[PPT] - Summary of Lecture III Introducing Temporal Logics. Intuitions PowerPoint Presentation

SLIDE 1

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

Alessandro Artale Faculty of Computer Science – Free University of Bolzano

artale@inf.unibz.it http://www.inf.unibz.it/∼artale/

Some material (text, figures) displayed in these slides is courtesy of:

M. Benerecetti, A. Cimatti, M. Fisher, F. Giunchiglia, M. Pistore, M. Roveri, R.Sebastiani.

Alessandro Artale (FM – First Semester – 2007/2008) – p. 1/39

SLIDE 2

Summary of Lecture III

Introducing Temporal Logics. Intuitions beyond Linear Temporal Logic. LTL: Syntax and Semantics. LTL in Computer Science. LTL Interpreted over Kripke Models. LTL and Model Checking: Intuitions.

Alessandro Artale (FM – First Semester – 2007/2008) – p. 2/39

SLIDE 3

An Introduction to Temporal Logics

In classical logic, formulae are evaluated within a single fixed world. For example, a proposition such as “it is Monday” must be either true or false. Propositions are then combined using constructs such as ‘∧’, ‘¬’, etc. But, most (not just computational) systems are dynamic. In temporal logics, evaluation takes place within a set of

worlds. Thus, “it is Monday” may be satisfied in some

worlds, but not in others.

Alessandro Artale (FM – First Semester – 2007/2008) – p. 3/39

SLIDE 4

An Introduction to Temporal Logics (Cont.)

The set of worlds correspond to moments in time. How we navigate between these worlds depends on our particular view of time. The particular model of time is captured by a temporal accessibility relation between worlds. Essentially, temporal logic extends classical propositional logic with a set of temporal operators that navigate between worlds using this accessibility relation.

Alessandro Artale (FM – First Semester – 2007/2008) – p. 4/39

SLIDE 5

Typical Models of Time

Alessandro Artale (FM – First Semester – 2007/2008) – p. 5/39

SLIDE 6

Summary

Introducing Temporal Logics. Intuitions beyond Linear Temporal Logic. LTL: Syntax and Semantics. LTL in Computer Science. LTL Interpreted over Kripke Models. LTL and Model Checking: Intuitions.

Alessandro Artale (FM – First Semester – 2007/2008) – p. 6/39

SLIDE 7

Linear Temporal Logic (LTL): Intuitions

Consider a simple temporal logic (LTL) where the accessibility relation characterises a discrete, linear model isomorphic to the Natural Numbers. Typical temporal operators used are

❦

ϕ ϕ is true in the next moment in time ϕ ϕ is true in all future moments

♦ϕ

ϕ is true in some future moment ϕU ψ ϕ is true until ψ is true Examples: ((¬passport ∨¬ticket) ⇒

❦

¬board_ flight)

Alessandro Artale (FM – First Semester – 2007/2008) – p. 7/39

SLIDE 8

Computational Example

(requested ⇒ ♦received) (received ⇒

❦

processed) (processed ⇒ ♦ done) From the above we should be able to infer that it is not the case that the system continually re-sends a request, but never sees it completed ( ¬done); i.e. the statement requested ∧ ¬done should be inconsistent.

Alessandro Artale (FM – First Semester – 2007/2008) – p. 8/39

SLIDE 9

Summary

Introducing Temporal Logics. Intuitions beyond Linear Temporal Logic. LTL: Syntax and Semantics. LTL in Computer Science. LTL Interpreted over Kripke Models. LTL and Model Checking: Intuitions.

Alessandro Artale (FM – First Semester – 2007/2008) – p. 9/39

SLIDE 10

LTL: Syntax

Countable set Σ of atomic propositions: p,q,... the set FORM

f formulas is:

ϕ,ψ → p | (atomic proposition) ⊤ | (true) ⊥ | (false) ¬ϕ | (complement) ϕ∧ψ | (conjunction) ϕ∨ψ | (disjunction)

❦

ϕ | (next time) ϕ | (always)

♦ϕ |

(sometime) ϕU ψ (until)

Alessandro Artale (FM – First Semester – 2007/2008) – p. 10/39

SLIDE 11

Temporal Semantics

We interpret our temporal formulae in a discrete, linear model of time. Formally, this structure is represented by

M

= N, I where

I : N → 2Σ

maps each Natural number (representing a moment in time) to a set of propositions. The semantics of a temporal formula is provided by the satisfaction relation: | =: (M ×N× FORM) → {true,false}

Alessandro Artale (FM – First Semester – 2007/2008) – p. 11/39

SLIDE 12

Semantics: The Propositional Aspect

We start by defining when an atomic proposition is true at a time point “i” M , i | = p iff p ∈ I (i) (for p ∈ Σ) The semantics for the classical operators is as expected: M , i | = ¬ϕ iff M , i | = ϕ M , i | = ϕ∧ψ iff M , i | = ϕ and M , i | = ψ M , i | = ϕ∨ψ iff M , i | = ϕ or M , i | = ψ M , i | = ϕ ⇒ ψ iff if M , i | = ϕ then M , i | = ψ

M , i |

= ⊤

M , i |

= ⊥

Alessandro Artale (FM – First Semester – 2007/2008) – p. 12/39

SLIDE 13

Temporal Operators: ‘next’

M , i | =

❦

ϕ iff M , i+1 | = ϕ This operator provides a constraint on the next moment in time. Examples: (sad ∧ ¬rich) ⇒

❦

sad ((x = 0) ∧ add3) ⇒

❦

(x = 3)

Alessandro Artale (FM – First Semester – 2007/2008) – p. 13/39

SLIDE 14

Temporal Operators: ‘sometime’

M , i | = ♦ϕ iff there exists j. (j ≥ i) ∧ M , j | = ϕ N.B. while we can be sure that ϕ will be true either now or in the future, we can not be sure exactly when it will be true. Examples: (¬resigned ∧ sad) ⇒ ♦famous sad ⇒ ♦happy send ⇒ ♦receive

Alessandro Artale (FM – First Semester – 2007/2008) – p. 14/39

SLIDE 15

Temporal Operators: ‘always’

M , i | = ϕ iff for all j. if (j ≥ i) then M , j | = ϕ This can represent invariant properties. Examples: lottery-win ⇒ rich

Alessandro Artale (FM – First Semester – 2007/2008) – p. 15/39

SLIDE 16

Temporal Operators: ‘until’

M , i | = ϕU ψ iff there exists j. (j ≥ i) ∧ M , j | = ψ ∧ for all k. (i ≤ k < j) ⇒ M , k | = ϕ Examples: start_lecture ⇒ talkU end_lecture born ⇒ aliveU dead request ⇒ replyU acknowledgement

Alessandro Artale (FM – First Semester – 2007/2008) – p. 16/39

SLIDE 17

Satisfiability and Validity

A structure M = N, I is a model of φ, if M , i | = φ, for some i ∈ N. Similarly as in classical logic, an LTL formula φ can be satisfiable, unsatisfiable or valid. A formula φ is: Satisfiable, if there is model for φ. Unsatisfiable, if φ is not satisfiable. Valid (i.e., a Tautology): | = φ iff ∀M ,∀i ∈ N. M , i | = φ.

Alessandro Artale (FM – First Semester – 2007/2008) – p. 17/39

SLIDE 18

Entailment and Equivalence

Similarly as in classical logic we can define the notions of entailment and equivalence between two LTL formulas Entailment. φ | = ψ iff ∀M ,∀i ∈ N.M , i | = φ ⇒ M , i | = ψ Equivalence. φ ≡ ψ iff ∀M ,∀i ∈ N.M , i | = φ ⇔ M , i | = ψ

Alessandro Artale (FM – First Semester – 2007/2008) – p. 18/39

SLIDE 19

Equivalences in LTL

The temporal operators and ♦ are duals ¬ ϕ ≡ ♦¬ϕ

♦ (and then

) can be rewritten in terms of U

♦ϕ ≡ ⊤U ϕ

All the temporal operators can be rewritten using the “Until” and “Next” operators

Alessandro Artale (FM – First Semester – 2007/2008) – p. 19/39

SLIDE 20

Equivalences in LTL (Cont.)

♦ distributes over ∨ while

distributes over ∧

♦(ϕ∨ψ) ≡ ♦ϕ∨♦ψ

(ϕ∧ψ) ≡ ϕ∧ ψ The following equivalences are useful for generating formulas in Negated Normal Form. ¬

❦

ϕ ≡

❦

¬ϕ ¬(ϕU ψ) ≡ (¬ψU (¬ϕ∧¬ψ))∨ ¬ψ

Alessandro Artale (FM – First Semester – 2007/2008) – p. 20/39

SLIDE 21

LTL Vs. FOL

Linear Temporal Logic can be thought of as a specific decidable (PSPACE-complete) fragment

f classical first-order logic

We just map each proposition to a unary predicate in FOL. In general, the following satisfiability preserving mapping () holds: p

p(t)

❦

p

p(t +1)

♦p

∃t′. (t′ ≥ t) ∧ p(t′)

p

∀t′. (t′ ≥ t) ⇒ p(t′)

Alessandro Artale (FM – First Semester – 2007/2008) – p. 21/39

SLIDE 22

Summary

Introducing Temporal Logics. Intuitions beyond Linear Temporal Logic. LTL: Syntax and Semantics. LTL in Computer Science. LTL Interpreted over Kripke Models. LTL and Model Checking: Intuitions.

Alessandro Artale (FM – First Semester – 2007/2008) – p. 22/39

SLIDE 23

Temporal Logic in Computer Science

Temporal logic was originally developed in order to represent tense in natural language. Within Computer Science, it has achieved a significant role in the formal specification and verification of concurrent reactive systems. Much of this popularity has been achieved as a number of useful concepts can be formally, and concisely, specified using temporal logics, e.g.

safety properties
liveness properties
fairness properties

Alessandro Artale (FM – First Semester – 2007/2008) – p. 23/39

SLIDE 24

Safety Properties

Safety: “something bad will not happen” Typical examples: ¬(reactor_temp > 1000) ¬(one_way∧

❦

ther_way)

¬((x = 0)∧

❦ ❦ ❦

(y = z/x)) and so on..... Usually: ¬....

Alessandro Artale (FM – First Semester – 2007/2008) – p. 24/39

SLIDE 25

Liveness Properties

Liveness: “something good will happen” Typical examples:

♦rich ♦(x > 5)

(start ⇒ ♦terminate) and so on..... Usually: ♦....

Alessandro Artale (FM – First Semester – 2007/2008) – p. 25/39

SLIDE 26

Fairness Properties

Often only really useful when scheduling processes, responding to messages, etc. Strong Fairness: “if something is attempted/requested infinitely

ften, then it will be successful/allocated infinitely
ften”

Typical example:

♦ready ⇒ ♦run

Alessandro Artale (FM – First Semester – 2007/2008) – p. 26/39

SLIDE 27

Summary

Introducing Temporal Logics. Intuitions beyond Linear Temporal Logic. LTL: Syntax and Semantics. LTL in Computer Science. LTL Interpreted over Kripke Models. LTL and Model Checking: Intuitions.

Alessandro Artale (FM – First Semester – 2007/2008) – p. 27/39

SLIDE 28

Kripke Models and Linear Structures

Consider the following Kripke structure:

done !done

Its paths/computations can be seen as a set of linear structures (computation tree):

done done done !done !done !done !done done done done !done !done !done !done !done !done

.....

done done done done done done !done !done !done !done

Alessandro Artale (FM – First Semester – 2007/2008) – p. 28/39

SLIDE 29

Path-Semantics for LTL

LTL formulae are evaluated over the set N of Natural Numbers. Paths in Kripke structures are infinite and linear sequences of states. Thus, they are isomorphic to the Natural Numbers: π = s0 → s1 → ··· → si → si+1 → ··· We want to interpret LTL formulas over Kripke structures. Given a Kripke structure, K M = (S,I,R,AP,L), a path π in K M , a state s ∈ S, and an LTL formula φ, we define:

1. K M ,π |

= φ, and then

2. K M ,s |

= φ Based on the LTL semantics over the Natural Numbers.

Alessandro Artale (FM – First Semester – 2007/2008) – p. 29/39

SLIDE 30

Path-Semantics for LTL (Cont.)

We first extract an LTL model, M π = (π,Iπ), from the Kripke structure K M . M π = (π,Iπ) is such that:

π is a path in K M
Iπ is the restriction of L to states in π:

∀s ∈ π and ∀p ∈ AP, p ∈ Iπ(s) iff p ∈ L(s) Given a Kripke structure, K M = (S,I,R,AP,L), a path π in K M , a state s ∈ S, and an LTL formula φ:

1. K M ,π |

= φ iff M π,s0 | = φ with s0 initial state of π

2. K M ,s |

= φ iff K M ,π | = φ for all paths π starting at s.

Alessandro Artale (FM – First Semester – 2007/2008) – p. 30/39

SLIDE 31

LTL Model Checking Definition

Given a Kripke structure, K M = (S,I,R,AP,L), the LTL model checking problem K M | = φ: Check if K M ,s0 | = φ, for every s0 ∈ I initial state of the Kripke structure K M .

Alessandro Artale (FM – First Semester – 2007/2008) – p. 31/39

SLIDE 32

Summary

Introducing Temporal Logics. Intuitions beyond Linear Temporal Logic. LTL: Syntax and Semantics. LTL in Computer Science. LTL Interpreted over Kripke Models. LTL and Model Checking: Intuitions.

Alessandro Artale (FM – First Semester – 2007/2008) – p. 32/39

SLIDE 33

Example 1: mutual exclusion (safety)

N1, N2 turn=0 turn=1 C1, T2 turn=1 T1, T2 T1, N2 turn=1 C1, N2 turn=1 T1, T2 turn=2 N = noncritical, T = trying, C = critical User 1 User 2 N1, T2 turn=2 T1, C2 turn=2 turn=2 N1, C2

K M |

= ¬(C1 ∧C2) ?

Alessandro Artale (FM – First Semester – 2007/2008) – p. 33/39

SLIDE 34

Example 1: mutual exclusion (safety)

N1, N2 turn=0 turn=1 C1, T2 turn=1 T1, T2 T1, N2 turn=1 C1, N2 turn=1 T1, T2 turn=2 N = noncritical, T = trying, C = critical User 1 User 2 N1, T2 turn=2 T1, C2 turn=2 turn=2 N1, C2

K M |

= ¬(C1 ∧C2) ? YES: There is no reachable state in which (C1 ∧C2) holds!

Alessandro Artale (FM – First Semester – 2007/2008) – p. 33/39

SLIDE 35

Example 2: mutual exclusion (liveness)

N1, N2 turn=0 turn=1 C1, T2 turn=1 T1, T2 T1, N2 turn=1 C1, N2 turn=1 T1, T2 turn=2 N = noncritical, T = trying, C = critical User 1 User 2 N1, T2 turn=2 T1, C2 turn=2 turn=2 N1, C2

K M |

= ♦C1 ?

Alessandro Artale (FM – First Semester – 2007/2008) – p. 34/39

SLIDE 36

Example 2: mutual exclusion (liveness)

N1, N2 turn=0 turn=1 C1, T2 turn=1 T1, T2 T1, N2 turn=1 C1, N2 turn=1 T1, T2 turn=2 N = noncritical, T = trying, C = critical User 1 User 2 N1, T2 turn=2 T1, C2 turn=2 turn=2 N1, C2

K M |

= ♦C1 ? NO: the blue cyclic path is a counterexample!

Alessandro Artale (FM – First Semester – 2007/2008) – p. 34/39

SLIDE 37

Example 3: mutual exclusion (liveness)

N1, N2 turn=0 turn=1 C1, T2 turn=1 T1, T2 T1, N2 turn=1 C1, N2 turn=1 T1, T2 turn=2 N = noncritical, T = trying, C = critical User 1 User 2 N1, T2 turn=2 T1, C2 turn=2 turn=2 N1, C2

K M |

= (T1 ⇒ ♦C1) ?

Alessandro Artale (FM – First Semester – 2007/2008) – p. 35/39

SLIDE 38

Example 3: mutual exclusion (liveness)

N1, N2 turn=0 turn=1 C1, T2 turn=1 T1, T2 T1, N2 turn=1 C1, N2 turn=1 T1, T2 turn=2 N = noncritical, T = trying, C = critical User 1 User 2 N1, T2 turn=2 T1, C2 turn=2 turn=2 N1, C2

K M |

= (T1 ⇒ ♦C1) ? YES: in every path if T1 holds afterwards C1 holds!

Alessandro Artale (FM – First Semester – 2007/2008) – p. 35/39

SLIDE 39

Example 4: mutual exclusion (fairness)

N1, N2 turn=0 turn=1 C1, T2 turn=1 T1, T2 T1, N2 turn=1 C1, N2 turn=1 T1, T2 turn=2 N = noncritical, T = trying, C = critical User 1 User 2 N1, T2 turn=2 T1, C2 turn=2 turn=2 N1, C2

K M |

=

♦C1 ?

Alessandro Artale (FM – First Semester – 2007/2008) – p. 36/39

SLIDE 40

Example 4: mutual exclusion (fairness)

N1, N2 turn=0 turn=1 C1, T2 turn=1 T1, T2 T1, N2 turn=1 C1, N2 turn=1 T1, T2 turn=2 N = noncritical, T = trying, C = critical User 1 User 2 N1, T2 turn=2 T1, C2 turn=2 turn=2 N1, C2

K M |

=

♦C1 ?

NO: the blue cyclic path is a counterexample!

Alessandro Artale (FM – First Semester – 2007/2008) – p. 36/39

SLIDE 41

Example 4: mutual exclusion (strong fairness)

N1, N2 turn=0 turn=1 C1, T2 turn=1 T1, T2 T1, N2 turn=1 C1, N2 turn=1 T1, T2 turn=2 N = noncritical, T = trying, C = critical User 1 User 2 N1, T2 turn=2 T1, C2 turn=2 turn=2 N1, C2

K M |

=

♦T1 ⇒ ♦C1 ?

Alessandro Artale (FM – First Semester – 2007/2008) – p. 37/39

SLIDE 42

Example 4: mutual exclusion (strong fairness)

N1, N2 turn=0 turn=1 C1, T2 turn=1 T1, T2 T1, N2 turn=1 C1, N2 turn=1 T1, T2 turn=2 N = noncritical, T = trying, C = critical User 1 User 2 N1, T2 turn=2 T1, C2 turn=2 turn=2 N1, C2

K M |

=

♦T1 ⇒ ♦C1 ?

YES: every path which visits T1 infinitely often also visits C1 infinitely often!

Alessandro Artale (FM – First Semester – 2007/2008) – p. 37/39

SLIDE 43

LTL Alternative Notation

Alternative notations are used for temporal operators.

♦

F

sometime in the Future

G Globally in the future

❦ X

neXtime

Alessandro Artale (FM – First Semester – 2007/2008) – p. 38/39

SLIDE 44

Summary of Lecture III

Introducing Temporal Logics. Intuitions beyond Linear Temporal Logic. LTL: Syntax and Semantics. LTL in Computer Science. LTL Interpreted over Kripke Models. LTL and Model Checking: Intuitions.

Alessandro Artale (FM – First Semester – 2007/2008) – p. 39/39