Specification and Analysis of Contracts Lectures 3 and 4 - - PowerPoint PPT Presentation



Specification and Analysis of Contracts Lectures 3 and 4 Background: Modal Logics

Gerardo Schneider

gerardo@ifi.uio.no
http://folk.uio.no/gerardo/
Department of Informatics, University of Oslo
SEFM School, Oct. 27 - Nov. 7, 2008, Cape Town, South Africa

Gerardo Schneider (UiO) Specification and Analysis of e-Contracts SEFM, 3-7 Nov 2008 1 / 56


Plan of the Course

1. Introduction
2. Components, Services and Contracts
3. Background: Modal Logics 1
4. Background: Modal Logics 2
5. Deontic Logic
6. Challenges in Defining a Good Contract Language
7. Specification of ’Deontic’ Contracts (CL)
8. Verification of ’Deontic’ Contracts
9. Conflict Analysis of ’Deontic’ Contracts
10. Other Analysis of ’Deontic’ Contracts and Summary



Modal Logics

Modal logic is the logic of possibility and necessity

✷ϕ: ϕ is necessarily true.
✸ϕ: ϕ is possibly true.

Not a single system but many different systems, depending on the application
Good to reason about causality and situations with incomplete information
Different interpretations for the modalities: belief, knowledge, provability, etc.

Depending on the semantics, we can interpret ✷ϕ differently:
  temporal: ϕ will always hold
  doxastic: I believe ϕ
  epistemic: I know ϕ
  deontic: It ought to be the case that ϕ


Modal Logic

Dynamic Aspect of Modal Logic

Modal logic is good to reason in dynamic situations

Truth values may vary over time (classical logic is static)

Sentences in classical logic are interpreted over a single structure or world
In modal logic, the interpretation consists of a collection K of possible worlds or states

If states change, then truth values can also change

Dynamic interpretation of modal logic
  Temporal logic
    Linear time
    Branching time
  Dynamic logic



Modal Logics

We will see

In the rest of this and the next lecture (2 hours):
  Temporal logic
  Propositional modal logic
  Multimodal logic
  Dynamic logic
  µ-calculus
  Real-time logics
In the following lecture (1 hour):
  Deontic logic


Plan

1. Temporal Logic
2. Propositional Modal Logic
3. Multimodal Logic
4. Dynamic Logic
5. Mu-calculus
6. Real-Time Logics



Temporal Logic

Introduction

Temporal logic is the logic of time
There are different ways of modeling time:
  linear time vs. branching time
  time instances vs. time intervals
  discrete time vs. continuous time
  past and future vs. future only



Temporal Logic

Introduction

In Linear Temporal Logic (LTL) we can describe such properties as, if i is now:
  p holds in i and every following point (the future)
  p holds in i and every preceding point (the past)
We will only be concerned with the future

[Figure: two timelines ... i−2, i−1, i, i+1, i+2, i+3 ...; on the first, p is marked at i and at every following point; on the second, p is marked at i and at every preceding point]


Temporal Logic

Introduction

We extend the first-order language L to a temporal language LT by adding the temporal operators ✷, ✸, ○, U, R and W.

Interpretation
  ✷ϕ: ϕ will always (in every state) hold
  ✸ϕ: ϕ will eventually (in some state) hold
  ○ϕ: ϕ will hold at the next point in time
  ϕ U ψ: ψ will eventually hold, and until that point ϕ will hold
  ϕ R ψ: ψ holds until (incl.) the point (if any) where ϕ holds (release)
  ϕ W ψ: ϕ will hold until ψ holds (weak until or waiting for)


Temporal Logic

Introduction

Definition

We define LTL formulae as follows:
  L ⊆ LT: first-order formulae are also LTL formulae
  If ϕ is an LTL formula, so are ✷ϕ, ✸ϕ, ○ϕ and ¬ϕ
  If ϕ and ψ are LTL formulae, so are ϕ U ψ, ϕ R ψ, ϕ W ψ, ϕ ∨ ψ, ϕ ∧ ψ, ϕ ⇒ ψ and ϕ ≡ ψ


Temporal Logic

Semantics

Definition

A path is an infinite sequence of states σ = s_0, s_1, s_2, ...
σ^k denotes the path s_k, s_{k+1}, s_{k+2}, ...
σ_k denotes the state s_k
All computations are paths, but not vice versa


Linear Temporal Logic

Semantics

Definition

We define the notion that an LTL formula ϕ is true (false) relative to a path σ, written σ ⊨ ϕ (σ ⊭ ϕ), as follows.
  σ ⊨ ϕ iff σ_0 ⊨ ϕ, when ϕ ∈ L
  σ ⊨ ¬ϕ iff σ ⊭ ϕ
  σ ⊨ ϕ ∨ ψ iff σ ⊨ ϕ or σ ⊨ ψ
  σ ⊨ ✷ϕ iff σ^k ⊨ ϕ for all k ≥ 0
  σ ⊨ ✸ϕ iff σ^k ⊨ ϕ for some k ≥ 0
  σ ⊨ ○ϕ iff σ^1 ⊨ ϕ
(cont.)


Linear Temporal Logic

Semantics

Definition

(cont.)
  σ ⊨ ϕ U ψ iff σ^k ⊨ ψ for some k ≥ 0, and σ^i ⊨ ϕ for every i such that 0 ≤ i < k
  σ ⊨ ϕ R ψ iff for every j ≥ 0, if σ^i ⊭ ϕ for every i < j, then σ^j ⊨ ψ
  σ ⊨ ϕ W ψ iff σ ⊨ ϕ U ψ or σ ⊨ ✷ϕ


Temporal Logic

Semantics

Definition

If σ ⊨ ϕ for all paths σ, we say that ϕ is (temporally) valid and write ⊨ ϕ (Validity)
If ⊨ ϕ ≡ ψ (i.e. σ ⊨ ϕ iff σ ⊨ ψ, for all σ), we say that ϕ and ψ are equivalent and write ϕ ∼ ψ (Equivalence)




Temporal Logic

Semantics

σ ⊨ ✷p
[Figure: a path with positions 1, 2, 3, 4, ...; p holds at every position]

σ ⊨ ✸p
[Figure: a path with positions 1, 2, 3, 4, ...; p holds at a single later position]

σ ⊨ ○p
[Figure: a path with positions 1, 2, 3, 4, ...; p holds at the next position]



Temporal Logic

Semantics

σ ⊨ p U q – The sequence of p is finite
[Figure: p, p, p, q along the path]

σ ⊨ p R q – The sequence of q may be infinite
[Figure: q, q, q, then q and p together, along the path]

σ ⊨ p W q – The sequence of p may be infinite (p W q ≡ (p U q) ∨ ✷p)
[Figure: p, p, p, q along the path]



Temporal Logic

Examples

Example (Response)

✷(ϕ ⇒ ✸ψ)
Every ϕ-position coincides with or is followed by a ψ-position
[Figure: a path with positions 1 to 6; ϕ at one position, ψ at a later one, and ϕ, ψ together at another]

This formula will also hold in every path where ϕ never holds
[Figure: a path with ¬ϕ at every position]



Temporal Logic

Formalization

It can be difficult to correctly formalize informally stated requirements in temporal logic

Example

How does one formalize the informal requirement “ϕ implies ψ”?
  ϕ ⇒ ψ? ϕ ⇒ ψ holds in the initial state
  ✷(ϕ ⇒ ψ)? ϕ ⇒ ψ holds in every state
  ϕ ⇒ ✸ψ? If ϕ holds in the initial state, ψ will hold in some state
  ✷(ϕ ⇒ ✸ψ)? As above, but iteratively



Temporal Logic

Duals

For a binary boolean connective ◦ (such as ∧), a binary boolean connective • is its dual if ¬(ϕ ◦ ψ) is equivalent to (¬ϕ • ¬ψ)
Similarly for unary connectives: • is the dual of ◦ if ¬◦ϕ is equivalent to •¬ϕ.
Duality is symmetrical: if • is the dual of ◦ then ◦ is the dual of •, thus we may refer to two connectives as dual
∧ and ∨ are duals: ¬(ϕ ∧ ψ) is equivalent to (¬ϕ ∨ ¬ψ)
¬ is its own dual
What is the dual of ✷? And of ✸?
  ✷ and ✸ are duals: ¬✷ϕ ∼ ✸¬ϕ, ¬✸ϕ ∼ ✷¬ϕ
Any other?
  U and R are duals: ¬(ϕ U ψ) ∼ (¬ϕ) R (¬ψ), ¬(ϕ R ψ) ∼ (¬ϕ) U (¬ψ)
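As an added example (not code from the slides), the LTL semantics defined in the preceding slides can be run over ultimately periodic paths and used to check the dualities just stated and the “ϕ implies ψ” distinction from the formalization slide. The lasso representation (a finite prefix plus a loop), the formula encoding and every name in the block are this example's own assumptions; it also shows that agreement on a finite family of paths is evidence for an equivalence, not a proof.

```python
"""Evaluator for the LTL semantics on the slides, over lasso paths (prefix + loop).
Added example: Path, sat and the other names are this example's own, not the slides'."""
from itertools import combinations, product

# Formulas are nested tuples: ("atom", "p"), ("not", f), ("or", f, g), ("implies", f, g),
# ("G", f) for box, ("F", f) for diamond, ("X", f) for next, ("U"/"R"/"W", f, g).
P, Q = ("atom", "p"), ("atom", "q")


class Path:
    """sigma = s_0 s_1 ... as a finite prefix plus a loop repeated forever; each state
    is the set of atomic propositions true in it."""

    def __init__(self, prefix, loop):
        assert len(loop) > 0, "a non-empty loop is what makes the path infinite"
        self.prefix = [frozenset(s) for s in prefix]
        self.loop = [frozenset(s) for s in loop]
        # Truth at position k depends only on the suffix sigma^k; suffixes starting in
        # the loop repeat with period len(loop), so every distinct suffix reachable
        # from any position is reached within `horizon` steps.
        self.horizon = len(self.prefix) + len(self.loop)

    def state(self, k):
        """sigma_k, the k-th state."""
        n = len(self.prefix)
        return self.prefix[k] if k < n else self.loop[(k - n) % len(self.loop)]


def sat(path, f, k=0):
    """sigma^k |= f, one clause per line of the slides' definition."""

    def sub(g, j):  # sigma^(k+j) |= g
        return sat(path, g, k + j)

    op, *args = f
    h = path.horizon
    if op == "atom":
        r = args[0] in path.state(k)
    elif op == "not":
        r = not sub(args[0], 0)
    elif op == "or":
        r = sub(args[0], 0) or sub(args[1], 0)
    elif op == "implies":
        r = (not sub(args[0], 0)) or sub(args[1], 0)
    elif op == "G":  # box: phi at sigma^(k+j) for all j >= 0
        r = all(sub(args[0], j) for j in range(h))
    elif op == "F":  # diamond: phi at sigma^(k+j) for some j >= 0
        r = any(sub(args[0], j) for j in range(h))
    elif op == "X":  # next: phi at sigma^(k+1)
        r = sub(args[0], 1)
    elif op == "U":  # psi at some j, and phi at every i < j
        phi, psi = args
        r = any(sub(psi, j) and all(sub(phi, i) for i in range(j)) for j in range(h))
    elif op == "R":  # for every j: if phi fails at every i < j, then psi at j
        phi, psi = args
        r = all(sub(psi, j) for j in range(h) if not any(sub(phi, i) for i in range(j)))
    elif op == "W":  # weak until: (phi U psi) or box phi
        phi, psi = args
        r = sub(("U", phi, psi), 0) or sub(("G", phi), 0)
    else:
        raise ValueError(f"unknown operator {op!r}")
    return r


def small_paths(props=("p", "q"), max_prefix=2, max_loop=2):
    """Every lasso path over `props` with prefix length <= max_prefix and loop length
    1..max_loop: a finite but exhaustive family of sample paths."""
    states = [frozenset(c) for n in range(len(props) + 1) for c in combinations(props, n)]
    for lp in range(max_prefix + 1):
        for prefix in product(states, repeat=lp):
            for ll in range(1, max_loop + 1):
                for loop in product(states, repeat=ll):
                    yield Path(prefix, loop)


def counterexample(f, g, **kw):
    """First small path on which f and g disagree, or None. Agreement on every small
    path is evidence for f ~ g, not a proof of validity over all paths."""
    for path in small_paths(**kw):
        if sat(path, f) != sat(path, g):
            return path
    return None


def slide_checks():
    """True where f ~ g holds on all small paths: the dualities from the slides, plus
    the 'phi implies psi' pitfall (box(p => q) is stronger than box(p => diamond q))."""
    pairs = {
        "not(p U q) ~ (not p) R (not q)": (("not", ("U", P, Q)), ("R", ("not", P), ("not", Q))),
        "not(p R q) ~ (not p) U (not q)": (("not", ("R", P, Q)), ("U", ("not", P), ("not", Q))),
        "not box p ~ diamond not p": (("not", ("G", P)), ("F", ("not", P))),
        "box(p => q) ~ box(p => diamond q)": (("G", ("implies", P, Q)), ("G", ("implies", P, ("F", Q)))),
    }
    return {name: counterexample(f, g) is None for name, (f, g) in pairs.items()}
```

Calling `slide_checks()` reports the first three equivalences as holding and the last as failing; `counterexample` returns the path that separates ✷(p ⇒ q) from ✷(p ⇒ ✸q).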


Temporal Logic

Classification of Properties

Classification

We can classify a number of properties expressible in LTL:
  safety: ✷ϕ
  liveness: ✸ϕ
  obligation: ✷ϕ ∨ ✸ψ
  recurrence: ✷✸ϕ
  persistence: ✸✷ϕ
  reactivity: ✷✸ϕ ∨ ✸✷ψ




Propositional Modal Logic

The logic of possibility and necessity

✷ϕ: ϕ is “necessarily true”, or “ϕ holds in all possible worlds”
✸ϕ: ϕ is “possibly true”, or “there is a possible world that realizes ϕ”

The modalities are dual: ✸ϕ =def ¬✷¬ϕ


Propositional Modal Logic

Semantics: Kripke Frames

Definition

A Kripke frame M is a structure (W, R, ν) where
  W is a finite non-empty set of states (or worlds); W is called the universe of M
  R ⊆ W × W is an accessibility relation between states (transition relation)
  ν : P → 2^K determines the truth assignment to the atomic propositional variables in each state


Propositional Modal Logic

Semantics: Kripke Frames

Definition

We define the notion that a modal formula ϕ is true in the world w in the model M, written M, w ⊨ ϕ, as follows:
  M, w ⊨ p iff w ∈ ν(p)
  M, w ⊨ ¬ϕ iff M, w ⊭ ϕ
  M, w ⊨ ϕ1 ∨ ϕ2 iff M, w ⊨ ϕ1 or M, w ⊨ ϕ2
  M, w ⊨ ✷ϕ iff M, w′ ⊨ ϕ for all w′ such that (w, w′) ∈ R
  M, w ⊨ ✸ϕ iff M, w′ ⊨ ϕ for some w′ such that (w, w′) ∈ R



Propositional Modal Logic

Examples

Example (Logic T)
R reflexive; M, w ⊨ ✷¬p
[Figure: two worlds, both labelled ¬p]

Example (Logic S4)
R reflexive and transitive; M, w ⊨ ✷¬p
[Figure: three worlds, all labelled ¬p]


Propositional Modal Logic

Semantics: Kripke Frames

Remarks

The semantics is alternatively called relational semantics, frame semantics, world semantics, possible world semantics, Kripke semantics/frame/structure
There are different variations of the definition of Kripke semantics:
  Sometimes a Kripke frame is defined to be a structure (W, R), and then the triple (W, R, ν) is called a Kripke model
  The Kripke model may be defined as (W, R, ⊨) instead
  Sometimes a set of starting states W0 ⊆ W is added to the definition
  In other cases a valuation function V : K → 2^P is given instead of ν
The semantics of ✷ and ✸ depend on the properties of R
  R can be reflexive, transitive, Euclidean, etc.
  Axioms and theorems will be determined by R (or vice versa!)




Multimodal Logic

A multimodal logic contains a set A = {a, . . .} of modalities
We can augment propositional logic with one modality for each a ∈ A:
  If ϕ is a formula and a ∈ A, then [a]ϕ is a formula
  We also define ⟨a⟩ϕ =def ¬[a]¬ϕ
The semantics of ⟨a⟩ and [a] are defined as for ✸ and ✷, but “labelling” the transition with a


Multimodal Logic

Definition

A Kripke frame is now a structure M = (W, R, ν) where
  W is a finite non-empty set of states (or worlds); W is called the universe of M
  R(a) ⊆ W × W is the accessibility relation between states (transition relation), associating each modality a ∈ A with a transition relation; we get a labelled Kripke frame
  ν : P → 2^K determines the truth assignment to the atomic propositional variables in each state



Multimodal Logic

Examples

Example

[Figure: three worlds w1, w2, w3, labelled ¬p, p and p, with transitions labelled a, b, a and a]

M, w1 ⊨ [a]p
M, w1 ⊨ ⟨a⟩p
M, w1 ⊨ ⟨b⟩p, and also M, w1 ⊨ [b]p
What about M, w2 ⊨ ⟨b⟩¬p? NO
What about M, w2 ⊨ [b]¬p? YES
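The Kripke semantics, the labelled [a]/⟨a⟩ modalities and the remark that axioms are determined by R, as one added Python example (not code from the slides). The three-world model, the frames, the formula encoding and every helper name are constructed for this example; the model's edges are an assumption chosen so that the answers stated on the slide above come out, and a single modality is just the case of one label.

```python
"""Checker for the Kripke semantics on the slides, with labelled modalities [a]/<a>.
Added example: the model, the frames and every helper name are this example's own."""
from itertools import product


class KripkeModel:
    """M = (W, R, nu): worlds, one relation R(a) per modality a, nu: prop -> worlds."""

    def __init__(self, worlds, relations, nu):
        self.W = frozenset(worlds)
        self.R = {a: frozenset(edges) for a, edges in relations.items()}
        self.nu = {p: frozenset(ws) for p, ws in nu.items()}

    def successors(self, a, w):
        """All w' with (w, w') in R(a)."""
        return {v for (u, v) in self.R.get(a, frozenset()) if u == w}


def holds(m, w, f):
    """M, w |= f.  Formulas: ("atom", p), ("not", f), ("or", f, g), ("implies", f, g),
    ("box", a, f) for [a]f and ("dia", a, f) for <a>f."""
    op, *args = f
    if op == "atom":
        return w in m.nu.get(args[0], frozenset())
    if op == "not":
        return not holds(m, w, args[0])
    if op == "or":
        return holds(m, w, args[0]) or holds(m, w, args[1])
    if op == "implies":
        return (not holds(m, w, args[0])) or holds(m, w, args[1])
    a, g = args
    if op == "box":  # [a]g: g in every a-successor, vacuously true when there is none
        return all(holds(m, v, g) for v in m.successors(a, w))
    if op == "dia":  # <a>g: g in some a-successor
        return any(holds(m, v, g) for v in m.successors(a, w))
    raise ValueError(f"unknown operator {op!r}")


def is_reflexive(worlds, edges):
    return all((w, w) in edges for w in worlds)


def is_transitive(edges):
    return all((u, z) in edges for (u, v) in edges for (x, z) in edges if v == x)


def valid_on_frame(worlds, edges, f, props=("p",), label="r"):
    """True if f holds at every world under every valuation of `props`: the frame
    (W, R) validates f whatever nu is."""
    worlds = list(worlds)
    for bits in product([False, True], repeat=len(worlds) * len(props)):
        nu = {p: {w for i, w in enumerate(worlds) if bits[j * len(worlds) + i]}
              for j, p in enumerate(props)}
        m = KripkeModel(worlds, {label: edges}, nu)
        if not all(holds(m, w, f) for w in worlds):
            return False
    return True


P = ("atom", "p")
AXIOM_T = ("implies", ("box", "r", P), P)                              # [r]p => p
AXIOM_4 = ("implies", ("box", "r", P), ("box", "r", ("box", "r", P)))  # [r]p => [r][r]p


def multimodal_example():
    """Constructed three-world model in the shape of the slides' [a]/<a> example
    (w1 labelled not p, w2 and w3 labelled p); the edges are this example's choice."""
    m = KripkeModel(
        ["w1", "w2", "w3"],
        {"a": {("w1", "w2"), ("w2", "w3"), ("w3", "w3")}, "b": {("w1", "w3")}},
        {"p": {"w2", "w3"}},
    )
    return {
        "w1 |= [a]p": holds(m, "w1", ("box", "a", P)),
        "w1 |= <a>p": holds(m, "w1", ("dia", "a", P)),
        "w1 |= <b>p": holds(m, "w1", ("dia", "b", P)),
        "w1 |= [b]p": holds(m, "w1", ("box", "b", P)),
        "w2 |= <b>not p": holds(m, "w2", ("dia", "b", ("not", P))),  # w2 has no b-successor
        "w2 |= [b]not p": holds(m, "w2", ("box", "b", ("not", P))),  # so this holds vacuously
    }


def frame_axiom_example():
    """Axioms follow R: T needs a reflexive frame, 4 a transitive one (constructed frames)."""
    W = ["s0", "s1", "s2"]
    chain = {("s0", "s1"), ("s1", "s2")}  # neither reflexive nor transitive
    reflexive = chain | {(w, w) for w in W}
    transitive = chain | {("s0", "s2")}
    return {
        "chain is reflexive": is_reflexive(W, chain),
        "reflexive frame is reflexive": is_reflexive(W, reflexive),
        "transitive frame is transitive": is_transitive(transitive),
        "T valid on chain": valid_on_frame(W, chain, AXIOM_T),
        "T valid on reflexive frame": valid_on_frame(W, reflexive, AXIOM_T),
        "4 valid on chain": valid_on_frame(W, chain, AXIOM_4),
        "4 valid on transitive frame": valid_on_frame(W, transitive, AXIOM_4),
    }
```

`valid_on_frame` enumerates every valuation of the listed propositions, so a True result is frame validity, not just truth in one model.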



Propositional Dynamic Logic (PDL)

The dynamic aspect of modal logic fits well the framework of program execution
  K: universe of all possible execution states of a program
  With any program α, define a relation R over K s.t. (s, t) ∈ R iff t is a possible final state of the program α with initial state s
  “possible” since programs may be non-deterministic
Syntactically, each program gives rise to a modality of a multimodal logic
  ⟨α⟩ϕ: it is possible to execute α and halt in a state satisfying ϕ
  [α]ϕ: whenever α halts, it does so in a state satisfying ϕ
Dynamic logic (PDL) is more than just multimodal logic applied to programs
  It uses various calculi of programs, together with predicate logic, giving rise to a reasoning system for interacting programs
  Dynamic logic subsumes Hoare logic


Dynamic logic (PDL) is more than just multimodal logic applied to programs

It uses various calculi of programs, together with predicate logic, giving rise to a reasoning system for interacting programs

Dynamic logic subsumes Hoare logic

Gerardo Schneider (UiO) Specification and Analysis of e-Contracts SEFM, 3-7 Nov 2008 33 / 56

slide-77
SLIDE 77

university-logo

Propositional Dynamic Logic

Syntax

PDL contains syntax constructs from:
Propositional logic
Modal logic
Algebra of regular expressions

Expressions are of two sorts:
Propositions and formulas: ϕ, ψ, . . .
Programs: α, β, γ, . . .

SLIDE 78

Propositional Dynamic Logic

Syntax

Definition

Programs and propositions of regular PDL are built inductively using the following operators:

Propositional operators: → (implication), 0 (falsity)
Program operators: ; (composition), ∪ (choice), ∗ (iteration)
Mixed operators: [ ] (necessity), ? (test)

SLIDE 79

Propositional Dynamic Logic

Intuitive Meaning

[α]ϕ: It is necessary that after executing α, ϕ is true (necessity)
α ∪ β: Choose either α or β non-deterministically and execute it (choice)
α; β: Execute α, then execute β (concatenation, sequencing)
α∗: Execute α a non-deterministically chosen finite number of times, zero or more (Kleene star)
ϕ?: Test ϕ; proceed if true, fail if false (test)

We define ⟨α⟩ϕ ≝ ¬[α]¬ϕ

SLIDE 85

Propositional Dynamic Logic

Additional Programs

skip ≝ 1?
fail ≝ 0?
if ϕ1 → α1 | . . . | ϕn → αn fi ≝ ϕ1?; α1 ∪ . . . ∪ ϕn?; αn
do ϕ1 → α1 | . . . | ϕn → αn od ≝ (ϕ1?; α1 ∪ . . . ∪ ϕn?; αn)∗; (¬ϕ1 ∧ . . . ∧ ¬ϕn)?
if ϕ then α else β ≝ if ϕ → α | ¬ϕ → β fi = ϕ?; α ∪ ¬ϕ?; β
while ϕ do α ≝ do ϕ → α od = (ϕ?; α)∗; ¬ϕ?
repeat α until ϕ ≝ α; while ¬ϕ do α od = α; (¬ϕ?; α)∗; ϕ?
{ϕ} α {ψ} ≝ ϕ → [α]ψ

SLIDE 86

Propositional Dynamic Logic

Remark

It is possible to reason about programs by using the PDL proof system
We will not see the semantics here
The semantics of PDL comes from that of modal logic (Kripke frames)

We will see its application in our contract language

SLIDE 87

Plan

1 Temporal Logic
2 Propositional Modal Logic
3 Multimodal Logic
4 Dynamic Logic
5 Mu-calculus
6 Real-Time Logics

SLIDE 88

µ-calculus

µ-calculus is a powerful language to express properties of transition systems by using least and greatest fixpoint operators

ν is the greatest fixpoint, meaning looping
µ is the least fixpoint, meaning finite looping

Many temporal and program logics can be encoded into the µ-calculus
Efficient model checking algorithms
Formulas are interpreted relative to a transition system

The Kripke structure needs to be slightly modified

SLIDE 89

µ-calculus: Syntax

Let Var = {Z, Y, . . .} be an (infinite) set of variable names
Let Prop = {P, Q, . . .} be a set of atomic propositions
Let L = {a, b, . . .} be a set of labels (or actions)

Definition

The set of µ-calculus formulae (w.r.t. (Var, Prop, L)) is defined as follows:
P is a formula
Z is a formula
If φ1 and φ2 are formulae, so is φ1 ∧ φ2
If φ is a formula, so is [a]φ
If φ is a formula, so is ¬φ
If φ is a formula, then νZ.φ is a formula, provided every free occurrence of Z in φ occurs positively (within the scope of an even number of negations)

ν is the only binding operator

SLIDE 90

µ-calculus: Syntax

If we write φ(Z) for a formula φ with free variable Z, then φ(ψ) means φ with ψ substituted for all free occurrences of Z
The positivity requirement syntactically guarantees monotonicity in Z

Unique minimal and maximal fixpoint

Derived operators

φ1 ∨ φ2 ≝ ¬(¬φ1 ∧ ¬φ2)
⟨a⟩φ ≝ ¬[a]¬φ
µZ.φ(Z) ≝ ¬νZ.¬φ(¬Z)

SLIDE 93

µ-calculus: Semantics

Definition

A labelled transition system (LTS) is a triple M = (S, T, L), where:
S is a nonempty set of states
L is a set of labels (actions) as defined before
T ⊆ S × L × S is a transition relation

A modal µ-calculus structure T (over Prop and L) is an LTS (S, T, L) together with an interpretation VProp : Prop → 2^S for the atomic propositions

SLIDE 94

µ-calculus

Semantics

Definition

Given a structure T and an interpretation V : Var → 2^S of the variables, the set ‖φ‖^T_V is defined as follows:

‖P‖^T_V = VProp(P)
‖Z‖^T_V = V(Z)
‖¬φ‖^T_V = S − ‖φ‖^T_V
‖φ1 ∧ φ2‖^T_V = ‖φ1‖^T_V ∩ ‖φ2‖^T_V
‖[a]φ‖^T_V = {s | ∀t. (s, a, t) ∈ T ⇒ t ∈ ‖φ‖^T_V}
‖νZ.φ‖^T_V = ⋃ {S′ ⊆ S | S′ ⊆ ‖φ‖^T_{V[Z:=S′]}}

where V[Z := S′] is the valuation mapping Z to S′ and otherwise agrees with V

SLIDE 95

µ-calculus

Semantics

If we consider only positive formulae, we may add the following derived operators

Interpretation

‖φ1 ∨ φ2‖^T_V = ‖φ1‖^T_V ∪ ‖φ2‖^T_V
‖⟨a⟩φ‖^T_V = {s | ∃t. (s, a, t) ∈ T ∧ t ∈ ‖φ‖^T_V}
‖µZ.φ‖^T_V = ⋂ {S′ ⊆ S | S′ ⊇ ‖φ‖^T_{V[Z:=S′]}}

SLIDE 96

µ-calculus

Example

µ is liveness

“On all a-paths, P eventually holds”: µZ.(P ∨ [a]Z)
“On some a-path, P holds until Q holds”: µZ.(Q ∨ (P ∧ ⟨a⟩Z))

ν is safety

“P is true along every a-path”: νZ.(P ∧ [a]Z)
“On every a-path, P holds while Q fails”: νZ.(Q ∨ (P ∧ [a]Z))
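The set semantics of slides 94 to 96 as an added example (not the lecturer's code): formulas are evaluated over a constructed LTS, νZ.φ and µZ.φ are computed by fixpoint iteration, and the four slide-96 formulas show where liveness (µ) and safety (ν) part ways. The LTS, its single label a and the propositions P, Q are assumptions of the example.

```python
from typing import Dict, FrozenSet, Tuple

States = FrozenSet[str]
Trans = FrozenSet[Tuple[str, str, str]]   # (s, a, t)
Formula = tuple   # ("prop", P) | ("var", Z) | ("not", f) | ("and", f, g) |
                  # ("or", f, g) | ("box", a, f) | ("dia", a, f) |
                  # ("nu", Z, f) | ("mu", Z, f)

class Structure:
    """A modal mu-calculus structure: an LTS (S, T, L) plus VProp: Prop -> 2^S."""
    def __init__(self, states: States, trans: Trans, vprop: Dict[str, States]):
        self.S, self.T, self.VProp = states, trans, vprop

    def box(self, a: str, X: States) -> States:
        """||[a]phi|| = {s | forall t. (s,a,t) in T => t in ||phi||}"""
        return frozenset(s for s in self.S
                         if all(t in X for (s2, l, t) in self.T if s2 == s and l == a))

    def dia(self, a: str, X: States) -> States:
        """||<a>phi|| = {s | exists t. (s,a,t) in T and t in ||phi||}"""
        return frozenset(s for s in self.S
                         if any(t in X for (s2, l, t) in self.T if s2 == s and l == a))

def sem(phi: Formula, T: Structure, V: Dict[str, States]) -> States:
    """||phi||^T_V following slides 94-95; nu/mu by fixpoint iteration."""
    kind = phi[0]
    if kind == "prop":
        return T.VProp[phi[1]]
    if kind == "var":
        return V[phi[1]]
    if kind == "not":
        return T.S - sem(phi[1], T, V)
    if kind == "and":
        return sem(phi[1], T, V) & sem(phi[2], T, V)
    if kind == "or":
        return sem(phi[1], T, V) | sem(phi[2], T, V)
    if kind == "box":
        return T.box(phi[1], sem(phi[2], T, V))
    if kind == "dia":
        return T.dia(phi[1], sem(phi[2], T, V))
    if kind in ("nu", "mu"):
        Z, body = phi[1], phi[2]
        # On a finite lattice the greatest fixpoint (union of post-fixpoints)
        # is reached by iterating S -> phi(S) -> ... downward from S, and the
        # least one (intersection of pre-fixpoints) by iterating upward from {}.
        # Positivity of Z makes the map monotone, so both iterations stabilise.
        X = T.S if kind == "nu" else frozenset()
        while True:
            nxt = sem(body, T, {**V, Z: X})
            if nxt == X:
                return X
            X = nxt
    raise ValueError(f"unknown operator {kind!r}")

# Constructed LTS: s0 branches to s1 (then s2, where Q holds forever) or to s3
# (P fails forever); s4 loops with P true but Q never reached.
EXAMPLE = Structure(
    states=frozenset({"s0", "s1", "s2", "s3", "s4"}),
    trans=frozenset({("s0", "a", "s1"), ("s0", "a", "s3"), ("s1", "a", "s2"),
                     ("s2", "a", "s2"), ("s3", "a", "s3"), ("s4", "a", "s4")}),
    vprop={"P": frozenset({"s0", "s1", "s2", "s4"}), "Q": frozenset({"s2"})},
)

# The four formulas of slide 96.
ALL_EVENTUALLY_Q = ("mu", "Z", ("or", ("prop", "Q"), ("box", "a", ("var", "Z"))))
SOME_P_UNTIL_Q = ("mu", "Z", ("or", ("prop", "Q"), ("and", ("prop", "P"), ("dia", "a", ("var", "Z")))))
ALWAYS_P = ("nu", "Z", ("and", ("prop", "P"), ("box", "a", ("var", "Z"))))
P_WHILE_NOT_Q = ("nu", "Z", ("or", ("prop", "Q"), ("and", ("prop", "P"), ("box", "a", ("var", "Z")))))

def evaluate(phi: Formula) -> list:
    return sorted(sem(phi, EXAMPLE, {}))

if __name__ == "__main__":
    for name in ("ALL_EVENTUALLY_Q", "SOME_P_UNTIL_Q", "ALWAYS_P", "P_WHILE_NOT_Q"):
        print(name, evaluate(globals()[name]))
```

State s4 is the one to watch: it satisfies the ν-formula P_WHILE_NOT_Q (P can hold forever, Q never arriving is allowed by safety) but not its µ-twin, which demands that Q is eventually reached.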

SLIDE 97

Plan

1 Temporal Logic
2 Propositional Modal Logic
3 Multimodal Logic
4 Dynamic Logic
5 Mu-calculus
6 Real-Time Logics

SLIDE 98

Real-time Logics

Temporal logic (TL) is concerned with the qualitative aspect of temporal system requirements
Invariance, responsiveness, etc.

TL cannot refer to metric time: not suitable for the specification of quantitative temporal requirements
There are many ways to extend a temporal logic with real time:
1 Replace the unrestricted temporal operators with time-bounded versions
2 Extend temporal logic with explicit references to the times of temporal contexts (freeze quantification)
3 Add an explicit clock variable

SLIDE 104

Real-time Logics

1. Bounded Temporal Operators

Example of a R-T logic with bounded temporal operators

ϕ := p | ¬ϕ | ϕ ∧ ϕ | ϕ U_I ϕ
where p is a propositional variable, and I is a rational interval
Informally, ϕ1 U_I ϕ2 holds at time t in a timed observation sequence iff there is a later time t′ ∈ t + I s.t. ϕ2 holds at time t′ and ϕ1 holds through the interval (t, t′)

Derived operators

✸_I ϕ ≝ true U_I ϕ: time-bounded eventually
✷_I ϕ ≝ ¬✸_I ¬ϕ: time-bounded always

Example

✷[2,4]p means “p holds at all times within 2 to 4 time units” ✷(p ⇒ ✸[0,3]q): “every stimulus p is followed by a response q within 3 time units”
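The bounded-until semantics of slide 104 over a timed observation sequence, as an added example (not from the lectures): a point-based checker for ϕ1 U_I ϕ2 and the derived ✸_I and ✷_I, used to check the response deadline ✷(p ⇒ ✸[0,3] q) from the slide and to report which stimuli were answered late. The traces and the strict "later time" reading of the until are assumptions of the example.

```python
from typing import FrozenSet, List, Tuple

INF = float("inf")
Obs = Tuple[float, FrozenSet[str]]     # one observation: (time stamp, propositions true)
Interval = Tuple[float, float]         # closed interval [lo, hi]; hi may be INF
Formula = tuple   # ("true",) | ("p", name) | ("not", f) | ("and", f, g) | ("until", I, f, g)

def holds(phi: Formula, seq: List[Obs], i: int) -> bool:
    """phi holds at observation i of the timed observation sequence seq."""
    kind = phi[0]
    if kind == "true":
        return True
    if kind == "p":
        return phi[1] in seq[i][1]
    if kind == "not":
        return not holds(phi[1], seq, i)
    if kind == "and":
        return holds(phi[1], seq, i) and holds(phi[2], seq, i)
    if kind == "until":
        (lo, hi), f, g = phi[1], phi[2], phi[3]
        t = seq[i][0]
        # Slide 104: some later observation at t' with t' - t in I satisfies g,
        # and f holds at every observation strictly between t and t'.
        for j in range(i + 1, len(seq)):
            if lo <= seq[j][0] - t <= hi and holds(g, seq, j):
                if all(holds(f, seq, k) for k in range(i + 1, j)):
                    return True
        return False
    raise ValueError(f"unknown operator {kind!r}")

# Derived operators, exactly as on the slide.
def eventually(I: Interval, f: Formula) -> Formula:
    return ("until", I, ("true",), f)            # ◇_I f = true U_I f

def always(I: Interval, f: Formula) -> Formula:
    return ("not", eventually(I, ("not", f)))    # □_I f = ¬◇_I ¬f

def implies(f: Formula, g: Formula) -> Formula:
    return ("not", ("and", f, ("not", g)))

def response_within(stimulus: str, response: str, deadline: float) -> Formula:
    """□(stimulus ⇒ ◇_[0,deadline] response): every stimulus is answered in time."""
    return always((0.0, INF), implies(("p", stimulus),
                                      eventually((0.0, deadline), ("p", response))))

def missed_deadlines(seq: List[Obs], stimulus: str, response: str, deadline: float) -> List[float]:
    """Time stamps of stimuli with no response within the deadline (for reporting)."""
    body = implies(("p", stimulus), eventually((0.0, deadline), ("p", response)))
    return [seq[i][0] for i in range(len(seq)) if not holds(body, seq, i)]

def obs(t: float, *props: str) -> Obs:
    return (t, frozenset(props))

# Constructed traces; observation 0 is an initial time stamp with nothing true,
# so the strict "later time" of the until covers every real event.
COMPLIANT = [obs(0.0), obs(1.0, "p"), obs(3.5, "q"), obs(5.0, "p"), obs(7.0, "q")]
LATE = [obs(0.0), obs(1.0, "p"), obs(3.5, "q"), obs(5.0, "p"), obs(9.0, "q")]

if __name__ == "__main__":
    spec = response_within("p", "q", 3.0)
    for name, trace in (("COMPLIANT", COMPLIANT), ("LATE", LATE)):
        print(name, holds(spec, trace, 0), missed_deadlines(trace, "p", "q", 3.0))
```

Because the until looks only at recorded observations, a deadline missed between two time stamps is invisible to the checker; the sampling of the observation sequence is part of what a contract monitor has to get right.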

SLIDE 108

Real-time Logics

2. Freeze Quantification

Bounded-operator logics cannot express non-local timing requirements

Ex: “every stimulus p is followed by a response q, followed by another response r, such that r is within 3 time units of p”

Need to have explicit references to the time of temporal contexts
The freeze quantifier x. binds x to the time of the current temporal context

x.ϕ(x) holds at time t iff ϕ(t) does

A logic with freeze quantifier is called half-order

Example of a R-T logic with freeze quantification

ϕ := p | π | ¬ϕ | ϕ ∧ ϕ | ϕ U ϕ | x.ϕ
V is a set of time variables
π ∈ Π(V) represents atomic timing constraints with free variables from V (e.g., z ≤ x + 3)

SLIDE 110

Real-time Logics

2. Freeze Quantification

Example

“Every stimulus p is followed by a response q within 3 time units”: ✷x.(p ⇒ ✸y.(q ∧ y ≤ x + 3))
“Every stimulus p is followed by a response q, followed by another response r, such that r is within 3 time units of p”: ✷x.(p ⇒ ✸(q ∧ ✸z.(r ∧ z ≤ x + 3)))

SLIDE 113

Real-time Logics

3. Explicit Clock Variable

It uses a dynamic state variable T (the clock variable), and a first-order quantification over time for global (rigid) variables

Example of a R-T logic with explicit clocks

ϕ := p | π | ¬ϕ | ϕ ∧ ϕ | ϕ U ϕ | ∃x.ϕ
x ∈ V, with V a set of (global) time variables
π ∈ Π(V ∪ {T}) represents atomic timing constraints over the variables from V ∪ {T} (e.g., T ≤ x + 3)
The freeze quantifier x.ϕ is equivalent to ∃x.(T = x ∧ ϕ)

Example

“Every stimulus p is followed by a response q within 3 time units”: ∀x.✷((p ∧ T = x) ⇒ ✸(q ∧ T ≤ x + 3))

SLIDE 114

Real-time Logics

Examples of Real-Time Logics

Linear-time:
MTL (metric temporal logic): a propositional bounded-operator logic
TPTL (timed temporal logic): a propositional half-order logic using only the future operators until and next
RTTL (real-time temporal logic): a first-order explicit-clock logic
XCTL (explicit-clock temporal logic): a propositional explicit-clock logic with rich timing constraints (comparison and addition); does not allow explicit quantification over time variables (implicit universal quantification)
MITL (metric interval temporal logic): a propositional linear-time logic with an interval-based strictly-monotonic real-time semantics; does not allow equality constraints

SLIDE 115

Real-time Logics

Examples of Real-Time Logics

Branching-time:
RTCTL (real-time computation tree logic): a propositional branching-time logic for synchronous systems; bounded-operator extension of CTL with a point-based strictly-monotonic integer-time semantics
TCTL (timed computation tree logic): a propositional branching-time logic with less restricted semantics; bounded-operator extension of CTL with an interval-based strictly-monotonic real-time semantics

SLIDE 116

Final Remarks

Remarks

For most of the presented logics, there is an axiomatic system and/or a Natural Deduction system
Though important, it is not needed for the rest of the tutorial

Our contract language will use the syntax of some of the presented logics
We will focus on the semantics (Kripke models, semantic encoding into other logics)

SLIDE 117

Further Reading

Modal and Temporal Logics:
M. Fitting. Basic Modal Logic. Handbook of Logic in Artificial Intelligence and Logic Programming, vol. 1, 1993
C. Stirling. Modal and Temporal Logics. Handbook of Logic in Computer Science, vol. 2, 1992

Dynamic Logic:
D. Harel, D. Kozen and J. Tiuryn. Dynamic Logic. MIT, 2003

µ-calculus:
J. Bradfield and C. Stirling. Modal logics and µ-calculi: an introduction

Real-time logics:
R. Alur and T. Henzinger. Logics and Models of Real Time: A Survey. LNCS 600, pp. 74-106, 1992
