1 Temporal Logic u Classical logic: Good for describing static conditions u Temporal logic: Adds temporal operators Describe how static conditions change over time u Two main ways to represent temporal logic: Linear time: describes single possible time line o LTL (Linear Temporal Logic): Spin Branching time: describes all possible time lines o CTL (Computation Tree Logic): SMV
2 What can you do with TL? u Use Automaton to describe system behavior Describes actions of system In terms of state sequences u Use temporal logic to describe property of state sequences u Use model checker to verify TL property Checks TL property against automaton Exhaustively checks the automaton Automatic checking
3 Basic Idea of Temporal Logic u Truth changes over time u Must say when things are true, Not just what is true u Most model checking tools do not allow quantification Use propositional TLs (PTLs)
4 Semantics of Temporal Logic u 4 basic operators: : always : sometime or eventually : next time or next step : until u Conceptual representation: Let S be a sequence of states S[ 0 ]: first state; S[ j ]: jth state S[ j.. ] sequence starting from jth state S[ j..k ] sequence from j to k U
5 More Formal Semantics u Classical Logic: S f: sequence S satisfies formula f S true: for any S S (f and g): S f and S g u Temporal Logic: S f : if for any j, S[j..] f S f : if for some j, S[j..] f Sf : if S[1..] f S f g : if for some k, S[k..] g, and for any j < k, S[ j.. ] f U
6 Example u Automaton/machine produces state sequence: abcabcabcabc… u Sequence satisfies property: (a b) and It’s always the case that a implies that the next step will be b (a a)) It’s always the case that a implies that the next step will eventually be an a. ab c
7 More Semantics of PTL u Next f: S[j] f iff S[j+1] f u Always f: S[j] f iff ( k: k j S[k] f ) u Sometime f: S[j] f iff ( k: k j S[k] f ) u f U g: S[j] f U g iff ( k: k j S[k] g ) ( l: j l k S[l] f )
8 Sample Specifications u Mutual Exclusion: ( inCsA inCsB) u Response: (wantsInA inCsA)
9 Computation Tree Logic u Most distributed, reactive systems are nondeterministic Cannot be represented by sequence of possible states or transitions Has a tree of possible computations u Can use CTL to represent these cases Computation Tree Logic
10 Kripke Structure ab bc ac s0 s2
11 CTL operator combinations
12 CTL Syntax u Basic logic, then add in… u Temporal expressions: Temporal operators are defined in pairs Path part: A: means “all paths” (inevitably) E: means “on some path” (possibly) Property part: F : same as % For some G : same as % Globally holds X : same as % neXt U : same as U
13 CTL Syntax Sample expression forms: AGp : On all paths, property p always holds EGp : On some paths, property p always holds AFp : On all paths, property p eventually holds EFp : On some path, property p eventually holds
14 Specification Patterns u Safety: bad thing never happens: AG ( bad-thing ) u Liveness: good thing eventually happens AF ( good-thing ) u Bad thing could happen: EF ( bad-thing )
15 System satisfying EFp
16 System satisfying EGp
17 System satisfying AGp
18 System satisfying AFp
19 Sample Specification Patterns u Possible to get to started state, but ready does not hold EF(started) ( ready)) u If a request occurs, then it will eventually be acknowledged AG (requested AF acknowledged) Process is enabled infinitely often on every path AG (AF enabled) u Whatever happens, a certain process will eventually be permanently deadlocked: AF (AG deadlocked) u From any state, it is possible to get to a restart state AG (AF restart)
20 Example Elevator u An elevator at the 2 nd floor traveling upward towards 5 th floor destination does not change its direction AG (floor = 2 direction = up ButtonPressed5 A [direction = up U floor
21 Tool Support u Model checkers: check that system satisfies property u Reachability analysis: describe paths of behavior of system u Each tool uses different algorithms for optimization purposes SPIN (Holzmann et al) SMV (Clarket et al) Nitpick (D. Jackson) COSPAN (Kurshan, mostly for HW) Verisoft FDR Etc.