
  1. Basics of Linear Temporal Properties (PowerPoint presentation), Robert B. France

  2. State vs action view
  • Action view
    – abstracts out states; focus only on action labels
  • State view
    – focus only on states and the propositions that are true in states

  3. Transition System and its State Graph (figure)

  4. Definitions
  • The state graph of a TS = (S, Act, →, I, AP, L), written G(TS), is the digraph (V, E) with vertices V = S and edges E = {(s, s') ∈ S × S | s' ∈ Post(s)}
    – G(TS) is obtained by omitting all atomic propositions in states and all action labels
    – Initial states are not distinguished in a state graph
    – Multiple transitions between two states are represented by one edge in a state graph
  • Post(s) consists of all the target states associated with s via transitions from s
  • Post*(s): the set of states that are reachable from s in the state graph
  • If C is a set of states then Post*(C) = ∪_{s ∈ C} Post*(s)

  5. Example (vending machine)
  Post(Pay) = {Select}; Post(Select) = {Soda, Error}
  Post*(Pay) = {Select, Error, Soda, Pay}; Post*(Error) = {}
  Post*({Soda, Error}) = {Select, Error, Soda, Pay}

  6. Path fragments
  • A path fragment is a sequence of states s0, s1, s2, … where s1 ∈ Post(s0), s2 ∈ Post(s1), etc.
    – Can be finite or infinite
    – A maximal path fragment is a path fragment that cannot be prolonged, i.e., it is either infinite or ends in a state s_final for which Post(s_final) is empty (a terminal state)
    – A path fragment is initial if its first state is an initial state
  • A path of a transition system is an initial, maximal path fragment
  • Paths(s) is the set of maximal path fragments whose first element is s

  7. Example
  • An initial finite fragment: Pay, Select, Soda, Pay, Select
  • An infinite fragment that is not initial: Select, Soda, Pay, Select, Soda, …
  • A finite path: Pay, Select, Soda, Pay, Select, Error
  • An infinite path: Pay, Select, Soda, Pay, Select, Soda, Pay, …

  8. Executions of a TS
  • TS executions formalize the notion of behavior in a modeled system
  • A finite execution fragment of a TS is a sequence of state transitions
    – For example, s0 –act1→ s1, s1 –act2→ s3 is written as an alternating sequence of states and actions that ends in a state: s0, act1, s1, act2, s3
  • An infinite execution fragment is an infinite sequence of transitions
  • A maximal execution fragment is either a finite execution fragment that ends in a final state, or an infinite execution fragment
    – An execution fragment is called initial if it starts in an initial state
  • An execution of a transition system is an initial, maximal execution fragment

  9. Example
  An execution: Pay, comp, Select, dispense_soda, Soda, get_soda, Pay, …

  10. Traces
  • States are observed through their associated atomic propositions
  • The execution s0, act0, s1, act1, s2, act2, s3, … can be represented as the trace L(s0), L(s1), L(s2), L(s3), … in the state view of a transition system
  • A trace is thus a word over 2^AP, the power set of the atomic propositions AP of the transition system

  11. Example
  An execution: Pay, comp, Select, dispense_soda, Soda, get_soda, Pay, insert_coin, Select, dispense_soda, Soda, door_err, Error
  The corresponding trace: {}, {paid}, {paid, dispensed}, {}, {paid}, {paid, dispensed}, {paid, error}

  12. Traces and paths
  Definition 3.8 (Trace and Trace Fragment). Let TS = (S, Act, →, I, AP, L) be a transition system without terminal states.
  • The trace of the infinite path fragment π = s0 s1 … is defined as trace(π) = L(s0) L(s1) …
  • The trace of the finite path fragment π = s0 s1 … sn is defined as trace(π) = L(s0) L(s1) … L(sn)

  13. Trace operators
  • trace(Π) is the set of traces obtained from the paths in the set of paths Π
    – trace(Π) = {trace(π) | π ∈ Π}
  • Traces(s) is the set of traces of s
    – Traces(s) = trace(Paths(s))
  • Traces(TS) is the set of all traces of all initial states of TS
    – Traces(TS) = ∪_{s ∈ I} Traces(s)

  14. Checking models against temporal properties
  • Reduce the problem to checking sets of traces
  • Temporal property as a set of traces: the traces in the set all have the property
  • Model as a set of traces: the traces in the set are exactly those defined by the model's transition system
  • A model satisfies a temporal property if its traces are included in the set of traces defined by the property
    – the set of model traces is a subset of the set of property traces

  15. LT property
  A linear temporal (LT) property over a set of atomic propositions AP is a subset of the set of all infinite words whose letters are subsets of AP (denoted (2^AP)^ω).
  Definition 3.11 (Satisfaction Relation for LT Properties). Let P be an LT property over AP and TS = (S, Act, →, I, AP, L) a transition system without terminal states.
  • TS satisfies P, denoted TS |= P, iff Traces(TS) ⊆ P.
  • State s ∈ S satisfies P, notation s |= P, whenever Traces(s) ⊆ P.

  16. Traffic Light example
  • Two traffic lights:
    – AP = {red1, green1, red2, green2}
  • LT1: The first traffic light is infinitely often green
    – the set of words A0 A1 A2 … over 2^AP such that green1 ∈ A_i holds for infinitely many i
    – Example trace in LT1: {green1}, {red1, green1, green2}, {red1, green1}, {red2, green}, {red2, green2, green1, red1}, …
  • LT2: The traffic lights are never both green simultaneously
    – the set of words A0 A1 A2 … such that for all i ≥ 0, green1 ∉ A_i or green2 ∉ A_i
    – Example trace in LT2: {red1, green1, red2}, {red1}, {red2, red1}, {green2}, {green2, red2}, {green1}, …

  17. Starvation Freedom Example
  • A process that wants to enter its critical section will eventually do so (AP = {wait1, crit1, wait2, crit2})
    – P_finwait = set of infinite words A0 A1 A2 … such that ∀j. wait_i ∈ A_j ⇒ ∃k ≥ j. crit_i ∈ A_k, for each i ∈ {1, 2}
  • A process that waits often enters its critical section often
    – P_nostarve = set of infinite words A0 A1 A2 … such that (∀k ≥ 0. ∃j ≥ k. wait_i ∈ A_j) ⇒ (∀k ≥ 0. ∃j ≥ k. crit_i ∈ A_j), for each i ∈ {1, 2}
    – In abbreviated form we write ∃^∞ j. wait_i ∈ A_j ⇒ ∃^∞ j. crit_i ∈ A_j for each i ∈ {1, 2}, where ∃^∞ stands for "there are infinitely many"

  18. Trace inclusion and equivalence
  • Trace inclusion: TS is a correct implementation of TS' if Traces(TS) ⊆ Traces(TS')
  • Equivalent statement: for any LT property P, TS' |= P implies TS |= P
  • Transition systems TS and TS' are trace-equivalent with respect to the set of propositions AP if Traces_AP(TS) = Traces_AP(TS')
  • Traces(TS) = Traces(TS') iff TS and TS' satisfy the same LT properties

  19. Equivalent TS example
  • For AP = {pay, soda, beer} the two TSs are trace equivalent
  • There does not exist an LT property that distinguishes between the two vending machine models

  20. Safety properties
  • A safety property is a behavior in which "nothing bad happens"
    – e.g., always at most one process is in its critical section (the bad thing: two or more processes in their critical sections)
  • An invariant is a special type of safety property
    – An invariant property is true in all states that are reachable from an initial state
    – e.g., only one process can be in its critical section in any state, i.e., Φ = ¬crit1 ∨ ¬crit2 is true in every state

  21. Invariants
  • An LT property P_inv over AP is an invariant if there is a propositional logic formula Φ over AP such that P_inv = {A0 A1 A2 … ∈ (2^AP)^ω | ∀j ≥ 0. A_j |= Φ}
  • TS |= P_inv iff trace(π) ∈ P_inv for all paths π in TS
    – iff L(s) |= Φ for all states s that belong to a path of TS
    – iff L(s) |= Φ for all states s ∈ Reach(TS)

  22. Checking invariants
  • Naive checking: adapt a BFS or DFS algorithm over the state graph of TS
    – If a state is found in which the invariant does not hold then the algorithm returns false, else it returns true
    – See page 109 for algorithm 3
    – The algorithm can be adapted to provide a counterexample; see page 110 for algorithm 4
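As an added example (not from the deck), the definitions of slides 4 to 12 and the invariant check of slide 22 in Python, run on a constructed vending-machine transition system whose Post sets match slide 5; since the deck's figure is not on the page, the action names and the labelling function are assumptions:

```python
from collections import deque

# Constructed vending-machine TS with the Post sets of slide 5 (the deck's own
# figure is not on the page; action names and labels are assumed).
# TRANS maps a state to its (action, successor) pairs; LABEL is L: S -> 2^AP.
TRANS = {"Pay": {("insert_coin", "Select")},
         "Select": {("dispense_soda", "Soda"), ("door_err", "Error")},
         "Soda": {("get_soda", "Pay")},
         "Error": set()}                      # terminal: Post(Error) is empty
INITIAL = {"Pay"}
LABEL = {"Pay": frozenset(), "Select": frozenset({"paid"}),
         "Soda": frozenset({"paid", "dispensed"}),
         "Error": frozenset({"paid", "error"})}

def post(s):
    """Post(s): target states of the transitions leaving s (slide 4)."""
    return {t for _, t in TRANS[s]}

def post_star(states):
    """Post*(C): states reachable from C by one or more transitions of the
    state graph, so Post*(Error) = {} exactly as on slide 5."""
    reached, todo = set(), deque(states)
    while todo:
        for t in post(todo.popleft()):
            if t not in reached:
                reached.add(t)
                todo.append(t)
    return reached

def trace(path):
    """trace(pi) = L(s0) L(s1) ... for a path fragment pi (slide 12)."""
    return [LABEL[s] for s in path]

def check_invariant(phi):
    """Slide 22: BFS of the state graph from the initial states; returns
    (True, None) if phi holds in every reachable state, otherwise (False, p)
    where p is an initial path fragment ending in the violating state."""
    parent = {s: None for s in INITIAL}
    todo = deque(INITIAL)
    while todo:
        s = todo.popleft()
        if not phi(LABEL[s]):
            path = []
            while s is not None:             # follow parent links back to I
                path.append(s)
                s = parent[s]
            return False, path[::-1]
        for t in post(s):
            if t not in parent:
                parent[t] = s
                todo.append(t)
    return True, None
```

The counterexample returned for Φ = ¬error is the finite path Pay, Select, Error, which is the shortest initial path fragment reaching a state where Φ fails.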

  23. Other safety properties
  • A safety property that is not an invariant: money in an ATM is dispensed only after a valid PIN is provided
    – Note that this is not a state property
    – It is a safety property since any finite prefix in which money is withdrawn without previous entry of a valid PIN is bad behavior

  24. Formal definition of a safety property
  An LT property P_safe over AP is called a safety property if for all words σ ∈ (2^AP)^ω \ P_safe there exists a finite prefix σ̂ of σ such that P_safe ∩ {σ' ∈ (2^AP)^ω | σ̂ is a finite prefix of σ'} = ∅
  • σ̂ is called a bad prefix for P_safe
  • A bad prefix is minimal if there is no smaller prefix that is bad
  • BadPref(P_safe) denotes the set of all bad prefixes for P_safe

  25. Traffic Light examples
  • It is always the case that at least one light is on
    – {σ = A0 A1 … | A_j ⊆ AP ∧ A_j ≠ ∅}
    – Bad prefixes are finite words that contain ∅
  • A red light must be preceded immediately by a yellow light
    – σ = A0 A1 … with A_i ⊆ {red, yellow} such that for all i ≥ 0, red ∈ A_i implies i > 0 and yellow ∈ A_{i−1}
    – Minimal bad prefixes: ∅ ∅ {red} and ∅ {red}
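An added example (not from the deck) that finds the minimal bad prefix of a finite word in the sense of slide 24, for both traffic-light properties of slide 25 and, since slide 20 presents invariants as a special kind of safety property, for the LT2 property of slide 16; the function names are mine:

```python
# Added example: safety properties via bad prefixes (slides 24-25). A finite
# word A0..An is bad for P_safe when no infinite extension lies in P_safe; for
# the properties below that is already witnessed at a single position i.

def minimal_bad_prefix(word, violated_at):
    """Return the shortest bad prefix of the finite word (a list of sets), or
    None if the word has no bad prefix. violated_at(word, i) decides from
    A0..Ai alone whether position i makes every extension bad (slide 24)."""
    for i in range(len(word)):
        if violated_at(word, i):
            return word[: i + 1]
    return None

def is_bad_prefix(word, violated_at):
    """A finite word is a bad prefix iff it contains a minimal bad prefix."""
    return minimal_bad_prefix(word, violated_at) is not None

def light_off(word, i):
    """Slide 25, first property: some light is always on; bad iff A_i = {}."""
    return len(word[i]) == 0

def red_without_yellow(word, i):
    """Slide 25, second property: red in A_i needs i > 0 and yellow in A_{i-1}."""
    return "red" in word[i] and (i == 0 or "yellow" not in word[i - 1])

def violates(phi):
    """Slide 20: an invariant Phi is the safety property whose bad prefixes
    end in a set A_i with A_i |/= Phi."""
    return lambda word, i: not phi(word[i])

def never_both_green(A):
    """LT2 from slide 16 written as a propositional formula over AP."""
    return not ("green1" in A and "green2" in A)
```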
