Download
1 / 34
340 likes | 368 Views
Temporal logic is essential for modeling dynamic systems and behavior over time, exploring Linear Temporal Logic (LTL), semantic intuition, syntax, LTL identities, and examples of specifying with LTL. Learn about safety and liveness properties, limitations, and practical examples.
E N D
Temporal logic • So far we used logic to model and reason about static situations. • Examples: • Are there truth values that can be assigned to x,ysimultaneously that satisfy x Ç:y ? • Is the following valid: 8n 2N.9p 2N. ((n >1 Æ isprime(p)) ! n < p < 2n) • To reason about programs, we need dynamics!
Need dynamics • State = an assignment • Formula = a set of states • i.e., the set of assignments that satisfy it. • What we need is a sequence of states. • possibly an infinite sequence for reactive systems. • Each such sequence is called a behavior, or a computation.
Need dynamics • Once we model our system M, we need to specify it. • Need temporal logic to specify required behavior over time. Let be such a formula. • We will ask whether the following holds: M ² i.e., do all behaviors of M satisfy the property .
History of Temporal Logic • Designed by philosophers to study the way that time is used in natural language arguments • Brought to Computer Science by Amir Pnueli in 1977. • Has proved to be useful for specification of concurrent reactive systems
Linear Temporal Logic (LTL) • In LTL time is • implicit, • discrete, • has an initial moment with no predecessors, and • infinite in the future • The model of LTL formula is infinite sequence of states : s0, s1, s2, …
LTL: Syntax • Elements: • Atomic propositions • Boolean operators¬ • Temporal operatorsG F X U R := () |¬| Æ Ç UR|GF|X| p
LTL: Syntax := () | ¬ | Æ ÇUWG F |X | p G Always( = “Henceforth ”) FEventually(= “ in the future”) X“next-time” U“ until” R“Release”
Semantic Intuition f f f f f f f r r r f f f f f f r r r r r r r,f r • G f - always f • F f –eventually f • X f –next state • f U r– until • f R r– releases
Semantic • Semantic is given with respect to paths • = s0 s1 s2… • Suffix of trace starting at si • i = si si+1 si+2… • A system satisfies an LTL formulaif each path through the system satisfies .
Semantic (cont’d) • k²a iff a sk • k² iff not k² • k² iff k² and k² • k² iff k² or k² • k²X iffk+1² • k²F iff exists i ki² • k²G ifffor all i ki² • k² U iff exists i ki² and for all k j < i. j² • k² R iff for all j k, if for every k· i < j noti² then j²
LTL Identities • Write G with F: G = F • Write F with U: F = (trueU ) • Write R with U: R = ( U ) • Every LTL formula can be rewritten using only operators X U
Combinations • GF p • “p will happen infinitely often” • FG p • “p will happen from some point forever”. • (GF p) ! (GF q) • “If p happens infinitely often, then q also happens infinitely often”. (Now: Examples of specifying with LTL )
Limitations of LTL • Is there a temporal behavior that we cannot express with LTL ? • Property: “p holds in every even state” • Unexpressible in LTL. • There are extensions to LTL that solve these type of problems. We will not learn them.
Two classes of properties • Safety properties: nothing ‘bad’ will happen. • A counterexample is a finite loop-free sequence of states. • Example: G(p → X q) Initial state Bad state p p,q
Two classes of properties • Liveness properties: something ‘good’ will happen. • A counterexample is an infinite trace, showing that this good thing NEVER happens. • In a finite state model, this is represented as a finite sequence of states ending with a loop. • Example: F p Initial state :p :p :p :p :p :p
A Spring Example release s1 s2 s3 pull release S3 S2 0 = s1 s2 s1 s2 s1 s2 s1 … 1 = s1 s2 s3 s3 s3 s3 s3 … 2 = s1 s2 s1 s2 s3 s3 s3 … …
LTL satisfaction by a single sequence release s1 s2 s3 pull release 2 = s1 s2 s1 s2 s3 s3 s3 … 2²S2 ?? 2² X S2 ?? 2² XX S2 ?? 2²FS2 ?? 2²GS2 ?? 2²FGS2 ?? 2²FGS3 ?? 2²¬FGS2 ?? 2² (¬S2) U S3 ?? 2²G(¬S2! X S2) ??
LTL satisfaction by a system release s1 s2 s3 pull release A: A ²FGS2 ?? A ²FGS3 ?? A ² ¬FGS2 ?? A ² (¬S2) U S3 ?? A ²G(¬S2! X S2) ?? A ²S2 ?? A ² X S2 ?? A ² XX S2 ?? A ²FS2 ?? A ²GS2 ??
The problem of vacuity • Consider the following property : G(request F ack) ... and a system M that never sends requests. • The property is satisfied: M ² • Is it ok ? • This can indicate a bug in M or in the property.
The problem of vacuity • Consider the following property : G(p U (p Ç q)) ... and a system M which satisfies Gq. • The property is satisfied: M ² • Is this what the user intended ? • A bug in the property? • Equivalent to G (p Ç q) • Otherwise change the property.
The problem of vacuity • When a formula passes not due to the ‘right’ reasons we might be fooling ourselves that everything is ok. • Is there a way to check for such errors ?
The problem of vacuity • Let be an LTL formula in negation normal form. • is said to be vacuous in M if there exists an occurrence of an atom a2 AP() such that M ²[aà false] • (or M ²[aà true] if a appears negatively). • We check vacuity only after we know that M ²
The problem of vacuity • Example 1: : G(request F ack) • Check 1: G(true F ack) • Suppose that M ²1 • Either: • This contradicts the user’s understanding of M. There is a bug in M. • This was the intention. So change to the stronger formula GF ack.
The problem of vacuity • Example 1: : G(request F ack) • Check 2: G(request F false) • Suppose that M ²2 • Either: • This contradicts the user’s understanding of M. There is a bug in M. • This was the intention. So change to the stronger formula G :request.
The problem of vacuity • Example 2: : G(p U (p Ç q)) • Check 1: G(false U (p Ç q)) • For all M, if M ² then M ²2. • Hopefully the user will realize that it should be G(p Ç q).
The problem of vacuity • Example 2: : G(p U (p Ç q)) • Check 2: G(p U (false Ç q)) • If M ²2 then there is no path satisfying G(p Æ:q) • Error in the model ? • Should we change the property to 2?
The problem of vacuity • Example 2: : G(p U (p Ç q)) • Check 3: G(p U (p Ç false)) • If M ²3 then M ²Gp • Error in the model ? • Should we change the property to 3?
Mutual vacuity ab ac • Consider = G(a Ç b Ç c) • .. and M: • M ² G(b Ç c) // nothing else to remove • M ² G(a Ç b) // can still remove b M ² G(a) • Conclusion: order of vacuity-checks matters!
Mutual vacuity • The mutual vacuity problem: what is the largest number of literal ocurrences that can be replaced with false simultanuously without falsifying M in ? • Formally: find largest S µ lit-occur() such that M ²[a à false | a 2 S]
Vacuity checks in the industry • Most commercial model-checkers check for vacuity automatically • Typically only a few ‘important checks’, not all possible. • Too expansive in practice to check for mutual vacuity.
Representing Concurrent Systems • The ‘spring’ system is an example of a ‘Kripke structure’ • Kripke structure: a tuple M = (S, S0, R, L), where • S– set of all states of the system • S0– set of initial states • R– transition relation between states • L– a function that associates each state with set of propositions true in that state
Kripke Model • Set of states S • {q1,q2,q3} • Set of initial states S0 • {q1} • Set of atomic propositions AP • {a,b} q1 a a,b b q2 q3
What’s next ? • A Kripke structure is a special variant of an automaton. • Next, we will learn about automata.
