INF5140 Specification and Verification of Parallel Systems - PowerPoint PPT Presentation

INF5140 Specification and Verification of Parallel Systems Presentation of LTL, CTL and CTL* Christopher A. Trotter University of Oslo Institute of informatics 2018 Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 1 / 43

Outline Temporal logic Linear Temporal Logic (LTL) Computation Tree Logic (CTL) LTL vs. CTL example Incomparable expressiveness, CTL vs. LTL CTL* Relationship between LTL, CTL and CTL* CTL* - Expressiveness Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 2 / 43

Temporal Logic Temporal logic extends propositional or predicate logic by modalities that permit to referral to the infinite behavior of a system, for example reactive systems. It provides a very intuitive and mathematically precise notation for expressing properties about the relation between the state labels in executions, i.e., LT properties. ♦ ”eventually” (eventually in the future) � ”always” (now and forever in the future) The underlying nature of time in temporal logic can be either linear or branching. Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 3 / 43

Linear vs. branching time Linear In the linear view, at each moment in time there is a single successor moment. Branching Whereas in the branching view it can have a tree-like structure, where time may split into alternative courses. (We will emphasize the difference throughout the presentation) Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 4 / 43

Transition system A transition system TS is a tuple ( S , Act , → , I , AP , L ) where S is a set of states, Act is a set of actions, →⊆ S × Act × S is a transition relation, I ⊆ S is a set of initial states, AP is a set of atomic propositions, and L : S → 2 AP is a labeling function. TS is called finite if S , Act , and AP are finite. Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 5 / 43

LTL - Syntax LTL formulae over the set AP of atomic propositions are formed according to the following grammar: ϕ ::= true | a | ϕ 1 ∧ ϕ 2 | ¬ ϕ | � ϕ | ϕ 1 U ϕ 2 (1) where a ∈ AP . The precedence order: (from strongest to weakest) ¬ , � , U , ∧ , ∨ and → (2) Using the Boolean connectives ¬ and ∧ we can obtain the full power of propositional logic. The until operator, U , allows us to derive the temporal modalities ♦ and � . Finally, by combining the temporal modalities, ♦ and � , we can acquire new temporal modalities. Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 6 / 43

LTL - Visual example Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 7 / 43

LTL - Visual example Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 8 / 43

LTL - Visual example Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 9 / 43

LTL - Visual example Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 10 / 43

LTL - Visual example Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 11 / 43

LTL - Semantics(I) Let ϕ be an LTL formula over AP. The LT property induced by ϕ is Words ( ϕ ) = { σ ∈ (2 AP ) ω | σ | = ϕ } (3) = ⊆ (2 AP ) ω × LTL is the smallest relation where the satisfaction relation | with the properties described on the next slide. Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 12 / 43

LTL - Semantics(II) σ | = true σ | = a iff a ∈ A 0 ( i . e ., A 0 | = a ) σ | = ϕ 1 ϕ 2 iff σ | = ϕ 1 and σ | = ϕ 2 σ | = ¬ ϕ iff σ �| = ϕ σ | = � ϕ iff σ [1 ... ] = A 1 A 2 A 3 ... | = ϕ σ | = ϕ 1 U ϕ 2 iff ∃ j ≥ 0 .σ [ j ... ] | = ϕ 2 and σ [ i ... ] | = ϕ 2 for all 0 ≤ i < j . Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 13 / 43

LTL - Semantics(III) LTL formulae stand for properties of paths (or in fact their traces). This means that a path can either fulfill an LTL-formula, or not. To precisely formulate when a path satisfies an LTL formula, we proceed as follows: First, the semantics of LTL formulae ϕ is defined as a language Words ( ϕ ) that contains all infinite words over the alphabet 2 AP that satisfy ϕ . That is, to every LTL formula a single LT property is associated. Then, the semantics is extended to an interpretation over paths and states of a transition system. Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 14 / 43

LTL - Semantics(IV) Let TS = (S, Act, → ,I, AP, L) be a transition system without terminal states, and let ϕ be an LTL-formula over AP. For infinite path fragment of TS, the satisfaction relation is defined by π | = ϕ iff trace ( π ) | = ϕ . For state s S, the satisfaction relation | = is defined by s | = ϕ iff ( ∀ π ∈ Paths ( s ) .π | = ϕ . TS satisfies ϕ , denoted TS | = ϕ , if Traces(TS) ⊆ Words( ϕ ). Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 15 / 43

LTL - model checking Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 16 / 43

CTL - Syntax CTL state formulae over the set AP of atomic proposition are formed according to the following grammar: Φ ::= true | a | Φ 1 ∧ Φ 2 | ¬ Φ | ∃ ϕ | ∀ ϕ (4) where a ∈ AP and ϕ is a path formula. CTL path formulae are formed according to the following grammar: ϕ ::= � Φ | Φ 1 ∪ Φ 2 (5) where Φ , Φ 1 and Φ 2 are state formulae. As in LTL, we are able to obtain the full power of propositional logic and derive the temporal modalities. Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 17 / 43

CTL - Visual example Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 18 / 43

CTL - Visual example Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 19 / 43

CTL - Visual example Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 20 / 43

CTL - Visual example Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 21 / 43

CTL - Visual example Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 22 / 43

CTL - Visual example Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 23 / 43

CTL - Semantics(I) CTL formulae interpreted over the states and paths of a transition system TS. Formally, given a transition system TS, the semantics of CTL formulae is defined by two satisfaction relations (both denoted by | = TS or briefly | =): one for the state formulae and one for the path formulae. Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 24 / 43

CTL - Semantics(II) Let a ∈ AP be an atmoic proposition, TS = (S, Act, → , I, AP, L) be a transition system without terminal states, state s ∈ S , Φ , Ψ be CTL state formulae, and ϕ be a CTL path formula. The satisfaction relation | = is defined for state formulae by s | = a iff a ∈ L ( s ) s | = ¬ Φ iff not s | = Φ s | = Φ ∧ Ψ iff (s | = Φ) and ( s | = Ψ) s | = ∃ ϕ iff π | = ϕ for some π ∈ Paths ( s ) s | = ∀ ϕ iff pi | = ϕ for all π ∈ Paths ( s ) Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 25 / 43

CTL - Semantics(III) For path π , the satisfaction relation | = for path formulae is defined by π | = � Φ iff π [1] | = Φ π | = Φ U Ψ iff ∃ j ≥ 0 . ( π [ j ] | = Ψ ∧ ( ∀ 0 ≤ k < j .π [ k ] | = Ψ)) where for path π = s 0 s 1 s 2 ... and integer i ≥ 0 , π [ i ] denotes the (i+1)th state of π , i.e., π [ i ] = s i . Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 26 / 43

LTL vs. CTL example �♦ a Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 27 / 43