Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used.

Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used in other course settings outside of Kansas State University in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders.

CIS 842: Specification and CIS 842: Specification and Verification of Reactive SystemsVerification of Reactive Systems

Lecture 3: Temporal Logic Specifications

Reasoning about ExecutionsReasoning about Executions

We want to reason about execution trees– tree node = snap shot of the program’s state

Reasoning consists of two layers– defining predicates on the program states (control points,

variable values)– expressing temporal relationships between those predicates

[L3, (mt3, vr3), ….]

Explored State-Space (computation tree)

Conceptual View

[L1, (mt1, vr1), ….]

[L2, (mt2, vr2), ….]

[L5, (mt5, vr5), ….]

L1 L4

L2

L3

L5

?b1

?err

?b0

?b1 !a1

?a1?b0

?err

!a0

Computational Tree Logic (CTL)Computational Tree Logic (CTL)

::= P …primitive propositions

| ! | && | || | -> …propositional connectives

| AG | EG | AF | EF …temporal operators | AX | EX | A[ U ] | E[ U ]

Syntax

Semantic Intuition

AG p …along All paths p holds Globally

EG p …there Exists a path where p holds Globally

AF p …along All paths p holds at some state in the Future

EF p …there Exists a path where p holds at some state in the Future

path quantifier

temporal operator

Computational Tree Logic (CTL)Computational Tree Logic (CTL)

::= P …primitive propositions

| ! | && | || | -> …propositional connectives

| AG | EG | AF | EF …path/temporal operators | AX | EX | A[ U ] | E[ U ]

Syntax

Semantic Intuition

AX p …along All paths, p holds in the neXt state

EX p …there Exists a path where p holds in the neXt state

A[p U q] …along All paths, p holds Until q holds

E[p U q] …there Exists a path where p holds Until q holds

Computation Tree LogicComputation Tree Logic

p

p

p

p p p

p

p

p

p

p

p p p p

AG p

Computation Tree LogicComputation Tree Logic

EG p p

p

p

p

Computation Tree LogicComputation Tree Logic

AF p

p

p p p

p

p

Computation Tree LogicComputation Tree Logic

EF p

p

Computation Tree LogicComputation Tree Logic

AX p

p

p p

p

p p

p

p

p

Computation Tree LogicComputation Tree Logic

EX p

p

p

p

p p p

Computation Tree LogicComputation Tree Logic

A[p U q]p

p

p

q q p

p

q

q

p

p

Computation Tree LogicComputation Tree Logic

E[p U q]p

p

q q p

p

q

q

q

Example CTL SpecificationsExample CTL Specifications

For any state, a request (for some resource) will eventually be acknowledged

AG(requested -> AF acknowledged)

From any state, it is possible to get to a restart state

AG(EF restart)

An upwards travelling elevator at the second floor does not changes its direction when it has passengers waiting to go to the fifth floor

AG((floor=2 && direction=up && button5pressed) -> A[direction=up U floor=5])

Semantics for CTL (excerpts)Semantics for CTL (excerpts)

For pAP:

s |= p p L(s) s |= p p L(s) s |= f g s |= f and s |= g s |= f g s |= f or s |= g

s |= EXf =s0s1... from s: s1 |= f

s |= E(f U g) =s0s1... from s

j0 [ sj |= g and i : 0 i j [si |= f ] ]

s |= EGf =s0s1... from s i 0: si |= f

Source: Orna GrumbergSource: Orna Grumberg

CTL NotesCTL Notes

Invented by E. Clarke and E. A. Emerson (early 1980’s)

Specification language for Symbolic Model Verifier (SMV) model-checker

SMV is a symbolic model-checker instead of an explicit-state model-checker

Symbolic model-checking uses Binary Decision Diagrams (BDDs) to represent boolean functions (both transition system and specification

Linear Temporal LogicLinear Temporal Logic

Restrict path quantification to “ALL” (no “EXISTS”)

Reason in terms of linear traces instead of branching trees

Linear Temporal Logic (LTL)Linear Temporal Logic (LTL)

Semantic Intuition

[] …always

<> …eventually

U … until

::= P …primitive propositions | ! | && | || | -> …propositional connectives | [] | <> | U X …temporal operators

Syntax

Linear Time LogicLinear Time Logic

[]<> p

p p p

“Along all paths, it must be the case that globally (I.e., in each state we come to) eventually p will hold”

Expresses a form of fairness– p must occur infinitely often along the path – To check under the assumption of fair traces, check

[]<>p ->

Linear Time LogicLinear Time Logic

p

<>[] p

p p

“Along all paths, eventually it is the case that p holds globally (I.e., at each state)”

pp p p p

Semantics for LTLSemantics for LTL

Semantics of LTL is given with respect to a (usually infinite) path or trace– = s1 s2 s3 …

We write i for the suffix starting at si, e.g., 3 = s3 s4 s5 …

A system satisfies an LTL formula f if each path through the system satisfies f.

Semantics for LTLSemantics for LTL

For pAP:

|= p p L(s1) |= p p L(s1) |= f g |= f and |= g |= f g |= f or |= g |= Xf 2 |= f |= <>f i >= 1. i |= f |= <>f i >= 1. i |= f |= (f U g) i >= 1. i |= g

and j : 1 j i-1. i |= f

LTL NotesLTL Notes

Invented by Prior (1960’s), and first use to reason about concurrent systems by A. Pnueli, Z. Manna, etc.

LTL model-checkers are usually explicit-state checkers due to connection between LTL and automata theory

Most popular LTL-based checker is Spin (G. Holzman)

Comparing LTL and CTLComparing LTL and CTL

CTL LTL

CTL*

CTL is not strictly more expression than LTL (and vice versa)CTL* invented by Emerson and Halpern in 1986 to unify CTL and LTLWe believe that almost all properties that one wants to express about software lie in intersection of LTL and CTL

LTL and Automata TheoryLTL and Automata Theory

LTL Checking in SpinLTL Checking in Spin