Timo Latvala. February 4, 2004

Similar documents
T Reactive Systems: Temporal Logic LTL

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Computer-Aided Program Design

Lecture 16: Computation Tree Logic (CTL)

Timo Latvala. March 7, 2004

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Model for reactive systems/software

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Temporal Logic Model Checking

Chapter 4: Computation tree logic

Linear Temporal Logic and Büchi Automata

Automata-Theoretic Model Checking of Reactive Systems

Alan Bundy. Automated Reasoning LTL Model Checking

Automata-based Verification - III

Automata-based Verification - III

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

Automata on Infinite words and LTL Model Checking

Linear-Time Logic. Hao Zheng

Chapter 3: Linear temporal logic

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Linear Temporal Logic (LTL)

Timed Automata. Chapter Clocks and clock constraints Clock variables and clock constraints

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

PSL Model Checking and Run-time Verification via Testers

An Introduction to Temporal Logics

Chapter 5: Linear Temporal Logic

ESE601: Hybrid Systems. Introduction to verification

Finite-State Model Checking

Linear Temporal Logic (LTL)

Verification Using Temporal Logic

From Liveness to Promptness

Lecture Notes on Emptiness Checking, LTL Büchi Automata

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Tecniche di Verifica. Introduction to Propositional Logic

Büchi Automata and Linear Temporal Logic

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

Visibly Linear Dynamic Logic

Logic Model Checking

An On-the-fly Tableau Construction for a Real-Time Temporal Logic

Computation Tree Logic

Theoretical Foundations of the UML

Overview. overview / 357

CS477 Formal Software Dev Methods

Modal logics: an introduction

Chapter 6: Computation Tree Logic

PSPACE-completeness of LTL/CTL model checking

CDS 270 (Fall 09) - Lecture Notes for Assignment 8.

Modal and Temporal Logics

Embedded systems specification and design

Alternating Time Temporal Logics*

Model checking (III)

Tecniche di Specifica e di Verifica. Automata-based LTL Model-Checking

Propositional Dynamic Logic

Model Theory of Modal Logic Lecture 1: A brief introduction to modal logic. Valentin Goranko Technical University of Denmark

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications

LTL Model Checking. Wishnu Prasetya.

LTL with Arithmetic and its Applications in Reasoning about Hierarchical Systems

Chapter 5: Linear Temporal Logic

Alternating-Time Temporal Logic

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

On the Expressiveness and Complexity of ATL

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Automata-Theoretic LTL Model-Checking

LTL is Closed Under Topological Closure

09 Modal Logic II. CS 3234: Logic and Formal Systems. October 14, Martin Henz and Aquinas Hobor

Topics in Verification AZADEH FARZAN FALL 2017

Course Runtime Verification

A brief introduction to Logic. (slides from

Reasoning About Bounds In Weighted Transition Systems

Announcements. CS243: Discrete Structures. Propositional Logic II. Review. Operator Precedence. Operator Precedence, cont. Operator Precedence Example

CS 267: Automated Verification. Lecture 1: Brief Introduction. Transition Systems. Temporal Logic LTL. Instructor: Tevfik Bultan

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

Syntax and Semantics of Propositional Linear Temporal Logic

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Tecniche di Specifica e di Verifica. Automata-based LTL Model-Checking

Model Checking: An Introduction

Lecture 3: Semantics of Propositional Logic

Advanced Topics in LP and FP

Introduction. Büchi Automata and Model Checking. Outline. Büchi Automata. The simplest computation model for infinite behaviors is the

Abstractions and Decision Procedures for Effective Software Model Checking

Language of Propositional Logic

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Classes and conversions

With Question/Answer Animations. Chapter 2

Announcements. CS311H: Discrete Mathematics. Propositional Logic II. Inverse of an Implication. Converse of a Implication

MODEL CHECKING. Arie Gurfinkel

First-order resolution for CTL

Correspondence between Kripke Structures and Labeled Transition Systems for Model Minimization

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

An Introduction to Modal Logic III

Automata-Theoretic Verification

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

A Hierarchy for Accellera s Property Specification Language

Notes on BAN Logic CSG 399. March 7, 2006

Tableau-based decision procedures for the logics of subinterval structures over dense orderings

Temporal Logic and Fair Discrete Systems

Model Checking Algorithms

Transcription:

Reactive Systems: Temporal Logic LT L Timo Latvala February 4, 2004

Reactive Systems: Temporal Logic LT L 8-1 Temporal Logics Temporal logics are currently the most widely used specification formalism for reactive systems. They were first suggested to be used for specifying properties of programs in late 1970 s by A. Pnueli. Before that philosophers had used similar logics to reason about the notions of knowledge and belief in natural language. In early 1980 s first practical tools using temporal logics as the specification language appeared.

Reactive Systems: Temporal Logic LT L 8-2 Why Use Temporal Logics? Temporal logics proved to be popular for several reasons: specifications have close correspondence to the natural language well defined semantics modelling language independent algorithms and tools for them exist expressive enough are succinct enough (more succinct than automata) allow easy complementation without blow-up

Reactive Systems: Temporal Logic LT L 8-3 Recall the definition of Kripke structures: Definition 1 Let AP be a non-empty set of atomic propositions. A Kripke structure is a four tuple M = (S,s 0,R,L), where S is a finite set of states, s 0 S is an initial state, R S S is a transition relation, for which it holds that s S : s S : (s,s ) R, and L : S 2 AP is labelling, a function which labels each state with the atomic propositions which hold in that state.

Reactive Systems: Temporal Logic LT L 8-4 Paths In temporal logics we are interested in non-terminating (infinite) executions of the system, whose behavior is described by the Kripke structure M. (Infinite executions are needed to handle liveness.) A path starting from a state s S is an infinite sequence of states π = s 0,s 1,s 2,..., such that s 0 = s and (s i,s i+1 ) R holds for all i 0.

Reactive Systems: Temporal Logic LT L 8-5 Temporal Logic LT L We start by defining the syntax of LTL, the logic we will mostly use in this course. The logic LT L is a linear temporal logic, meaning that the formulas are interpreted over infinite sequences of states. A minimal syntax for LT L formulas is the following. Given the set AP, an LT L formula is: true, false, or p for p AP f 1, f 1 f 2, X f 1, or f 1 U f 2, where f 1 and f 2 are LTL formulas The formula X f 1 is read next-time f 1, and f 1 U f 2 is read f 1 until f 2.

Reactive Systems: Temporal Logic LT L 8-6 Often a non-minimal version of the LT L syntax is used. Given the set AP, an LT L formula is: true, false, or p for p AP. f 1, f 1 f 2, f 1 f 2, X f 1, f 1 U f 2, or f 1 R f 2, where f 1 and f 2 are LTL formulas. The formula f 1 R f 2 is read f 1 releases f 2.

Reactive Systems: Temporal Logic LT L 8-7 This syntax of the previous slide is redundant, because actually f 1 f 2 = ( f 1 f 2 ), f 1 R f 2 = ( f 1 U f 2 ) and X f 1 = (X( f 1 )) hold in all temporal logics to be considered in this course. The redundancy is used by some algorithms to push negations deeper into the formula by using the temporal logic DeMorgan rules described above.

Reactive Systems: Temporal Logic LT L 8-8 Additional Shorthand Notation for LT L We also use standard propositional shorthands: f 1 f 2 = ( f 1 f 2 ), f 1 f 2 = (( f 1 f 2 ) ( f 1 f 2 )), etc. Some often used temporal logic shorthands are: F f 1 = trueu f 1, read finally f 1 (or in the future f 1 ) G f 1 = F f 1 (or equivalently G f 1 = falser f 1 ), read globally f 1 (or always f 1 ).

Reactive Systems: Temporal Logic LT L 8-9 Alternative Notation for LT L Also also the following notation is used often with LT L: f 1 = G f 1 (for box f 1 ), f 1 = F f 1 (for diamond f 1 ), and f 1 = X f 1 (for next-time f 1 ), f 1 U f 2 = f 1 U f 2 (alternative typesetting for until). The formula combination GF f 1 is read as infinitely often.

Reactive Systems: Temporal Logic LT L 8-10 Some examples of practical use of LTL formulas in specification are: (cs 1 cs 2 ) (it always holds that two processes are not at the same time in a critical section), (req ack) (it is always the case that a request is eventually followed by an acknowledgement), and (( sch 1 ) ( sch 2 )) ( (tr 1 cs 1 )) (if both process 1 and 2 are scheduled infinitely often, then always the entering of process 1 in the trying section is followed by the process 1 eventually entering the critical section).

Reactive Systems: Temporal Logic LT L 8-11 Semantics of LT L in a Path We denote the fact that an LT L formula f holds in a path π with the notation π = f. Another way of saying π = f is that the path π is a model of the formula f. The term model checking in fact refers to the fact that we are checking whether the behaviors of the system are models of the specification formula.

Reactive Systems: Temporal Logic LT L 8-12 Notation for Paths We use π i to denote the suffix of the path π = s 0,s 1,s 2,... starting at index i, and thus π i = s i,s i+1,s i+2,... We use π 0 to denote the first state of the path π = s 0,s 1,s 2,..., namely s 0. We next inductively define the = relation (when does a path π of the Kripke structure fulfill its specification f ).

Reactive Systems: Temporal Logic LT L 8-13 Semantics, part I The relation π = f is defined inductively as follows: π = true π = false π = p iff p L(π 0 ) for p AP π = f 1 iff not π = f 1 π = f 1 f 2 iff π = f 1 or π = f 2 π = f 1 f 2 iff π = f 1 and π = f 2

Reactive Systems: Temporal Logic LT L 8-14 Semantics, part II π = X f 1 iff π 1 = f 1 π = f 1 U f 2 iff there is j 0, such that π j = f 2 and for all 0 i < j, π i = f 1 π = f 1 R f 2 iff for all j 0, if for every 0 i < j π i = f 1 then π j = f 2 (Or equivalently: π = f 1 R f 2 iff ((there is j 0, such that π j = f 1 f 2 and for every 0 i < j, π j = f 2 ), or (π k = f 2 for all k 0)).) The alternative defintion of release is expressing release as: f 1 R f 2 = f 2 U ( f 1 f 2 ) f 2.

Reactive Systems: Temporal Logic LT L 8-15 Semantics, part III If we want, we can also express the semantics of f 1 and f 1 directly, instead of using the definitions f 1 = trueu f 1, and f 1 = falser f 1 : π = f 1 iff there is i 0, such that π i = f 1 π = f 1 iff for all i 0, π i = f 1

Reactive Systems: Temporal Logic LT L 8-16 Semantics in a State We also want to define when a formula f holds in a state s in a Kripke structure M. Definition 2 An LT L formula f holds in a state s of Kripke structure M, denoted M,s = f, iff for all paths π in M, such that π 0 = s, it holds that π = f. Thus a formula f holds in s iff it holds for all paths starting at s. Note: The LT L formulas are evaluated in paths. A single state can appear many times in a path, and have different LT L formulas holding at the different instances of the same state!

Reactive Systems: Temporal Logic LT L 8-17 Semantics in a Kripke Structure Now we want to also define when a Kripke structure satisfies the LT L specification f. Definition 3 An LT L formula f holds in a Kripke structure M, denoted M = f iff M,s 0 = f. We will in the future use logics which have both explicit A : for all paths, and E : there exist a path quantifications in the language. As shown above, the standard LT L interpretation adds an implicit for all paths quantification in front of the (top-level) LT L formula. Intuitively this means that out LT L specifications specify properties which should hold for all behaviors (paths) of the system.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback