An Introduction to Temporal Logics

Similar documents
Computation Tree Logic

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Lecture 16: Computation Tree Logic (CTL)

LTL and CTL. Lecture Notes by Dhananjay Raju

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

Verification Using Temporal Logic

Computation Tree Logic (CTL)

Automata-Theoretic Model Checking of Reactive Systems

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Linear Temporal Logic and Büchi Automata

Modal and Temporal Logics

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Model for reactive systems/software

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Timo Latvala. February 4, 2004

T Reactive Systems: Temporal Logic LTL

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

The State Explosion Problem

Temporal Logic Model Checking

PSPACE-completeness of LTL/CTL model checking

Finite-State Model Checking

Lecture 11 Safety, Liveness, and Regular Expression Logics

Temporal Logics for Specification and Verification

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

FAIRNESS FOR INFINITE STATE SYSTEMS

Alan Bundy. Automated Reasoning LTL Model Checking

Lecture Notes on Model Checking

Overview. overview / 357

Computer-Aided Program Design

PSL Model Checking and Run-time Verification via Testers

Alternating Time Temporal Logics*

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Reasoning about Time and Reliability

Model Checking Algorithms

Chapter 6: Computation Tree Logic

Monodic fragments of first-order temporal logics

Model Checking. Boris Feigin March 9, University College London

Model Checking with CTL. Presented by Jason Simas

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

State-Space Exploration. Stavros Tripakis University of California, Berkeley

Testing with model checkers: A survey

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

First-order resolution for CTL

Syntax and Semantics of Propositional Linear Temporal Logic

Meeting the Deadline: Why, When and How

Chapter 4: Computation tree logic

Symbolic Model Checking Property Specification Language*

Propositional Logic: Part II - Syntax & Proofs 0-0

From Liveness to Promptness

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

On simulations and bisimulations of general flow systems

CS357: CTL Model Checking (two lectures worth) David Dill

Temporal Logic and Fair Discrete Systems

Almost Linear Büchi Automata

The Safety Simple Subset

ESE601: Hybrid Systems. Introduction to verification

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

CTL, the branching-time temporal logic

Verification. Lecture 9. Bernd Finkbeiner Peter Faymonville Michael Gerke

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

Linear-Time Logic. Hao Zheng

Computation Tree Logic

Decision Procedures for CTL

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

CIS 842: Specification and Verification of Reactive Systems. Lecture Specifications: Specification Patterns

Model Checking: An Introduction

A 3 Valued Contraction Model Checking Game: Deciding on the World of Partial Information

Abstractions and Decision Procedures for Effective Software Model Checking

CS256/Winter 2009 Lecture #1. Zohar Manna. Instructor: Zohar Manna Office hours: by appointment

Models for Efficient Timed Verification

Model checking (III)

Chapter 5: Linear Temporal Logic

Model Checking Games for Branching Time Logics

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Reasoning about Strategies: From module checking to strategy logic

Formal Verification. Lecture 1: Introduction to Model Checking and Temporal Logic¹

Linear-time Temporal Logic

QBF Encoding of Temporal Properties and QBF-based Verification

MODEL CHECKING. Arie Gurfinkel

COMPUTER SCIENCE TEMPORAL LOGICS NEED THEIR CLOCKS

Automata-based Verification - III

Model-Checking Games: from CTL to ATL

Towards Algorithmic Synthesis of Synchronization for Shared-Memory Concurrent Programs

Revising Specifications with CTL Properties using Bounded Model Checking

Characterizing Fault-Tolerant Systems by Means of Simulation Relations

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

Deciding Safety and Liveness in TPTL

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

From Liveness to Promptness

A Hierarchy for Accellera s Property Specification Language

Timo Latvala. March 7, 2004

A Context Dependent Equivalence Relation Between Kripke Structures (Extended abstract)

Reasoning about Equilibria in Game-like Concurrent Systems

Transcription:

An Introduction to Temporal Logics c 2001,2004 M. Lawford

Outline Motivation: Dining Philosophers Safety, Liveness, Fairness & Justice Kripke structures, LTS, SELTS, and Paths Linear Temporal Logic Branching Temporal Logics: CTL and CTL Real-time Temporal Logics: RTTL, RTL, etc. 1

An Introduction to Temporal Logics References: E.M. Clarke, E.A. Emerson, and A.P. Sistla, Automatic verification of finite state concurrent systems using temporal logic specifications. ACM Trans on Prog Languages & Systems, Vol. 8, No. 2, April 1986, pp. 244-263. Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems. Springer-Verlag, New York, 1992. A. Arnold, Finite Transition Systems. Prentice Hall, 1994. J.S. Ostroff. Temporal Logic for Real-Time Systems. Research Studies Press/Wiley, Taunton, UK, 1989. E.A. Emerson et al. Quantitative temporal reasoning. Real-Time Systems, No. 4, pp. 331-352, 1992. 2

Motivation: Want to be able to express & verify properties of system dynamics: Safety (invariance): Nothing bad will happen Liveness: Something good will happen Allows for abstract specification of properties without providing all the details Can express properties that are not expressible by defining 1 step transition relation (e.g. fairness) 3

Detailed Outline Motivation System Models Kripke Structures Labeled Transitions Systems (LTS) State-Event Labeled Transition Systems (SELTS) Duality of State & Event representations Temporal Logics Propositional Logic LTL - Linear Temporal Logic CTL - Computational Tree Logic CTL* LTL and CTL - What s the difference? Expressivity, Complexity, & Decidability 4

Motivation: Dining Philosophers & Deadlock Abstraction of resource sharing problem common in many systems. n philosophers seated at round table with food in center n chop sticks, one between each pair Philosophers are either thinking or eating To eat a philosopher must use 2 chopsticks (the one to their left & one to their right Greedy heuristic: Hold on to any chop-stick until you get to eat. Deadlock: When the system is prevented from taking any action (no transitions are possible since all enablement conditions are false). Problem: System can deadlock (how?) 5

Motivation for Fairness Less Greedy heuristic: Only pick up right chopstick if left present. Assumptions: weak fairness: any transition that is continuously enabled eventually happens (i.e. philosopher who is eating will always eventually finish) Still not enough! strong fairness: any transition that is enabled infinitely often will eventually occur. (If his/her two chop-sticks are available infinitely often, philosopher will eventually eat - and hence eat infinitely often.) 6

Motivation: Dining Philosophers & Livelock Strong fairness assumption for Less Greedy heuristic still not enough to prevent individual starvation due to livelock. Livelock: When system component is prevented from taking any action or a particular action (individual starvation). Two can starve in n = 4 (4 philosophers) case if consecutive feedings allowed. How? a) 1 starts eating, then 3. b) 1 finishes, then starts feeding again before 3 finishes. c) 3 finishes,then starts again before 1 finishes... Even disallowing consecutive feedings for n 5, one philosopher can still starve due livelock. How? 7

Motivation Want to be able to express & verify properties of system dynamics: Safety : Nothing bad will happen. Liveness : Something good will happen. Fairness : Independent processes will progress. Temporal logics: Allows for formal abstract specification of above properties Can express properties that are not expressible by describing 1 step transition relation (e.g. fairness). Can be effectively model-checked for finite state systems Predicate logic allows to reason about a state. Temporal logic allows to reason about sequences of states. 8

Kripke Structures S is a set of states M := S, R, S 0, A, P R S S is a transition relation (or equivalently R : S P(S)) S 0 S is a set of initial states A is a set of atomic propositions (e.g. y=1) P : S P(A) labels each state with the set of atomic propositions satisfied by the state is a Kripke structure (aka. labeled state transition graph) A path in M is a sequence of states π: π := s 0 s 1... s n S + and R(s n ) = or, π := s 0 s 1... S ω such that s 0 S 0 and for all i 0, (s i, s i+1 ) R in which case we write s i s i+1. 9

Paths & Postfixes Let π be the length of the path π. Any path or computation π in a Kripke structure satisfies the following: i) Initialization: s 0 is an initial state of M. ii) Succession: 0 i < π implies (s i, s i+1 ) R (i.e. s i s i+1 in M) iii) Diligence: π is finite, ending in state s n iff R(s n ) =. Def: The kth postfix of a path π = s 0 s 1..., denoted π k will be used to denote the k-shifted suffix of π, that is π k := s k s k+1.... 10

Labeled Transition Systems (LTS) S is a set of states M := S, Σ, R Σ, S 0 Σ is a set of transition labels ( events ) R Σ = {α M S S α Σ} is a set of transition relations (or, equivalently, for each α Σ, α M : S P(S)) S 0 S is a set of initial states is a Labeled Transition System (LTS) A path in M is a sequence of states and events π: α π := s 1 α 0 s 2 1... α n 1 s n and ( α Σ)α M (s n ) =, or π := s 0 α 1 s 1 α 2... such that s 0 S 0 and for all i 0, (s i, s i+1 ) α M i in which case we write s i α i s i+1. 11

State Event Labeled Transition Systems (SELTS) M := S, Σ, R Σ, S 0, P where S, Σ, R Σ, S 0 is a LTS, and P : S P(A) is a state output map, is a State Event Labeled Transition System (SELTS) A path in M is defined the same as for a LTS. Such paths in a transition system satisfying the diligence property are also known as maximal paths. 12

An SELTS Example tick q 0 (0,1,a) [0,0,0] α State Legend (u, v, x) [c α, c β, c γ ] tick (0,1,a) [1,0,1] α (1,1,b) [0,0,0] tick (0,1,a) [2,0,2] (1,1,b) [0,0,1] (1,1,b) [0,1,1] γ (0,1,c) [0,0,0] α (1,1,b) [0,0,2] γ tick (1,1,b) [0,1,2] γ γ tick (1,1,b) [0,2,2] β tick (1,1,e) [0,0,0] (2,0,d) [0,0,0] tick tick 13

Duality of State and Event Models Claim 1: Any LTS has an equivalent Kripke structure representation. Proof: For LTS M := S, Σ, R Σ, S 0 create Kripke structure M := S, R, S 0, A, P : Let S := S Σ. Then (s 1, α 1 ) (s 2, α 2 ) in M α iff ( s S)s 1 α 1 s 2 2 s in M defines R. Take S 0 := {(s 0, α 0 ) S s 0 S 0 α M 0 (s 0) } Let η be the next event variable. Take A := {η = α α Σ} So P : S P(A ) is given by (s, α) P (η = α) Corollary: Any SELTS has an equivalent Kripke structure representation. Claim 2: Any Kripke structure has an equivalent LTS representation. 14

Linear Temporal Logic: Syntax The definition of linear temporal logic formula adds two new operators X and U, to the definition of a propositional formula. Def: A formula is defined as follows: 1. If φ A {, } then φ formula. 2. If φ and ψ are formulas, so are: ( φ), (φ ψ), (φ ψ), (φ ψ), (φ ψ) 3. If φ and ψ are formulas, then so are: Xφ and φuψ 15

Linear Temporal Logic: Semantics Def: (Satisfaction) For LTL formulas φ, φ 1 and φ 2, M a Kripke structure and π := s 0 s 1..., a path in M then the satisfaction relation is defined as follows: If φ A {, }, is an atomic proposition or logical constant, then π = φ iff s 0 = φ (i.e. φ P (s 0 ) or φ is ) π = φ 1 φ 2 iff π = φ 1 or π = φ 2 π = φ 1 φ 2 iff π = φ 1 and π = φ 2 π = φ iff π = φ π = Xφ iff π 1 exists and π 1 = φ π = φ 1 Uφ 2 iff π = φ 2, or ( k > 0) π k is defined, π k = φ 2 and ( i : 0 i < k)π i = φ 1. We say that state s of M satisfies formula φ, written M, s = φ iff for every path π in M starting at s, we have π = φ. We say that M = φ iff for every path π in M it is the case that π = φ 16

Derived Operators: F & G Linear Temporal Logic (LTL) allows us to say: A formula will eventually be true on a path A formula will alway be true on a path Consider the temporal formula Uφ Since is true in every state, Uφ is satisfied by any path π for which ( k 0)π k = φ (i.e. EVENTUALLY φ is true in path π). As an abbreviation for Uφ we write Fφ. If φ is always true at every state in π, then it must be the case that φ is never true. i.e. π = F φ. In this case we say that HENCEFORTH φ is true in π. As an abbreviation for F φ we write Gφ. 17

Combining Temporal Operators Let π be an infinite path. By combining the F and G operators we can say: At a certain point, a formula is true at all future states of the path π = FGφ iff ( k 0)π k = Gφ iff ( k 0)( i k)π i = φ A formula is true at infinitely many states on the path π = GFφ iff ( k 0)π k = Fφ iff ( k 0)( i k)π i = φ 18

Fairness Formulas Strong Fairness: FGφ 1 GFφ 2 E.g. For Dining philosophers, want paths to satisfy property: FG(x i = Feed) GF(x i = Think) If a philosopher tries to feed forever, then he will always eventually be thinking. This simplifies to FG(x i = Feed) (i.e. He won t succeed at feeding forever) for philosopher with two states. Weak Fairness: GFφ 1 GFφ 2 GF(x i = Think) GF(x i = Feed) If a philosopher is thinking infinitely often, he will feed infinitely often. 19

Computational Tree Logic (CTL): Syntax The definition of a CTL formula adds four new operators EX, AX, E( U ) and A( U ), to the definition of a propositional formula. Def: A formula is defined as follows: 1. If φ A or φ is or then φ formula. 2. If φ and ψ are formulas, so are: ( φ), (φ ψ), (φ ψ), (φ ψ), (φ ψ) 3. If φ and ψ are formulas, then so are: EXφ, AXφ, and E(φUψ), A(φUψ) 20

CTL: Semantics Def: (Satisfaction) For temporal formulas φ, φ 1 and φ 2, M a Kripke structure and s 0 S a state of M, the satisfaction relation = is defined as follows: If φ A {, }, is an atomic proposition or logical constant, then M, s 0 = φ iff s 0 = φ (i.e. φ P (s 0 ) or φ is ) M, s 0 = φ 1 φ 2 iff M, s 0 = φ 1 or M, s 0 = φ 2 M, s 0 = φ 1 φ 2 iff M, s 0 = φ 1 and M, s 0 = φ 2 M, s 0 = φ iff M, s 0 = φ M, s 0 = EXφ iff ( s S)s 0 s and M, s = φ M, s 0 = AXφ iff ( s S) if s 0 s then M, s = φ 21

CTL: Semantics (cont.) M, s 0 = E(φ 1 Uφ 2 ) iff M, s 0 = φ 2, or ( π = s 0 s 1... s n...), a path in M s.t. ( k > 0), M, s k = φ 2, and ( i : 0 i < k)m, s i = φ 1. M, s 0 = A(φ 1 Uφ 2 ) iff M, s 0 = φ 2, or ( π = s 0 s 1... s n...), paths in M, ( k > 0), M, s k = φ 2, and ( i : 0 i < k)m, s i = φ 1 π = s 0 s 1... s n is a finite path and ( i : 0 i n)m, s i = φ 1. 22

Expressivity of LTL and CTL A logic is said to be more expressive than another if it can express (say) more things. In terms of expressivity, LTL and CTL are not comparable in the sense that each logic can say things that the other cannot, e.g. LTL cannot express the existence of a path like CTL can (e.g. EXφ) CTL cannot express fairness constraints such as the LTL formula GF(η = tick) GF(η = β) This motivates the creation of CTL, a logic that is more expressive than both LTL and CTL. 23

CTL : Syntax In terms of expressivity CTL is a superset of both LTL and CTL. A state formula is any formula of the form: φ ::= p ( φ) (φ φ) A[α] E[α] where p is any atomic proposition and α is a path formula and A path formula is any formula of the form: α ::= φ ( α) (α α) αuα Xα where φ is any state formula. 24

Real Time Temporal Logic (RTTL) Assume we are dealing with a SELTS M. Consider path: π := s 0 α 1 s 1 α 2... For an event α Σ, define #α(π, k) = { number of α s from s0 and s k undefined if k > π π = F 1 U α [l,u] F 2 iff k 0 such that π k is defined, π k = F 2 and i, 0 i < k, π i = F 1 and l #α(π, k) u. If we have a distinguished event tick that represents the tick of a global clock, then π = F 1 U tick [l,u] F 2 iff path π satisfies F 1 until F 2 between the lth and u + 1th tick transition. 25

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback