INF5140 Specification and Verification of Parallel Systems - - PowerPoint PPT Presentation

SLIDE 1

INF5140 Specification and Verification of Parallel Systems

Presentation of LTL, CTL and CTL* Christopher A. Trotter

University of Oslo Institute of informatics

2018

Christopher A. Trotter (University of Oslo Institute of informatics) INF5140 Specification and Verification of Parallel Systems 2018 1 / 43

SLIDE 2

Outline

Temporal logic
Linear Temporal Logic (LTL)
Computation Tree Logic (CTL)
LTL vs. CTL example
Incomparable expressiveness, CTL vs. LTL
CTL*
Relationship between LTL, CTL and CTL*
CTL* - Expressiveness

SLIDE 3

Temporal Logic

Temporal logic extends propositional or predicate logic by modalities that permit referring to the infinite behavior of a system, for example a reactive system. It provides a very intuitive and mathematically precise notation for expressing properties about the relation between the state labels in executions, i.e., LT properties.

♦ "eventually" (eventually in the future)
"always" (now and forever in the future)

The underlying nature of time in temporal logic can be either linear or branching.

SLIDE 4

Linear vs. branching time

Linear: In the linear view, at each moment in time there is a single successor moment.

Branching: In the branching view, time can have a tree-like structure, where it may split into alternative courses.

(We will emphasize the difference throughout the presentation.)

SLIDE 5

Transition system

A transition system TS is a tuple (S, Act, →, I, AP, L) where
S is a set of states,
Act is a set of actions,
→ ⊆ S × Act × S is a transition relation,
I ⊆ S is a set of initial states,
AP is a set of atomic propositions, and
L : S → 2^AP is a labeling function.

TS is called finite if S, Act, and AP are finite.

SLIDE 6

LTL - Syntax

LTL formulae over the set AP of atomic propositions are formed according to the following grammar:

ϕ ::= true | a | ϕ1 ∧ ϕ2 | ¬ϕ | ϕ | ϕ1 U ϕ2 (1)

where a ∈ AP. The precedence order (from strongest to weakest) is

¬, , U, ∧, ∨ and → (2)

Using the Boolean connectives ¬ and ∧ we obtain the full power of propositional logic. The until operator, U, allows us to derive the temporal modalities ♦ and . Finally, by combining the temporal modalities ♦ and , we can acquire new temporal modalities.

SLIDE 7

LTL - Visual example

SLIDE 8

LTL - Visual example

SLIDE 9

LTL - Visual example

SLIDE 10

LTL - Visual example

SLIDE 11

LTL - Visual example

SLIDE 12

LTL - Semantics(I)

Let ϕ be an LTL formula over AP. The LT property induced by ϕ is

Words(ϕ) = {σ ∈ (2^AP)^ω | σ ⊨ ϕ} (3)

where the satisfaction relation ⊨ ⊆ (2^AP)^ω × LTL is the smallest relation with the properties described on the next slide.

SLIDE 13

LTL - Semantics(II)

For σ = A0A1A2... ∈ (2^AP)^ω:

σ ⊨ true
σ ⊨ a iff a ∈ A0 (i.e., A0 ⊨ a)
σ ⊨ ϕ1 ∧ ϕ2 iff σ ⊨ ϕ1 and σ ⊨ ϕ2
σ ⊨ ¬ϕ iff σ ⊭ ϕ
σ ⊨ ϕ iff σ[1...] = A1A2A3... ⊨ ϕ
σ ⊨ ϕ1 U ϕ2 iff ∃j ≥ 0. σ[j...] ⊨ ϕ2 and σ[i...] ⊨ ϕ1 for all 0 ≤ i < j
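As an added example (not part of the slides), the satisfaction relation above can be decided mechanically for an ultimately periodic word σ = prefix · cycle^ω, which is the shape of the counterexample traces a model checker reports; the tuple encoding of formulae, the sample word and the request/response property below are all constructed for this illustration.

```python
# Added example (not from the slides): deciding sigma |= phi for an
# ultimately periodic word sigma = prefix . cycle^omega over 2^AP, using the
# satisfaction relation above.  Formulas are nested tuples:
#   "true", ("a",) for a in AP, ("and", f, g), ("not", f),
#   ("X", f) for next, ("U", f, g) for until.

def letter(prefix, cycle, i):
    """A_i, the i-th set of atomic propositions of prefix . cycle^omega."""
    if i < len(prefix):
        return prefix[i]
    return cycle[(i - len(prefix)) % len(cycle)]

def sat(prefix, cycle, phi, i=0):
    """True iff the suffix sigma[i...] satisfies phi."""
    if phi == "true":
        return True
    op = phi[0]
    if len(phi) == 1:                       # atomic proposition: a in A_i
        return op in letter(prefix, cycle, i)
    if op == "not":
        return not sat(prefix, cycle, phi[1], i)
    if op == "and":
        return sat(prefix, cycle, phi[1], i) and sat(prefix, cycle, phi[2], i)
    if op == "X":                           # sigma[i+1...] |= phi
        return sat(prefix, cycle, phi[1], i + 1)
    if op == "U":
        # Suffixes sigma[j...] with j >= len(prefix) repeat every len(cycle)
        # steps, so one full period past max(i, len(prefix)) is exhaustive.
        last = max(i, len(prefix)) + len(cycle) - 1
        for j in range(i, last + 1):
            if sat(prefix, cycle, phi[2], j):
                return True                 # sigma[j...] |= phi2
            if not sat(prefix, cycle, phi[1], j):
                return False                # phi1 fails before any phi2
        return False
    raise ValueError(f"unknown formula {phi!r}")

# Derived modalities, as on the syntax slide: eventually phi = true U phi,
# always phi = not eventually not phi, phi -> psi = not (phi and not psi).
def eventually(phi): return ("U", "true", phi)
def always(phi): return ("not", eventually(("not", phi)))
def implies(phi, psi): return ("not", ("and", phi, ("not", psi)))

# Constructed sample word: {r}, {}, then ({g}, {r}, {r, g}) forever.
PREFIX = [{"r"}, set()]
CYCLE = [{"g"}, {"r"}, {"r", "g"}]
# "every request r is eventually answered by a grant g"
RESPONSE = always(implies(("r",), eventually(("g",))))
```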

SLIDE 14

LTL - Semantics(III)

LTL formulae stand for properties of paths (or, in fact, of their traces). This means that a path either fulfills an LTL formula or does not. To precisely formulate when a path satisfies an LTL formula, we proceed as follows: First, the semantics of an LTL formula ϕ is defined as a language Words(ϕ) that contains all infinite words over the alphabet 2^AP that satisfy ϕ. That is, to every LTL formula a single LT property is associated. Then, the semantics is extended to an interpretation over paths and states of a transition system.

SLIDE 15

LTL - Semantics(IV)

Let TS = (S, Act, →, I, AP, L) be a transition system without terminal states, and let ϕ be an LTL formula over AP. For an infinite path fragment π of TS, the satisfaction relation is defined by π ⊨ ϕ iff trace(π) ⊨ ϕ. For a state s ∈ S, the satisfaction relation ⊨ is defined by s ⊨ ϕ iff ∀π ∈ Paths(s). π ⊨ ϕ. TS satisfies ϕ, denoted TS ⊨ ϕ, if Traces(TS) ⊆ Words(ϕ).

SLIDE 16

LTL - model checking

SLIDE 17

CTL - Syntax

CTL state formulae over the set AP of atomic propositions are formed according to the following grammar:

Φ ::= true | a | Φ1 ∧ Φ2 | ¬Φ | ∃ϕ | ∀ϕ (4)

where a ∈ AP and ϕ is a path formula. CTL path formulae are formed according to the following grammar:

ϕ ::= Φ | Φ1 U Φ2 (5)

where Φ, Φ1 and Φ2 are state formulae. As in LTL, we are able to obtain the full power of propositional logic and derive the temporal modalities.

SLIDE 18

CTL - Visual example

SLIDE 19

CTL - Visual example

SLIDE 20

CTL - Visual example

SLIDE 21

CTL - Visual example

SLIDE 22

CTL - Visual example

SLIDE 23

CTL - Visual example

SLIDE 24

CTL - Semantics(I)

CTL formulae are interpreted over the states and paths of a transition system TS. Formally, given a transition system TS, the semantics of CTL formulae is defined by two satisfaction relations (both denoted by ⊨TS or briefly ⊨):

  • one for the state formulae and
  • one for the path formulae.

SLIDE 25

CTL - Semantics(II)

Let a ∈ AP be an atomic proposition, TS = (S, Act, →, I, AP, L) be a transition system without terminal states, s ∈ S be a state, Φ, Ψ be CTL state formulae, and ϕ be a CTL path formula. The satisfaction relation ⊨ is defined for state formulae by

s ⊨ a iff a ∈ L(s)
s ⊨ ¬Φ iff not s ⊨ Φ
s ⊨ Φ ∧ Ψ iff (s ⊨ Φ) and (s ⊨ Ψ)
s ⊨ ∃ϕ iff π ⊨ ϕ for some π ∈ Paths(s)
s ⊨ ∀ϕ iff π ⊨ ϕ for all π ∈ Paths(s)

SLIDE 26

CTL - Semantics(III)

For a path π, the satisfaction relation ⊨ for path formulae is defined by

π ⊨ Φ iff π[1] ⊨ Φ
π ⊨ Φ U Ψ iff ∃j ≥ 0. (π[j] ⊨ Ψ ∧ (∀0 ≤ k < j. π[k] ⊨ Φ))

where for a path π = s0s1s2... and integer i ≥ 0, π[i] denotes the (i+1)th state of π, i.e., π[i] = si.
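An added example (not from the slides or the book) of how the state and path semantics above are used in practice: an explicit-state CTL checker that computes Sat(Φ) for the next and until path operators by least fixed points over the state set. It assumes, as the slides do, a transition system without terminal states; the tuple encoding of formulae, the sample TS and its labels are constructed here.

```python
# Added example (not from the slides): explicit-state CTL model checking on a
# finite TS without terminal states, computing Sat(Phi) = {s | s |= Phi} by
# fixed-point iteration.  Formulas are nested tuples: "true", ("a",),
# ("and", F, G), ("not", F), ("EX", F) / ("AX", F) for exists / forall next,
# ("EU", F, G) / ("AU", F, G) for exists / forall (F until G).

def post(trans, s):
    """Direct successors of s; trans is a set of (s, s') pairs."""
    return {t for (u, t) in trans if u == s}

def holds(quant, succ, t):
    """E: some successor lies in t; A: every successor lies in t."""
    return bool(succ & t) if quant == "E" else succ <= t

def sat(states, trans, label, phi):
    """Return Sat(phi): the set of states s with s |= phi."""
    if phi == "true":
        return set(states)
    op = phi[0]
    if len(phi) == 1:                                  # a in L(s)
        return {s for s in states if op in label[s]}
    if op == "not":
        return set(states) - sat(states, trans, label, phi[1])
    if op == "and":
        return sat(states, trans, label, phi[1]) & sat(states, trans, label, phi[2])
    if op in ("EX", "AX"):          # some / every successor satisfies F
        t = sat(states, trans, label, phi[1])
        return {s for s in states if holds(op[0], post(trans, s), t)}
    if op in ("EU", "AU"):
        f, g = (sat(states, trans, label, x) for x in phi[1:])
        # Least fixed point: start from Sat(G) and keep adding F-states from
        # which some (EU) / every (AU) successor is already in the set.
        t = set(g)
        while True:
            new = {s for s in f if holds(op[0], post(trans, s), t)}
            if new <= t:
                return t
            t |= new
    raise ValueError(f"unknown formula {phi!r}")

# Derived modalities: EF/AF = exists/forall (true U phi); EG/AG by duality.
def EF(phi): return ("EU", "true", phi)
def AF(phi): return ("AU", "true", phi)
def AG(phi): return ("not", EF(("not", phi)))
def EG(phi): return ("not", AF(("not", phi)))
# Constructed sample TS: from s2 the system may loop on req forever or grant.
S = {"s0", "s1", "s2", "s3"}
T = {("s0", "s1"), ("s1", "s2"), ("s1", "s3"), ("s2", "s2"), ("s2", "s3"), ("s3", "s0")}
L = {"s0": set(), "s1": {"req"}, "s2": {"req"}, "s3": {"grant"}}
```

On this TS a grant is always reachable (AG EF grant holds everywhere) yet not guaranteed (AF grant holds only in s3), which is exactly the distinction the existential and universal path quantifiers draw.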

SLIDE 27

LTL vs. CTL example

♦a

SLIDE 28

LTL vs. CTL example

♦a ♦(a ∧ a)

SLIDE 29

LTL vs. CTL example

♦a ♦(a ∧ a) ∀∃♦a

SLIDE 30

LTL vs. CTL example

♦a ♦(a ∧ a) ∀∃♦a ♦(a ∧ a) ∨ ∀∃♦a

SLIDE 31

LTL vs. CTL(II)

Aspect | Linear time | Branching time
"behavior" in a state s | path-based: trace(s) | state-based: computation tree of s
temporal logic | path formulae ϕ; s ⊨ ϕ iff ∀π ∈ Paths(s). π ⊨ ϕ | state formulae; existential path formulae ∃ϕ, universal path formulae ∀ϕ
complexity of the model checking problems | PSPACE-complete, O(|TS| × exp(|ϕ|)) | PTIME, O(|TS| × |Φ|)
implementation relation | trace inclusion and the like (PSPACE-complete) | simulation and bisimulation (polynomial time)
fairness | no special techniques needed | special techniques needed

Table: Linear-time vs. branching-time in a nutshell

SLIDE 32

Incomparable Expressiveness, CTL vs. LTL(I)

There exist LTL formulae for which no equivalent CTL formula exists. This holds, for instance, for

♦a or ♦(a ∧ a). (6)

Proof (by construction): shown in Chapter 6 of Principles of Model Checking, Theorem 6.21.

SLIDE 33

Incomparable Expressiveness, CTL vs. LTL(II)

There exist CTL formulae for which no equivalent LTL formula exists. This holds, for instance, for

∀♦∀a and ∀♦(a ∧ ∀ a) and ∀∃♦a. (7)

Proof (by contradiction): shown in Chapter 6 of Principles of Model Checking, Theorem 6.21.

SLIDE 34

CTL*

CTL* is an extension of CTL: it allows the path quantifiers ∃ and ∀ to be arbitrarily nested with temporal operators (such as U). In contrast, in CTL each linear temporal operator must be immediately preceded by a path quantifier. As in CTL, the syntax of CTL* distinguishes between state and path formulae. The syntax of CTL* state formulae is roughly as in CTL, while CTL* path formulae are defined as LTL formulae, the only difference being that arbitrary CTL* state formulae can be used as atoms.

SLIDE 35

CTL* - Syntax

CTL* state formulae over the set AP of atomic propositions, briefly called CTL* formulae, are formed according to the following grammar:

Φ ::= true | a | Φ1 ∧ Φ2 | ¬Φ | ∃ϕ (8)

where a ∈ AP and ϕ is a path formula. The syntax of CTL* path formulae is given by the following grammar:

ϕ ::= Φ | ϕ1 ∧ ϕ2 | ¬ϕ | ϕ | ϕ1 U ϕ2 (9)

where Φ is a state formula, and ϕ, ϕ1 and ϕ2 are path formulae.

SLIDE 36

CTL* - Syntax difference from CTL

For example, the following formulae are syntactically correct CTL* formulae:

∀(♦a ∧ ¬(b U c)) (10)
∀ ¬a ∧ ∃♦(a ∨ ∀(b U a)) (11)

(Note that these formulae are not CTL formulae.)

SLIDE 37

CTL* - Semantics(I)

Let a ∈ AP be an atomic proposition, TS = (S, Act, →, I, AP, L) be a transition system without terminal states, s ∈ S be a state, Φ, Ψ be CTL* state formulae, and ϕ, ϕ1 and ϕ2 be CTL* path formulae. The satisfaction relation ⊨ is defined for state formulae by

s ⊨ a iff a ∈ L(s)
s ⊨ ¬Φ iff not s ⊨ Φ
s ⊨ Φ ∧ Ψ iff (s ⊨ Φ) and (s ⊨ Ψ)
s ⊨ ∃ϕ iff π ⊨ ϕ for some π ∈ Paths(s)

SLIDE 38

CTL* - Semantics(III)

For a path π = s0s1s2..., the satisfaction relation ⊨ for path formulae is defined by

π ⊨ Φ iff s0 ⊨ Φ
π ⊨ ϕ1 ∧ ϕ2 iff π ⊨ ϕ1 and π ⊨ ϕ2
π ⊨ ¬ϕ iff π ⊭ ϕ
π ⊨ ϕ iff π[1...] ⊨ ϕ
π ⊨ ϕ1 U ϕ2 iff ∃j ≥ 0. (π[j...] ⊨ ϕ2 ∧ (∀0 ≤ k < j. π[k...] ⊨ ϕ1))

where for a path π = s0s1s2... and integer i ≥ 0, π[i...] denotes the suffix of π from index i on.

SLIDE 39

CTL* - Relationship between LTL, CTL and CTL*

SLIDE 40

CTL* - Expressiveness

For the CTL* formula over AP = {a, b},

Φ = (∀♦a) ∨ (∀∃♦b) (12)

there does not exist any equivalent LTL or CTL formula.

SLIDE 41

CTL* - Expressiveness

For the CTL* formula over AP = {a, b},

Φ = (∀♦a) ∨ (∀∃♦b) (13)

there does not exist any equivalent LTL or CTL formula.

Proof: This follows directly from the fact that ∀∃♦b is a CTL formula that cannot be expressed in LTL, whereas ♦a is an LTL formula that cannot be expressed in CTL. Shown in Theorem 6.21.

SLIDE 42

Comparative - LTL, CTL and CTL*

SLIDE 43

References

Christel Baier and Joost-Pieter Katoen. Principles of Model Checking. MIT Press, 2008.
