SS 2017
Software Verification
From multimodal to temporal logic, LTL and CTL
Prof. Dr. Holger Schlingloff 1,2
Dr. Esteban Pavese 1
(1) Institut für Informatik der Humboldt Universität
(2) Fraunhofer Institut für offene Kommunikationssysteme FOKUS
Some Motivation
H. Schlingloff, E. Pavese SS2017: Software-Verifikation
Slide 2
Recap
• Deficits of (multi-)modal logic?
• Definitions of Next-, Future-, and Global-operator?
• Which of the following are valid?




||||-
G*φ  Xφ
F+φ  F* φ
G*φ  (φ  G* X φ)
F* G* φ  G* F* φ
• What is a natural model for temporal logic?
• Give a formula describing the following:
 if p, then q at the next occurrence of p
 before the next occurrence of p there is a q
 between any two occurences of p there is a q
H. Schlingloff, E. Pavese SS2017: Software-Verifikation
Slide 3
LTL (Linear Temporal Logic)
• Usually interpreted on natural or on linearly ordered models
• Expressively equivalent to FOL (<) on linear orders
• Arguably more intuitive to use
• Let M be an FSM, w0 a state in M, and φ an LTL formula.
What is the meaning of (M, w0) ||- φ ?
• interpreted in the graph?
• interpreted in all maximal traces of M?
• Usually, for LTL the second alternative is chosen.
• (M, w0) ||- φ iff for all maximal traces T of M from w0, (T, w0) ||- φ
H. Schlingloff, E. Pavese SS2017: Software-Verifikation
Slide 4
CTL (Computation Tree Logic)
• Any FSM gives rise to
 a set of maximal traces, or
 a computation tree
H. Schlingloff, E. Pavese SS2017: Software-Verifikation
Slide 5
H. Schlingloff, E. Pavese SS2017: Software-Verifikation
Slide 6
Kripke models = LTS
• branching time – possibility properties
• linear time – fairness properties
• CTL* subsumes both CTL and LTL
H. Schlingloff, E. Pavese SS2017: Software-Verifikation
Slide 7
Some Temporal Formulas
•
•
•
•
•
•
•
•
•
•
Termination: F* X 
Deadlock: EF*AX 
Nontermination (deadlock-freedom): G* X Τ or G* F+ Τ
Guarantee: F* φ (where φ describes some desired states)
Safety: G*φ (where φ describes the admissible states)
Invariance: G*(φ  )
Response: G*(φ  F* )
Obligation: (F* φ  F* )
Recurrence / Livelock: G* F+ φ („infinitely often“)
Persistence / Trap: F* G* φ (where φ describes the trap)
Reactivity: (G* F* φ  G* F* ) („infinitely many ping lead to infinitely
many pong“)
• Possibility: AG* EF* φ
• Testability: EG* φ
H. Schlingloff, E. Pavese SS2017: Software-Verifikation
Slide 8
Example: Dining Philosophers
• Signature: P={philieating, forkiavailable,
philihasLeftFork, philihasRightFork}
• Specification of desired properties
X
G*
X
U+
H. Schlingloff, E. Pavese SS2017: Software-Verifikation
Slide 9
(Ph_8) “Philosopher 0 can always eventually be eating”
(Ph_9) “Possibly Philosopher 0 will starve”
H. Schlingloff, E. Pavese SS2017: Software-Verifikation
Slide 10