Modal and Temporal Logics

Similar documents
Temporal logic CTL : syntax. Communication and Concurrency Lecture 6. Φ ::= tt ff Φ 1 Φ 2 Φ 1 Φ 2 [K]Φ K Φ AG Φ EF Φ AF Φ EG Φ A formula can be

An Introduction to Temporal Logics

Automata-Theoretic Model Checking of Reactive Systems

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Verification Using Temporal Logic

Modal and Temporal Logics

Linear Temporal Logic (LTL)

Model for reactive systems/software

Linear-time Temporal Logic

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Computer-Aided Program Design

Chapter 4: Computation tree logic

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

Chapter 3: Linear temporal logic

T Reactive Systems: Temporal Logic LTL

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

Mathematical Logic Propositional Logic - Tableaux*

Timo Latvala. February 4, 2004

Lecture 16: Computation Tree Logic (CTL)

Overview. overview / 357

Computation Tree Logic

Computation Tree Logic

Temporal Logic Model Checking

MODEL CHECKING. Arie Gurfinkel

Linear-Time Logic. Hao Zheng

PSPACE-completeness of LTL/CTL model checking

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

The State Explosion Problem

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

ESE601: Hybrid Systems. Introduction to verification

Lecture Notes on Emptiness Checking, LTL Büchi Automata

09 Modal Logic II. CS 3234: Logic and Formal Systems. October 14, Martin Henz and Aquinas Hobor

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

Model Checking with CTL. Presented by Jason Simas

Chapter 5: Linear Temporal Logic

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Lecture Notes on Software Model Checking

A logical framework to deal with variability

LTL and CTL. Lecture Notes by Dhananjay Raju

Computation Tree Logic

Conjunctive Normal Form and SAT

FAIRNESS FOR INFINITE STATE SYSTEMS

Finite-State Model Checking

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

From Liveness to Promptness

LTL Model Checking. Wishnu Prasetya.

Computation Tree Logic (CTL)

Propositional and Predicate Logic - IV

First-order resolution for CTL

3 Propositional Logic

Theoretical Foundations of the UML

Safety and Liveness Properties

Linear Temporal Logic (LTL)

Syntax and Semantics of Propositional Linear Temporal Logic

Automata-based Verification - III

Reasoning about Strategies: From module checking to strategy logic

Model Checking: the Interval Way

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Automata-based Verification - III

Description Logics. Deduction in Propositional Logic. franconi. Enrico Franconi

Partial model checking via abstract interpretation

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

Complexity Theory VU , SS The Polynomial Hierarchy. Reinhard Pichler

Outline. Complexity Theory EXACT TSP. The Class DP. Definition. Problem EXACT TSP. Complexity of EXACT TSP. Proposition VU 181.

Logic Model Checking

Propositional and Predicate Logic - II

Characterizing Fault-Tolerant Systems by Means of Simulation Relations

Reasoning about Equilibria in Game-like Concurrent Systems

Model Checking & Program Analysis

Tecniche di Verifica. Introduction to Propositional Logic

CS357: CTL Model Checking (two lectures worth) David Dill

Model Checking Fixed Point Logic with Chop

LOGIC PROPOSITIONAL REASONING

Model Checking: An Introduction

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

Models of Concurrency

Temporal Logic - Soundness and Completeness of L

2.5.2 Basic CNF/DNF Transformation

Introduction to Logic in Computer Science: Autumn 2006

Tableau-based decision procedures for the logics of subinterval structures over dense orderings

Propositional and Predicate Logic - V

Propositional Logic: Models and Proofs

Recognizing Safety and Liveness by Alpern and Schneider

Model Theory of Modal Logic Lecture 5. Valentin Goranko Technical University of Denmark

Monitoring Distributed Controllers

Warm-Up Problem. Is the following true or false? 1/35

Modal Logic. UIT2206: The Importance of Being Formal. Martin Henz. March 19, 2014

An On-the-fly Tableau Construction for a Real-Time Temporal Logic

Conjunctive Normal Form and SAT

Propositional Logic and Semantics

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Distributed Algorithms (CAS 769) Dr. Borzoo Bonakdarpour

Optimal Tableaux for Right Propositional Neighborhood Logic over Linear Orders

Chapter 6: Computation Tree Logic

Linear Temporal Logic and Büchi Automata

Comp487/587 - Boolean Formulas

Propositional Logic: Evaluating the Formulas

Transcription:

Modal and Temporal Logics Colin Stirling School of Informatics University of Edinburgh July 23, 2003

Why modal and temporal logics? 1 Computational System Modal and temporal logics Operational semantics models of labelled transition system (Kripke structure)

Example: Crossing 2 Road Rail Signal def = car.up.ccross.down.road def = train.green.tcross.red.rail def = green.red.signal + up.down.signal Crossing (Road Rail Signal)\K K = {green, red, up, down}

Transition System (Graph) 3 τ ccross E E E E E ccross E E 1 train 2 4 3 5 τ E E 8 6 7 9 τ τ train 10 car train train Crossing τ car car tcross τ E E car 11 τ tcross τ Crucial Properties It is never the case that a train and a car can cross at the same time Mutual exclusion problem

Example: Mutual Exclusion 4 Mutual Exclusion Protocol

5 Crucial Properties Mutual exclusion Absence of deadlock Absence of starvation Various algorithms: example, Peterson s solution

6 B1f = b1rf.b1f + b1wf.b1f + b1wt.b1t B1t = b1rt.b1t + b1wt.b1t + b1wf.b1f B2f = b2rf.b2f + b2wf.b2f + b2wt.b2t B2t = b2rt.b2t + b2wt.b2t + b2wf.b2f K1 = kr1.k1 + kw1.k1 + kw2.k2 K2 = kr2.k2 + kw2.k2 + kw1.k1 P1 = b1wt.req1.kw2.p11 P11 = b2rt.p11 + b2rf.p12 + kr2.p11 + kr1.p12 P12 = enter1.exit1.b1wf.p1 P2 = b2wt.req2.kw1.p21 P21 = b1rf.p22 + b1rt.p21 + kr1.p21 + kr2.p22 P22 = enter2.exit2.b2wf.p2 Peterson = (P1 P2 K1 B1f B2f) \ L

Formalising Properties in a Temporal Logic Mutex = AG ([exit1]ff [exit2] ff) NoDeadlock = AG tt NoStarvation = AG([req1] AF exit1 tt) AG([req2] AF exit2 tt) 7 Checking Temporal Properties The Edinburgh Concurrency Workbench (CWB) A tool for simulating and verifying CCS agents http://www.dcs.ed.ac.uk/home/cwb/

8 Within CWB: Proving Peterson s solution correct Command: checkprop(peterson,mutex); true Command: checkprop(peterson,nodeadlock); true Command: checkprop(peterson,nostarvation); true

A Scheduler Problem: assume n tasks when n > 1. a i initiates the ith task and b i signals its completion The scheduler plans the order of task initiation, ensuring 9 1. actions a 1... a n carried out cyclically 2. tasks may terminate in any order 3. but a task can not be restarted until its previous operation has finished. (a i and b i happen alternately for each i. ) More complex temporal properties ( not first order but are regular )

A solution 10 Cy def = a.c.(b.d.cy + d.b.cy) Cy 1 Cy [a 1 /a, c 1 /c, b 1 /b, c n /d] Cy i (d.cy )[a i /a, c i /c, b i /b, c i 1 /d] 1 < i n

Case when n = 4 _ c a 1 2 c 4 1 1 2 Cy _ c a Cy 1 2 c 11 b 1 b 2 _ c 3 a 4 a 3 Cy 4 c 4 _ c 2 Cy 3 c 3 b 4 b 3

State of the Art: An Example Verification of PathStar call processing code Part of a telephone switch designed by AT&T About 1600 lines of code, changing almost daily (300 versions) About 80 properties System support: Trailblazer, designed at Bell Labs, running on 16 PCs 75 errors found, 5 very serious http://cm.bell-labs.com/cm/cs/what/feaver/index.html 12

13 MODAL LOGIC

14 Transition Systems I a set of states S a set of action labels A a set of transitions: s a s where s, s S, a A Cl tick Here: S = {Cl}, A = {tick}, and Cl tick Cl

Variants: Kripke Structures Labels appear at states ( colours ) often instead of on transitions 15 s p, q r s s q

Finite State Transition Systems 16 Ven collect b 2p 1p collect l big Ven b Ven l little collect b.ven collect.ven l

Infinite State Transition Systems 17 a a a a a, c c c c px pyx pyyx pyyyx... b b b b p ε rx ryx ryyx ε ε ε ε... Generated by a (deterministic) pushdown automaton: finitely generable

Modal Logic: Syntax Φ ::= tt ff Φ 1 Φ 2 Φ 1 Φ 2 [K]Φ K Φ A formula can be 18 the constant true formula tt, the constant false formula ff, a conjunction of formulas Φ 1 Φ 2, a disjunction of formulas Φ 1 Φ 2, a formula [K]Φ, where K is any set of actions, read as box K Φ, or for all K-derivatives Φ, a formula K Φ, where K is any set of actions, read as diamond K Φ, or for some K-derivative Φ.

Modal Logic: Semantics We define when a state E of a transition system satisfies a formula Φ. Either E satisfies Φ, E = Φ, or it doesn t, E = Φ. 19 E = tt E = ff E = Φ Ψ iff E = Φ and E = Ψ E = Φ Ψ iff E = Φ or E = Ψ E = [K]Φ iff F {E : E a E and a K}. F = Φ E = K Φ iff F {E : E a E and a K}. F = Φ

Examples 20 E = tick tt: from E there is a tick transition. E = tick tock tt: E = {tick, tock} tt: from E there is a tick and then a tock transition. from E there is a tick or a tock transition. E = [tick]ff: there is not a tick transition from E. E = tick ff: this is equivalent to ff! E = [tick]tt: this is equivalent to true!

21 Checking satisfaction Cl tick Does Cl have the property [tick]( tick tt [tock]ff)?

22 iff iff iff iff iff iff iff iff Cl = [tick]( tick tt [tock]ff) F {E : Cl tick E}. F = tick tt [tock]ff Cl = tick tt [tock]ff Cl = tick tt and Cl = [tock]ff F {E : Cl tick E} and Cl = [tock]ff F {Cl} and Cl = [tock]ff Cl = [tock]ff {E : Cl tock E} = =

Syntactic sugar for sets of actions Let A be a universal set of actions. We write a 1,..., a n for {a 1,..., a n } for the set A K for the set A K a 1,..., a n for A {a 1,..., a n } 23

More examples 24 E = [ ]ff : E is deadlocked E = tt : some action can be executed from E E = tt [ a]ff : a must happen next from E (Something can happen, and nothing but a can happen.) E = tt [ ]Φ : Φ holds after one step E = tt [ ]( tt [ ]( tt [ a]ff)) :?

Negation Modal logic can be extended with a negation operator E = Φ iff E = Φ Negation is redundant: For every Φ there is Φ c such that for any E E = Φ c iff E = Φ Φ c is inductively defined as follows: 25 tt c = ff ff c = tt (Φ 1 Φ 2 ) c = Φ c 1 Φ c 2 (Φ 1 Φ 2 ) c = Φ c 1 Φ c 2 ([K]Φ) c = K Φ c ( K Φ) c = [K]Φ c

Proposition: For every state F and formula Φ: F = Φ c iff F = Φ Proof: By induction on the structure of Φ. Basis: Φ = tt and Φ = ff. Trivial. Induction step: Case Φ = Φ 1 Φ 2. 26 F = (Φ 1 Φ 2 ) c iff F = Φ c 1 Φ c 2 iff F = Φ c 1 or F = Φ c 2 (by clause for ) iff F = Φ 1 or F = Φ 2 (by i.h.) iff F = Φ 1 Φ 2 (by clause for )

Case Φ = [K]Φ 1. 27 F = ([K]Φ 1 ) c iff F = K Φ1 c iff G. a K. F a G and G = Φ c 1 iff G. a K. F a G and G = Φ 1 iff F = [K]Φ 1 (by i.h.)

Satisfiability, validity, equivalence A formula is satisfiable if some state of a transition system satisfies it. A formula is unsatisfiable if no state of any transition system satisfies it. A formula is valid if all states of all transition systems satisfy it. Two formulas are equivalent if they are satisfied by exactly the same states of any transition system. 28

29 Are the following statements true? Exercise If Φ valid then Φ satisfiable If Φ satisfiable then Φ c unsatisfiable If Φ valid then Φ c unsatisfiable If Φ unsatisfiable then Φ c valid Y/N

30 Exercise Let be the implies connective whose definition is Φ Ψ def = Φ c Ψ. Are the following statements true? If (Φ Ψ) valid and Φ valid then Ψ valid If (Φ Ψ) satisfiable and Φ satisfiable then Ψ satisfiable If (Φ Ψ) valid and Φ satisfiable then Ψ satisfiable Y/N

31 Exercise Which of the following are valid and which are unsatisfiable when Φ and Ψ are arbitrary modal formulas?

V U N Φ Φ Φ Φ Φ (Ψ Φ) Φ (Φ Ψ) a tt [a]ff a [b]( a tt [a]ff) a [b]( a tt [a]ff) [ ] b tt a [b]( a tt [a]ff) [ ] tt a (Φ Ψ) ( a Φ a Ψ) ( a Φ a Ψ) a (Φ Ψ) [a](φ Ψ) ([a]φ [a]ψ) ([a]φ [a]ψ) [a](φ Ψ) 32

33 Exercise Which of the following are equivalent when Φ 1 and Φ 2 are arbitrary modal formulas? Y/N tick (Φ 1 Φ 2 ) tick Φ 1 tick Φ 2 tick (Φ 1 Φ 2 ) tick Φ 1 tick Φ 2 [tick](φ 1 Φ 2 ) [tick]φ 1 [tick]φ 2 [tick](φ 1 Φ 2 ) [tick]φ 1 [tick]φ 2 [tick]φ 1 tick Φ 1

Bisimulation Invariance A binary relation B between states of a transition system is a bisimulation provided that, whenever (E, F ) B and a A, 34 if E a E then F a F for some F such that (E, F ) B, and if F a F then E a E for some E such that (E, F ) B Two states E and F are bisimulation equivalent, E F, if there is a bisimulation relation B such that (E, F ) B.

More Definitions 35 E F if for all modal Φ, E = Φ iff F = Φ. (E and F have the same modal properties.) A transition system is finitely branching if for each a A and state E, the set {F : E a F } is finite.

Bisimulation Invariance II Two bisimulation equivalent states have the same modal properties. Proposition If E F then E F. Proof By induction on modal formulas Φ: for any G and H, if G H, then G = Φ iff H = Φ. The base case: Φ is tt or ff is clear. The inductive step proceeds by case analysis. Let Φ be Ψ 1 Ψ 2 and assume the result for Ψ 1 and Ψ 2. By definition G = Φ iff G = Ψ 1 and G = Ψ 2 iff by the induction hypothesis H = Ψ 1 and H = Ψ 2, and therefore iff H = Φ. Similarly for Ψ 1 Ψ 2. Next, let Φ be [K]Ψ and G = Φ. Therefore, for any G such that G a G and a K, G = Ψ. To show that H = Φ, let H a H (with a K). However, for some G, G a G and G H, so by the induction hypothesis H = Ψ, and therefore H = Φ. The other modal case is similar. 36

Bisimulation invariance III Proposition If E and F belong to a finitely branching transition system and E F then E F. Proof We show that the following is a bisimulation. {(E, F ) : E F and E, F belong to finitely branching transition system} Assume not. Without loss of generality G H for some G and H, and G G for some a and G, but G H for all H such that H a H. There are two possibilities. First, the set {H : H a H } is empty. But G = a tt because G a G and H = a tt, which contradicts that G H. Next, the set {H : H a H } is non-empty. However it is finite because of finite branching, and therefore assume it is {H 1,..., H n }. Assume G H i for each i : 1 i n, meaning there are formulas Φ 1,..., Φ n such that G = Φ i and H i = Φ i. (Here we use the fact that modal formulas are closed under complement.) Let Ψ be 37 a

the formula Φ 1... Φ n. Clearly G = Ψ and H i = Ψ for each i, as it fails the ith component of the conjunction. Therefore, G = a Ψ because G a G, and H = a Ψ because each H i fails to have property Ψ. But this contradicts that G H. 38

Exercises 39 Consider the following three vending machines, Ven i, 1 i 3. Ven Ven 1 2 1p 1p tea coffee tea coffee 1p 1p 1p tea 1p Ven 3 1p coffee 1p 1p Provide 3 modal formulas Φ i, such that Ven i = Φ i and Ven i = Φ j i = j. when

Prove the following 40 Proposition If E or F belongs to a finitely branching transition system and E F then E F.

Variants Take Kripke structures where labels appear at states ( colours ) instead of on transitions. Kripke model is a Kripke structure + a labelling function L : Colours S. (S are states). Assume p ranges over colours Modal Logic: Syntax 41 Semantics Φ ::= p p Φ 1 Φ 2 Φ 1 Φ 2 [ ]Φ Φ We define when a state E of a Kripke model satisfies a formula Φ.

E = p iff E L(p) E = p iff E L(p) E = Φ Ψ iff E = Φ and E = Ψ E = Φ Ψ iff E = Φ or E = Ψ E = [ ]Φ iff F {E : E E }. F = Φ E = Φ iff F {E : E a E }. F = Φ 42

Bisimulation A binary relation B between states of a Kripke model is a bisimulation provided that, whenever (E, F ) B for all colours p, E L(p) iff F L(p) if E E then F F for some F such that (E, F ) B, and if F F then E E for some E such that (E, F ) B Two states E and F are bisimulation equivalent, E F, if there is a bisimulation relation B such that (E, F ) B. 43

Bisimulation Invariance 44 Proposition if E F then E F Proposition if E and F belongs to a finitely branching Kripke model and E F then E F.

Exercise 45 s p, q r s s q Which of these are true? s = [ ]( q [ ] r) s = [ ](q q) s = [ ] [ ]q s = [ ](q [ ] q)

46 Unfolding A transition system/kripke model can be unfolded into a (bisimulation equivalent) possibly infinite tree s p, q r s s q becomes

s 47 s... s s... s s...

Computational Properties 48 Satisfiability Problem Given a modal formula Φ, is Φ satisfiable (realisable)? is NP-complete. Finite Tree Property If Φ is satisfiable then Φ is satisfiable in a transition system/kripke model that is a finite tree. (Hence, also Finite Model Property: if Φ is satisfiable then Φ is satisfiable in a finite transition system/kripke model.) Model Checking Problem Given a finite transition system/kripke model, a state E of it, and a modal formula, does E = Φ? is P-complete.

Example: Mutual Exclusion 49 Mutual Exclusion Protocol

Crucial Properties 50 Mutual exclusion Absence of deadlocks Absence of starvation PROBLEM: None of these properties is expressible in modal logic! Modal depth of a formula: maximum embedding of modal operators. instance, the following has modal depth 3: tt [ ]( tt [ ]( tt [ a]ff)) For

Proposition If Φ has modal depth n and E and F have the same transition structure to depth n, then E = Φ iff F = Φ. E F 51 a b a b a c d a c d.................... E and F have the same transition structure to depth 2, and so for any modal formula Φ of modal depth 2, E = Φ iff F = Φ. Modal logic cant express longterm properties such as absence of deadlock.

Runs of a transition system 52 A run from state E 0 is a finite or infinite length sequence of transitions a E 1 a 0 E 2 a 1... n a n+1 E n... with maximal length. Similarly, for a Kripke model. Example s p, q r s s q Then an example run is s s s s... A run is a branch in the unfolded transition system/kripke model.

Beyond Modal Logic Runs provide a means for expressing long term features. 53 Mutual exclusion: no run has the property that two components are in their critical section at the same time. Absence of deadlock: every run has infinite length Absence of starvation: in every run if a component requests entry into critical section then eventually that component will be in its critical section Assume good = bad and bad = good Safety(bad) = Weak Liveness(good)

Liveness(good) = Weak Safety(bad) 54

Exercise For each of the following, state whether it is a liveness or a safety property, and identify the good or bad feature. At most five messages are in the buffer at any time. The cost of living never decreases. The temperature never rises. All good things must come to an end. If an interrupt occurs, then a message is printed within one second. 55

Next: (K)Φ Pure Temporal Operators on Runs 56 E 0 a 1 E 1 a 2... E i a i+1... a 1 K =... Φ Until: Φ U Ψ. Note: the index i can be 0 E 0 a 1 E 1 a 2... E i a i+1... = =... = Φ Φ Ψ

Pure Temporal Operators on Runs II Eventually: F Ψ = tt U Ψ. The index i can be 0 57 Always: G Ψ = F Ψ E 0 a 1 E 1 a 2... E i a i+1...... = Ψ E 0 a 1 E 1 a 2... E i a i+1... = =... = Ψ Ψ Ψ...

Linear Time Temporal Logic (LTL) 58 Syntax Φ ::= p Φ Φ 1 Φ 2 ( )Φ Φ U Ψ Semantics A state E of a Kripke model satisfies an LTL formula Φ, written E = Φ, if for any run π from E, the run π = Φ.

E Exercise F r G 59 p p,q p H Which of the following are true? s = p U q s = F r s = F p s = G(p r) s = F(G r G p)

Satisfiability, validity, equivalence A formula is satisfiable (or realisable) if some state of a Kripke model satisfies it. A formula is unsatisfiable if no state of any Kripke model satisfies it. A formula is valid if all states of all Kripke models satisfy it. Two formulas are equivalent if they are satisfied by exactly the same states of any Kripke model. 60

Exercise: Which are Valid, Unsatisfiable, Neither? V U N F Φ G Φ G Φ F Φ F(Φ Ψ) F Φ F Ψ F Φ (Φ ( )F Φ) G Φ (Φ ( )G Φ) G FΦ F GΦ F G Φ G F Φ G( Φ ( )Φ) Φ F Φ G(Φ Ψ) (G Φ G Ψ) 61

Exercise We write E F if for all LTL Φ, E = Φ iff F = Φ. 62 Prove the following: Proposition If E F then E F.

Computational Properties I 63 Satisfiability Problem Given an LTL formula Φ, is Φ satisfiable (realisable)? is PSPACE-complete. Tree Model Property If Φ is satisfiable then Φ is satisfiable in a transition system/kripke model that is a (regular) infinite tree whose branching degree is one.

Computational Properties II 64 Finite Model Property If Φ is satisfiable then Φ is satisfiable in a finite transition system/kripke model (that is eventually cyclic). E... Model Checking Problem Given a finite transition system/kripke model, a state E of it, and an LTL formula, does E = Φ? is PSPACE-complete.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback