Formal Methods in software development a.y.2017/2018 Prof. Anna Labella 1/17/2019

LTL: what is expressible Safety properties G ¬  Liveness properties GF or G(F) 1/17/2019

LTS: Automata without terminal states Semantics: transition systems Abstract models: states and transitions LTS: Automata without terminal states Kripke structures ®  S  S 1/17/2019

LTL Characterising linear time G ((G )  (G))  (GG) ,   --------  -------- Lefthand holds, righthand does not 1/17/2019

LTL: what is expressible 1/17/2019

LTL: what is not expressible 1/17/2019

Infinite computation tree for initial state s1 Computation Trees: labelled TS a b ac s1 s3 s1 s2 a b ac State transition structure (Kripke Model) Infinite computation tree for initial state s1 1/17/2019

Linear time and Branching time Linear: only one possible future in a moment Look at individual computations Branching: may split to different courses depending on possible futures Look at the tree of computations s0 s2 s3 s1 s0 s1 s3 s2 ... s0 s2 s3 s1 ... 1/17/2019

Operators and Quantifiers State operators G f : f holds globally F f : f holds eventually X f : f holds at the next state f U y : f holds until y holds f W y : f holds until y possibly holds Path quantifiers E: along at least one path (there exists …) A: along all paths (for all …) 1/17/2019

CTL characterisation Temporal operators must be immediately preceded by a path quantifier 1/17/2019

Typical CTL Formulas E F ( start  ¬ ready ) A G ( req  A F ack ) eventually a state is reached where start holds and ready does not hold A G ( req  A F ack ) any time request occurs, it will be eventually acknowledged A G ( E F restart ) from any state it is possible to get to the restart state 1/17/2019

CTL semantics E X (f) A X (f) E G (f) A G (f) true in state s if f is true in some successor of s (there exists a next state of s for which f holds) A X (f) true in state s if f is true for all successors of s (for all next states of s f is true) E G (f) true in s if f holds in every state along some path emanating from s (there exists a path ….) A G (f) true in s if f holds in every state along all paths emanating from s (for all paths ….globally ) 1/17/2019

E F, A F are special cases of E [f Uy], A [f Uy] E F (y) there exists a path which eventually contains a state in which y is true A F (y) for all paths, eventually there is state in which y holds E F (f U y) there exists a path where (f U y) is true A F (f U y) for all paths (f U y) is true E F, A F are special cases of E [f Uy], A [f Uy] E F (y) = E [ true U y ], A F (y) = A [ true U y ] 1/17/2019

CTL Operators - examples so |= E F y y so so y so |= A F y y so |= E G y y so so |= A G y so y y 1/17/2019

Minimal set of CTL Formulas Full set of operators Boolean: ¬, , , ,  temporal: E, A, X, F, G, U, W Minimal set sufficient to express any CTL formula Boolean: ¬,  temporal: E, X, U Examples: f  y = ¬(¬f  ¬y), F f = true U f , A (f ) = ¬E(¬f ) 1/17/2019

CTL* – Computation Tree Logic Path quantifiers - describe branching structure of the tree A (for all computation paths) E (for some computation path = there exists a path) Temporal operators - describe properties of a path through the tree X (next time, next state) F (eventually, finally) G (always, globally) U (until) W (weak until) 1/17/2019

CTL* Formulas Temporal logic formulas are evaluated w.r.to a state in the model State formulas apply to a specific state Path formulas apply to all states along a specific path 1/17/2019

CTL* Syntax An atomic proposition p is a state formula A state formula is also a path formula If f, y are state formulae, so are ¬f, fy, fy, If a is a path formula, E a is a state formula If a, b are path formulae, so are ¬a, ab , ab If a, b are path formulae, so are X a, aUb 1/17/2019

Summing up (CTL*) 1/17/2019

CTL* Semantics If formula f holds at state s (path ), we write: s |= f ( |= a) s |= p, p is an atomic formula, iff p  L(s) [label of s] s |= ¬ f, iff s |≠ f s |= f y, iff s |= f and s |= y s |= E f, iff   from state s, s.t.  |= f  |= ¬ a, iff  |≠ a  |= a b, iff  |= a and  |= b  |= X a, iff 1 |= a (a reachable in next state)  |= a U b, iff  |= a until  |= b 1/17/2019

CTL – Computational Tree Logic CTL* - a powerful branching-time temporal logic CTL – a branching-time fragment of CTL* In CTL every temporal operator (G,F,X,U,W) must be immediately preceded by a path quantifier (A,E) We need both state formulae and path formulae to recursively define the logic 1/17/2019

More expressivity in CTL than in LTL? Quantifying on paths In LTL formulas are always quantified through A 1/17/2019

LTL: blocks of operators must be thought as preceded by A always Linear time operators. The following are a complete set ¬f , fy , Xf, f U y Others can be derived f  y  ¬(¬f  ¬y) f y  ¬f y F f  (true U f) G f (f U false) 1/17/2019

CTL: what is expressible? 1 1/17/2019

CTL: what is expressible? 2 1/17/2019

Expressivity of LTL and CTL Safety G ( c1 c2) Liveness G (ti Fci) Safety AG ( c1 c2) Liveness AG (ti AFci) 1/17/2019

LTL and CTL LTL (Linear Temporal Logic) - Reasoning about infinite sequence of states π: s0, s1, s2, … CTL (Computation Tree Logic) – Reasoning on a computation tree. Temporal operators are immediately preceded by a path quantifier (e.g. A F p ) CTL vs. LTL – different expressive power EFp is not expressible in LTL FGp is not expressible in CTL 1/17/2019

Comparing logics 1/17/2019

Comparing logics 1/17/2019

Exercises 1/17/2019

Exercises 1/17/2019

LTL: what does hold (exercises) G ()  (G  G ) G   F  G  X X  F G  F X() ≅ X X 1/17/2019