Synchronized products

General product
◮ Components: $M_i = (S_i, A_i, T_i, I_i, AP_i, \ell_i)$
◮ Product: $M = (S, A, T, I, AP, \ell)$ with $S = \prod_i S_i$, $A = \prod_i (A_i \cup \{\varepsilon\})$, and $I = \prod_i I_i$
  $T = \{ (p_1, \dots, p_n) \xrightarrow{(a_1, \dots, a_n)} (q_1, \dots, q_n) \mid \text{for all } i,\ (p_i, a_i, q_i) \in T_i \text{ or } (p_i = q_i \text{ and } a_i = \varepsilon) \}$
  $AP = \bigcup_i AP_i$ and $\ell(p_1, \dots, p_n) = \bigcup_i \ell_i(p_i)$

Synchronized products are restrictions of the general product.
◮ Synchronous: $A_{sync} = \prod_i A_i$ (every component moves at each step)
◮ Asynchronous: $A_{sync} = \bigcup_i A_i$ (exactly one component moves, the others stay put on $\varepsilon$)
◮ By states: $S_{sync} \subseteq S$
◮ By labels: $A_{sync} \subseteq A$
◮ By transitions: $T_{sync} \subseteq T$
15/71
Example: Printer manager

Synchronization by states: the global state (P, P) is forbidden.
Each process has the local states Idle (I), Wait (W) and Print (P). The figure shows the two components and their product, whose states are the pairs (I, I), (I, W), (I, P), (W, I), (W, W), (W, P), (P, I), (P, W); the pair (P, P), both processes printing at once, is removed from $S_{sync}$.
16/71
Example: Elevator

Synchronization by actions (rendez-vous of a sending action !a with the matching receiving action ?a).
Cabin: states 0, 1, 2 (the levels). The figure shows the cabin moving up on ?up, announcing !leave$_0$, !reach$_1$, !leave$_1$, !reach$_2$, and moving down on ?down, announcing !leave$_2$, !reach$_1$, !leave$_1$, !reach$_0$.
Door for level $i$: states Opened and Closed, synchronizing with the cabin on ?leave$_i$ (the door closes) and ?reach$_i$ (the door opens).
17/71
Example: digicode

Synchronization by transitions.
The figure shows a digicode automaton with states 1, 2, 3, 4 and OPEN reading the keys A, B, C (the opening code is A B A: 1 →A 2 →B 3 →A 4 → OPEN, wrong keys B, C lead back to an earlier state) together with an error counter with states 0, 1, 2, 3. The product, synchronized on transitions, pairs a digicode state with an error count ((1,0), (2,0), (3,0), (4,0), (1,1), ..., (4,2)); a wrong key increments the counter, the correct code leads to OPEN, and the third error leads to ERROR (state (5,3) in the figure).
18/71
Example: Peterson's algorithm (1981)

Synchronization by shared variables (req[0], req[1], turn).
Process $i$ (the other process is $1-i$) has four local states:
◮ 1 → 2: req[i] := true
◮ 2 → 3: turn := 1-i
◮ 3 → 4: if req[1-i] = false, else if turn = i (otherwise keep waiting in 3)
◮ 4 → 1: req[i] := false (state 4 is the critical section)
The global state is a 5-tuple: (state$_0$, state$_1$, req[0], req[1], turn)
19/71
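The shared-variable product described above, as an added Python example that is not part of the slides: the two Peterson processes are explored as an asynchronous product over the 5-tuple global state, and mutual exclusion, a static property, is checked by reachability of a global state with both processes in state 4. A constructed faulty variant that assigns turn before req[i] (an assumption made for illustration, not something the slide describes) is checked the same way; the search returns the shortest interleaving that reaches the violation.

```python
from collections import deque
from functools import partial

CRITICAL = 4  # local state 4 is the critical section

def peterson_step(i, local, req, turn, swapped=False):
    """Local transitions of process i (other process: 1-i) as drawn on the slide:
    1 --req[i]:=true--> 2 --turn:=1-i--> 3 --req[1-i]=false or turn=i--> 4 --req[i]:=false--> 1.
    With swapped=True the two assignments are exchanged (turn first, then req):
    a constructed faulty variant, used below to exhibit a mutual exclusion violation.
    req is the pair (req[0], req[1]); returns the possible (local', req', turn')."""
    req = list(req)
    if local == 1:
        if swapped:
            return [(2, tuple(req), 1 - i)]
        req[i] = True
        return [(2, tuple(req), turn)]
    if local == 2:
        if swapped:
            req[i] = True
            return [(3, tuple(req), turn)]
        return [(3, tuple(req), 1 - i)]
    if local == 3:
        if not req[1 - i] or turn == i:
            return [(4, tuple(req), turn)]
        return [(3, tuple(req), turn)]      # busy wait: re-test the guard
    if local == 4:
        req[i] = False
        return [(1, tuple(req), turn)]
    raise ValueError(f"unknown local state {local}")

buggy_step = partial(peterson_step, swapped=True)   # the constructed faulty variant

def explore(step, initial=(1, 1, False, False, 0)):
    """Asynchronous product with shared variables: from a global state
    (state0, state1, req[0], req[1], turn) either process may move.
    BFS returns a parent map over all reachable global states."""
    parent = {initial: None}
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        locals_, req, turn = [s[0], s[1]], (s[2], s[3]), s[4]
        for i in (0, 1):
            for new_local, new_req, new_turn in step(i, locals_[i], req, turn):
                nxt = list(locals_)
                nxt[i] = new_local
                t = (nxt[0], nxt[1], new_req[0], new_req[1], new_turn)
                if t not in parent:
                    parent[t] = s
                    queue.append(t)
    return parent

def mutex_violation(step):
    """Mutual exclusion is a static (safety) property, so it reduces to
    reachability: is a global state with both processes in state 4 reachable?
    Returns the shortest trace to such a state, or None if none is reachable."""
    parent = explore(step)
    for s in parent:                       # dict order = BFS order, so shortest first
        if s[0] == CRITICAL and s[1] == CRITICAL:
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return trace[::-1]
    return None

if __name__ == "__main__":
    print("Peterson, mutual exclusion violation:", mutex_violation(peterson_step))
    print("swapped assignments, violating interleaving:")
    for g in mutex_violation(buggy_step):
        print("  ", g)
```

The exploration is exactly the product construction of slide 15 restricted to the asynchronous case: one component moves per step while the shared variables are part of the global state. The state space here is tiny (at most 4·4·2·2·2 = 128 global states), which is why a plain BFS suffices.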
High-level descriptions
◮ Sequential programs = transition system with variables
◮ Concurrent programs with shared variables
◮ Concurrent programs with Rendez-vous
◮ Concurrent programs with FIFO communication
◮ Petri net
◮ ...
20/71
Models: expressivity versus decidability

(Un)decidability
◮ Automata with 2 integer variables = Turing powerful
  Restriction to variables taking values in finite sets
◮ Asynchronous communication: unbounded fifo channels = Turing powerful
  Restriction to bounded channels

Some infinite state models are decidable
◮ Petri nets. Several unbounded integer variables but no zero-test.
◮ Pushdown automata. Model for recursive procedure calls.
◮ Timed automata.
◮ ...
21/71
Outline
1 Introduction
2 Models
3 Specification
  Linear Time Specifications
  Branching Time Specifications
22/71
Static and dynamic properties

Static properties
Example: Mutual exclusion
Most safety properties are static. They can be reduced to reachability.

Dynamic properties
Example: Every request should be eventually granted.
$\bigwedge_i \forall t,\ (\mathrm{Call}_i(t) \to \exists t' \ge t,\ (\mathrm{atLevel}_i(t') \wedge \mathrm{openDoor}_i(t')))$
The elevator should not cross a level for which a call is pending without stopping.
$\bigwedge_i \forall t\, \forall t',\ (\mathrm{Call}_i(t) \wedge t \le t' \wedge \mathrm{atLevel}_i(t')) \to \exists t'',\ (t \le t'' \le t' \wedge \mathrm{atLevel}_i(t'') \wedge \mathrm{openDoor}_i(t''))$
23/71
First Order specifications

First order logic
◮ These specifications can be written in FO($<$).
◮ FO($<$) has a good expressive power ... but FO($<$)-formulas are not easy to write and to understand.
◮ FO($<$) is decidable ... but satisfiability and model checking are non-elementary.

Temporal logics
◮ no variables: time is implicit.
◮ quantifications and variables are replaced by modalities.
◮ Usual specifications are easy to write and read.
◮ Good complexity for satisfiability and model checking problems.
24/71
Linear versus Branching

Let $M = (S, T, I, AP, \ell)$ be a Kripke structure.

Linear specifications
Example: The printer manager is fair. On each run, whenever some process requests the printer, it eventually gets it.
Execution sequences (runs): $\sigma = s_0 \to s_1 \to s_2 \to \cdots$ with $s_i \to s_{i+1} \in T$
Two Kripke structures having the same execution sequences satisfy the same linear specifications.
Actually, linear specifications only depend on the label of the execution sequence $\ell(\sigma) = \ell(s_0) \to \ell(s_1) \to \ell(s_2) \to \cdots$

Branching specifications
Example: Each process has the possibility to print first.
Such properties depend on the execution tree.
Execution tree = unfolding of the transition system
25/71
Linear Temporal Logic (Pnueli 1977)

Syntax: LTL(AP, X, U)
$\varphi ::= \bot \mid p\ (p \in AP) \mid \neg\varphi \mid \varphi \vee \varphi \mid X\varphi \mid \varphi U \varphi$

Semantics: $t = [\mathbb{N}, \le, \lambda]$ with $\lambda : \mathbb{N} \to \Sigma = 2^{AP}$ and $x \in \mathbb{N}$
◮ $t, x \models p$ if $p \in \lambda(x)$
◮ $t, x \models \neg\varphi$ if $t, x \not\models \varphi$
◮ $t, x \models \varphi \vee \psi$ if $t, x \models \varphi$ or $t, x \models \psi$
◮ $t, x \models X\varphi$ if $\exists y.\ x \lessdot y\ \&\ t, y \models \varphi$ ($x \lessdot y$: $y$ is the immediate successor of $x$)
◮ $t, x \models \varphi U \psi$ if $\exists z.\ x \le z\ \&\ t, z \models \psi\ \&\ \forall y.\ (x \le y < z) \to t, y \models \varphi$

Example
A word $\lambda(0)\lambda(1)\lambda(2)\cdots$ over $2^{\{p,q,r\}}$: $\{p\}\ \{p,q\}\ \{p\}\ \{q\}\ \{p,r\}\ \{q,r\}\ \{q\}\ \emptyset\ \emptyset \cdots$
Pictures on the slide: $X\varphi$ holds at a position when $\varphi$ holds at the next one; $\varphi U \psi$ holds when some current-or-later position satisfies $\psi$ and every position from the current one up to (but excluding) it satisfies $\varphi$.
27/71
Linear Temporal Logic (Pnueli 1977)

Macros:
◮ Eventually: $F\varphi = \top U \varphi$ (picture: $\varphi$ holds at some current-or-later position)
◮ Always: $G\varphi = \neg F \neg\varphi$ (picture: $\varphi$ holds at every position from now on)
◮ Weak until: $\varphi W \psi = G\varphi \vee \varphi U \psi$
◮ $\neg(\varphi U \psi) = (G\neg\psi) \vee (\neg\psi U (\neg\varphi \wedge \neg\psi)) = \neg\psi W (\neg\varphi \wedge \neg\psi)$
◮ Release: $\varphi R \psi = \psi W (\varphi \wedge \psi) = \neg(\neg\varphi U \neg\psi)$
◮ Next until: $\varphi XU \psi = X(\varphi U \psi)$ (picture: $\varphi\ \varphi\ \cdots\ \psi$, starting from the next position)
◮ $X\psi = \bot XU \psi$ and $\varphi U \psi = \psi \vee (\varphi \wedge \varphi XU \psi)$.
28/71
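An added Python example, not part of the slides, that executes the semantics of slide 27 and the macros of slide 28 on infinite words given as lassos $u \cdot v^\omega$: holds(w, x, phi) implements $t, x \models \varphi$ clause by clause, the macros are defined literally as above, and the identities listed on the slide are checked on random lasso words. The example word of slide 27, $\{p\}\{p,q\}\{p\}\{q\}\{p,r\}\{q,r\}\{q\}\emptyset\emptyset\cdots$, is included as EXAMPLE. The tuple encoding of formulas and the bound used for the $U$ witness are this example's own choices.

```python
from dataclasses import dataclass
from functools import lru_cache
from itertools import combinations
import random

@dataclass(frozen=True)
class Lasso:
    """An infinite word u.v^omega over Sigma = 2^AP, given as a finite prefix u
    and a non-empty cycle v (letters are frozensets of atomic propositions)."""
    prefix: tuple
    cycle: tuple

    def letter(self, x):
        if x < len(self.prefix):
            return self.prefix[x]
        return self.cycle[(x - len(self.prefix)) % len(self.cycle)]

    def norm(self, x):
        """Canonical position with the same suffix (positions inside the cycle repeat)."""
        if x < len(self.prefix):
            return x
        return len(self.prefix) + (x - len(self.prefix)) % len(self.cycle)

# Formulas are nested tuples; only the connectives of the syntax are primitive.
FALSE = ("false",)
def P(p):      return ("p", p)
def Not(a):    return ("not", a)
def Or(a, b):  return ("or", a, b)
def X(a):      return ("X", a)
def U(a, b):   return ("U", a, b)

# Macros exactly as on the slide
TRUE = Not(FALSE)
def And(a, b): return Not(Or(Not(a), Not(b)))
def Imp(a, b): return Or(Not(a), b)
def F(a):      return U(TRUE, a)                 # eventually
def G(a):      return Not(F(Not(a)))             # always
def W(a, b):   return Or(G(a), U(a, b))          # weak until
def R(a, b):   return W(b, And(a, b))            # release
def XU(a, b):  return X(U(a, b))                 # next until

@lru_cache(maxsize=None)
def holds(w, x, phi):
    """t, x |= phi, one clause per semantic rule of the slide."""
    x = w.norm(x)
    op = phi[0]
    if op == "false":
        return False
    if op == "p":
        return phi[1] in w.letter(x)
    if op == "not":
        return not holds(w, x, phi[1])
    if op == "or":
        return holds(w, x, phi[1]) or holds(w, x, phi[2])
    if op == "X":                       # y = x + 1 is the unique successor x <. y
        return holds(w, x + 1, phi[1])
    if op == "U":
        a, b = phi[1], phi[2]
        # Any witness z >= x has an equivalent one below max(x, |u|) + |v|,
        # because suffixes repeat with period |v| once inside the cycle.
        bound = max(x, len(w.prefix)) + len(w.cycle)
        return any(holds(w, z, b) and all(holds(w, y, a) for y in range(x, z))
                   for z in range(x, bound))
    raise ValueError(f"unknown connective {op}")

def counterexample(lhs, rhs, props=("p", "q"), trials=300, seed=7):
    """Random search for a lasso word separating lhs and rhs at position 0.
    Returns such a word, or None if none was found (evidence, not a proof)."""
    rng = random.Random(seed)
    alphabet = [frozenset(c) for n in range(len(props) + 1) for c in combinations(props, n)]
    for _ in range(trials):
        prefix = tuple(rng.choice(alphabet) for _ in range(rng.randint(0, 3)))
        cycle = tuple(rng.choice(alphabet) for _ in range(rng.randint(1, 3)))
        w = Lasso(prefix, cycle)
        if holds(w, 0, lhs) != holds(w, 0, rhs):
            return w
    return None

# The example word of slide 27: {p} {p,q} {p} {q} {p,r} {q,r} {q} then empty forever
EXAMPLE = Lasso(tuple(frozenset(s) for s in ["p", "pq", "p", "q", "pr", "qr", "q"]),
                (frozenset(),))
p, q, r = P("p"), P("q"), P("r")

if __name__ == "__main__":
    print("p U q at 0:", holds(EXAMPLE, 0, U(p, q)))
    print("G(p -> F q):", holds(EXAMPLE, 0, G(Imp(p, F(q)))))
    print("G F p:", holds(EXAMPLE, 0, G(F(p))))
    print("not(p U q) = not q W (not p and not q):",
          counterexample(Not(U(p, q)), W(Not(q), And(Not(p), Not(q)))) is None)
```

Restricting the $U$ witness to a finite window is what makes the evaluator terminate on an infinite word: a lasso has finitely many distinct suffixes, so the existential quantifier in the semantics only has to range over one representative of each.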
Linear Temporal Logic (Pnueli 1977)

Specifications:
◮ Safety: $G\,\mathrm{good}$
◮ MutEx: $\neg F(\mathrm{crit}_1 \wedge \mathrm{crit}_2)$
◮ Liveness: $G F\,\mathrm{active}$
◮ Response: $G(\mathrm{request} \to F\,\mathrm{grant})$
◮ Response': $G(\mathrm{request} \to X(\neg\mathrm{request}\ U\ \mathrm{grant}))$
◮ Release: $\mathrm{reset}\ R\ \mathrm{alarm}$
◮ Strong fairness: $G F\,\mathrm{request} \to G F\,\mathrm{grant}$
◮ Weak fairness: $F G\,\mathrm{request} \to G F\,\mathrm{grant}$
29/71
Linear Temporal Logic (Pnueli 1977)

Examples
Every elevator request should be eventually satisfied.
$\bigwedge_i G(\mathrm{Call}_i \to F(\mathrm{atLevel}_i \wedge \mathrm{openDoor}_i))$
The elevator should not cross a level for which a call is pending without stopping.
$\bigwedge_i G(\mathrm{Call}_i \to \neg\mathrm{atLevel}_i\ W\ (\mathrm{atLevel}_i \wedge \mathrm{openDoor}_i))$
30/71
Past LTL

Semantics: $t = [\mathbb{N}, \le, \lambda]$ with $\lambda : \mathbb{N} \to \Sigma = 2^{AP}$ and $x \in \mathbb{N}$
◮ $t, x \models Y\varphi$ if $\exists y.\ y \lessdot x\ \&\ t, y \models \varphi$ (yesterday: $\varphi$ held at the previous position)
◮ $t, x \models \varphi S \psi$ if $\exists z.\ z \le x\ \&\ t, z \models \psi\ \&\ \forall y.\ (z < y \le x) \to t, y \models \varphi$ (since: $\psi$ held at some earlier-or-current position and $\varphi$ at every position after it)

Example
Pictures on the slide: $Y\varphi$ looks one position back; $\varphi S \psi$ looks back to a position satisfying $\psi$ with $\varphi$ at every later position up to the current one. The last picture is a word over the propositions r (request) and g (grant) in which every g is preceded by an r with only $\neg$g positions in between, illustrating the formula below.

LTL versus PLTL
$G(\mathrm{grant} \to Y(\neg\mathrm{grant}\ S\ \mathrm{request})) = (\mathrm{request}\ R\ \neg\mathrm{grant}) \wedge G(\mathrm{grant} \to (\mathrm{request} \vee X(\mathrm{request}\ R\ \neg\mathrm{grant})))$

Theorem (Laroussinie & Markey & Schnoebelen 2002)
PLTL may be exponentially more succinct than LTL.
31/71
Expressivity

Theorem (Kamp 68)
LTL(Y, S, X, U) = FO$_\Sigma(\le)$

Separation Theorem (Gabbay, Pnueli, Shelah & Stavi 80)
For all $\varphi \in$ LTL(Y, S, X, U) there exist $\overleftarrow{\varphi_i} \in$ LTL(Y, S) and $\overrightarrow{\varphi_i} \in$ LTL(X, U) such that for all $w \in \Sigma^\omega$ and $k \ge 0$,
$w, k \models \varphi \iff w, k \models \bigvee_i (\overleftarrow{\varphi_i} \wedge \overrightarrow{\varphi_i})$

Corollary: LTL(Y, S, X, U) = LTL(X, U) (for initial satisfaction)
For all $\varphi \in$ LTL(Y, S, X, U) there exists $\overrightarrow{\varphi} \in$ LTL(X, U) such that for all $w \in \Sigma^\omega$,
$w, 0 \models \varphi \iff w, 0 \models \overrightarrow{\varphi}$

Elegant algebraic proof of LTL(X, U) = FO$_\Sigma(\le)$ due to Wilke 98.
32/71
Satisfiability for LTL

Let AP be the set of atomic propositions and $\Sigma = 2^{AP}$.

(Initial) Satisfiability problem
Input: A formula $\varphi \in$ LTL(Y, S, X, U)
Question: Existence of $w \in \Sigma^\omega$ such that $w, 0 \models \varphi$.

Theorem (Sistla & Clarke 85, Lichtenstein et al. 85)
The satisfiability problem for LTL is PSPACE-complete
33/71
Model checking for LTL

Model checking problem
Input: A Kripke structure $M = (S, T, I, AP, \ell)$ and a formula $\varphi \in$ LTL
Question: Does $M \models \varphi$?
◮ Universal MC: $M \models \varphi$ if $\ell(\sigma), 0 \models \varphi$ for all initial infinite runs $\sigma$ of $M$.
◮ Existential MC: $M \models \varphi$ if $\ell(\sigma), 0 \models \varphi$ for some initial infinite run $\sigma$ of $M$.

Theorem (Sistla & Clarke 85, Lichtenstein et al. 85)
The model checking problem for LTL is PSPACE-complete
34/71
MC(X, U) $\le_P$ SAT(X, U) (Sistla & Clarke 85)

Let $M = (S, T, I, AP, \ell)$ be a Kripke structure and $\varphi \in$ LTL(X, U).
Introduce new atomic propositions: $AP_S = \{\mathrm{at}_s \mid s \in S\}$
Define $AP' = AP \uplus AP_S$, $\Sigma' = 2^{AP'}$ and $\pi : \Sigma'^\omega \to \Sigma^\omega$ by $\pi(a) = a \cap AP$ (applied letter by letter).
Let $w \in \Sigma'^\omega$. We have $w \models \varphi$ iff $\pi(w) \models \varphi$ (since $\varphi$ only mentions $AP$).
Define
$\psi_M = \bigvee_{s \in I} \mathrm{at}_s \wedge G \bigvee_{s \in S} \Big( \mathrm{at}_s \wedge \bigwedge_{t \ne s} \neg\mathrm{at}_t \wedge \bigwedge_{p \in \ell(s)} p \wedge \bigwedge_{p \notin \ell(s)} \neg p \wedge \bigvee_{t \in T(s)} X\,\mathrm{at}_t \Big)$
(at each position exactly one $\mathrm{at}_s$ holds, the letter agrees with $\ell(s)$, and the next position is a successor $t \in T(s)$ of $s$).
We have $w \models \psi_M$ iff $\pi(w) = \ell(\sigma)$ for some initial infinite run $\sigma$ of $M$.
Therefore,
$M \not\models \varphi$ iff $\ell(\sigma) \models \neg\varphi$ for some initial infinite run $\sigma$ of $M$
iff $w \models \psi_M \wedge \neg\varphi$ for some $w \in \Sigma'^\omega$
iff $\psi_M \wedge \neg\varphi$ is satisfiable
35/71
QBF $\le_P$ MC(X, U) (Sistla & Clarke 85)

Let $\gamma = Q_1 x_1 \cdots Q_n x_n \bigwedge_{1 \le i \le m} \bigvee_{1 \le j \le k_i} a_{ij}$ with $Q_i \in \{\forall, \exists\}$ and each $a_{ij}$ a literal $x_k$ or $\neg x_k$, and consider the Kripke structure $M$ drawn on the slide (each state is labelled by its own name): a chain $e_0 \to s_1 \to \{x_1^t, x_1^f\} \to e_1 \to s_2 \to \{x_2^t, x_2^f\} \to e_2 \to \cdots \to s_n \to \{x_n^t, x_n^f\} \to e_n$ that picks a value for each variable, followed by a chain $f_0 \to \{a_{11}, \dots, a_{1k_1}\} \to f_1 \to \{a_{21}, \dots, a_{2k_2}\} \to f_2 \to \cdots \to f_{m-1} \to \{a_{m1}, \dots, a_{mk_m}\} \to f_m$ that picks one literal in each clause.

Let $\psi_{ij} = G(x_k^f \to \neg a_{ij}\ W\ s_k)$ if $a_{ij} = x_k$, $\psi_{ij} = G(x_k^t \to \neg a_{ij}\ W\ s_k)$ if $a_{ij} = \neg x_k$, and $\psi = \bigwedge_{i,j} \psi_{ij}$ (a literal may only be picked when it is true under the chosen values).

Let $\varphi_j = G\big(e_{j-1} \to (\neg s_{j-1}\ U\ x_j^t) \wedge (\neg s_{j-1}\ U\ x_j^f)\big)$ and $\varphi = \bigwedge_{j \mid Q_j = \forall} \varphi_j$ (a universally quantified variable must be tried with both values before an outer choice is revisited).

Then, $\gamma$ is valid iff $M \not\models \neg(\varphi \wedge \psi)$ iff $\sigma \models \varphi \wedge \psi$ for some run $\sigma$.
36/71
Decision procedure for LTL

The core
From an LTL formula $\varphi$, construct a Büchi automaton $\mathcal{A}_\varphi$ such that
$L(\mathcal{A}_\varphi) = L(\varphi) = \{w \in \Sigma^\omega \mid w, 0 \models \varphi\}$.

Satisfiability (initial)
Check the Büchi automaton $\mathcal{A}_\varphi$ for emptiness.

Model checking
Construct the product $\mathcal{B} = M \times \mathcal{A}_{\neg\varphi}$ so that the successful runs of $\mathcal{B}$ correspond to the initial infinite runs of $M$ whose labelling satisfies $\neg\varphi$. Then, check $\mathcal{B}$ for emptiness: $M \models \varphi$ iff $L(\mathcal{B}) = \emptyset$, and a successful run of $\mathcal{B}$ is a counterexample to $\varphi$.
37/71
Büchi automata

Definition
$\mathcal{A} = (Q, \Sigma, I, T, F)$ where
◮ $Q$: finite set of states
◮ $\Sigma$: finite set of labels
◮ $I \subseteq Q$: set of initial states
◮ $T \subseteq Q \times \Sigma \times Q$: transitions
◮ $F \subseteq Q$: set of accepting states (repeated, final)
A run on an infinite word is successful if it visits $F$ infinitely often.

Example
$\mathcal{A}$ with states 1 (initial) and 2 and transitions $1 \xrightarrow{a} 2$, $1 \xrightarrow{b} 1$, $2 \xrightarrow{a} 2$, $2 \xrightarrow{b} 1$; the state entered on reading $a$ is the accepting one.
$L(\mathcal{A}) = \{w \in \{a, b\}^\omega \mid |w|_a = \omega\}$
38/71
Büchi automata for some LTL formulas

Definition
Recall that $\Sigma = 2^{AP}$. For $p, q \in AP$, we let
◮ $\Sigma_p = \{a \in \Sigma \mid p \in a\}$ and $\Sigma_{\neg p} = \Sigma \setminus \Sigma_p$
◮ $\Sigma_{p \wedge q} = \Sigma_p \cap \Sigma_q$ and $\Sigma_{p \vee q} = \Sigma_p \cup \Sigma_q$
◮ $\Sigma_{p \wedge \neg q} = \Sigma_p \setminus \Sigma_q$ ...

Examples (state 1 is initial)
◮ $F p$: states 1, 2 with $1 \xrightarrow{\Sigma} 1$, $1 \xrightarrow{\Sigma_p} 2$, $2 \xrightarrow{\Sigma} 2$, accepting state 2; or the deterministic variant $1 \xrightarrow{\Sigma_{\neg p}} 1$, $1 \xrightarrow{\Sigma_p} 2$, $2 \xrightarrow{\Sigma} 2$, accepting state 2.
◮ $X X p$: states 1, 2, 3, 4 with $1 \xrightarrow{\Sigma} 2 \xrightarrow{\Sigma} 3 \xrightarrow{\Sigma_p} 4$ and $4 \xrightarrow{\Sigma} 4$, accepting state 4.
◮ $G p$: a single accepting state 1 with $1 \xrightarrow{\Sigma_p} 1$.
39/71
Büchi automata for some LTL formulas

Examples (state 1 is initial)
◮ $F G p$: states 1, 2 with $1 \xrightarrow{\Sigma} 1$, $1 \xrightarrow{\Sigma_p} 2$, $2 \xrightarrow{\Sigma_p} 2$, accepting state 2. There is no deterministic Büchi automaton for this language.
◮ $G F p$: a deterministic Büchi automaton exists, for instance $1 \xrightarrow{\Sigma_{\neg p}} 1$, $1 \xrightarrow{\Sigma_p} 2$, $2 \xrightarrow{\Sigma_p} 2$, $2 \xrightarrow{\Sigma_{\neg p}} 1$ with accepting state 2. Its complement $F G \neg p$ has none, so deterministic Büchi automata are not closed under complement.
◮ $G(p \to F q)$: for instance $1 \xrightarrow{\Sigma_{\neg p \vee q}} 1$, $1 \xrightarrow{\Sigma_{p \wedge \neg q}} 2$, $2 \xrightarrow{\Sigma_{\neg q}} 2$, $2 \xrightarrow{\Sigma_q} 1$ with accepting state 1 (state 2 records a pending request).
40/71
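The decision procedure of slide 37 carried out on the automata of slides 39 and 40, as an added Python example that is not part of the slides: Büchi automata for the negations of $G(p \to F q)$, $G p$ and $G F p$ are written with guards standing for the sublanguages $\Sigma_p$, $\Sigma_{\neg p}$, $\Sigma_{p \wedge \neg q}$, the product $\mathcal{B} = M \times \mathcal{A}_{\neg\varphi}$ is built, and emptiness is decided by looking for a reachable accepting state that lies on a cycle, which yields the counterexample lasso whenever $M \not\models \varphi$. The request/grant controller, its state names and its labels are constructed for this example.

```python
from collections import deque

# Constructed toy Kripke structure (not from the slides): a request/grant
# controller. In 'req' the process may be left waiting forever (self-loop),
# which violates the response property G(request -> F grant).
KS_BROKEN = {
    "init": {"idle"},
    "succ": {"idle": {"idle", "req"}, "req": {"req", "grant"}, "grant": {"idle"}},
    "label": {"idle": frozenset(), "req": frozenset({"request"}),
              "grant": frozenset({"grant"})},
}
# Same controller with the waiting loop removed.
KS_FIXED = {**KS_BROKEN, "succ": {**KS_BROKEN["succ"], "req": {"grant"}}}

# Buchi automata for the *negated* specifications. Letters are sets of atomic
# propositions; a guard is a predicate on letters, i.e. one of the sublanguages
# Sigma_p, Sigma_{not p}, Sigma_{p and not q}, ...
def buchi_not_response(p, q):
    """F(p and G not q), the negation of G(p -> F q)."""
    return {"init": {1}, "acc": {2},
            "trans": [(1, lambda a: True, 1),
                      (1, lambda a: p in a and q not in a, 2),
                      (2, lambda a: q not in a, 2)]}

def buchi_not_always(p):
    """F not p, the negation of G p."""
    return {"init": {1}, "acc": {2},
            "trans": [(1, lambda a: True, 1),
                      (1, lambda a: p not in a, 2),
                      (2, lambda a: True, 2)]}

def buchi_not_infinitely_often(p):
    """F G not p, the negation of G F p. Nondeterministic: state 1 guesses the
    point after which p never holds again (no deterministic Buchi automaton
    exists for this language, as the slide notes)."""
    return {"init": {1}, "acc": {2},
            "trans": [(1, lambda a: True, 1),
                      (1, lambda a: p not in a, 2),
                      (2, lambda a: p not in a, 2)]}

def product(ks, aut):
    """B = M x A: the automaton reads l(s) while M moves from s to s'.
    Returns (initial states, successor function, acceptance predicate)."""
    init = {(s, q) for s in ks["init"] for q in aut["init"]}
    def succ(state):
        s, q = state
        letter = ks["label"][s]
        return {(s2, q2) for s2 in ks["succ"][s]
                for (q1, guard, q2) in aut["trans"] if q1 == q and guard(letter)}
    return init, succ, lambda state: state[1] in aut["acc"]

def bfs(init, succ):
    """Reachable states as a parent map (BFS tree) from the given initial states."""
    parent = {s: None for s in init}
    queue = deque(init)
    while queue:
        u = queue.popleft()
        for v in succ(u):
            if v not in parent:
                parent[v] = u
                queue.append(v)
    return parent

def path_to(parent, target):
    path = []
    while target is not None:
        path.append(target)
        target = parent[target]
    return path[::-1]

def accepting_lasso(ks, aut):
    """Emptiness test for B = M x A: L(B) is non-empty iff some reachable
    accepting state f lies on a cycle. Returns (prefix ending in f, cycle
    returning to f) as lists of product states, or None if L(B) is empty."""
    init, succ, accepting = product(ks, aut)
    parent = bfs(init, succ)
    for f in sorted(s for s in parent if accepting(s)):
        back = bfs(succ(f), succ)          # states reachable after leaving f
        if f in back:
            return path_to(parent, f), path_to(back, f)
    return None

def model_check(ks, neg_aut):
    """Universal model checking M |= phi, given A_{not phi}: M |= phi iff
    M x A_{not phi} is empty. Returns (verdict, counterexample lasso or None)."""
    lasso = accepting_lasso(ks, neg_aut)
    return lasso is None, lasso

if __name__ == "__main__":
    spec = buchi_not_response("request", "grant")
    for name, ks in (("broken", KS_BROKEN), ("fixed", KS_FIXED)):
        ok, cex = model_check(ks, spec)
        print(name, "|= G(request -> F grant):", ok, cex)
```

The cycle search here is quadratic in the size of the product (one BFS per reachable accepting state); production model checkers use a nested depth-first search or an SCC decomposition for the same test in linear time, but the verdict and the shape of the counterexample (a finite prefix followed by a cycle through an accepting state) are the same.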