T Reactive Systems: Temporal Logic LTL

Similar documents
Timo Latvala. February 4, 2004

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Lecture 16: Computation Tree Logic (CTL)

Computer-Aided Program Design

Model for reactive systems/software

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Temporal Logic Model Checking

Chapter 4: Computation tree logic

Alan Bundy. Automated Reasoning LTL Model Checking

Automata-based Verification - III

Automata on Infinite words and LTL Model Checking

Linear-Time Logic. Hao Zheng

Automata-based Verification - III

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

Automata-Theoretic Model Checking of Reactive Systems

Linear Temporal Logic and Büchi Automata

Timo Latvala. March 7, 2004

Timed Automata. Chapter Clocks and clock constraints Clock variables and clock constraints

Chapter 3: Linear temporal logic

Linear Temporal Logic (LTL)

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

Logic Model Checking

ESE601: Hybrid Systems. Introduction to verification

Finite-State Model Checking

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

From Liveness to Promptness

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Lecture Notes on Emptiness Checking, LTL Büchi Automata

PSL Model Checking and Run-time Verification via Testers

Chapter 5: Linear Temporal Logic

Computation Tree Logic

Linear Temporal Logic (LTL)

Theoretical Foundations of the UML

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Tecniche di Verifica. Introduction to Propositional Logic

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

CS477 Formal Software Dev Methods

Visibly Linear Dynamic Logic

Model Theory of Modal Logic Lecture 1: A brief introduction to modal logic. Valentin Goranko Technical University of Denmark

An Introduction to Temporal Logics

CDS 270 (Fall 09) - Lecture Notes for Assignment 8.

Propositional Dynamic Logic

Verification Using Temporal Logic

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

LTL Model Checking. Wishnu Prasetya.

Overview. overview / 357

PSPACE-completeness of LTL/CTL model checking

Model Checking: An Introduction

Modal logics: an introduction

Chapter 6: Computation Tree Logic

Announcements. CS243: Discrete Structures. Propositional Logic II. Review. Operator Precedence. Operator Precedence, cont. Operator Precedence Example

Lecture 3: Semantics of Propositional Logic

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

Course Runtime Verification

Modal and Temporal Logics

Embedded systems specification and design

Model checking (III)

Büchi Automata and Linear Temporal Logic

Advanced Topics in LP and FP

Announcements. CS311H: Discrete Mathematics. Propositional Logic II. Inverse of an Implication. Converse of a Implication

LTL with Arithmetic and its Applications in Reasoning about Hierarchical Systems

Chapter 5: Linear Temporal Logic

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Alternating-Time Temporal Logic

On the Expressiveness and Complexity of ATL

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Abstractions and Decision Procedures for Effective Software Model Checking

09 Modal Logic II. CS 3234: Logic and Formal Systems. October 14, Martin Henz and Aquinas Hobor

LTL is Closed Under Topological Closure

Automata-Theoretic LTL Model-Checking

Notes on BAN Logic CSG 399. March 7, 2006

Tecniche di Specifica e di Verifica. Automata-based LTL Model-Checking

Show Your Work! Point values are in square brackets. There are 35 points possible. Some facts about sets are on the last page.

A brief introduction to Logic. (slides from

Reasoning About Bounds In Weighted Transition Systems

G54FOP: Lecture 17 & 18 Denotational Semantics and Domain Theory III & IV

Alternating Time Temporal Logics*

ECE473 Lecture 15: Propositional Logic

CS 267: Automated Verification. Lecture 1: Brief Introduction. Transition Systems. Temporal Logic LTL. Instructor: Tevfik Bultan

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

Applied Logic. Lecture 1 - Propositional logic. Marcin Szczuka. Institute of Informatics, The University of Warsaw

Model Checking. Boris Feigin March 9, University College London

Language of Propositional Logic

Introduction. Büchi Automata and Model Checking. Outline. Büchi Automata. The simplest computation model for infinite behaviors is the

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

Classes and conversions

With Question/Answer Animations. Chapter 2

First-order resolution for CTL

Automata-Theoretic Verification

Correspondence between Kripke Structures and Labeled Transition Systems for Model Minimization

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

An Introduction to Modal Logic III

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Tecniche di Specifica e di Verifica. Automata-based LTL Model-Checking

Transcription:

Tik-79.186 Reactive Systems 1 T-79.186 Reactive Systems: Temporal Logic LTL Spring 2005, Lecture 4 January 31, 2005

Tik-79.186 Reactive Systems 2 Temporal Logics Temporal logics are currently the most widely used specification formalism for reactive systems. They were first suggested to be used for specifying properties of programs in late 1970 s by A. Pnueli. Before that philosophers had used similar logics to reason about the notions of knowledge and belief in natural language. In early 1980 s first practical tools using temporal logics as the specification language appeared.

Tik-79.186 Reactive Systems 3 Why Use Temporal Logics? Temporal logics proved to be popular for several reasons: specifications have close correspondence to the natural language well defined semantics modelling language independent algorithms and tools for them exist expressive enough are succinct enough (more succinct than automata) allow easy complementation without blow-up

Tik-79.186 Reactive Systems 4 Recall the definition of Kripke structures: Definition 1 Let AP be a non-empty set of atomic propositions. A Kripke structure is a four tuple M = (S, s 0, R, L), where S is a finite set of states, s 0 S is an initial state, R S S is a transition relation, for which it holds that s S : s S : (s, s ) R, and L : S 2 AP is labelling, a function which labels each state with the atomic propositions which hold in that state.

Tik-79.186 Reactive Systems 5 Paths In temporal logics we are interested in non-terminating (infinite) executions of the system, whose behavior is described by the Kripke structure M. (Infinite executions are needed to handle liveness.) A path starting from a state s S is an infinite sequence of states π = s 0, s 1, s 2,..., such that s 0 = s and (s i, s i+1 ) R holds for all i 0.

Tik-79.186 Reactive Systems 6 Temporal Logic LT L We start by defining the syntax of LTL, the logic we will mostly use in this course. The logic LT L is a linear temporal logic, meaning that the formulas are interpreted over infinite sequences of states. A minimal syntax for LT L formulas is the following. Given the set AP, an LT L formula is: true, false, or p for p AP f 1, f 1 f 2, Xf 1, or f 1 U f 2, where f 1 and f 2 are LTL formulas The formula Xf 1 is read next-time f 1, and f 1 U f 2 is read f 1 until f 2.

Tik-79.186 Reactive Systems 7 Often a non-minimal version of the LT L syntax is used. Given the set AP, an LT L formula is: true, false, or p for p AP. f 1, f 1 f 2, f 1 f 2, Xf 1, f 1 U f 2, or f 1 R f 2, where f 1 and f 2 are LTL formulas. The formula f 1 R f 2 is read f 1 releases f 2.

Tik-79.186 Reactive Systems 8 This syntax of the previous slide is redundant, because actually f 1 f 2 = ( f 1 f 2 ), f 1 R f 2 = ( f 1 U f 2 ) and Xf 1 = (X( f 1 )) hold in all temporal logics to be considered in this course. The redundancy is used by some algorithms to push negations deeper into the formula by using the temporal logic DeMorgan rules described above.

Tik-79.186 Reactive Systems 9 Additional Shorthand Notation for LT L We also use standard propositional shorthands: f 1 f 2 = ( f 1 f 2 ), f 1 f 2 = ((f 1 f 2 ) ( f 1 f 2 )), etc. Some often used temporal logic shorthands are: F f 1 = true U f 1, read finally f 1 (or in the future f 1 ) Gf 1 = F f 1 (or equivalently Gf 1 = false R f 1 ), read globally f 1 (or always f 1 ).

Tik-79.186 Reactive Systems 10 Alternative Notation for LT L Also also the following notation is used often with LT L: f 1 = Gf 1 (for box f 1 ), f 1 = F f 1 (for diamond f 1 ), and f 1 = Xf 1 (for next-time f 1 ), f 1 U f 2 = f 1 U f 2 (alternative typesetting for until). The formula combination GF f 1 is read as infinitely often.

Tik-79.186 Reactive Systems 11 Some examples of practical use of LTL formulas in specification are: (cs 1 cs 2 ) (it always holds that two processes are not at the same time in a critical section), (req ack) (it is always the case that a request is eventually followed by an acknowledgement), and (( sch 1 ) ( sch 2 )) ( (tr 1 cs 1 )) (if both process 1 and 2 are scheduled infinitely often, then always the entering of process 1 in the trying section is followed by the process 1 eventually entering the critical section).

Tik-79.186 Reactive Systems 12 Semantics of LT L in a Path We denote the fact that an LT L formula f holds in a path π with the notation π = f. Another way of saying π = f is that the path π is a model of the formula f. The term model checking in fact refers to the fact that we are checking whether the behaviors of the system are models of the specification formula.

Tik-79.186 Reactive Systems 13 Notation for Paths We use π i to denote the suffix of the path π = s 0, s 1, s 2,... starting at index i, and thus π i = s i, s i+1, s i+2,.... We use π 0 to denote the first state of the path π = s 0, s 1, s 2,..., namely s 0. We next inductively define the = relation (when does a path π of the Kripke structure fulfill its specification f).

Tik-79.186 Reactive Systems 14 Semantics, part I The relation π = f is defined inductively as follows: π = true π = false π = p iff p L(π 0 ) for p AP π = f 1 iff not π = f 1 π = f 1 f 2 iff π = f 1 or π = f 2 π = f 1 f 2 iff π = f 1 and π = f 2

Tik-79.186 Reactive Systems 15 Semantics, part II π = X f 1 iff π 1 = f 1 π = f 1 U f 2 iff there is j 0, such that π j = f 2 and for all 0 i < j, π i = f 1 π = f 1 R f 2 iff for all j 0, if for every 0 i < j π i = f 1 then π j = f 2 (Or equivalently: π = f 1 R f 2 iff ((there is j 0, such that π j = f 1 f 2 and for every 0 i < j, π j = f 2 ), or (π k = f 2 for all k 0)).) The alternative defintion of release is basically expressing release as: f 1 R f 2 = f 2 U (f 1 f 2 ) f 2.

Tik-79.186 Reactive Systems 16 Semantics, part III If we want, we can also express the semantics of f 1 and f 1 directly, instead of using the definitions f 1 = true U f 1, and Gf 1 = false R f 1 : π = f 1 iff there is i 0, such that π i = f 1 π = f 1 iff for all i 0, π i = f 1

Tik-79.186 Reactive Systems 17 Semantics in a State We also want to define when a formula f holds in a state s in a Kripke structure M. Definition 2 An LT L formula f holds in a state s of Kripke structure M, denoted M, s = f, iff for all paths π in M, such that π 0 = s, it holds that π = f. Thus a formula f holds in s iff it holds for all paths starting at s. Note: The LT L formulas are evaluated in paths. A single state can appear many times in a path, and have different LT L formulas holding at the different instances of the same state!

Tik-79.186 Reactive Systems 18 Semantics in a Kripke Structure Now we want to also define when a Kripke structure satisfies the LT L specification f. Definition 3 An LT L formula f holds in a Kripke structure M, denoted M = f iff M, s 0 = f. We will in the future use logics which have both explicit A : for all paths, and E : there exist a path quantifications in the language. As shown above, the standard LT L interpretation adds an implicit for all paths quantification in front of the (top-level) LT L formula. Intuitively this means that out LT L specifications specify properties which should hold for all behaviors (paths) of the system.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback