Linear time temporal logic

What are the behaviours of a system?
•A path in a transition system
•A full path: an infinite path, or a path ending in a state with no successors
•A prefix of a path
Invariance properties
No bad state appears
•Mutual exclusion
•No deadlock
Safety properties
Nothing bad will happen
•Every drink should be preceded by a pay
•No two pay in a row
Safety properties
A property $P \subseteq A^\omega$ is a safety property if there is $B \subseteq A^*$ such that
$P = A^\omega \setminus (B A^\omega)$.
A transition system satisfies a safety property if it does not have a finite path in $B$ (the set of bad prefixes).
Every invariance property is a safety property.
For $P \subseteq A^\omega$ let
$Closure(P) = \{ w : \text{every prefix of } w \text{ is a prefix of a word in } P \}$
Fact: $P$ is a safety property iff $P = Closure(P)$.
Liveness properties
Something good will eventually happen
•Lunch will eventually be served (termination for sequential programs)
•Lunch will be served infinitely often (starvation freedom)
•Each time I pay I will eventually get lunch (every waiting process will get to the critical section)
Philosopher:
•thinks
•picks a fork
•if he has two forks, he can eat
•leaves a fork
•Each philosopher thinks infinitely often.
•Two neighbours never eat at the same time.
•When a philosopher eats then he has been thinking before.
•When a philosopher eats then he will think some time afterwards.
•Between two meals of philosopher i, philosopher (i+1) gets to eat too.
Safety: Nothing bad will happen.
Liveness: Something good will eventually happen.
Liveness
Def: $P \subseteq A^\omega$ is a liveness property iff every finite word can be extended to a word in $P$, i.e.
$Pref(P) = A^*$.
Each process will eventually enter its critical section
Each process will enter its critical section infinitely often
Whenever a process has requested its critical section then
it will eventually enter it.
Decomposition lemma
For every property $P \subseteq A^\omega$ there is a safety property $P_s$ and a liveness property $P_l$ such that:
$P = P_s \cap P_l$
Take $P_s = Closure(P)$ and $P_l = P \cup (A^\omega \setminus Closure(P))$.
Recall:
safety: $P = Closure(P)$
liveness: $Pref(P) = A^*$
Q: What properties are safety and liveness at the same time?
Fairness
Liveness properties are often violated although we expect them to hold
Each waiting process will eventually enter its critical section
Unconditional fairness: every process gets its turn infinitely often.
Strong fairness: every process enabled infinitely often gets its turn infinitely often.
Weak fairness: every process that is continuously enabled from a certain moment gets its turn infinitely often.
Is “infinitely often b” true for executions that are:
•Unconditionally fair wrt. α and β
•Weakly fair wrt. α and β
•Strongly fair wrt. α and β
Summary
Invariance properties: no bad state occurs
Safety properties: nothing bad occurs
Defined by the set of bad prefixes
Liveness properties: something good will occur
Properties that do not depend on a prefix
Fairness conditions: liveness properties that put conditions on how to resolve nondeterminism.
How to do model checking?
Invariance properties: reachability (of a bad state)
Model checking safety properties:
Build the automaton for the bad prefixes $\Sigma^*(pay)(pay)$.
Check for reachability of an accepting state in the product of the transition system and this automaton.
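As an added example that is not part of the slides: a Python check of the safety property "no two pay in a row" that follows the procedure above, building the bad-prefix automaton for $\Sigma^*(pay)(pay)$, exploring its product with a transition system by breadth-first search, and returning a bad prefix whenever an accepting product state is reachable. The two vending-machine transition systems, their state names and the function names are constructed for this example.

```python
from collections import deque

# Bad-prefix DFA for Sigma*(pay)(pay). Its state counts the consecutive "pay"
# actions read so far (0, 1, 2); state 2 is accepting and a sink, because once
# a bad prefix has been read every extension of it is a bad prefix as well.
BAD_ACCEPTING = 2

def bad_prefix_step(q, action):
    if q == BAD_ACCEPTING:
        return BAD_ACCEPTING
    return q + 1 if action == "pay" else 0

def find_bad_prefix(ts, init):
    """ts maps a state to its list of (action, successor) pairs.
    Explores the product of ts with the bad-prefix DFA by BFS and returns the
    action sequence of a bad prefix if an accepting product state is reachable,
    or None if the safety property holds."""
    start = (init, 0)
    parent = {start: None}  # product state -> (predecessor, action)
    queue = deque([start])
    while queue:
        s, q = queue.popleft()
        if q == BAD_ACCEPTING:
            # walk the parent links back to the initial product state
            path, node = [], (s, q)
            while parent[node] is not None:
                node, action = parent[node]
                path.append(action)
            return path[::-1]
        for action, t in ts.get(s, []):
            nxt = (t, bad_prefix_step(q, action))
            if nxt not in parent:
                parent[nxt] = ((s, q), action)
                queue.append(nxt)
    return None

# Constructed vending machine: pay, then drink, then start over.
GOOD = {"idle": [("pay", "paid")], "paid": [("drink", "idle")]}
# Constructed faulty machine: it also accepts a second pay while already paid.
FAULTY = {"idle": [("pay", "paid")],
          "paid": [("drink", "idle"), ("pay", "paid")]}

if __name__ == "__main__":
    print(find_bad_prefix(GOOD, "idle"))    # None: the property holds
    print(find_bad_prefix(FAULTY, "idle"))  # ['pay', 'pay']
```

The returned action sequence is exactly the finite path in $B$ that the definition of safety talks about, so it doubles as a counterexample for the user.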
Model checking liveness properties
First, we need a good method to specify them
LTL
Linear time Temporal Logic
Propositional logic
$\alpha ::= a \mid \alpha \vee \beta \mid \neg\alpha$
With propositional logic we can specify properties of states:
$\neg(crit_1 \wedge crit_2)$
And then we can specify invariance properties:
$G\,\neg(crit_1 \wedge crit_2)$
Next operator
$G(drink \rightarrow X\,\neg drink)$
Finally operator
$F(crit_1)$
Until operator
$\neg(crit_1)\; U\; crit_2$
Syntax and semantics of LTL
$\alpha ::= a \mid \neg\alpha \mid \alpha \vee \beta \mid X\alpha \mid \alpha\, U\, \beta$
$[[a]] = a\,A^\omega$
$[[\neg\alpha]] = A^\omega \setminus [[\alpha]]$
$[[\alpha \vee \beta]] = [[\alpha]] \cup [[\beta]]$
$[[X\alpha]] = \{ w : suffix_1(w) \in [[\alpha]] \}$
$[[\alpha\, U\, \beta]] = \{ w : \exists i.\ suffix_i(w) \in [[\beta]] \text{ and } \forall j < i.\ suffix_j(w) \in [[\alpha]] \}$
Examples
•Finally ($F$)
•$Xa$
•$(a \vee b)\, U\, c$
•$a\, U\, (b\, U\, c)$
•Always ($G$)
•Infinitely often ($GF$)