Temporal Logic of Actions Temporal Logic of Actions Advanced Topics in Distributed Computing Dominik Grewe Saarland University March 20, 2008
Temporal Logic of Actions Outline Basic Concepts Transition Systems Temporal Operators Fairness Temporal Logic of Actions Introduction Definitions Example TLC - A Model Checker for TLA +Cal - An Algorithm Language Based on TLA Introduction Example
Temporal Logic of Actions Basic Concepts Transition Systems Interpretations ◮ Vocabulary V a countable set of variables ◮ Expressions over V : x+y ◮ Assertions over V : x>0 ◮ Interpretations I An interpretation I ∈ I maps a set of variables V ⊆ V to values. Example for V = { x , y , z } : I = � x : 2 , y : 8 , z : „ abc “ �
Temporal Logic of Actions Basic Concepts Transition Systems Interpretations ◮ An interpretation I satifies an assertion φ I | = φ iff φ evaluates to true w.r.t. I ◮ Example: I = � x : 2 , y : 8 , z : „ abc “ � φ := ( x < y ) ∧ ( z = „ abc “ ) = φ ⇔ ( I [ x ] < I [ y ]) ∧ ( I [ z ] = „ abc “ ) I | ⇔ ( 2 < 8 ) ∧ ( „ abc “ = „ abc “ )
Temporal Logic of Actions Basic Concepts Transition Systems Transition Systems A transition system is a quadruple � Π , Σ , T , Θ � where ◮ Π ⊆ V — a set of state variables divided into data variables and control variables ◮ Σ — a set of states interpretations of Π ◮ T — a finite set of transitions transition is a function τ : Σ → 2 Σ ◮ Θ — an initial condition assertion specifying the initial states
Temporal Logic of Actions Basic Concepts Transition Systems Transitions A transition τ : Σ → 2 Σ is characterized by a transition relation ρ τ (Π , Π ′ ) Example with Π = { x } : x > 0 ∧ x ′ = x + 1 ◮ s ′ is a τ -successor of s iff s ′ ∈ τ ( s ) ◮ τ is enabled iff τ ( s ) � = ∅
Temporal Logic of Actions Basic Concepts Transition Systems Transitions ◮ a computation is an infinite sequence of states σ : s 0 , s 1 , s 2 , ... with s 0 | = Θ ∀ i ∃ τ : s i + 1 ∈ τ ( s i ) ◮ implicitly assume idling transition τ I (e.g. to model terminating systems)
Temporal Logic of Actions Basic Concepts Transition Systems Example ◮ Π : { x , y } ◮ Θ : x = 0 ∧ y = 0 ◮ τ x : x ′ = x + 1 ◮ τ y : y ′ = y + 1 Possible Computations � x : 0 , y : 0 � � x : 0 , y : 0 � � x : 0 , y : 0 � � x : 1 , y : 0 � � x : 0 , y : 1 � � x : 0 , y : 0 � � x : 2 , y : 0 � � x : 1 , y : 1 � � x : 0 , y : 0 � � x : 3 , y : 0 � � x : 1 , y : 2 � � x : 0 , y : 0 � ... ... ...
Temporal Logic of Actions Basic Concepts Temporal Operators Intuition ◮ ✸ φ — Eventually φ : ¬ φ → ¬ φ → ... → φ → “don’t care” → ... ◮ ✷ φ — Always φ : φ → φ → ... ◮ � φ — Next φ : “don’t care” → φ → “don’t care” → ... ◮ φ U ψ — φ Until ψ : φ → φ → ... → φ → ψ → “don’t care” Symmetry ✸ φ ≡ ¬ ✷ ¬ φ
Temporal Logic of Actions Basic Concepts Temporal Operators Formal Definition σ : s 0 , s 1 , . . . . Let σ [ i ] : s i , s i + 1 , . . . ∀ i ≥ 0 Then Eventually φ ∃ i ≥ 0 : σ [ i ] | σ | = ✸ φ ⇔ = φ Always φ ∀ i ≥ 0 : σ [ i ] | σ | = ✷ φ ⇔ = φ
Temporal Logic of Actions Basic Concepts Temporal Operators Formal Definition σ : s 0 , s 1 , . . . . Let σ [ i ] : s i , s i + 1 , . . . ∀ i ≥ 0 Then Next φ σ | = � φ ⇔ σ [ 1 ] | = φ φ Until ψ ∃ i ≥ 0 : σ [ i ] | = ψ ∧ ∀ 0 ≤ j < i : σ [ j ] | σ | = φ U ψ ⇔ = φ
Temporal Logic of Actions Basic Concepts Temporal Operators Some Properties Useful expressions infinitely often: ✷✸ φ eventually always: ✸✷ φ Symmetry ¬ ✷ φ ≡ ✸ ¬ φ ¬ ✸ φ ≡ ✷ ¬ φ ¬ ✷✸ φ ≡ ✸✷ ¬ φ ¬ ✸✷ φ ≡ ✷✸ ¬ φ
Temporal Logic of Actions Basic Concepts Fairness Motivation Reconsider the example: ◮ Π : { x , y } No! Only taking the idling transition τ i ◮ Θ : x = 0 ∧ y = 0 � x : 0 , y : 0 � � x : 0 , y : 0 � ◮ τ x : x ′ = x + 1 � x : 0 , y : 0 � ◮ τ y : y ′ = y + 1 � x : 0 , y : 0 � Does it satisfy ... ✸ ( x > 0 ∨ y > 0 ) ?
Temporal Logic of Actions Basic Concepts Fairness Definitions Weak Fairness (Justice) If a transition is continually enabled, it is taken infinitely often. ✸✷ Enabled ( τ ) ⇒ ✷✸ Taken ( τ ) ≡ ✷✸ ¬ Enabled ( τ ) ∨ ✷✸ Taken ( τ )
Temporal Logic of Actions Basic Concepts Fairness Definitions Strong Fairness (Compassion) If a transition is infinitely often enabled, it is taken infinitely often. ✷✸ Enabled ( τ ) ⇒ ✷✸ Taken ( τ ) ≡ ✸✷ ¬ Enabled ( τ ) ∨ ✷✸ Taken ( τ )
Temporal Logic of Actions Basic Concepts Fairness Weak vs. Strong Fairness Any computation satisfying a strong fairness condition also satifies the corresponding weak fairness condition: ( ✸✷ ¬ Enabled ( τ ) ∨ ✷✸ Taken ( τ )) ⇒ ( ✷✸ ¬ Enabled ( τ ) ∨ ✷✸ Taken ( τ )) because ✸✷ φ ⇒ ✷✸ φ
Temporal Logic of Actions Basic Concepts Fairness Adding Fairness to our Example Since both transitions τ x and τ y are always enabled Enabled ( τ x ) = Enabled ( τ y ) = true weak fairness is enough to exclude computations where ✸ ( x > 0 ∨ y > 0 ) doesn’t hold. Actually, for all n ≥ 0, it holds ✸ ( x > n ) ∧ ✸ ( y > n )
Temporal Logic of Actions Temporal Logic of Actions Introduction Basic Facts ◮ Developed by Lesley Lamport (Microsoft Research) ◮ Specify (concurrent) systems with logical formulas ◮ Proof properties of specifications ◮ Modular specifications ◮ Extension: TLA +
Temporal Logic of Actions Temporal Logic of Actions Definitions Basic Definitions ◮ State Functions nonboolean expressions built from variables and constants ◮ State Predicates boolean expressions containing variables and constants ◮ Actions boolean expressions formed from variables, primed variables and constants
Temporal Logic of Actions Temporal Logic of Actions Definitions Temporal Operators ◮ ✸ F (Eventually F ), ✷ G (Always G ) common temporal operators ◮ F ❀ G — F leads to G equivalent to ✷ ( F ⇒ ✸ G ) ◮ Unchanged f � f ′ = f Example: Unchanged � x , y � ≡ ( x ′ = x ) ∧ ( y ′ = y )
Temporal Logic of Actions Temporal Logic of Actions Definitions Additional Operators Stuttering In TLA, there is no implicit idling transition, but there is a special operator to explicitly express stuttering: [ A ] f � A ∨ ( f ′ = f ) Progress To express progress, a new operator is introduced: �A� f � A ∧ ( f ′ � = f )
Temporal Logic of Actions Temporal Logic of Actions Definitions Fairness To express fairness in TLA, there are special operators: Weak Fairness WF f ( A ) � ( ✷✸ �A� f ) ∨ ( ✷✸ ¬ Enabled �A� f ) Strong Fairness SF f ( A ) � ( ✷✸ �A� f ) ∨ ( ✸✷ ¬ Enabled �A� f )
Temporal Logic of Actions Temporal Logic of Actions Example Example revisited in TLA Init Φ ( x = 0 ) ∧ ( y = 0 ) ∆ = ( x ′ = x + 1 ) ∧ ( y ′ = y ) ∆ M x = ( y ′ = y + 1 ) ∧ ( x ′ = x ) ∆ M y = ∆ M = M x ∨ M y Init Φ ∧ ✷ [ M ] � x , y � ∧ WF � x , y � ( M x ) ∧ WF � x , y � ( M y ) ∆ Φ =
Temporal Logic of Actions Temporal Logic of Actions Example Example revisited in TLA MODULE Counter EXTENDS Naturals VARIABLES x, y Init Φ ∆ = ( x = 0 ) ∧ ( y = 0 ) = ( x ′ = x + 1 ) ∧ ( y ′ = y ) ∆ M x = ( y ′ = y + 1 ) ∧ ( x ′ = x ) ∆ M y ∆ M = M x ∨ M y = Init Φ ∧ ✷ [ M ] � x,y � ∧ WF � x,y � ( M x ) ∧ WF � x,y � ( M y ) ∆ Φ
Temporal Logic of Actions Temporal Logic of Actions TLC - A Model Checker for TLA The TLC Model Checker ◮ designed and implemented by Yuan Yu ◮ can handle specifications of the form Init ∧ ✷ [ Next ] vars ∧ Temporal ◮ checks for deadlocks, expressed by ¬ ✷ ( ENABLED Next ) ◮ can check various types of properties (e.g. invariants) ◮ builds a state graph to proof or disproof properties
Temporal Logic of Actions Temporal Logic of Actions TLC - A Model Checker for TLA Exploring the state graph 1. compute the set of states satisfying the initial condition 2. compute for each state the successor states according to the next-state action ⇒ state space has to be finite
Temporal Logic of Actions Temporal Logic of Actions TLC - A Model Checker for TLA Another Example - Mutual Exclusion ∆ Init = sem = 1 ∧ pc = „ acq “ ∧ pc = „ acq “ ∆ pc i = „ acq “ ∧ sem > 0 ∧ pc ′ = i = „ crit “ ∧ Next i, sem ′ = sem − 1 ∧ pc ′ − i = pc − i ∆ pc i = „ crit “ ∧ pc ′ = i = „ rel “ ∧ Next i, sem ′ = sem ∧ pc ′ − i = pc − i ∆ pc i = „ rel “ ∧ pc ′ = i = „ acq “ ∧ Next i, sem ′ = sem + 1 ∧ pc ′ − i = pc − i ∆ = ... ... ∆ MutExSpec = Init ∧ ✷ [ Next ] vars ∧ SF vars ( Next ) ∧ SF vars ( Next )
Temporal Logic of Actions Temporal Logic of Actions TLC - A Model Checker for TLA The state graph � 1 , „ acq “ , „ acq “ � � 0 , „ crit “ , „ acq “ � � 0 , „ acq “ , „ crit “ � � 0 , „ rel “ , „ acq “ � � 0 , „ acq “ , „ rel “ �
Recommend
More recommend
