An On-the-fly Tableau Construction for a Real-Time Temporal Logic
Marc Geilen and Dennis Dams
Faculty of Electrical Engineering, Eindhoven University of Technology
P.O.Box 513, 5600 MB Eindhoven, The Netherlands
E-mail: {m.c.w.geilen,d.dams}@tue.nl
September 22, 2000
Overview
1. Introduction
2. Tableaux for Linear Temporal Logic
3. Real-Time Temporal Logic
4. Temporal Normal Form
5. Example
6. Tableau Construction
7. Conclusions
1. Introduction
Temporal logic is used to formalise correctness properties of reactive systems. Real-time temporal logic is a variant in which timing aspects can be expressed.
The automata-theoretic approach to model checking relies on the construction of an automaton from the temporal logic formula to be verified. Such tableau algorithms are being improved for efficient verification; in particular, on-the-fly versions have been defined.
For (linear) real-time temporal logic a tableau algorithm exists, but it is rather complex and has never been implemented. We try to develop an on-the-fly construction for a particular subset of MITL.
Automata Theoretic Verification
System $S$ satisfies property $\varphi$
iff the language of the automaton $A_S$ (adequately) describing $S$ is included in the language of the tableau automaton $A_\varphi$ of $\varphi$
iff the languages $L(A_S)$ and $L(A_{\neg\varphi})$ of the automata $A_S$ and $A_{\neg\varphi}$ (the complement of $A_\varphi$) have no words in common
iff the language of the synchronous product $A_S \times A_{\neg\varphi}$ is empty.
2. Tableaux for Linear Temporal Logic
On-the-fly tableau construction is based on the separation of "now" and "next", using the following equivalences:
$\varphi_1 U \varphi_2 \equiv \varphi_2 \vee (\varphi_1 \wedge \bigcirc(\varphi_1 U \varphi_2))$
$\varphi_1 V \varphi_2 \equiv \varphi_2 \wedge (\varphi_1 \vee \bigcirc(\varphi_1 V \varphi_2))$
Using these equivalences, every LTL formula can be rewritten into an equivalent formula in disjunctive temporal form
$\bigvee_{i=1}^{k} \Pi_i \wedge \bigcirc\Phi_i$
For instance, $p U q \equiv q \vee (p \wedge \bigcirc(p U q))$.
On-the-fly Tableau Construction
From this form the tableau construction follows directly:
$\bigvee_{i=1}^{k} \Pi_i \wedge \bigcirc\Phi_i$
Acceptance conditions take care of the liveness aspects.
Recently, optimisations have been studied to improve on the basic procedure.
3. Real-Time Temporal Logics
Extensions of linear temporal logic have been introduced to express properties of timed systems. The time domain may be discrete (e.g. $\mathbb{N}$) or dense (e.g. $\mathbb{R}$).
Different logics have been introduced: MTL, MITL, TPTL (freeze quantifiers).
Tableau constructions exist, but they are not on-the-fly or designed for efficient model checking; as a consequence, they have not been implemented.
Preliminary definitions
An interval $I$ is a left-closed and right-open subset $[a, b)$ of $\mathbb{R}_{\geq 0}$. A state $\sigma$ is a subset of the set $Prop$ of atomic propositions. A timed state sequence $\rho$ is a pair $(\bar\sigma, \bar I)$ consisting of an infinite sequence of states and an (initial, diverging and consecutive) infinite sequence of intervals. $\rho(t)$ denotes the state at time $t$, and $\rho^t$ the suffix of the timed state sequence starting from time $t$.
Timed state sequences $\rho_1$ and $\rho_2$ are called equivalent if for every $t \in \mathbb{R}$, $\rho_1(t) = \rho_2(t)$.
The Logic
We consider a restricted version of the real-time temporal logic MITL of (Alur, 91), with formulas of the following form, interpreted on timed state sequences ($p \in Prop$, $d \in \mathbb{N}$):
$\varphi ::= \mathrm{true} \mid p \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid \varphi_1 U_{\leq d} \varphi_2$
$\rho \models \mathrm{true}$;
$\rho \models p$ iff $p \in \rho(0)$;
$\rho \models \neg\varphi$ iff not $\rho \models \varphi$;
$\rho \models \varphi_1 \vee \varphi_2$ iff $\rho \models \varphi_1$ or $\rho \models \varphi_2$;
$\rho \models \varphi_1 U_{\leq d} \varphi_2$ iff there is some $0 \leq t \leq d$ such that $\rho^t \models \varphi_2$ and for all $0 \leq t' < t$, $\rho^{t'} \models \varphi_1$.
$\Diamond_{\leq d}\,\varphi \stackrel{def}{=} \mathrm{true}\; U_{\leq d}\; \varphi$
$\Box_{\leq d}\,\varphi \stackrel{def}{=} \neg\Diamond_{\leq d}\,\neg\varphi$
4. The Extended Logic
Obtain a discretisation of the timed state sequence, and a normal form, by separating "now" (the current interval) and "next" (the TSS from the next interval onward).
The logic is extended with timers and a next operator, in positive form, and interpreted within a timer environment $\nu : T \to \mathbb{N}$:
$\psi ::= \varphi \mid \psi_1 \vee \psi_2 \mid \psi_1 \wedge \psi_2 \mid TS.\psi \mid x > 0 \mid x \leq 0 \mid \varphi_1 V_{<d} \varphi_2 \mid \varphi_1 U_x \varphi_2 \mid \varphi_1 V_{<x} \varphi_2 \mid \bigcirc\psi$
$TS$ is a timer assignment $TS : T \to \mathbb{N}$.
$\varphi_1 U_{\leq d} \varphi_2 \equiv [x := d].(\varphi_1 U_x \varphi_2)$
(The dual is expressed with $\varphi_1 V_{<x} \varphi_2$, so that the timer condition becomes $x \leq 0$ instead of $x < 0$.)
Semantics (interesting operators only)
$\rho \models_\nu \varphi$ iff $\rho \models \varphi$;
$\rho \models_\nu TS.\psi$ iff $\rho \models_{TS(\nu)} \psi$;
$\rho \models_\nu \varphi_1 U_x \varphi_2$ iff there is some $0 \leq t \leq \nu(x)$ such that $\rho^t \models_{\nu - t} \varphi_2$ and for all $0 \leq t' < t$, $\rho^{t'} \models_{\nu - t'} \varphi_1$;
$\rho \models_\nu \varphi_1 V_{<x} \varphi_2$ iff for all $0 \leq t < \nu(x)$, $\rho^t \models_{\nu - t} \varphi_2$ or there is some $0 \leq t' < t$ such that $\rho^{t'} \models_{\nu - t'} \varphi_1$;
$\rho \models_\nu x > 0$ iff $\nu(x) > 0$;
$\rho \models_\nu x \leq 0$ iff $\nu(x) \leq 0$;
$\rho \models_\nu \bigcirc\psi$ iff $(\bar\sigma^1, \bar I^1) \models_{\nu - |\bar I(0)|} \psi$, where $\rho = (\bar\sigma, \bar I)$ (timers decrease by the length of the first interval).
$\varphi$-fineness (1)
The $\bigcirc$ operator discriminates between equivalent timed state sequences.
Definition 1. An interval sequence $\bar I$ is called $\varphi$-fine for timed state sequence $\rho$ if for every syntactic subformula $\psi$ of $\varphi$, every $k \geq 0$, and every $t_1, t_2 \in \bar I(k)$, we have $\rho^{t_1} \models \psi$ iff $\rho^{t_2} \models \psi$. If $\bar I$ is $\varphi$-fine for a timed state sequence $(\bar\sigma, \bar I)$, then $(\bar\sigma, \bar I)$ itself is also called $\varphi$-fine.
$\varphi$-fineness (2)
In (Alur, 91) it was shown that the intervals of a timed state sequence can always be refined so that the value of a given MITL formula does not change within any interval. This result still holds in our restricted setting of timed state sequences and formulas.
Lemma 1. Let $\varphi$ be an MITL formula and $\rho$ a TSS. Then there exists a $\varphi$-fine TSS that is a refinement of, and equivalent with, $\rho$.
If we restrict timed state sequences to $\varphi$-fine ones, the $\bigcirc$ operator turns out to provide a suitable discretisation for a tableau.
Disjunctive Temporal Form
The temporal normal form and the rewrite procedure.
Definition 2. An MITL formula is in disjunctive temporal form if it is of the form
$\bigvee_{i=1}^{k} TS_i.(\Pi_i \wedge \Xi_i \wedge \bigcirc\Phi_i)$
where the $TS_i$ are timer settings, the $\Pi_i$ are conjunctions of atomic propositions and negated atomic propositions, the $\Xi_i$ are conjunctions of timer conditions, and the $\Phi_i$ are conjunctions of MITL formulas.
Lemma 2. Every extended MITL formula can be rewritten to an equivalent formula in disjunctive temporal form.
Rewrite Rules (1)
Every MITL formula can be rewritten into an equivalent formula in disjunctive temporal form.
$\varphi_1 U_{\leq d} \varphi_2 \equiv [y := d].(\varphi_1 U_y \varphi_2)$
$\varphi_1 V_{<d} \varphi_2 \equiv [y := d].(\varphi_1 V_{<y} \varphi_2)$
Rewrite Rules (2) - Unfolding
$\varphi_1 U_x \varphi_2 \equiv \varphi_2 \vee (x > 0 \wedge \varphi_1 \wedge \bigcirc(\varphi_1 U_x \varphi_2))$ (if $\nu(x) \geq 0$)
$\varphi_1 V_{\leq d} \varphi_2 \equiv \varphi_2 \wedge (\varphi_1 \vee \bigcirc(\varphi_1 V_{<d} \varphi_2))$
$\varphi_1 V_{<x} \varphi_2 \equiv x \leq 0 \vee (\varphi_2 \wedge (\varphi_1 \vee \bigcirc(\varphi_1 V_{<x} \varphi_2)))$
Rewrite Rules (3) - Limiting the number of timers
The unfolding of $U$ and $V$ operators introduces new timers. The following equivalences allow the use of a single timer per $U$ or $V$ formula. If $\nu(x) \leq d$:
$(\varphi_1 U_x \varphi_2) \wedge ([y := d].(\varphi_1 U_y \varphi_2)) \equiv \varphi_1 U_x \varphi_2$
$(\varphi_1 V_{<x} \varphi_2) \wedge ([y := d].(\varphi_1 V_{<y} \varphi_2)) \equiv [y := d].(\varphi_1 V_{<y} \varphi_2)$
5. Example ($\Diamond_{\leq 2}\, p$)
$\mathrm{true}\; U_{\leq 2}\; p$
$\equiv [x := 2].(\mathrm{true}\; U_x\; p)$
$\equiv [x := 2].(p \vee (x > 0 \wedge \mathrm{true} \wedge \bigcirc(\mathrm{true}\; U_x\; p)))$
$\equiv ([x := 2].p) \vee ([x := 2].(x > 0 \wedge \mathrm{true} \wedge \bigcirc(\mathrm{true}\; U_x\; p)))$
$\equiv ([x := 2].p) \vee ([x := 2].(x > 0 \wedge \bigcirc(\mathrm{true}\; U_x\; p)))$
$\mathrm{true}\; U_x\; p$ (if $\nu(x) \geq 0$)
$\equiv p \vee (x > 0 \wedge \mathrm{true} \wedge \bigcirc(\mathrm{true}\; U_x\; p))$
$\equiv p \vee (x > 0 \wedge \bigcirc(\mathrm{true}\; U_x\; p))$
6. Tableau Construction (1) - Timed Automata
Timed automaton $A_\varphi = (L, T, L_0, Q, TC, E)$ in the style of (Alur and Dill, 91):
using only left-closed, right-open intervals;
states, not transitions, are labelled with symbols;
timers decrease;
only timer conditions of the form $x > 0$ or $x \leq 0$ are used.
Tableau Construction (2)
Building the tableau automaton for the formula $\varphi$:
The set $T$ includes a timer for every $\varphi_1 U_{\leq d} \varphi_2$ and $\varphi_1 V_{\leq d} \varphi_2$ subformula of $\varphi$.
Use the alphabet $2^{Prop}$, where $Prop$ is the set of atomic propositions occurring in $\varphi$.
Generate the locations ($L$, $L_0$: sets of (extended) subformulas of $\varphi$) and the transitions ($E$) on-the-fly, using the disjunctive temporal form procedure.
Use the $\Pi_i$ of the disjunctive temporal form terms for the symbol labelling $Q$.
Use the $\Xi_i$ of the disjunctive temporal form terms for the labelling $TC$ with timer conditions.
On-the-fly Tableau Construction
$\bigvee_{i=1}^{k} TS_i.(\Pi_i \wedge \Xi_i \wedge \bigcirc\Phi_i)$
Use the normal form procedure to determine the timer setting operations and the labelling of the states.
Example (1)-(3)
Construction of the tableau automaton of the formula $\Diamond_{\leq 2}\, p$ ($= \mathrm{true}\; U_{\leq 2}\; p$), one location at a time:
$\mathrm{true}\; U_{\leq 2}\; p \equiv ([x := 2].p) \vee ([x := 2].(x > 0 \wedge \bigcirc(\mathrm{true}\; U_x\; p)))$
$\mathrm{true}\; U_x\; p \equiv p \vee (x > 0 \wedge \bigcirc(\mathrm{true}\; U_x\; p))$
$\mathrm{true}$ (the remaining location)
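As an added example (not the authors' code), the disjunctive temporal form rewrite of Sections 4 and 5 for the negation-free $U_{\leq d}$ fragment (the $V$ rules are analogous and omitted) and the on-the-fly tableau it drives. Formulas are encoded as tuples and the timer names x0, x1, ... are this example's own convention.

```python
from itertools import count
# Formulas are nested tuples; the only connectives are those of Sections 2-4.
TRUE = ('true',)
def P(p):        return ('p', p)                 # atomic proposition
def Or(a, b):    return ('or', a, b)
def And(a, b):   return ('and', a, b)
def Next(f):     return ('next', f)              # the "next interval" operator
def Gt0(x):      return ('gt0', x)               # timer condition x > 0
def U(a, d, b):  return ('U', a, d, b)           # a U_{<=d} b, d a natural number
def Ux(a, x, b): return ('Ux', a, x, b)          # a U_x b, timer x already set

_fresh = count()
_timer_of = {}   # one timer per U_{<=d} subformula (assumed naming x0, x1, ...)

def dtf(f):
    """Terms (TS, Pi, Xi, Phi) of the disjunctive temporal form of f."""
    E, kind = frozenset(), f[0]
    if kind == 'true':  return [({}, E, E, E)]
    if kind == 'p':     return [({}, frozenset([f[1]]), E, E)]
    if kind == 'gt0':   return [({}, E, frozenset([f]), E)]
    if kind == 'next':  return [({}, E, E, frozenset([f[1]]))]
    if kind == 'or':    return dtf(f[1]) + dtf(f[2])
    if kind == 'and':   # conjunction distributes over the two disjunctions
        return [({**t1, **t2}, p1 | p2, c1 | c2, n1 | n2)
                for t1, p1, c1, n1 in dtf(f[1]) for t2, p2, c2, n2 in dtf(f[2])]
    if kind == 'U':     # a U_{<=d} b  ==  [x := d].(a U_x b)
        x = _timer_of.setdefault(f, 'x%d' % next(_fresh))
        return [({**ts, x: f[2]}, pi, xi, phi)
                for ts, pi, xi, phi in dtf(Ux(f[1], x, f[3]))]
    if kind == 'Ux':    # unfolding: b  or  (x > 0 and a and next(a U_x b))
        a, x, b = f[1], f[2], f[3]
        return dtf(Or(b, And(Gt0(x), And(a, Next(f)))))
    raise ValueError('unknown formula kind %r' % kind)

def tableau(phi):
    """Locations are sets of formulas (the Phi_i); edges carry TS_i, Pi_i, Xi_i."""
    start = frozenset([phi])
    locations, edges, todo = {start}, [], [start]
    while todo:                       # on-the-fly: only reachable locations are built
        loc = todo.pop()
        conj = TRUE
        for g in loc: conj = And(conj, g)
        for ts, pi, xi, nxt in dtf(conj):
            edges.append((loc, ts, pi, xi, nxt))
            if nxt not in locations:
                locations.add(nxt); todo.append(nxt)
    return locations, edges

# The slides' example Diamond_{<=2} p = true U_{<=2} p: 3 locations, 5 transitions.
EXAMPLE = tableau(U(TRUE, 2, P('p')))
```

The three locations are {true U_{<=2} p}, {true U_x p} and the empty set (true), matching the slides; the edge leaving the initial location under p sets x := 2 and carries no timer condition, the other one carries x > 0.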
Example
Tableau automaton of the formula ${}_{\leq 100}\,{}_{\leq 5}\, p$ (the two temporal operators are not legible in the source). Timer $x$ is used to enforce the constraints arising from the ${}_{\leq 5}\, p$ subformula. Timer $y$ is used to enforce the constraints arising from the ${}_{\leq 100}\,{}_{\leq 5}\, p$ formula itself.
7. Some Numerical Results
Formula (? marks a symbol lost in extraction)        #states  #transitions  #timers
?_{<=5} p                                               4          6            1
?_{<=100} ?_{<=5} p                                    10         22            2
?_{<=5} (?_{<=1} p ? ?_{<=1} q)                        11         21            3
p U_{<=1} (q U_{<=1} (r U_{<=1} s))                    14         30            3
p ? (?_{<=5} q ? ?_{<=1} r)                            15         48            2
(p ? ?_{<=5} q) U_{<=100} ?_{<=5} p                    21         64            3
(((p U_{<=4} q) U_{<=3} r) U_{<=2} s) U_{<=1} t         60        271            4
8. Conclusions
Introduction of timers, timer conditions and a next operator into the logic.
Rewrite rules to transform formulas into disjunctive temporal form, which constitutes the basis for the on-the-fly tableau construction.
We have introduced an on-the-fly construction for a dense real-time linear temporal logic.
We have implemented the algorithm and collected some experimental results.
Generalisation to arbitrary intervals is possible.
In order to check an MITL formula for satisfiability, the restricted analysis suffices.
Optimisations similar to those for the untimed case are still possible.
Generalisation to include the unbounded until operator, using acceptance conditions.