Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIS 842: Specification and Verification of Reactive Systems

Published byDora Hopkins Modified over 5 years ago

Similar presentations

Presentation on theme: "CIS 842: Specification and Verification of Reactive Systems"— Presentation transcript:

1 CIS 842: Specification and Verification of Reactive Systems
Lecture SPIN-Temporal-Logic: Introduction to Temporal Logic Copyright , Matt Dwyer, John Hatcliff, Robby. The syllabus and all lectures for this course are copyrighted materials and may not be used in other course settings outside of Kansas State University in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders.

2 Objectives Understand why temporal logic can be a useful formalism for specifying properties of concurrent/reactive systems. Understand the intuition behind Computation Tree Logic (CTL) – the specification logic used e.g., in the well-known SMV model-checker. Be able to confidently apply Linear Temporal Logic (LTL) – the specification logic used in e.g., SPIN – to specify simple properties of systems. Understand the formal semantics of LTL.

3 Outline CTL by example LTL by example
Checking LTL specifications with SPIN LTL – formal definition Common properties to be stated for concurrent systems and how they can be specified using LTL

4 Reasoning about Executions
0.1 0.2 0.3 1.1 0.4 2.1 1.2 2.2 1.3 We want to reason about execution trees tree node = snap shot of the program’s state Reasoning consists of two layers defining predicates on the program states (control points, variable values) expressing temporal relationships between those predicates

5 Why Use Temporal Logic? Requirements of concurrent, distributed, and reactive systems are often phrased as constraints on sequences of events or states or constraints on execution paths. Temporal logic provides a formal, expressive, and compact notation for realizing such requirements. The temporal logics we consider are also strongly tied to various computational frameworks (e.g., automata theory) which provides a foundation for building verification tools.

6 Computational Tree Logic (CTL)
Syntax F ::= P …primitive propositions | !F | F && F | F || F | F -> F …propositional connectives | AG F | EG F | AF F | EF F …temporal operators | AX F | EX F | A[F U F] | E[F U F]

7 Computational Tree Logic (CTL)
Syntax F ::= P …primitive propositions | !F | F && F | F || F | F -> F …propositional connectives | AG F | EG F | AF F | EF F …temporal operators | AX F | EX F | A[F U F] | E[F U F] Semantic Intuition path quantifier AG p …along All paths p holds Globally temporal operator EG p …there Exists a path where p holds Globally AF p …along All paths p holds at some state in the Future EF p …there Exists a path where p holds at some state in the Future

8 Computational Tree Logic (CTL)
Syntax F ::= P …primitive propositions | !F | F && F | F || F | F -> F …propositional connectives | AG F | EG F | AF F | EF F …temporal operators | AX F | EX F | A[F U F] | E[F U F] Semantic Intuition AX p …along All paths, p holds in the neXt state EX p …there Exists a path where p holds in the neXt state A[p U q] …along All paths, p holds Until q holds E[p U q] …there Exists a path where p holds Until q holds

9 Computation Tree Logic
AG p p

10 Computation Tree Logic
EG p p

11 Computation Tree Logic
AF p p

12 Computation Tree Logic
EF p p

13 Computation Tree Logic
AX p p

14 Computation Tree Logic
EX p p

15 Computation Tree Logic
A[p U q] p q

16 Computation Tree Logic
E[p U q] p q

17 Example CTL Specifications
For any state, a request (e.g., for some resource) will eventually be acknowledged AG(requested -> AF acknowledged)

18 Example CTL Specifications
From any state, it is possible to get to a restart state AG(EF restart)

19 Example CTL Specifications
An upwards travelling elevator at the second floor does not changes its direction when it has passengers waiting to go to the fifth floor AG((floor=2 && direction=up && button5pressed) -> A[direction=up U floor=5])

20 Semantics for CTL (excerpts)
For pAP: s |= p  p  L(s) s |= p  p  L(s) s |= f  g  s |= f and s |= g s |= f  g  s |= f or s |= g s |= EXf  =s0s1... from s: s1 |= f s |= E(f U g)  =s0s1... from s j0 [ sj |= g and i : 0 i j [si |= f ] ] s |= EGf  =s0s1... from s i  0: si |= f Source: Orna Grumberg

21 CTL Notes Invented by E. Clarke and E. A. Emerson (early 1980’s)
Specification language for Symbolic Model Verifier (SMV) model-checker SMV is a symbolic model-checker instead of an explicit-state model-checker Symbolic model-checking uses Binary Decision Diagrams (BDDs) to represent boolean functions (both transition system and specification

22 Linear Time Logic Restrict path quantification to “ALL” (no “EXISTS”)

23 Linear Time Logic Restrict path quantification to “ALL” (no “EXISTS”)
Reason in terms of branching traces instead of branching trees

24 Linear Time Logic (LTL)
Syntax F ::= P …primitive propositions | !F | F && F | F || F | F -> F …propositional connectives | []F | <>F | F U F | X F …temporal operators Semantic Intuition F []F …always F F <>F …eventually F F G F U G …F until G

25 Linear Time Logic []<>p p
“Along all paths, it must be the case that globally (I.e., in each state we come to) eventually p will hold” Expresses a form of fairness p must occur infinitely often along the path To check F under the assumption of fair traces, check []<>p -> F

26 Linear Time Logic <>[]p p p p p p p p p
“Along all paths, eventually it is the case that p holds at each state)” (i.e., “eventually permanently p”) “Any path contains only finitely many !p states”

27 = Linear Time Logic p W q []p || (p U q) p p p q p p p p p p p p p p q
“p unless q”, or “p waiting for q”, or “p weak-until q”

28 Checking LTL Specs in SPIN
Define the predicates/propositions using #define in sys.prom file (using lowercase letters to begin predicate names) e.g., #define bigx x > 1000 Formalize requirement as an LTL formula e.g. “eventually x is greater than 1000” becomes <>(bigx) Put the negation of the desired LTL property in file req.ltl e.g., (!<>(bigx)) Run SPIN to create a verifier based on the property spin –a –F req.ltl sys.prom Compile gcc –o pan.exe pan.c Run with command-line option (-a) specifying that a liveness property is being checked pan.exe –a Display error trail spin –t sys.prom

29 Semantics for LTL Semantics of LTL is given with respect to a (usually infinite) path or trace  = s1 s2 s3 … We write i for the suffix starting at si, e.g., 3 = s3 s4 s5 … A system satisfies an LTL formula f if each path through the system satisfies f.

30 Semantics of LTL For pAP:  |= p  p  L(s1)  |= p  p  L(s1)
 |= f  g   |= f and  |= g  |= f  g   |= f or  |= g  |= Xf  2 |= f  |= <>f  i >= 1. i |= f  |= []f  i >= 1. i |= f  |= (f U g)  i >= 1. i |= g and j : 1  j  i-1. j |= f

31 LTL Notes Invented by Prior (1960’s), and first use to reason about concurrent systems by A. Pnueli, Z. Manna, etc. LTL model-checkers are usually explicit-state checkers due to connection between LTL and automata theory Most popular LTL-based checker is SPIN (G. Holzman)

32 Comparing LTL and CTL CTL* CTL LTL CTL is not strictly more expression than LTL (and vice versa) CTL* invented by Emerson and Halpern in 1986 to unify CTL and LTL We believe that almost all properties that one wants to express about software lie in intersection of LTL and CTL

Download ppt "CIS 842: Specification and Verification of Reactive Systems"

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.

François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
卜磊 Transition System. Part I: Introduction  Chapter 0: Preliminaries  Chapter 1: Language and Computation Part II: Models  Chapter.

卜磊 Transition System. Part I: Introduction  Chapter 0: Preliminaries  Chapter 1: Language and Computation Part II: Models  Chapter.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.
1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.

1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.
© Katz, 2007CS236368 Formal SpecificationsLecture - Temporal logic 1 Temporal Logic Formal Specifications CS236368 Shmuel Katz The Technion.

© Katz, 2007CS Formal SpecificationsLecture - Temporal logic 1 Temporal Logic Formal Specifications CS Shmuel Katz The Technion.
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.

Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.
Witness and Counterexample Li Tan Oct. 15, 2002.

Witness and Counterexample Li Tan Oct. 15, 2002.
Review of the automata-theoretic approach to model-checking.

Review of the automata-theoretic approach to model-checking.

Similar presentations

Ads by Google