assertional formula. We define a basic path formula to be a path formula ϕ whose principal operator is temporal, and such that ϕ contains no other temporal operators or path quantifiers. We refer to the set of variables that occur in a formula p as the vocabulary of p. Apure path formula is a path formula which contains no occurrence of a path quantifier. Note that our inductive definitions did not include the Boolean operation of negation ( ). This implies that negations are allowed only as part of assertions. This causes all of our CTL* formulas to be in positive normal form. This is not a significant restriction, because any other presentation of the logic can be transformed in a straightforward (and linear complexity) manner into a positive normal form presentation. 3.2 Semantics of CTL* The semantics of a CTL* formula p is defined with respect to an FDS D over the vocabulary of p. The semantics is defined inductively as follows. State formulas are interpreted over states in D. We define the notion of a CTL* formula p holding at a state s in D, denoted (D,s) = p, as follows: For an assertion p, (D,s) = p s = p For state formulas p and q, (D,s) = p q (D,s) = p or (D,s) = q (D,s) = p q (D,s) = p and (D,s) = q For a path formula p, (D,s) = Ep (D,π,j) = p for some path π runs(d) and position j 0 satisfying π[j]=s. (D,s) = Ap (D,π,j) = p for all paths π runs(d) and positions j 0 satisfying π[j]=s. The semantics of E f p and A f p are defined similarly to Ep and Ap respectively, replacing path (run) by fair path (fair runs or computations). Path formulas are interpreted over runs of D. We denote the notion of a CTL* formula p holding at position j of a run π runs(d), by (D,π,j) = p. When j =0, we use the shorthand notation (D,π) = p. The semantics of path formulas is presented in Fig. 1.

10 508 A Sound and Complete Deductive System for CTL* Verification Figure 1: Semantics of path formulas Let p be a CTL* formula. We say that p holds on D (p is D-valid), denoted D = p, if(d,s) = p, for every initial state s in D. A CTL* formula p is called satisfiable if it holds on some model. A CTL* formula is called valid if it holds on all models. We refer to a state which satisfies p as a p-state. Let p and q be CTL* formulas. We introduce the abbreviation p q for A (p q). where p q is the logical implication equivalent to p q. Thus, the formula p q holds at D if the implication p q holds at all reachable states. Let V be a set of variables and ψ be a CTL* formula over V. We denote by ψ the formula ψ in which every variable v V is replaced by the primed variable v. The restricted subset of CTL* in which each temporal operator is immediately preceded by a path quantifier is called Computation Tree Logic (CTL). A state formula whose principal operators are a pair QT (where Q is a path quantifier and T is a temporal operator) and which does not contain any additional temporal operators or path quantifiers is called a basic CTL formula. We refer to path formulas which do not contain any path quantifiers as LTL formulas. 3.3 The Verification Problem Having presented our model for systems and the specification language of CTL*, we can formulate the problem this paper intends to solve. Given a viable FDS D and a CTL* formula ϕ, our goal is to verify that ϕ is D-valid, i.e., all computations of D satisfy ϕ. With no loss of generality, we assume that formula ϕ is given in positive normal form, i.e. contains negations only as part of assertions. It is straightforward to transform an arbitrary CTL* formula ψ into a positive form CTL* formula which is equivalent to ψ over every viable FDS. 4 Temporal Testers In this section we present a construction of temporal testers [KPR98] which are central to our verification process.

11 A Sound and Complete Deductive System for CTL* Verification 509 Let ϕ be a pure path formula over vocabulary U, and let x U be a boolean variable disjoint from U. Let σ :s 0,s 1,... be an infinite sequence of states which interpret all the variables in U {x}. We say that x matches ϕ in σ if, for every position j 0, the value of x at position j is true iff (σ,j) = ϕ. An FDS T with system variables V T U {x} is defined to be a temporal tester for ϕ, ifit satisfies the following requirements: T1. The variable x matches ϕ in any computation of T. T2. For any σ an infinite sequence of U -states, there exists a computation of T which agrees with σ on the interpretation of the variables in U. That is, any infinite U -sequence can be extended into a computation of T by adding an appropriate interpretation to the variables in V T U. We can view T as a (possibly non-deterministic) transducer which incrementally reads the values of the variables U and outputs in x the current value of ϕ over the infinite sequence. In this section we will present a recipe for constructing, for each pure path formula ϕ, a temporal tester T[ϕ] (sometimes denoted T ϕ ). Temporal testers present a modular and symbolic version of the construction of a temporal tableau [LP85]. The testers we present here are an improvement on the testers introduced in [KP05]. While the testers of [KP05] may produce a system which is not deadlock free when composed with a system under observation D, the testers introduced here are guaranteed to be non-blocking. That is, for every observed deadlock-free system D and tester T ϕ, the composition D T ϕ is guaranteed to be deadlock free. 4.1 Testers for Basic Path Formulas We first present a construction of testers for the basic path formulas. These will serve as the building blocks for the construction of a tester for a general path formula. We define a tester for each of the temporal operators, U, W,,, S, and B. We refer to these tester as basic testers. The set of variables of a tester T[ϕ] for a basic path formula consists of the vocabulary of ϕ (denoted Vars(ϕ)) augmented by the variables x ϕ and Er. 2 For a future path formula ϕ, the variable x ϕ has to determine at each position j 0 whether the formula ϕ holds at this position. We can view this determination as a non-deterministic prediction, whose validity can be confirmed only at positions later than j. Consequently, the variable Er is set to 1 as soon as it is established that one of the earlier prediction was wrong. Once Er is set to 1, it remains 1 for all subsequent positions. Each tester has as one of its justice requirements the requirement Er, demanding that Er = 0 infinitely many times. Due to the one-way behavior of Er this can only happen if Er =0 continuously throughout the computation. A Tester for p The tester T[ p] for the basic path formula p is defined as follows: V : Vars(p) {x,er} : Er T[ p]: ρ : Er (x =p ) Er J : Er C : 2 In the sequel, when the context is clear we write x instead of x p and x U instead of x U(p,q).

12 510 A Sound and Complete Deductive System for CTL* Verification Consider the tester T[ p]. The core of the tests imposed by the tester is the transition relation x =p. Requiring that the value of x at position j 0 equals the value of assertion p at position j +1. Suppose we are currently at a state in which x =1 and the next observed value of p happens to be 0. A blocking tester will have no successor state compatible with p =0. In our non-blocking version, there always exists the escape option of moving to a next state in which Er =1. Once Er becomes 1, it must stay 1 for the rest of the computation. The tester contains the justice requirement Er which demands that in an acceptable computation of the tester, Er =0 infinitely many times. Due to the transition relation, this is possible only if Er = 0 continuously. Thus, while blocking testers reject an observed sequence by blocking the next transition, the non-blocking variant rejects a sequence σ by setting Er to 1 and then relying on the violation of the justice requirement Er for the rejection of σ. Claim 2 The FDS T[ p] is a temporal tester for the basic path formula p. Proof: To show that T[ p] satisfies requirement T1, let σ :s 0,s 1,... be a computation of T[ p]. From the transition relation and the justice requirement Er, it follows that Er =0 at all states in σ. Consequently, the transition relation implies that, for every j 0, s j [x ]=1 iff s j+1 = p, i.e., s j [x ]=1 iff (σ,j) = p. To prove T2, let σ :s 0,s 1,... be an infinite sequence of states over U =Vars(p). We extend σ by letting s j [Er]=0 and setting s j [x ]=1 iff s j+1 = p, for every j 0. It is not difficult to show that the extended sequence is a computation of T[ p]. A Tester for pu q The tester T[p U q] for the basic path formula p U q is given by: V : Vars(p,q) {x U,Er} : Er T[p U q]: ρ : Er (x U =(q p x )) Er U J : { x U q, Er} C : Claim 3 The FDS T[p U q] is a temporal tester for the basic path formula p U q. Proof: To show that T[p U q] satisfies requirement T1, let σ :s 0,s 1,... be a computation of T[p U q]. From the transition relation and the justice requirement Er, it follows that Er =0 at all states in σ. Consequently, the transition relation can be simplified to x U =(q p x ). U Let j 0 be any position in σ. Consider first the case that s j [x U ]=1 and we will show that (σ,j) = p U q. According to the transition relation, s j [x U ]=1 implies that either s j = q or s j = p and s j+1 = x U.Ifs j = q then (σ,j) = p U q and we are done. Otherwise, we apply the same argument to position j +1. Continuing in this manner, we either locate a k j such that s k = q and s i = p for all i, j i <k, orwehaves i = ( q p x U ) for all i j. Ifwe locate a stopping k then, obviously (σ,j) = p U q according to the semantic definition of the U operator. The other case in which both q and x U hold over all positions beyond j is impossible since it violates the justice requirement ( x U q) demanding that σ contains infinitely many positions at which either q is true or x U is false. Next, consider the case that σ is a computation of T(p U q) and (σ,j) = p U q, and we have to show that s j [x U ]=1. According to the semantic definition, there exists a k j such that s k = q and s i = p for all i, j i <k. Proceeding from k backwards all the way to j, wecan

13 A Sound and Complete Deductive System for CTL* Verification 511 show (by induction if necessary) that the simplified transition relation implies that s t = x U for all t =k,k 1,...,j. To establish requirement T2, let σ be an infinite sequence of states over U =Vars(p,q). We extend σ into σ : s 0, s 1,..., by letting s j [Er]=0 and setting s j [x ]=1 iff (σ,j) = p U q, for every j 0. We will show that σ is a computation of T(p U q). From the semantic definition of U it follows that (σ,j) = p U q iff either s j = q or s j = p and (σ,j +1) = p U q. Thus, if x U =(p U q) and Er =0 at all positions of σ, the transition relation Er (x U =(q p x )) Er holds U at all positions. To show that x U satisfies the justice requirement q x U it is enough to consider the case that σ contains only finitely many q-positions. In that case, there must exist a cutoff position c 0 such that no position beyond c satisfies q. In this case, p U q must be false at all positions beyond c. Consequently, x U is false at all positions beyond c and is therefore false at infinitely many positions. Finally, the justice requirement Er is trivially satisfied since Er = 0 at all positions. A Tester for pwq The tester T[p W q] for the basic path formula p W q is given by: V : Vars(p,q) {x W,Er} : Er T[p W q]: ρ : Er (x W =(q p x )) Er W J : {x W p, Er} C : Claim 4 The FDS T[p W q] is a temporal tester for the basic path formula p W q. Proof: To show that T[p W q] satisfies requirement T1, let σ :s 0,s 1,... be a computation of T[p W q]. From the transition relation and the justice requirement Er, it follows that Er =0 at all states in σ. Consequently, the transition relation can be simplified to x W =(q p x ). W Let j 0 be any position in σ. Consider first the case that s j [x W ]=1 and we will show that (σ,j) = p W q. According to the transition relation, s j [x W ]=1 implies that either s j = q or s j = p and s j+1 [x W ]=1. If s j = q then (σ,j) = p W q and we are done. Otherwise, we apply the same argument to position j +1. Continuing in this manner, we either locate a k j such that s k = q and s i = p for all i, j i <k, orwehaves i = (p x W ) for all i j. In both cases (σ,j) = p W q according to the semantic definition of the W operator. Next, consider the case that σ is a computation of T(p W q) and (σ,j) = p W q, and we have to show that s j [x W ]=1. According to the semantic definition, there either exists a k j such that s k = q and s i = p for all i, j i <k, ors i = p for all i j. In the first case, we can proceed from k backwards all the way down to j and show (by induction if necessary) that the simplified transition relation implies that s t = x W for all t =k,k 1,...,j. In the second case (i.e. s i = p for all i j), we use the justice requirement x W p to conclude that x W =1at infinitely many positions, in particular some position k j. Going backwards from k down to j, we again infer that s j [x W ]=1. To establish requirement T2, let σ be an infinite sequence of states over U =Vars(p,q). We extend σ into σ : s 0, s 1,..., by letting s j [Er]=0 and setting s j [x ]=1 iff (σ,j) = p W q, for every j 0. We will show that σ is a computation of T(p W q). From the semantic definition of W it follows that (σ,j) = p W q iff either s j = q or s j = p and (σ,j +1) = p W q. Thus, if x W =(p W q) and Er =0 at all positions of σ, the transition relation Er (x W =(q p x )) Er holds W at all positions. To show that x W satisfies the justice requirement x W p it is enough to

14 512 A Sound and Complete Deductive System for CTL* Verification consider the case that σ contains only finitely many p-positions. In that case, there must exist a cutoff position c 0 such that p holds at all positions beyond c. In this case, p W q must hold at all positions beyond c. Consequently, x W is true at all positions beyond c and is therefore true at infinitely many positions. Finally, the justice requirement Er is trivially satisfied since Er =0 at all positions. 4.2 Testers for Basic Past Path Formulas We now consider testers for basic path formulas whose main temporal operator is one of the past operators:,, S, and B. Unlike the future testers, these testers compute their output in the variable x ϕ based on the part of the sequence that has already been observed. Therefore, the computation is fully deterministic, and the misprediction variable Er is no longer required. Therefore, these testers do not reference the Er variable. A Tester for p The tester T[ p] for the basic path formula p is given by: V : Vars(p) {x } : x =0 T[ p]: ρ : x =p J : C : Claim 5 The FDS T[ p] is a temporal tester for the basic path formula p. Proof: To show that T[ p] satisfies requirement T1, let σ :s 0,s 1,... be a computation of T[ p]. According to the semantic definition of p this formula is always false at position 0. The initial condition x =0 guarantees that this is also the value of x at position 0. For every j >0, the transition relation guarantees that the value of x at position j matches the value of assertion p at position j 1. To establish requirement T2, let σ be an infinite sequence of states over U = Vars(p). We extend σ into σ : s 0, s 1,..., by letting s 0 [x ]=0 and, for every j >0 setting s 0 [x ]=1 iff s j 1 = p. It is not difficult to show that σ is a computation of T[ p]. A Tester for p The tester T[ p] for the basic path formula p is given by: V : Vars(p) {x } : x T[ p]: ρ : x =p J : C : Claim 6 The FDS T[ p] is a temporal tester for the basic path formula p. Proof: The proof is similar to that of Claim 5 except that the initial condition sets x 1 at the initial position. to

15 A Tester for psq A Sound and Complete Deductive System for CTL* Verification 513 The tester T[p Sq] for the basic path formula p Sq is given by: V : Vars(p) x S : x S =q T[p Sq]: ρ : x =q (p x S S ) J : C = : Claim 7 The FDS T[p Sq] is a temporal tester for the basic path formula p Sq. Proof: To show that T[p Sq] satisfies requirement T1, let σ :s 0,s 1,... be a computation of T[p Sq]. Let j 0 be any position in σ. Consider first the case that s j [x S ]=1 and we will show that (σ,j) = p Sq. According to the transition relation, s j [x S ]=1 implies that either s j = q or s j = p and s j 1 = x S.Ifs j = q then (σ,j) = p Sq and we are done. Otherwise, j >0 because if j =0, then the initial condition implies that s 0 [x S ]=1 iff s 0 = q. Therefore, if s j = q we may apply the same argument to position j 1. Continuing in this manner, we must eventually locate a k j such that s k = q and s i = p for all i, k <i j. It follows that (σ,j) = p Sq according to the semantic definition of the S operator. Next, consider the case that σ is a computation of T(p Sq) and (σ,j) = p Sq, and we have to show that s j [x S ]=1. According to the semantic definition, there exists a k j such that s k = q and s i = p for all i, k <i j. Proceeding from k all the way up to j, we can show (by induction if necessary) that the transition relation implies that s t = x S for all t =k,k +1,...,j. To establish requirement T2, let σ be an infinite sequence of states over U = Vars(p,q). We extend σ into σ : s 0, s 1,..., by setting s j [x S ]=1 iff (σ,j) = p Sq, for every j 0. It is not difficult to show that σ is a computation of T[p Sq]. A Tester for pbq The tester T[pBq] for the basic path formula pbq is given by: V : Vars(p) x B : x B =p q T[pBq]: ρ : x =q (p x B B ) J : C : Claim 8 The FDS T[pBq] is a temporal tester for the basic path formula pbq. Proof: To show that T[pBq] satisfies requirement T1, let σ :s 0,s 1,... be a computation of T[pBq]. Let j 0 be any position in σ. Consider first the case that s j [x B ]=1 and we will show that (σ,j) = pbq. According to the transition relation, s j [x B ]=1 implies that either s j = q or s j = p and s j 1 = x B.Ifs j = q or j =0 and s 0 = p then (σ,j) = pbq and we are done. Otherwise, j >0 because if j =0, then the initial condition implies that s 0 [x B ]=1 iff s 0 = p q. Therefore, if j >0 we may apply the same argument to position j 1. Continuing in this manner, we must eventually locate a k j such that either s k = q or k =0 and s k = (p q) and, in both cases, s i = p for all i, k <i j. It follows that (σ,j) = pbq according to the semantic definition of the B operator. Next, consider the case that σ is a computation of T(pBq) and (σ,j) = pbq, and we have to show that s j [x B ]=1. According to the semantic definition, there exists a k j such that either

16 514 A Sound and Complete Deductive System for CTL* Verification s k = q or k =0 and s k = (p q) where, in both cases, s i = p for all i, k <i j. Proceeding from k all the way up to j, we can show (by induction if necessary) that the transition relation implies that s t = x B for all t =k,k +1,...,j. To establish requirement T2, let σ be an infinite sequence of states over U = Vars(p,q). We extend σ into σ : s 0, s 1,..., by setting s j [x B ]=1 iff (σ,j) = pbq, for every j 0. It is not difficult to show that σ is a computation of T[pBq]. 4.3 Testers for General Pure Path Formulas Next, we present an incremental construction of a tester for a general pure path formula. First, we restrict our attention to pure path formulas whose principal operator is temporal (rather than boolean). For a pure path formula ψ, we denote by T[ψ] the temporal tester for ψ. Let f (ϕ) be a principally temporal path formula containing one or more occurrences of the basic path formula ϕ. We denote by f (x) the formula obtained from f by replacing all occurrences of ϕ by the boolean variable x. Then the construction principle is presented by the following recursive reduction formula: T[f ] = T[f (x ϕ )] T[ϕ] (1) That is, we conjoin the tester for ϕ to the recursively constructed tester for the simpler formula f (x ϕ ). We illustrate this construction on the pure path formula p for the case that p is a simple proposition (boolean variable). Application of the reduction principle leads to T[ p] = T[ x ] T[ p] Computing T[ p] and T[ x ] separately and forming their synchronous parallel composition yields the following tester whose output variable is x. V : {p,x,x,er} : Er T[ p]: ρ : ( Er (x =(p x )) Er ) ( Er (x =(x x )) Er ) J : { x p, x x, Er} C : Note that it is not necessary to allocate a separate Er variable to each of the component testers. Component testers may share a single Er variable. In fact, the transition relation of the tester T[ p] can be simplified to ρ : Er (x =(p x )) (x =(x x )) Er In general, for a principally temporal formula ψ, T[ψ]=T 1 T k, where T 1,...,T k are the temporal testers constructed for the principally temporal sub-formulas of ψ. T[ψ] contains k+1 auxiliary boolean variables, and the output variable of T[ψ] is the output variable of T 1 the last constructed tester. According to the recipe, we carry the recursive reduction described by Equation (1) until we obtain the tester T 1 which is a tester for a basic path formula. We can carry it one step

17 A Sound and Complete Deductive System for CTL* Verification 515 further and obtain an assertion which contains no further temporal operators. We refer to this assertion as the redux of the original pure path formula ψ, denoted by redux(ψ). For the case that ψ is principally temporal, redux(ψ) is the single output variable x ψ. If we apply the recursive construction Equation (1) to a pure path formula which is not principally temporal, we may obtain a more complex assertion as the resulting redux. Consider, for example, the pure path formula ψ : p q. The corresponding tester is given by: T[ψ] = T[ p] T[ q] while redux(ψ)=x x, where x and x are the output variables of T[ p] and T[ q], respectively. 4.4 Properties of Testers Since the main use of testers is their composition with the systems that they observe, it is important to establish for them the properties of non-interference and non-blocking. The problem is not completely trivial due to the fact that we intend to share a single Er variable among all the constituent testers which are incrementally conjoined to the system under observation. A deadlock-free FDS D is defined to be Er-flexible if either Er V D or 1. The variable Er is continuously false in any computation of D. 2. Every reachable state in D has a successor s such that s [Er]=1. An Er-flexible FDS D is called Er-permissive if for every two states s,s which interpret V D {Er}, such that s [Er]=1, state s is a D-successor of s. The following properties can be established: P1. Every tester T ϕ is Er-permissive. P2. If system D is Er-flexible and T ϕ is a tester, then T ϕ does not interfere with D, and D T ϕ is a (deadlock-free) Er-flexible system. Property P1 can be proven by induction on the structure of T ϕ. Property P2 establishes that temporal testers are non-interfering and non-blocking with respect to the systems they observe. 5 Symbolic Model Checking CTL* Properties In this section we present algorithms for symbolic model checking of a CTL* formula over a finite-state FDS. The variables of both the FDS and the CTL* formula are restricted to finite domains. Let D : V,,ρ,J,C be an FDS and p=p(v ) be an assertion over V. We define the pre-image of p in D to be the assertion ρ p = V :ρ(v,v ) p(v ) Every state in D satisfying ρ p has a successor satisfying p. Thus, ρ p characterizes all the predecessors of p-states.

Similar documents

PSL Model Checking and Run-time Verification via Testers

PSL Model Checking and Run-time Verification via Testers PSL Model Checking and Run-time Verification via Testers Formal Methods 2006 Aleksandr Zaks and Amir Pnueli New York University Introduction Motivation (Why PSL?) A new property specification language,

More information

Bridging the Gap Between Fair Simulation and Trace Inclusion

Bridging the Gap Between Fair Simulation and Trace Inclusion Bridging the Gap Between Fair Simulation and Trace Inclusion Yonit Kesten a Nir Piterman b,,1 Amir Pnueli b a Department of Communication Systems Engineering, Ben Gurion University, Beer-Sheva, Israel.

More information

The State Explosion Problem

The State Explosion Problem The State Explosion Problem Martin Kot August 16, 2003 1 Introduction One from main approaches to checking correctness of a concurrent system are state space methods. They are suitable for automatic analysis

More information

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras Introduction to Model Checking Debdeep Mukhopadhyay IIT Madras How good can you fight bugs? Comprising of three parts Formal Verification techniques consist of three parts: 1. A framework for modeling

More information

Linear Temporal Logic and Büchi Automata

Linear Temporal Logic and Büchi Automata Linear Temporal Logic and Büchi Automata Yih-Kuen Tsay Department of Information Management National Taiwan University FLOLAC 2009 Yih-Kuen Tsay (SVVRL @ IM.NTU) Linear Temporal Logic and Büchi Automata

More information

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège Temporal logics and explicit-state model checking Pierre Wolper Université de Liège 1 Topics to be covered Introducing explicit-state model checking Finite automata on infinite words Temporal Logics and

More information

From Liveness to Promptness

From Liveness to Promptness From Liveness to Promptness Orna Kupferman Hebrew University Nir Piterman EPFL Moshe Y. Vardi Rice University Abstract Liveness temporal properties state that something good eventually happens, e.g., every

More information

Chapter 4: Computation tree logic

Chapter 4: Computation tree logic INFOF412 Formal verification of computer systems Chapter 4: Computation tree logic Mickael Randour Formal Methods and Verification group Computer Science Department, ULB March 2017 1 CTL: a specification

More information

Temporal Logic and Fair Discrete Systems

Temporal Logic and Fair Discrete Systems Temporal Logic and Fair Discrete Systems Nir Piterman and Amir Pnueli Abstract Temporal logic was used by philosophers to reason about the way the world changes over time. Its modern use in specification

More information

Automata-Theoretic Model Checking of Reactive Systems

Automata-Theoretic Model Checking of Reactive Systems Automata-Theoretic Model Checking of Reactive Systems Radu Iosif Verimag/CNRS (Grenoble, France) Thanks to Tom Henzinger (IST, Austria), Barbara Jobstmann (CNRS, Grenoble) and Doron Peled (Bar-Ilan University,

More information

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications Shengbing Jiang and Ratnesh Kumar Abstract The paper studies failure diagnosis of discrete event systems with

More information

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either Introduction to Temporal Logic The purpose of temporal logics is to specify properties of dynamic systems. These can be either Desired properites. Often liveness properties like In every infinite run action

More information

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006 THEORY OF SYSTEMS MODELING AND ANALYSIS Henny Sipma Stanford University Master class Washington University at St Louis November 16, 2006 1 1 COURSE OUTLINE 8:37-10:00 Introduction -- Computational model

More information

Synthesis of Designs from Property Specifications

Synthesis of Designs from Property Specifications Synthesis of Designs from Property Specifications Amir Pnueli New York University and Weizmann Institute of Sciences FMCAD 06 San Jose, November, 2006 Joint work with Nir Piterman, Yaniv Sa ar, Research

More information

Characterizing Fault-Tolerant Systems by Means of Simulation Relations

Characterizing Fault-Tolerant Systems by Means of Simulation Relations Characterizing Fault-Tolerant Systems by Means of Simulation Relations TECHNICAL REPORT Ramiro Demasi 1, Pablo F. Castro 2,3, Thomas S.E. Maibaum 1, and Nazareno Aguirre 2,3 1 Department of Computing and

More information

Timo Latvala. March 7, 2004

Timo Latvala. March 7, 2004 Reactive Systems: Safety, Liveness, and Fairness Timo Latvala March 7, 2004 Reactive Systems: Safety, Liveness, and Fairness 14-1 Safety Safety properties are a very useful subclass of specifications.

More information

Chapter 6: Computation Tree Logic

Chapter 6: Computation Tree Logic Chapter 6: Computation Tree Logic Prof. Ali Movaghar Verification of Reactive Systems Outline We introduce Computation Tree Logic (CTL), a branching temporal logic for specifying system properties. A comparison

More information

Description Logics. Deduction in Propositional Logic. franconi. Enrico Franconi

Description Logics. Deduction in Propositional Logic. franconi. Enrico Franconi (1/20) Description Logics Deduction in Propositional Logic Enrico Franconi franconi@cs.man.ac.uk http://www.cs.man.ac.uk/ franconi Department of Computer Science, University of Manchester (2/20) Decision

More information

Introduction to Logic in Computer Science: Autumn 2006

Introduction to Logic in Computer Science: Autumn 2006 Introduction to Logic in Computer Science: Autumn 2006 Ulle Endriss Institute for Logic, Language and Computation University of Amsterdam Ulle Endriss 1 Plan for Today Today s class will be an introduction

More information

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Computation Tree Logic (CTL) & Basic Model Checking Algorithms Computation Tree Logic (CTL) & Basic Model Checking Algorithms Martin Fränzle Carl von Ossietzky Universität Dpt. of Computing Science Res. Grp. Hybride Systeme Oldenburg, Germany 02917: CTL & Model Checking

More information

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66 Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66 Teknillisen korkeakoulun tietojenkäsittelyteorian laboratorion tutkimusraportti 66 Espoo 2000 HUT-TCS-A66

More information

Temporal Logic Model Checking

Temporal Logic Model Checking 18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 1 Temporal Logic Model Checking Thomas Wahl Computing Laboratory, Oxford University 18 Feb, 2009 Thomas Wahl, Oxford University

More information

Alan Bundy. Automated Reasoning LTL Model Checking

Alan Bundy. Automated Reasoning LTL Model Checking Automated Reasoning LTL Model Checking Alan Bundy Lecture 9, page 1 Introduction So far we have looked at theorem proving Powerful, especially where good sets of rewrite rules or decision procedures have

More information

Automata, Logic and Games: Theory and Application

Automata, Logic and Games: Theory and Application Automata, Logic and Games: Theory and Application 1. Büchi Automata and S1S Luke Ong University of Oxford TACL Summer School University of Salerno, 14-19 June 2015 Luke Ong Büchi Automata & S1S 14-19 June

More information

PSPACE-completeness of LTL/CTL model checking

PSPACE-completeness of LTL/CTL model checking PSPACE-completeness of LTL/CTL model checking Peter Lohmann April 10, 2007 Abstract This paper will give a proof for the PSPACE-completeness of LTLsatisfiability and for the PSPACE-completeness of the

More information

Foundations of Mathematics MATH 220 FALL 2017 Lecture Notes

Foundations of Mathematics MATH 220 FALL 2017 Lecture Notes Foundations of Mathematics MATH 220 FALL 2017 Lecture Notes These notes form a brief summary of what has been covered during the lectures. All the definitions must be memorized and understood. Statements

More information

2.5.2 Basic CNF/DNF Transformation

2.5.2 Basic CNF/DNF Transformation 2.5. NORMAL FORMS 39 On the other hand, checking the unsatisfiability of CNF formulas or the validity of DNF formulas is conp-complete. For any propositional formula φ there is an equivalent formula in

More information

Lecture Notes on Inductive Definitions

Lecture Notes on Inductive Definitions Lecture Notes on Inductive Definitions 15-312: Foundations of Programming Languages Frank Pfenning Lecture 2 September 2, 2004 These supplementary notes review the notion of an inductive definition and

More information

CS 486: Applied Logic Lecture 7, February 11, Compactness. 7.1 Compactness why?

CS 486: Applied Logic Lecture 7, February 11, Compactness. 7.1 Compactness why? CS 486: Applied Logic Lecture 7, February 11, 2003 7 Compactness 7.1 Compactness why? So far, we have applied the tableau method to propositional formulas and proved that this method is sufficient and

More information

Finite-State Model Checking

Finite-State Model Checking EECS 219C: Computer-Aided Verification Intro. to Model Checking: Models and Properties Sanjit A. Seshia EECS, UC Berkeley Finite-State Model Checking G(p X q) Temporal logic q p FSM Model Checker Yes,

More information

Abstractions and Decision Procedures for Effective Software Model Checking

Abstractions and Decision Procedures for Effective Software Model Checking Abstractions and Decision Procedures for Effective Software Model Checking Prof. Natasha Sharygina The University of Lugano, Carnegie Mellon University Microsoft Summer School, Moscow, July 2011 Lecture

More information

A Hierarchy for Accellera s Property Specification Language

A Hierarchy for Accellera s Property Specification Language A Hierarchy for Accellera s Property Specification Language Thomas Türk May 1st, 2005 Diploma Thesis University of Kaiserslautern Supervisor: Prof. Dr. Klaus Schneider Vorliegende Diplomarbeit wurde von

More information

Lecture Notes on Inductive Definitions

Lecture Notes on Inductive Definitions Lecture Notes on Inductive Definitions 15-312: Foundations of Programming Languages Frank Pfenning Lecture 2 August 28, 2003 These supplementary notes review the notion of an inductive definition and give

More information

First-order resolution for CTL

First-order resolution for CTL First-order resolution for Lan Zhang, Ullrich Hustadt and Clare Dixon Department of Computer Science, University of Liverpool Liverpool, L69 3BX, UK {Lan.Zhang, U.Hustadt, CLDixon}@liverpool.ac.uk Abstract

More information

Chapter 5: Linear Temporal Logic

Chapter 5: Linear Temporal Logic Chapter 5: Linear Temporal Logic Prof. Ali Movaghar Verification of Reactive Systems Spring 94 Outline We introduce linear temporal logic (LTL), a logical formalism that is suited for specifying LT properties.

More information

Automatic Synthesis of Distributed Protocols

Automatic Synthesis of Distributed Protocols Automatic Synthesis of Distributed Protocols Rajeev Alur Stavros Tripakis 1 Introduction Protocols for coordination among concurrent processes are an essential component of modern multiprocessor and distributed

More information

Model for reactive systems/software

Model for reactive systems/software Temporal Logics CS 5219 Abhik Roychoudhury National University of Singapore The big picture Software/ Sys. to be built (Dream) Properties to Satisfy (caution) Today s lecture System Model (Rough Idea)

More information

Model Checking: An Introduction

Model Checking: An Introduction Model Checking: An Introduction Meeting 3, CSCI 5535, Spring 2013 Announcements Homework 0 ( Preliminaries ) out, due Friday Saturday This Week Dive into research motivating CSCI 5535 Next Week Begin foundations

More information

Chapter 3 Deterministic planning

Chapter 3 Deterministic planning Chapter 3 Deterministic planning In this chapter we describe a number of algorithms for solving the historically most important and most basic type of planning problem. Two rather strong simplifying assumptions

More information

Verifying Temporal Properties of Reactive Systems: A STeP Tutorial *

Verifying Temporal Properties of Reactive Systems: A STeP Tutorial * Formal Methods in System Design, 16, 1 45 (2000) c 2000 Kluwer Academic Publishers, Boston. Manufactured in The Netherlands. Verifying Temporal Properties of Reactive Systems: A STeP Tutorial * NIKOLAJ

More information

Abstraction for Falsification

Abstraction for Falsification Abstraction for Falsification Thomas Ball 1, Orna Kupferman 2, and Greta Yorsh 3 1 Microsoft Research, Redmond, WA, USA. Email: tball@microsoft.com, URL: research.microsoft.com/ tball 2 Hebrew University,

More information

Overview. overview / 357

Overview. overview / 357 Overview overview6.1 Introduction Modelling parallel systems Linear Time Properties Regular Properties Linear Temporal Logic (LTL) Computation Tree Logic syntax and semantics of CTL expressiveness of CTL

More information

CONTENTS. Appendix C: Gothic Alphabet 109

CONTENTS. Appendix C: Gothic Alphabet 109 Contents 1 Sentential Logic 1 1.1 Introduction............................ 1 1.2 Sentences of Sentential Logic................... 2 1.3 Truth Assignments........................ 7 1.4 Logical Consequence.......................

More information

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure Outline Temporal Logic Ralf Huuck Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness Model Checking Problem model, program? M φ satisfies, Implements, refines property, specification

More information

Topics in Verification AZADEH FARZAN FALL 2017

Topics in Verification AZADEH FARZAN FALL 2017 Topics in Verification AZADEH FARZAN FALL 2017 Last time LTL Syntax ϕ ::= true a ϕ 1 ϕ 2 ϕ ϕ ϕ 1 U ϕ 2 a AP. ϕ def = trueu ϕ ϕ def = ϕ g intuitive meaning of and is obt Limitations of LTL pay pay τ τ soda

More information

CS256/Winter 2009 Lecture #1. Zohar Manna. Instructor: Zohar Manna Office hours: by appointment

CS256/Winter 2009 Lecture #1. Zohar Manna. Instructor: Zohar Manna Office hours: by appointment CS256/Winter 2009 Lecture #1 Zohar Manna FORMAL METHODS FOR REACTIVE SYSTEMS Instructor: Zohar Manna Email: manna@cs.stanford.edu Office hours: by appointment TA: Boyu Wang Email: wangboyu@stanford.edu

More information

Computer-Aided Program Design

Computer-Aided Program Design Computer-Aided Program Design Spring 2015, Rice University Unit 3 Swarat Chaudhuri February 5, 2015 Temporal logic Propositional logic is a good language for describing properties of program states. However,

More information

Computation Tree Logic

Computation Tree Logic Computation Tree Logic Hao Zheng Department of Computer Science and Engineering University of South Florida Tampa, FL 33620 Email: zheng@cse.usf.edu Phone: (813)974-4757 Fax: (813)974-5456 Hao Zheng (CSE,

More information

Notes. Corneliu Popeea. May 3, 2013

Notes. Corneliu Popeea. May 3, 2013 Notes Corneliu Popeea May 3, 2013 1 Propositional logic Syntax We rely on a set of atomic propositions, AP, containing atoms like p, q. A propositional logic formula φ Formula is then defined by the following

More information

An Introduction to Temporal Logics

An Introduction to Temporal Logics An Introduction to Temporal Logics c 2001,2004 M. Lawford Outline Motivation: Dining Philosophers Safety, Liveness, Fairness & Justice Kripke structures, LTS, SELTS, and Paths Linear Temporal Logic Branching

More information

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct. EE 244: Fundamental Algorithms for System Modeling, Analysis, and Optimization Fall 2016 Temporal logic Stavros Tripakis University of California, Berkeley Stavros Tripakis (UC Berkeley) EE 244, Fall 2016

More information

Model checking the basic modalities of CTL with Description Logic

Model checking the basic modalities of CTL with Description Logic Model checking the basic modalities of CTL with Description Logic Shoham Ben-David Richard Trefler Grant Weddell David R. Cheriton School of Computer Science University of Waterloo Abstract. Model checking

More information

Peano Arithmetic. CSC 438F/2404F Notes (S. Cook) Fall, Goals Now

Peano Arithmetic. CSC 438F/2404F Notes (S. Cook) Fall, Goals Now CSC 438F/2404F Notes (S. Cook) Fall, 2008 Peano Arithmetic Goals Now 1) We will introduce a standard set of axioms for the language L A. The theory generated by these axioms is denoted PA and called Peano

More information

Computer Science and State Machines

Computer Science and State Machines Computer Science and State Machines Leslie Lamport 8 June 2008 minor correction on 13 January 2018 Contribution to a Festschrift honoring Willem-Paul de Roever on his retirement. Computation Computer science

More information

Linear-time Temporal Logic

Linear-time Temporal Logic Linear-time Temporal Logic Pedro Cabalar Department of Computer Science University of Corunna, SPAIN cabalar@udc.es 2015/2016 P. Cabalar ( Department Linear oftemporal Computer Logic Science University

More information

Model Checking Algorithms

Model Checking Algorithms Model Checking Algorithms Bow-Yaw Wang Institute of Information Science Academia Sinica, Taiwan November 14, 2018 Bow-Yaw Wang (Academia Sinica) Model Checking Algorithms November 14, 2018 1 / 56 Outline

More information

Goal specification using temporal logic in presence of non-deterministic actions

Goal specification using temporal logic in presence of non-deterministic actions Goal specification using temporal logic in presence of non-deterministic actions Chitta Baral Matt Barry Department of Computer Sc. and Engg. Advance Tech Development Lab Arizona State University United

More information

Revising Distributed UNITY Programs is NP-Complete

Revising Distributed UNITY Programs is NP-Complete Revising Distributed UNITY Programs is NP-Complete Borzoo Bonakdarpour and Sandeep S. Kulkarni Department of Computer Science and Engineering Michigan State University East Lansing, MI 48824, U.S.A. {borzoo,sandeep}@cse.msu.edu

More information

Syntax. Notation Throughout, and when not otherwise said, we assume a vocabulary V = C F P.

Syntax. Notation Throughout, and when not otherwise said, we assume a vocabulary V = C F P. First-Order Logic Syntax The alphabet of a first-order language is organised into the following categories. Logical connectives:,,,,, and. Auxiliary symbols:.,,, ( and ). Variables: we assume a countable

More information

Temporal Logic of Actions

Temporal Logic of Actions Advanced Topics in Distributed Computing Dominik Grewe Saarland University March 20, 2008 Outline Basic Concepts Transition Systems Temporal Operators Fairness Introduction Definitions Example TLC - A

More information

The TLA + proof system

The TLA + proof system The TLA + proof system Stephan Merz Kaustuv Chaudhuri, Damien Doligez, Leslie Lamport INRIA Nancy & INRIA-MSR Joint Centre, France Amir Pnueli Memorial Symposium New York University, May 8, 2010 Stephan

More information

KRIPKE S THEORY OF TRUTH 1. INTRODUCTION

KRIPKE S THEORY OF TRUTH 1. INTRODUCTION KRIPKE S THEORY OF TRUTH RICHARD G HECK, JR 1. INTRODUCTION The purpose of this note is to give a simple, easily accessible proof of the existence of the minimal fixed point, and of various maximal fixed

More information

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking Temporal & Modal Logic E. Allen Emerson Presenter: Aly Farahat 2/12/2009 CS5090 1 Acronyms TL: Temporal Logic BTL: Branching-time Logic LTL: Linear-Time Logic CTL: Computation Tree Logic PLTL: Propositional

More information

KE/Tableaux. What is it for?

KE/Tableaux. What is it for? CS3UR: utomated Reasoning 2002 The term Tableaux refers to a family of deduction methods for different logics. We start by introducing one of them: non-free-variable KE for classical FOL What is it for?

More information

Classical Propositional Logic

Classical Propositional Logic The Language of A Henkin-style Proof for Natural Deduction January 16, 2013 The Language of A Henkin-style Proof for Natural Deduction Logic Logic is the science of inference. Given a body of information,

More information

Computation Tree Logic

Computation Tree Logic Chapter 6 Computation Tree Logic Pnueli [88] has introduced linear temporal logic to the computer science community for the specification and verification of reactive systems. In Chapter 3 we have treated

More information

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics CS256/Spring 2008 Lecture #11 Zohar Manna Beyond Temporal Logics Temporal logic expresses properties of infinite sequences of states, but there are interesting properties that cannot be expressed, e.g.,

More information

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the Sérgio Campos, Edmund Why? Advantages: No proofs Fast Counter-examples No problem with partial specifications can easily express many concurrency properties Main Disadvantage: State Explosion Problem Too

More information

Shape Analysis by Augmentation, Abstraction, and Transformation

Shape Analysis by Augmentation, Abstraction, and Transformation Shape Analysis by Augmentation, Abstraction, and Transformation by Ittai Balaban A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy Department of

More information

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for? Computer Engineering and Networks Overview Discrete Event Systems Verification of Finite Automata Lothar Thiele Introduction Binary Decision Diagrams Representation of Boolean Functions Comparing two circuits

More information

ESE601: Hybrid Systems. Introduction to verification

ESE601: Hybrid Systems. Introduction to verification ESE601: Hybrid Systems Introduction to verification Spring 2006 Suggested reading material Papers (R14) - (R16) on the website. The book Model checking by Clarke, Grumberg and Peled. What is verification?

More information

Expressive number restrictions in Description Logics

Expressive number restrictions in Description Logics Expressive number restrictions in Description Logics Franz Baader and Ulrike Sattler August 12, 1999 Abstract Number restrictions are concept constructors that are available in almost all implemented Description

More information

CS156: The Calculus of Computation

CS156: The Calculus of Computation CS156: The Calculus of Computation Zohar Manna Winter 2010 It is reasonable to hope that the relationship between computation and mathematical logic will be as fruitful in the next century as that between

More information

Module 7 D and Equivalent Systems

Module 7 D and Equivalent Systems Module 7 D and Equivalent Systems G J Mattey May 2, 2007 Contents 1 he Semantical System DI 1 2 he Derivational System DD 4 3 he Axiom System D 6 4 Applications of the D-Systems 6 In this and subsequent

More information

The priority promotion approach to parity games

The priority promotion approach to parity games The priority promotion approach to parity games Massimo Benerecetti 1, Daniele Dell Erba 1, and Fabio Mogavero 2 1 Università degli Studi di Napoli Federico II 2 Università degli Studi di Verona Abstract.

More information

Propositional Logic: Syntax

Propositional Logic: Syntax Logic Logic is a tool for formalizing reasoning. There are lots of different logics: probabilistic logic: for reasoning about probability temporal logic: for reasoning about time (and programs) epistemic

More information

A MODEL-THEORETIC PROOF OF HILBERT S NULLSTELLENSATZ

A MODEL-THEORETIC PROOF OF HILBERT S NULLSTELLENSATZ A MODEL-THEORETIC PROOF OF HILBERT S NULLSTELLENSATZ NICOLAS FORD Abstract. The goal of this paper is to present a proof of the Nullstellensatz using tools from a branch of logic called model theory. In

More information

Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication

Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication Stavros Tripakis Abstract We introduce problems of decentralized control with communication, where we explicitly

More information

CHAPTER 10. Gentzen Style Proof Systems for Classical Logic

CHAPTER 10. Gentzen Style Proof Systems for Classical Logic CHAPTER 10 Gentzen Style Proof Systems for Classical Logic Hilbert style systems are easy to define and admit a simple proof of the Completeness Theorem but they are difficult to use. By humans, not mentioning

More information

AI Programming CS S-09 Knowledge Representation

AI Programming CS S-09 Knowledge Representation AI Programming CS662-2013S-09 Knowledge Representation David Galles Department of Computer Science University of San Francisco 09-0: Overview So far, we ve talked about search, which is a means of considering

More information

Revising UNITY Programs: Possibilities and Limitations 1

Revising UNITY Programs: Possibilities and Limitations 1 Revising UNITY Programs: Possibilities and Limitations 1 Ali Ebnenasir, Sandeep S. Kulkarni, and Borzoo Bonakdarpour Software Engineering and Network Systems Laboratory Department of Computer Science and

More information

Timo Latvala. February 4, 2004

Timo Latvala. February 4, 2004 Reactive Systems: Temporal Logic LT L Timo Latvala February 4, 2004 Reactive Systems: Temporal Logic LT L 8-1 Temporal Logics Temporal logics are currently the most widely used specification formalism

More information

CTL-RP: A Computational Tree Logic Resolution Prover

CTL-RP: A Computational Tree Logic Resolution Prover 1 -RP: A Computational Tree Logic Resolution Prover Lan Zhang a,, Ullrich Hustadt a and Clare Dixon a a Department of Computer Science, University of Liverpool Liverpool, L69 3BX, UK E-mail: {Lan.Zhang,

More information

Mathematics 114L Spring 2018 D.A. Martin. Mathematical Logic

Mathematics 114L Spring 2018 D.A. Martin. Mathematical Logic Mathematics 114L Spring 2018 D.A. Martin Mathematical Logic 1 First-Order Languages. Symbols. All first-order languages we consider will have the following symbols: (i) variables v 1, v 2, v 3,... ; (ii)

More information

LTL with Arithmetic and its Applications in Reasoning about Hierarchical Systems

LTL with Arithmetic and its Applications in Reasoning about Hierarchical Systems This space is reserved for the EPiC Series header, do not use it LTL with Arithmetic and its Applications in Reasoning about Hierarchical Systems Rachel Faran and Orna Kupferman The Hebrew University,

More information

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic Model Checking (I) SMV the Symbolic Model Verifier Example: the alternating bit protocol LTL Linear Time temporal Logic CTL Fixed Points Correctness Slide 1 SMV - Symbolic Model Verifier SMV - Symbolic

More information

Complexity Theory VU , SS The Polynomial Hierarchy. Reinhard Pichler

Complexity Theory VU , SS The Polynomial Hierarchy. Reinhard Pichler Complexity Theory Complexity Theory VU 181.142, SS 2018 6. The Polynomial Hierarchy Reinhard Pichler Institut für Informationssysteme Arbeitsbereich DBAI Technische Universität Wien 15 May, 2018 Reinhard

More information

Outline. Complexity Theory EXACT TSP. The Class DP. Definition. Problem EXACT TSP. Complexity of EXACT TSP. Proposition VU 181.

Outline. Complexity Theory EXACT TSP. The Class DP. Definition. Problem EXACT TSP. Complexity of EXACT TSP. Proposition VU 181. Complexity Theory Complexity Theory Outline Complexity Theory VU 181.142, SS 2018 6. The Polynomial Hierarchy Reinhard Pichler Institut für Informationssysteme Arbeitsbereich DBAI Technische Universität

More information

Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago

Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago Model-Checking Concurrent PGM Temporal SPEC Model Checker Yes/No Counter Example Approach Build the global state graph Algorithm

More information

Conjunction: p q is true if both p, q are true, and false if at least one of p, q is false. The truth table for conjunction is as follows.

Conjunction: p q is true if both p, q are true, and false if at least one of p, q is false. The truth table for conjunction is as follows. Chapter 1 Logic 1.1 Introduction and Definitions Definitions. A sentence (statement, proposition) is an utterance (that is, a string of characters) which is either true (T) or false (F). A predicate is

More information

Preliminaries. Introduction to EF-games. Inexpressivity results for first-order logic. Normal forms for first-order logic

Preliminaries. Introduction to EF-games. Inexpressivity results for first-order logic. Normal forms for first-order logic Introduction to EF-games Inexpressivity results for first-order logic Normal forms for first-order logic Algorithms and complexity for specific classes of structures General complexity bounds Preliminaries

More information

Dipartimento di Scienze dell Informazione

Dipartimento di Scienze dell Informazione UNIVERSITÀ DEGLI STUDI DI MILANO Dipartimento di Scienze dell Informazione RAPPORTO INTERNO N 313-07 Combination Methods for Satisfiability and Model-Checking of Infinite-State Systems Silvio Ghilardi,

More information

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking CTL Model checking Assumptions:. finite number of processes, each having a finite number of finite-valued variables.. finite length of CTL formula Problem:Determine whether formula f 0 is true in a finite

More information

Implementing Proof Systems for the Intuitionistic Propositional Logic

Implementing Proof Systems for the Intuitionistic Propositional Logic Implementing Proof Systems for the Intuitionistic Propositional Logic Veronica Zammit Supervisor: Dr. Adrian Francalanza Faculty of ICT University of Malta May 27, 2011 Submitted in partial fulfillment

More information

3. Only sequences that were formed by using finitely many applications of rules 1 and 2, are propositional formulas.

3. Only sequences that were formed by using finitely many applications of rules 1 and 2, are propositional formulas. 1 Chapter 1 Propositional Logic Mathematical logic studies correct thinking, correct deductions of statements from other statements. Let us make it more precise. A fundamental property of a statement is

More information

CS1021. Why logic? Logic about inference or argument. Start from assumptions or axioms. Make deductions according to rules of reasoning.

CS1021. Why logic? Logic about inference or argument. Start from assumptions or axioms. Make deductions according to rules of reasoning. 3: Logic Why logic? Logic about inference or argument Start from assumptions or axioms Make deductions according to rules of reasoning Logic 3-1 Why logic? (continued) If I don t buy a lottery ticket on

More information

Axiomatic set theory. Chapter Why axiomatic set theory?

Axiomatic set theory. Chapter Why axiomatic set theory? Chapter 1 Axiomatic set theory 1.1 Why axiomatic set theory? Essentially all mathematical theories deal with sets in one way or another. In most cases, however, the use of set theory is limited to its

More information

T Reactive Systems: Temporal Logic LTL

T Reactive Systems: Temporal Logic LTL Tik-79.186 Reactive Systems 1 T-79.186 Reactive Systems: Temporal Logic LTL Spring 2005, Lecture 4 January 31, 2005 Tik-79.186 Reactive Systems 2 Temporal Logics Temporal logics are currently the most

More information

Proving Completeness for Nested Sequent Calculi 1

Proving Completeness for Nested Sequent Calculi 1 Proving Completeness for Nested Sequent Calculi 1 Melvin Fitting abstract. Proving the completeness of classical propositional logic by using maximal consistent sets is perhaps the most common method there

More information

Petri nets. s 1 s 2. s 3 s 4. directed arcs.

Petri nets. s 1 s 2. s 3 s 4. directed arcs. Petri nets Petri nets Petri nets are a basic model of parallel and distributed systems (named after Carl Adam Petri). The basic idea is to describe state changes in a system with transitions. @ @R s 1

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback