Temporal Logic of Actions Advanced Topics in Distributed Computing - - PowerPoint PPT Presentation



SLIDE 1

Temporal Logic of Actions

Temporal Logic of Actions

Advanced Topics in Distributed Computing

Dominik Grewe

Saarland University

March 20, 2008

SLIDE 2

Temporal Logic of Actions

Outline

Basic Concepts
◮ Transition Systems
◮ Temporal Operators
◮ Fairness

Temporal Logic of Actions
◮ Introduction
◮ Definitions
◮ Example

TLC - A Model Checker for TLA

+Cal - An Algorithm Language Based on TLA
◮ Introduction
◮ Example

SLIDE 3

Temporal Logic of Actions Basic Concepts Transition Systems

Interpretations

◮ Vocabulary 𝒱

a countable set of variables

◮ Expressions over 𝒱: x + y

◮ Assertions over 𝒱: x > 0

◮ Interpretations ℐ

An interpretation I ∈ ℐ maps a set of variables V ⊆ 𝒱 to values.
Example for V = {x, y, z}: I = ⟨x : 2, y : 8, z : „abc“⟩

SLIDE 4

Temporal Logic of Actions Basic Concepts Transition Systems

Interpretations

◮ An interpretation I satisfies an assertion φ

I ⊨ φ iff φ evaluates to true w.r.t. I

◮ Example:

I = ⟨x : 2, y : 8, z : „abc“⟩, φ := (x < y) ∧ (z = „abc“)
I ⊨ φ ⇔ (I[x] < I[y]) ∧ (I[z] = „abc“) ⇔ (2 < 8) ∧ („abc“ = „abc“) ⇔ true

SLIDE 5

Temporal Logic of Actions Basic Concepts Transition Systems

Transition Systems

A transition system is a quadruple ⟨Π, Σ, T, Θ⟩ where

◮ Π ⊆ 𝒱 — a set of state variables, divided into data variables and control variables

◮ Σ — a set of states: the interpretations of Π

◮ T — a finite set of transitions; a transition is a function τ : Σ → 2^Σ

◮ Θ — an initial condition: an assertion specifying the initial states

SLIDE 6

Temporal Logic of Actions Basic Concepts Transition Systems

Transitions

A transition τ : Σ → 2^Σ is characterized by a transition relation ρ_τ(Π, Π′).

Example with Π = {x}: x > 0 ∧ x′ = x + 1

◮ s′ is a τ-successor of s iff s′ ∈ τ(s)
◮ τ is enabled in s iff τ(s) ≠ ∅

SLIDE 7

Temporal Logic of Actions Basic Concepts Transition Systems

Transitions

◮ a computation is an infinite sequence of states

σ : s₀, s₁, s₂, … with s₀ ⊨ Θ and ∀i ∃τ : sᵢ₊₁ ∈ τ(sᵢ)

◮ implicitly assume an idling transition τ_I (e.g. to model terminating systems)

SLIDE 8

Temporal Logic of Actions Basic Concepts Transition Systems

Example

◮ Π : {x, y}
◮ Θ : x = 0 ∧ y = 0
◮ τ_x : x′ = x + 1
◮ τ_y : y′ = y + 1

Possible Computations (three of them, one per line):

⟨x : 0, y : 0⟩ → ⟨x : 1, y : 0⟩ → ⟨x : 2, y : 0⟩ → ⟨x : 3, y : 0⟩ → …
⟨x : 0, y : 0⟩ → ⟨x : 0, y : 1⟩ → ⟨x : 1, y : 1⟩ → ⟨x : 1, y : 2⟩ → …
⟨x : 0, y : 0⟩ → ⟨x : 0, y : 0⟩ → ⟨x : 0, y : 0⟩ → ⟨x : 0, y : 0⟩ → …

SLIDE 9

Temporal Logic of Actions Basic Concepts Temporal Operators

Intuition

◮ ✸φ — Eventually φ:

¬φ → ¬φ → … → φ → “don’t care” → …

◮ ✷φ — Always φ:

φ → φ → …

◮ ○φ — Next φ:

“don’t care” → φ → “don’t care” → …

◮ φ U ψ — φ Until ψ:

φ → φ → … → φ → ψ → “don’t care”

Symmetry

✸φ ≡ ¬✷¬φ

SLIDE 10

Temporal Logic of Actions Basic Concepts Temporal Operators

Formal Definition

Let σ : s₀, s₁, … . Then σ[i] : sᵢ, sᵢ₊₁, … for all i ≥ 0 (the suffix of σ starting at sᵢ).

Eventually φ

σ ⊨ ✸φ ⇔ ∃i ≥ 0 : σ[i] ⊨ φ

Always φ

σ ⊨ ✷φ ⇔ ∀i ≥ 0 : σ[i] ⊨ φ

SLIDE 11

Temporal Logic of Actions Basic Concepts Temporal Operators

Formal Definition

Let σ : s₀, s₁, … . Then σ[i] : sᵢ, sᵢ₊₁, … for all i ≥ 0.

Next φ

σ ⊨ ○φ ⇔ σ[1] ⊨ φ

φ Until ψ

σ ⊨ φ U ψ ⇔ ∃i ≥ 0 : σ[i] ⊨ ψ ∧ ∀ 0 ≤ j < i : σ[j] ⊨ φ

SLIDE 12

Temporal Logic of Actions Basic Concepts Temporal Operators

Some Properties

Useful expressions

infinitely often: ✷✸φ
eventually always: ✸✷φ

Symmetry

¬✷φ ≡ ✸¬φ
¬✸φ ≡ ✷¬φ
¬✷✸φ ≡ ✸✷¬φ
¬✸✷φ ≡ ✷✸¬φ

SLIDE 13

Temporal Logic of Actions Basic Concepts Fairness

Motivation

Reconsider the example:

◮ Π : {x, y}
◮ Θ : x = 0 ∧ y = 0
◮ τ_x : x′ = x + 1
◮ τ_y : y′ = y + 1

Does it satisfy ✸(x > 0 ∨ y > 0)?

No! Taking only the idling transition τ_I gives the computation

⟨x : 0, y : 0⟩ → ⟨x : 0, y : 0⟩ → ⟨x : 0, y : 0⟩ → ⟨x : 0, y : 0⟩ → …

SLIDE 14

Temporal Logic of Actions Basic Concepts Fairness

Definitions

Weak Fairness (Justice)

If a transition is continually enabled, it is taken infinitely often.

✸✷Enabled(τ) ⇒ ✷✸Taken(τ) ≡ ✷✸¬Enabled(τ) ∨ ✷✸Taken(τ)

SLIDE 15

Temporal Logic of Actions Basic Concepts Fairness

Definitions

Strong Fairness (Compassion)

If a transition is infinitely often enabled, it is taken infinitely often.

✷✸Enabled(τ) ⇒ ✷✸Taken(τ) ≡ ✸✷¬Enabled(τ) ∨ ✷✸Taken(τ)

SLIDE 16

Temporal Logic of Actions Basic Concepts Fairness

Weak vs. Strong Fairness

Any computation satisfying a strong fairness condition also satisfies the corresponding weak fairness condition:

(✸✷¬Enabled(τ) ∨ ✷✸Taken(τ)) ⇒ (✷✸¬Enabled(τ) ∨ ✷✸Taken(τ))

because ✸✷φ ⇒ ✷✸φ.

SLIDE 17

Temporal Logic of Actions Basic Concepts Fairness

Adding Fairness to our Example

Since both transitions τ_x and τ_y are always enabled (Enabled(τ_x) = Enabled(τ_y) = true), weak fairness is enough to exclude the computations in which ✸(x > 0 ∨ y > 0) does not hold. Actually, for all n ≥ 0, it then holds that ✸(x > n) ∧ ✸(y > n).
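As an added example (not part of the slides), the operators of slides 9 to 12 and the fairness conditions of slides 13 to 17 are made executable in Python for the counter of slide 8. The representation of an infinite computation as a state function plus a declared prefix and period, and the names tau_x, tau_y, idle, only_x, alternate and weakly_fair, are assumptions of this example; the declared prefix and period must be valid for every atom that the evaluated formulas use.

```python
# Added example, not from the slides: the temporal operators (slides 9-12) and
# fairness conditions (slides 13-17) evaluated on infinite computations given as
# a function i -> s_i. Each computation declares a prefix length and a period
# after which the truth values of every atom used (state predicates, Enabled,
# Taken) repeat; the evaluator therefore never looks past prefix + period.
class Computation:
    def __init__(self, state_fn, prefix, period):
        self.state, self.prefix, self.period = state_fn, prefix, period
    def horizon(self):  # positions i .. i+horizon-1 show every pattern of sigma[i]
        return self.prefix + self.period

# A formula is a function (sigma, i) -> bool, read as  sigma[i] |= formula.
def atom(pred):    return lambda sig, i: pred(sig.state(i))
def neg(f):        return lambda sig, i: not f(sig, i)
def lor(f, g):     return lambda sig, i: f(sig, i) or g(sig, i)
def nxt(f):        return lambda sig, i: f(sig, i + 1)              # ()f
def eventually(f): # <>f : exists j >= i with sigma[j] |= f
    return lambda sig, i: any(f(sig, j) for j in range(i, i + sig.horizon()))
def always(f):     # []f : forall j >= i, sigma[j] |= f
    return lambda sig, i: all(f(sig, j) for j in range(i, i + sig.horizon()))
def until(f, g):   # f U g : some j >= i has g, every k in [i, j) has f
    def ev(sig, i):
        for j in range(i, i + sig.horizon()):
            if g(sig, j):     return True
            if not f(sig, j): return False
        return False
    return ev
def models(sig, f):  # sigma |= f  iff  sigma[0] |= f
    return f(sig, 0)

# Transitions tau : state -> set of successors (slide 6), Enabled/Taken at position i.
def enabled(tau): return lambda sig, i: bool(tau(sig.state(i)))
def taken(tau):   return lambda sig, i: sig.state(i + 1) in tau(sig.state(i))
def weak_fair(tau):    # []<>~Enabled(tau) \/ []<>Taken(tau)
    return lor(always(eventually(neg(enabled(tau)))), always(eventually(taken(tau))))
def strong_fair(tau):  # <>[]~Enabled(tau) \/ []<>Taken(tau)
    return lor(eventually(always(neg(enabled(tau)))), always(eventually(taken(tau))))

# The counter of slide 8: Pi = {x, y}, Theta: x = 0 /\ y = 0, states written (x, y).
tau_x = lambda s: {(s[0] + 1, s[1])}    # x' = x + 1
tau_y = lambda s: {(s[0], s[1] + 1)}    # y' = y + 1
progress  = eventually(atom(lambda s: s[0] > 0 or s[1] > 0))    # <>(x > 0 \/ y > 0)
idle      = Computation(lambda i: (0, 0), 0, 1)                  # only tau_I ever taken
only_x    = Computation(lambda i: (i, 0), 1, 1)                  # tau_x forever
alternate = Computation(lambda i: ((i + 1) // 2, i // 2), 1, 2)  # tau_x, tau_y, tau_x, ...

def weakly_fair(sig):
    """Slide 17: does sigma satisfy weak fairness for both tau_x and tau_y?"""
    return models(sig, weak_fair(tau_x)) and models(sig, weak_fair(tau_y))
```

Only the alternating computation survives the weak-fairness filter; the idling one fails progress, and the x-only one satisfies progress but not WF for τ_y.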

SLIDE 18

Temporal Logic of Actions Temporal Logic of Actions Introduction

Basic Facts

◮ Developed by Leslie Lamport (Microsoft Research)
◮ Specify (concurrent) systems with logical formulas
◮ Prove properties of specifications
◮ Modular specifications
◮ Extension: TLA+

SLIDE 19

Temporal Logic of Actions Temporal Logic of Actions Definitions

Basic Definitions

◮ State Functions

nonboolean expressions built from variables and constants

◮ State Predicates

boolean expressions containing variables and constants

◮ Actions

boolean expressions formed from variables, primed variables and constants

SLIDE 20

Temporal Logic of Actions Temporal Logic of Actions Definitions

Temporal Operators

◮ ✸F (Eventually F), ✷G (Always G)

common temporal operators

◮ F ❀ G — F leads to G

equivalent to ✷(F ⇒ ✸G)

◮ Unchanged f ≜ (f′ = f)

Example: Unchanged ⟨x, y⟩ ≡ (x′ = x) ∧ (y′ = y)

SLIDE 21

Temporal Logic of Actions Temporal Logic of Actions Definitions

Additional Operators

Stuttering

In TLA, there is no implicit idling transition, but there is a special operator to explicitly express stuttering:

[A]_f ≜ A ∨ (f′ = f)

Progress

To express progress, a new operator is introduced:

⟨A⟩_f ≜ A ∧ (f′ ≠ f)

SLIDE 22

Temporal Logic of Actions Temporal Logic of Actions Definitions

Fairness

To express fairness in TLA, there are special operators:

Weak Fairness

WF_f(A) ≜ (✷✸⟨A⟩_f) ∨ (✷✸¬Enabled ⟨A⟩_f)

Strong Fairness

SF_f(A) ≜ (✷✸⟨A⟩_f) ∨ (✸✷¬Enabled ⟨A⟩_f)

SLIDE 23

Temporal Logic of Actions Temporal Logic of Actions Example

Example revisited in TLA

Init_Φ ≜ (x = 0) ∧ (y = 0)
M_x ≜ (x′ = x + 1) ∧ (y′ = y)
M_y ≜ (y′ = y + 1) ∧ (x′ = x)
M ≜ M_x ∨ M_y
Φ ≜ Init_Φ ∧ ✷[M]_⟨x,y⟩ ∧ WF_⟨x,y⟩(M_x) ∧ WF_⟨x,y⟩(M_y)

SLIDE 24

Temporal Logic of Actions Temporal Logic of Actions Example

Example revisited in TLA

MODULE Counter
EXTENDS Naturals
VARIABLES x, y

Init_Φ ≜ (x = 0) ∧ (y = 0)
M_x ≜ (x′ = x + 1) ∧ (y′ = y)
M_y ≜ (y′ = y + 1) ∧ (x′ = x)
M ≜ M_x ∨ M_y
Φ ≜ Init_Φ ∧ ✷[M]_⟨x,y⟩ ∧ WF_⟨x,y⟩(M_x) ∧ WF_⟨x,y⟩(M_y)

SLIDE 25

Temporal Logic of Actions Temporal Logic of Actions TLC - A Model Checker for TLA

The TLC Model Checker

◮ designed and implemented by Yuan Yu
◮ can handle specifications of the form Init ∧ ✷[Next]_vars ∧ Temporal
◮ checks for deadlocks, expressed by ¬✷(ENABLED Next)
◮ can check various types of properties (e.g. invariants)
◮ builds a state graph to prove or disprove properties

SLIDE 26

Temporal Logic of Actions Temporal Logic of Actions TLC - A Model Checker for TLA

Exploring the state graph

1. compute the set of states satisfying the initial condition
2. compute for each state the successor states according to the next-state action

⇒ the state space has to be finite

SLIDE 27

Temporal Logic of Actions Temporal Logic of Actions TLC - A Model Checker for TLA

Another Example - Mutual Exclusion

Init ≜ sem = 1 ∧ pc₁ = „acq“ ∧ pc₂ = „acq“

Nextᵢ,… ≜ pcᵢ = „acq“ ∧ sem > 0 ∧ pc′ᵢ = „crit“ ∧ sem′ = sem − 1 ∧ pc′₋ᵢ = pc₋ᵢ

Nextᵢ,… ≜ pcᵢ = „crit“ ∧ pc′ᵢ = „rel“ ∧ sem′ = sem ∧ pc′₋ᵢ = pc₋ᵢ

Nextᵢ,… ≜ pcᵢ = „rel“ ∧ pc′ᵢ = „acq“ ∧ sem′ = sem + 1 ∧ pc′₋ᵢ = pc₋ᵢ

… ≜ …

MutExSpec ≜ Init ∧ ✷[Next]_vars ∧ SF_vars(Next₁) ∧ SF_vars(Next₂)

SLIDE 28

Temporal Logic of Actions Temporal Logic of Actions TLC - A Model Checker for TLA

The state graph

States written as ⟨sem, pc₁, pc₂⟩, edges as given by Next:

⟨1, „acq“, „acq“⟩ → ⟨0, „crit“, „acq“⟩ → ⟨0, „rel“, „acq“⟩ → ⟨1, „acq“, „acq“⟩
⟨1, „acq“, „acq“⟩ → ⟨0, „acq“, „crit“⟩ → ⟨0, „acq“, „rel“⟩ → ⟨1, „acq“, „acq“⟩
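As an added example (not the slides' own code), the two exploration steps of slide 26 re-implemented in Python and run over the semaphore spec of slide 27; the tuple layout (sem, pc_1, pc_2), the guarded flag that drops the sem > 0 conjunct to show what a faulty spec looks like to the checker, and the function names are this example's assumptions. On the unmodified spec it reaches exactly the five states of slide 28 with no invariant violation and no deadlock.

```python
# Added example, not from the slides: a TLC-style explicit-state exploration of
# the two-process semaphore spec (slide 27). A state is the tuple
# (sem, pc_1, pc_2); pc values are "acq", "crit" and "rel".
def init_states():
    """The states satisfying Init: sem = 1 and both processes at 'acq'."""
    return {(1, "acq", "acq")}

def successors(state, guarded=True):
    """Next-successors of a state (Next_1 \\/ Next_2, without stuttering).
    guarded=False drops the 'sem > 0' conjunct of the acquire action, to show
    what the checker reports for a faulty spec."""
    sem, pc = state[0], list(state[1:])
    succ = set()
    for i in (0, 1):                         # process i moves, -i keeps its pc
        new_pc = list(pc)
        if pc[i] == "acq" and (sem > 0 or not guarded):
            new_pc[i] = "crit"
            succ.add((sem - 1, *new_pc))     # sem' = sem - 1
        elif pc[i] == "crit":
            new_pc[i] = "rel"
            succ.add((sem, *new_pc))         # sem' = sem
        elif pc[i] == "rel":
            new_pc[i] = "acq"
            succ.add((sem + 1, *new_pc))     # sem' = sem + 1
    return succ

def explore(init, next_fn, invariant):
    """Build the state graph as slide 26 describes: start from the Init states,
    then add the successors of every newly found state. Each state is checked
    against the invariant, and a state with no enabled Next action is a
    deadlock. Terminates only because the reachable state space is finite."""
    seen, frontier = set(init), list(init)
    violations, deadlocks = [], []
    while frontier:
        s = frontier.pop()
        if not invariant(s):
            violations.append(s)
        succ = next_fn(s)
        if not succ:
            deadlocks.append(s)
        for t in succ - seen:
            seen.add(t)
            frontier.append(t)
    return seen, violations, deadlocks

def mutual_exclusion(state):
    """Safety property: the two processes are never both in 'crit'."""
    return not (state[1] == "crit" and state[2] == "crit")

if __name__ == "__main__":
    states, bad, dead = explore(init_states(), successors, mutual_exclusion)
    print(len(states), "reachable states, violations:", bad, "deadlocks:", dead)
```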

SLIDE 29

Temporal Logic of Actions +Cal - An Algorithm Language Based on TLA Introduction

Basic Facts

◮ a language for writing (concurrent) algorithms
◮ can be automatically translated to TLA

⇒ can be model-checked (using TLC)

◮ uses labels to break a sequence of statements into atomic steps
◮ two syntaxes:

◮ c-syntax (c-like)
◮ p-syntax (prolix)

SLIDE 30

Temporal Logic of Actions +Cal - An Algorithm Language Based on TLA Example

Fast Mutual Exclusion (pseudo code)

SLIDE 31

Temporal Logic of Actions +Cal - An Algorithm Language Based on TLA Example

Fast Mutual Exclusion (+CAL)

SLIDE 32

Temporal Logic of Actions Conclusion

Conclusion

TLA

◮ Specify (concurrent) systems with logical formulas
◮ Automatically prove properties of specifications

Model Checker TLC

◮ Modular design

+CAL

◮ Algorithm language for writing (concurrent) algorithms
◮ Goal: combine the precision of programming languages with the readability of pseudo code
◮ Automatic translation to TLA

⇒ model checking