Modal logics and µ-calculus - INF 5140 Specification and verification - PowerPoint PPT Presentation

SLIDE 1

Modal logics and µ-calculus

INF 5140 - Specification and verification of parallel system

Ratan Thapa ratanbt@ifi.uio.no

18 May 2018

SLIDE 2

Table of Content

  • Review
  • Theory of fixpoints
  • µ-calculus
  • Syntax of µ-calculus
  • Semantics of µ-calculus
  • Model checking

SLIDE 3

Review

1960's, Floyd-Hoare Logic allows assertions and a proof system to verify these assertions

  • {precondition} program {postcondition}
  • e.g. {x = 1} x := x + 1 {x = 2}
  • partial correctness + termination = total correctness
  • rules/calculus:

composition rule: from {P} s1 {R} and {R} s2 {Q} conclude {P} s1; s2 {Q}

conditional rule: from {P ∧ E} s1 {Q} and {P ∧ ¬E} s2 {Q} conclude {P} if E then s1 else s2 {Q}

while rule: from {P ∧ E} s {P} conclude {P} while E do s {P ∧ ¬E}

consequence rule: from P ⇒ P′, {P′} s {Q′} and Q′ ⇒ Q conclude {P} s {Q}

SLIDE 4

Review

1970's, Dynamic Logic (Vaughan Pratt, 1974) "Exogenous": a program is a part of a formula. Formula:

  • [a]ϕ  def⇔  it is necessary that after executing a, ϕ holds
  • ⟨a⟩ϕ  def⇔  ¬[a]¬ϕ

Example:

  • [a ∪ b]ϕ, ⟨(a; b)∗⟩ϕ
  • while ϕ do a  def=  (ϕ?; a)∗; ¬ϕ?

SLIDE 5

Review

1970's, Temporal Logic LTL (Amir Pnueli, 1977) "Endogenous": a program is a part of a model. Formula:

  • s |= ○ϕ  def⇔  for all states t such that (s, t) ∈ Next, t |= ϕ
  • s |= □ϕ  def⇔  starting with s, all future states satisfy ϕ
  • s |= ♦ϕ  def⇔  s |= ¬□¬ϕ

Example:

  • ϕ is true at each multiple of 3 but false elsewhere:
    ϕ ∧ □(ϕ → ○(¬ϕ ∧ ○(¬ϕ ∧ ○ϕ)))

SLIDE 6

Review

1980's, HML (Hennessy-Milner Logic, 1980), a primitive modal logic of action. Syntax: ϕ ∈ formula and a ∈ Action

  • ϕ ::= tt | ff | ¬ϕ | ϕ1 ∧ ϕ2 | ϕ1 ∨ ϕ2 | ⟨a⟩ϕ | [a]ϕ

Semantics: defined inductively over a state transition system

  • E |= ⟨a⟩ϕ  def⇔  ∃s. E –a→ s ∧ s |= ϕ   "it is possible to do an a-action to a state where ϕ holds"
  • With variables: v, w′, .. → sets of states
  • E, v |= [a]¬ϕ  def⇔  for all w′ with v –a→ w′, E, w′ |= ¬ϕ

SLIDE 7

Review

1980's, Computation Tree Logic (E.M. Clarke and E.A. Emerson, 1981), an extension of LTL that includes further modalities. Semantics over "runs" of a process

  • A run S0 –a1→ S1 –a2→ .. has the property (ϕ U ψ) if there is an i ≥ 0 such that Si |= ψ and for all j with 0 ≤ j < i, Sj |= ϕ

Quantified: ∀ and ∃ versions of U and the path operators:

  • Fϕ = (tt U ϕ)  def⇔  ϕ eventually holds
  • Gϕ = ¬(tt U ¬ϕ)  def⇔  ϕ always holds

Examples:

  • S |= ∀[ϕ U ψ]  def⇔  every run of S has the property (ϕ U ψ)
  • S |= ∃[ϕ U ∃Fψ] → CTL∗ (mixing path operators and quantifiers)

SLIDE 8

Review

Computation Tree Logic: X: Next, φ ∈ formula

SLIDE 9

Theory of fixpoints

If (S, ≤) is an ordered set and F : S → S is a monotonic function, then s ∈ S is called a fixpoint of F if F(s) = s

  • s ∈ S is a pre-fixpoint of F  semantically⇔  F(s) ≤ s; a fixpoint s of F is the least pre-fixpoint of F iff for all other pre-fixpoints u ∈ S of F, u ≮ s
  • s ∈ S is a post-fixpoint of F  semantically⇔  s ≤ F(s); a fixpoint s of F is the greatest post-fixpoint of F iff for all other post-fixpoints u ∈ S of F, u ≯ s

Knaster-Tarski fixed point theorem: Let (S, ≤) be a complete lattice and F be a monotonic function on (S, ≤), then

  • F has a least fixed point (µX.F), the meet of all pre-fixed points
  • F has a greatest fixed point (νX.F), the join of all post-fixed points

SLIDE 10

Theory of fixpoints

SLIDE 11

Fixpoints

Given a labelled transition system M = (S, R, V),

  • S: state space of the system
  • R: transition relation → ⊆ S × L × S, L the set of actions (a ∈ A)
  • Vprop : P → 2^S, maps each atomic proposition P to the set of states where P holds
  • Vvar : Var → 2^S, Var = {X, Y, .., Z} the set of variables
  • variables always occur in positive normal form to maintain the monotonicity property

The semantics of ϕ(Z) is a function F : 2^S → 2^S. By the Knaster-Tarski theorem, since F is a monotonic function on the lattice 2^S,

  • µZ.ϕ(Z) → least fixpoint of F
  • νZ.ϕ(Z) → greatest fixpoint of F

Recursion

  • ∀Gϕ → "always ϕ" ⇒ {X = ϕ ∧ [−]X}  semantically⇒  {X ⊆ ϕ ∧ [−]X} ⇒ {νX.ϕ ∧ [−]X}
  • ∃Fϕ → "there exists a path with Fϕ" ⇒ {X = ϕ ∨ ⟨−⟩X}  semantically⇒  {X ⊇ ϕ ∨ ⟨−⟩X} ⇒ {µX.ϕ ∨ ⟨−⟩X}

Fixpoint slogan: ν → "infinite" looping and µ → "finite" looping

SLIDE 12

µ-Calculus

A powerful logic that adds fixpoint operators. It extends HML with recursion (others, CTL, CTL*, .. as well). Use of fixpoint operators in program logic:

  • (Emerson and Clarke, 1980): capture fairness and correctness
  • (Pratt, 1982): minimization operator of recursive theory
  • (D. Kozen, 1983): modal µ-calculus

SLIDE 13

Syntax

(D. Kozen, 1983) The µ-calculus is a logic describing properties of labeled transition systems whose states are labeled with sets of propositions. Syntax:

  • ϕ ::= tt | ff | p | ¬p | ¬ϕ | ϕ1 ∧ ϕ2 | ϕ1 ∨ ϕ2 | ⟨a⟩ϕ | [a]ϕ | Z | νZ.ϕ | µZ.ϕ

ϕ ∈ formula, a ∈ Action and Z ∈ variable. Model: M = (S, R, V),

  • S: nonempty set of states
  • R: maps each action to a binary relation, → ⊆ S × L × S, L the set of actions (a ∈ A); T ⊆ S × A × S is the set of transitions
  • Vprop : Pi (i ∈ N) → 2^S, maps Pi to the set of states where Pi holds
  • V : Var → 2^S, Var = {X, Y, .., Z} the (non-negative) set of variables

SLIDE 14

Semantics

Given the model M = (S, R, V), the semantics ‖ϕ‖^M_V, the set of states satisfying a formula ϕ, is defined as follows

  • ‖Z‖^M_V = V(Z)
  • ‖pi‖^M_V = Pi and ‖¬pi‖^M_V = S − Pi, for every pi ∈ prop
  • ‖ϕ ∨ ψ‖^M_V = ‖ϕ‖^M_V ∪ ‖ψ‖^M_V and ‖ϕ ∧ ψ‖^M_V = ‖ϕ‖^M_V ∩ ‖ψ‖^M_V
  • ‖[a]ϕ‖^M_V = {s | ∀t. s –a→ t ⇒ t ∈ ‖ϕ‖^M_V}
  • ‖⟨a⟩ϕ‖^M_V = {s | ∃t. s –a→ t ∧ t ∈ ‖ϕ‖^M_V}
  • ‖µZ.ϕ‖^M_V = ∩{S′ ⊆ S | S′ ⊇ ‖ϕ‖^M_{V[Z:=S′]}}
  • ‖νZ.ϕ‖^M_V = ∪{S′ ⊆ S | S′ ⊆ ‖ϕ‖^M_{V[Z:=S′]}}

Notes

  • t ∈ ‖ϕ‖^M_V ⇒ t |= ϕ
  • V[Z := S′] is the valuation V updated so that Z ↦ S′

SLIDE 15

Syntactic properties

De Morgan duality

  • (ϕ ∨ ψ)  def⇔  ¬(¬ϕ ∧ ¬ψ)
  • ⟨a⟩ϕ  def⇔  ¬[a]¬ϕ
  • µZ.ϕ(Z)  def⇔  ¬νZ.¬ϕ(¬Z)

Syntactic extension: allowing modalities over sets of actions

  • S |= [A]ϕ iff ∀a ∈ A. S |= [a]ϕ
  • [−A]ϕ  def⇔  [L − A]ϕ
  • [−]ϕ  def⇔  [L]ϕ

Positive normal form (negation)

  • νX.ϕ ∧ [a]X  negation⇔  ¬νX.ϕ ∧ [a]X ⇒ µX.¬(ϕ ∧ [a]¬X) ⇒ µX.(¬ϕ ∨ ¬[a]¬X) ⇒ µX.¬ϕ ∨ ⟨a⟩X
  • νY.µX.(ϕ ∧ ⟨a⟩Y) ∨ ⟨a⟩X  negation⇔  µY.νX.(¬ϕ ∨ [a]Y) ∧ [a]X

SLIDE 16

Expressivity

µ-calculus expressivity

  • Safety: νX.ϕ ∧ [a]X ⇒ "ϕ is true along every a-path"
  • Liveness: µX.ϕ ∨ [a]X ⇒ "along every a-path ϕ must eventually come true"
  • Fairness: □♦ϕ | µ-calculus: νY.µX.((ϕ ∧ ⟨a⟩Y) ∨ ⟨a⟩X) ⇒ "on some a-path there are infinitely many states where ϕ holds"
  • PDL: ⟨a∗⟩ϕ  µ⇔  µX.ϕ ∨ ⟨a⟩X
  • CTL: ∀G(∃Fϕ) ⇒ "always (there exists a path on which ϕ eventually holds)" ⇒ "it is always possible that ϕ will hold"  µ⇔  νZ.µX.(ϕ ∨ ⟨−⟩X) ∧ [−]Z

More examples:

  • µZ.νX.(ϕ ∧ [a]Z) ∨ (¬ϕ ∧ [a]X)
  • (ϕ U ψ)  µ⇔  µZ.ψ ∨ (ϕ ∧ ○Z)
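The set semantics of slide 14 and the slide 16 formulas, worked as an added example (not code from the slides): a small model checker that evaluates ‖ϕ‖ over a constructed five-state LTS and computes µ and ν by Knaster-Tarski iteration on the finite lattice 2^S. The tuple encoding of formulas, the state names, the propositions p and q and the transitions are all constructed here.

```python
# Added example, not from the slides: the set-based semantics of slide 14
# evaluated over a small constructed LTS, with mu/nu computed by
# Knaster-Tarski iteration on the finite lattice 2^S (slides 9 and 11).
# Formulas are tuples in positive normal form; action "-" means "any action".

# Constructed model M = (S, R, V): states, transitions (s, a, t), valuation.
STATES = {0, 1, 2, 3, 4}
TRANS = {(0, "a", 1), (1, "a", 2), (2, "a", 2), (2, "b", 3), (3, "a", 3), (3, "a", 4)}
PROPS = {"p": {0, 1, 2}, "q": {3}}   # state 4 is a dead end satisfying nothing

def succ(s, act):
    # successors of s under action act ('-' matches every action, as in [-]phi)
    return {t for (u, a, t) in TRANS if u == s and act in ("-", a)}

def sem(phi, val=None):
    # ||phi||^M_V: the set of states satisfying phi under valuation val
    val, kind = val or {}, phi[0]
    if kind == "tt": return set(STATES)
    if kind == "ff": return set()
    if kind == "prop": return set(PROPS[phi[1]])        # ||p|| = P
    if kind == "nprop": return STATES - PROPS[phi[1]]   # ||not p|| = S - P
    if kind == "var": return set(val[phi[1]])           # ||Z|| = V(Z)
    if kind == "and": return sem(phi[1], val) & sem(phi[2], val)
    if kind == "or": return sem(phi[1], val) | sem(phi[2], val)
    if kind == "box":   # {s | forall t. s -a-> t  =>  t in ||phi||}
        body = sem(phi[2], val)
        return {s for s in STATES if succ(s, phi[1]) <= body}
    if kind == "dia":   # {s | exists t. s -a-> t  and  t in ||phi||}
        body = sem(phi[2], val)
        return {s for s in STATES if succ(s, phi[1]) & body}
    if kind in ("mu", "nu"):
        # mu: iterate F upward from the empty set; nu: downward from S.
        # Monotonicity (from PNF) gives convergence in at most |S| steps.
        z, body = phi[1], phi[2]
        cur = set() if kind == "mu" else set(STATES)
        while (nxt := sem(body, {**val, z: cur})) != cur:
            cur = nxt
        return cur
    raise ValueError(f"unknown connective {kind!r}")

def check(phi, s):
    # the model-checking question of slide 20: does s |= phi hold?
    return s in sem(phi)

# Slide 16 formulas, written over the constructed propositions p and q.
SAFETY = ("nu", "X", ("and", ("prop", "p"), ("box", "a", ("var", "X"))))   # nu X. p /\ [a]X
EF_Q = ("mu", "X", ("or", ("prop", "q"), ("dia", "-", ("var", "X"))))      # mu X. q \/ <->X   (EF q)
AG_EF_Q = ("nu", "Z", ("and", EF_Q, ("box", "-", ("var", "Z"))))          # nu Z. EF q /\ [-]Z (AG EF q)
FAIR = ("nu", "Y", ("mu", "X", ("or", ("and", ("prop", "p"), ("dia", "a", ("var", "Y"))),
                                      ("dia", "a", ("var", "X")))))        # alternation depth 2
```

Because the dead-end state 4 is reachable from every state, AG EF q evaluates to the empty set even though EF q holds in states 0 to 3, which is exactly the difference between the inner µ and the outer ν.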

SLIDE 17

Expressivity

Alternation

  • depth: number of alternations between µ and ν in the prefix
  • proportional w.r.t. expressive power and exponential w.r.t. the complexity of the model-checking algorithm
  • a formula has the same alternation depth as its unfolding, i.e. µX.ϕ(X) ↔ ϕ(µX.ϕ(X))
  • µX.(νY.(p ∧ ⟨a⟩Y)) ∨ ⟨a⟩X ⇒ nested formula (not alternation) ⇒ µX.Z ∨ ⟨a⟩X, with νY.(p ∧ ⟨a⟩Y) substituted for Z
  • νY.µX.((ϕ ∧ ⟨a⟩Y) ∨ ⟨a⟩X) ⇒ alternation depth "2"

SLIDE 18

Expressivity

Alternation

  • νY.µX.((p ∧ ⟨a⟩Y) ∨ ⟨a⟩X)

SLIDE 19

Expressivity

Bisimulation: a notion of similarity between models (i.e. do two systems behave in the same way?). A bisimulation between M1 = (S1, R1, V1) and M2 = (S2, R2, V2) is a relation ≈ ⊆ S1 × S2 such that if s1 ≈ s2 then

  • s1 |= p and s2 |= p for the same propositions p
  • if R1a(s1, s1′) then there is an s2′ with R2a(s2, s2′), a ∈ Act, such that s1′ ≈ s2′
  • and symmetrically for the transitions of s2

Logical equivalence : Bisimilarity
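The slide 19 definition, worked as an added example (not code from the slides): the largest bisimulation between two constructed LTSs is computed as a greatest fixpoint, starting from all pairs that agree on propositions and removing pairs that violate the transfer conditions until nothing changes. The model encoding and the three models M1, M2, M3 are constructed for this example.

```python
# Added example, not from the slides: largest bisimulation as a greatest
# fixpoint. A model is (states, transitions {(s, a, t)}, labelling {s: props}).
def bisimulation(m1, m2):
    s1, r1, v1 = m1
    s2, r2, v2 = m2
    def succ(r, s, a): return {t for (u, b, t) in r if u == s and b == a}
    acts = {a for (_, a, _) in r1 | r2}
    # start from the coarsest candidate: pairs satisfying the same propositions
    rel = {(x, y) for x in s1 for y in s2 if v1[x] == v2[y]}
    while True:
        keep = set()
        for (x, y) in rel:
            # forward: every x -a-> x' is matched by some y -a-> y' with (x', y') in rel
            fwd = all(any((xp, yp) in rel for yp in succ(r2, y, a))
                      for a in acts for xp in succ(r1, x, a))
            # backward: the symmetric condition for the transitions of y
            bwd = all(any((xp, yp) in rel for xp in succ(r1, x, a))
                      for a in acts for yp in succ(r2, y, a))
            if fwd and bwd:
                keep.add((x, y))
        if keep == rel:        # no pair removed: greatest fixpoint reached
            return rel
        rel = keep

def bisimilar(m1, s, m2, t):
    return (s, t) in bisimulation(m1, m2)

# Constructed models. M1 loops on one state; M2 alternates between two states;
# both offer action "a" forever with p holding everywhere, so they are bisimilar.
M1 = ({0}, {(0, "a", 0)}, {0: frozenset({"p"})})
M2 = ({0, 1}, {(0, "a", 1), (1, "a", 0)}, {0: frozenset({"p"}), 1: frozenset({"p"})})
# M3 can additionally do "b" after the first step, which no M1 state can match.
M3 = ({0, 1}, {(0, "a", 1), (1, "a", 1), (1, "b", 1)}, {0: frozenset({"p"}), 1: frozenset({"p"})})
```

The M1/M3 case illustrates the logical-equivalence side of the slide: the HML formula ⟨a⟩⟨b⟩tt holds in M3's initial state but not in M1's, so the two are distinguishable and the computed relation is empty.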

SLIDE 20

Model checking

Capturing "correctness": given a process expression E, does it have a particular modal property ϕ, i.e. E |= ϕ?

  • Is ϕ satisfiable?
  • Is ϕ valid? i.e. does every process E have ϕ?
  • Issue: E  ?⇒  expression and structure, ϕ  ?⇒  property and language

Approaches: E |= ϕ?

  • use techniques to verify directly whether or not E |= ϕ
  • reduce E to a characteristic formula ϕ_E; is ϕ_E → ϕ valid?
  • E  automaton⇒  A_E and ϕ  automaton⇒  A_ϕ; complement: A_E  ⇒  A_E^C; is A_ϕ ∩ A_E^C empty?

SLIDE 21

Satisfiability

  • verification: s |=? νY.µZ.[a](Z ∨ (p ∧ Y))

SLIDE 22

Reference

  • Kozen, D. (1983). Results on the propositional µ-calculus. Theoretical Computer Science, 27(3), 333-354.
  • Bradfield, J., Stirling, C. (2001). Modal Logics and mu-Calculi: An Introduction.
  • Bradfield, J., Walukiewicz, I. (2015). The mu-calculus and model-checking. Handbook of Model Checking. Springer-Verlag, 35-45.