Advanced Logic Linear Temporal Logic Computation Tree Logic - - PowerPoint PPT Presentation

— Advanced Logic — Linear Temporal Logic Computation Tree Logic

Daniel Gebler

VU University Amsterdam

March 11, 2013

Overview

Linear temporal logic (LTL):

◮ describes properties of paths (individual executions) ◮ no modalities to reason about branching

Computation tree logic (CTL):

◮ is a branching-time logic ◮ time has a tree structure (multiple possible futures) ◮ has modalities for reasoning about the branching structure

Linear Temporal Logic (LTL)

Linear temporal logic (LTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ U φ | X φ where p ∈ Ω LTL formulas have meaning on individual computation paths:

◮ let π = s1 → s2 → s3 → . . . a path; write πi for si → si+1 → . . .

The path π satisfies φ, π | = φ, is defined by:

1

π | = p iff s1 ∈ V (p)

2

π | = ⊤; π | = ¬φ iff π | = φ; π | = φ1 ∧ φ2 iff π | = φ1 and π | = φ2

Linear Temporal Logic (LTL)

Linear temporal logic (LTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ U φ until | X φ where p ∈ Ω LTL formulas have meaning on individual computation paths:

◮ let π = s1 → s2 → s3 → . . . a path; write πi for si → si+1 → . . .

The path π satisfies φ, π | = φ, is defined by:

1

π | = p iff s1 ∈ V (p)

2

π | = ⊤; π | = ¬φ iff π | = φ; π | = φ1 ∧ φ2 iff π | = φ1 and π | = φ2

Linear Temporal Logic (LTL)

Linear temporal logic (LTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ U φ until | X φ next where p ∈ Ω LTL formulas have meaning on individual computation paths:

◮ let π = s1 → s2 → s3 → . . . a path; write πi for si → si+1 → . . .

The path π satisfies φ, π | = φ, is defined by:

1

π | = p iff s1 ∈ V (p)

2

π | = ⊤; π | = ¬φ iff π | = φ; π | = φ1 ∧ φ2 iff π | = φ1 and π | = φ2

Linear Temporal Logic (LTL)

Linear temporal logic (LTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ U φ until | X φ next where p ∈ Ω LTL formulas have meaning on individual computation paths:

◮ let π = s1 → s2 → s3 → . . . a path; write πi for si → si+1 → . . .

The path π satisfies φ, π | = φ, is defined by:

1

π | = p iff s1 ∈ V (p)

2

π | = ⊤; π | = ¬φ iff π | = φ; π | = φ1 ∧ φ2 iff π | = φ1 and π | = φ2

3

π | = φ U ψ (φ is true until ψ is true) φ φ φ φ ψ formally: for some i ≥ 1, πi | = ψ and for all j < i, πj | = φ

Linear Temporal Logic (LTL)

Linear temporal logic (LTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ U φ until | X φ next where p ∈ Ω LTL formulas have meaning on individual computation paths:

◮ let π = s1 → s2 → s3 → . . . a path; write πi for si → si+1 → . . .

The path π satisfies φ, π | = φ, is defined by:

1

π | = p iff s1 ∈ V (p)

2

π | = ⊤; π | = ¬φ iff π | = φ; π | = φ1 ∧ φ2 iff π | = φ1 and π | = φ2

3

π | = φ U ψ (φ is true until ψ is true) φ φ φ φ ψ formally: for some i ≥ 1, πi | = ψ and for all j < i, πj | = φ

4

π | = X φ (φ is true in the next moment in time) φ formally: π2 | = φ

LTL: Extended

Linear temporal logic (LTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ U φ until | X φ next | F φ | G φ where p ∈ Ω

LTL: Extended

Linear temporal logic (LTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ U φ until | X φ next | F φ finally | G φ where p ∈ Ω

LTL: Extended

Linear temporal logic (LTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ U φ until | X φ next | F φ finally | G φ globally where p ∈ Ω

LTL: Extended

Linear temporal logic (LTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ U φ until | X φ next | F φ finally | G φ globally where p ∈ Ω

1

π | = G φ iff for all i ≥ 1, πi | = φ φ φ φ φ φ φ

LTL: Extended

Linear temporal logic (LTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ U φ until | X φ next | F φ finally | G φ globally where p ∈ Ω

1

π | = G φ iff for all i ≥ 1, πi | = φ φ φ φ φ φ φ

2

π | = F φ iff for some i ≥ 1, πi | = φ φ

LTL: Extended

Linear temporal logic (LTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ U φ until | X φ next | F φ finally | G φ globally where p ∈ Ω

1

π | = G φ iff for all i ≥ 1, πi | = φ φ φ φ φ φ φ

2

π | = F φ iff for some i ≥ 1, πi | = φ φ The modalities F and G can be defined:

LTL: Extended

Linear temporal logic (LTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ U φ until | X φ next | F φ finally | G φ globally where p ∈ Ω

1

π | = G φ iff for all i ≥ 1, πi | = φ φ φ φ φ φ φ

2

π | = F φ iff for some i ≥ 1, πi | = φ φ The modalities F and G can be defined: F = ⊤ U φ G φ = ¬F ¬φ = ¬(⊤ U ¬φ)

LTL: Extended

Linear temporal logic (LTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ U φ until | X φ next | F φ finally | G φ globally where p ∈ Ω

1

π | = G φ iff for all i ≥ 1, πi | = φ φ φ φ φ φ φ

2

π | = F φ iff for some i ≥ 1, πi | = φ φ The modalities F and G can be defined: F = ⊤ U φ G φ = ¬F ¬φ = ¬(⊤ U ¬φ) Binding strength: ¬, X , F , G stronger than U than ∧, ∨ than →, ↔

LTL: Examples

◮ F G φ :

LTL: Examples

◮ F G φ : from some point on, φ holds forever

φ φ φ φ

LTL: Examples

◮ F G φ : from some point on, φ holds forever

φ φ φ φ

◮ G F φ :

LTL: Examples

◮ F G φ : from some point on, φ holds forever

φ φ φ φ

◮ G F φ : always eventually φ (in every suffix, at some point φ holds)

φ φ φ

LTL: Models

M, s | = φ if φ is satisfied on every path starting at s. M | = φ if φ is satisfied on every path starting from the initial state.

LTL: Models

M, s | = φ if φ is satisfied on every path starting at s. M | = φ if φ is satisfied on every path starting from the initial state. s1 s2 extended s3 extended, malfunction pull breaks release

LTL: Models

M, s | = φ if φ is satisfied on every path starting at s. M | = φ if φ is satisfied on every path starting from the initial state. s1 s2 extended s3 extended, malfunction pull breaks release Which of the states satisfies the following? ? | = X extended ? | = F G extended ? | = X X extended ? | = ¬ F G extended ? | = F extended ? | = G (¬extended → X extended) ? | = G extended ? | = G (extended → X ¬extended) ? | = G F extended

LTL: Models

M, s | = φ if φ is satisfied on every path starting at s. M | = φ if φ is satisfied on every path starting from the initial state. s1 s2 extended s3 extended, malfunction pull breaks release Which of the states satisfies the following? M, s1, s3 | = X extended ? | = F G extended ? | = X X extended ? | = ¬ F G extended ? | = F extended ? | = G (¬extended → X extended) ? | = G extended ? | = G (extended → X ¬extended) ? | = G F extended

LTL: Models

M, s | = φ if φ is satisfied on every path starting at s. M | = φ if φ is satisfied on every path starting from the initial state. s1 s2 extended s3 extended, malfunction pull breaks release Which of the states satisfies the following? M, s1, s3 | = X extended ? | = F G extended M, s2, s3 | = X X extended ? | = ¬ F G extended ? | = F extended ? | = G (¬extended → X extended) ? | = G extended ? | = G (extended → X ¬extended) ? | = G F extended

LTL: Models

M, s | = φ if φ is satisfied on every path starting at s. M | = φ if φ is satisfied on every path starting from the initial state. s1 s2 extended s3 extended, malfunction pull breaks release Which of the states satisfies the following? M, s1, s3 | = X extended ? | = F G extended M, s2, s3 | = X X extended ? | = ¬ F G extended M, s1, s2, s3 | = F extended ? | = G (¬extended → X extended) ? | = G extended ? | = G (extended → X ¬extended) ? | = G F extended

LTL: Models

M, s | = φ if φ is satisfied on every path starting at s. M | = φ if φ is satisfied on every path starting from the initial state. s1 s2 extended s3 extended, malfunction pull breaks release Which of the states satisfies the following? M, s1, s3 | = X extended ? | = F G extended M, s2, s3 | = X X extended ? | = ¬ F G extended M, s1, s2, s3 | = F extended ? | = G (¬extended → X extended) M, s3 | = G extended ? | = G (extended → X ¬extended) ? | = G F extended

LTL: Models

M, s | = φ if φ is satisfied on every path starting at s. M | = φ if φ is satisfied on every path starting from the initial state. s1 s2 extended s3 extended, malfunction pull breaks release Which of the states satisfies the following? M, s1, s3 | = X extended ? | = F G extended M, s2, s3 | = X X extended ? | = ¬ F G extended M, s1, s2, s3 | = F extended ? | = G (¬extended → X extended) M, s3 | = G extended ? | = G (extended → X ¬extended) M, s1, s2, s3 | = G F extended

LTL: Models

M, s | = φ if φ is satisfied on every path starting at s. M | = φ if φ is satisfied on every path starting from the initial state. s1 s2 extended s3 extended, malfunction pull breaks release Which of the states satisfies the following? M, s1, s3 | = X extended M, s3 | = F G extended M, s2, s3 | = X X extended ? | = ¬ F G extended M, s1, s2, s3 | = F extended ? | = G (¬extended → X extended) M, s3 | = G extended ? | = G (extended → X ¬extended) M, s1, s2, s3 | = G F extended

LTL: Models

M, s | = φ if φ is satisfied on every path starting at s. M | = φ if φ is satisfied on every path starting from the initial state. s1 s2 extended s3 extended, malfunction pull breaks release Which of the states satisfies the following? M, s1, s3 | = X extended M, s3 | = F G extended M, s2, s3 | = X X extended M, s1, s2, s3 | = ¬ F G extended M, s1, s2, s3 | = F extended ? | = G (¬extended → X extended) M, s3 | = G extended ? | = G (extended → X ¬extended) M, s1, s2, s3 | = G F extended

LTL: Models

M, s | = φ if φ is satisfied on every path starting at s. M | = φ if φ is satisfied on every path starting from the initial state. s1 s2 extended s3 extended, malfunction pull breaks release Which of the states satisfies the following? M, s1, s3 | = X extended M, s3 | = F G extended M, s2, s3 | = X X extended M, s1, s2, s3 | = ¬ F G extended M, s1, s2, s3 | = F extended ? | = G (¬extended → X extended) M, s3 | = G extended ? | = G (extended → X ¬extended) M, s1, s2, s3 | = G F extended Note that: M | = F G extended and M | = ¬ F G extended !

LTL: Models

M, s | = φ if φ is satisfied on every path starting at s. M | = φ if φ is satisfied on every path starting from the initial state. s1 s2 extended s3 extended, malfunction pull breaks release Which of the states satisfies the following? M, s1, s3 | = X extended M, s3 | = F G extended M, s2, s3 | = X X extended M, s1, s2, s3 | = ¬ F G extended M, s1, s2, s3 | = F extended M | = G (¬extended → X extended) M, s3 | = G extended ? | = G (extended → X ¬extended) M, s1, s2, s3 | = G F extended Note that: M | = F G extended and M | = ¬ F G extended !

LTL: Models

M, s | = φ if φ is satisfied on every path starting at s. M | = φ if φ is satisfied on every path starting from the initial state. s1 s2 extended s3 extended, malfunction pull breaks release Which of the states satisfies the following? M, s1, s3 | = X extended M, s3 | = F G extended M, s2, s3 | = X X extended M, s1, s2, s3 | = ¬ F G extended M, s1, s2, s3 | = F extended M | = G (¬extended → X extended) M, s3 | = G extended M, s1, s2, s3 | = G (extended → X ¬extended) M, s1, s2, s3 | = G F extended Note that: M | = F G extended and M | = ¬ F G extended !

LTL: Equivalence of Formulas

LTL formulas φ and ψ are semantically equivalent, denoted by φ ≡ ψ, if they are true for the same paths

LTL: Equivalence of Formulas

LTL formulas φ and ψ are semantically equivalent, denoted by φ ≡ ψ, if they are true for the same paths Which of the following are semantically equivalent? X (φ ∨ ψ) ≡ X φ ∨ X ψ X (φ ∧ ψ) ≡ X φ ∧ X ψ F (φ ∧ ψ) ≡ F φ ∧ F ψ F (φ ∨ ψ) ≡ F φ ∨ F ψ G (φ ∧ ψ) ≡ G φ ∧ F ψ G (φ ∨ ψ) ≡ G φ ∨ F ψ ρ U (φ ∨ ψ) ≡ (ρ U φ) ∨ (ρ U ψ) ρ U (φ ∧ ψ) ≡ (ρ U φ) ∧ (ρ U ψ) F F φ ≡ F φ G G φ ≡ G φ F G φ ≡ G F φ ¬F φ ≡ G ¬φ ¬G φ ≡ F ¬φ F φ ≡ φ ∨ X (F φ) G φ ≡ φ ∧ X (G φ) φ U ψ ≡ φ U (φ U ψ)

LTL: Equivalence of Formulas

LTL formulas φ and ψ are semantically equivalent, denoted by φ ≡ ψ, if they are true for the same paths Which of the following are semantically equivalent? X (φ ∨ ψ) ≡ X φ ∨ X ψ X (φ ∧ ψ) ≡ X φ ∧ X ψ F (φ ∧ ψ) ≡ F φ ∧ F ψ F (φ ∨ ψ) ≡ F φ ∨ F ψ G (φ ∧ ψ) ≡ G φ ∧ F ψ G (φ ∨ ψ) ≡ G φ ∨ F ψ ρ U (φ ∨ ψ) ≡ (ρ U φ) ∨ (ρ U ψ) ρ U (φ ∧ ψ) ≡ (ρ U φ) ∧ (ρ U ψ) F F φ ≡ F φ G G φ ≡ G φ F G φ ≡ G F φ ¬F φ ≡ G ¬φ ¬G φ ≡ F ¬φ F φ ≡ φ ∨ X (F φ) G φ ≡ φ ∧ X (G φ) φ U ψ ≡ φ U (φ U ψ)

LTL: Equivalence of Formulas

LTL formulas φ and ψ are semantically equivalent, denoted by φ ≡ ψ, if they are true for the same paths Which of the following are semantically equivalent? X (φ ∨ ψ) ≡ X φ ∨ X ψ X (φ ∧ ψ) ≡ X φ ∧ X ψ F (φ ∧ ψ) ≡ F φ ∧ F ψ F (φ ∨ ψ) ≡ F φ ∨ F ψ G (φ ∧ ψ) ≡ G φ ∧ F ψ G (φ ∨ ψ) ≡ G φ ∨ F ψ ρ U (φ ∨ ψ) ≡ (ρ U φ) ∨ (ρ U ψ) ρ U (φ ∧ ψ) ≡ (ρ U φ) ∧ (ρ U ψ) F F φ ≡ F φ G G φ ≡ G φ F G φ ≡ G F φ ¬F φ ≡ G ¬φ ¬G φ ≡ F ¬φ F φ ≡ φ ∨ X (F φ) G φ ≡ φ ∧ X (G φ) φ U ψ ≡ φ U (φ U ψ)

LTL: Equivalence of Formulas

LTL formulas φ and ψ are semantically equivalent, denoted by φ ≡ ψ, if they are true for the same paths Which of the following are semantically equivalent? X (φ ∨ ψ) ≡ X φ ∨ X ψ X (φ ∧ ψ) ≡ X φ ∧ X ψ F (φ ∧ ψ) ≡ F φ ∧ F ψ F (φ ∨ ψ) ≡ F φ ∨ F ψ G (φ ∧ ψ) ≡ G φ ∧ F ψ G (φ ∨ ψ) ≡ G φ ∨ F ψ ρ U (φ ∨ ψ) ≡ (ρ U φ) ∨ (ρ U ψ) ρ U (φ ∧ ψ) ≡ (ρ U φ) ∧ (ρ U ψ) F F φ ≡ F φ G G φ ≡ G φ F G φ ≡ G F φ ¬F φ ≡ G ¬φ ¬G φ ≡ F ¬φ F φ ≡ φ ∨ X (F φ) G φ ≡ φ ∧ X (G φ) φ U ψ ≡ φ U (φ U ψ)

LTL: Equivalence of Formulas

LTL formulas φ and ψ are semantically equivalent, denoted by φ ≡ ψ, if they are true for the same paths Which of the following are semantically equivalent? X (φ ∨ ψ) ≡ X φ ∨ X ψ X (φ ∧ ψ) ≡ X φ ∧ X ψ F (φ ∧ ψ) ≡ F φ ∧ F ψ F (φ ∨ ψ) ≡ F φ ∨ F ψ G (φ ∧ ψ) ≡ G φ ∧ F ψ G (φ ∨ ψ) ≡ G φ ∨ F ψ ρ U (φ ∨ ψ) ≡ (ρ U φ) ∨ (ρ U ψ) ρ U (φ ∧ ψ) ≡ (ρ U φ) ∧ (ρ U ψ) F F φ ≡ F φ G G φ ≡ G φ F G φ ≡ G F φ ¬F φ ≡ G ¬φ ¬G φ ≡ F ¬φ F φ ≡ φ ∨ X (F φ) G φ ≡ φ ∧ X (G φ) φ U ψ ≡ φ U (φ U ψ)

Mutual Exclusion

◮ multiple processes ◮ a shared resource that can only be used by one process at a time

process P process Q shared resource

Mutual Exclusion

◮ multiple processes ◮ a shared resource that can only be used by one process at a time

process P process Q shared resource P non critical . . . CP critical section . . . non critical Q non critical . . . CQ critical section . . . non critical To solve conflicts: processes agree on a negotiation protocol.

◮ mutual exclusion: never more than one process in the critical section

Mutual Exclusion

◮ multiple processes ◮ a shared resource that can only be used by one process at a time

process P process Q shared resource P non critical . . . CP critical section . . . non critical Q non critical . . . CQ critical section . . . non critical To solve conflicts: processes agree on a negotiation protocol.

◮ mutual exclusion: never more than one process in the critical section

G ¬(CQ ∧ CP)

Mutual Exclusion: Attempt 1

◮ boolean variable free = 1

P loop forever p1: wait for free = 1 p2: free = 0 CP: critical section p4: free = 1 Q loop forever q1: wait for free = 1 q2: free = 0 CQ: critical section q4: free = 1 For such a program we compute the state space:

p1,q1,1

Mutual Exclusion: Attempt 1

◮ boolean variable free = 1

P loop forever p1: wait for free = 1 p2: free = 0 CP: critical section p4: free = 1 Q loop forever q1: wait for free = 1 q2: free = 0 CQ: critical section q4: free = 1 For such a program we compute the state space:

p1,q1,1 p2,q1,1

Mutual Exclusion: Attempt 1

◮ boolean variable free = 1

P loop forever p1: wait for free = 1 p2: free = 0 CP: critical section p4: free = 1 Q loop forever q1: wait for free = 1 q2: free = 0 CQ: critical section q4: free = 1 For such a program we compute the state space:

p1,q1,1 p2,q1,1 CP,q1,0

Mutual Exclusion: Attempt 1

◮ boolean variable free = 1

P loop forever p1: wait for free = 1 p2: free = 0 CP: critical section p4: free = 1 Q loop forever q1: wait for free = 1 q2: free = 0 CQ: critical section q4: free = 1 For such a program we compute the state space:

p1,q1,1 p2,q1,1 CP,q1,0 p4,q1,0

Mutual Exclusion: Attempt 1

◮ boolean variable free = 1

P loop forever p1: wait for free = 1 p2: free = 0 CP: critical section p4: free = 1 Q loop forever q1: wait for free = 1 q2: free = 0 CQ: critical section q4: free = 1 For such a program we compute the state space:

p1,q1,1 p2,q1,1 CP,q1,0 p4,q1,0

Mutual Exclusion: Attempt 1

◮ boolean variable free = 1

P loop forever p1: wait for free = 1 p2: free = 0 CP: critical section p4: free = 1 Q loop forever q1: wait for free = 1 q2: free = 0 CQ: critical section q4: free = 1 For such a program we compute the state space:

p1,q1,1 p2,q1,1 CP,q1,0 p4,q1,0 p1,q2,1

Mutual Exclusion: Attempt 1

◮ boolean variable free = 1

P loop forever p1: wait for free = 1 p2: free = 0 CP: critical section p4: free = 1 Q loop forever q1: wait for free = 1 q2: free = 0 CQ: critical section q4: free = 1 For such a program we compute the state space:

p1,q1,1 p2,q1,1 CP,q1,0 p4,q1,0 p1,q2,1 p1,CQ,0

Mutual Exclusion: Attempt 1

◮ boolean variable free = 1

P loop forever p1: wait for free = 1 p2: free = 0 CP: critical section p4: free = 1 Q loop forever q1: wait for free = 1 q2: free = 0 CQ: critical section q4: free = 1 For such a program we compute the state space:

p1,q1,1 p2,q1,1 CP,q1,0 p4,q1,0 p1,q2,1 p1,CQ,0 p1,q4,0

Mutual Exclusion: Attempt 1

◮ boolean variable free = 1

P loop forever p1: wait for free = 1 p2: free = 0 CP: critical section p4: free = 1 Q loop forever q1: wait for free = 1 q2: free = 0 CQ: critical section q4: free = 1 For such a program we compute the state space:

p1,q1,1 p2,q1,1 CP,q1,0 p4,q1,0 p1,q2,1 p1,CQ,0 p1,q4,0

Mutual Exclusion: Attempt 1

◮ boolean variable free = 1

P loop forever p1: wait for free = 1 p2: free = 0 CP: critical section p4: free = 1 Q loop forever q1: wait for free = 1 q2: free = 0 CQ: critical section q4: free = 1 For such a program we compute the state space:

p1,q1,1 p2,q1,1 CP,q1,0 p4,q1,0 p1,q2,1 p1,CQ,0 p1,q4,0

Mutual Exclusion: Attempt 1

◮ boolean variable free = 1

P loop forever p1: wait for free = 1 p2: free = 0 CP: critical section p4: free = 1 Q loop forever q1: wait for free = 1 q2: free = 0 CQ: critical section q4: free = 1 For such a program we compute the state space:

p1,q1,1 p2,q1,1 CP,q1,0 p4,q1,0 p1,q2,1 p1,CQ,0 p1,q4,0 p2,q2,1

Mutual Exclusion: Attempt 1

◮ boolean variable free = 1

P loop forever p1: wait for free = 1 p2: free = 0 CP: critical section p4: free = 1 Q loop forever q1: wait for free = 1 q2: free = 0 CQ: critical section q4: free = 1 For such a program we compute the state space:

p1,q1,1 p2,q1,1 CP,q1,0 p4,q1,0 p1,q2,1 p1,CQ,0 p1,q4,0 p2,q2,1 p2,CQ,0

Mutual Exclusion: Attempt 1

◮ boolean variable free = 1

P loop forever p1: wait for free = 1 p2: free = 0 CP: critical section p4: free = 1 Q loop forever q1: wait for free = 1 q2: free = 0 CQ: critical section q4: free = 1 For such a program we compute the state space:

p1,q1,1 p2,q1,1 CP,q1,0 p4,q1,0 p1,q2,1 p1,CQ,0 p1,q4,0 p2,q2,1 p2,CQ,0 CP,CQ,0

Mutual Exclusion: Attempt 1

◮ boolean variable free = 1

P loop forever p1: wait for free = 1 p2: free = 0 CP: critical section p4: free = 1 Q loop forever q1: wait for free = 1 q2: free = 0 CQ: critical section q4: free = 1 For such a program we compute the state space:

p1,q1,1 p2,q1,1 CP,q1,0 p4,q1,0 p1,q2,1 p1,CQ,0 p1,q4,0 p2,q2,1 p2,CQ,0 CP,CQ,0 CP,q2,0

Mutual Exclusion: Attempt 1

◮ boolean variable free = 1

P loop forever p1: wait for free = 1 p2: free = 0 CP: critical section p4: free = 1 Q loop forever q1: wait for free = 1 q2: free = 0 CQ: critical section q4: free = 1 For such a program we compute the state space:

p1,q1,1 p2,q1,1 CP,q1,0 p4,q1,0 p1,q2,1 p1,CQ,0 p1,q4,0 p2,q2,1 p2,CQ,0 CP,CQ,0 CP,q2,0 p2,q4,0 p4,q2,0 CP,q4,0 p4,CQ,0 p4,q4,0

Model Checking

1

Formalize the system design

2

Formalize the validation requirements

3

Validate: system meets requirements

System Reqs LTL SPIN engine Req1 Req2 . . . Reqn System design Promela or Embedded C Verification process

Mutual Exclusion: Peterson

◮ boolean variables x = 0, y = 0, t = 0

P loop forever p1: x = 1 p2: turn = 1 p3: wait for y = 0 or t = 0 CP: critical section p4: x = 0 Q loop forever q1: y = 1 q2: turn = 0 q3: wait for x = 0 or t = 1 CQ: critical section q4: y = 0

LTL: Applications

Safety properties

◮ “nothing bad ever happens”

G ¬(reactor temperature > 1000)

◮ invariant: “a is always false”

Liveness properties

◮ “something good will eventually happen”

G (ordered → F delivered)

◮ termination: “the system will eventually terminate” ◮ response: “if action a occurs then b eventually will occur”

Deadlock freeness

◮ deadlock state: “a state where no actions are possible” ◮ no deadlocks: there is always some next state

G (¬terminated → X ⊤)

Industrial Case Studies I

Figure: After Flood Disaster (1953), Maeslant Barrier (Maeslantkering)

Industrial Case Studies: Flood Control

Verification of the interface between BOS and BESW:

◮ Beslis- en Ondersteunend Systeem (BOS) ◮ BEsturingsSysteem Waterweg (BESW) ◮ BOS takes the decision to move the barrier ◮ BESW performs this task

Even deadlocks were found in BESW!

Industrial Case Studies II

Figure: NASA Mission Critical Software: Cassini, Mars Rovers, Deep Impact

Industrial Case Studies III

State Space Explosion

State Space Explosion

◮ Assume A1, A2, . . . are a processes each having 10 states

State Space Explosion

◮ Assume A1, A2, . . . are a processes each having 10 states ◮ Then A1 and A2 together have 100 states.

State Space Explosion

◮ Assume A1, A2, . . . are a processes each having 10 states ◮ Then A1 and A2 together have 100 states. ◮ Then A1, . . . , An together have 10n states.

State Space Explosion

◮ Assume A1, A2, . . . are a processes each having 10 states ◮ Then A1 and A2 together have 100 states. ◮ Then A1, . . . , An together have 10n states.

This is the state space explosion problem.

State Space Explosion

◮ Assume A1, A2, . . . are a processes each having 10 states ◮ Then A1 and A2 together have 100 states. ◮ Then A1, . . . , An together have 10n states.

This is the state space explosion problem.

Computation Tree Logic (CTL)

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ | EG φ | EX φ where p ∈ Ω The formula φ holds model M at state s, M, s | = φ, is defined by:

1

as usual: M, s | = ⊤, M, s | = p, M, s | = ¬φ, M, s | = φ1 ∧ φ2

Computation Tree Logic (CTL)

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ exists until | EG φ | EX φ where p ∈ Ω The formula φ holds model M at state s, M, s | = φ, is defined by:

1

as usual: M, s | = ⊤, M, s | = p, M, s | = ¬φ, M, s | = φ1 ∧ φ2

Computation Tree Logic (CTL)

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ exists until | EG φ exists globally | EX φ where p ∈ Ω The formula φ holds model M at state s, M, s | = φ, is defined by:

1

as usual: M, s | = ⊤, M, s | = p, M, s | = ¬φ, M, s | = φ1 ∧ φ2

Computation Tree Logic (CTL)

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ exists until | EG φ exists globally | EX φ exists next where p ∈ Ω The formula φ holds model M at state s, M, s | = φ, is defined by:

1

as usual: M, s | = ⊤, M, s | = p, M, s | = ¬φ, M, s | = φ1 ∧ φ2

Computation Tree Logic (CTL)

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ exists until | EG φ exists globally | EX φ exists next where p ∈ Ω The formula φ holds model M at state s, M, s | = φ, is defined by:

1

as usual: M, s | = ⊤, M, s | = p, M, s | = ¬φ, M, s | = φ1 ∧ φ2

2

M, s | = φ EU ψ (φ until ψ holds on some path starting from s)

Computation Tree Logic (CTL)

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ exists until | EG φ exists globally | EX φ exists next where p ∈ Ω The formula φ holds model M at state s, M, s | = φ, is defined by:

1

as usual: M, s | = ⊤, M, s | = p, M, s | = ¬φ, M, s | = φ1 ∧ φ2

2

M, s | = φ EU ψ (φ until ψ holds on some path starting from s) iff there is a path s = s1 → s2 → . . ., such that for some i ≥ 1, M, si | = ψ and for all j < i, M, sj | = φ

Computation Tree Logic (CTL)

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ exists until | EG φ exists globally | EX φ exists next where p ∈ Ω The formula φ holds model M at state s, M, s | = φ, is defined by:

1

as usual: M, s | = ⊤, M, s | = p, M, s | = ¬φ, M, s | = φ1 ∧ φ2

2

M, s | = φ EU ψ (φ until ψ holds on some path starting from s) iff there is a path s = s1 → s2 → . . ., such that for some i ≥ 1, M, si | = ψ and for all j < i, M, sj | = φ

3

M, s | = EG φ (φ holds globally on some path starting from s)

Computation Tree Logic (CTL)

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ exists until | EG φ exists globally | EX φ exists next where p ∈ Ω The formula φ holds model M at state s, M, s | = φ, is defined by:

1

as usual: M, s | = ⊤, M, s | = p, M, s | = ¬φ, M, s | = φ1 ∧ φ2

2

M, s | = φ EU ψ (φ until ψ holds on some path starting from s) iff there is a path s = s1 → s2 → . . ., such that for some i ≥ 1, M, si | = ψ and for all j < i, M, sj | = φ

3

M, s | = EG φ (φ holds globally on some path starting from s) iff there is a path s = s1 → s2 → . . . such that for all i ≥ 1, M, si | = φ

Computation Tree Logic (CTL)

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ exists until | EG φ exists globally | EX φ exists next where p ∈ Ω The formula φ holds model M at state s, M, s | = φ, is defined by:

1

as usual: M, s | = ⊤, M, s | = p, M, s | = ¬φ, M, s | = φ1 ∧ φ2

2

M, s | = φ EU ψ (φ until ψ holds on some path starting from s) iff there is a path s = s1 → s2 → . . ., such that for some i ≥ 1, M, si | = ψ and for all j < i, M, sj | = φ

3

M, s | = EG φ (φ holds globally on some path starting from s) iff there is a path s = s1 → s2 → . . . such that for all i ≥ 1, M, si | = φ

4

M, s | = EX φ (φ holds in some next state)

Computation Tree Logic (CTL)

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ exists until | EG φ exists globally | EX φ exists next where p ∈ Ω The formula φ holds model M at state s, M, s | = φ, is defined by:

1

as usual: M, s | = ⊤, M, s | = p, M, s | = ¬φ, M, s | = φ1 ∧ φ2

2

M, s | = φ EU ψ (φ until ψ holds on some path starting from s) iff there is a path s = s1 → s2 → . . ., such that for some i ≥ 1, M, si | = ψ and for all j < i, M, sj | = φ

3

M, s | = EG φ (φ holds globally on some path starting from s) iff there is a path s = s1 → s2 → . . . such that for all i ≥ 1, M, si | = φ

4

M, s | = EX φ (φ holds in some next state) iff (M, s2) | = φ for some s2 such that s → s2

CTL: Extensions

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ | EG φ | EX φ | φ AU φ | AG φ | AX φ where p ∈ Ω

CTL: Extensions

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ | EG φ | EX φ | φ AU φ always until | AG φ | AX φ where p ∈ Ω

CTL: Extensions

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ | EG φ | EX φ | φ AU φ always until | AG φ always globally | AX φ where p ∈ Ω

CTL: Extensions

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ | EG φ | EX φ | φ AU φ always until | AG φ always globally | AX φ always next where p ∈ Ω

CTL: Extensions

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ | EG φ | EX φ | φ AU φ always until | AG φ always globally | AX φ always next where p ∈ Ω

1

M, s | = AG φ (φ holds globally on all paths starting from s)

CTL: Extensions

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ | EG φ | EX φ | φ AU φ always until | AG φ always globally | AX φ always next where p ∈ Ω

1

M, s | = AG φ (φ holds globally on all paths starting from s) iff for all paths s = s1 → s2 → . . . we have: for all i ≥ 1, M, si | = φ

CTL: Extensions

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ | EG φ | EX φ | φ AU φ always until | AG φ always globally | AX φ always next where p ∈ Ω

1

M, s | = AG φ (φ holds globally on all paths starting from s) iff for all paths s = s1 → s2 → . . . we have: for all i ≥ 1, M, si | = φ AG φ = ¬EF ¬φ

CTL: Extensions

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ | EG φ | EX φ | φ AU φ always until | AG φ always globally | AX φ always next where p ∈ Ω

1

M, s | = AG φ (φ holds globally on all paths starting from s) iff for all paths s = s1 → s2 → . . . we have: for all i ≥ 1, M, si | = φ AG φ = ¬EF ¬φ

2

M, s | = AX φ (φ holds in all next states)

CTL: Extensions

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ | EG φ | EX φ | φ AU φ always until | AG φ always globally | AX φ always next where p ∈ Ω

1

M, s | = AG φ (φ holds globally on all paths starting from s) iff for all paths s = s1 → s2 → . . . we have: for all i ≥ 1, M, si | = φ AG φ = ¬EF ¬φ

2

M, s | = AX φ (φ holds in all next states) iff (M, s2) | = φ for all s2 such that s → s2

CTL: Extensions

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ | EG φ | EX φ | φ AU φ always until | AG φ always globally | AX φ always next where p ∈ Ω

1

M, s | = AG φ (φ holds globally on all paths starting from s) iff for all paths s = s1 → s2 → . . . we have: for all i ≥ 1, M, si | = φ AG φ = ¬EF ¬φ

2

M, s | = AX φ (φ holds in all next states) iff (M, s2) | = φ for all s2 such that s → s2 AX φ = ¬EX ¬φ

CTL: Extensions

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ | EG φ | EX φ | φ AU φ always until | AG φ always globally | AX φ always next where p ∈ Ω

1

M, s | = AG φ (φ holds globally on all paths starting from s) iff for all paths s = s1 → s2 → . . . we have: for all i ≥ 1, M, si | = φ AG φ = ¬EF ¬φ

2

M, s | = AX φ (φ holds in all next states) iff (M, s2) | = φ for all s2 such that s → s2 AX φ = ¬EX ¬φ

3

M, s | = φ AU ψ (φ until ψ holds on all paths starting from s)

CTL: Extensions

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ | EG φ | EX φ | φ AU φ always until | AG φ always globally | AX φ always next where p ∈ Ω

1

M, s | = AG φ (φ holds globally on all paths starting from s) iff for all paths s = s1 → s2 → . . . we have: for all i ≥ 1, M, si | = φ AG φ = ¬EF ¬φ

2

M, s | = AX φ (φ holds in all next states) iff (M, s2) | = φ for all s2 such that s → s2 AX φ = ¬EX ¬φ

3

M, s | = φ AU ψ (φ until ψ holds on all paths starting from s) iff for all paths s = s1 → s2 → . . . we have: for some i ≥ 1, M, si | = ψ and for all j < i, M, sj | = φ

CTL: Extensions

Computation Tree Logic (CTL) is defined by: φ ::= p | ⊤ | ¬φ | φ ∧ φ | φ EU φ | EG φ | EX φ | φ AU φ always until | AG φ always globally | AX φ always next where p ∈ Ω

1

M, s | = AG φ (φ holds globally on all paths starting from s) iff for all paths s = s1 → s2 → . . . we have: for all i ≥ 1, M, si | = φ AG φ = ¬EF ¬φ

2

M, s | = AX φ (φ holds in all next states) iff (M, s2) | = φ for all s2 such that s → s2 AX φ = ¬EX ¬φ

3

M, s | = φ AU ψ (φ until ψ holds on all paths starting from s) iff for all paths s = s1 → s2 → . . . we have: for some i ≥ 1, M, si | = ψ and for all j < i, M, sj | = φ φ AU ψ = ¬(¬ψ EU (¬φ ∧ ¬ψ)) ∧ ¬EG ¬ψ

CTL: Examples

s1 r s2 p, t, r s3 p, q s4 q, r Which of the states satisfies the following? ? | = AF t ? | = ¬EG r ? | = t EU q ? | = EX q ? | = AX q ? | = EF q

CTL: Examples

s1 r s2 p, t, r s3 p, q s4 q, r Which of the states satisfies the following? M, s2, s3, s4 | = AF t ? | = ¬EG r ? | = t EU q ? | = EX q ? | = AX q ? | = EF q

CTL: Examples

s1 r s2 p, t, r s3 p, q s4 q, r Which of the states satisfies the following? M, s2, s3, s4 | = AF t M, s3 | = ¬EG r ? | = t EU q ? | = EX q ? | = AX q ? | = EF q

CTL: Examples

s1 r s2 p, t, r s3 p, q s4 q, r Which of the states satisfies the following? M, s2, s3, s4 | = AF t M, s3 | = ¬EG r M, s2, s3, s4 | = t EU q ? | = EX q ? | = AX q ? | = EF q

CTL: Examples

s1 r s2 p, t, r s3 p, q s4 q, r Which of the states satisfies the following? M, s2, s3, s4 | = AF t M, s3 | = ¬EG r M, s2, s3, s4 | = t EU q M, s1, s2, s3 | = EX q ? | = AX q ? | = EF q

CTL: Examples

s1 r s2 p, t, r s3 p, q s4 q, r Which of the states satisfies the following? M, s2, s3, s4 | = AF t M, s3 | = ¬EG r M, s2, s3, s4 | = t EU q M, s1, s2, s3 | = EX q M, s2, s3 | = AX q ? | = EF q

CTL: Examples

s1 r s2 p, t, r s3 p, q s4 q, r Which of the states satisfies the following? M, s2, s3, s4 | = AF t M, s3 | = ¬EG r M, s2, s3, s4 | = t EU q M, s1, s2, s3 | = EX q M, s2, s3 | = AX q M, s1, s2, s3, s4 | = EF q

CTL: Examples

s1 r s2 q s3 p s4 q, r s5 p Which of the states satisfies the following? ? | = AG (EF p) ? | = AG ((q ∨ r) AU p) ? | = AG (EF (q ∧ r))

CTL: Examples

s1 r s2 q s3 p s4 q, r s5 p Which of the states satisfies the following? M, s1, s2, s3, s4, s5 | = AG (EF p) ? | = AG ((q ∨ r) AU p) ? | = AG (EF (q ∧ r))

CTL: Examples

s1 r s2 q s3 p s4 q, r s5 p Which of the states satisfies the following? M, s1, s2, s3, s4, s5 | = AG (EF p) M, s3 | = AG ((q ∨ r) AU p) ? | = AG (EF (q ∧ r))

CTL: Examples

s1 r s2 q s3 p s4 q, r s5 p Which of the states satisfies the following? M, s1, s2, s3, s4, s5 | = AG (EF p) M, s3 | = AG ((q ∨ r) AU p) M, s2, s4, s5 | = AG (EF (q ∧ r))

CTL vs LTL

CTL vs LTL

◮ a CTL formula necessitating E cannot be expressed in LTL

EX p s1 s2 s3 p

CTL vs LTL

◮ a CTL formula necessitating E cannot be expressed in LTL

EX p s1 s2 s3 p

◮ the CTL formula AF AG p cannot be expressed in LTL

s1 p s2 s3 p

CTL vs LTL

◮ a CTL formula necessitating E cannot be expressed in LTL

EX p s1 s2 s3 p

◮ the CTL formula AF AG p cannot be expressed in LTL

s1 p s2 s3 p

◮ the LTL formula G F p → F q cannot be expressed in CTL