Semantically Equivalent Formulas
• Let Φ and ψ be formulas of propositional
logic. We say that Φ and ψ are
semantically equivalent iff
Φ╞ψ
ψ╞Φ
hold. In that case we write Φ ≡ ψ.
Further, we call Φ valid if
╞Φ
holds.
Examples of equivalent formulas
•
•
•
•
p → q ≡ ¬p  q
p → q ≡ ¬q → ¬p
p  q → p ≡ r  ¬r
p  q → r ≡ p → (q →r)
Lemma
• Given propositional logic formulas Φ1, Φ2,
…, Φn, ψ, we have
Φ1, Φ2, …, Φn ╞ ψ
iff
╞ Φ1 →(Φ2 → (Φ3 → … → (Φn → ψ)))
Literal
• A literal is either an atom p or the negation
of an atom ¬p.
Conjunctive Normal Form (CNF)
• A formula Φ is in conjunctive normal form
(CNF) if it is of the form
ψ1  ψ2  ….  ψn
for some n ≥ 1, such that ψi is a literal, or a
disjunction of literal, for all 1 ≤ i ≤ n.
Examples for CNF formulas
• (¬q  p  r)  (¬p  r)  q
• (p  r)  (¬p  r)  (p  ¬r)
Lemma
• A disjunction of literals L1  L2  ….  Lm
is valid (i.e., ╞ L1  L2  ….  Lm) iff there
are 1 ≤ i, j ≤ m such that Li is ¬Lj.
Satisfiable formulas
• Given a formula Φ in a propositional logic,
we say that Φ is satisfiable if there exists
an assignment of truth values to its
propositional atoms such that Φ is true.
Proposition
• Let Φ be a formula of propositional logic.
Then Φ is satisfiable iff ¬Φ is not valid.
function CNF(Φ)
/* pre-condition: Φ implication free and in NNF*/
/* post-condition: CNF(Φ) computes an equivalent CNF for Φ */
begin function
case
Φ is a literal : return Φ
Φ is Φ1  Φ2: return CNF(Φ1)  CNF(Φ2)
Φ is Φ1  Φ2: return DISTR(CNF(Φ1), CNF(Φ2) )
end case
end function
function DISTR(η1, η2):
/* pre-condition: η1 and η2 are in CNF */
/* post-condition: DISTR(η1, η2) computes a CNF for η1 η2 */
begin function
case
η1 is η11  η12 : return DISTR(η11 , η2)  DISTR(η12 , η2)
η2 is η21  η22 : return DISTR(η1 , η21)  DISTR(η1 , η22)
otherwise (= no conjunction): return η1 η2
end case
end function
function NNF(Φ)
/* pre-condition: Φ is implication free */
/* post-condition: NNF(Φ) computes a NNF for Φ */
begin function
case
Φ is a literal : return Φ
Φ is ¬¬Φ1 : return NNF(Φ1)
Φ is Φ1  Φ2 : return NNF(Φ1)  NNF(Φ2)
Φ is Φ1  Φ2 : return NNF(Φ1)  NNF(Φ2)
Φ is ¬(Φ1  Φ2) : return NNF(¬Φ1  ¬Φ2)
Φ is ¬(Φ1  Φ2) : return NNF(¬Φ1  ¬Φ2)
end case
end function
Φ = ¬p  q → p  (r → q)
IMPL_FREE Φ = ¬ IMPL_FREE (¬p  q )  IMPL_FREE (p (r → q))
= ¬((IMPL_FREE ¬p )  (IMPL_FREE q ))  IMPL_FREE (p (r → q))
= ¬((¬p )  IMPL_FREE q )  IMPL_FREE (p (r → q))
= ¬ (¬p  q )  IMPL_FREE (p (r → q))
= ¬ (¬p  q )  ((IMPL_FREE (p)  IMPL_FREE (r → q))
= ¬ (¬p  q )  (p  IMPL_FREE (r → q))
= ¬ (¬p  q )  (p  (¬ (IMPL_FREE r)  IMPL_FREE (q)))
= ¬ (¬p  q )  (p  (¬ r  IMPL_FREE (q)))
= ¬ (¬p  q )  (p  (¬ r  q))
IMPL_FREE Φ = ¬ (¬p  q )  (p  (¬ r  q))
NNF (IMPL_FREE Φ )
= NNF (¬ (¬p  q ))  NNF (p  (¬ r  q))
= NNF (¬ (¬p )  ¬q ))  NNF (p  (¬ r  q))
= (NNF (¬¬p ))  (NNF (¬q ))  NNF (p  (¬ r  q))
= (p  (NNF (¬q )))  NNF (p  (¬ r  q))
= (p  ¬q )  NNF (p  (¬ r  q))
= (p  ¬q )  ((NNF p)  (NNF (¬ r  q)))
= (p  ¬q )  ( p  (NNF (¬ r  q)))
= (p  ¬q )  ( p  ((NNF (¬ r))  (NNF q)))
= (p  ¬q )  ( p  (¬ r  (NNF q)))
= (p  ¬q )  ( p  (¬ r  q))
NNF (IMPL_FREE Φ) = (p  ¬q )  ( p  (¬ r  q))
CNF(NNF (IMPL_FREE Φ))
= CNF ((p  ¬q )  ( p  (¬r  q)))
= DISTR ( CNF (p  ¬q ), CNF (p  (¬ r  q)))
= DISTR (p  ¬q , CNF (p  (¬ r  q)))
= DISTR (p  ¬q , p  (¬ r  q))
= DISTR (p  ¬q , p)  DISTR (p  ¬q , ¬ r  q)
= (p  ¬q  p)  DISTR (p  ¬q , ¬ r  q)
= (p  ¬q  p)  (p  ¬q  ¬ r  q)
Horn Formula Φ
• is a formula Φ of propositional logic if it is
of the form ψ1  ψ2 ...  ψn for some n ≥ 1
such that ψi is of the form
p1  p2 ...  pki → qi
for some ki ≥ 1, where p1, p1, …, pki, qi are
atoms, ┴ or T. We call such ψi a Horn
clause.
Examples of Horn formulas
• (p  q  s → p)  (q  r → p)  (p  s → s)
• (p  q  s → ┴)  (q  r → p)  (T → s)
• (p2  p3  p5 → p13) (T→ p2)  (p5  p11 → ┴)
Examples of non-Horn formulas
•
•
•
•
(p  q  s → ¬p)  (q  r → p)  (p  s → s)
(p  q  s → ┴)  (¬q  r → p)  (T → s)
(p2  p3  p5 → p13  p27)  (T→ p2)  (p5  p11 → ┴)
(p2  p3  p5 → p13 ) (T→ p2)  (p5  p11  ┴)
function HORN(Φ)
/* Pre-condition : Φ is a Horn formula*/
/* Post-condition : HORN(Φ) decides the satisfiability for Φ */
begin function
mark all atoms p where T → p is a sub-formula of Φ;
while there is a sub-formula p1  p2 ...  pki → qi of Φ such that all pj
are marked but qi is not do
if qi ≡ ┴ then return ‘unsatisfiable’
else mark qi for all such subformulas
end while
return ‘satisfiable’
end function
Theorem
• The algorithm HORN is correct for the
satisfiability decision problem of Horn
formulas and has no more than n cycles in
its while-loop if n is the number of atoms in
Φ. HORN always terminates on correct
input.
Kripke structure
Let AP be a set of atomic propositions. A Kripke structure M
over AP is a four tuple M= (S, S0, R, L) where
1.
S is a finite set of states
2.
S0  S is the set of initial states.
3.
R  S × S is a transition relation that must be total, that is for every
state s S there is a state s’ S such that R (s, s’).
4.
L: S  2 AP is a function that labels each state with the set of
atomic proposition in that state.
A path in the structure M from a state s is an infinite sequence of states
ω = s0 s1 s2 … such that s0 = s and R (si, si+1) holds for all i ≥ 0.
First order representation
of Kipke structures
• We use interpreted first order formulas to describe concurrent
systems.
• We use usual logical connectives (and , or , implies , not , and
so on) and universal ( ) and existential (  ) quantifications.
• Let V = {v1, …, vn} be the set of system variables. We assume that
the variables in V range over a finite set D.
• A valuation for V is a function that associated a value in D with
each variable v in V. Thus, s is a valuation for V when s: V  D.
• A state of a concurrent system can be viewed as a valuation for the
set of its variables V.
• Let V’ = {v’1, …, v’n}. We think of the variables in V as present state
variables and the variables in V’ as next state variables.
First order representation
of Kipke structures
Let M = (S, S0, R, L) be a Kripke structure.
• S is the set of all valuations for all variables of the system which can
be described by a proposition S. Usually, S = True.
• The set of initial states S0 can be described by a proposition (on the
set of variables) S0.
• R can be described by a proposition R such that for any two states s
and s’, R(s, s’) holds if R evaluates to True when each variable v is
assigned the value s(v) and each variable v’ is assigned the value
s(v’).
• The labeling function L:S  2AP is defined so that L(s) is the subset
of all atomic propositions true in s which can be described by some
appropriate proposition.
A simple example
We consider a simple system with variables x and y that range
over D = {0, 1}. Thus, a valuation for the variables x and y is
just a pair (d1, d2)  D × D where d1 is the value for x and d2 is
the value for y. The system consists of one transition
x := (x +y) mod 2,
Which starts from the state in which x = 1 and y = 1.
A simple example with transition
x := (x +y) mod 2
• S = True
• S0 (x, y) ≡ x = 1  y = 1
• R (x, y, x’, y’) ≡ x’ = (x +y) mod 2  y’ = y
A simple example with transition
x := (x +y) mod 2
The Kripke structure M = (S, S0, R, L) for this system is simply:
• S = D × D.
• S0 = {(1,1)}
• R = {((1,1), (0,1)), ((0,1), (1,1)), ((1,0), (1,0)), ((0,0), (0,0))}.
• L(1,1) = {x =1, y = 1}, L(0,1) = {x =0, y = 1}, L(1,0) = {x =1, y = 0},
L(0,0) = {x =0, y = 0}.
The only path in the Kripke structure that starts in the initial state is
(1,1) (0,1) (1,1) (0,1) ….
Concurrent systems
• A concurrent system consists of a set of components
that execute together.
• Normally, the components have some means of
communicating with each other.
Modes of execution
We will consider two modes of execution:
Asynchronous or interleaved execution,
in which only one component makes a
step at a time, and synchronous
execution, in which all of the components
make a step at the same time
Modes of communication
• We will also distinguish three modes of communication.
Components can either communicate by changing the
value of shared variables or by exchanging messages
using queues or some handshaking protocols.
A modulo 8 counter
v2
v1
v0
Synchronous circuit
A modulo 8 counter
The transitions of the circuit are given by
• v’0 = v0
• v’1 = v0  v1
• v’2 = (v0  v1)  v2
• R0 (v, v’) ≡ (v’0 ↔ v0)
• R1 (v, v’) ≡ (v’1 ↔ v0 v1)
• R2 (v, v’) ≡ (v’2 ↔ (v0  v1)  v2)
• R (v, v’) ≡ R0 (v, v’)  R1 (v, v’)  R2 (v, v’)
Synchronous circuit
General case
•
•
•
•
Let V = {v0, …., vn-1} and V’ = {v’0, …., v’n-1}
Let v’i = fi (V), 1= 0, …, n-1.
Define Ri (v, v’) ≡ ( v’i ↔ fi (V)).
Then, the transition relation can be
described as
R (v, v’) ≡ R0 (v, v’)  …  Rn-1 (v, v’).
Asynchronous circuit
General case
• In this case, the transition relation can be
described as
R (v, v’) ≡ R0 (v, v’)  …  Rn-1 (v, v’),
Where
Ri (v, v’) ≡ ( v’i ↔ fi (V)) j ≠ i (v’j ↔ vj )).
Example
• Let V = {v0, v1}, v’0 = v0  v1 and v’1 = v0  v1.
• Let s be a state with v0 = 1  v1 = 1.
• For the synchronous model, the only
successor of s is the state v0 = 0  v1 = 0.
• For the asynchronous model, the state s has
two successors:
• 1. v0 = 0  v1 = 1 ( the assignment to v0 is
taken first).
• 2. v0 = 1  v1 = 0 ( the assignment to v1 is
taken first).
Labeled program
•
•
•
•
Given a statement P, the labeled statement PL is defined
as follows:
If P is not a composite statement then P = PL. .
If P = P1; P2 then PL = P1L ; l’’ : P2L.
If P = if b then P1 else P2 end if, then
PL = if b then l1 : P1L else l2 : P2L end if.
If P = while b do P1 end while, then PL = while b do l1 :
P1L end while.
Some assumptions
• We assume that P is a labeled statement and that the
entry and exit points of P are labeled by m and m’,
respectively.
• Let pc be a special variable called the program counter
that ranges over the set of program labels and an
additional value ┴ called the undefined value.
• Let V denote the set of program variables, V’ the set of
primed variables for V, and pc’ the primed variables for
pc.
• Let same (Y) =
y ε Y (y’ = y).
The set of initial states of P
• Given some condition pre (V) on the initial
variables for P,
S0 (V, pc) ≡ pre (V)  pc = m.
The transition relation for P
• C (l, P, l’) describes the set of transitions in P as a
disjunction of all transitions in the set.
• Assignment:
C ( l, v ← e, l’) ≡ pc = l  pc’ = l’  v’ = e  same (V \ {v})
• Skip:
C ( l, skip, l’) ≡ pc = l  pc’ = l’  same (V)
• Sequential composition:
C ( l, P1; l’’ : P2, l’) ≡ C ( l, P1, l’’)  C ( l’’, P2, l’)
The transition relation for P (continued)
• Conditional:
C (l, if b then l1: P1 else l2 : P2 end if, l’) is the
disjunction of the following formulas:
• pc = l  pc’ = l1  b  same (V)
• pc = l  pc’ = l2  b  same (V)
• C (l1, P1, l’)
• C (l2, P2, l’)
The transition relation for P (continued)
• While:
C (l, while b do l1 : P1 end while, l’) is the disjunction of
the following formulas:
• pc = l  pc’ = l1  b  same (V)
• pc = l  pc’ = l’  b  same (V)
• C (l1, P1, l)
Concurrent programs
• A concurrent program consists of a set of processes that
can be executed in parallel. A process is a sequential
program.
• Let Vi be the set of variables that can be changed by
process Pi. V is the set of all program variables.
• pci is the program counter of process Pi. PC is the set of
all program counters.
• A concurrent program has the form
cobegin P1 || P2 … || Pn coend
where P1, …, Pn are processes.
Labeling transformation
• We assume that no two labels are identical and that the
entry and exit points of P are labeled m and m’,
respectively.
• If P = cobegin P1 || P2 … || Pn coend, then
PL = cobegin l1 : P1L l’1 || l2 : P2L l’2 || … || ln : PnL l’n coend.
The set of initial states of P
S0 (V, pc) ≡ pre (V)  pc = m  i = 1, … n (pci = ┴ )
The transition relation for P
C (l, cobegin l1 : P1L l’1 || … || ln : PnL l’n coend, l’)
Is the disjunction of three formulas:
• pc = l  pc’1 = l1  …  pc’n = ln  pc’ = ┴
• pc = ┴  pc1 = l’1  …  pcn = l’n  pc’ = l’ 
•

i = 1, … n

i = 1, … n
(pc’i = ┴)
(C (li, Pi, l’i)  (same (V \ Vi)  same (PC \ {pci}))
Shared variables
• Wait:
•
•
C (l, wait (b), l’) is a disjunction of the following two formulas:
(pci = l  pc’i = l  b  same (Vi))
(pci = l  pc’i = l’  b  same (Vi))
• Lock (v) (= wait (v = 0)):
•
•
C (l, lock (v), l’) is a disjunction of the following two formulas:
(pci = l  pc’i = l  v = 1  same (Vi))
(pci = l  pc’i = l’  v = 0  v’ = 1  same (Vi \ {v}))
• Unlock (v):
C (l, unlock (v), l’) ≡ pci = l  pc’i = l’  v’ = 0  same (Vi \ {v})
A simple mutual exclusion program
P = m: cobegin P0 || P1 coend m’
P0 :: l0 : while True do
NC0 : wait (turn = 0);
CR0 : turn :=1;
end while;
l’0
P1 :: l1 : while True do
NC1 : wait (turn = 1);
CR1 : turn := 0;
end while;
l’1
Kripke structure
• pc takes values in the set { m, m’, ┴ }.
• pci takes values in the set { li, l’i, NCi, CRi, ┴ }.
• V = V0 = V1 = {turn}.
• PC = {pc, pc0, pc1}.
The set of initial states of P
• S0 (V, PC) ≡ pc = m  pc0 = ┴  pc1 = ┴.
The transition relation for P
• R (V, PC, V’, PC’) is the disjunction of the following four
formulas:
• pc = m  pc’0 = l0  pc’1 = l1  pc’ = ┴.
• pc0 = l’0  pc1 = l’1  pc’ = m’  pc’0 = ┴  pc’1 = ┴.
• C (l0, P0, l’0)  same (pc, pc1).
• C (l1, P1, l’1)  same (pc, pc0).
The transition relation of Pi
•
•
•
•
•
For each process Pi, C (li, Pi, l’i) is the
disjunction of:
pci = li  pc’i = NCi  True  same (turn)
pci = NCi  pc’i = CRi  turn = i  same (turn)
pci = CRi  pc’i = li  turn’ = (i+1) mod 2
pci = NCi  pc’i = NCi  turn ≠ i  same (turn)
pci = li  pc’i = l’i  False  same (turn)
turn =
0
┴, ┴
turn =
1
┴, ┴
turn =
0
l0, l1
turn =
0
l0,
NC1
turn =
1
l0, l1
turn =
0
l1,
NC0
turn =
0
turn =
0
CR0, l1
NC0,
NC1
turn =
0
CR0,
NC1
turn =
1
l0,
NC1
turn =
1
CR1, l0
turn =
1
l1,
NC0
turn =
1
NC0,
NC1
turn =
0
CR1,
NC0
Syntax of
Computational Tree Logic (CTL)
Φ ::= ┴ | T | p | (¬Φ) | (Φ  Φ) | (Φ  Φ) |
(Φ → Φ) | AX Φ | EX Φ | A[Φ U Φ] |
E[Φ U Φ] | AG Φ | EG Φ | AF Φ | EG Φ
where p ranges over atomic formulas.
Convention
• The unary connectives (consisting of ¬ and
the temporal connectives AG, EG, AF, AX
and EX) bind most tightly. Next in the order
come  and ; and after that come → , AU
and EU.
Some examples of well-formed
CTL formulas
•
•
•
•
•
•
•
•
(EG r)
AG (q → EG r)
(AG q) → (EG r)
EF E[r U q]
A[p U EF r]
EF EG p → AF r
(EF EG p) → AF r
EF EG (p → AF r)
Some examples of not well-formed
CTL formulas
•
•
•
•
•
•
FG r
A ¬G¬p
F[r U q]
EF (r U q)
AEF r
AF [(r U q)  (p U q)]
CTL Subformulas
• Definition: A subformula of a CTL
formula Φ is any formula ψ whose parse
tree is a subtree of Φ‘s parse tree.
The parse tree for
A[AX ¬p U E[EX (p  q) U ¬p]]
AU
AX
EU
¬
EX
¬

p
p
p
q
Semantics of
Computational Tree Logic (CTL)
• Let M = (S, R, L) be a Kripke structure.
Given any state s in S, we define whether
a CTL formula Φ holds in state s. We
denote this by
M, s ╞ Φ,
where ╞ is the satisfaction relation.
The satisfaction relation ╞ is defined by structural induction
on all CTL formulas:
•
•
•
•
•
•
•
M, s ╞ T and ¬(M, s ╞ ┴) for all s ε S.
M, s ╞ p iff p ε L(s).
M, s ╞ ¬Φ iff ¬(M, s ╞ Φ).
M, s ╞ Φ1  Φ2 iff M, s ╞ Φ1 and M, s ╞ Φ2.
M, s ╞ Φ1  Φ2 iff M, s ╞ Φ1 or M, s ╞ Φ2.
M, s ╞ Φ1 → Φ2 iff ¬(M, s ╞ Φ1) or M, s ╞ Φ2.
M, s ╞ AX Φ iff for all s1 such that (s, s1) ε R, we have M,
s1 ╞ Φ . Thus, AX says: ‘in every next state’.
• M, s ╞ EX Φ iff for some s1 such that (s, s1) ε R, we have
M, s1 ╞ Φ . Thus, EX says: ‘in some next state’.
The satisfaction relation ╞ is defined by structural
induction on all CTL formulas: (continued)
• M, s ╞ AG Φ iff for all paths s1 s2 s3 … where s1 equals s, and all si
along the path, we have such that (si, si+1) ε R, we have M, si ╞ Φ .
Thus, AG says: ‘for all computation paths beginning s the property Φ
holds globally’.
• M, s ╞ EG Φ iff there is a path s1 s2 s3 … where s1 equals s, and all
si along the path, we have such that (s, s1) ε R, we have M, si ╞ Φ .
Thus, AG says: ‘there exists a computation path beginning s such
that Φ holds globally along the path’.
• M, s ╞ AF Φ iff for all paths s1 s2 s3 … where s1 equals s, there is
some si such that M, si ╞ Φ. Thus, AF says: ‘for all computation
paths beginning in s there will be some future state where Φ holds’.
The satisfaction relation ╞ is defined by structural
induction on all CTL formulas: (continued)
• M, s ╞ EF Φ iff there is a path s1 s2 s3 … where s1 equals s, and for
some si along the path, we have M, si ╞ Φ. Thus, EF says: ‘there
exists a computation path beginning in s such that Φ holds in some
future state’.
• M, s ╞ A[Φ1 U Φ2] iff for all paths s1 s2 s3 … where s1 equals s, that
path satisfies Φ1 U Φ2, i.e., there is some si along the path, such that
M, si ╞ Φ2, and, for each j < i, we have M, sj╞ Φ1. Thus, A[Φ1 U Φ2]
says: ‘all computation paths beginning in s satisfy that Φ1 until Φ2
holds on it’.
• M, s ╞ E[Φ1 U Φ2] iff there is a path s1 s2 s3 … where s1 equals s,
and that path satisfies Φ1 U Φ2, i.e., there is some sj along the path,
such that M, si ╞ Φ2, and, for each j < i, we have M, sj ╞ Φ1. Thus,
E[Φ1 U Φ2] says: ‘there exists a computation path beginning in s
such that Φ1 until Φ2 holds on it’.
A system whose starting state satisfies EF Φ
Φ
A system whose starting state satisfies EG Φ
Φ
Φ
Φ
A system whose starting state satisfies AG Φ
Φ
Φ
Φ
Φ
Φ
Φ
Φ
Φ
Φ
Φ
A system whose starting state satisfies AF Φ
Φ
Φ
Φ
Φ
Φ
Some examples for the following system M:
p, q
s0
s1
•
•
•
•
•
•
•
•
•
•
•
q, r
M, s0 ╞ p  q
M, s0 ╞ ¬r
M, s0 ╞ T
M, s0 ╞ EX (q  r)
M, s0 ╞ ¬AX (q  r)
M, s0 ╞ ¬EF (p  r)
M, s2 ╞ EG r
M, s2 ╞ AG r
M, s0 ╞ AF r
M, s0 ╞ E[(p  q) U r]
M, s0 ╞ A[p U r]
r
s2
Other examples for CTL logic
• It is possible to get a state where started holds but ready does not
hold: EF (started  ¬ready)
• For any state, if a request (of some resource) occurs, then it will
eventually be acknowledged:
AG (requested → AF acknowledged)
• A certain process is enabled indefinitely often on every computation
path:
AG (AF enabled)
• Whatever happens, a certain process will eventually be permanently
deadlocked: AF (AG deadlocked)
Other examples for CTL logic (continued)
• From any state it is possible to get a restart state: AG (EF restart)
• An upwards traveling elevator at the second floor does not change
its direction when it has passengers wishing to go to the fifth floor:
AG (floor=2  direction=up  ButtonPressed5 →
A[direction=up U floor=5])
• The elevator can remain idle on the third floor with its doors
closed:
AG (floor=3  idle  door=closed → EG (floor=3  idle 
door=closed))
Semantically equivalent CTL formulas
• Definition: Two CTL formulas Φ and ψ
are said to be semantically equivalent if
any state in any Kripke structure which
satisfies one of them also satisfies the
other; we denote this by Φ ≡ ψ.
Important equivalences between CTL
formulas
•
•
•
•
•
•
¬AF Φ ≡ EG ¬Φ
¬EF Φ ≡ AG ¬Φ
¬AX Φ ≡ EX ¬Φ
AF Φ ≡ A[T U Φ]
EF Φ ≡ E[T U Φ]
A[p U q] ≡ ¬(E[¬q U (¬p  ¬q)]  EG ¬q)
Theorem:
• The set of operators ┴, ¬ and  together
with AF, EU and EX are adequate for CTL:
any CTL formula can be transformed into a
semantically equivalent CTL formula which
uses only those logical connectives.
Other interesting equivalences
•
•
•
•
•
•
AG Φ ≡ Φ  AX AG Φ
EG Φ ≡ Φ  EX EG Φ
AF Φ ≡ Φ  AX AF Φ
EF Φ ≡ Φ  EX EF Φ
A[Φ U ψ] ≡ ψ  (Φ  AX A[Φ U ψ])
E[Φ U ψ] ≡ ψ  (Φ  EX E[Φ U ψ])
Example: mutual exclusion
• When concurrent processes share a resource, it
may be necessary to ensure that they do not
have access to it at the same time.
• We therefore identify certain critical sections of
each process code and arrange that only one
process can be in its critical section at a time.
• The problem we are faced with is to find a
protocol for determining which process is
allowed to enter its critical section at which time.
Some expected properties for mutual exclusion
• Safety: The protocol allows only one process to be in its
critical section at a time.
• Liveness: Whenever any process wants to enter its
critical section, it will eventually be permitted to do so.
• Non-blocking: A process can always request to enter its
critical section.
• No strict sequencing: Processes need not enter their
critical section in strict sequence.
A simple example of two processes
• n = a process is in a non-critical state
• t = a process tries to enter in its critical
section
• c = a process is in its critical section
A first-attempt model for mutual exclusion
s0
n1n2
s1
n1t2
t1n2
s5
t1t2
s2
c1n2
n1c2
s3
c1t2
s4
s6
t1c2
s7
CTL formulas for the system properties
• Safety: Φ1 = AG ¬(c1  c2). (o.k.)
• Liveness: Φ2 = AG (t1 → AF c1). (not o.k.)
because there exists a computation path, namely, s1 →
s3 → s7 → s1 →… on which c1 is always false.
• Non-blocking: Φ3= AG (n1 → EX t1). (o.k.)
• No strict sequencing: EF (c1  E[c1 U
(¬c1  E[¬c2 U c1])]). (o.k.)
A second-attempt model for mutual exclusion
s0
n1n2
s1
s2
n1t2
t1n2
t1t2
c1n2
s3
c1t2
s4
s5
t1t2
n1c2
s6
s9
t1c2
s7
Syntax of Linear-time temporal logic (LTL)
• Definition: Linear-time temporal logic (LTL) has the
following syntax given in Backus Naur form
Φ ::= p | (¬Φ) | (Φ  Φ) | (Φ U Φ) | (G Φ)| (F Φ)| (X Φ)
where p is any propositional atom.
Semantics of
Linear Tree Logic (LTL)
• Let M = (S, R, L) be a Kripke structure. Given a path σ =
s1 s2 s3 … in M, where s1 is the initial state, and for all si
along the path, such that (si, si+1) ε R, we define whether
a LTL formula Φ holds in the path σ denoted as
M, σ ╞ Φ,
where ╞ is the satisfaction relation.
• Let σi = si si+1 ... denote the suffix of σ starting at si.
The satisfaction relation ╞ is defined by structural
induction on all of LTL formulas:
•
•
•
•
•
•
•
•
M, σ ╞ T and ¬(M, s ╞ ┴) for all s ε S.
M, σ ╞ p iff p ε L(s1).
M, σ ╞ ¬Φ iff ¬(M, σ ╞ Φ).
M, σ ╞ Φ1  Φ2 iff M, σ ╞ Φ1 and M, σ ╞ Φ2.
M, σ ╞ X Φ iff M, σ2 ╞ Φ,
M, σ ╞ G Φ iff, for all i ≥ 1, M, σi ╞ Φ,
M, σ ╞ F Φ iff, for some i ≥ 1, M, σi ╞ Φ,
M, σ ╞ Φ U ψ iff, there is some i ≥ 1 such that M, σi ╞ ψ
and for all j = 1 … i-1 we have M, σj ╞ Φ.
Semantically equivalent LTL formulas
• Definition: Two LTL formulas Ф and ψ are
semantically equivalent, writing as Ф ≡ ψ,
if they are true for the same paths in each
model. An LTL formula Ф is satisfied in a
state s of a model if Ф is satisfied in every
path starting at s.
Some semantically equivalent LTL formulas
•
•
•
•
•
G Ф ≡ ¬F ¬Ф
F Ф ≡ ¬G ¬Ф
F(Ф  ψ) ≡ F Ф  F ψ
G(Ф  ψ) ≡ G Ф  G ψ
Ф U ψ ≡ ¬(¬ ψ U (¬Ф  ¬ψ))  F ψ
Syntax of CTL*
The CTL* formulas are divided into two classes:
• state formulas, which are evaluated in states:
Φ ::= p | T | (¬Φ) | (Φ  Φ) | A[α] | E[α],
• path formulas, which are evaluated along paths:
α ::= Φ | (¬α) | (α  α) | (α U α) | (G α) | (F α) | (X α)
where Φ is any state formula.
LTL and CTL as subsets of CTL*
• Although the syntax of LTL does not include A
and E, the semantic viewpoint of LTL is that we
consider all paths. Therefore, the LTL formula α
is equivalent to the CTL* formula A[α]
• CTL is the fragment of CTL* in which we restrict
the form of path formulas to
α ::= (Φ U Φ) | (G Φ) | (F Φ) | (X Φ).
Example of in CTL but not in LTL: ψ1 = AG EF p
• Whenever we have got to, we can always get
back to a state in which p is true. This is useful,
e.g., in finding deadlocks in protocols.
M
s
t
¬p
p
M’
s
¬p
Example of in CTL*, but neither in CTL nor in
LTL: ψ2 = E[GF p]
• Saying, there is a path with infinitely many p.
Example of in LTL but not in CTL:
ψ3 = AG (p → F q)
• Saying that if there are infinitely many p along
the path, then there is an occurrence of q.
• This is an interesting thing to be able to say,; for
example, many fairness constraints are of the
form ‘infinitely often requested implies eventually
acknowledged’.
Example of in LTL and CTL:
ψ4 = AG (p → AF q) in CTL, or G (p → F q) in LTL
• Saying, any p is eventually followed by a q.
Example
• G p and AF AG p are not semantically
equivalent, since FG p is satisfied, whereas AF
AG p is not satisfied, in the model
p
¬p
p
weak until W
• The formula A[p W q] is true in a state if,
along all paths from that state, p is true
from the present state until the first state in
which q is true, if any. In particular, if there
is no q state on a path, then p needs to
hold for all states of that path.
weak until W (continued)
• In LTL and CTL*, weak Until may be defined in
terms of the ordinary Until, as follows:
p W q ≡ (p U q)  G p
• For CTL, we have:
E[p W q] ≡ E[p U q]  EG p
A[p W q] ≡ ¬E[¬q U ¬(p  q)]