Specification of Systems with Temporal Logic

Simon Robillard

Autumn 2019

1 / 24

Section 1

Introduction


Before We Begin

1. Exercises during the lecture
2. Keep track of answers, as they might be re-used in later exercises

Contact: [email protected]


Verification, Abstraction and Specification

• In the previous part of the course: modelling of systems
• To do verification, we need a way to express what is expected of the system
• The expected behavior is often described in natural language

Example: RFC 793 (Transmission Control Protocol)

“The TCP then waits until its own FIN is acknowledged whereupon it deletes the connection.”

• Natural language cannot be understood by computers
• Even for humans, it can be ambiguous
• We need a formal language, with precise semantics, to describe what we want

Properties of a Logic of Time

What is the nature of time?
• Discrete or continuous?
• Deterministic or not?
• Does it have a beginning? An end?
• If two events happen simultaneously, are they the same?

What properties do we need to specify?
• Time points (instants) or time intervals?
• Describe the future, the past, or both?
• Need to describe that something is true sometimes? a certain (precise) number of times? infinitely often?
• Probabilities?


LTL and CTL


• The two most common temporal logics for computer science
• Discrete time in both (the common view in computer science, since computers follow a clock)

Linear Temporal Logic (LTL):
• interpreted over timelines, where every moment has a unique successor
• one timeline = one run of a program/system
• we are generally interested in checking that a formula is true for all possible runs

Computation Tree Logic (CTL):
• interpreted over “time trees”: at a given point, there can be more than one possible future
• one tree already captures the different possible runs of a program/system

Labelled Transition Systems (LTS)

• until now, we have mainly considered transitions (actions)
• this can make it difficult to express some properties
• example: to check that 2 processes are never in a critical section at the same time, we need to check all the sequences of actions that can lead to this situation
• instead, we can label the states of our system with some properties (e.g., “process X is in the critical section”)


Boolean Abstractions
• we use Boolean variables for our labels: for a set of variables P, states are labelled with elements of 2^P (the subsets of P)
• if p ∈ L(σ), then p is true in state σ, otherwise ¬p is true
• in theory, we can use a countably infinite set of variables
• in practice, you may need a coarse abstraction

Example: two processes in a critical section, P = {crit1, crit2}. The possible labels are {}, {crit1}, {crit2} and {crit1, crit2} (shown as the states of a transition diagram in the original slide).
Section 2

Linear Temporal Logic: Syntax and Semantics


Syntax of LTL

Let P be a set of propositional variables. The syntax of LTL is defined inductively:
• propositions: if p ∈ P, then p is an LTL formula
• Boolean operators: if ϕ and ψ are LTL formulas, then
  • ¬ϕ
  • ϕ ∨ ψ
  are LTL formulas
• modalities: if ϕ and ψ are LTL formulas, then
  • Xϕ (“next ϕ”)
  • ϕ U ψ (“ϕ until ψ”)
  are LTL formulas

Precedence: unary operators bind stronger than binary ones


Intuitive semantics
(Timeline diagrams in the original slide.)
• Atomic proposition p: p holds in the first state of the word.
• Next state Xϕ: ϕ holds from the second state on.
• Until ϕ U ψ: ϕ holds in every state before some state where ψ holds.

Interpretations

• LTL interpretations = infinite words over the alphabet 2^P (infinite sequences of interpretations of the propositional variables)
• One path in an LTS = one interpretation
• Let w = w0 w1 ... be an infinite word. We denote by w^i the suffix wi wi+1 ...

Example with P = {p, q}:

w = {q} {p} {} {p, q} {q} ...

w^2 is the suffix starting at the third letter: {} {p, q} {q} ...


Definition of semantics

The satisfaction relation |= between an infinite word w and an LTL formula is defined inductively:

w |= p       ≡ p ∈ w0
w |= Xϕ      ≡ w^1 |= ϕ
w |= ϕ U ψ   ≡ there exists i ≥ 0 such that:
               • w^i |= ψ
               • for all 0 ≤ j < i, w^j |= ϕ
w |= ¬ϕ      ≡ w |= ϕ does not hold
w |= ϕ ∨ ψ   ≡ w |= ϕ or w |= ψ


Derived Operators
Derived Boolean operators:

⊤ ≡ p ∨ ¬p
⊥ ≡ ¬⊤
ϕ ∧ ψ ≡ ¬(¬ϕ ∨ ¬ψ)
ϕ =⇒ ψ ≡ ¬ϕ ∨ ψ
ϕ ⇐⇒ ψ ≡ (ϕ =⇒ ψ) ∧ (ψ =⇒ ϕ)

Derived modalities:

Fϕ ≡ ⊤ U ϕ
Gϕ ≡ ¬(F¬ϕ)
ϕ R ψ ≡ ¬(¬ϕ U ¬ψ)
ϕ W ψ ≡ (ϕ U ψ) ∨ Gϕ
ϕ M ψ ≡ (ϕ R ψ) ∧ Fϕ

Exercise 1

Give a direct description of the semantics of F, G, R, W, M and justify it.

Answer
• Fϕ (“eventually ϕ”): ϕ will be satisfied at some point
• Gϕ (“globally ϕ”): ϕ is always satisfied
• ϕ R ψ (“ϕ release ψ”): ψ must remain true up to (and including) the point when ϕ becomes true, which may never occur
• ϕ W ψ (“weak until”): same as “until”, but the stop condition ψ may never occur
• ϕ M ψ (“strong release”): same as “release”, but the release condition ϕ must occur


Validity, Equivalence, Models

• a formula ϕ is valid (denoted |= ϕ) if for any word w, w |= ϕ
• two formulas ϕ and ψ are equivalent (ϕ ≡ ψ) if for any word w, w |= ϕ ⇐⇒ w |= ψ
• a transition system TS satisfies a formula ϕ (TS |= ϕ) if, for any word w ∈ L(TS), w |= ϕ


A Note on Negation

• for a word, by definition

  w ⊭ ϕ ≡ w |= ¬ϕ

• the same is not true for a transition system!

Example: a system whose states are labelled {p}, {} and {p} (transition diagram in the original slide).

This system satisfies neither Gp nor ¬Gp: it has a run on which p fails at some point (so TS ⊭ Gp) and a run on which p holds forever (so TS ⊭ ¬Gp).


Equivalence Rules

Negation:
¬Xϕ ≡ X¬ϕ
¬Gϕ ≡ F¬ϕ
¬Fϕ ≡ G¬ϕ
¬(ϕ U ψ) ≡ ¬ϕ R ¬ψ
¬(ϕ R ψ) ≡ ¬ϕ U ¬ψ
¬(ϕ W ψ) ≡ ¬ϕ M ¬ψ
¬(ϕ M ψ) ≡ ¬ϕ W ¬ψ

Distributivity:
X(ϕ ∨ ψ) ≡ Xϕ ∨ Xψ
X(ϕ ∧ ψ) ≡ Xϕ ∧ Xψ
X(ϕ U ψ) ≡ Xϕ U Xψ
F(ϕ ∨ ψ) ≡ Fϕ ∨ Fψ
G(ϕ ∧ ψ) ≡ Gϕ ∧ Gψ
ρ U (ϕ ∨ ψ) ≡ (ρ U ϕ) ∨ (ρ U ψ)
(ϕ ∧ ψ) U ρ ≡ (ϕ U ρ) ∧ (ψ U ρ)

Idempotency:
Gϕ ≡ GGϕ
Fϕ ≡ FFϕ
ϕ U ψ ≡ ϕ U (ϕ U ψ)

Unrolling:
Gϕ ≡ ϕ ∧ XGϕ
Fϕ ≡ ϕ ∨ XFϕ
ϕ U ψ ≡ ψ ∨ (ϕ ∧ X(ϕ U ψ))

Exercise 2

Show that the following formulas are not equivalent:

1. G(p ∨ q) ≢ Gp ∨ Gq
2. F(p ∧ q) ≢ Fp ∧ Fq
3. p U (q U r) ≢ (p U q) U r
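The following Python program is an added example, not part of the slides. It implements the satisfaction relation of the “Definition of semantics” slide and the derived operators of the “Derived Operators” slide over ultimately periodic (lasso) words, i.e. infinite words of the form prefix · loop^ω, and uses the result for three later points: the “Note on Negation” (a transition system can satisfy neither ϕ nor ¬ϕ), the equivalence rules (checked on sample words) and Exercise 2 (counterexample words). The lasso representation, the transition system NEG_TS and the words in EX2 are constructed for this example; the slides only draw the system as a diagram.

```python
"""LTL over lasso words (added example, not from the slides).  An infinite
word over 2^P is stored as (prefix, loop): prefix, then loop repeated forever.
It has only len(prefix) + len(loop) distinct suffixes w^i, so the "there
exists i" in the definition of U can be searched exactly."""

def word(prefix, loop):
    """Lasso word; each letter is an iterable of proposition names (an element of 2^P)."""
    if not loop:
        raise ValueError("loop must be non-empty: LTL words are infinite")
    return (tuple(frozenset(a) for a in prefix), tuple(frozenset(a) for a in loop))

def letter(w, i):
    """w_i, the set of propositions true at position i."""
    prefix, loop = w
    return prefix[i] if i < len(prefix) else loop[(i - len(prefix)) % len(loop)]

def suffix(w, i):
    """w^i = w_i w_{i+1} ..., again as a lasso."""
    prefix, loop = w
    if i < len(prefix):
        return (prefix[i:], loop)
    k = (i - len(prefix)) % len(loop)
    return ((), loop[k:] + loop[:k])

# Formulas are nested tuples.  Only the primitive syntax (p, ¬, ∨, X, U) gets
# a constructor of its own; everything else is defined as on the slides.
def P(name): return ("p", name)
def Not(f): return ("not", f)
def Or(f, g): return ("or", f, g)
def X(f): return ("X", f)
def U(f, g): return ("U", f, g)

TOP = Or(P("p"), Not(P("p")))          # ⊤ ≡ p ∨ ¬p, true whatever p is
def And(f, g): return Not(Or(Not(f), Not(g)))
def Implies(f, g): return Or(Not(f), g)
def F(f): return U(TOP, f)
def G(f): return Not(F(Not(f)))
def R(f, g): return Not(U(Not(f), Not(g)))
def W(f, g): return Or(U(f, g), G(f))
def M(f, g): return And(R(f, g), F(f))

def sat(w, phi):
    """w |= phi, by structural recursion on phi."""
    op = phi[0]
    if op == "p":
        return phi[1] in letter(w, 0)
    if op == "not":
        return not sat(w, phi[1])
    if op == "or":
        return sat(w, phi[1]) or sat(w, phi[2])
    if op == "X":
        return sat(suffix(w, 1), phi[1])
    if op == "U":
        f, g = phi[1], phi[2]
        # Suffixes repeat after len(prefix) + len(loop) positions: if g first
        # held beyond that bound, the same suffix already occurred within it
        # with fewer earlier positions that must satisfy f, so this is exact.
        for i in range(len(w[0]) + len(w[1])):
            if sat(suffix(w, i), g):
                return True
            if not sat(suffix(w, i), f):
                return False
        return False
    raise ValueError(f"unknown operator {op!r}")

def agree_on(words, f, g):
    """Evidence for f ≡ g on sample words (not a proof); a disagreement refutes it."""
    return all(sat(w, f) == sat(w, g) for w in words)

def lassos(ts, init):
    """Simple lassos (simple path + simple cycle) of ts = (labels, successors)
    from init; every word yielded is in L(ts).  Caveat: some LTL violations
    exist only on loops that visit a state twice, so finding nothing here does
    not prove ts |= phi; model checkers use an automata-based product for that."""
    labels, succ = ts
    def walk(path):
        for t in succ[path[-1]]:
            if t in path:
                k = path.index(t)
                yield word([labels[s] for s in path[:k]], [labels[s] for s in path[k:]])
            else:
                yield from walk(path + [t])
    yield from walk([init])

def violations(ts, init, phi):
    """Simple-lasso words of ts that do not satisfy phi (empty if none found)."""
    return [w for w in lassos(ts, init) if not sat(w, phi)]

# Constructed transition system for the "Note on Negation": s0 (label {p})
# branches to s1 (label {}) and s2 (label {p}), each looping on itself, so
# L(TS) = { {p}{}^ω, {p}{p}^ω }.
NEG_TS = ({"s0": {"p"}, "s1": set(), "s2": {"p"}},
          {"s0": ["s1", "s2"], "s1": ["s1"], "s2": ["s2"]})

# Counterexample words for Exercise 2 (constructed for this example).
EX2 = {
    "G(p∨q) vs Gp∨Gq": word([], [{"p"}, {"q"}]),
    "F(p∧q) vs Fp∧Fq": word([{"p"}, {"q"}], [set()]),
    "pU(qUr) vs (pUq)Ur": word([{"p"}, {"q"}, {"p"}, {"q"}, {"r"}], [set()]),
}
```

With p = P("p"), violations(NEG_TS, "s0", G(p)) returns the run {p}{}^ω and violations(NEG_TS, "s0", Not(G(p))) returns the run {p}{p}^ω, so the system satisfies neither Gp nor ¬Gp, exactly the point of the negation slide. The word alternating {p},{q} satisfies G(p ∨ q) but neither Gp nor Gq; {p}{q}{}^ω satisfies Fp ∧ Fq but not F(p ∧ q); and {p}{q}{p}{q}{r}{}^ω satisfies (p U q) U r but not p U (q U r), because its second letter falsifies p before any suffix satisfies q U r. The bounded search in the U case is what makes infinite words decidable here; it relies on the word being a lasso, which is also why model-checking counterexamples are reported in that shape.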


Negation Normal Form

An LTL formula is in negation normal form if:
1. negations appear only in front of propositional variables
2. ⊤, ⊥, ∧ and ∨ are the only Boolean operators allowed
3. X, U and R are the only modalities allowed

Examples (✗ not in NNF, ✓ in NNF):
¬Xp ✗        X¬p ✓
p =⇒ Xq ✗    ¬p ∨ Xq ✓
Fp ✗         ⊤ U p ✓


Exercise 3

Put the following formulas in NNF:

1. Gp
2. ¬FGp
3. ¬G(p =⇒ Fq)


Formalizing Properties of Systems (Examples)

• Safety (mutual exclusion invariant):

  G¬(crit1 ∧ crit2)

• A safety property that is not an invariant (no access before the first authentication):

  ¬access W authenticated

• Liveness (every request is eventually granted):

  G(request =⇒ Fgrant)


Liveness vs Safety

• liveness properties describe what the program should do
• often easier to formulate than safety properties
• harder to check: a safety violation is exhibited by a finite prefix of a run, whereas a counter-example to a liveness property is an infinite run
• for a given liveness property, there is often a corresponding safety property
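The following Python program is an added example, not part of the slides. It shows the difference between safety and liveness from the monitoring side: it checks the three properties of the “Formalizing Properties of Systems” slide against finite prefixes of runs (constructed traces, with proposition names chosen for this example). The two safety properties can be refuted by a finite bad prefix; the liveness property G(request =⇒ Fgrant) never can, so the monitor can only report the requests still awaiting a grant.

```python
"""Finite-trace monitoring of the three slide properties (added example, not
from the slides).  A trace is a finite prefix of a run: a list of letters,
each the set of propositions true in one state.  Verdicts: VIOLATED (every
extension violates the property), SATISFIED (every extension satisfies it)
or PENDING (the prefix decides nothing yet)."""

VIOLATED, SATISFIED, PENDING = "violated", "satisfied", "pending"

def monitor_invariant(trace, bad):
    """G¬bad: violated at the first state satisfying bad.  A finite prefix can
    never confirm an invariant, so the only other verdict is PENDING."""
    for i, state in enumerate(trace):
        if bad(state):
            return VIOLATED, i
    return PENDING, None

def monitor_weak_until(trace, phi, psi):
    """phi W psi = (phi U psi) ∨ Gphi: phi must hold in every state strictly
    before the first psi-state.  psi may never come; then phi must hold
    forever, which a prefix cannot confirm (PENDING)."""
    for i, state in enumerate(trace):
        if psi(state):
            return SATISFIED, i    # stop condition reached with phi intact before it
        if not phi(state):
            return VIOLATED, i     # phi failed before any psi: a bad prefix
    return PENDING, None

def monitor_response(trace, request, grant):
    """G(request ⇒ F grant) is a liveness property: no finite prefix violates
    it, so the verdict is always PENDING.  The positions of requests not yet
    followed by a grant are returned as open obligations (F grant is already
    satisfied by a grant in the same state as the request)."""
    open_requests = []
    for i, state in enumerate(trace):
        if grant(state):
            open_requests = []     # every earlier request is now discharged
        elif request(state):
            open_requests.append(i)
    return PENDING, open_requests

def check_all(trace):
    """Run the three properties of the slide over one trace."""
    return {
        "mutex": monitor_invariant(trace, lambda s: {"crit1", "crit2"} <= s),
        "auth_before_access": monitor_weak_until(
            trace, lambda s: "access" not in s, lambda s: "authenticated" in s),
        "requests_granted": monitor_response(
            trace, lambda s: "request" in s, lambda s: "grant" in s),
    }

# Constructed sample traces; the proposition names are this example's own.
GOOD_TRACE = [
    set(),                          # idle
    {"request"},                    # login requested
    {"authenticated", "grant"},     # credentials accepted, request granted
    {"authenticated", "access"},    # resource accessed after authentication
    {"authenticated", "request"},   # a new request, not granted yet
]
BAD_TRACE = [
    set(),
    {"access"},                     # access before any authentication
    {"authenticated"},
]
MUTEX_TRACE = [{"crit1"}, set(), {"crit2"}, {"crit1", "crit2"}]

if __name__ == "__main__":
    for name, trace in [("good", GOOD_TRACE), ("bad", BAD_TRACE), ("mutex", MUTEX_TRACE)]:
        print(name, check_all(trace))
```

On GOOD_TRACE the weak-until monitor reports SATISFIED at position 2 (authentication happened with no earlier access) and the response monitor reports the request at position 4 as still open; on BAD_TRACE it reports VIOLATED at position 1, the bad prefix {} {access}; on MUTEX_TRACE the invariant is VIOLATED at position 3. Note that an open request is not a violation: only an infinite run on which the grant never arrives refutes G(request =⇒ Fgrant), which is why liveness counter-examples must be infinite (in practice, lasso-shaped) while safety monitors can run over logs.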


Exercise 4

1. Write LTL formulas corresponding to the following properties:
   • if p becomes true at any point, then q must be true until r becomes true
   • p can only be true if q has been true at least once before
   • p is true exactly every other state
2. Consider a traffic light. Formalize the property that the light must cycle through colors in the usual order.
