Linear Temporal Logic Moonzoo Kim CS Division of EECS Dept. KAIST [email protected] http://pswlab.kaist.ac.kr/courses/cs402-07 1 Motivation for verification There is a g great advantage g in being g able to verify y the correctness of computer systems This is most obvious in the case of safety safety--critical systems Also applies to mass mass--produced embedded devices ex. ex Cars, Cars avionics avionics, medical devices ex. handphone, USB memory, MP3 players, etc F Formal l verification ifi ti can b be th thought ht off as comprising i i th three parts t 1. 2. 3. a system description language a requirement specification language a verification method to establish whether the description of a system satisfies the requirement specification. 2 Model checking Model checking In a model model--based approach, the system is represented by a model M . The specification is again represented by a formula φ. The verification consists of computing whether M satisfies φ M ² φ C ti Caution: M ² φ represents t satisfaction satisfaction, ti f ti , nott semantic ti entailment t il t In model checking, The model M is a transition systems and the property φ is a formula in temporal logic ex. p, q, ♦ q, ♦ q p p p,q 3 Linear time temporal logic (LTL) LTL models time as a sequence of states, states, extending i fi it l iinto infinitely t th the future f t Fp→GrǬqUp sometimes a sequence of states is called a computation path or an execution path, path, or simply a path Def 3.1 LTL has the following syntax φ ::= T | ⊥ | p | ¬ φ | φ Æ φ | φ Ç φ | φ → φ |Xφ|Fφ|Gφ|φUφ|φWφ|φRφ where p is any propositional atom from some set Atoms → Ç F p U G Operator precedence the unary connectives bind most tightly tightly. Next in the order come U, R, W, Æ, Ç, and → r ¬ p q 4 Semantics of LTL (1/3) Def 3.4 A transition system (called model) M = (S, →, L) a set of states S a transition relation → (a binary relation on S) S={s0,s1,s2} →={(s {(s0,s1),(s1,s0),(s1,s2),(s0,s2),(s2,s2)} L={(s0,{p,q}),(s1,{q,r}), (s2,{r})} Def. 3.5 A path in a model M = (S, →, L) is an infinite sequence of ≥ 1, sij→ sij+1. We write the states si1, si2, si3,… in S s.t. for each jj≥ path as si1→ si2 → … a labeling function L: S → P (Atoms) Example such that every s ∈ S has some s’ ∈ S with s → s’ From now on if there is no confusion, we drop the subscript index i for the sake of simple description We write πi for the suffix of a path starting at si. ex. π3 is s3 → s4 → … 5 Semantics of LTL (2/3) D f3 Def 3.6 6L Lett M = (S, (S →, L) b be a model d l and d π = s1 → … be b a path in M. Whether π satisfies an LTL formula is defined by the satisfaction relation ² as follows: Basics: π ²>, π 2⊥, π ²p iff p ∈ L(s1) , π ² ¬φ iff π 2 φ Boolean operators: π ² p Æ q iff π ² p and π ² q π ² X φ iff π2 ² φ (next °) π ² G φ iff for all i ≥ 1, πi ² φ (always ) π ² F φ iff there is some i ≥ 1,, πi ² φ (eventually y ♦) π ² φ U ψ iff there is some i ≥ 1s.t. πi ² ψ and for all j=1,…,i j=1,…,i-1 we have j π ² φ (strong until) π ² φ W ψ iff either ((weak weak until) until) similar for other boolean binary operators either there is some i ≥ 1 s.t s.t.. πi ² ψ and for all j=1,…,i j=1,…,i-1 we have πj ² φ or for all k ≥ 1 we have πk ² φ π ² φ R ψ iff either ((release release)) either there is some i ≥ 1 s.t s.t.. πi ² φ and for all j=1,…,i j=1,…,i we have πj ² ψ or for all k ≥ 1 we have πk ² ψ 6 Semantics of LTL (3/3) Def 3.8 3 8 Suppose M = (S, (S →, L) is a model model, s ∈ S, S and φ an LTL formula. We write M,s ² φ if for every execution path π of M starting at s, we have π ² φ If M is clear from the context context, we write s ² φ M Example s0 ² p Æ q since π ² p Æ q for every path π beginning in s0 s0 ² ¬r, s0 ² > s0 ² X r, s0 2 X (q Æ r) s0 ² G ¬(p Æ r), s2 ² G r For any s of M, s ² F( F(¬ ¬q Æ r) → F G r s0 2 G F p Note that s2 satisfies ¬q Æ r s0 → s1 → s0 → s1 … ² G F p s0 → s2 → s2 → s2 … 2 G F p s0 ² G F p → G F r s0 2 G F r → G F p 7 8 slide quoted from Caltech 101b.2 “Logic Model Checking” by Dr.G.Holzmann 9 slide quoted from Caltech 101b.2 “Logic Model Checking” by Dr.G.Holzmann 10 slide quoted from Caltech 101b.2 “Logic Model Checking” by Dr.G.Holzmann 11 slide quoted from Caltech 101b.2 “Logic Model Checking” by Dr.G.Holzmann Equivalences between LTL formulas Def 3.9 φ ≡ ψ if for all models M and all paths π in M: π ² φ iff π ² ψ ¬G φ ≡ F ¬φ, ¬F φ ≡ G ¬φ, ¬X φ ≡ X ¬φ ¬ (φ U ψ ) ≡ ¬ φ R ¬ ψ , ¬ (φ R ψ ) ≡ ¬ φ U ¬ ψ F (φ (φ Ç ψ) ≡ F φ Ç F ψ G (φ (φ Æ ψ ) ≡ G φ Æ G ψ F φ ≡ T U φ, G φ ≡ ⊥ R φ φUψ≡φWψÆFψ φWψ≡φUψÇ Gφ φ W ψ ≡ ψ R (φ (φ Ç ψ ) φ R ψ ≡ ψ W (φ (φ Æ ψ ) 12 Practical patterns of specification For any state, if a request occurs, then it will eventually be acknowledge A certain t i process is i enabled bl d iinfinitely fi it l often on every computation path If the process is enabled infinitely often often, then it runs infinitely often F G deadlock G ((fllor2 Æ directionup p Æ ButtonPressed5 → (directionup U floor5) For every path, it is possible to get to such a state (started Ƭ Ƭready). ready). There exists a such path that gets to such a state. we cannot express this meaning directly LTL has limited expressive power G F enabled → G F running An upwards p traveling g lift at the second floor does not change its direction when it has passengers wishing to go to the fifth floor φ = G ¬(started Æ ¬ready) What is the meaning of (intuitive) negation of φ ? G F enabled Whatever happens, a certain process will eventually be permanently deadlocked It is impossible to get to a state where a system has started but is not ready G(requested → F acknowledged) For example, example LTL cannot express statements which assert the existence of a path From any state s, there exists a path π starting from s to get to a restart state The lift can remain idle on the third floor with its doors closed Computation Tree Logic (CTL) has operators for quantifying over paths and can express these properties 13 Summary of practical patterns Gp always p invariance Fp eventually t ll p guarantee t p → (F q) p implies eventually q response p → (q U r) p implies q until r precedence GFp always, eventually p recurrence (progress) FGp eventually, always p stability (non(nonprogress) Fp→Fq eventually p implies eventually q correlation 14
© Copyright 2026 Paperzz