Specification of Systems With Temporal Logic: Simon Robillard

Specification of Systems with Temporal Logic
Simon Robillard
Autumn 2019
1 / 24
Introduction
Section 1
Introduction
2 / 24
Introduction
Before We Begin
1 Exercises during the lecture

2 Keep track of answers, as they might be re-used in later
exercises
Contact: simon.robillard@imt-atlantique.fr
3 / 24
Introduction
Verification, Abstraction and Specification
I In previous part of course: modelling of systems

I To do verification, we need a way to express what is expected
of the system
I The expected behavior is often described in natural language
Example: RFC 793 (Transmission Control Protocol)

“The TCP then waits until its own FIN is acknowledged whereupon
it deletes the connection.”
I Natural language cannot be understood by computers

I Even for humans, it can be ambiguous
I We need a formal language, with precise semantics, to
describe what we want
4 / 24
Introduction
Properties of a Logic of Time
What is the nature of time?

I Discrete or continuous?
I Deterministic or not?
I Does it have a beginning? An end?
I If two events happen simultaneously, are they the same?
What properties do we need to specify?
I Time points (instants) or time intervals?
I Describe the future, the past, or both?
I Need to describe that something is true sometimes? a certain
(precise) number of times? infinitely often?
I Probabilities?
5 / 24
Introduction
LTL and CTL

I The two most common temporal logics for computer science
I Discrete time in both (common view in computer science,
since computers follow a clock)
Linear Temporal Logic Computational Tree Logic
I interpreted over timelines, I interpreted over “time trees”:

where every moment has a at a given point, there can
unique successor be more than one possible
I one timeline = one run of a future
program/system I one tree already captures the
I we are generally interested in different possible runs of a
checking that a formula is program/system
true for all possible runs
6 / 24
Introduction
Labelled Transition Systems (LTS)
I until now, we have mainly considered transitions (actions)

I this can make it difficult to express some properties
I example: to check that 2 processes are never in a critical
section at the same time, we need to check all the sequences
of actions that can lead to this situation
I instead, we can label the states of our system with some
properties (e.g., “process X is in the critical section”)
7 / 24
Introduction
Boolean Abstractions
I we use Boolean variables for our labels: for a set of variables
P, states are labelled with elements of 2P
I if p ∈ L(σ), then p is true in state σ, otherwise ¬p is true
I in theory, we can use a countably infinite set of variables
I in practice, you may need a coarse abstraction
Example: two processes in a critical section, P = {crit1 , crit2 }
{crit1 }
{} {crit1 , crit2 }
{crit2 } 8 / 24
Linear Temporal Logic: Syntax and Semantics
Section 2
9 / 24
Syntax of LTL
Let P be a set of propositional variables. The syntax of LTL is

defined inductively:
I propositions: if p ∈ P, then p is an LTL formula
I Boolean operators: if ϕ and ψ are LTL formulas, then
• ¬ϕ
• ϕ∨ψ
are LTL formulas
I modalities: if ϕ and ψ are LTL formulas, then
• Xϕ (“next ϕ”)
• ϕ U ψ (“ϕ until ψ”)
are LTL formulas
Precedence: unary operators bind stronger than binary ones
10 / 24
Intuitive semantics
Atomic proposition: p
p
...
Next state: Xϕ
...
Until: ϕ U ψ ψ
...
ϕ
11 / 24
Interpretations
I LTL interpretations = infinite words over the alphabet 2P

(infinite sequences of interpretations of the propositional
variables)
I One path in a LTS = one interpretation
I Let w = w0 w1 . . . be an infinite word. We denote by w i the
word wi wi+1 . . .
Example with P = {p, q}
{q} {p} {} {p, q} {q}

w= ...
w2
12 / 24
Definition of semantics
The satisfaction relation |= between w and an LTL formula is

defined inductively:
w |= p ≡ p ∈ w0
w |= Xϕ ≡ w 1 |= ϕ
w |= ϕ U ψ ≡ there exists i ≥ 0 such that:
• w i |= ψ
• for all 0 ≤ j < i, w j |= ϕ
w |= ¬ϕ ≡ w |= ϕ is not true
w |= ϕ ∨ ψ ≡ w |= ϕ or w |= ψ
13 / 24
Derived Operators
Derived Boolean operators:
> ≡ p ∨ ¬p
⊥ ≡ ¬>
ϕ∧ψ ≡ ¬(¬ϕ ∨ ¬ψ)
ϕ =⇒ ψ ≡ ¬ϕ ∨ ψ
ϕ ⇐⇒ ψ ≡ (ϕ =⇒ ψ) ∧ (ψ =⇒ ϕ)
Derived modalities
Fϕ ≡ >Uϕ
Gϕ ≡ ¬(F¬ϕ)
ϕRψ ≡ ¬(¬ϕ U ¬ψ)
ϕWψ ≡ (ϕ U ψ) ∨ Gϕ
ϕMψ ≡ (ϕ R ψ) ∧ Fϕ
14 / 24
Exercise 1
Give a direct description of the semantics of F, G, R, W, M and

justify it.
15 / 24
Exercise 1
Give a direct description of the semantics of F, G, R, W, M and

justify it.
Answer
I Fϕ (“eventually ϕ”): ϕ will be satisfied at some point
I Gϕ (“globally ϕ”): ϕ is always satisfied
I ϕ R ψ (“ϕ release ψ): ψ must remain true up to (including)
the point when ϕ becomes true, which may never occur
I ϕ W ψ (“weak until”): same as “until”, but the stop condition
ψ may never occur
I ϕ M ψ (“strong release”): same as “release”, but the release
condition ϕ must occur
15 / 24
Validity, Equivalence, Models
I a formula ϕ is valid (denoted |= ϕ) if for any word w , w |= ϕ

I two formulas ϕ and ψ are equivalent (ϕ ≡ ψ) if for any word
w , w |= ϕ ⇐⇒ w |= ψ
I a transition system TS satisfies a formula ϕ (TS |= ϕ), if, for
any word w ∈ L(TS), w |= ϕ
16 / 24
A Note on Negation
I for a word, by definition
w 6|= ϕ ≡ w |= ¬ϕ
I the same is not true for a transition system!
{p} {} {p}
This system satisfies neither Gp, nor ¬Gp
17 / 24
Equivalence Rules
Negation Distributivity
¬Xϕ ≡ X¬ϕ X(ϕ ∨ ψ) ≡ Xϕ ∨ Xψ

¬Gϕ ≡ F¬ϕ X(ϕ ∧ ψ) ≡ Xϕ ∧ Xψ
¬Fϕ ≡ G¬ϕ X(ϕ U ψ) ≡ Xϕ U Xψ
¬(ϕ U ψ) ≡ ¬ϕ R ¬ψ F(ϕ ∨ ψ) ≡ Fϕ ∨ Fψ
¬(ϕ R ψ) ≡ ¬ϕ U ¬ψ G(ϕ ∧ ψ) ≡ Gϕ ∧ Gψ
¬(ϕ W ψ) ≡ ¬ϕ M ¬ψ ρ U (ϕ ∨ ψ) ≡ (ρ U ϕ) ∨ (ρ U ψ)
¬(ϕ M ψ) ≡ ¬ϕ W ¬ψ (ϕ ∧ ψ) U ρ ≡ (ϕ U ρ) ∧ (ψ U ρ)
Idempotency Unrolling
G ≡ GGϕ Gϕ ≡ ϕ ∧ XGϕ
F ≡ FFϕ Fϕ ≡ ϕ ∨ XFϕ
ϕ U ψ ≡ ϕ U (ϕ U ψ) ϕ U ψ ≡ ψ ∨ (ϕ ∧ X(ϕ U ψ))
18 / 24
Exercise 2
Show that the following formulas are not equivalent:

1 G(p ∨ q) 6≡ Gp ∨ Gq
2 F(p ∧ q) 6≡ Fp ∧ Fq
3 p U (q U r ) 6≡ (p U q) U r
19 / 24
Negation Normal Form
A LTL formula is in negation normal form if:

1 negations appear only in front of propositional variables
2 >, ⊥, ∧ and ∨ are the only Boolean operators allowed
3 X, U and R are the only operators allowed
Examples
¬Xp 7 X¬p 3
p =⇒ Xq 7 ¬p ∨ Xa 3
Fp 7 >Up 3
20 / 24
Exercise 3
Put the following formulas in NNF:

1 Gp
2 ¬FGp
3 ¬G(p =⇒ Fq)
21 / 24
Formalizing Properties of Systems (Examples)
I Safety (mutual exclusion invariant):
G¬(crit1 ∧ crit2 )
I A safety property that is not an invariant
¬access W authenticated
I Liveness (request):
G(request =⇒ Fgrant)
22 / 24
Liveness vs Safety
I liveness properties describe what the program should do

I often easier to formulate than safety properties
I harder to check (counter-examples are infinite)
I for a given liveness property, there is often a corresponding
safety property
23 / 24
Exercise 4
1 Write LTL formulas corresponding to the following properties:

• if p becomes true at any point, then q must be true until r
becomes true
• p can only be true if q has been true at least once before
• p is true exactly every other state
2 Consider a traffic light. Formalize the property that the light
must cycle through colors in the usual order.
24 / 24

Specification of Systems With Temporal Logic: Simon Robillard

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Specification of Systems With Temporal Logic: Simon Robillard

Uploaded by

Copyright:

Available Formats

Specification of Systems with Temporal Logic

Specification of Systems with Temporal Logic

1 Exercises during the lecture

Verification, Abstraction and Specification

I In previous part of course: modelling of systems

Example: RFC 793 (Transmission Control Protocol)

I Natural language cannot be understood by computers

Properties of a Logic of Time

What is the nature of time?

LTL and CTL

Linear Temporal Logic Computational Tree Logic

I interpreted over timelines, I interpreted over “time trees”:

Labelled Transition Systems (LTS)

I until now, we have mainly considered transitions (actions)

Linear Temporal Logic: Syntax and Semantics

Let P be a set of propositional variables. The syntax of LTL is

I LTL interpretations = infinite words over the alphabet 2P

{q} {p} {} {p, q} {q}

The satisfaction relation |= between w and an LTL formula is

Give a direct description of the semantics of F, G, R, W, M and

Give a direct description of the semantics of F, G, R, W, M and

Validity, Equivalence, Models

I a formula ϕ is valid (denoted |= ϕ) if for any word w , w |= ϕ

I for a word, by definition

I the same is not true for a transition system!

This system satisfies neither Gp, nor ¬Gp

¬Xϕ ≡ X¬ϕ X(ϕ ∨ ψ) ≡ Xϕ ∨ Xψ

Show that the following formulas are not equivalent:

Negation Normal Form

A LTL formula is in negation normal form if:

Put the following formulas in NNF:

Formalizing Properties of Systems (Examples)

I Safety (mutual exclusion invariant):

I A safety property that is not an invariant

I liveness properties describe what the program should do

1 Write LTL formulas corresponding to the following properties:

You might also like