
Formal Software Development and Verification Methods

SE Semester-V
LECTURE-5: Linear Temporal Logics-II

Mr. Waqas Ali

Department of Computer Science


University of Engineering and Technology, Lahore | New Campus

October 11, 2022 Tuesday


Outline

1 Objectives

2 Reference Books

3 Review

4 LTL Model Checking

5 System Modelling

6 Semaphore-Based Mutual Exclusion Algorithm

7 Properties of LTL Operators


Course Objective

Verified hardware and software is one of the grand challenges of computer science. As the complexity of systems increases and as computers pervade our day-to-day activities, verification of systems ranging from cell phones to medical equipment to aircraft software to secure programs has become a vibrant and important field. The field of verification is almost as old as computer science; some concepts, such as the Floyd-Hoare style of verification, are 40 years old. And yet the field has become a vibrant area of research only in the last 20 years, and has matured in this period so much that hardware verification is routinely done in industry, and software verification tools such as Microsoft's SDV (and SLAM) are at the level where they can be deployed automatically to check software. All this has been based on a few fundamental techniques and tools, which we will learn in this course.
Course Contents

Finite models and model checking: modeling using finite models, reachability algorithms; specification logics: LTL on finite words; automata-theoretic model checking algorithms, the SMV tool; description logic; dataflow analysis of programs without recursion; handling recursion: pushdown models, reachability (using games!), dataflow analysis; symbolic methods for reachability: Binary Decision Diagrams, operations on BDDs, the SMV tool; CTL and symbolic CTL model checking; mu-calculus; software verification: the Floyd-Hoare method for verifying code, invariant verification using automatic theorem provers, satisfiability solvers (SAT solvers), bounded model checking and testing; abstraction-based model checking; miscellaneous topics: decidable logics and an overview of available theorem provers, predicate abstraction and abstract interpretation, handling heaps, concurrency.
Today's Objective

1 Examples of LTL
2 LTL Operators Properties
3 LTL Model Checking Concept
Review

Semantics for ♢ and □

σ |= ♢φ iff ∃j ⩾ 0 : σ[j..] |= φ
σ |= □φ iff ∀j ⩾ 0 : σ[j..] |= φ

The statement for ♢ is immediate from the definition ♢φ = true U φ and the semantics of U.
The statement for □ follows from the definition □φ = ¬♢¬φ:

σ |= □φ iff σ |= ¬♢¬φ
        iff ¬∃j ⩾ 0 : σ[j..] |= ¬φ
        iff ¬∃j ⩾ 0 : σ[j..] ⊭ φ
        iff ∀j ⩾ 0 : σ[j..] |= φ
Semantics of Negation I

For paths, it holds that π |= φ iff π ⊭ ¬φ, since

Words(¬φ) = (2^AP)^ω \ Words(φ)

i.e. the words satisfying ¬φ are exactly the words not satisfying φ.


Semantics of Negation II

However, for transition systems the statements

TS ⊭ φ and TS |= ¬φ

are not equivalent in general. Instead, we only have

TS |= ¬φ ⇒ TS ⊭ φ

Note that

TS ⊭ φ iff Traces(TS) ⊄ Words(φ)
       iff Traces(TS) \ Words(φ) ≠ ∅
       iff Traces(TS) ∩ Words(¬φ) ≠ ∅

so TS ⊭ φ only says that some trace violates φ, not that all traces do.
Semantics of Negation III

TS satisfies neither φ nor ¬φ if there are paths π1 and π2 in TS such that

π1 |= φ and π2 |= ¬φ

(π2 refutes TS |= φ, and π1 refutes TS |= ¬φ).
Verification Languages

(Table: a selection of verification languages and their main characteristics.)
A Few More Examples of LTL (I)

p: "The moon is a satellite of the earth"
q: "The moon is rising"
r: "The moon is setting"

1 Proposition p can be viewed as timeless, since it is true in past, present, and future.
2 In contrast, the propositions q and r have a temporal aspect and refer to the implicit time condition "now".
3 Consequently, temporal logic applies to time-related universes of discourse, where behaviours and courses of events are of interest.
A Few More Examples of LTL (II)

φ1 : Fq (♢q): The moon will eventually be rising
φ2 : GFq (□♢q): The moon will be rising again and again
φ3 : G(q → Fr) (□(q → ♢r)): Moonrise leads to moonset
A Few More Examples of LTL (III)

1 The example formula φ1 is true if the moon is rising now or will be rising at some future point of time.
2 Formula φ2 exemplifies that combinations of temporal quantifiers can denote more complex time conditions, e.g., "always eventually" corresponds to the natural-language term "again and again".
3 Finally, formula φ3 is an example of a "leads-to" pattern, describing that a precondition q will always eventually result in a postcondition r.
A Few More Examples of LTL (IV)

Due to its temporal quantifiers, temporal logic is a convenient and appropriate means to reason about time-related propositions.
Classical logic can also handle temporal properties, but the formulas tend to be complicated, since points of time have to be represented explicitly in the underlying universe.
The formula φ1 may serve as an example and underpin the usefulness of temporal logics.
The easy-to-read temporal logic formula φ1 = ♢q corresponds to the following predicate logic formula:
• For all subjects x there exists a subject y such that, if x is a point of time, then y is a point of time equal to or later than x and the moon is rising at y:
∀x ∃y (Time(x) → (Time(y) ∧ y ⩾ x ∧ Rising(y)))
Temporal Logics Applied

Temporal logic is profitably applied to the following topics:
1 Formal Specification:
• Temporal logic formulas serve as precise, concise and binding descriptions of systems and components (e.g., as proposed by Lamport, Manna, and Pnueli).
2 Formal Verification:
• The rules of a temporal logic proof calculus are applied to show the correctness of a temporal logic specification with respect to more abstract system specifications.
3 Requirements Description:
• During early system design, the requirements constraining the functional system behaviour are represented by a set of temporal logic formulas.
4 Specification Checks:
• Several approaches exist which support the tool-based checking of formal system specifications with respect to temporal logic conditions (see Model Checking).
Typical Properties in Temporal Logic

The following typical properties can easily be expressed in temporal logic:
1 Termination: A formula of the form
♢terminated
can assert that each execution leads to a state where the system is terminated.
2 Live Service: Each state representing that a service request is pending will be followed by a state in which the request is served:
□(requested → ♢served)
3 Fair Message Transfer: If a message is sent often enough over a lossy channel, then it is eventually delivered:
(□♢sent) → (♢delivered)
Temporal Logic Applied to Communication Protocols

Actions:
The transition relation can be expressed as a temporal logic formula. Actions that can be performed at any moment, provided the conditions on the left-hand side of the implication are fulfilled, are described here.

Example
□(do_send → ⃝(sent ∧ ¬ready_to_send))
Sending the packet via the channel.

□(is_timeout → ⃝(timeout ∧ ¬timer ∧ ¬timer_off))
Ending the waiting time for the acknowledgement packet.


LTL: Linear Temporal Logic
time is discrete and is characterised by points
a (computation) path is an infinite sequence of states
the future is not determined (consider several paths)
the basis is a finite set of atomic propositions, like
• I have a PhD
• process 1253 is suspended
• program P is executed
Example: Traffic Light

1 If the light is red, it cannot become green immediately:

G(red ⇒ ¬X green)

2 The traffic light eventually becomes green:

F green

3 Once red, the light eventually becomes green:

G(red ⇒ F green)

4 After being red, the light stays red until it turns yellow, then stays yellow until it eventually becomes green:

G(red ⇒ X(red U (yellow ∧ X(yellow U green))))


Another Example

□((¬passport ∨ ¬ticket) ⇒ ⃝¬board_flight)
□(requested ⇒ ♢received)
□(received ⇒ ⃝processed)
□(processed ⇒ □⃝done)
Concurrent Reactive Systems

Reactive Systems: systems that interact with their environment and usually do not terminate (e.g. communication protocols, hardware circuits).
Concurrent Systems consist of a set of components that execute together.
We distinguish two types of concurrent systems:
1 Asynchronous or interleaved systems: only one component makes a step at a time.
2 Synchronous systems: all components make a step at the same time.
Modeling Systems

We need to construct a formal specification of the system which abstracts from irrelevant details.
State: a snapshot of the system that captures the values of the variables at a particular point in time.
System Transition: how the state of the system evolves as the result of some action.
Computation: an infinite sequence of states along the different transitions.
Modeling Systems with Kripke Structures

Kripke structures are transition diagrams that represent the dynamic behaviour of a reactive system.
Kripke structures consist of a set of states, a set of transitions between states, and a set of properties labelling each state.
A path in a Kripke structure represents a computation of the system.
What is Model Checking?

Process of performing model checking

The overall process of performing model checking contains many steps, some of which may require manual work.
LTL Model Checking M |= φ

M |= φ iff π |= φ for every path π of the Kripke structure M.

Important Remark
M ⊭ φ ⇏ M |= ¬φ
For example, if φ is an LTL formula and two paths π1 and π2 of M are such that π1 |= φ and π2 |= ¬φ, then M ⊭ φ (because of π2) and also M ⊭ ¬φ (because of π1).
An Example

A transition system for which TS ⊭ Fa and TS ⊭ ¬Fa (figure): some path never reaches an a-state, while another path does.


Semaphore-Based Mutual Exclusion Algorithm

(Figures: the algorithm and its transition system.)
Properties for the Mutual Exclusion Problem

Two concurrent processes P1 and P2

Process Pi is modeled by three locations:
1 The noncritical section
2 The waiting phase, which is entered when the process intends to enter the critical section
3 The critical section

Atomic propositions:
1 wait_i and crit_i denote that process Pi is in its waiting phase and critical section, respectively
2 noncrit_i denotes that process Pi is in its noncritical section
Safety Property

1 The safety property stating that
• P1 and P2 never simultaneously have access to their critical sections
2 can be described by the LTL formula:

□(¬crit1 ∨ ¬crit2)

This formula expresses that always (□) at least one of the two processes is not in its critical section (¬crit_i).
Liveness Property

1 The liveness property stating that each process
• Pi is infinitely often in its critical section
2 is described by the LTL formula:

(□♢crit1) ∧ (□♢crit2)
Starvation Freedom

1 Starvation freedom:
• Every waiting process will eventually enter its critical section
2 This can, using the additional proposition wait_i, be formulated as follows:

(□♢wait1 → □♢crit1) ∧ (□♢wait2 → □♢crit2)


How to specify mutual exclusion?

Always at most one process is in its critical section.

1 Let AP = {crit1, crit2}
• other atomic propositions are not of any relevance for this property
2 Formalization as LT property:
P_mutex = set of infinite words A0 A1 A2 ... with {crit1, crit2} ⊄ A_i for all i ⩾ 0
3 Contained in P_mutex are, e.g., the infinite words:
{crit1}{crit2}{crit1}{crit2}{crit1}{crit2}...
∅∅∅∅...
• this does not apply to words of the form:
{crit1}∅{crit1, crit2}...

Does the semaphore-based algorithm satisfy P_mutex?
Semaphore: the mutual exclusion problem

For the mutual exclusion problem using a binary semaphore y, the formula

□((y = 0) → crit1 ∨ crit2)

states that whenever the semaphore y has the value 0, one of the processes is in its critical section.
How to specify starvation freedom?

A process that wants to enter the critical section is eventually able to do so.

1 Let AP = {wait1, crit1, wait2, crit2}
2 Formalization as LT property:

P_nostarve = set of infinite words A0 A1 A2 ... such that

(∃^∞ j. wait_i ∈ A_j) ⇒ (∃^∞ j. crit_i ∈ A_j) for each i ∈ {1, 2}

where ∃^∞ stands for "there are infinitely many".

Does the semaphore-based algorithm satisfy P_nostarve? NO.

The Trace

∅ {wait2} {wait1, wait2} {crit1, wait2} {wait2} {wait1, wait2} {crit1, wait2} ...

is a possible trace of the transition system but not in P_nostarve: from the second state on, P2 is waiting in every state, yet it never enters its critical section.
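The semaphore-based algorithm, P_mutex and the starving trace above, as an added example that is not part of the lecture slides: the program below is my own encoding of the two processes (locations noncrit, wait, crit; binary semaphore y) as an interleaved transition system. It checks the safety properties □(¬crit1 ∨ ¬crit2) and □((y = 0) → crit1 ∨ crit2) by exhaustive reachability, and then searches for a lasso in which P2 waits forever, which is exactly the kind of trace that puts TS_sem outside P_nostarve. The tuple encoding of states and the search routines are my own; only the locations, the semaphore guard and the proposition names come from the slides.

```python
# Added example (not from the lecture): the semaphore-based mutual exclusion
# algorithm of the slides as an explicit-state, interleaved transition system,
# checked by reachability. Location and proposition names follow the slides;
# the tuple encoding of states and the search routines are my own.
from collections import deque

NONCRIT, WAIT, CRIT = "noncrit", "wait", "crit"
INITIAL = (NONCRIT, NONCRIT, 1)   # (location of P1, location of P2, semaphore y)

def step_process(loc, y):
    """Local moves of one process; the guard y > 0 is the semaphore acquire."""
    if loc == NONCRIT:
        return [(WAIT, y)]                        # request: enter the waiting phase
    if loc == WAIT:
        return [(CRIT, y - 1)] if y > 0 else []   # acquire: y := y - 1, blocked if y = 0
    return [(NONCRIT, y + 1)]                     # release: y := y + 1

def successors(state):
    """Asynchronous (interleaved) composition: exactly one process moves per step."""
    l1, l2, y = state
    return ([(nl, l2, ny) for nl, ny in step_process(l1, y)] +
            [(l1, nl, ny) for nl, ny in step_process(l2, y)])

def labels(state):
    """Propositions from AP = {wait1, crit1, wait2, crit2} that hold in a state."""
    l1, l2, _ = state
    return {p for p in (l1 + "1", l2 + "2") if not p.startswith(NONCRIT)}

def reachable(initial=INITIAL):
    """BFS over the state space; returns {reachable state: list of successors}."""
    edges, seen, todo = {}, {initial}, deque([initial])
    while todo:
        s = todo.popleft()
        edges[s] = successors(s)
        for t in edges[s]:
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return edges

def is_run(states):
    """True iff each consecutive pair of states is a transition of the system."""
    return all(t in successors(s) for s, t in zip(states, states[1:]))

def holds_invariant(pred):
    """TS |= G pred  iff  pred holds in every reachable state (safety by reachability)."""
    return all(pred(s) for s in reachable())

def mutex_holds():
    """G(not crit1 or not crit2): the two processes are never critical together."""
    return holds_invariant(lambda s: not {"crit1", "crit2"} <= labels(s))

def semaphore_invariant_holds():
    """G((y = 0) -> crit1 or crit2): a taken semaphore means some process is critical."""
    return holds_invariant(lambda s: s[2] != 0 or bool(labels(s) & {"crit1", "crit2"}))

def shortest_path(edges, src, dst, allowed=None):
    """BFS path src -> dst as the states after src (dst last), optionally restricted
    to `allowed`; None if none exists. With src == dst this yields a cycle through src."""
    parent, todo = {src: None}, deque([src])
    while todo:
        s = todo.popleft()
        for t in edges[s]:
            if allowed is not None and t not in allowed:
                continue
            if t == dst:
                path = [t]
                while s != src:
                    path.append(s)
                    s = parent[s]
                return path[::-1]
            if t not in parent:
                parent[t] = s
                todo.append(t)
    return None

def starvation_counterexample(i=2):
    """A lasso prefix . cycle^omega on which P_i waits forever, i.e. a run with
    G F wait_i but not G F crit_i. Returned as two lists of label sets, or None."""
    edges = reachable()
    waiting = {s for s in edges if "wait%d" % i in labels(s)}
    for s in sorted(waiting):
        # A cycle that stays inside the waiting states is a run where P_i never moves.
        cycle = shortest_path(edges, s, s, allowed=waiting)
        if cycle is not None:
            prefix = [INITIAL] + shortest_path(edges, INITIAL, s)
            return [labels(x) for x in prefix], [labels(x) for x in cycle]
    return None

if __name__ == "__main__":
    fmt = lambda run: " ".join("{" + ",".join(sorted(a)) + "}" for a in run)
    print("reachable states:", len(reachable()))
    print("mutex:", mutex_holds(), "| semaphore invariant:", semaphore_invariant_holds())
    prefix, cycle = starvation_counterexample(2)
    print("P2 starves on:", fmt(prefix), "(", fmt(cycle), ")^w")
```

Run as a script it reports 8 reachable states, both invariants true, and the starving lasso. The cycle it finds is {wait2}{wait1, wait2}{crit1, wait2}, the same loop as in the trace above (only the prefix differs, because the search returns the shortest path to the cycle). A mutex violation would show up as a reachable state labelled with both crit1 and crit2; the check confirms no such state exists.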
Transition System TS_sem

1 The LTL formula for the mutual exclusion property holds:

TS_sem |= □(¬crit1 ∨ ¬crit2)

2 The LTL formula for the fact that at least one of the two processes enters its critical section infinitely often also holds:

TS_sem |= □♢crit1 ∨ □♢crit2

3 In the absence of any fairness assumption, it is not ensured that process P1 gets its turn infinitely often; it may never be able to acquire access to its critical section at all. Hence

TS_sem ⊭ □♢crit1 ∧ □♢crit2

4 The same argument shows that

TS_sem ⊭ □♢wait1 → □♢crit1

as in principle process P1 may never get its turn once it starts to wait.
Model Checking: M ⊭ φ ⇏ M |= ¬φ (!!!)

Example: M ⊭ φ ⇏ M |= ¬φ (!!!)

Consider the Kripke structure M of the figure: the initial state s0 is labelled p, q; its successor s1 is labelled ¬p, ¬q and its successor s2 is labelled p, ¬q, and each of s1 and s2 loops to itself. Let

π1 := s0 s1^ω
π2 := s0 s2^ω

M ⊭ Gp, in fact:
1 π1 ⊭ Gp
2 π2 |= Gp

M ⊭ ¬Gp, in fact:
1 π1 |= ¬Gp
2 π2 ⊭ ¬Gp
Syntactic Properties of LTL Operators

φ1 ∨ φ2 ⇔ ¬(¬φ1 ∧ ¬φ2 )
...
Fφ1 ⇔ ⊤Uφ1
Gφ1 ⇔ ⊥ Rφ1
Fφ1 ⇔ ¬G¬φ1
Gφ1 ⇔ ¬F¬φ1
¬Xφ1 ⇔ X¬φ1
φ1 Rφ2 ⇔ ¬(¬φ1 U¬φ2 )
NOTE
LTL can be defined in terms of ∧, ¬, X, U only
Equivalence of LTL Formulae

LTL formulae φ1 , φ2 are equivalent, denoted

φ1 ≡ φ2

if
W ords(φ1 ) = W ords(φ2 )
Duality Law:

¬⃝φ ≡ ⃝¬φ
¬♢φ ≡ □¬φ
¬□φ ≡ ♢¬φ
Idempotency Law:

♢♢φ ≡ ♢φ
□□φ ≡ □φ
φU (φU ψ) ≡ φU ψ
(φU ψ)U ψ ≡ φU ψ
Absorption Law:

♢□♢φ ≡ □♢φ
□♢□φ ≡ ♢□φ
Expansion Law

1 The expansion laws play an important role.
2 They describe the temporal modalities U, F and G by means of a recursive equivalence.
3 These equivalences all have the same global structure:
• they assert something about the current state, and something about the direct successor state;
• the assertion about the current state is made without temporal modalities, whereas the assertion about the next state uses the ⃝ operator.
Expansion Law:

φ U ψ ≡ ψ ∨ (φ ∧ ⃝(φ U ψ))
♢ψ ≡ ψ ∨ ⃝♢ψ
□ψ ≡ ψ ∧ ⃝□ψ
Distributive Law:

⃝(φ U ψ) ≡ (⃝φ) U (⃝ψ)
♢(φ ∨ ψ) ≡ ♢φ ∨ ♢ψ
□(φ ∧ ψ) ≡ □φ ∧ □ψ
Distributive Laws

The distributive laws for F and ∨, and for G and ∧, are dual to each other. Note that F does not distribute over ∧, and G does not distribute over ∨:

F(a ∧ b) ≢ Fa ∧ Fb

and

G(a ∨ b) ≢ Ga ∨ Gb
Example

A transition system with TS ⊭ F(a ∧ b) and TS |= Fa ∧ Fb (figure): along every path both a and b occur, but on some path never in the same state.
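An evaluator for LTL on lasso-shaped (ultimately periodic) words, as an added example that is my own code and not part of the lecture. It implements the semantics of ⃝, U, ♢ and □ from the review at the start of this lecture, so it can check π |= φ for the two paths of the Kripke example (M ⊭ Gp and yet M ⊭ ¬Gp) and test the equivalence laws of this section, including the non-equivalence F(a ∧ b) ≢ Fa ∧ Fb, by enumerating every short lasso word over a given AP. The encoding of formulas as nested tuples, the Lasso class and the enumeration are my own conventions; the enumeration is a bounded check over words with at most three stored positions, which can refute an equivalence but does not prove one.

```python
# Added example (not from the lecture): an evaluator for LTL over lasso-shaped
# words  A0 ... A(l-1) (A(l) ... A(n-1))^omega, used to check the semantics and the
# equivalence laws from the slides on concrete words. The tuple encoding of formulas,
# the Lasso class and the bounded equivalence check are my own conventions.
from itertools import combinations, product

TRUE = ("true",)
FALSE = ("not", TRUE)

class Lasso:
    """w = prefix . loop^omega: one list of label sets plus the index where the loop starts."""
    def __init__(self, sets, loop_start):
        assert 0 <= loop_start < len(sets)
        self.sets = [frozenset(s) for s in sets]
        self.loop = loop_start

    def next(self, k):
        """Index of position k+1 of the infinite word (wraps back into the loop)."""
        return k + 1 if k + 1 < len(self.sets) else self.loop

    def future(self, k):
        """Indices of the positions >= k in visiting order, each listed once; the
        suffix w[k..] is these positions followed by repetitions of the loop."""
        n = len(self.sets)
        return list(range(k, n)) + (list(range(self.loop, k)) if k >= self.loop else [])

    def __repr__(self):
        body = ["{" + ",".join(sorted(s)) + "}" for s in self.sets]
        return "".join(body[:self.loop]) + "(" + "".join(body[self.loop:]) + ")^w"

def holds(w, f, k=0):
    """w[k..] |= f, by structural recursion on f (the semantics from the slides)."""
    op = f[0]
    if op == "true": return True
    if op == "ap":   return f[1] in w.sets[k]
    if op == "not":  return not holds(w, f[1], k)
    if op == "and":  return holds(w, f[1], k) and holds(w, f[2], k)
    if op == "or":   return holds(w, f[1], k) or holds(w, f[2], k)
    if op == "X":    return holds(w, f[1], w.next(k))
    if op == "F":    return any(holds(w, f[1], j) for j in w.future(k))   # exists j >= k
    if op == "G":    return all(holds(w, f[1], j) for j in w.future(k))   # for all j >= k
    if op == "U":    # phi U psi: psi at some j >= k and phi at every position before it
        for j in w.future(k):
            if holds(w, f[2], j):
                return True
            if not holds(w, f[1], j):
                return False
        return False
    if op == "R":    # phi R psi == not(not phi U not psi)
        return not holds(w, ("U", ("not", f[1]), ("not", f[2])), k)
    raise ValueError("unknown operator %r" % op)

def model_satisfies(paths, f):
    """M |= f iff every path of M satisfies f (paths given as lasso words)."""
    return all(holds(w, f) for w in paths)

def lasso_words(ap, max_len=3):
    """Every lasso word over AP with at most max_len stored positions (exhaustive)."""
    letters = [frozenset(c) for r in range(len(ap) + 1) for c in combinations(ap, r)]
    for n in range(1, max_len + 1):
        for sets in product(letters, repeat=n):
            for loop in range(n):
                yield Lasso(sets, loop)

def counterexample(f, g, ap, max_len=3):
    """A lasso word on which f and g disagree, or None. Agreement on all enumerated
    words is a bounded check of Words(f) = Words(g), not a proof."""
    for w in lasso_words(ap, max_len):
        if holds(w, f) != holds(w, g):
            return w
    return None

def equivalent(f, g, ap, max_len=3):
    return counterexample(f, g, ap, max_len) is None

if __name__ == "__main__":
    a, b, p = ("ap", "a"), ("ap", "b"), ("ap", "p")
    aUb = ("U", a, b)
    laws = {  # name -> (lhs, rhs, AP)
        "duality    ~X a == X ~a":           (("not", ("X", a)), ("X", ("not", a)), ["a"]),
        "duality    ~F a == G ~a":           (("not", ("F", a)), ("G", ("not", a)), ["a"]),
        "expansion  a U b == b | (a & X(a U b))": (aUb, ("or", b, ("and", a, ("X", aUb))), ["a", "b"]),
        "expansion  G a == a & X G a":       (("G", a), ("and", a, ("X", ("G", a))), ["a"]),
        "absorption F G F a == G F a":       (("F", ("G", ("F", a))), ("G", ("F", a)), ["a"]),
        "F a == true U a":                   (("F", a), ("U", TRUE, a), ["a"]),
        "G a == false R a":                  (("G", a), ("R", FALSE, a), ["a"]),
        "NOT a law: F(a & b) == F a & F b":  (("F", ("and", a, b)), ("and", ("F", a), ("F", b)), ["a", "b"]),
    }
    for name, (lhs, rhs, ap) in laws.items():
        print("%-42s counterexample: %s" % (name, counterexample(lhs, rhs, ap)))
    # Kripke example: s0 |= p,q ; s1 |= ~p,~q ; s2 |= p,~q ; pi1 = s0 s1^w, pi2 = s0 s2^w
    pi1, pi2 = Lasso([{"p", "q"}, set()], 1), Lasso([{"p", "q"}, {"p"}], 1)
    print("M |= G p:", model_satisfies([pi1, pi2], ("G", p)),
          "| M |= ~G p:", model_satisfies([pi1, pi2], ("not", ("G", p))))
```

Run as a script it prints None for the duality, expansion, absorption and distributive-style laws and a word such as ({a}{b})^ω for F(a ∧ b) against Fa ∧ Fb: both a and b occur on it, but never in the same position. The last line shows the remark from the Kripke example, M |= Gp and M |= ¬Gp both False, because π1 refutes the first and π2 the second.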


Precedence Orders
1 The unary operators bind stronger than the binary ones.
2 ¬ and ⃝ bind equally strong.
3 The temporal operator U takes precedence over ∧, ∨, and
→.
4 Operator U is right-associative

Example
φ1 Uφ2 Uφ3 stands for φ1 U(φ2 Uφ3 ).
Connectives and Temporal Operators

(Table: connectives and temporal operators.)

References

1 Christel Baier and Joost-Pieter Katoen, Principles of Model Checking, MIT Press, 2008.
2 Luca Aceto et al., Reactive Systems: Modelling, Specification and Verification, Cambridge University Press, 2007.
3 Slides on Modelling, Specification and Verification of Reactive Systems.
4 Slides by Daniel Shahaf on Temporal Logics I: Theory.

After all... tomorrow is another day.
(Scarlett O'Hara, "Gone with the Wind")
