Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Similar documents
Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Model for reactive systems/software

Computation Tree Logic

Overview. overview / 357

An Introduction to Temporal Logics

LTL and CTL. Lecture Notes by Dhananjay Raju

T Reactive Systems: Temporal Logic LTL

Lecture 16: Computation Tree Logic (CTL)

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

Verification Using Temporal Logic

Timo Latvala. February 4, 2004

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

FAIRNESS FOR INFINITE STATE SYSTEMS

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Computation Tree Logic (CTL)

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Finite-State Model Checking

Temporal Logics for Specification and Verification

Automata-Theoretic Model Checking of Reactive Systems

Temporal Logic Model Checking

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Chapter 4: Computation tree logic

Model Checking Algorithms

Alan Bundy. Automated Reasoning LTL Model Checking

Computer-Aided Program Design

Automata-Theoretic Verification

Model Checking with CTL. Presented by Jason Simas

Chapter 3: Linear temporal logic

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

PSL Model Checking and Run-time Verification via Testers

Modal and Temporal Logics

Model checking (III)

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Automata on Infinite words and LTL Model Checking

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

Computation Tree Logic

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

The Safety Simple Subset

A Hierarchy for Accellera s Property Specification Language

Automata and Reactive Systems

Chapter 6: Computation Tree Logic

LTL with Arithmetic and its Applications in Reasoning about Hierarchical Systems

Reasoning about Strategies: From module checking to strategy logic

From Liveness to Promptness

Reasoning about Time and Reliability

Symbolic Model Checking Property Specification Language*

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

CDS 270 (Fall 09) - Lecture Notes for Assignment 8.

An Introduction to Multi Valued Model Checking

Verification. Lecture 9. Bernd Finkbeiner Peter Faymonville Michael Gerke

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

LTL is Closed Under Topological Closure

Linear Temporal Logic and Büchi Automata

PSPACE-completeness of LTL/CTL model checking

MODEL CHECKING TIMED SAFETY INSTRUMENTED SYSTEMS

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Lecture Notes on Emptiness Checking, LTL Büchi Automata

Formal Verification. Lecture 1: Introduction to Model Checking and Temporal Logic¹

Systems Verification. Alessandro Abate. Day 1 January 25, 2016

Topics in Verification AZADEH FARZAN FALL 2017

A Symbolic Approach to Safety LTL Synthesis

On simulations and bisimulations of general flow systems

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Model Checking. Boris Feigin March 9, University College London

Monodic fragments of first-order temporal logics

Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago

Chapter 5: Linear Temporal Logic

Deterministic ω-automata for LTL: A safraless, compositional, and mechanically verified construction

Lecture 11 Safety, Liveness, and Regular Expression Logics

Languages, logics and automata

Automata-based Verification - III

Algorithmic verification

a Hebrew University b Weizmann Institute c Rice University

Introduction. Büchi Automata and Model Checking. Outline. Büchi Automata. The simplest computation model for infinite behaviors is the

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Course Runtime Verification

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

Characterizing Fault-Tolerant Systems by Means of Simulation Relations

3-Valued Abstraction-Refinement

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

Timo Latvala. March 7, 2004

Abstractions and Decision Procedures for Effective Software Model Checking

ESE601: Hybrid Systems. Introduction to verification

Lecture 2 Automata Theory

Büchi Automata and Linear Temporal Logic

Computation Tree Logic

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Model Checking: An Introduction

Counterexample-Driven Model Checking

The theory of regular cost functions.

Automata-based Verification - III

CS357: CTL Model Checking (two lectures worth) David Dill

Linear-Time Logic. Hao Zheng

Transcription:

Outline Temporal Logic Ralf Huuck Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness Model Checking Problem model, program? M φ satisfies, Implements, refines property, specification How to formalize the different components? for this lecture we assume is M given as a Kripke structure, what about and φ? Kripke Structure Given a set of atomic propositions AP. Kripke structure M=(S,,, μ) is defined by S set of states initial state S S transition relation (total) μ:s 2 AP labeling function Any infinite run is accepting, i.e., like Buchi automaton where every state is a final state. Product as for NFA. 1

Example How to define properties formally? Kripke structure automata ω regular expression logics Logic can provide succinct notation, close to natural language. Propositional Logic Propositional Logic Syntax φ ::= p φ φ 1 φ 2 Other connectivities (,,, ) can be derived (see next slide) Semantics Given a state s in a Kipke structure M we define M,s φ inductively by: M,s p p μ(s) M,s φ not M,s φ M,s φ 1 φ 2 M,s φ 1 or M,s φ 2 (,,, true,false ) Propositional logic is good at describing static situations. 2

Example Example M, a b M, a M, a How to describe: eventually b will happen? a will happen always again? Propositional logic is good for describing static situations. Propositional logic is unsuitable for describing dynamic behavior. Dynamic Behavior Mutual Exclusion Important for reactive systems security protocols hardware operating systems embedded systems process1 ncs cs ncs process2 ncs cs ncs always only one process in cs eventually process1 in cs always eventually process2 in cs cs = critical section ncs = none critical section 3

Temporal Logics LTL originate from philosophy how to express statements including time? what is an appropriate model? real-time vs discrete time linear time vs branching time (deterministic vs non-deterministic) (P)LTL LTL Syntax Propositional Linear time Temporal Logic discrete time linear (deterministic) progression on on on on on on on on PLTL formula are inductively defined by: φ ::= p φ φ 1 φ 2 Xφ Fφ Gφ φ 1 Uφ 2 p denotes atomic proposition X denotes next-state operator F denotes eventually/finally G denotes always/globally U denotes until 4

LTL semantics Paths in Kripke Structures LTL formula φ interpreted over infinite paths of states π= we define LTL wrt Kripke structure M M,π²φ denotes φ holds in a path π of Kripke structure M. M²φ iff all paths of M satisfy φ, i.e., for all π in M we have M,π²φ remember transition relation is total Semantics of LTL Operators Example let π k denote suffix s k s k+1 s k+2... where k 0 M,π² p iff ² p, i.e., p μ( ) M,π² φ iff not M,π²φ M,π²φ 1 φ 2 iff M,π²φ 1 or M,π²φ 2 M,π² Xφ iff M,π 1 ²φ, i.e., s k s k+1 s k+2... satisfies φ M,π² Fφ iff k 0 s.t. M,π k ²φ M,π² Gφ iff k 0 M,π k ²φ M,π² φ 1 Uφ 2 iff 0 s.t. M,π k ² φ 2 and 0 j<k we have M,π j ² φ 1 path π satisfies: M,π² a M,π² b M,π² Xb M,π² Fa M,π² FG(a b) M,π² F(bUa) M,π² FG(aUb) what else? 5

Exercise M²φ Which temporal operators can be expressed through one or more of the others? M²φ iff M,π²φ for all paths π Which cannot? Which properties satisfy this Kripke structure? CTL* CTL* Computational Tree Logic (star) discrete time branching (non-deterministic) progression describes properties of computation trees more powerful than LTL 6

Computation Trees Unwinding Kripke Structure Kripke structure computation tree on on on on on on on on on on on Operators in CTL* CTL* Formulae temporal operators same as LTL, describe properties of paths path quantifiers A: for all paths ( )... E: there exists a path ( )... more formally... propositional logic as underlying static logic two different types of formulae state formula: properties of a state path formulas: property of a path all LTL formulae are path formulae state formulae static propositional formulae 7

State Formulae Path Quantifiers in State Formulae φ s ::= p φ s φ s1 φ s2 Aφ π Eφ π φ s denotes state formula φ π path formula p atomic proposition Aφ π and Eφ π are state formulas set of all state formulae = set of all legal CTL* formulae Aand Eare path quantifiers denote universal and existential quantification over paths starting in a certain state Aφ π holds in a state s iff for all paths starting in s, φ π holds Eφ π holds in a state s iff there exisits a path starting in s, s.t. φ π holds Path Formulae Semantics of CTL* φ π ::= φ s φ π φ π1 φ π2 Xφ π Fφ π Gφ π φ π1 Uφ π2 every LTL formula is path formula all state formulae are also path formulae define semantics w.r.t. Kripke structure M M,s²φ denotes state formula φ holds in a state s of M M,π²φ denotes path formula φ holds for path π in M ² defined inductively, as before nesting: A(GF(A a b)) (example tree?) 8

Semantics of CTL* State Formulae Semantics of CTL* Path Formulae M,s² piffp μ(s) M,s² φ iff not M,s²φ M,s²φ 1 φ 2 iff M,s²φ 1 and M,s²φ 2 M,s² Aφ iff for all paths π starting in s, M,π²φ M,s² Eφ iff there exists a paths π starting in s, such that M,π²φ M,π²φ s iff ² φ s M,π² φ iff not M,π²φ M,π²φ 1 φ 2 iff M,π²φ 1 or M,π²φ 2 M,π² Xφ iff M,π 1 ²φ, i.e., s k s k+1 s k+2... satisfies φ M,π² Fφ iff k 0 s.t. M,π k ²φ M,π² Gφ iff k 0 M,π k ²φ M,π² φ 1 Uφ 2 iff k 0 s.t. M,π k ² φ 2 and 0 j<k we have M,π j ² φ 1 basically, same as before LTL vs. CTL* Examples φ LTL implies Aφ CTL* root state s o satisfies: M, ² Aa computation tree EFφ CTL* but not expressible in LTL (other examples?) M, ² A( b) M, ² AXb LTL strictly less expressive than CTL* M, ² EFa M, ² EFAa what else? 9

M²φ M²φ (φ CTL*) iff M, ²φ for initial state CTL a fragment of CTL* Which properties satisfies this Kripke structure? CTL CTL Syntax CTL is restricted version of CTL* temporal operators as in CTL* path quantifier as in CTL* However, no unrestricted nesting and Boolean combinations of path formulae (next slide) φ::= p φ φ 1 φ 2 AXφ EXφ AFφ EFφ AGφ EGφ A(φ 1 Uφ 2 ) E(φ 1 U φ2) no arbitrary nesting path qualifiers and temporal operators alternate no Boolean combinations of path formulae Not allowed: a Fq, E(A(F(a b)),..., what else? 10

Example LTL vs. CTL vs. CTL* Which CTL properties hold for this Kripke structure? LTL sublogic of CTL* (EF φ CTL*, not expressible in LTL) CTL sublogic of CTL* (FGφ CTL*, not expressible in CTL) LTL and CTL not comparable FGφ LTL, not expressible in CTL EFφ CTL, not expressible in LTL LTL vs. CTL vs. CTL* Safety and Liveness CTL* safety: never something bad will happen AG (in1 in2) LTL CTL liveness: eventually something good will happen EF safe rule of thumb: liveness properties iff counter example requires an infinite trace/infinite deep tree 11

Fairness Weak/Strong Fairness Often liveness properties cannot be proven without certain assumptions, i.e., fairness. weak fairness if an event is continuously enabled, it will occur infinitely often in LTL: GF ( enabled occurs) strong fairness if a event is infinitely often enabled it will occur infinitely often in LTL: GF enabled GF occurs {c} {c} M²Fb? M²Fc? Weak/Strong Fairness {c} weak fairness if an event is continuously enabled, it will occur infinitely often in LTL: GF ( enabled occurs) strong fairness if a event is infinitely often enabled it will occur infinitely often in LTL: GF enabled GF occurs {c} Fairness and Model Checking Weak/strong fairness can be expressed in LTL, however, not in CTL in LTL model checking fairness can be added directly as an assumption in CTL model checking fairness has to be build into the model checking algorithm under weak fairness: M²Fb under strong fairness: M²Fc 12

This Lecture Summary temporal logic to specify behavior over time LTL: linear structure (for all paths) CTL(*): branching structure (selective paths) LTL, CTL sublogics of CTL* CTL, LTL not comparable different classes of properties (safety/liveness, fairness) Next Lecture CTL model checking how does it work 13

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback