Chapter 3:
Temporal Logic I: LTL
Summerterm 2009 – p.67/392
The big picture
System (to be build)
Requirements
modelling
formalisation
Model
modify
Counter example
temporal logic formula
Model checker
no
yes
✓
Summerterm 2009 – p.68/392
In this chapter ...
Learn about:
• a temporal logic (LTL)
syntax
• semantics of LTL
interpretation on Kripke structures
what does M |= ϕ mean ?
• examples for the specification of requirements in LTL
• expressiveness of LTL
Summerterm 2009 – p.69/392
LTL
(P)LTL - Propositional linear-time temporal logic
Basis:
atomic propositions
(assertions/predicates on states,
also called state formulae)
additionally:
boolean connectives: ∨, ∧, ¬
temporal operators: always, sometimes, tomorrow
Summerterm 2009 – p.70/392
LTL - Syntax
Def.. AP a set of atomic propositions. The set of LTL-formulae over
AP is inductively defined as follows
• p ∈ AP is an LTL formula
• if ϕ is an LTL formula, so is ¬ϕ,
• if ϕ, ψ are LTL formulae, so is ϕ ∨ ψ ,
• if ϕ is an LTL formula, so are X ϕ, G ϕ, F ϕ,
• if ϕ, ψ are LTL formulae, so is ϕ U ψ .
A formula without U , G , X , F is a state formula.
Summerterm 2009 – p.71/392
In addition ..
Derived boolean connectives
true
false
ϕ∧ψ
ϕ⇒ψ
ϕ⇔ψ
:=
:=
:=
:=
:=
p ∨ ¬p
¬true
¬(¬ϕ ∨ ¬ψ)
¬ϕ ∨ ψ
(ϕ ⇒ ψ) ∧ (ψ ⇒ ϕ)
Summerterm 2009 – p.72/392
Semantics: informally
Meaning of temporal operators
• X (next)
X ϕ: ϕ holds in the next state
• G (globally, always)
G ϕ: ϕ holds always
• F (eventually, in the future)
F ϕ: ϕ holds sometimes in the future
• U (until)
ϕ U ψ : ϕ holds until ψ holds (and ψ will eventually
hold)
Examples of LTL formulae: let AP = {x = 1, x < 2, x ≥ 3}
X (x = 1), ¬(x < 2), (x < 2) U (x ≥ 3), F (x < 2) ∨ G (x ≥ 3)
Summerterm 2009 – p.73/392
Semantics: graphically
Formulae are interpreted on paths of Kripke structures
|= X p
p
|= G p
p
p
p
p
p
p
p
p
p
p
p
p
p
|= F p
p
|= p U q
p
p
p
p
p
q
Summerterm 2009 – p.74/392
Semantics: formal
Given Kripke structure M , look at all paths of M
Def.. Let M be a Kripke structure and ϕ an LTL formula. M |= ϕ iff
π |= ϕ for all paths π of M, which start in the initial state.
some notation:
π = s0 s1 s2 . . . a path.
π i = si si +1 si +2 . . . is the i-suffix of π
Summerterm 2009 – p.75/392
Semantics: formal (2)
Def.. Let π = s0 s1 s2 . . . a path, ϕ an LTL formula. π |= ϕ is
inductively defined as follows.
• π |= p, p ∈ AP iff p holds in s0 (i.e. p ∈ L(s0 ))
• π |= ¬ϕ iff not π |= ϕ
• π |= ϕ ∨ ψ iff π |= ϕ oder π |= ψ
• π |= X ϕ iff π 1 |= ϕ
• π |= G ϕ iff ∀ i ≥ 0 : π i |= ϕ
• π |= F ϕ iff ∃ j ≥ 0 : π j |= ϕ
• π |= ϕ U ψ iff ∃ k ≥ 0 : π k |= ψ and
∀ j , 0 ≤ j < k , π j |= ϕ.
Summerterm 2009 – p.76/392
Examples
on the blackboard
Summerterm 2009 – p.77/392
Specification of properties
Properties:
- p is always (eventually) followed by q
G (p ⇒ F q )
- p is always directly followed by q
G (p ⇒ X q )
- p will eventually be true forever
F Gp
- p will always be true
Gp
Summerterm 2009 – p.78/392
Specification of properties (2)
Atomic propositions:
coffee chosen, tea chosen, money inserted , coffee delivered , tea delivered
- once in a while someone chooses tea or coffee
- if coffee is chosen and next money is inserted
coffee will be delivered
- when coffee has been chosen tea will not be delivered
until tea is chosen
Summerterm 2009 – p.79/392
Specification of properties (2)
Atomic propositions:
coffee chosen, tea chosen, money inserted , coffee delivered , tea delivered
- once in a while someone chooses tea or coffee
G F (tea chosen ∨ coffee chosen)
- if coffee is chosen and next money is inserted
coffee will be delivered
G ((coffee chosen ∧ X money inserted ) ⇒
F coffee delivered )
- when coffee has been chosen tea will not be delivered
until tea is chosen
G (coffee chosen ⇒ (¬tea delivered U tea chosen))
Summerterm 2009 – p.79/392
Temporal operators
Some temporal operators expressible by others (X and U
sufficient)
Def. (Equivalence of LTL formulae). LTL formulae ϕ, ψ are said to be
equivalent (ϕ ≡ ψ ) iff for all paths π we have
π |= ϕ ⇔ π |= ψ
The following holds
1. F ϕ ≡ true U ϕ,
2. G ϕ ≡ ¬F ¬ϕ
Summerterm 2009 – p.80/392
Proof: eventually by until
Look at a path π
π |= F ϕ
⇔ ∃ k ≥ 0 : π k |= ϕ (Def. F )
⇔ ∃ k ≥ 0 : π k |= ϕ ∧ ∀ j , 0 ≤ j < k : π j |= true
(true holds on all states)
⇔ π |= true U ϕ (Def. U )
Summerterm 2009 – p.81/392
Proof: always by eventually
π |= G ϕ
⇔ ∀ i ≥ 0 : π i |= ϕ (Def. G )
⇔ ¬ ∃ i ≥ 0 : ¬(π i |= ϕ) (predicate logic)
⇔ ¬ ∃ i ≥ 0 : π i |= ¬ϕ (Def. ¬)
⇔ ¬(π |= F ¬ϕ) (Def. F )
⇔ π |= ¬F ¬ϕ (Def. ¬)
Summerterm 2009 – p.82/392
More equivalences (1)
Duality
¬G ϕ ≡ F ¬ϕ
¬F ϕ ≡ G ¬ϕ
¬X ϕ ≡ X ¬ϕ
Idempotency
GGϕ ≡ Gϕ
F F ϕ ≡ F ϕ
ϕ U (ϕ U ψ) ≡ ϕ U ψ
(ϕ U ψ) U ψ ≡ ϕ U ψ
Summerterm 2009 – p.83/392
More equivalences (2)
Absorption
F GF ϕ ≡ GF ϕ
GF Gϕ ≡ F Gϕ
Distributivity
X (ϕ U ψ) ≡ (X ϕ) U (X ψ)
Expansion
ϕ U ψ ≡ ψ ∨ (ϕ ∧ X (ϕ U ψ))
F ϕ ≡ ϕ∨X F ϕ
G ϕ ≡ ϕ∧X G ϕ
Summerterm 2009 – p.84/392
Extensions of LTL (1)
every temporal operator has a dual one referring to the
past
for next
- previous
X
always
- has always been G
eventually - once
F
until
- since
S
these operators do not increase expressiveness but may
simplify specification of properties
Summerterm 2009 – p.85/392
Characterising properties (1)
Informally:
• Safety
”nothing bad happens”
• Liveness
”eventually something good happens”
Summerterm 2009 – p.86/392
Characterising properties (2)
Formally:
let π = s0 s1 s2 . . . be a path
let π[0..k ] := s0 . . . sk be a prefix of π
then π is said to be an extension of π[0..k ]
• ϕ is a safety formula iff every path π such that π 6|= ϕ
has a prefix π[0..k ] such that for all infinite extensions
π ′ of π[0..k ] π ′ 6|= ϕ holds.
• ϕ is a liveness formula iff every finite sequence of
states s0 . . . sk can be extended to an infinite path π
such that π |= ϕ holds.
Summerterm 2009 – p.87/392
Example - MUTEX








l0
: while true do
l1

: while true do
NC0
: wait (turn = 0);
NC1
: wait (turn = 1);
CR0
: turn := 1
CR1
: turn := 0
od;
lˆ0 ;
od;
lˆ1 ;







Safety properties
• mutual exclusion
G ¬(at CR0 ∧ at CR1 )
• more difficult: ”1-bounded-overtaking”
when P0 enters NC0 , then P1 can enter its critical
region at most once before P0 does
Summerterm 2009 – p.88/392
1-bounded-overtaking
Needed:
weak until p W q := G p ∨ (p U q )
1-bounded-overtaking as LTL formula:
at NC0 ⇒ ¬at CR1 W (at CR1 W (¬at CR1 W at CR0 ))
if P0 is at NC0 , then we have an interval, in which P1 is not
at CR1 , then one, in which P1 is at CR1 , then one, in which
P1 is not in CR1 and then P0 enters CR0
every such interval can be empty, and in particular can
also be infinitely long
therefore safety property
Summerterm 2009 – p.89/392
MUTEX (2)
Liveness property:
• already seen
G F at CR0 and G F at CR1
does not hold!
holds under some fairness assumption only
(later)
Summerterm 2009 – p.90/392
Expressiveness of LTL (1)
Question: are there properties which cannot be
expressed in LTL?
Answer: yes
1. properties which refer to the branching structure of
the Kripke structure
CTL can express such properties (later)
Summerterm 2009 – p.91/392
Expressiveness of LTL (2)
2. Parity
p, q atomic propositions
A p-Position j (in a path), i.e. a state sj of the path, in
which p holds, is said to be an even p occurrence, if
the number of p-states before j is even.
Property:
q holds on states with even p-occurrence only
not expressible in LTL;
logic needs to be able to count modulo 2
possible in logics with quantification
Summerterm 2009 – p.92/392
Learned
Summary
• a temporal logic with syntax and semantics
• expressiveness
• specification of properties
Summerterm 2009 – p.93/392
The big picture
System (to be build)
Requirements
modelling
formalisation
Model
modify
Counter example
temporal logic formula
Model checker
no
yes
✓
Summerterm 2009 – p.94/392