Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Temporal logic. 2 Prop. logic: model and reason about static situations. Example: Are there truth values that can be assigned to x,y simultaneously.

Published byDinah Williams Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Temporal logic. 2 Prop. logic: model and reason about static situations. Example: Are there truth values that can be assigned to x,y simultaneously."— Presentation transcript:

1 1 Temporal logic

2 2 Prop. logic: model and reason about static situations. Example: Are there truth values that can be assigned to x,y simultaneously that satisfy x Ç : y ? To reason about programs, we need dynamics!

3 3 Need dynamics In prop. logic: State = a full assignment Formula = a set of states i.e., the set of assignments that satisfy it. What we need is a sequence of states. possibly an infinite sequence for reactive systems. Each such sequence is called a behavior, or a computation.

4 4 Need dynamics The checked system: M. Specification of the possible behaviors of M:  We will ask whether the following holds: M ²  i.e., do all behaviors of M satisfy the property .

5 5 History of Temporal Logic Designed by philosophers to study the way that time is used in natural language arguments Brought to Computer Science by Amir Pnueli in 1977. Has proved to be useful for specification of reactive systems

6 6 Linear Temporal Logic (LTL) In LTL time is implicit, discrete, has an initial moment with no predecessors, and infinite in the future The model of LTL formula is infinite sequence of states  s 0, s 1, s 2, …

7 7 LTL: Syntax  := (  ) | ¬  |  Æ   Ç   U  R  G  F  |X  | p Elements : Atomic propositions Boolean operators   ¬  Temporal operators G F X U R

8 8 LTL: Syntax  := (  ) | ¬  |  Æ   Ç   U  R  G  F  |X  | p G  Always  ( = “Henceforth  ”) F  Eventually  (= “  in the future”) X  “next-time  ”  U  “  until  ”  R  “  Release  ”

9 9 Semantic Intuition G f - always f F f – eventually f X f – next state f U r – until f R r – releases f f f f f f f f f f f f r r r,f r r f r r r r r r

10 10 Semantic Semantic is given with respect to paths  = s 0 s 1 s 2 … Suffix of trace starting at s i  i = s i s i+1 s i+2 … A system satisfies an LTL formula  if each path through the system satisfies .

11 11 Semantic (cont ’ d)  k ² a iff a  s k  k ²  iff not  k ²   k ²    iff  k ²  and  k ²   k ²    iff  k ²  or  k ²   k ² X  iff  k  1 ²   k ² F  iff exists i  k  i ²   k ² G  iff for all i  k  i ²   k ²  U  iff exists i  k  i ²  and for all k  j < i.  j ²   k ²  R  iff for all j  k, if for every k · i < j not  i ²  then  j ² 

12 12 LTL Identities Write G with F:G  =  F  Write F with U: F  = ( true U  ) Write R with U:  R  =  (  U   ) Every LTL formula  can be rewritten using only operators   X U

13 13 Combinations GF p “ p will happen infinitely often ” FG p “ p will happen from some point forever ”. (GF p) ! (GF q) “ If p happens infinitely often, then q also happens infinitely often ”. (Now: Examples of specifying with LTL )

14 14 Limitations of LTL Is there a temporal behavior that we cannot express with LTL ? Property: “ p holds in every even state ” Unexpressible in LTL. There are extensions to LTL that solve these type of problems. We will not learn them.

15 15 Two classes of properties Safety properties: nothing ‘ bad ’ will happen. A counterexample is a finite loop-free sequence of states. Example: G(p → X q) pp,q Bad state Initial state

16 16 Two classes of properties Liveness properties: something ‘ good ’ will happen. A counterexample is an infinite trace, showing that this good thing NEVER happens. In a finite state model, this is represented as a finite sequence of states ending with a loop. Example: F p :p:p :p:p :p:p :p:p :p:p :p:p Initial state

17 17 A Spring Example s1s3s2 pull release S2 S3  0 = s1 s2 s1 s2 s1 s2 s1 …  1 = s1 s2 s3 s3 s3 s3 s3 …  2 = s1 s2 s1 s2 s3 s3 s3 … …

18 18 LTL satisfaction by a single sequence s1s3s2 pull release  2 = s1 s2 s1 s2 s3 s3 s3 …  2 ² S2 ??  2 ² X S2 ??  2 ² XX S2 ??  2 ² F S2 ??  2 ² G S2 ??  2 ² FG S2 ??  2 ² FG S3 ??  2 ² ¬ FG S2 ??  2 ² (¬S2) U S3 ??  2 ² G (¬S2 ! X S2) ??

19 19 LTL satisfaction by a system s1s3s2 pull release A ² S2 ?? A ² X S2 ?? A ² XX S2 ?? A ² F S2 ?? A ² G S2 ?? A ² FG S2 ?? A ² FG S3 ?? A ² ¬FG S2 ?? A ² (¬S2) U S3 ?? A ² G(¬S2 ! X S2) ?? A:

20 20 The problem of vacuity Consider the following property  : G(request  F ack)... and a system M that never sends requests. The property is satisfied: M ²  Is it ok ? This can indicate a bug in M or in the property.

21 21 The problem of vacuity Consider the following property  : G(p U (p Ç q))... and a system M which satisfies Gq. The property is satisfied: M ²  Is this what the user intended ? A bug in the property? Equivalent to G (p Ç q) Otherwise change the property.

22 22 The problem of vacuity When a formula passes not due to the ‘ right ’ reasons we might be fooling ourselves that everything is ok. Is there a way to check for such errors ?

23 23 The problem of vacuity Let  be an LTL formula in negation normal form.  is said to be vacuous in M if there exists an occurrence of an atom a 2 AP(  ) such that M ²  [ a à false] (or M ²  [ a à true] if a appears negatively). We check vacuity only after we know that M ² 

24 24 The problem of vacuity Example 1:  : G(request  F ack) Check   : G(true  F ack) Suppose that M ²   Either: This contradicts the user ’ s understanding of M. There is a bug in M. This was the intention. So change  to the stronger formula GF ack.

25 25 The problem of vacuity Example 1:  : G(request  F ack) Check   : G(request  F false) Suppose that M ²   Either: This contradicts the user ’ s understanding of M. There is a bug in M. This was the intention. So change  to the stronger formula G : request.

26 26 The problem of vacuity Example 2:  : G(p U (p Ç q)) Check   : G(false U (p Ç q)) For all M, if M ²  then M ²  . Hopefully the user will realize that it should be G(p Ç q).

27 27 The problem of vacuity Example 2:  : G(p U (p Ç q)) Check   : G(p U (false Ç q)) If M ²   then there is no path satisfying G(p Æ : q) Error in the model ? Should we change the property to   ?

28 28 The problem of vacuity Example 2:  : G(p U (p Ç q)) Check   : G(p U (p Ç false)) If M ²   then M ² Gp Error in the model ? Should we change the property to   ?

29 29 Mutual vacuity Consider  = G(a Ç b Ç c).. and M: M ² G(b Ç c)// nothing else to remove M ² G(a Ç b)// can still remove b M ² G(a) Conclusion: order of vacuity-checks matters! ab ac

30 30 Mutual vacuity The mutual vacuity problem: what is the largest number of literal ocurrences that can be replaced with false simultanuously without falsifying M in  ? Formally: find largest S µ lit-occur(  ) such that M ²  [a à false | a 2 S]

31 31 Vacuity checks in the industry Most commercial model-checkers check for vacuity automatically Typically only a few ‘ important checks ’, not all possible. Too expansive in practice to check for mutual vacuity.

32 32 Representing Concurrent Systems The ‘ spring ’ system is an example of a ‘ Kripke structure ’ Kripke structure: a tuple M = (S, S 0, R, L), where S – set of all states of the system S 0 – set of initial states R – transition relation between states L – a function that associates each state with set of propositions true in that state

33 33 Kripke Model Set of states S {q 1,q 2,q 3 } Set of initial states S 0 {q 1 } Set of atomic propositions AP {a,b} a a,bb q1q1 q3q3 q2q2

34 34 What ’ s next ? A Kripke structure is a special variant of an automaton. Next, we will learn about automata.

Download ppt "1 Temporal logic. 2 Prop. logic: model and reason about static situations. Example: Are there truth values that can be assigned to x,y simultaneously."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Part 3: Safety and liveness

Part 3: Safety and liveness
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.

Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.
1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.

1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.
Lecture 2: Reasoning with Distributed Programs Anish Arora CSE 6333.

Lecture 2: Reasoning with Distributed Programs Anish Arora CSE 6333.
CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.

CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.
Temporal Logic Model- checking with SPIN COMP6004 Stéphane Lo Presti Part 4: Specifications.

Temporal Logic Model- checking with SPIN COMP6004 Stéphane Lo Presti Part 4: Specifications.

Similar presentations

Ads by Google