6/12/20161 a.a.2015/2016 Prof. Anna Labella Formal Methods in software development
6/12/ Specification, verification and logics A framework for modelling systems A specification language for describing properties to be verified A verification method to ascertain whether the description of the system satisfies the properties [H-R ch.3]
6/12/ Possibilities Proof-based Degree of automation Full A priori Model based One property A posteriori
6/12/ Model Checking automatic Based on a builded model Verifying satisfiability of properties A posteriori provides a counterexample Concurrent systems Reactive systems Temporal aspects
6/12/ Γ |-- φ Γ |= φ M |= φ We are dealing with
6/12/ Γ |-- φ Γ |= φ M |= φ We are dealing with
6/12/ Γ |-- φ Γ |= φ M |= φ We are dealing with
6/12/ Temporal logic Let us want to express the following properties If a file is requested to be printed, eventually it will be printed After an amount a of time, x will begin to work x ((file(x) requested(x)) y (y≥a print(x,y)) y (y≥a works(x)) The constant a as well as the variable y, of type “time”
6/12/ One could use typed variables and first order logic making a distinction between temporal and dominion references Or one can use modal operators Temporal logic x ((file(x) requested(x)) F print(x)) G works(x)) F means eventually G means always
6/12/ Some hypotheses on temporal structure Discrete/ Continuous Linear / Branching
6/12/ Linear time temporal logic: LTL (syntax) ::=T | | p | ( ) | ( ) | ( ) | ( ) | (X ) | (F ) | (G ) | (X ) | ( U ) | ( W ) F “eventually” G “always” X “next step” U “until” W “until possibly”
6/12/ LTL: semantics Operators not connectives
6/12/ LTL: semantics Satisfiability: We are dealing with a path intended as an infinite series of states M, s |= if the path starting from s satisfys States or paths? States are starting points of paths suffixes of paths are still paths
6/12/ Semantics |= O-----O-----O-----O-----O , ’ …
6/12/ Semantics of G and F Semantics of G: |= G p Semantics of F: |= F p O-----O-----O-----O-----O p p p p p O-----O-----O-----O-----O p
6/12/ Semantics a modal formula can be true or false in a path in this trace: O-----O-----O-----O-----O------….. pq p¬q p¬q pq pq … p ∨ ¬q true: is true in the first state of the trace X¬q true, because q is false in the second state XXq false, because q is false in the third state Gp true, because p is true in all states Gq false, because q is not true in all states (it is true only in some states )
6/12/ Semantics in the same trace: O-----O-----O-----O-----O------….. pq p¬q p¬q pq pq … GFq true: for all states of the sequence, there is some future point where q is true pU¬q true: p is true until ¬q becomes true; (in the first state p is true, then ¬q becomes true) X(pU¬q) false: in the next state, q is false but p not (yet) true qUXXq true: in the first state q is true, in the second state XXq is true (because y is true two states later) G(pUXXq) not straightforward to check: all states have to be checked for qUXXq in turn, check XXq in all states
6/12/ Semantics of X and U Semantics of X: |= X p Semantics of U: |= p U q 1 |= p1 |= p j |= p j |= p i |= q i |= q
LTL: equivalences
6/12/ LTL: what does hold (exercises) G ( ) (G G ) G F G X X F G F X( ) ≅ X X
6/12/ LTL: reductions (transitivity on paths) G GG while GG G is always valid
6/12/ LTL An internal induction rule w.r.t. time X G( X ) ( G )
6/12/ LTL: definability F ≅ T U “eventually” G ≅ W “always” U ≅ ( W ) (F ) “until” W ≅ ( U ) (G ) “until possibly”
6/12/ LTL “ next ” operator
6/12/ LTL: what is expressible
6/12/ LTL: what is expressible
LTL: what is not expressible 6/12/
6/12/ LTL Characterising linear time , G (( G ) (G )) (G G ) Lefthand holds, righthand does not
6/12/ Linear time and Branching time Linear : only one possible future in a moment –Look at individual computations Branching: may split to different courses depending on possible futures –Look at the tree of computations s0 s1 s3 s0 s2 s0 s1... s0s2s3s1... s0 s1s0... s0 s1... s0 s2 s3 s1
6/12/ Semantics: transition systems LTS: Automata without terminal states Kripke structures S S Abstract models: states and transitions
6/12/ Computation Trees: labelled TS State transition structure (Kripke Model) Infinite computation tree for initial state s 1 a b a ac s1s1 s3s3 s1s1 s2s2 a b
6/12/ Operators and Quantifiers State operators –G a :a holds globally –F a :a holds eventually –X a :a holds at the next state –a U b:a holds until b holds –a W b:a holds until b possibly holds –Path quantifiers –E: along at least one path (there exists …) –A:along all paths (for all …)
6/12/ CTL Temporal operators must be immediately preceded by a path quantifier
6/12/ Typical CTL Formulas E F ( start ¬ ready ) –eventually a state is reached where start holds and ready does not hold A G ( req A F ack ) –any time request occurs, it will be eventually acknowledged A G ( E F restart ) –from any state it is possible to get to the restart state
6/12/ CTL semantics E X (f) –true in state s if f is true in some successor of s (there exists a next state of s for which f holds) A X (f) –true in state s if f is true for all successors of s (for all next states of s f is true) E G (f) – true in s if f holds in every state along some path emanating from s (there exists a path ….) A G (f) –true in s if f holds in every state along all paths emanating from s (for all paths ….globally )
6/12/ Basic CTL Formulas - cont ’d E F (g) –there exists a path which eventually contains a state in which g is true A F (g) –for all paths, eventually there is state in which g holds E F, A F are special case of E [f U g], A [f U g] –E F (g) = E [ true U g ], A F (g) = A [ true U g ] f U g (f until g) –true if there is a state in the path where g holds, and at every previous state f holds
6/12/ CTL Operators - examples s o |= E F g g soso soso g g g s o |= A F g s o |= E G g gsoso g g s o |= A G g soso g g g g gg
6/12/ Minimal set of CTL Formulas Full set of operators –Boolean: ¬, , , , –temporal:E, A, X, F, G, U, W Minimal set sufficient to express any CTL formula –Boolean:¬, –temporal:E, X, U Examples: f g = ¬(¬f ¬g), F f = true U f, A (f ) = ¬E(¬f )