Linear Temporal Logic (LTL)

Similar documents
Temporal Logic and Model Checking

Computation Tree Logic (CTL)

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Model for reactive systems/software

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

T Reactive Systems: Temporal Logic LTL

Timo Latvala. February 4, 2004

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Lecture 16: Computation Tree Logic (CTL)

Computation Tree Logic

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Temporal Logic Model Checking

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

Verification Using Temporal Logic

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Model Checking with CTL. Presented by Jason Simas

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Theorem Proving beyond Deduction

Model Checking Algorithms

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Linear Temporal Logic (LTL)

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

Modal and Temporal Logics

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Alan Bundy. Automated Reasoning LTL Model Checking

Chapter 4: Computation tree logic

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Decision Procedures for CTL

Principles. Model (System Requirements) Answer: Model Checker. Specification (System Property) Yes, if the model satisfies the specification

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Syntax of propositional logic. Syntax tree of a formula. Semantics of propositional logic (I) Subformulas

Thorough Checking Revisited

Computation Tree Logic (CTL)

Syntax and Semantics of Propositional Linear Temporal Logic

From Liveness to Promptness

An Introduction to Temporal Logics

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

MODEL CHECKING. Arie Gurfinkel

LTL and CTL. Lecture Notes by Dhananjay Raju

Finite-State Model Checking

Model-Checking Games: from CTL to ATL

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

Reasoning about Time and Reliability

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

Propositional Logic: Part II - Syntax & Proofs 0-0

A Hierarchy for Accellera s Property Specification Language

Computation Tree Logic

Model Checking: An Introduction

Overview. overview / 357

Model checking (III)

PSL Model Checking and Run-time Verification via Testers

INTRODUCTION TO LOGIC. Propositional Logic. Examples of syntactic claims

Timed Automata. Chapter Clocks and clock constraints Clock variables and clock constraints

LTL with Arithmetic and its Applications in Reasoning about Hierarchical Systems

22c:145 Artificial Intelligence

ESE601: Hybrid Systems. Introduction to verification

Homework 2: Temporal logic

PSPACE-completeness of LTL/CTL model checking

Topics in Verification AZADEH FARZAN FALL 2017

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

Propositional Logic: Models and Proofs

A brief introduction to Logic. (slides from

Automata and Reactive Systems

Formal Verification. Lecture 1: Introduction to Model Checking and Temporal Logic¹

QBF Encoding of Temporal Properties and QBF-based Verification

Natural Deduction for Propositional Logic

Chapter 6: Computation Tree Logic

COMP219: Artificial Intelligence. Lecture 19: Logic for KR

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Chapter 5: Linear Temporal Logic

Theoretical Foundations of the UML

Comp487/587 - Boolean Formulas

Characterizing Fault-Tolerant Systems by Means of Simulation Relations

CS357: CTL Model Checking (two lectures worth) David Dill

Computer-Aided Program Design

3. Temporal Logics and Model Checking

Tecniche di Verifica. Introduction to Propositional Logic

First-order resolution for CTL

The research thesis was done under the supervision of Prof. Orna Grumberg, in the Faculty of Computer Science, the Technion - Israel Institute of Tech

Chapter 4: Classical Propositional Semantics

A logical framework to deal with variability

Logic: Propositional Logic (Part I)

Multi-Valued Symbolic Model-Checking

Reducing CTL-live Model Checking to Semantic Entailment in First-Order Logic (Version 1)

Algorithms for Model Checking (2IW55)

Description Logics. Foundations of Propositional Logic. franconi. Enrico Franconi

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

Automata theory. An algorithmic approach. Lecture Notes. Javier Esparza

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

Comparing LTL Semantics for Runtime Verification

Linear Temporal Logic and Büchi Automata

Logic. Propositional Logic: Syntax

Systems Verification. Alessandro Abate. Day 1 January 25, 2016

COMP219: Artificial Intelligence. Lecture 19: Logic for KR

Alternating-Time Temporal Logic

Model checking the basic modalities of CTL with Description Logic

Transcription:

Linear Temporal Logic (LTL) Grammar of well formed formulae (wff) φ φ ::= p (Atomic formula: p AP) φ (Negation) φ 1 φ 2 (Disjunction) Xφ (successor) Fφ (sometimes) Gφ (always) [φ 1 U φ 2 ] (Until) Details differ from Prior s tense logic but similar ideas Semantics define when φ true in model M where M = (S, S0, R, L) a Kripke structure notation: M = φ means φ true in model M model checking algorithms compute this (when decidable) Mike Gordon 46 / 128

M = φ means wff φ is true in model M If M = (S, S 0, R, L) then π is an M-path starting from s iff Path R s π If M = (S, S 0, R, L) then we define M = φ to mean: φ is true on all M-paths starting from a member of S 0 We will define [[φ]] M (π) to mean φ is true on the M-path π Thus M = φ will be formally defined by: M = φ π s. s S 0 Path R s π [[φ]] M (π) It remains to actually define [[φ]] M for all wffs φ Mike Gordon 47 / 128

Definition of [[φ]] M (π) [[φ]] M (π) is the application of function [[φ]] M to path π thus [[φ]]m : (N S) B Let M = (S, S 0, R, L) [[φ]] M is defined by structural induction on φ [[p]] M (π) = p L(π 0) [[ φ]] M (π) = ([[φ]] M (π)) [[φ 1 φ 2 ]] M (π) = [[φ 1 ]] M (π) [[φ 2 ]] M (π) [[Xφ]] M (π) = [[φ]] M (π 1) [[Fφ]] M (π) = i. [[φ]] M (π i) [[Gφ]] M (π) = i. [[φ]] M (π i) [[[φ 1 U φ 2 ]]] M (π) = i. [[φ 2 ]] M (π i) j. j<i [[φ 1 ]] M (π j) We look at each of these semantic equations in turn Mike Gordon 48 / 128

[[p]] M (π) = p(π 0) Assume M = (S, S 0, R, L) We have: [[p]] M (π) = p L(π 0) p is an atomic property, i.e. p AP π : N S so π 0 S π 0 is the first state in path π p L(π 0) is true iff atomic property p holds of state π 0 [[p]] M (π) means p holds of the first state in path π T,F AP witht L(s) andf / L(s) for all s S [[T]]M (π) is always true [[F]]M (π) is always false Mike Gordon 49 / 128

[[ φ]] M (π) = ([[φ]] M (π)) [[φ 1 φ 2 ]] M (π) = [[φ 1 ]] M (π) [[φ 2 ]] M (π) [[ φ]] M (π) = ([[φ]] M (π)) [[ φ]]m (π) true iff [[φ]] M (π) is not true [[φ 1 φ 2 ]] M (π) = [[φ 1 ]] M (π) [[φ 2 ]] M (π) [[φ1 φ 2 ]] M (π) true iff [[φ 1 ]] M (π) is true or [[φ 2 ]] M (π) is true Mike Gordon 50 / 128

[[Xφ]] M (π) = [[φ]] M (π 1) [[Xφ]] M (π) = [[φ]] M (π 1) π 1 is π with the first state chopped off π 1(0) = π(1+0) = π(1) π 1(1) = π(1+1) = π(2) π 1(2) = π(1+2) = π(3). [[Xφ]] M (π) true iff [[φ]] M true starting at the second state ofπ Mike Gordon 51 / 128

[[Fφ]] M (π) = i. [[φ]] M (π i) [[Fφ]] M (π) = i. [[φ]] M (π i) π i is π with the first i states chopped off π i(0) = π(i + 0) = π(i) π i(1) = π(i + 1) π i(2) = π(i + 2). [[φ]]m (π i) true iff [[φ]] M true starting i states along π [[Fφ]] M (π) true iff [[φ]] M true starting somewhere along π Fφ is read as sometimes φ Mike Gordon 52 / 128

[[Gφ]] M (π) = i. [[φ]] M (π i) [[Gφ]] M (π) = i. [[φ]] M (π i) π i is π with the first i states chopped off [[φ]]m (π i) true iff [[φ]] M true starting i states along π [[Gφ]] M (π) true iff [[φ]] M true starting anywhere along π Gφ is read as always φ or globally φ M = AGp defined earlier: M = AGp M = G(p) G is definable in terms of F and : Gφ = (F( φ)) [[ (F( φ))]] M (π) = ([[F( φ)]] M (π)) = ( i. [[ φ]] M (π i)) = ( i. ([[φ]] M (π i))) = i. [[φ]] M (π i) = [[Gφ]] M (π) Mike Gordon 53 / 128

[[[φ 1 U φ 2 ]]] M (π) = i. [[φ 2 ]] M (π i) j. j<i [[φ 1 ]] M (π j) [[[φ 1 U φ 2 ]]] M (π) = i. [[φ 2 ]] M (π i) j. j<i [[φ 1 ]] M (π j) [[φ2 ]] M (π i) true iff [[φ 2 ]] M true starting i states along π [[φ1 ]] M (π j) true iff [[φ 1 ]] M true starting j states along π [[[φ 1 U φ 2 ]]] M (π) is true iff [[φ 2 ]] M is true somewhere alongπ and up to then[[φ 1 ]] M is true [φ 1 U φ 2 ] is read as φ 1 until φ 2 F is definable in terms of [ U ]: Fφ = [T U φ] [[[T U φ]]] M (π) = i. [[φ]] M (π i) j. j<i [[T]] M (π j) = i. [[φ]] M (π i) j. j<i true = i. [[φ]] M (π i) true = i. [[φ]] M (π i) = [[Fφ]] M (π) Mike Gordon 54 / 128

Review of Linear Temporal Logic (LTL) Grammar of well formed formulae (wff) φ φ ::= p (Atomic formula: p AP) φ (Negation) φ 1 φ 2 (Disjunction) Xφ (successor) Fφ (sometimes) Gφ (always) [φ 1 U φ 2 ] (Until) M = φ means φ holds on all M-paths M = (S, S0, R, L) [[φ]]m (π) means φ is true on the M-path π M = φ π s. s S0 Path R s π [[φ]] M (π) Mike Gordon 55 / 128

LTL examples DeviceEnabled holds infinitely often along every path G(FDeviceEnabled) Eventually the state becomes permanentlydone F(GDone) EveryReq is followed by anack G(Req FAck) Number ofreq andack may differ - no counting IfEnabled infinitely often thenrunning infinitely often G(FEnabled) G(FRunning) An upward going lift at the second floor keeps going up if a passenger requests the fifth floor G(AtFloor2 DirectionUp RequestFloor5 [DirectionUp U AtFloor5]) Mike Gordon (acknowledgement: http://pswlab.kaist.ac.kr/courses/cs402-2011/temporal-logic2.pdf) 56 / 128

A property not expressible in LTL Let AP = {P} and consider models M and M below M P P M P s 0 s 1 s 0 M = ({s 0, s 1 },{s 0 },{(s 0, s 0 ),(s 0, s 1 ),(s 1, s 1 )}, L) M = ({s 0 },{s 0 },{(s 0, s 0 )}, L) where: L = λs. if s = s 0 then {} else {P} Every M -path is also an M-path So if φ true on every M-path then φ true on every M -path Hence in LTL for any φ if M = φ then M = φ Consider φ P can always reach a state satisfyingp φp holds in M but not in M but in LTL can t have M = φp and not M = φ P hence φ P not expressible in LTL Mike Gordon (acknowledgement: Logic in Computer Science, Huth & Ryan (2nd Ed.) page 219, ISBN 0 521 54310 X) 57 / 128

LTL expressibility can always reach a state satisfyingp In LTL M = φ says φ holds of all paths of M LTL formulae φ are evaluated on paths.... path formulae Want to say that from any state there exists a path to some state satisfying p s. π. Path R s π i. p L(π(i)) but this isn t expressible in LTL (see slide 57) CTL properties are evaluated at a state... state formulae they can talk about both some or all paths starting from the state they are evaluated at Mike Gordon 58 / 128

Computation Tree Logic (CTL) LTL formulae φ are evaluated on paths.... path formulae CTL formulae ψ are evaluated on states.. state formulae Syntax of CTL well-formed formulae: ψ ::= p (Atomic formula p AP) ψ (Negation) ψ 1 ψ 2 (Conjunction) ψ 1 ψ 2 (Disjunction) ψ 1 ψ 2 (Implication) AXψ (All successors) EXψ (Some successors) A[ψ 1 U ψ 2 ] (Until along all paths) E[ψ 1 U ψ 2 ] (Until along some path) Mike Gordon 59 / 128

Semantics of CTL Assume M = (S, S 0, R, L) and then define: [[p]] M (s) [[ ψ]] M (s) [[ψ 1 ψ 2 ]] M (s) [[ψ 1 ψ 2 ]] M (s) [[ψ 1 ψ 2 ]] M (s) = p L(s) = ([[ψ]] M (s)) = [[ψ 1 ]] M (s) [[ψ 2 ]] M (s) = [[ψ 1 ]] M (s) [[ψ 2 ]] M (s) = [[ψ 1 ]] M (s) [[ψ 2 ]] M (s) [[AXψ]] M (s) = s. R s s [[ψ]] M (s ) [[EXψ]] M (s) = s. R s s [[ψ]] M (s ) [[A[ψ 1 U ψ 2 ]]] M (s) = π. Path R s π i. [[ψ 2 ]] M (π(i)) j. j<i [[ψ 1 ]] M (π(j)) [[E[ψ 1 U ψ 2 ]]] M (s) = π. Path R s π i. [[ψ 2 ]] M (π(i)) j. j<i [[ψ 1 ]] M (π(j)) Mike Gordon 60 / 128

The defined operator AF Define AFψ = A[T U ψ] AFψ true at s iffψ true somewhere on every R-path from s [[AFψ]] M (s) = [[A[T U ψ]]] M (s) = π. Path R s π i. [[ψ]] M (π(i)) j. j < i [[T]] M (π(j)) = π. Path R s π i. [[ψ]] M (π(i)) j. j < i true = π. Path R s π i. [[ψ]] M (π(i)) Mike Gordon 61 / 128

The defined operator EF Define EFψ = E[T U ψ] EFψ true at s iffψ true somewhere on some R-path from s [[EFψ]] M (s) = [[E[T U ψ]]] M (s) = π. Path R s π i. [[ψ]] M (π(i)) j. j < i [[T]] M (π(j)) = π. Path R s π i. [[ψ]] M (π(i)) j. j < i true = π. Path R s π i. [[ψ]] M (π(i)) can reach a state satisfying p is EF p Mike Gordon 62 / 128

The defined operator AG Define AGψ = EF( ψ) AGψ true at s iffψ true everywhere on every R-path from s [[AGψ]] M (s) = [[ EF( ψ)]] M (s) = ([[EF( ψ)]] M (s)) = ( π. Path R s π i. [[ ψ]] M (π(i))) = ( π. Path R s π i. [[ψ]] M (π(i))) = π. (Path R s π i. [[ψ]] M (π(i))) = π. Path R s π ( i. [[ψ]] M (π(i))) = π. Path R s π i. [[ψ]] M (π(i)) = π. Path R s π i. [[ψ]] M (π(i)) = π. Path R s π i. [[ψ]] M (π(i)) AGψ means ψ true at all reachable states [[AG(p)]] M (s) s. R s s p L(s ) can always reach a state satisfying p is AG(EF p) Mike Gordon 63 / 128

The defined operator EG Define EGψ = AF( ψ) EGψ true at s iffψ true everywhere on some R-path from s [[EGψ]] M (s) = [[ AF( ψ)]] M (s) = ([[AF( ψ)]] M (s)) = ( π. Path R s π i. [[ ψ]] M (π(i))) = ( π. Path R s π i. [[ψ]] M (π(i))) = π. (Path R s π i. [[ψ]] M (π(i))) = π. Path R s π ( i. [[ψ]] M (π(i))) = π. Path R s π i. [[ψ]] M (π(i)) = π. Path R s π i. [[ψ]] M (π(i)) Mike Gordon 64 / 128

The defined operator A[ψ 1 W ψ 2 ] A[ψ 1 W ψ 2 ] is a partial correctness version of A[ψ 1 U ψ 2 ] It is true at s if along all R-paths from s: ψ1 always holds on the path, or ψ2 holds sometime on the path, and until it does ψ 1 holds Define [[A[ψ 1 W ψ 2 ]]] M (s) = [[ E[(ψ 1 ψ 2 ) U ( ψ 1 ψ 2 )]]] M (s) = [[E[(ψ 1 ψ 2 ) U ( ψ 1 ψ 2 )]]] M (s) = ( π. Path R s π i. [[ ψ 1 ψ 2 ]] M (π(i)) j. j<i [[ψ 1 ψ 2 ]] M (π(j))) Exercise: understand the next two slides! Mike Gordon 65 / 128

A[ψ 1 W ψ 2 ] continued (1) Continuing: ( π. Path R s π i. [[ ψ 1 ψ 2 ]] M (π(i)) j. j<i [[ψ 1 ψ 2 ]] M (π(j))) = π. (Path R s π i. [[ ψ 1 ψ 2 ]] M (π(i)) j. j<i [[ψ 1 ψ 2 ]] M (π(j))) = π. Path R s π ( i. [[ ψ 1 ψ 2 ]] M (π(i)) j. j<i [[ψ 1 ψ 2 ]] M (π(j))) = π. Path R s π i. [[ ψ 1 ψ 2 ]] M (π(i)) ( j. j<i [[ψ 1 ψ 2 ]] M (π(j))) Mike Gordon 66 / 128

A[ψ 1 W ψ 2 ] continued (2) Continuing: = π. Path R s π i. [[ ψ 1 ψ 2 ]] M (π(i)) ( j. j<i [[ψ 1 ψ 2 ]] M (π(j))) = π. Path R s π i. ( j. j<i [[ψ 1 ψ 2 ]] M (π(j))) [[ ψ 1 ψ 2 ]] M (π(i)) = π. Path R s π i. ( j. j<i [[ψ 1 ψ 2 ]] M (π(j))) [[ψ 1 ψ 2 ]] M (π(i)) Exercise: explain why this is [[A[ψ 1 W ψ 2 ]]] M (s)? this exercise illustrates the subtlety of writing CTL! Mike Gordon 67 / 128

Sanity check: A[ψ W F] = AG ψ From last slide: [[A[ψ 1 W ψ 2 ]]] M (s) = π. Path R s π i. ( j. j<i [[ψ 1 ψ 2 ]] M (π(j))) [[ψ 1 ψ 2 ]] M (π(i)) Set ψ 1 to ψ and ψ 2 tof: [[A[ψ WF]]] M (s) = π. Path R s π i. ( j. j<i [[ψ F]] M (π(j))) [[ψ F]] M (π(i)) Simplify: [[A[ψ WF]]] M (s) = π. Path R s π i. ( j. j<i [[ψ]] M (π(j))) [[ψ]] M (π(i)) By induction on i: [[A[ψ WF]]] M (s) = π. Path R s π i. [[ψ]] M (π(i)) Exercises 1. Describe the property: A[T W ψ]. 2. Describe the property: E[ ψ 2 U (ψ 1 ψ 2 )]. 3. Define E[ψ 1 W ψ 2 ] = E[ψ 1 U ψ 2 ] EGψ 1. Describe the property: E[ψ 1 W ψ 2 ]? Mike Gordon 68 / 128

Recall model behaviour computation tree Atomic properties are true or false of individual states General properties are true or false of whole behaviour Behaviour of (S, R) starting from s S as a tree: s initial state states after one step A path is shown in red states after two steps Properties may look at all paths, or just a single path CTL: Computation Tree Logic (all paths from a state) LTL: Linear Temporal Logic (a single path) Mike Gordon 69 / 128

Summary of CTL operators (primitive + defined) CTL formulae: p (Atomic formula - p AP) ψ (Negation) ψ 1 ψ 2 (Conjunction) ψ 1 ψ 2 (Disjunction) ψ 1 ψ 2 (Implication) AXψ (All successors) EXψ (Some successors) AFψ (Somewhere along all paths) EFψ (Somewhere along some path) AGψ (Everywhere along all paths) EGψ (Everywhere along some path) A[ψ 1 U ψ 2 ] (Until along all paths) E[ψ 1 U ψ 2 ] (Until along some path) A[ψ 1 W ψ 2 ] (Unless along all paths) E[ψ 1 W ψ 2 ] (Unless along some path) Mike Gordon 70 / 128

Example CTL formulae EF(Started Ready) It is possible to get to a state where Started holds but Ready does not hold AG(Req AFAck) If a request Req occurs, then it will eventually be acknowledged by Ack AG(AFDeviceEnabled) DeviceEnabled is always true somewhere along every path starting anywhere: i.e. DeviceEnabled holds infinitely often along every path AG(EFRestart) From any state it is possible to get to a state for which Restart holds Can t be expressed in LTL! Mike Gordon 71 / 128

More CTL examples (1) AG(Req A[Req U Ack]) If a request Req occurs, then it continues to hold, until it is eventually acknowledged AG(Req AX(A[ Req U Ack])) Whenever Req is true either it must become false on the next cycle and remains false until Ack, or Ack must become true on the next cycle Exercise: is the AX necessary? AG(Req ( Ack AX(A[Req U Ack]))) Whenever Req is true and Ack is false then Ack will eventually become true and until it does Req will remain true Exercise: is the AX necessary? Mike Gordon 72 / 128

More CTL examples (2) AG(Enabled AG(Start A[ Waiting U Ack])) If Enabled is ever true then if Start is true in any subsequent state then Ack will eventually become true, and until it does Waiting will be false AG( Req 1 Req 2 A[ Req 1 Req 2 U (Start Req 2 )]) Whenever Req 1 and Req 2 are false, they remain false until Start becomes true with Req 2 still false AG(Req AX(Ack AF Req)) If Req is true and Ack becomes true one cycle later, then eventually Req will become false Mike Gordon 73 / 128

Some abbreviations AX i ψ AX(AX( (AX ψ) )) }{{} i instances of AX ψ is true on all paths i units of time later ABF i..j ψ AX i (ψ AX(ψ AX(ψ AX ψ) )) }{{} j i instances of AX ψ is true on all paths sometime between i units of time later and j units of time later AG(Req AX(Ack 1 ABF 1..6 (Ack 2 A[Wait U Reply]))) One cycle after Req, Ack 1 should become true, and then Ack 2 becomes true 1 to 6 cycles later and then eventually Reply becomes true, but until it does Wait holds from the time of Ack 2 More abbreviations in Industry Standard language PSL Mike Gordon 74 / 128

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback