P. Cabalar Linear-time Temporal Logic Pedro Cabalar Department of Computer Science University of Corunna, SPAIN [email protected] 2013/2014 ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN2013/2014 [email protected] 1 / 64) Propositional Linear-time Temporal Logic (LTL) Syntax Σ = set of atoms or propositions. Example: Σ = {p, q, r } usual propositional operators ⊥, >, ∧, ∨, ¬, →, ↔ plus modal operators to talk about (linear) time Modal operators: P. Cabalar unary operators: = “forever” ♦ = “eventually” = “next” binary operators: U = “until” W = “until” (weak version) V = “release” (dual of U) ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN2013/2014 [email protected] 3 / 64) Semantics Definition 1 (State) Given a set of propositions Σ, a state s is a truth valuation s : Σ −→ {True, False}. It can be represented as the set of (true) atoms. Example: if Σ = {p, q, r } state s = {p, r } means s(p) = True, s(q) = False, s(r ) = True. Definition 2 (Interpretation) An interpretation M is an infinite sequence of states s0 , s1 , s2 , . . . Example: P. Cabalar {p, q} {p, r } {q} {q, r } ∅ • /• /• /• /• s0 s1 s2 s3 s4 / ... ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN2013/2014 [email protected] 4 / 64) Definition 3 (Satisfaction) Let M = s0 , s1 , . . . with i ≥ 0. We say that M, i |= α when: M, i |= p if p ∈ si (for p ∈ Σ) M, i |= α if M, j |= α for all j ≥ i M, i |= ♦α if M, j |= α for some j ≥ i M, i |= α if M, i + 1 |= α M, i |= α U β if there exists n ≥ i, M, n |= β and M, j |= α for all i ≤ j<n. M, i |= α W β if M, i |= α or M, i |= α U β P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN2013/2014 [email protected] 5 / 64) Semantics ϕ ϕ • /• /• ϕ ϕ ϕ • /• /• / ... /• / ... ϕ ϕ / ... /• / ... ♦ϕ ϕ • P. Cabalar /• /• / ... /• / ... ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN2013/2014 [email protected] 6 / 64) Semantics ϕ U ψ = repeat ϕ until (mandatorily) ψ ϕ ϕ ϕ • /• /• / ... ϕ ψ /• /• / ... ϕ V ψ = there is a ϕ before any state in which ¬ψ ¬ψ ϕ • P. Cabalar /• /• / ... /• /• / ... ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN2013/2014 [email protected] 7 / 64) Semantics > U ψ = repeat > until (mandatorily) ψ > > > • /• /• / ... > ψ /• /• / ... This is equivalent to ♦ψ. ⊥ V ψ = there is a ⊥ before any state with ¬ψ. That is, we cannot have ¬φ, i.e., ψ must hold forever ψ P. Cabalar ψ ψ ψ • /• /• / ... ψ ψ /• /• / ... ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN2013/2014 [email protected] 8 / 64) Some standard logical terminology Interpretation M is a model of theory Γ, written M |= Γ, iff M, 0 |= α for each formula α ∈ Γ. Formula α is inconsistent or unsatisfiable iff it has no models. α is a tautology or is valid iff any interpretation is a model of α. α is a “logical consequence of” or “is entailed by” Γ, written Γ |= α, iff any model of Γ satisfies α. Therefore, when Γ = ∅, what does |= α mean? Two formulas are equivalent iff they have the same models. LTL satisfies {α} |= β iff |= α → β In particular, α and β are equivalent iff |= α ↔ β. P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN2013/2014 [email protected] 9 / 64) Some interesting equivalences P. Cabalar ♦α ↔ > U α (1) α ↔ ⊥ V α (2) α ↔ ¬♦¬α (3) ♦α ↔ ¬¬α (4) α ↔ α ∧ α (5) ♦α ↔ α ∨ ♦α (6) α U β ↔ (α W β) ∧ ♦β (7) α W β ↔ (α U β) ∨ α (8) α U β ↔ β ∨ α ∧ (α U β) α V β ↔ ¬(¬α U ¬β) (9) (10) ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 10 / 64) Some interesting equivalences Exercise 1 Prove validity of (6) and (9). Exercise 2 Which are the models of ⊥ Up? Which are the models of (p) U¬p ? Exercise 3 Define an operator B (“before”) so that α B β means for any state in which β will occur, then some α will occur before. Exercise 4 Try to express the formula whose models satisfy: p is true in all even states 0, 2, 4, . . . leaving all the rest free. P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 11 / 64) Outline 1 Syntax and semantics 2 Specification with LTL 3 Model checking algorithms 4 Deductive system 5 Complexity and expressiveness 6 Semantic tableaux P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 13 / 64) Examples of properties specification Figure out the meaning of these example formulas: P. Cabalar ((¬passport ∨ ¬ticket) → ¬board)) (requested → ♦received) (received → processed) (processed → ♦done) “It can’t be that we continually resend a request that is never done.” The statement: requested ∧ ¬done should be inconsistent. That is, we should be able to derive requested → ♦done. ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 14 / 64) An example: trains crossing Railroad, single rail and a road level-crossing. Goal: specifying properties to be satisfied. Propositions representing events I I I I P. Cabalar a = “A train is approaching" c = “A train is crossing" l = “The light is blinking" b = “The barrier is down" ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 15 / 64) Safety properties Safety property = something bad never happens = ¬bad. When a train is crossing, the barrier must be down Solution: (c → b) ≡ ¬(c ∧ ¬b) If a train is approaching or crossing, the light must be blinking Solution: (a ∨ c → l) ≡ ¬((a ∨ c) ∧ ¬l) If the barrier is up and the light is off, then no train is coming or crossing. Solution: (¬b ∧ ¬l → ¬a ∧ ¬c) ≡ (¬b ∧ ¬l ∧ (a ∨ c)) P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 16 / 64) Liveness properties Liveness property = something initiated eventually terminates = (initiated → ♦terminates) P. Cabalar When a train is approaching, a train will eventually cross Solution: (a → ♦c) Sometimes we can use U, W or V to propagate a condition until termination. When a train is approaching (and nobody is crossing), the barrier will be eventually down before it crosses (if it does so) Solution: (a ∧ ¬c → ¬c W b) If a train finishes crossing, the barrier will be eventually risen Solution: ¬(c ∧ c U(¬c ∧ b)) ≡ (c → ¬c V(¬c → ♦¬b)) ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 17 / 64) Infinitely often vs latching condition P. Cabalar Something happens infinitely often = ♦something. Example: The barrier is risen infinitely often = ♦¬b The dual is a latching condition = ♦α. Example: at a given point, no more trains are approaching = ♦¬a ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 18 / 64) Fairness Fairness means that if a choice holds sufficiently often, then it is taken sufficiently often. Some examples: P. Cabalar Unconditional or absolute fairness (a.k.a. impartiality) every process should be executed infinitely often ♦executedi Strong fairness every process enabled infinitely often should be executed infinitely often ♦enabledi → ♦executedi Weak fairness every process permanently enabled after some point should be executed infinitely often ♦enabledi → ♦executedi ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 19 / 64) Outline 1 Syntax and semantics 2 Specification with LTL 3 Model checking algorithms 4 Deductive system 5 Complexity and expressiveness 6 Semantic tableaux P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 21 / 64) A simple example of concurrent program An example (from “A primer on Model Checking”, M. Ben-Ari 2010). Two processes P and Q may increment the value of a memory cell n using a register regP, regQ respectively. They run concurrently. An interruption may arbitrarily stop the execution, store the register values, and then restore them on return. Process P Process Q integer regQ=0; integer regP=0; p1: load n into regP q1: load n into regQ q2: increment regQ p2: increment regP q3: store regQ into n p3: store regP into n p4: end q4: end P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 22 / 64) A simple example of concurrent program P. Cabalar A state has (IPP,IPQ,regP,regQ,n) where IPP and IPQ are the respective instruction pointers. Initial state is always (p1,q1,0,0,0). Thus, each variable can take values 0,1,2 (at most, two increments are made). There exist 4 × 4 × 3 × 3 × 3 = 432 states. We may build a non-deterministic finite automaton (NFDA) with all the transitions. ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 23 / 64) A simple example of concurrent program P. Cabalar Example of computation: (p1,q1,0,0,0) → (p2,q1,0,0,0) (p3,q1,1,0,0) → (p4,q1,1,0,1) (p4,q2,1,1,1) → (p4,q3,1,2,1) (p4,q2,1,2,2) p1: p2: p3: p4: load n into regP increment regP store regP into n end q1: q2: q3: q4: load n into regQ increment regQ store regQ into n end ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 24 / 64) A simple example of concurrent program P. Cabalar We want to check the assertion: after termination, n=2. That is, p4 ∧ q4 ⇒ n = 2. We check whether there exists an execution satisfying the negation: p4 ∧ q4 ∧ n 6= 2. After building the automaton, we obtain a counterexample path: (p1,q1,0,0,0) → (p2,q1,0,0,0) (p2,q2,0,0,0) → (p3,q2,1,0,0) (p3,q3,1,1,0) → (p4,q3,1,1,1) (p4,q4,1,1,1) p1: p2: p3: p4: load n into regP increment regP store regP into n end q1: q2: q3: q4: load n into regQ increment regQ store regQ into n end ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 25 / 64) Model checking algorithms P. Cabalar Real problems have finite number of states (computers deal with a finite number of bits). But still, we deal with an unfeasible, astronomical number of cases: possible values in the memory × possible transitions in a path the NFDA × number of possible paths in the NFDA. Keypoint: not all the states are reachable. In our example, from 432, fixing initial state (p1,q1,0,0,0) only 22 are reachable. Model checking algorithms generate reachable states on-the-fly from initial state and property to check. To check whether a generated state was obtained before, a hash table storing the states is used. ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 26 / 64) SPIN It uses a programming language Promela (PROcess MEta LAnguage) derived from Dijkstra’s Guarded Command LanguageProperties are specified either using local assert statments or globally using linear temporal logic (LTL). No pointers, functions, parameters, classes, etc. Focused on concurrency and verification. P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 27 / 64) SPIN P. Cabalar Assume we execute now our two processes in a loop of 10 times. The code using SPIN programming language, Promela, would be: byte n=0, finish=0; active [2] proctype P() { byte register, counter=0; do :: counter = 10 -> break :: else -> register=n; register++; n=register; counter++ od; finish++ } ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 28 / 64) SPIN P. Cabalar (continued) active proctype WaitForFinish() { finish==2; printf("n= %d \n",n) } ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 29 / 64) Automata construction P. Cabalar Model checking algorithms try to build an automaton AP that captures the program behaviour. Given the property α to check, we generate a second automaton A¬α for its negation. We take the intersection automaton AP ∩ A¬α . 1 2 If no path, the property is satisfied If we find a path, it is a counterexample “On-the-fly” techniques [Gerth,Peled,Vardi & Wolper 95] allow detecting that a property does not hold before completely constructing the full automaton. ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 30 / 64) Explicit vs Symbolic Two possibilities: Explicit model checking: each automaton node is an individual state. A hash table indexes all the expanded states. SPIN uses this method. Symbolic model checking each node actually represents a set of states. Typically, each set of states is represented with a Binary Decision Diagram (BDD). SMV uses this method. P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 31 / 64) Model checking techniques P. Cabalar Partial order reduction: the keypoint is detecting when the ordering of interleavings is irrelevant. Example: n processes can execute instructions I1 , I2 , . . . In in any ordering. We have n! combinations, but we can fix an arbitrary one when ordering is irrelevant for the property to check. Bounded model checking: when we want to check if property α is violated in k or fewer steps (k ≥ 0 finite). Fixing the path length i ≤ k we can translate the problem to SAT (propositional satisfiability). Iterative deepening goes increasing i = 1, 2, . . . , k until a counterexample is found or k reached. ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 32 / 64) Outline 1 Syntax and semantics 2 Specification with LTL 3 Model checking algorithms 4 Deductive system 5 Complexity and expressiveness 6 Semantic tableaux P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 34 / 64) Inference Methods Inference or formal proof: we make syntactic manipulation of formulae. To do so, we use: P. Cabalar An initial set of formulae: axioms. Syntactic manipulation rules: inference rules. As a result of applying these rules, we go obtaining new formulae: theorems ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 35 / 64) Inference methods Notation: Γ ` α means that formula α can be derived or inferred from theory Γ. Usually, axioms are not represented inside Γ. Thus, ` α means that α is a theorem (from logic L). Given a language L, a logic L is a subset of L. It can be defined: I I Semantically: L = {α ∈ L | |= α}. Syntactically: L = {α ∈ L | ` α}. What should we expect from an inference method? I I P. Cabalar Soundness (or correctness): if ` α then |= α Completeness: if |= α then ` α ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 36 / 64) A deductive system We define the LTL deductive system as follows. Axioms: Ax0 PC Any substitution instance of any Propositional Calculus tautology Ax1 ` (α → β) → (α → β) Distribution of over → Ax2 ` (α → β) → (α → β) Distribution of over → Ax3 ` α → (α ∧ α ∧ α) Expansion of Ax4 ` (α → α) → (α → α) Induction Ax5 ` α ↔ ¬ ¬α Linearity Inference rules: P. Cabalar MP N `α, `α→β `β `α `α Modus Ponens Necessitation ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 37 / 64) A deductive system An example of a proof Theorem 4 (transitivity) ` p ↔ p Proof: 1. 2. 3. 4. 5. 6. P. Cabalar ` p → p ` p → p ` (p → p) ` (p → p) → (p → p) ` p → p ` p ↔ p Expansion Expansion Necessitation on 2 Induction Modus Ponens on 3, 4 P.C. 1, 5 Q.E.D. ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 38 / 64) A deductive system Derived inference rules: G `α→β `α→β − Generalization G `α→β `α→β − Generalization Ind `α→α `α→α Induction These rules can be derived from previous axioms and rules. P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 39 / 64) A deductive system Exercises Exercise 5 Prove the following theorems: ` (p ∧ q) ↔ p ∧ q ` ♦(p ∨ q) ↔ ♦p ∨ ♦q Exercise 6 Prove the theorem ` p ∨ q → (p ∨ q) and find a counterexample for: (p ∨ q) → p ∨ q P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 40 / 64) Outline 1 Syntax and semantics 2 Specification with LTL 3 Model checking algorithms 4 Deductive system 5 Complexity and expressiveness 6 Semantic tableaux P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 42 / 64) Complexity P. Cabalar In complexity theory, solving a decision problem means building an algorithm that, in a finite number of steps, answers yes or no to a given input query. For instance, SAT (propositional satisfiability, i.e., “does a formula α have any model?”) is a decision problem, and its complexity class is NP-complete. Other examples of NP-complete problems are: the Travelling Salesman problem, the Graph Coloring problem, Subset Sum problem (find non-empty subset of integers that sum 0). ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 43 / 64) Meaning of NP-completeness ... 0 0 0 0 1 A B 2 0 0 ... q4 A Turing Machine (TM) is a theoretical device that operates on an infinite tape with cells containing symbols in a finite alphabet (including the blank or ’0’) The TM has a current state Si among a finite set of states (including ’Halt’), and a head pointing to the “current” cell in the tape. It has an associated transition function that describes the next step. P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 44 / 64) Meaning of NP-completeness P. Cabalar Example: with scanned symbol 0 and state q4 , write 1, move Left and go to state q2 . That is: ... 0 0 0 0 1 A B 2 0 0 ... q4 t(0, q4 ) = (1, Left, q2 ) ... 0 0 0 1 1 A B 2 0 0 ... q2 ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 45 / 64) Meaning of NP-completeness P. Cabalar A decision problem consists in providing a given tape input and asking the Turing Machine for a final output symbol answering Yes or No. Example: SAT = given (an encoding of) a propositional formula, does it have at least one model? A decision problem is in complexity class P iff the number of steps carried out by the TM is polynomial on the size n of the input. ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 46 / 64) Meaning of NP-completeness Now, a non-deterministic Turing Machine (NDTM) is such that the transition function is replaced by a transition relation. We may have different possibilities for the next step. Example: t(0, q4 , 1, Left, q2 ), t(0, q4 , 0, Right, q3 ) ... 0 0 0 0 1 A B 2 0 0 ... q4 ... 0 0 0 1 1 A B 2 0 0 q2 P. Cabalar ... ... 0 0 0 0 1 A B 2 0 0 q3 ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 47 / 64) .. Meaning of NP-completeness Keypoint: an NDTM provides an affirmative answer to a decision problem when at least one of the executions for the same input answers Yes. A decision problem is in class NP iff the number of steps carried out by the NDTM is polynomial on the size n of the input. For SAT , we can build an NDTM that performs two steps: 1 For each atom, generate 1 or 0 nondeterministically. This provides an arbitrary interpretation in linear time. 2 Test whether the current interpretation is a model or not. The sequence of these two steps takes polynomial time. P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 48 / 64) Meaning of NP-completeness Unsolved problem ? P = NP The most accepted conjecture is that P ⊂ NP. But remains unproved. It is one of the 7 Millenium Prize Problems http://www.claymath.org/millennium/P_vs_NP/ The Clay Mathematics Institute designated $1 million prize for its solution! P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 49 / 64) Meaning of NP-completeness A problem X is C-complete, for some complexity class C, iff any problem Y in C is reducible to X in polynomial-time. A complete problem is a representative of the class. Example: if an NP-complete problem happened to be in P then P = NP. SAT was the first problem to be identified as NP-complete (Cook’s theorem, 1971). SAT is commonly used nowadays for showing that a problem X is at least as complex as NP. To this aim, just encode SAT into X . P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 50 / 64) LTL-satisfiability is PSPACE-complete Theorem 5 [Halpern & Reif 1981], [Sistla & Clarke, 1982] LTL-satisfiability is PSPACE-complete. PSPACE is the set of decision problems that can be solved by a Turing Machine using a polynomial amount of space (for a finite, unlimited time). There is no difference when the machine is non-deterministic NPSPACE = PSPACE [Savitch 1970]. On the other hand, NP ⊆ PSPACE. Again, unsolved question ? NP = PSPACE but strongly suspected to be 6=. Other PSPACE-complete problems are: Quantified Boolean Formula satisfiability, AI-Planning (STRIPS) existence of plan. P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 51 / 64) LTL and automata P. Cabalar An finite state machine or finite automaton is a tuple (Q, A, δ, q0 , F) where I I I I I Q is a finite set of states A is a finite set called the alphabet δ : Q × A → Q is the transition function q0 is the initial state F is the set of accepting or final states Example: this automaton recognizes words containing an even 1 1 0 start number of 0’s q0 q1 0 ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 52 / 64) LTL and automata ω-automata are a variation where the accepted language consists of words of infinite length. They define different acceptance conditions (when we consider a word to be “accepted”) A Büchi automaton (BA) is an ω-automaton with the acceptance condition: There is some run that visits (at least) one of the states in F infinitely often Example: this automaton recognizes the language (0 + 1)∗ 0ω 0 0 start q0 0 q1 1 P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 53 / 64) LTL and automata P. Cabalar During model checking, LTL properties are translated into “equivalent” BA’s By equivalent we mean they recognize the same language. The BA alphabet A corresponds to the set of possible LTL states. Example: if the formula uses atoms Σ = {p, q} then A = 2Σ = {∅, {p}, {q}, {p, q}} Usually, each BA arc is labelled with a set of states that yield the same transition. This set of states is actually represented as an LTL formula. ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 54 / 64) LTL and automata A language accepted by a non-deterministic BA is called regular ω-language. An important restriction: LTL is less expressive than Büchi automata. For instance, Exercise 4 (make p true in even states and free in all the rest) cannot be represented in LTL whereas it is accepted by the Büchi automaton: p start q0 q1 p, ¬p Other temporal logics do cover regular ω-languages. P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 55 / 64) Outline 1 Syntax and semantics 2 Specification with LTL 3 Model checking algorithms 4 Deductive system 5 Complexity and expressiveness 6 Semantic tableaux P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 57 / 64) Semantic tableaux def For simplicity, we assume α → β = ¬α ∨ β and def α ↔ β = (α ∧ β) ∨ (¬α ∧ ¬β) With respect to Propositional Calculus tableaux, we add unfolding rules for modal operators as follows: Propositional Calculus rules Formula α∨β α∧β ¬(α ∨ β) ¬(α ∧ β) ¬¬α P. Cabalar Branch 1 Branch 2 α β α, β ¬α, ¬β ¬α ¬β α Modal rules Formula α ¬♦α ♦α ¬α Branch 1 Branch 2 α, α ¬α, ¬ ♦α α ♦α ¬α ¬ α ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 58 / 64) Semantic tableaux When these rules are exhausted, each tableau leaf is boxed and (partially) represents a state The state usually contains -formulas like α or ¬ α. In such a case, we generate a transition to a next state whose content is fixed with the new rules: Formula Next state α α ¬α ¬α We can reach a state repeated in previous tableau node. If so, we just label the previous node and reuse it P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 59 / 64) Semantic tableaux P. Cabalar Example: take (p ∨ q) ∧ (¬p ∧ ¬q) (p ∨ q) ∧ (¬p ∧ ¬q) (p ∨ q), (¬p ∧ ¬q) p, (¬p ∧ ¬q) q, (¬p ∧ ¬q) Both open branches yield to a transition to a new state where: ¬p ∧ ¬q ¬p, ¬q ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 60 / 64) Semantic tableaux That is, any model of (p ∨ q) ∧ (¬p ∧ ¬q) must contain one of the following structures: s0 p / s1 s0 ¬p ¬q q / s1 ¬p ¬q These are called Hintikka structures. They can be expanded to interpretations (arbitrarily completing the truth of the rest of atoms) P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 61 / 64) Semantic tableaux Example 2: is (p ∧ q) → p valid? We negate the formula and check if we obtain a closed tableau ¬((p ∧ q) → p) l0 : (p ∧ q), ♦¬p p ∧ q, (p ∧ q), ♦¬p p, q, (p ∧ q), ♦¬p p, q, (p ∧ q), ♦¬p p, q, (p ∧ q), ¬p × We would create a new state with (p ∧ q), ♦¬p = l0 P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 62 / 64) Semantic tableaux The tableau is open but generates the following Hintikka structure: s0 p, q s1 s2 / p, q / p, q / ... or simply s0 p, q which is never a model because ♦¬p is never fulfilled For open tableaux, we will have to check fulfillment of ♦α formulas P. Cabalar ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 63 / 64) Semantic tableaux P. Cabalar Example ♦p l1 : ♦p l2 : ♦p, ♦p l3 : p, ♦p l4 : ♦p, ♦p To l1 l5 : ♦p, ♦p To l2 ♦α formulas are fulfilled, so the Hintikka structure represents possible models: s0 s1 p t 4 p ( Department LinearofTemporal ComputerLogic Science University of Corunna, SPAIN 2013/2014 [email protected] 64 / 64)
© Copyright 2025 Paperzz