EE 144/244: Fundamental Algorithms for
System Modeling, Analysis, and Optimization
Fall 2014
Temporal logic
Stavros Tripakis, University of California, Berkeley
Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 1 / 27
Why temporal logic
A formal specification language = a way to specify what we want mathematically (unambiguously!)
Amir Pnueli (1941 - 2009) won the ACM Turing Award, in part for proposing to use temporal logic for specification.
Example: Specification of the SpaceWire Protocol
(European Space Agency standard)
From Sanjit Seshia.
Temporal Logics
Many variants: for linear, branching, timed, continuous, security,..., properties
We will look at LTL (for so-called linear-time properties) and CTL (for so-called branching-time properties).
LTL (Linear Temporal Logic) – Syntax
LTL¹ formulas are defined by the following grammar, where p ranges over atomic propositions:
φ ::= p | ¬φ | φ1 ∧ φ2 | Gφ | Fφ | Xφ | φ1 U φ2
φ1 U φ2: φ1 until φ2.
¹ This is PLTL: Propositional LTL (there is also first-order LTL with quantifiers ∀, ∃).
LTL – Semantics: Intuition
LTL formulas are evaluated over infinite sequences (execution traces).
Satisfaction relation looks like this – for LTL formula φ and infinite trace σ:
σ |= φ
Intuitive semantics:
formula      mnemonic
p            proposition (must hold now)
Gφ           always, globally
Fφ           finally, future, eventually
Xφ           next step
φ1 U φ2      until
LTL: examples
GFp
G(p→ Fq)
pU (q U (p ∧ r))
What do these formulas intuitively mean?
LTL – Semantics: Formally
We want to define formally the satisfaction relation: σ |= φ.
What kind of object is σ?
An infinite trace of sets of atomic propositions:
σ ∈ (2^P)^ω.
That is, σ = σ0, σ1, σ2, ···
where σi ⊆ P for all i. P is the set of all atomic propositions.
LTL – Semantics: Formally
Let
σ = σ0, σ1, σ2, ···
Notation: σ[i..] = σi, σi+1, σi+2, ···
Satisfaction relation defined recursively on the syntax of a formula:
σ |= p          iff p ∈ σ0                                        p holds at the first (current) step
σ |= φ1 ∧ φ2    iff σ |= φ1 and σ |= φ2
σ |= ¬φ         iff σ ⊭ φ
σ |= Gφ         iff ∀i = 0, 1, ... : σ[i..] |= φ                   φ holds for every suffix of σ
σ |= Fφ         iff ∃i = 0, 1, ... : σ[i..] |= φ                   φ holds for some suffix of σ
σ |= Xφ         iff σ[1..] |= φ                                    φ holds for the suffix starting at the next step
σ |= φ1 U φ2    iff ∃i = 0, 1, ... : σ[i..] |= φ2 ∧ ∀ 0 ≤ j < i : σ[j..] |= φ1
                                                                   φ2 holds for some suffix of σ and φ1 holds for all previous suffixes
LTL Semantics: Summary
Linear Temporal Logic (LTL)
LTL formulas: statements about an execution trace.
(summary table: formula / meaning)
Here p is a propositional logic formula and φ, φ1, φ2 are propositional logic formulas or LTL formulas.
State machines and temporal logic
State machine = implementation (the system we want to verify).
LTL formula = specification (the property that we want the system to satisfy).
The model checking problem: does a given system (e.g., state machine) satisfy a given temporal logic specification (e.g., LTL formula)?
Meaning: all execution traces of the system must satisfy the LTL formula.
Execution traces of a state machine
A run of a Mealy machine (I, O, S, s0, δ, λ) is a (finite or infinite) sequence of states / transitions:
s0 --x0/y0--> s1 --x1/y1--> s2 --x2/y2--> s3 ···
such that
∀i : xi ∈ I, yi ∈ O
∀i : si+1 = δ(si, xi)
∀i : yi = λ(si, xi)
The observable I/O behavior (trace) corresponding to the above run is
{x0, y0} → {x1, y1} → {x2, y2} → ···
Here we assume that only I/O are observable. We could also define traces that expose the internal state of the machine. E.g., we may want to state the requirement that a certain register never has a certain value.
System models can also be Transition Systems
Transition system: an even more basic model than state machines:
Transition system = states + transitions (+ labels)
Possibly infinite sets of states/transitions.
Can describe infinite-state systems (e.g., programs with integer or real variables).
Can also be used for non-discrete systems (e.g., timed or hybrid automata, as we will see later).
Form the basis for the semantics of temporal logics (LTL, CTL, ...) and of equivalences between systems such as (bi)simulation.
Many variants: Labeled Transition Systems, Kripke Structures, ...
Example: Labeled Transition System
In an LTS the labels are on the transitions.
Example: Kripke Structure
In a KS the labels are on the states. Each state is labeled with a set of atomic propositions (those that hold in that state).
The model-checking problem for LTL
Given a transition system M and an LTL formula φ, check that all traces of M satisfy φ.
We write this as: M |= φ
(read “M satisfies φ”).
Examples
Let’s find transition systems satisfying or violating the following LTL formulas:
Gp
Fp
GFp
G(p→ Fq)
pU q
Interesting facts about LTL
Can we express Gp using only F, p, and boolean operators?
Vice versa, can we express F in terms of G?
Can we express F in terms of U ?
Can we express X in terms of G, F, U ?
  - Cannot be done! (The first three can: Gp ≡ ¬F¬p, Fp ≡ ¬G¬p, Fp ≡ true U p. Any X-free formula is insensitive to repeating a step of the trace, i.e., it is stutter-invariant, whereas Xp is not.)
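The recursive definition of σ |= φ on the semantics slide can be executed directly once an infinite trace is represented finitely. The following Python program is an added example, not part of the lecture slides: it represents a trace as a lasso u·v^ω (a finite prefix plus a non-empty loop, the shape every counterexample of a finite-state system has), implements σ[i..] |= φ clause by clause as on slide 10, evaluates the slide-7 formulas on constructed traces, and tests the equivalences asked about on slide 19 by brute force over all small lassos. The tuple encoding of formulas, the helper names (Lasso, holds, equivalent) and the sample traces are this example's own; the brute-force check is evidence, not a proof, and it cannot show the negative result for X.

```python
from itertools import combinations, product

# Formulas are nested tuples over the operators of the semantics slide.
def P(name): return ("p", name)        # atomic proposition
def Not(f): return ("not", f)
def And(f, g): return ("and", f, g)
def Or(f, g): return ("or", f, g)
def Imp(f, g): return ("imp", f, g)    # f -> g
def G(f): return ("G", f)              # always
def F(f): return ("F", f)              # eventually
def X(f): return ("X", f)              # next
def U(f, g): return ("U", f, g)        # f until g
TRUE = ("true",)


class Lasso:
    """An infinite trace sigma = u . v^omega given by a finite prefix u and a
    non-empty loop v; each step is the set of atomic propositions true there
    (sigma_i is a subset of P).  Such a trace has only len(u) + len(v) distinct
    suffixes sigma[i..], which is what makes the evaluation finite."""

    def __init__(self, prefix, loop):
        assert len(loop) > 0, "the loop must be non-empty, otherwise the trace is finite"
        self.steps = [frozenset(s) for s in prefix] + [frozenset(s) for s in loop]
        self.loop_start = len(prefix)
        self.n = len(self.steps)

    def succ(self, i):
        """Index of the suffix sigma[i+1..]; wraps back to the start of the loop."""
        return i + 1 if i + 1 < self.n else self.loop_start

    def suffixes_from(self, i):
        """Indices of sigma[i..], sigma[i+1..], ... in order, each distinct suffix once."""
        seen, order = set(), []
        while i not in seen:
            seen.add(i)
            order.append(i)
            i = self.succ(i)
        return order


def holds(phi, sigma, i=0):
    """sigma[i..] |= phi, following the recursive definition of the semantics slide."""
    op = phi[0]
    if op == "true":
        return True
    if op == "p":                                   # p in sigma_i
        return phi[1] in sigma.steps[i]
    if op == "not":
        return not holds(phi[1], sigma, i)
    if op == "and":
        return holds(phi[1], sigma, i) and holds(phi[2], sigma, i)
    if op == "or":
        return holds(phi[1], sigma, i) or holds(phi[2], sigma, i)
    if op == "imp":
        return (not holds(phi[1], sigma, i)) or holds(phi[2], sigma, i)
    if op == "X":                                   # sigma[i+1..] |= phi
        return holds(phi[1], sigma, sigma.succ(i))
    if op == "G":                                   # phi holds for every suffix
        return all(holds(phi[1], sigma, j) for j in sigma.suffixes_from(i))
    if op == "F":                                   # phi holds for some suffix
        return any(holds(phi[1], sigma, j) for j in sigma.suffixes_from(i))
    if op == "U":                                   # phi2 at some suffix, phi1 at all earlier ones
        for j in sigma.suffixes_from(i):
            if holds(phi[2], sigma, j):
                return True
            if not holds(phi[1], sigma, j):
                return False
        return False                                # a whole cycle without phi2: it never comes
    raise ValueError(f"unknown operator {op!r}")


def all_lassos(props=("p",), max_prefix=2, max_loop=2):
    """Every lasso over subsets of props with bounded prefix and loop lengths."""
    alphabet = [frozenset(c) for r in range(len(props) + 1) for c in combinations(props, r)]
    for lp in range(max_prefix + 1):
        for ll in range(1, max_loop + 1):
            for u in product(alphabet, repeat=lp):
                for v in product(alphabet, repeat=ll):
                    yield Lasso(u, v)


def equivalent(phi, psi, **bounds):
    """True if phi and psi agree on every bounded lasso: a sanity check, not a proof."""
    return all(holds(phi, s) == holds(psi, s) for s in all_lassos(**bounds))


if __name__ == "__main__":
    p, q, r = P("p"), P("q"), P("r")
    # Constructed traces for the slide-7 formulas; set() means no proposition holds.
    print(holds(G(F(p)), Lasso([], [{"p"}, set()])))            # True: p infinitely often
    print(holds(G(Imp(p, F(q))), Lasso([{"p"}], [set()])))       # False: the p is never answered by q
    print(holds(U(p, U(q, And(p, r))), Lasso([{"p"}, {"p"}, {"q"}, {"q"}, {"p", "r"}], [set()])))
    # Slide 19: G via F and F via U agree on all small lassos; X and F differ on some
    print(equivalent(G(p), Not(F(Not(p)))), equivalent(F(p), U(TRUE, p)), equivalent(X(p), F(p)))
```

Restricting to lassos loses nothing for finite-state model checking: if some trace of a finite transition system violates φ, an ultimately periodic one does. The exhaustive check over lassos with prefix ≤ 2 and loop ≤ 2 is a quick sanity check for a claimed equivalence; a counterexample it finds is conclusive, agreement is not.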
LTL – more examples
See http://embedded.eecs.berkeley.edu/eecsx44/lectures/
Fall2013/TemporalLogic.pdf.
Errata:
  - Slides 13-14: “if and only if it holds” should be “if and only if p holds”.
  - Slide 19: F(p ⇒ (XXq)) should be G(p ⇒ (XXq)).
Safety and Liveness
Two important classes of properties.
Safety property: something “bad” does not happen.
  - E.g., system never crashes, division by zero never happens, voltage stays always ≤ K (never exceeds K), etc.
  - Finite length error trace: a violation is already witnessed by a finite prefix.
Liveness property: something “good” must happen.
  - E.g., every request must eventually receive a response.
  - Infinite length error trace: no finite prefix alone can witness a violation.
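For the formulas on slide 18, and to see the finite versus infinite error-trace shapes of slide 22 on actual systems, here is an added Python example that is not from the slides: a small, purpose-built checker over a finite Kripke structure. It searches the reachable state graph for a counterexample run: a finite path for G p, a lasso (a path into a cycle) for F p, G F p and G(p → F q), and either shape for p U q. The structures M1, M2, M3, their state names and the function names are constructed for this example; a general LTL model checker would instead translate ¬φ into a Büchi automaton and search the product, which this example deliberately avoids.

```python
from collections import deque


class Kripke:
    """Finite Kripke structure (slide 16): each state carries the set of atomic
    propositions that hold there.  Every state needs a successor so that all
    runs are infinite, as the LTL semantics assumes."""
    def __init__(self, init, edges, labels):
        self.init, self.edges, self.labels = init, edges, labels
        self.states = set(edges)
        assert all(edges[s] for s in self.states), "transition relation must be total"


def paths_within(M, start, allowed):
    """BFS from start using only states in allowed: maps each reached state to one path."""
    if start not in allowed:
        return {}
    paths, todo = {start: [start]}, deque([start])
    while todo:
        s = todo.popleft()
        for t in M.edges[s]:
            if t in allowed and t not in paths:
                paths[t] = paths[s] + [t]
                todo.append(t)
    return paths


def lasso_within(M, start, allowed):
    """An infinite run from start that never leaves allowed, as (stem, loop): stem
    leads to a state t, loop runs from a successor of t back to t.  None if every
    run inside allowed eventually has to leave it."""
    for t, stem in paths_within(M, start, allowed).items():
        for t2 in M.edges[t]:
            back = paths_within(M, t2, allowed).get(t)
            if back is not None:
                return stem, back
    return None


def reachable(M):
    return paths_within(M, M.init, M.states)


def violates_G(M, p):
    """G p: a finite error trace, ending in a reachable state where p fails."""
    for s, path in reachable(M).items():
        if p not in M.labels[s]:
            return ("finite", path)
    return None


def eventually_avoids(M, trigger, q):
    """Lasso error trace: reach a state satisfying trigger, then stay in not-q forever."""
    not_q = {s for s in M.states if q not in M.labels[s]}
    for s, path in reachable(M).items():
        lasso = lasso_within(M, s, not_q) if trigger(s) else None
        if lasso:
            return ("lasso", path[:-1] + lasso[0], lasso[1])
    return None


def violates_F(M, p):
    """F p: a run from the initial state that avoids p forever."""
    return eventually_avoids(M, lambda s: s == M.init, p)


def violates_GF(M, p):
    """G F p: from some reachable state, a run that avoids p forever."""
    return eventually_avoids(M, lambda s: True, p)


def violates_G_imp_F(M, p, q):
    """G (p -> F q): from some reachable p-state, a run that avoids q forever."""
    return eventually_avoids(M, lambda s: p in M.labels[s], q)


def violates_U(M, p, q):
    """p U q: either a finite bad prefix (a state with neither p nor q is reached
    before any q) or an infinite run on which p holds and q never comes."""
    p_not_q = {s for s in M.states if p in M.labels[s] and q not in M.labels[s]}
    if q in M.labels[M.init]:
        return None
    if M.init not in p_not_q:
        return ("finite", [M.init])
    for s, path in paths_within(M, M.init, p_not_q).items():
        for t in M.edges[s]:
            if t not in p_not_q and q not in M.labels[t]:
                return ("finite", path + [t])
    lasso = lasso_within(M, M.init, p_not_q)
    return ("lasso",) + lasso if lasso else None


# Constructed example structures (not from the slides); set() = no proposition holds.
M1 = Kripke("s0", {"s0": ["s1"], "s1": ["s0"]}, {"s0": {"p"}, "s1": {"q"}})
M2 = Kripke("s0", {"s0": ["s1"], "s1": ["s1", "s2"], "s2": ["s0"]},
            {"s0": {"p"}, "s1": set(), "s2": {"q"}})
M3 = Kripke("s0", {"s0": ["s0"]}, {"s0": {"p"}})      # p forever, q never

if __name__ == "__main__":
    for name, M in [("M1", M1), ("M2", M2), ("M3", M3)]:
        print(name, "G p:", violates_G(M, "p"), "| F p:", violates_F(M, "p"),
              "| G F p:", violates_GF(M, "p"), "| G(p -> F q):", violates_G_imp_F(M, "p", "q"),
              "| p U q:", violates_U(M, "p", "q"))
```

The counterexample shapes match the classification on slide 23: violates_G returns only finite prefixes, the F-style checks only lassos, and violates_U either one, which is why p U q is "both". M1 satisfies everything except G p; M2 keeps the first p forever unanswered (lasso through the s1 self-loop) and violates p U q at s1 with a finite prefix; M3 violates p U q with the infinite run s0 s0 s0 ...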
Safety and Liveness
Are these LTL properties safety, liveness, something else?
Gp: safety.
Fp: liveness.
Xp: safety.
pU q: “both” (a violation can be a finite prefix, on which p fails before any q, or an infinite trace on which p holds forever and q never does).
GFp: liveness.
G(p⇒ Fq): liveness.
G(p⇒ Xq): safety.
Safety and Liveness – Formally
Let P be a set of atomic propositions. 2^P is the powerset of P. (2^P)^* is the set of all finite sequences over 2^P, and (2^P)^ω is the set of all infinite sequences over 2^P (each element of a sequence is the set of propositions that hold at that step).
What is a property, formally?
A property A is a set of traces: A ⊆ (2P )ω.
Examples:
A = (2^P)^ω: A holds on all traces (every trace is in A, i.e., every trace satisfies property A).
A = ∅: no trace satisfies A.
A = the set of all traces satisfying GFp.
Safety and Liveness – Formally
Let A be a property = set of (infinite) traces.
For a trace σ and length k ∈ ℕ, we denote by σ[1..k] the finite prefix σ1 ··· σk of σ.
A is a safety property if
∀σ ∉ A : ∃k ∈ ℕ : ∀ρ ∈ (2^P)^ω : σ[1..k] · ρ ∉ A
i.e., for any σ violating the safety property, there exists a bad prefix σ[1..k], such that no matter how we extend this prefix we can no longer satisfy the safety property.
A is a liveness property if
∀σ ∈ (2^P)^* : ∃ρ ∈ (2^P)^ω : σ · ρ ∈ A
i.e., every finite trace can be extended, by appending a good suffix, into an infinite trace which satisfies the liveness property.
Safety and Liveness – Formally
Theorem ([Alpern and Schneider, 1985])
Every property is the intersection of a safety property and a liveness property.
Bibliography
Alpern, B. and Schneider, F. B. (1985).