Formal Verification Lecture 2: Linear Temporal Logic
Jacques Fleuriot, jdf@inf.ed.ac.uk (PowerPoint presentation)


  1. Formal Verification Lecture 2: Linear Temporal Logic
     Jacques Fleuriot, jdf@inf.ed.ac.uk

  2. Recap
     ▶ Previously:
       ▶ Model Checking, and an informal introduction to LTL
     ▶ This time: Linear Temporal Logic
       ▶ Syntax
       ▶ Semantics
       ▶ Equivalences

  3. LTL – Syntax
     LTL = Linear(-time) Temporal Logic. Assume some set $\mathit{Atom}$ of atomic propositions.
     Syntax of LTL formulas $\varphi$:
     $$\varphi ::= p \mid \neg\varphi \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid \varphi \to \varphi \mid X\varphi \mid F\varphi \mid G\varphi \mid \varphi\, U\, \varphi$$
     where $p \in \mathit{Atom}$.
     Pronunciation:
     ▶ $X\varphi$ — neXt $\varphi$
     ▶ $F\varphi$ — Future $\varphi$
     ▶ $G\varphi$ — Globally $\varphi$
     ▶ $\varphi\, U\, \psi$ — $\varphi$ Until $\psi$
     Other common connectives: $W$ (weak until), $R$ (release).
     Precedence high-to-low: $(X, F, G, \neg)$, $(U)$, $(\wedge, \vee)$, $\to$.
     ▶ E.g. write $Fp \wedge Gq \to p\, U\, r$ instead of $((Fp) \wedge (Gq)) \to (p\, U\, r)$.

  4. LTL – Informal Semantics
     LTL formulas are evaluated at a position $i$ along a path $\pi$ through the system (a path is a sequence of states connected by transitions).
     ▶ An atomic $p$ holds if $p$ is true in the state at position $i$.
     ▶ The propositional connectives $\neg, \wedge, \vee, \to$ have their usual meanings.
     ▶ Meaning of LTL connectives:
       ▶ $X\varphi$ holds if $\varphi$ holds at the next position;
       ▶ $F\varphi$ holds if there exists a future position where $\varphi$ holds;
       ▶ $G\varphi$ holds if, for all future positions, $\varphi$ holds;
       ▶ $\varphi\, U\, \psi$ holds if there is a future position where $\psi$ holds, and $\varphi$ holds for all positions prior to that.
       ▶ $\varphi\, R\, \psi$ holds if there is a future position where $\varphi$ becomes true, and $\psi$ holds for all positions prior to and including that (or $\psi$ holds at every future position), i.e. $\varphi$ ‘releases’ $\psi$.
         ▶ It is equivalent to $\neg(\neg\varphi\, U\, \neg\psi)$.
         ▶ Thus $R$ is the dual of $U$.
     This will be made more formal in the next few slides.

  5. LTL – Formal Semantics: Transition Systems and Paths
     Definition (Transition System)
     A transition system (or model) $M = \langle S, \to, L \rangle$ consists of:
     ▶ a finite set of states $S$
     ▶ a transition relation $\to \subseteq S \times S$ such that $\forall s_1 \in S.\ \exists s_2 \in S.\ s_1 \to s_2$
     ▶ a labelling function $L : S \to \mathcal{P}(\mathit{Atom})$
     Note: $\mathit{Atom}$ is a fixed set of atomic propositions, $\mathcal{P}(\mathit{Atom})$ is the powerset of $\mathit{Atom}$. Thus, $L(s)$ is just the set of atomic propositions that is true in state $s$.
     Definition (Path)
     A path $\pi$ in a transition system $M = \langle S, \to, L \rangle$ is an infinite sequence of states $s_0, s_1, \ldots$ such that $\forall i \geq 0.\ s_i \to s_{i+1}$. Paths are written as: $\pi = s_0 \to s_1 \to s_2 \to \ldots$

  6. LTL – Formal Semantics: Satisfaction by Path
     Satisfaction: $\pi \models_i \varphi$ — “path $\pi$ at position $i$ satisfies formula $\varphi$”
     $\pi \models_i \top$
     $\pi \not\models_i \bot$
     $\pi \models_i p$ iff $p \in L(s_i)$
     $\pi \models_i \neg\varphi$ iff $\pi \not\models_i \varphi$
     $\pi \models_i \varphi \wedge \psi$ iff $\pi \models_i \varphi$ and $\pi \models_i \psi$
     $\pi \models_i \varphi \vee \psi$ iff $\pi \models_i \varphi$ or $\pi \models_i \psi$
     $\pi \models_i \varphi \to \psi$ iff $\pi \models_i \varphi$ implies $\pi \models_i \psi$
     $\pi \models_i X\varphi$ iff $\pi \models_{i+1} \varphi$
     $\pi \models_i F\varphi$ iff $\exists j \geq i.\ \pi \models_j \varphi$
     $\pi \models_i G\varphi$ iff $\forall j \geq i.\ \pi \models_j \varphi$
     $\pi \models_i \varphi_1\, U\, \varphi_2$ iff $\exists j \geq i.\ \pi \models_j \varphi_2$ and $\forall k \in \{i..j-1\}.\ \pi \models_k \varphi_1$
     $\pi \models_i \varphi_1\, R\, \varphi_2$ iff $(\forall j \geq i.\ \pi \models_j \varphi_2)$ or $(\exists j \geq i.\ \pi \models_j \varphi_1$ and $\forall k \in \{i..j\}.\ \pi \models_k \varphi_2)$

  7. LTL – Formal Semantics: Alternative Satisfaction by Path
     Alternatively, we can define $\pi \models \varphi$ using the notion of $i$th suffix $\pi^i = s_i \to s_{i+1} \to \ldots$ of a path $\pi = s_0 \to s_1 \to \ldots$.
     For example, the alternative definition of satisfaction for $G$ would be:
     $\pi \models G\varphi$ iff $\forall j \geq 0.\ \pi^j \models \varphi$
     instead of
     $\pi \models_0 G\varphi$ iff $\forall j \geq 0.\ \pi \models_j \varphi$
     $\models$ for the other connectives is left as an exercise.
     ▶ $\pi \models_i \varphi$ is better for understanding, and needed for past-time operators.
     ▶ $\pi \models \varphi$ is needed for the semantics of branching-time logics, like CTL.

  8. LTL Semantics: Satisfaction by a Model
     For a model $M$, we write $M, s \models \varphi$ if, for every execution path $\pi \in M$ starting at state $s$, we have $\pi \models_0 \varphi$.

  9. A Taste of LTL – Examples
     1. $\pi \models_i G\,\mathit{invariant}$ iff $\forall j \geq i.\ \pi \models_j \mathit{invariant}$ iff $\forall j \geq i.\ \mathit{invariant} \in L(s_j)$
        invariant is true for all future positions.
     2. $\pi \models_i G\,\neg(\mathit{read} \wedge \mathit{write})$ iff $\forall j \geq i.\ \mathit{read} \notin L(s_j) \vee \mathit{write} \notin L(s_j)$
        In all future positions, it is not the case that read and write
     3. $\pi \models_i G(\mathit{request} \to F\,\mathit{grant})$ iff $\forall j \geq i.\ \mathit{request} \in L(s_j)$ implies $\exists k \geq j.\ \mathit{grant} \in L(s_k)$.
        At every position in the future, a request implies that there exists a future point where grant holds.
     4. $\pi \models_i G(\mathit{request} \to (\mathit{request}\, U\, \mathit{grant}))$ iff $\forall j \geq i.\ \mathit{request} \in L(s_j)$ implies $\exists k \geq j.\ \mathit{grant} \in L(s_k)$ and $\forall l \in \{j..k-1\}.\ \mathit{request} \in L(s_l)$.
        At every position in the future, a request implies that there exists a future point where grant holds, and request holds up until that point.

  13. LTL Equivalences 1
     $\varphi \equiv \psi \;\stackrel{\text{def}}{=}\; \forall M.\ \forall \pi \in M.\ \forall i.\ \pi \models_i \varphi \leftrightarrow \pi \models_i \psi$
     Dualities from Propositional Logic:
     $\neg(\varphi \wedge \psi) \equiv \neg\varphi \vee \neg\psi$
     $\neg(\varphi \vee \psi) \equiv \neg\varphi \wedge \neg\psi$
     Dualities from LTL:
     $\neg X\varphi \equiv X\neg\varphi$
     $\neg G\varphi \equiv F\neg\varphi$
     $\neg F\varphi \equiv G\neg\varphi$
     $\neg(\varphi\, U\, \psi) \equiv \neg\varphi\, R\, \neg\psi$
     $\neg(\varphi\, R\, \psi) \equiv \neg\varphi\, U\, \neg\psi$
     Distributive laws:
     $G(\varphi \wedge \psi) \equiv G\varphi \wedge G\psi$
     $F(\varphi \vee \psi) \equiv F\varphi \vee F\psi$

  17. LTL Equivalences 2
     Inter-definitions:
     $F\varphi \equiv \neg G\neg\varphi$
     $G\varphi \equiv \neg F\neg\varphi$
     $F\varphi \equiv \top\, U\, \varphi$
     $G\varphi \equiv \bot\, R\, \varphi$
     Idempotency:
     $FF\varphi \equiv F\varphi$
     $GG\varphi \equiv G\varphi$
     Weak and strong until:
     $\varphi\, W\, \psi \equiv \varphi\, U\, \psi \vee G\varphi$
     $\varphi\, U\, \psi \equiv \varphi\, W\, \psi \wedge F\psi$
     Some more surprising equivalences:
     $GFG\varphi \equiv FG\varphi$
     $FGF\varphi \equiv GF\varphi$
     $G(F\varphi \vee F\psi) \equiv GF\varphi \vee GF\psi$
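As an added example, not part of the lecture slides: a small Python evaluator for the satisfaction relation $\pi \models_i \varphi$ of slide 6 over ultimately periodic ("lasso") paths, which evaluates the request/grant properties of the examples slide on constructed paths and tests the equivalence definition of slide 13 by exhaustive enumeration of small paths. The lasso representation, the tuple encoding of formulas, and the sample paths are my own assumptions, not the lecture's.

```python
from itertools import combinations, product

class LassoPath:
    """Ultimately periodic path s_0 → ... → s_{n-1} → s_loop → ...; states are sets of atoms."""
    def __init__(self, states, loop):
        assert 0 <= loop < len(states), "loop index must point into the prefix"
        self.states = [frozenset(s) for s in states]
        self.loop, self.period = loop, len(states) - loop
    def label(self, i):  # L(s_i) for any position i, unrolling the loop for i >= n
        n = len(self.states)
        return self.states[i if i < n else self.loop + (i - self.loop) % self.period]
    def horizon(self, i):  # positions i..horizon visit every state reachable from i,
        return max(i, len(self.states)) + self.period - 1  # so F/G/U/R can stop there

def sat(pi, i, phi):
    """π ⊨_i φ, one clause per connective. Formulas are tuples: ('p', atom),
    ('not', f), ('and'|'or'|'imp', f, g), ('X'|'F'|'G', f), ('U'|'R', f, g)."""
    op = phi[0]
    if op == 'p':   return phi[1] in pi.label(i)
    if op == 'not': return not sat(pi, i, phi[1])
    if op == 'and': return sat(pi, i, phi[1]) and sat(pi, i, phi[2])
    if op == 'or':  return sat(pi, i, phi[1]) or sat(pi, i, phi[2])
    if op == 'imp': return (not sat(pi, i, phi[1])) or sat(pi, i, phi[2])
    if op == 'X':   return sat(pi, i + 1, phi[1])
    js = range(i, pi.horizon(i) + 1)
    if op == 'F':   return any(sat(pi, j, phi[1]) for j in js)
    if op == 'G':   return all(sat(pi, j, phi[1]) for j in js)
    if op == 'U':   # exists j >= i with φ2 at j and φ1 at every k in {i..j-1}
        return any(sat(pi, j, phi[2]) and all(sat(pi, k, phi[1]) for k in range(i, j))
                   for j in js)
    if op == 'R':   # φ2 everywhere, or φ1 at some j with φ2 at every k in {i..j}
        return all(sat(pi, j, phi[2]) for j in js) or any(
            sat(pi, j, phi[1]) and all(sat(pi, k, phi[2]) for k in range(i, j + 1)) for j in js)
    raise ValueError(f"unknown connective {op!r}")

def equivalent(phi, psi, atoms=('p', 'q'), max_len=3):
    """Test φ ≡ ψ on every lasso path over `atoms` with at most max_len states:
    exhaustive for those paths, so a False result is a genuine counterexample."""
    labels = [set(c) for r in range(len(atoms) + 1) for c in combinations(atoms, r)]
    for n in range(1, max_len + 1):
        for states in product(labels, repeat=n):
            for loop in range(n):
                pi = LassoPath(states, loop)
                if any(sat(pi, i, phi) != sat(pi, i, psi) for i in range(n)):
                    return False
    return True

# Constructed sample paths for the request/grant examples (not from the lecture).
REQUEST, GRANT = ('p', 'request'), ('p', 'grant')
PI_OK = LassoPath([{'request'}, {'request'}, {'grant'}, set()], loop=3)  # granted, then idle
PI_BAD = LassoPath([{'request'}, set()], loop=1)  # requested once, never granted
```

The bounded quantifiers are exact for lasso paths because the suffix from position $j$ depends only on which state $s_j$ is, so every reachable state is visited within the horizon; a True from `equivalent` is still only evidence over the enumerated paths, not a proof for all models.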
