Basics of Linear Temporal Properties, Robert B. France (PowerPoint PPT Presentation)


SLIDE 1

Basics of Linear Temporal Properties

Robert B. France

SLIDE 2

State vs action view

  • Action view
– abstracts out states; focus only on the action labels of transitions

  • State view
– abstracts out action labels; focus only on states and the propositions that are true in states

SLIDE 3

Transition System and its State Graph

(figure: a transition system and its state graph)

SLIDE 4

Definitions

  • The state graph of a TS = (S, Act, →, I, AP, L), written G(TS), is the digraph (V, E) with vertices V = S and edges E = {(s, s') ∈ S × S | s' ∈ Post(s)}
– G(TS) is obtained by omitting all atomic propositions in states, and all action labels.
– Initial states are not distinguished in a state graph
– Multiple transitions between two states are represented by one edge in a state graph

  • Post(s) consists of all the target states associated with s via transitions from s, i.e., Post(s) = {s' ∈ S | s –α→ s' for some α ∈ Act}

  • Post*(s): the set of states that are reachable from s in the state graph (the reflexive-transitive closure of Post, so s ∈ Post*(s))

  • If C is a set of states then Post*(C) = ∪_{s ∈ C} Post*(s)

  • Reach(TS) = Post*(I) is the set of reachable states of TS

SLIDE 5

(figure: vending machine transition system with states Pay, Select, Soda and Error)

Post(Pay) = {Select}; Post(Select) = {Soda, Error}
Post*(Pay) = {Select, Error, Soda, Pay}; Post*(Error) = { } (Error is terminal; under the reflexive reading of Post* from slide 4 one gets Post*(Error) = {Error})
Post*({Soda, Error}) = {Select, Error, Soda, Pay}

SLIDE 6

Path fragments

  • A path fragment is a sequence of states s0, s1, s2, … where s1 ∈ Post(s0), s2 ∈ Post(s1), etc.
– Can be finite or infinite
– A maximal path fragment is a path fragment that cannot be prolonged, i.e., it is either infinite or ends in a state s_final for which Post(s_final) is empty (a terminal state)
– A path fragment is initial if its first state is an initial state

  • A path of a transition system is an initial, maximal path fragment

  • Paths(s) is the set of maximal path fragments whose first element is s

SLIDE 7

Example

An initial finite fragment: Pay, Select, Soda, Pay, Select
An infinite fragment that is not initial: Select, Soda, Pay, Select, Soda, …
A finite path: Pay, Select, Soda, Pay, Select, Error (maximal, because Error is a terminal state)
An infinite path: Pay, Select, Soda, Pay, Select, Soda, Pay, …

SLIDE 8

Executions of a TS

  • TS executions formalize the notion of behavior in a modeled system

  • A finite execution fragment of a TS is a finite sequence of state transitions.
– For example, s0 –act1→ s1, s1 –act2→ s3 is written as an alternating sequence of states and actions that ends in a state: s0, act1, s1, act2, s3

  • An infinite execution fragment is an infinite sequence of transitions

  • A maximal execution fragment is either a finite execution fragment that ends in a terminal state, or an infinite execution fragment.
– An execution fragment is called initial if it starts in an initial state.

  • An execution of a transition system is an initial, maximal execution fragment

SLIDE 9

Example

An execution: Pay, comp, Select, dispense_soda, Soda, get_soda, Pay, …

SLIDE 10

Traces

  • States are observed through their associated atomic propositions

  • In the state view of a transition system, the execution s0, act0, s1, act1, s2, act2, s3, … is represented by its trace L(s0), L(s1), L(s2), L(s3), …

  • A trace is thus a word over the alphabet 2^AP (the power set of AP): each letter of the word is the set of atomic propositions that hold in one state

SLIDE 11

Example

An execution: Pay, comp, Select, dispense_soda, Soda, get_soda, Pay, insert_coin, Select, dispense_soda, Soda, door_err, Error
The corresponding trace: { }, {paid}, {paid, dispensed}, { }, {paid}, {paid, dispensed}, {paid, error}

SLIDE 12

Traces and paths

Definition 3.8. Trace and Trace Fragment
Let TS = (S, Act, →, I, AP, L) be a transition system without terminal states.

  • The trace of the infinite path fragment π = s0 s1 … is defined as trace(π) = L(s0) L(s1) …

  • The trace of the finite path fragment π = s0 s1 … sn is defined as trace(π) = L(s0) L(s1) … L(sn).

SLIDE 13

Trace operators

  • trace(Π) is the set of traces obtained from the paths in the set of paths Π
– trace(Π) = {trace(π) | π ∈ Π}

  • Traces(s) is the set of traces of the maximal path fragments that start in s
– Traces(s) = trace(Paths(s))

  • Traces(TS) is the set of all traces for all initial states of TS
– Traces(TS) = ∪_{s ∈ I} Traces(s)

SLIDE 14

Checking models against temporal properties

  • Reduce the problem to checking sets of traces

  • Temporal property as a set of traces: the traces in the set are exactly those that have the property

  • Model as a set of traces: the traces in the set are exactly those traces defined by the model's transition system

  • A model satisfies a temporal property if its traces are included in the set of traces defined by the property
– The set of model traces is a subset of the set of property traces

SLIDE 15

LT property

A linear temporal (LT) property over a set of atomic propositions AP is a subset of the set of all infinite words over the alphabet 2^AP, denoted (2^AP)^ω.

Definition 3.11. Satisfaction Relation for LT Properties
Let P be an LT property over AP and TS = (S, Act, →, I, AP, L) a transition system without terminal states. TS satisfies P, denoted TS |= P, iff Traces(TS) ⊆ P. State s ∈ S satisfies P, notation s |= P, whenever Traces(s) ⊆ P.

SLIDE 16

Traffic Light example

  • Two traffic lights:
– AP = {red1, green1, red2, green2}

  • LT1: The first traffic light is infinitely often green
– the set of infinite words A0 A1 A2 … over 2^AP such that green1 ∈ Ai holds for infinitely many i
– Example trace in LT1 (continued so that green1 keeps recurring): {green1}, {red1, green1, green2}, {red1, green1}, {red2, green1}, {red2, green2, green1, red1}, …

  • LT2: The traffic lights are never both green simultaneously
– the set of infinite words A0 A1 A2 … such that not(green1 ∈ Ai) or not(green2 ∈ Ai), for all i ≥ 0
– Example trace in LT2: {red1, green1, red2}, {red1}, {red2, red1}, {green2}, {green2, red2}, {green1}, …

SLIDE 17

Starvation Freedom Example

  • A process that wants to enter its critical section will eventually do so (AP = {wait1, crit1, wait2, crit2})
– P_finwait = set of infinite words A0 A1 A2 … such that ∀j. wait_i ∈ Aj ⇒ ∃k ≥ j. crit_i ∈ Ak, for each i ∈ {1, 2}

  • A process that waits infinitely often enters its critical section infinitely often
– P_nostarve = set of infinite words A0 A1 A2 … such that (∀k ≥ 0. ∃j ≥ k. wait_i ∈ Aj) ⇒ (∀k ≥ 0. ∃j ≥ k. crit_i ∈ Aj), for each i ∈ {1, 2}
– In abbreviated form we write ∃∞ j. wait_i ∈ Aj ⇒ ∃∞ j. crit_i ∈ Aj for each i ∈ {1, 2}, where ∃∞ stands for "there are infinitely many"
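The properties on slides 16 and 17 quantify over infinitely many positions, so they cannot be checked by reading a finite prefix. For words produced by a finite-state system this is not a problem: every such trace is ultimately periodic (a finite prefix followed by a loop repeated forever), and "infinitely many j" becomes "some position in the loop". The following added example (my code, not part of the lecture) checks LT1, LT2, P_finwait and P_nostarve on lasso-shaped words; the sample words are constructed and the lasso representation is an assumption about how the trace was obtained. The same checks cover the critical-section formulas on slide 31.

```python
"""Checking LT properties on ultimately periodic words (lassos).

An infinite word over 2^AP produced by a finite-state system can be written as
prefix + loop^omega. For such words the quantifiers "for infinitely many j" and
"there exists k >= j" on slides 16 and 17 reduce to finite checks on the loop
and the prefix. All sample words below are constructed for this example.
"""
from typing import Callable, FrozenSet, List, Tuple

Letter = FrozenSet[str]                     # one element of 2^AP
Lasso = Tuple[List[Letter], List[Letter]]   # (prefix, loop); the loop is non-empty


def letters(*sets: str) -> List[Letter]:
    """Build letters from strings such as 'red1 green2' ('' is the empty set)."""
    return [frozenset(s.split()) for s in sets]


def positions(word: Lasso, n: int) -> List[Letter]:
    """The first n letters A_0 ... A_{n-1} of prefix + loop^omega."""
    prefix, loop = word
    assert loop, "a lasso needs a non-empty loop"
    return [prefix[i] if i < len(prefix) else loop[(i - len(prefix)) % len(loop)]
            for i in range(n)]


def infinitely_often(word: Lasso, ap: str) -> bool:
    """exists^inf j. ap in A_j  <=>  ap occurs in some loop letter."""
    return any(ap in a for a in word[1])


def always(word: Lasso, ok: Callable[[Letter], bool]) -> bool:
    """forall j. ok(A_j)  <=>  ok holds on every prefix letter and every loop letter."""
    return all(ok(a) for a in word[0]) and all(ok(a) for a in word[1])


def response(word: Lasso, trigger: str, goal: str) -> bool:
    """forall j. trigger in A_j  =>  exists k >= j. goal in A_k   (P_finwait shape)."""
    prefix, loop = word
    seq = positions(word, len(prefix) + len(loop))   # prefix plus one loop round
    for j, a in enumerate(seq):
        if trigger not in a:
            continue
        # Every letter at a position k >= j is in seq[j:] or in the loop.
        if not any(goal in b for b in seq[j:] + loop):
            return False
    return True


# --- slide 16: two traffic lights --------------------------------------------
def lt1(word: Lasso) -> bool:
    """The first traffic light is infinitely often green."""
    return infinitely_often(word, "green1")


def lt2(word: Lasso) -> bool:
    """The lights are never both green simultaneously."""
    return always(word, lambda a: not ("green1" in a and "green2" in a))


# --- slide 17: starvation freedom ---------------------------------------------
def p_finwait(word: Lasso) -> bool:
    """Every wait_i is followed (at the same or a later position) by crit_i."""
    return all(response(word, f"wait{i}", f"crit{i}") for i in (1, 2))


def p_nostarve(word: Lasso) -> bool:
    """(exists^inf j. wait_i in A_j) => (exists^inf j. crit_i in A_j), i = 1, 2."""
    return all((not infinitely_often(word, f"wait{i}")) or infinitely_often(word, f"crit{i}")
               for i in (1, 2))


# constructed sample words
LIGHTS_OK: Lasso = (letters("red1 red2"), letters("green1 red2", "red1 green2"))
LIGHTS_BAD: Lasso = (letters("red1 red2"), letters("green1 green2", "red1 red2"))
MUTEX_FAIR: Lasso = (letters("", "wait1 wait2"), letters("crit1 wait2", "wait1 crit2"))
MUTEX_STARVE: Lasso = (letters("wait1 wait2"), letters("crit1 wait2", "wait1 wait2"))

if __name__ == "__main__":
    for name, w in [("LIGHTS_OK", LIGHTS_OK), ("LIGHTS_BAD", LIGHTS_BAD)]:
        print(name, "LT1:", lt1(w), "LT2:", lt2(w))
    for name, w in [("MUTEX_FAIR", MUTEX_FAIR), ("MUTEX_STARVE", MUTEX_STARVE)]:
        print(name, "P_finwait:", p_finwait(w), "P_nostarve:", p_nostarve(w))
```

MUTEX_STARVE is the case the slide warns about: process 2 is in wait2 at every position but never reaches crit2, so both P_finwait and P_nostarve fail for i = 2, while process 1 is served in every loop round.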

SLIDE 18

Trace inclusion and equivalence

  • Trace inclusion: TS is a correct implementation of TS' if Traces(TS) ⊆ Traces(TS')

  • Equivalent statement: for any LT property P, TS' |= P implies TS |= P

  • Transition systems TS and TS' are trace-equivalent with respect to the set of propositions AP if Traces_AP(TS) = Traces_AP(TS')

  • Traces(TS) = Traces(TS') iff TS and TS' satisfy the same LT properties

SLIDE 19

Equivalent TS example

  • For AP = {pay, soda, beer} the two TSs are trace equivalent

  • There does not exist an LT property that distinguishes between the two vending machine models

SLIDE 20

Safety properties

  • A safety property is a behavior in which "nothing bad happens"
– e.g., always at most one process is in its critical section (the bad thing: two or more processes in their critical sections at the same time)

  • An invariant is a special type of safety property.
– An invariant property is true in all states that are reachable from an initial state
– e.g., at most one process is in its critical section in any state, i.e., Φ = ¬crit1 ∨ ¬crit2 is true in every reachable state

SLIDE 21

Invariants

  • An LT property P_inv over AP is an invariant if there is a propositional logic formula Φ over AP such that P_inv = {A0 A1 A2 … ∈ (2^AP)^ω | ∀j ≥ 0. Aj |= Φ}

  • TS |= P_inv iff trace(π) ∈ P_inv for all paths π in TS
– iff L(s) |= Φ for all states s that belong to a path of TS
– iff L(s) |= Φ for all states s ∈ Reach(TS)

SLIDE 22

Checking invariants

  • Naïve checking: adapt a BFS or DFS algorithm over the state graph of TS
– If a state is found in which the invariant does not hold then the algorithm returns false, else it returns true
– See page 109 for Algorithm 3
– The algorithm can be adapted to provide a counterexample, i.e., an initial path fragment ending in the violating state. See page 110 for Algorithm 4
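The definitions on slides 4, 11 and 21 and the DFS check on this slide fit in a few dozen lines of code. The following added example (my code, not the lecture's or the book's Algorithms 3 and 4, though it follows the same idea) builds the vending machine from slides 5, 7 and 11, computes Post, Post* and Reach(TS), derives the trace of a path, and checks an invariant Φ by DFS, returning the DFS path as a counterexample when a reachable state violates Φ. The action name on the Select → Error transition is not given on the slides and is assumed to be "err"; the labelling follows slide 11.

```python
"""Transition systems, reachability and naive invariant checking.

Added example for slides 4, 5, 11, 21 and 22. The vending machine is
reconstructed from the slide text; the action label of Select -> Error is
an assumption ("err"), everything else is as on slides 5, 7 and 11.
"""
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

Label = FrozenSet[str]


class TS:
    def __init__(self, states: Iterable[str], init: Iterable[str],
                 trans: Iterable[Tuple[str, str, str]], labels: Dict[str, Iterable[str]]):
        self.S = set(states)
        self.I = set(init)
        self.trans = list(trans)                       # (s, action, s')
        self.L = {s: frozenset(labels.get(s, ())) for s in self.S}

    def post(self, s: str) -> Set[str]:
        """Post(s): direct successors of s; action labels are dropped (state graph)."""
        return {t for (u, _a, t) in self.trans if u == s}

    def post_star(self, states: Iterable[str]) -> Set[str]:
        """Post*(C) = union of Post*(s) for s in C (reflexive: C itself is included)."""
        seen: Set[str] = set()
        stack = list(states)
        while stack:
            s = stack.pop()
            if s not in seen:
                seen.add(s)
                stack.extend(self.post(s))
        return seen

    def reach(self) -> Set[str]:
        """Reach(TS) = Post*(I)."""
        return self.post_star(self.I)

    def trace(self, path: List[str]) -> List[Label]:
        """trace(pi) = L(s0) L(s1) ... for a finite path fragment."""
        return [self.L[s] for s in path]

    def check_invariant(self, phi: Callable[[Label], bool]) -> Optional[List[str]]:
        """DFS over the state graph from each initial state.

        Returns None if L(s) |= phi for every reachable s; otherwise the initial
        path fragment (the DFS stack) that ends in the first violating state.
        """
        visited: Set[str] = set()
        for s0 in sorted(self.I):
            if not phi(self.L[s0]):
                return [s0]
            visited.add(s0)
            path = [s0]
            stack: List[Tuple[str, List[str]]] = [(s0, sorted(self.post(s0)))]
            while stack:
                s, succs = stack[-1]
                if not succs:                 # s fully explored: backtrack
                    stack.pop()
                    path.pop()
                    continue
                t = succs.pop(0)
                if t in visited:
                    continue
                visited.add(t)
                path.append(t)
                if not phi(self.L[t]):
                    return list(path)
                stack.append((t, sorted(self.post(t))))
        return None


# Vending machine reconstructed from slides 5, 7 and 11 ("err" is assumed).
VENDING = TS(
    states=["Pay", "Select", "Soda", "Error"],
    init=["Pay"],
    trans=[("Pay", "insert_coin", "Select"), ("Pay", "comp", "Select"),
           ("Select", "dispense_soda", "Soda"), ("Select", "err", "Error"),
           ("Soda", "get_soda", "Pay"), ("Soda", "door_err", "Error")],
    labels={"Select": ["paid"], "Soda": ["paid", "dispensed"], "Error": ["paid", "error"]},
)


def no_error(a: Label) -> bool:                 # Phi = not error; fails, Error is reachable
    return "error" not in a


def dispensed_implies_paid(a: Label) -> bool:   # Phi = dispensed -> paid; holds
    return "dispensed" not in a or "paid" in a


def example() -> dict:
    return {
        "post_select": VENDING.post("Select"),
        "post_star_error": VENDING.post_star(["Error"]),
        "reach": VENDING.reach(),
        "trace": VENDING.trace(["Pay", "Select", "Soda"]),
        "cex_no_error": VENDING.check_invariant(no_error),
        "cex_dispensed_implies_paid": VENDING.check_invariant(dispensed_implies_paid),
    }


if __name__ == "__main__":
    for k, v in example().items():
        print(k, "=", v)
```

The counterexample for Φ = ¬error is the path Pay, Select, Error; its trace { }, {paid}, {paid, error} is a bad prefix for the invariant in the sense of slide 24.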

SLIDE 23

Other safety properties

  • A safety property that is not an invariant: money in an ATM is dispensed only after a valid PIN is provided
– Note that this is not a state property
– It is a safety property since any finite prefix in which money is withdrawn without previous entry of a valid PIN is bad behavior

SLIDE 24

Formal definition of a safety property

An LT property P_safe over AP is called a safety property if for all words σ ∈ (2^AP)^ω \ P_safe there exists a finite prefix σ^ of σ such that P_safe ∩ {σ' ∈ (2^AP)^ω | σ^ is a finite prefix of σ'} = ∅

  • σ^ is called a bad prefix for P_safe

  • A bad prefix is minimal if none of its proper prefixes is bad

  • BadPref(P_safe) denotes the set of all bad prefixes for P_safe

SLIDE 25

Traffic Light examples

  • It is always the case that at least one light is on
– {σ = A0 A1 … | for all j: Aj ⊆ AP ∧ Aj ≠ ∅}
– Bad prefixes are the finite words that contain ∅

  • A red light must be preceded immediately by a yellow light
– σ = A0 A1 … with Ai ⊆ {red, yellow} such that for all i ≥ 0 we have that red ∈ Ai implies i > 0 and yellow ∈ Ai−1
– Examples of minimal bad prefixes: ∅ ∅ {red} and ∅ {red}

SLIDE 26

Satisfying safety properties

TS |= P_safe iff Traces_fin(TS) ∩ BadPref(P_safe) = ∅

P_safe is a safety property iff closure(P_safe) = P_safe, i.e., P_safe contains every infinite word all of whose finite prefixes are prefixes of words in P_safe, where
closure(P) = {σ ∈ (2^AP)^ω | pref(σ) ⊆ pref(P)}
and pref(σ) is the set of finite prefixes of the word σ (and pref(P) = ∪_{σ ∈ P} pref(σ)).
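Slide 26 says that a safety property is checked on finite traces: a violation is always visible in some finite prefix, so a monitor that reads the trace letter by letter and stops at the first bad prefix is a complete check. The following added example (my code, not the lecture's) implements such monitors for the two traffic-light properties of slide 25 and for the ATM property of slide 23. It reports the length of the minimal bad prefix, or None if the finite word read so far can still be extended to a word in P_safe. The propositions pin_ok and dispense are an assumed encoding of the ATM property (dispensing in the same instant as the PIN check counts as too early), and all sample words are constructed.

```python
"""Monitoring finite traces for bad prefixes (slides 23 to 26).

Added example. Each monitor consumes a finite word over 2^AP one letter at a
time and returns the length of its minimal bad prefix, or None if no prefix
is bad. The ATM encoding (pin_ok, dispense) is assumed; the sample words
are constructed.
"""
from typing import Callable, FrozenSet, List, Optional

Letter = FrozenSet[str]
Monitor = Callable[[List[Letter]], Optional[int]]


def w(*sets: str) -> List[Letter]:
    """Word from strings such as 'red yellow'; '' is the empty letter."""
    return [frozenset(s.split()) for s in sets]


def min_bad_prefix(word: List[Letter], bad_at: Callable[[List[Letter], int], bool]) -> Optional[int]:
    """Length of the minimal bad prefix of word, scanning letter by letter.

    bad_at(word, i) decides whether A_0 ... A_i is already bad, i.e. no infinite
    continuation of it can satisfy the property. Scanning left to right and
    stopping at the first hit is what makes the reported prefix minimal.
    """
    for i in range(len(word)):
        if bad_at(word, i):
            return i + 1
    return None


# Slide 25 (a): at least one light is always on; bad as soon as a letter is empty.
def at_least_one_on(word: List[Letter]) -> Optional[int]:
    return min_bad_prefix(word, lambda ws, i: len(ws[i]) == 0)


# Slide 25 (b): a red light must be immediately preceded by a yellow light.
def red_after_yellow(word: List[Letter]) -> Optional[int]:
    def bad(ws: List[Letter], i: int) -> bool:
        return "red" in ws[i] and (i == 0 or "yellow" not in ws[i - 1])
    return min_bad_prefix(word, bad)


# Slide 23: money is dispensed only after a valid PIN was provided. Not a state
# property: whether 'dispense' is bad depends on the letters read before it.
def dispense_after_pin(word: List[Letter]) -> Optional[int]:
    def bad(ws: List[Letter], i: int) -> bool:
        pin_seen = any("pin_ok" in a for a in ws[:i])    # strictly earlier letters only
        return "dispense" in ws[i] and not pin_seen
    return min_bad_prefix(word, bad)


def satisfies_finite(monitor: Monitor, finite_traces: List[List[Letter]]) -> bool:
    """Slide 26: TS |= P_safe iff Traces_fin(TS) contains no bad prefix.

    For a (finite sample of) the finite traces of a system, the property holds
    on that sample iff no trace has a bad prefix.
    """
    return all(monitor(t) is None for t in finite_traces)


# constructed sample words
LIGHTS = [w("yellow", "red", "", "yellow"),
          w("", "", "red"),                       # the minimal bad prefix from slide 25
          w("yellow", "yellow", "red", "yellow")]
ATM = [w("", "pin_ok", "dispense"), w("", "dispense"), w("pin_ok dispense")]

if __name__ == "__main__":
    for word in LIGHTS:
        print([set(a) for a in word], "on:", at_least_one_on(word),
              "red/yellow:", red_after_yellow(word))
    for word in ATM:
        print([set(a) for a in word], "pin:", dispense_after_pin(word))
    print("all ATM traces safe:", satisfies_finite(dispense_after_pin, ATM))
```

Because a bad prefix can never be "repaired" by later letters, a monitor of this kind may raise an alarm as soon as it sees one; this is exactly the property a runtime monitor for an access-control rule such as the ATM one needs.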

SLIDE 27

Trace inclusion and safety properties

  • Let TS and TS' be transition systems without terminal states and with the same set of propositions AP. Then the following statements are equivalent:
– Traces_fin(TS) ⊆ Traces_fin(TS')
– For any safety property P_safe: TS' |= P_safe implies TS |= P_safe

  • Note that even if Traces(TS) is not a subset of Traces(TS'), but the finite traces are (a weaker condition), then the safety properties of TS' also hold for TS

SLIDE 28

Finite vs. infinite systems

(figure: TS, a finite transition system, and TS', an infinite transition system)

  • Traces(TS) is not a subset of Traces(TS'), but Traces_fin(TS) is a subset of Traces_fin(TS')

  • The property "eventually b" holds for TS' but not for TS

  • The property "never b" holds for TS but not for TS'

SLIDE 29

Liveness properties

  • A system that does nothing satisfies its safety properties; we need properties that require the system to make "progress"

  • Liveness property: something good will eventually happen

  • Liveness properties are conditions on infinite behaviors (Alpern, Schneider)

  • Any finite prefix can be extended to satisfy a liveness property

  • How does this differ from safety properties?

  • What are some examples of liveness properties?

SLIDE 30

Liveness definition

  • A property P over AP is a liveness property when pref(P) = (2^AP)*
– pref(P) is the set of all finite prefixes of words in P

  • Each finite word can be extended to an infinite word that satisfies P

  • Stated differently, P is a liveness property iff for all finite words w ∈ (2^AP)* there exists an infinite word σ ∈ (2^AP)^ω such that wσ ∈ P

SLIDE 31

Examples

  • Each process will eventually enter its critical section: (∃j ≥ 0. crit1 ∈ Aj) ∧ (∃j ≥ 0. crit2 ∈ Aj)

  • Each process will enter its critical section infinitely often: (∀k ≥ 0. ∃j ≥ k. crit1 ∈ Aj) ∧ (∀k ≥ 0. ∃j ≥ k. crit2 ∈ Aj)

  • Each waiting process will eventually enter its critical section: ∀j ≥ 0. (wait1 ∈ Aj ⇒ (∃k > j. crit1 ∈ Ak)) ∧ ∀j ≥ 0. (wait2 ∈ Aj ⇒ (∃k > j. crit2 ∈ Ak))

SLIDE 32

Safety and liveness properties

  • Are safety and liveness properties disjoint? Yes, apart from the set of all traces (2^AP)^ω, which is the only LT property that is both

  • Are all linear properties either a safety or a liveness property? No

  • Theorem 3.37. Decomposition Theorem: for any LT property P over AP there exists a safety property P_safe and a liveness property P_live (both over AP) such that P = P_safe ∩ P_live.

SLIDE 33

Example

  • P = the vending machine provides soda infinitely often after initially providing beer three times in a row.

  • What is the safety property?

  • What is the liveness property?

SLIDE 34

Fairness

  • To prove a liveness property you sometimes have to remove behaviors in which a process "hogs" resources (i.e., behaviors in which a process prevents another process from accessing a resource infinitely often)

  • Process fairness: each process can execute enabled transitions infinitely often

  • Example: to prove starvation freedom (i.e., a process that waits can enter its critical section infinitely often) we need to exclude the paths in which one process prevents the other process from entering its critical section infinitely often

  • Requires fair scheduling of processes

SLIDE 35

Simple semaphore

(figure: semaphore-based mutual exclusion transition system)

  • A process does not have to wait infinitely long before entering its critical section while it is in its wait state

  • Each of the processes executes its critical section infinitely often

SLIDE 36

Peterson's algorithm

(figure: transition system of Peterson's algorithm)

  • A process does not have to wait infinitely long before entering its critical section while it is in its wait state

  • Each of the processes executes its critical section infinitely often

SLIDE 37

Fairness constraints

  • Fairness constraints are used to rule out "unrealistic" behaviors from the transition system semantics of a concurrent system
– Refine the model to resolve non-deterministic behaviors

  • Different types of fairness constraints
– Unconditional fairness (impartiality): e.g., every process executes infinitely often
– Strong fairness (compassion): e.g., a process that is enabled infinitely often gets its turn to execute infinitely often
– Weak fairness (justice): e.g., a process that is continuously enabled from some point on gets its turn to execute infinitely often

SLIDE 38

Expressing fairness constraints

For a transition system TS = (S, Act, →, I, AP, L) without terminal states, A ⊆ Act, and an infinite execution fragment ρ = s0 –α0→ s1 –α1→ s2 –α2→ … of TS:

  • ρ is unconditionally A-fair whenever ∃∞ j. αj ∈ A

  • ρ is strongly A-fair whenever (∃∞ j. Act(sj) ∩ A ≠ ∅) ⇒ (∃∞ j. αj ∈ A)
– Act(s) is the set of actions that are executable (enabled) in state s

  • ρ is weakly A-fair whenever (∀∞ j. Act(sj) ∩ A ≠ ∅) ⇒ (∃∞ j. αj ∈ A)
– ∀∞ j: for nearly all j, i.e., for all except finitely many j
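The three fairness notions differ only in the premise, and for an infinite execution of a finite-state system they can be decided on a lasso: "for infinitely many j" means "at some step of the loop", and "for all but finitely many j" means "at every step of the loop". The following added example (my code, not the lecture's) checks unconditional, strong and weak A-fairness for A = {enter2} on two executions of a constructed two-process mutex; the transition relation, state names and both executions are assumptions made for this example and are not the slide 39 figure. Act(s) is computed from the transition relation, as the slide's definition requires.

```python
"""Checking unconditional, strong and weak A-fairness of an infinite execution.

Added example for slide 38. An infinite execution fragment is given as a
lasso of (state, action) steps: prefix + loop^omega. The mutex transition
system and both executions are constructed for this example.
"""
from typing import Dict, List, Set, Tuple

Step = Tuple[str, str]                    # (s_j, alpha_j): action alpha_j is taken in s_j
Lasso = Tuple[List[Step], List[Step]]     # (prefix, loop); the loop is non-empty


def enabled(trans: Dict[Tuple[str, str], str]) -> Dict[str, Set[str]]:
    """Act(s) = {alpha | s --alpha--> s' for some s'} from a (s, alpha) -> s' map."""
    act: Dict[str, Set[str]] = {}
    for (s, alpha) in trans:
        act.setdefault(s, set()).add(alpha)
    return act


def unconditionally_fair(rho: Lasso, A: Set[str]) -> bool:
    """exists^inf j. alpha_j in A  <=>  some loop step takes an action from A."""
    return any(alpha in A for (_s, alpha) in rho[1])


def strongly_fair(rho: Lasso, A: Set[str], act: Dict[str, Set[str]]) -> bool:
    """(exists^inf j. Act(s_j) n A != {})  =>  (exists^inf j. alpha_j in A)."""
    enabled_inf_often = any(act.get(s, set()) & A for (s, _a) in rho[1])
    return (not enabled_inf_often) or unconditionally_fair(rho, A)


def weakly_fair(rho: Lasso, A: Set[str], act: Dict[str, Set[str]]) -> bool:
    """(forall^inf j. Act(s_j) n A != {})  =>  (exists^inf j. alpha_j in A)."""
    enabled_almost_always = all(act.get(s, set()) & A for (s, _a) in rho[1])
    return (not enabled_almost_always) or unconditionally_fair(rho, A)


def validate(rho: Lasso, trans: Dict[Tuple[str, str], str]) -> bool:
    """Sanity check: every step's action is enabled and leads to the next step's
    state, and the last loop step leads back to the first loop step."""
    steps = rho[0] + rho[1] + rho[1][:1]
    return all(trans.get((s, a)) == steps[i + 1][0]
               for i, (s, a) in enumerate(steps[:-1]))


# Constructed mutex: a state "xy" gives the status of process 1 and process 2,
# n = noncritical, w = waiting, c = critical.
TRANS: Dict[Tuple[str, str], str] = {
    ("nn", "req1"): "wn", ("nn", "req2"): "nw",
    ("wn", "enter1"): "cn", ("wn", "req2"): "ww",
    ("nw", "enter2"): "nc", ("nw", "req1"): "ww",
    ("ww", "enter1"): "cw", ("ww", "enter2"): "wc",
    ("cn", "rel1"): "nn", ("cw", "rel1"): "nw",
    ("nc", "rel2"): "nn", ("wc", "rel2"): "wn",
}
ACT = enabled(TRANS)
A = {"enter2"}

# RHO1: process 2 waits forever while process 1 keeps winning. enter2 is enabled
# in nw and ww (infinitely often) but not in cw, so not continuously.
RHO1: Lasso = ([("nn", "req2")], [("nw", "req1"), ("ww", "enter1"), ("cw", "rel1")])
# RHO2: process 2 is served in every round.
RHO2: Lasso = ([("nn", "req1")], [("wn", "req2"), ("ww", "enter2"), ("wc", "rel2")])

if __name__ == "__main__":
    for name, rho in [("RHO1", RHO1), ("RHO2", RHO2)]:
        assert validate(rho, TRANS)
        print(name, "unconditional:", unconditionally_fair(rho, A),
              "strong:", strongly_fair(rho, A, ACT), "weak:", weakly_fair(rho, A, ACT))
```

RHO1 is the instructive case: it is weakly {enter2}-fair (enter2 is not continuously enabled, since process 1's critical state disables it), but neither strongly nor unconditionally fair, so a weak-fairness assumption is not enough to rule out this starvation of process 2, while a strong-fairness assumption is.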

SLIDE 39

Example

(figure: a transition system with one infinite execution fragment marked by dashed lines and another by dotted lines)

A = {enter2}: Is the fragment shown in dashed lines unconditionally A-fair, strongly A-fair, weakly A-fair? What about the fragment shown in dotted lines?

SLIDE 40

Fairness assumption

SLIDE 41

Coming up

  • How do we express linear temporal properties?

  • Answer: use temporal logic