Real-time Model Checking Timed Temporal Logics Nicolas M ARKEY - - PowerPoint PPT Presentation

Real-time Model Checking

— Timed Temporal Logics — Nicolas MARKEY

• Lav. Sp´

ecification & V´ erification CNRS & ENS Cachan – France

March 3, 2010

(Quantitative) Model checking

system:

⇒

property:

Always(safe)

model-checking algorithm

yes/no

(Quantitative) Model checking

system:

⇒

property:

Always(safe)

model-checking algorithm

yes/no timed automata

(Quantitative) Model checking

system:

⇒

property:

Always(safe)

model-checking algorithm

yes/no timed automata r e a c h a b i l i t y v i a r e g i

• n

s

(Quantitative) Model checking

system:

⇒

property:

Always(safe)

model-checking algorithm

yes/no timed automata r e a c h a b i l i t y v i a r e g i

• n

s q u a n t i t a t i v e t e m p

• r

a l l

• g

i c s

Quick reminder on untimed temporal logics

LTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | X ϕ | ϕ U ϕ CTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | Eψ | Aψ ψ ::= X ϕ | ϕ U ϕ

Refs: [1] Pnueli. The Temporal Logic of Programs (1977). [2] Emerson, Clarke. Using Branching Time Temporal Logic to Synthesize Synchronization Skeletons (1982).

Quick reminder on untimed temporal logics

LTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | X ϕ | ϕ U ϕ CTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | Eψ | Aψ ψ ::= X ϕ | ϕ U ϕ | = X

Refs: [1] Pnueli. The Temporal Logic of Programs (1977). [2] Emerson, Clarke. Using Branching Time Temporal Logic to Synthesize Synchronization Skeletons (1982).

Quick reminder on untimed temporal logics

LTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | X ϕ | ϕ U ϕ CTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | Eψ | Aψ ψ ::= X ϕ | ϕ U ϕ | = X

Refs: [1] Pnueli. The Temporal Logic of Programs (1977). [2] Emerson, Clarke. Using Branching Time Temporal Logic to Synthesize Synchronization Skeletons (1982).

Quick reminder on untimed temporal logics

LTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | X ϕ | ϕ U ϕ CTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | Eψ | Aψ ψ ::= X ϕ | ϕ U ϕ | = X | = U

Refs: [1] Pnueli. The Temporal Logic of Programs (1977). [2] Emerson, Clarke. Using Branching Time Temporal Logic to Synthesize Synchronization Skeletons (1982).

Quick reminder on untimed temporal logics

LTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | X ϕ | ϕ U ϕ CTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | Eψ | Aψ ψ ::= X ϕ | ϕ U ϕ | = X | = U

Refs: [1] Pnueli. The Temporal Logic of Programs (1977). [2] Emerson, Clarke. Using Branching Time Temporal Logic to Synthesize Synchronization Skeletons (1982).

Quick reminder on untimed temporal logics

LTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | X ϕ | ϕ U ϕ CTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | Eψ | Aψ ψ ::= X ϕ | ϕ U ϕ | = X | = U | = F ≡ ⊤ U

Refs: [1] Pnueli. The Temporal Logic of Programs (1977). [2] Emerson, Clarke. Using Branching Time Temporal Logic to Synthesize Synchronization Skeletons (1982).

Quick reminder on untimed temporal logics

LTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | X ϕ | ϕ U ϕ CTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | Eψ | Aψ ψ ::= X ϕ | ϕ U ϕ | = X | = U | = F ≡ ⊤ U | = G ≡ ¬ (F ¬ )

Refs: [1] Pnueli. The Temporal Logic of Programs (1977). [2] Emerson, Clarke. Using Branching Time Temporal Logic to Synthesize Synchronization Skeletons (1982).

Quick reminder on untimed temporal logics

LTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | X ϕ | ϕ U ϕ CTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | Eψ | Aψ ψ ::= X ϕ | ϕ U ϕ | = Eϕ | = Aϕ

Refs: [1] Pnueli. The Temporal Logic of Programs (1977). [2] Emerson, Clarke. Using Branching Time Temporal Logic to Synthesize Synchronization Skeletons (1982).

Quick reminder on untimed temporal logics

LTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | X ϕ | ϕ U ϕ CTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | Eψ | Aψ ψ ::= ϕ | X ϕ | ϕ U ϕ

Example

( U ) ∨ G : weak until

Refs: [1] Pnueli. The Temporal Logic of Programs (1977). [2] Emerson, Clarke. Using Branching Time Temporal Logic to Synthesize Synchronization Skeletons (1982).

Quick reminder on untimed temporal logics

LTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | X ϕ | ϕ U ϕ CTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | Eψ | Aψ ψ ::= ϕ | X ϕ | ϕ U ϕ

Example

( U ) ∨ G : weak until G F : “infinitely often”

Refs: [1] Pnueli. The Temporal Logic of Programs (1977). [2] Emerson, Clarke. Using Branching Time Temporal Logic to Synthesize Synchronization Skeletons (1982).

Quick reminder on untimed temporal logics

LTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | X ϕ | ϕ U ϕ CTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | Eψ | Aψ ψ ::= ϕ | X ϕ | ϕ U ϕ

Example

( U ) ∨ G : weak until G F : “infinitely often” A G( ⇒ A F ): response property

Refs: [1] Pnueli. The Temporal Logic of Programs (1977). [2] Emerson, Clarke. Using Branching Time Temporal Logic to Synthesize Synchronization Skeletons (1982).

Quick reminder on untimed temporal logics

LTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | X ϕ | ϕ U ϕ CTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | Eψ | Aψ ψ ::= ϕ | X ϕ | ϕ U ϕ

Example

( U ) ∨ G : weak until G F : “infinitely often” A G( ⇒ A F ): response property A(G F ⇒ G ): fair runs are safe (not a CTL formula)

Refs: [1] Pnueli. The Temporal Logic of Programs (1977). [2] Emerson, Clarke. Using Branching Time Temporal Logic to Synthesize Synchronization Skeletons (1982).

Outline of the talk

1

Introduction

2

Extending temporal logics with real-time constraints Continuous and pointwise semantics Expressiveness issues

3

Model checking timed linear-time logics Undecidability of MTL and TPTL Decidable fragments

4

Model checking timed branching-time logics

5

Conclusions and open problems

Outline of the talk

1

Introduction

2

Extending temporal logics with real-time constraints Continuous and pointwise semantics Expressiveness issues

3

Model checking timed linear-time logics Undecidability of MTL and TPTL Decidable fragments

4

Model checking timed branching-time logics

5

Conclusions and open problems

Extending temporal modalities with time

decorating modalities with timing constraints:

1.4 3.4 0.2 1.3 1.2

| = U=5

Refs: [1] Alur, Henzinger. A Really Temporal Logic (1989). [2] Koymans. Specifying Real-Time Properties with Metric Temporal Logic (1990).

Extending temporal modalities with time

decorating modalities with timing constraints:

1.4 3.4 0.2 1.3 1.2

| = U=5

Refs: [1] Alur, Henzinger. A Really Temporal Logic (1989). [2] Koymans. Specifying Real-Time Properties with Metric Temporal Logic (1990).

Extending temporal modalities with time

decorating modalities with timing constraints:

1.4 3.4 0.2 1.3 1.2

| = U=5

1.4 3.5 1.8 3.6 0.9

| = F≥6 ≡ ⊤ U≥6

Refs: [1] Alur, Henzinger. A Really Temporal Logic (1989). [2] Koymans. Specifying Real-Time Properties with Metric Temporal Logic (1990).

Extending temporal modalities with time

decorating modalities with timing constraints:

1.4 3.4 0.2 1.3 1.2

| = U=5

1.4 3.5 1.8 3.6 0.9

| = F≥6 ≡ ⊤ U≥6

Refs: [1] Alur, Henzinger. A Really Temporal Logic (1989). [2] Koymans. Specifying Real-Time Properties with Metric Temporal Logic (1990).

Extending temporal modalities with time

decorating modalities with timing constraints:

1.4 3.4 0.2 1.3 1.2

| = U=5

1.4 3.5 1.8 3.6 0.9

| = F≥6 ≡ ⊤ U≥6

1.4 1.7 2.5 0.7 1.2

| = G≤7 ≡ ¬ (F≤7 ¬ )

Refs: [1] Alur, Henzinger. A Really Temporal Logic (1989). [2] Koymans. Specifying Real-Time Properties with Metric Temporal Logic (1990).

Extending temporal modalities with time

decorating modalities with timing constraints:

1.4 3.4 0.2 1.3 1.2

| = U=5

1.4 3.5 1.8 3.6 0.9

| = F≥6 ≡ ⊤ U≥6

1.4 1.7 2.5 0.7 1.2

| = G≤7 ≡ ¬ (F≤7 ¬ )

Refs: [1] Alur, Henzinger. A Really Temporal Logic (1989). [2] Koymans. Specifying Real-Time Properties with Metric Temporal Logic (1990).

Extending temporal modalities with time

decorating modalities with timing constraints:

1.4 3.4 0.2 1.3 1.2

| = U=5

1.4 3.5 1.8 3.6 0.9

| = F≥6 ≡ ⊤ U≥6

1.4 1.7 2.5 0.7 1.2

| = G≤7 ≡ ¬ (F≤7 ¬ ) using formula clocks

Refs: [1] Alur, Henzinger. A Really Temporal Logic (1989). [2] Koymans. Specifying Real-Time Properties with Metric Temporal Logic (1990).

Extending temporal modalities with time

decorating modalities with timing constraints:

1.4 3.4 0.2 1.3 1.2

| = U=5

1.4 3.5 1.8 3.6 0.9

| = F≥6 ≡ ⊤ U≥6

1.4 1.7 2.5 0.7 1.2

| = G≤7 ≡ ¬ (F≤7 ¬ ) using formula clocks

1.4 1.5 1.8 3.6 0.9

| = F( ∧ x. G(x ≤ 5 ⇒ ¬ ))

Refs: [1] Alur, Henzinger. A Really Temporal Logic (1989). [2] Koymans. Specifying Real-Time Properties with Metric Temporal Logic (1990).

Extending temporal modalities with time

decorating modalities with timing constraints:

1.4 3.4 0.2 1.3 1.2

| = U=5

1.4 3.5 1.8 3.6 0.9

| = F≥6 ≡ ⊤ U≥6

1.4 1.7 2.5 0.7 1.2

| = G≤7 ≡ ¬ (F≤7 ¬ ) using formula clocks

1.4 1.5 1.8 3.6 0.9 x:=0 x≤5

| = F( ∧ x. G(x ≤ 5 ⇒ ¬ ))

Refs: [1] Alur, Henzinger. A Really Temporal Logic (1989). [2] Koymans. Specifying Real-Time Properties with Metric Temporal Logic (1990).

Timed words vs. timed state sequences

Example

a,

x≤2 y:=0

b,

y>0 x:=0

a,

x≥2 y:=0

c,

y≤2 x:=0

pointwise semantics continuous semantics

Timed words vs. timed state sequences

Example

a,

x≤2 y:=0

b,

y>0 x:=0

a,

x≥2 y:=0

c,

y≤2 x:=0

pointwise semantics

x=0 y=0

continuous semantics

Timed words vs. timed state sequences

Example

a,

x≤2 y:=0

b,

y>0 x:=0

a,

x≥2 y:=0

c,

y≤2 x:=0

pointwise semantics

x=1.5 y=0 a 1.5

continuous semantics

Timed words vs. timed state sequences

Example

a,

x≤2 y:=0

b,

y>0 x:=0

a,

x≥2 y:=0

c,

y≤2 x:=0

pointwise semantics

a 1.5 x=0 y=1.3 b 2.8

continuous semantics

Timed words vs. timed state sequences

Example

a,

x≤2 y:=0

b,

y>0 x:=0

a,

x≥2 y:=0

c,

y≤2 x:=0

pointwise semantics

a 1.5 b 2.8 x=2.6 y=0 a 5.4

continuous semantics

Timed words vs. timed state sequences

Example

a,

x≤2 y:=0

b,

y>0 x:=0

a,

x≥2 y:=0

c,

y≤2 x:=0

pointwise semantics

a 1.5 b 2.8 a 5.4 x=0 y=1.3 c 6.7

continuous semantics

Timed logics in the pointwise framework

Definition

MTL ∋ ϕ ::= | ¬ ϕ | ϕ ∨ ϕ | ϕ UI ϕ where ranges over { , , ...} and I is an interval with bounds in Q+ ∪ {+∞}.

Timed logics in the pointwise framework

Definition

Pointwise semantics of MTL: over π = (wi, ti)i with t0 = 0: π, i | = ϕ UI ψ iff there exists some j > 0 s.t.

– π, i + j | = ψ, – π, i + k | = ϕ for all 0 < k < j, – ti+j − ti ∈ I.

Timed logics in the pointwise framework

Definition

Pointwise semantics of MTL: over π = (wi, ti)i with t0 = 0: π, i | = ϕ UI ψ iff there exists some j > 0 s.t.

– π, i + j | = ψ, – π, i + k | = ϕ for all 0 < k < j, – ti+j − ti ∈ I.

Example

1 2

(init,0) (a,0.6) (a,1.2) (c,2.1)

a U[2,3] c

Timed logics in the pointwise framework

Definition

Pointwise semantics of MTL: over π = (wi, ti)i with t0 = 0: π, i | = ϕ UI ψ iff there exists some j > 0 s.t.

– π, i + j | = ψ, – π, i + k | = ϕ for all 0 < k < j, – ti+j − ti ∈ I.

Example

1 2

(init,0) (b,0.8) (b,1.3) (a,2.3)

F(b ∧ ⊥ U[1,1] a)

Timed logics in the pointwise framework

Definition

Pointwise semantics of MTL: over π = (wi, ti)i with t0 = 0: π, i | = ϕ UI ψ iff there exists some j > 0 s.t.

– π, i + j | = ψ, – π, i + k | = ϕ for all 0 < k < j, – ti+j − ti ∈ I.

Example

1 2

(init,0) (b,0.9) (c,2)

F[2,2] c

Timed logics in the pointwise framework

Definition

Pointwise semantics of MTL: over π = (wi, ti)i with t0 = 0: π, i | = ϕ UI ψ iff there exists some j > 0 s.t.

– π, i + j | = ψ, – π, i + k | = ϕ for all 0 < k < j, – ti+j − ti ∈ I.

Example

1 2

(init,0) (b,0.9) (c,2)

F[2,2] c

def

= F=2 c

Timed logics in the pointwise framework

Definition

Pointwise semantics of MTL: over π = (wi, ti)i with t0 = 0: π, i | = ϕ UI ψ iff there exists some j > 0 s.t.

– π, i + j | = ψ, – π, i + k | = ϕ for all 0 < k < j, – ti+j − ti ∈ I.

Example

1 2

(init,0) (b,0.9) (c,2)

F[2,2] c ≡ F=1 F=1 c

Timed logics in the pointwise framework

Definition

TPTL ∋ ϕ ::= | x ∼ c | ¬ ϕ | ϕ ∨ ϕ | ϕ U ϕ | x. ϕ where ranges over { , , ...}, x ranges over a set of formula clocks, c ∈ Q+ and ∼ ∈ {<, ≤, =, ≥, >}.

Timed logics in the pointwise framework

Definition

Pointwise semantics of TPTL: over π = (wi, ti)i with t0 = 0, under some clock valuation τ: : π, i, τ | = x ∼ c iff τ(x) ∼ c

Timed logics in the pointwise framework

Definition

Pointwise semantics of TPTL: over π = (wi, ti)i with t0 = 0, under some clock valuation τ: : π, i, τ | = x ∼ c iff τ(x) ∼ c π, i, τ | = x. ϕ iff π, i, τ [x←0] | = ϕ

Timed logics in the pointwise framework

Definition

Pointwise semantics of TPTL: over π = (wi, ti)i with t0 = 0, under some clock valuation τ: : π, i, τ | = x ∼ c iff τ(x) ∼ c π, i, τ | = x. ϕ iff π, i, τ [x←0] | = ϕ π, i, τ | = ϕ U ψ iff there exists some j > 0 s.t.

– π, i + j, τ + ti+j − ti | = ψ, – π, i + k, τ + ti+k − ti | = ϕ for all 0 < k < j.

Timed logics in the pointwise framework

Definition

Pointwise semantics of TPTL: over π = (wi, ti)i with t0 = 0, under some clock valuation τ: : π, i, τ | = x ∼ c iff τ(x) ∼ c π, i, τ | = x. ϕ iff π, i, τ [x←0] | = ϕ π, i, τ | = ϕ U ψ iff there exists some j > 0 s.t.

– π, i + j, τ + ti+j − ti | = ψ, – π, i + k, τ + ti+k − ti | = ϕ for all 0 < k < j.

Example

1 2

(init,0) (a,0.6) (a,1.2) (c,2.1)

x.(a U (c ∧ x ∈ [2, 3]))

Timed logics in the pointwise framework

Definition

Pointwise semantics of TPTL: over π = (wi, ti)i with t0 = 0, under some clock valuation τ: : π, i, τ | = x ∼ c iff τ(x) ∼ c π, i, τ | = x. ϕ iff π, i, τ [x←0] | = ϕ π, i, τ | = ϕ U ψ iff there exists some j > 0 s.t.

– π, i + j, τ + ti+j − ti | = ψ, – π, i + k, τ + ti+k − ti | = ϕ for all 0 < k < j.

Example

1 2

(init,0) (a,0.6) (b,1.1) (a,2.1)

F(b ∧ x.(⊥ U (a ∧ x = 1)))

Timed logics in the pointwise framework

Definition

Pointwise semantics of TPTL: over π = (wi, ti)i with t0 = 0, under some clock valuation τ: : π, i, τ | = x ∼ c iff τ(x) ∼ c π, i, τ | = x. ϕ iff π, i, τ [x←0] | = ϕ π, i, τ | = ϕ U ψ iff there exists some j > 0 s.t.

– π, i + j, τ + ti+j − ti | = ψ, – π, i + k, τ + ti+k − ti | = ϕ for all 0 < k < j.

Example

1 2

(init,0) (a,0.5) (b,0.9) (c,2)

• x. F(a ∧ F(b ∧ x ≤ 1))

Timed logics in the continuous framework

Definition

Continuous semantics of MTL: over π: R+ → { , , ...}: π, t | = ϕ UI ψ iff there exists some u > 0 s.t.

– π, t + u | = ψ, – π, t + v | = ϕ for all 0 < v < u, – u ∈ I.

Timed logics in the continuous framework

Definition

Continuous semantics of MTL: over π: R+ → { , , ...}: π, t | = ϕ UI ψ iff there exists some u > 0 s.t.

– π, t + u | = ψ, – π, t + v | = ϕ for all 0 < v < u, – u ∈ I.

π, t | = p iff p ∈ π(t)

Timed logics in the continuous framework

Definition

Continuous semantics of MTL: over π: R+ → { , , ...}: π, t | = ϕ UI ψ iff there exists some u > 0 s.t.

– π, t + u | = ψ, – π, t + v | = ϕ for all 0 < v < u, – u ∈ I.

π, t | = p iff p ∈ π(t)

Example

1 2

( ∨ ) U≤2

Timed logics in the continuous framework

Definition

Continuous semantics of MTL: over π: R+ → { , , ...}: π, t | = ϕ UI ψ iff there exists some u > 0 s.t.

– π, t + u | = ψ, – π, t + v | = ϕ for all 0 < v < u, – u ∈ I.

π, t | = p iff p ∈ π(t)

Example

1 2

F=2

Timed logics in the continuous framework

Definition

Continuous semantics of MTL: over π: R+ → { , , ...}: π, t | = ϕ UI ψ iff there exists some u > 0 s.t.

– π, t + u | = ψ, – π, t + v | = ϕ for all 0 < v < u, – u ∈ I.

π, t | = p iff p ∈ π(t)

Example

1 2

F=2 ≡ F=1(F=1 )

Timed logics in the continuous framework

Definition

Continuous semantics of TPTL: over π: R+ → { , , ...}: π, t, τ | = x ∼ c iff τ(x) ∼ c

Timed logics in the continuous framework

Definition

Continuous semantics of TPTL: over π: R+ → { , , ...}: π, t, τ | = x ∼ c iff τ(x) ∼ c π, t, τ | = x. ϕ iff π, i, τ [x←0] | = ϕ

Timed logics in the continuous framework

Definition

Continuous semantics of TPTL: over π: R+ → { , , ...}: π, t, τ | = x ∼ c iff τ(x) ∼ c π, t, τ | = x. ϕ iff π, i, τ [x←0] | = ϕ π, t, τ | = ϕ U ψ iff there exists some u > 0 s.t.

– π, t + u, τ + u − t | = ψ, – π, i + k, τ + v − t | = ϕ for all 0 < v < u.

Timed logics in the continuous framework

Definition

Continuous semantics of TPTL: over π: R+ → { , , ...}: π, t, τ | = x ∼ c iff τ(x) ∼ c π, t, τ | = x. ϕ iff π, i, τ [x←0] | = ϕ π, t, τ | = ϕ U ψ iff there exists some u > 0 s.t.

– π, t + u, τ + u − t | = ψ, – π, i + k, τ + v − t | = ϕ for all 0 < v < u.

Example

1 2

x.(( ∨ ) U ( ∧ x ≤ 2)

Timed logics in the continuous framework

Definition

Continuous semantics of TPTL: over π: R+ → { , , ...}: π, t, τ | = x ∼ c iff τ(x) ∼ c π, t, τ | = x. ϕ iff π, i, τ [x←0] | = ϕ π, t, τ | = ϕ U ψ iff there exists some u > 0 s.t.

– π, t + u, τ + u − t | = ψ, – π, i + k, τ + v − t | = ϕ for all 0 < v < u.

Example

1 2

• x. F(

∧ F( ∧ x ≤ 2))

Relative expressiveness of TPTL and MTL

Lemma

MTL can be translated into TPTL. Proof. ϕ UI ψ ≡ x. ϕ U (ψ ∧ x ∈ I).

Relative expressiveness of TPTL and MTL

Lemma

MTL can be translated into TPTL. Proof. ϕ UI ψ ≡ x. ϕ U (ψ ∧ x ∈ I). Conversely, consider the following TPTL formula: G

• ⇒ x. F(

∧ F( ∧ x ≤ 2))

.

It characterizes the following pattern:

green red blue 1 2

Relative expressiveness of TPTL and MTL

G

• ⇒ x. F(

∧ F( ∧ x ≤ 2))

.

green 1 2

G ⇒

                

Relative expressiveness of TPTL and MTL

G

• ⇒ x. F(

∧ F( ∧ x ≤ 2))

.

green red blue 1 2

G ⇒

                

F[0,1] ∧ F[1,2]

Relative expressiveness of TPTL and MTL

G

• ⇒ x. F(

∧ F( ∧ x ≤ 2))

.

green red blue 1 2

G ⇒

                

F[0,1] ∧ F[1,2] ∨ F[0,1]( ∧ F[0,1] )

Relative expressiveness of TPTL and MTL

G

• ⇒ x. F(

∧ F( ∧ x ≤ 2))

.

green red blue 1 2

G ⇒

                

F[0,1] ∧ F[1,2] ∨ F[0,1]( ∧ F[0,1] )

Relative expressiveness of TPTL and MTL

G

• ⇒ x. F(

∧ F( ∧ x ≤ 2))

.

green red blue

=1

1 2

G ⇒

                

F[0,1] ∧ F[1,2] ∨ F[0,1]( ∧ F[0,1] ) ∨ F[0,1](F(0,1) ∧ F=1 )

Relative expressiveness of TPTL and MTL

G

• ⇒ x. F(

∧ F( ∧ x ≤ 2))

.

green red blue

=1

1 2

G ⇒

                

F[0,1] ∧ F[1,2] ∨ F[0,1]( ∧ F[0,1] ) ∨ F[0,1](F(0,1) ∧ F=1 )

Remark

This translation is only valid in the continuous semantics

Relative expressiveness of TPTL and MTL

Theorem

TPTL is strictly more expressive than MTL.

Refs: [1] Bouyer, Chevalier, M. On the Expressiveness of TPTL and MTL (2005).

Relative expressiveness of TPTL and MTL

Theorem

TPTL is strictly more expressive than MTL. Proof. In the pointwise semantics: G

• ⇒ x. F(

∧ F( ∧ x ≤ 2))

• cannot be expressed in MTL.

In both semantics: ϕ = x. F( ∧ x ≤ 1 ∧ G(x ≤ 1 ⇒ ¬ )) cannot be expressed in MTL.

Refs: [1] Bouyer, Chevalier, M. On the Expressiveness of TPTL and MTL (2005).

Outline of the talk

1

Introduction

2

Extending temporal logics with real-time constraints Continuous and pointwise semantics Expressiveness issues

3

Model checking timed linear-time logics Undecidability of MTL and TPTL Decidable fragments

4

Model checking timed branching-time logics

5

Conclusions and open problems

MTL model-checking

Theorem

MTL model-checking and satisfiability are undecidable under the continuous semantics.

Refs: [1] Alur, Henzinger. Real-time logics: Complexity and expressiveness (1990).

MTL model-checking

Theorem

MTL model-checking and satisfiability are undecidable under the continuous semantics. Proof. Encode the halting problem of a Turing machine: One time-unit = one configuration of the Turing machine

Refs: [1] Alur, Henzinger. Real-time logics: Complexity and expressiveness (1990).

MTL model-checking

Theorem

MTL model-checking and satisfiability are undecidable under the continuous semantics. Proof. Encode the halting problem of a Turing machine: One time-unit = one configuration of the Turing machine

n n+1 n+2

1 1

tape head

1

tape head

Refs: [1] Alur, Henzinger. Real-time logics: Complexity and expressiveness (1990).

MTL model-checking

Theorem

MTL model-checking and satisfiability are undecidable under the continuous semantics. Proof. Encode the halting problem of a Turing machine: One time-unit = one configuration of the Turing machine

n n+1 n+2

=1 =1 Refs: [1] Alur, Henzinger. Real-time logics: Complexity and expressiveness (1990).

MTL model-checking

Theorem

MTL model-checking and satisfiability are undecidable under the continuous semantics. Proof. Encode the halting problem of a Turing machine: One time-unit = one configuration of the Turing machine

n n+1 n+2

=1 =1

G [( ∧ ¬ ( U ) ∧ ¬ (( ¬ ∧ ¬ ) U )) ⇔ F=1 ] ∧ ...

Refs: [1] Alur, Henzinger. Real-time logics: Complexity and expressiveness (1990).

MTL model-checking

Remark

This reduction requires continuous semantics, or the use of past-time modalities:

n n+1 n+2

Refs: [1] Ouaknine, Worrell. On the decidability of Metric Temporal Logic (2005). [2] Ouaknine, Worrell. On Metric Temporal Logic and faulty Turing machines (2006).

MTL model-checking

Remark

This reduction requires continuous semantics, or the use of past-time modalities:

n n+1 n+2

=1 =1 Refs: [1] Ouaknine, Worrell. On the decidability of Metric Temporal Logic (2005). [2] Ouaknine, Worrell. On Metric Temporal Logic and faulty Turing machines (2006).

MTL model-checking

Remark

This reduction requires continuous semantics, or the use of past-time modalities:

n n+1 n+2

=1 =1

“insertion errors”

Refs: [1] Ouaknine, Worrell. On the decidability of Metric Temporal Logic (2005). [2] Ouaknine, Worrell. On Metric Temporal Logic and faulty Turing machines (2006).

MTL model-checking

Remark

This reduction requires continuous semantics, or the use of past-time modalities:

n n+1 n+2

=1 =1

“insertion errors”

Theorem

Under pointwise semantics, MTL model-checking and satisfiability are undecidable over infinite timed words; are decidable (with non-primitive recursive complexity) over finite timed words.

Refs: [1] Ouaknine, Worrell. On the decidability of Metric Temporal Logic (2005). [2] Ouaknine, Worrell. On Metric Temporal Logic and faulty Turing machines (2006).

Metric Interval Temporal Logic

Definition

MITL is the fragment of MTL where punctuality is not allowed: MITL ∋ ϕ ::= | ¬ ϕ | ϕ ∨ ϕ | ϕ UI ϕ where ranges over { , , ...} and I is a non-punctual interval with bounds in Q+ ∪ {+∞}.

Refs: [1] Alur, Feder, Henzinger. The benefits of relaxing punctuality (1991).

Metric Interval Temporal Logic

Definition

MITL is the fragment of MTL where punctuality is not allowed: MITL ∋ ϕ ::= | ¬ ϕ | ϕ ∨ ϕ | ϕ UI ϕ where ranges over { , , ...} and I is a non-punctual interval with bounds in Q+ ∪ {+∞}.

Example

G( ⇒ F[1,2] ) is an MITL formula; G( ⇒ F=1 ) is not.

Refs: [1] Alur, Feder, Henzinger. The benefits of relaxing punctuality (1991).

Metric Interval Temporal Logic

Definition

MITL is the fragment of MTL where punctuality is not allowed: MITL ∋ ϕ ::= | ¬ ϕ | ϕ ∨ ϕ | ϕ UI ϕ where ranges over { , , ...} and I is a non-punctual interval with bounds in Q+ ∪ {+∞}.

Example

G( ⇒ F[1,2] ) is an MITL formula; G( ⇒ F=1 ) is not.

Theorem

MITL model checking and satisfiability are EXPSPACE-complete.

Refs: [1] Alur, Feder, Henzinger. The benefits of relaxing punctuality (1991).

(Co)Flat MTL

Definition

CoFlatMTL is the fragment of MTL defined as: CoFlatMTL ∋ ϕ ::= | ¬ | ϕ ∨ ϕ | ϕ ∧ ϕ | ϕ UI ϕ | ϕ UJ ψ | ϕ RI ϕ | ψ RJ ϕ where ranges over { , , ...}, I ranges over bounded intervals with bounds in Q, J ranges over intervals with bounds in Q ∪ {+∞}, and ψ ranges over MITL.

Refs: [1] Bouyer, M., Ouaknine, Worrell. The Cost of Punctuality (2007).

(Co)Flat MTL

Definition

CoFlatMTL is the fragment of MTL defined as: CoFlatMTL ∋ ϕ ::= | ¬ | ϕ ∨ ϕ | ϕ ∧ ϕ | ϕ UI ϕ | ϕ UJ ψ | ϕ RI ϕ | ψ RJ ϕ

Remark

CoFlatMTL is not closed under negation.

Refs: [1] Bouyer, M., Ouaknine, Worrell. The Cost of Punctuality (2007).

(Co)Flat MTL

Definition

CoFlatMTL is the fragment of MTL defined as: CoFlatMTL ∋ ϕ ::= | ¬ | ϕ ∨ ϕ | ϕ ∧ ϕ | ϕ UI ϕ | ϕ UJ ψ | ϕ RI ϕ | ψ RJ ϕ

Remark

CoFlatMTL is not closed under negation.

Example

G( ⇒ F=1 ) is in CoFlatMTL. F( ∧ G=1 ) is in FlatMTL, but not in CoFlatMTL.

Refs: [1] Bouyer, M., Ouaknine, Worrell. The Cost of Punctuality (2007).

(Co)Flat MTL

Definition

CoFlatMTL is the fragment of MTL defined as: CoFlatMTL ∋ ϕ ::= | ¬ | ϕ ∨ ϕ | ϕ ∧ ϕ | ϕ UI ϕ | ϕ UJ ψ | ϕ RI ϕ | ψ RJ ϕ

Remark

CoFlatMTL is not closed under negation.

Theorem

CoFlatMTL model-checking is EXPSPACE-complete. CoFlatMTL satisfiability is undecidable.

Refs: [1] Bouyer, M., Ouaknine, Worrell. The Cost of Punctuality (2007).

Outline of the talk

1

Introduction

2

Extending temporal logics with real-time constraints Continuous and pointwise semantics Expressiveness issues

3

Model checking timed linear-time logics Undecidability of MTL and TPTL Decidable fragments

4

Model checking timed branching-time logics

5

Conclusions and open problems

Branching-time logics with timing constraints – syntax

Definition

TCTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | Eϕ U∼c ϕ | Aϕ U∼c ϕ where ∈ { , , , ...}, ∼ ∈ {≤, <, =, >, ≥} and c ∈ N.

Refs: [1] Alur, Courcoubetis, Dill. Model-Checking in Dense Real-Time (1993).

Branching-time logics with timing constraints – syntax

Definition

TCTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | Eϕ U∼c ϕ | Aϕ U∼c ϕ where ∈ { , , , ...}, ∼ ∈ {≤, <, =, >, ≥} and c ∈ N.

Example

A G( ⇒ E F≤5 )

Refs: [1] Alur, Courcoubetis, Dill. Model-Checking in Dense Real-Time (1993).

Branching-time logics with timing constraints – syntax

Definition

TCTL ∋ ϕ ::= | ¬ ϕ | ϕ ∧ ϕ | Eϕ U∼c ϕ | Aϕ U∼c ϕ where ∈ { , , , ...}, ∼ ∈ {≤, <, =, >, ≥} and c ∈ N.

Example

A G( ⇒ E F≤5 ) A F(A G≤5 )

Refs: [1] Alur, Courcoubetis, Dill. Model-Checking in Dense Real-Time (1993).

Branching-time logics with timing constraints – semantics

Definition

The semantics of TCTL is defined as follows: let be a location and v be a clock valuation. , v | = E( U∼c ) iff there is a run from ( , v) such that v v’ ∼ c , v | = A( U∼c ) is defined similarly.

Branching-time logics with timing constraints – semantics

Definition

The semantics of TCTL is defined as follows: let be a location and v be a clock valuation. , v | = E( U∼c ) iff there is a run from ( , v) such that v v’ ∼ c , v | = A( U∼c ) is defined similarly.

Remark

We could also define a pointwise semantics:

v v+c v′ v′+c′

delay = c action delay = c′

Branching-time logics with timing constraints – semantics

Example

x≤2 y:=0 y≤2 x≥3 y≤2, x:=0 x≤3, y:=0

,

• x=1.2

y=0.4

• |

= E U≥1 ,

• x=1.2

y=0.4

• |

= A G ¬

Branching-time logics with timing constraints – semantics

Example

x≤2 y:=0 y≤2 x≥3 y≤2, x:=0 x≤3, y:=0

,

• x=1.2

y=0.4

• |

= E U≥1 ,

• x=1.2

y=0.4

• |

= A G ¬

x=1 x:=0 x=0 y=3

,

• x=0

y=0

?

| = E(E F=1 ) U=3

TCTL model checking

Lemma

Let be a location and ϕ be a TCTL formula. For any two valuations v and v′ that belong to the same region, , v | = ϕ ⇔ , v′ | = ϕ.

Refs: [1] Alur, Courcoubetis, Dill. Model-Checking in Dense Real-Time (1993).

TCTL model checking

Lemma

Let be a location and ϕ be a TCTL formula. For any two valuations v and v′ that belong to the same region, , v | = ϕ ⇔ , v′ | = ϕ. Proof. By induction on ϕ.

Refs: [1] Alur, Courcoubetis, Dill. Model-Checking in Dense Real-Time (1993).

TCTL model checking

Lemma

Let be a location and ϕ be a TCTL formula. For any two valuations v and v′ that belong to the same region, , v | = ϕ ⇔ , v′ | = ϕ. Proof. By induction on ϕ.

Theorem

TCTL model-checking is PSPACE-complete.

Refs: [1] Alur, Courcoubetis, Dill. Model-Checking in Dense Real-Time (1993).

TCTL model checking

Lemma

Let be a location and ϕ be a TCTL formula. For any two valuations v and v′ that belong to the same region, , v | = ϕ ⇔ , v′ | = ϕ. Proof. By induction on ϕ.

Theorem

TCTL model-checking is PSPACE-complete. Proof. Space-efficient CTL labelling algorithm on the region graph.

Refs: [1] Alur, Courcoubetis, Dill. Model-Checking in Dense Real-Time (1993).

Outline of the talk

1

Introduction

2

Extending temporal logics with real-time constraints Continuous and pointwise semantics Expressiveness issues

3

Model checking timed linear-time logics Undecidability of MTL and TPTL Decidable fragments

4

Model checking timed branching-time logics

5

Conclusions and open problems

Conclusions and perspectives

Real-time temporal logics have been much studied:

Conclusions and perspectives

Real-time temporal logics have been much studied: linear-time:

natural extensions of LTL are undecidable; several restrictions lead to decidability; however, model-checking linear-time logics is hard; no implementation exists.

Conclusions and perspectives

Real-time temporal logics have been much studied: linear-time:

natural extensions of LTL are undecidable; several restrictions lead to decidability; however, model-checking linear-time logics is hard; no implementation exists.

branching-time:

TCTL model-checking is in PSPACE; can be made efficient in practice; implemented in several tools (Uppaal, Kronos, ...)

Conclusions and perspectives

Real-time temporal logics have been much studied: linear-time:

natural extensions of LTL are undecidable; several restrictions lead to decidability; however, model-checking linear-time logics is hard; no implementation exists.

branching-time:

TCTL model-checking is in PSPACE; can be made efficient in practice; implemented in several tools (Uppaal, Kronos, ...)

Hot topics in real-time temporal logic model-checking: symbolic algorithms for linear-time temporal logics; robust model-checking.