Benefits of Interval Temporal Logic
for Specification of Concurrent Systems
Ben Moszkowski
Software Technology Research Laboratory
De Montfort University
Leicester
Great Britain
email: [email protected]
http://www.tech.dmu.ac.uk/~benm
Cambridge Concurrency Workshop 2010
5–6 July ’10
1
Introduction
• Intervals and discrete linear state sequences offer a
compellingly natural and flexible way to model computational
processes involving hardware or software.
Finite or infinite state sequence:
· · · · ···
• Interval Temporal Logic (ITL) is an established formalism (over
25 years old) for reasoning about such phenomena.
• It includes operators for sequentially combining formulas.
• For example, if A and B are formulas, so are following
A; B
(“chop”)
A∗
(“chop-star”).
• ITL can express various imperative programming constructs
(e.g., while-loops) and has executable subsets.
• The Duration Calculus (DC) is a real-time extension of ITL for
hybrid systems.
2
ITL, Point-Based Temporal Logic and Time Reversal
• For several decades, widely held conventional wisdom:
Point-based linear-time temporal logic (e.g., PTL) is much
superior to ITL for safety and liveness concurrency properties.
• ITL’s computational intractability seen as limit to tool support.
• We offer evidence suggesting that a reexamination is in order.
• Our presentation uses Peterson’s mutual exclusion algorithm.
• Interval properties can be more natural and at higher level
than point-based ones. Use transformations with time reversal
and from infinite time to finite time.
• For tool support, transform to lower-level, point-based formulas.
* Hence point-based linear-time temporal logic primarily serves as a
subordinate formalism.
3
Syntax of Propositional ITL
In what follows, p is any propositional variable and both A and B
themselves denote formulas in Propositional ITL (PITL):
true
p
¬A
A∨B
skip
A; B
A∗ .
“;” is called chop.
“∗ ” is called chop-star.
4
Intervals of Time
Discrete linear time is represented by intervals (i.e., sequences of
states).
An interval σ has a finite, nonzero number of states σ0 , σ1 , . . . .
* Can naturally extend to also permit infinite (i.e., ω) states.
Each state σi maps each variable p, q, . . . to true or false.
The value of p in the state σi is denoted σi (p).
Hence, propositional variables p, q, . . . are local to states.
5
Semantics of PITL for Finite Time
Let σ |= A denote that the interval σ satisfies the PITL formula A.
Below is excerpt from semantics of basic PITL constructs:
• σ
|=
p iff
σ0 (p) = true.
• σ
|=
¬A
• σ
|=
A∨B
iff
(Use p’s value in σ’s initial state σ0 )
σ |6 = A.
iff σ
|=
A
or σ
|=
B.
Pictorial summary of finite-time semantics of interval constructs:
skip
A_ B
A
A
B
∗
A
A
A
Each pair of adjacent subintervals share a state.
Can also have “chomp”, a version of chop with unit gap: A; skip; B.
6
Some Sample Formulas
(Assume Finite Time)
p
p ∧ skip
skip; p
(° p)
true; ¬p
p: t
f
p: t
f
p: f
t
skip
p: f
(3 ¬p)
¬(true; ¬p)
f
t
f
p
t
t
f
true
p: t
t
t
t
f
¬p
t
t
t
(2 p)
7
Notes
• A, A0 , B, C, . . . denote arbitrary formulas.
• w, w0 , . . . denote state formulas
(no temporal operators).
• If σ
|=
A for some σ, then A is satisfiable.
• If σ
|=
A for all σ, then A is valid.
Denote as |= A.
• Can extend PITL to include infinite time and Aω (chop-omega).
8
Some Derivable ITL Operators
Define false, A ∧ B, A ⊃ B (implies), A ≡ B (equivalence), . . . .
Propositional Temporal Logic (PTL) with finite & infinite time:
°A
more
finite
3A
def
≡ skip; A
def
° true
≡
(“next”)
(≥ 2 states)
def
≡ 3 empty (finite)
def
empty ≡ ¬more (just 1 state)
def
inf
def
≡ ¬finite (infinite)
≡ finite; A (“eventually”) 2 A
def
≡ ¬ 3 ¬A (“henceforth”)
def
≡ 2(empty ⊃ A) (final state)
¡
¢
def
A ← B ≡ finite ⊃ (fin A) ≡ B
(temporal assignment)
fin A
Interval-oriented operators:
def
3f A ≡ (A ∧ finite); true
def
2 A ≡ ¬ 3f ¬A
f
A
ω def
≡ (A ∧ finite)∗
(Some finite prefix)
(ALL finite prefixes)
∧
inf
(Chop-omega)
9
Sequential Compositionality with Temporal Fixpoints
• ITL-based assumptions and commitments for a system Sys:
w
∧
As
∧
Sys ⊃ Co
∧
fin w0
• Sequential composition of two formulas Sys and Sys 0 :
|=
w
|=
w0
|=
w
∧
∧
∧
As
As
As
∧
∧
∧
Sys ⊃ Co
∧
Sys 0 ⊃ Co
fin w0
∧
fin w00
(Sys; Sys 0 ) ⊃ Co
∧
fin w00
• Zero or more iterations of a formula Sys:
|=
w
∧
As
∧
Sys ⊃ Co
|=
w
∧
As
∧
Sys ∗ ⊃ Co
∧
fin w
∧
fin w
See Moszkowski ’94 (also ’96, ’98)
(Shares some features with Jones’ rely/guarantee conditions)
10
Commitments as Fixpoints
• Formalization:
|=
Co ≡ Co ∗
• Intuition:
Co is true on an interval
iff Co is true on each of a sequence of subintervals.
• Examples:
– “p’s values in the initial and final states are equal” (p ← p)
p: f
t
t
p←p
– Any formula A∗
f
f
p←p
t
t
f
p←p
Example: “even length”
(skip; skip)∗
f
– Any formula expressible as 2(more ⊃ 3
B).
¡
¢
0
Examples: 2(more ⊃ w), 2 (more ∧ w) ⊃ 3 w
11
Peterson’s Mutual Exclusion Algorithm
Process P0 :
do forever
(. . . Noncritical section . . . )
flag 0 := 1;
turn := 0;
await(flag 1 = 0 ∨ turn = 1);
cs 0 := 1;
(. . . Critical section . . . )
cs 0 := 0;
flag 0 := 0;
(. . . Noncritical section . . . )
Overall program has two processes P0 and P1 :
flag 0 = flag 1 = cs 0 = cs 1 = 0 ∧ turn = 0 ∧ (P0 k P1 )
See textbook Synchronization Algorithms and Concurrent
Programming, G. Taubenfeld (Pearson/Prentice Hall, 2006).
12
Safety Property
Can express behaviour of the program in PITL.
Recall that 2f A means: “A is true in all finite prefix subintervals”.
Safety property for mutual exclusion expressible as
2f (more ⊃ 3 B).
¡
¢
Includes formulas of form 2f (more ∧ fin w) ⊃ 3 C .
Safety property for individual process in Peterson’s algorithm:
¡
2f (more ∧ fin(cs 0 = 1)) ⊃
3(test;
stability;
test;
¢
stability) .
“Star-free” operand of 2f reducible to point-based temporal logic.
Can use 2f instead of past-time constructs.
13
Time Reversal and Chop-Star Fixpoints
Let σ r denote temporal reverse of finite interval σ:
Let Ar be like A in reverse:
σr
A
|=
iff
σ
|=
σ|σ| . . . σ0 .
Ar for finite intervals.
Sample finite-time semantic equivalences:
(A∨B)r ≡ Ar ∨B r (A;B)r ≡ B r;Ar more r ≡ more (2f A)r ≡ 2(Ar ).
For finite time:
|=
finite ⊃ A
iff
|=
finite ⊃ Ar .
Time reversal of 2f (more ⊃ 3 B) with finite time:
¡
¢r
2f (more ⊃ 3 B) ≡ 2(more ⊃ 3f B r ).
Already have that 2(more ⊃ 3f B r ) is chop-star fixpoint:
¡
¢∗
r
r
f
|= 2(more ⊃ 3
B ) ≡ 2(more ⊃ 3f B ) .
Using time reversal
³ of this:
´r
¡
¢
∗
f
|= finite ⊃ 2(more ⊃ 3
B r ) ≡ 2(more ⊃ 3f B r )
.
¡
¢∗
Simplify: |= finite ⊃ 2f (more ⊃ 3 B) ≡ 2f (more ⊃ 3 B) .
* Can extend proof to infinite time.
14
Reduction to Conventional Temporal Logic
• Want to show: 2f (more ⊃ 3 B) ∧ 2f (more ⊃ 3 B 0 ) ⊃ 2 w.
Example: In Peterson’s algorithm, let w be cs 0 = 0 ∨ cs 1 = 0.
Re-express 2 w as 2f fin w.
Can test validity for finite time. Readily extends to infinite time.
Or test by reducing to finite time with point-based temporal logic:
(more ⊃ 3 B)
∧
(more ⊃ 3 B 0 )
⊃
fin w
• Temporal reverse of 2f (more ⊃ 3 B) reducible to PTL formula.
Simplifies testing w ∧ As ∧ Sys ⊃ Co ∧ fin w.
Sys is like a regular expression and easy to reverse.
• In following, for any 2f formula only need to check for finite time:
|=
w
∧
finite
∧
Sys ∗ ⊃ 2f A ∧ fin w ⇒
|=
w
∧
Sys ω ⊃ 2f A ∧ fin w.
Helps show 2f (more ⊃ 3 B) is chop-star fixpoint for infinite time.
15
Some Related Observations by Others
• Textbook using Duration Calculus (ITL variant for real time):
Real-Time Systems:
Formal Specification and and Automatic Verification
E.-R. Olderog & H. Dierks, Cambridge University Press
Regarding point-based logics: “complicated reasoning”
Regarding timed process algebras: “difficult to calculate with”
• KIV interactive theorem prover at Univ. of Augsburg, Germany.
Uses ITL as frontend and as backend for UML, Statecharts, etc.
FACS journal paper, 2009 (lock-free algs., linearizability, Re/Gu):
“The (program’s) line numbers . . . are not used in KIV.”
“An additional translation to a special normal form (as e.g. in
TLA) using explicit program counters is not necessary.”
16
Conclusions
We have presented some ideas about reasoning in ITL:
• Temporal fixpoints for sequential compositionality
• Prefix subintervals (instead of past-time constructs).
• Time reversal for reduction to point-based temporal logic.
• Reductions from infinite time to finite time.
View point-based temporal logic as lower level and subordinate.
Approach is intriguing (and axiomatisable) but needs further study.
Appears related to Dijkstra’s “Gotos considered harmful” thesis.
Somewhat analogous to Vardi’s “Final Showdown” article relating
linear-time and branch-time temporal logics for model checking.
For more about ITL: ITL webpages – maintained by Antonio Cau:
http://www.tech.dmu.ac.uk/STRL/ITL/
Using search engine: “Interval Temporal Logic”
17