Temporal Logic

Theory and Applications

Reuven Yakar
Tel-Aviv University
06/12/2007

1
 Today
„ First-order linear temporal logic
„ Applications of temporal logic – verification
of programs
… The Producer-Consumer Scenario
… Peterson’s Algorithm
„ Using FOLTL.
„ Using Propositional LTL.

… Verification using BrTL.

2
 First-order Linear Temporal Logic
„ Extension of propositional temporal logic.
„ We introduce variables, functions and
predicates.
„ Up side: greater expressiveness.
„ Down side: More complicated deduction
techniques, and no completeness.
„ Main application: specification, design and
verification of concurrent systems (examples
soon).

3
 Introduction to the Syntax:
Global Objects and Local Objects

„ Global objects: The meaning/truth-value is

the same in all states. (example: “Dan” (a
person))
„ Local objects: The meaning/truth-value is
state-dependant (example: “The prime
minister”)

4
 Syntax - Symbols
1. The set of logical connectives (¬,∧,∨,→,↔),
2. The set of temporal operators (⃝,⃞,⃟,U),
3. The set of quantifiers (∀,∃),
4. The equality connective (=),
5. A set P of global predicate constants (with arity),
6. A set F of global function constants (with arity),
7. A set Q of local propositions,
8. A set L of local individual constants,
9. A set V of global variables.

5
 Syntax – Construction Rules
„ A term: a variable, a local individual constant, or,
recursively, a functional form (defined next).
„ A functional form: the application of a function
constant f with arity n to t1,…,tn terms, denoted
f(t1,…,tn).
if n=0, we write f, instead of f(), and call it a
(global) individual constant.
„ A predicate form: the application of a predicate
constant p with arity n to t1,…,tn terms, denoted
p(t1,…,tn).
if n=0, we write p, instead of p(), and call it a
(global) propositional constant.
6
 Syntax – Construction Rules
„ An atom is a predicate form, a local
proposition or an equality (defined next).
„ An equality is an expression (s = t), where s
and t are terms.
„ A formula is:
… An atom,
… ¬A, ⃞A, ⃟A, ⃝A, A∧B, A∨B, A→B, A↔B, AUB
where A and B are formulas, or
… ∃xA and ∀xA, where A is a formula and x is a
variable.
7
Semantics – Temporal Interpretation
„ A temporal interpretation is a 5-tuple I =(S,R,D,Ic,Iv)
„ (S,R) is a linear temporal frame (same as LTL),
„ D is a non-empty set called the interpretation domain,
„ Ic is an interpretation function for constants as follows:
… For a global function constant f of arity n, Ic(f):Dn→D,
… For a global predicate constant p of arity m, Ic(p):Dm→{T,F},
… For a pair (s, l) where s∈S is a state and l∈L is a local
individual constant, Ic(s, l) ∈ D,
… For a pair (s,q) where s∈S is a state and q∈Q is a local
proposition, Ic(s,q) ∈ {T,F}.
„ Iv is an interpretation function for variables, which maps
each variable x∈V to an element Iv(x) ∈ D

8
 Semantics – Interpretations Rules
„ We need interpretation rules in order to
associate a truth value I(A) with each formula A,
and an element I(t) of D with each term t.
„ Most of them are very trivial, or simply the same
as for propositional temporal logic.
„ Here they are:
… If x is a variable, then I(s,x) =def Iv(x).
… If l is a local individual constant, I(s,l)=def IC(s,l).
… If f is a function constant of arity n and t1,…,tn are
terms, then I(s,f(t1,…,tn))=def IC(f)(I(s,t1),…,I(s,tn)).
„ We interpret each argument, and then apply the function on
their values, exactly like a function in the code of a program.
The difference is that the values of the arguments may
depend on the current state, but the function itself is the
same for all states.

9
 Semantics – Interpretations Rules
- If p is a function constant of arity m and t1,…,tm
are terms, then I(s,p(t1,…,tm))=def
IC(p)(I(s,t1),…,I(s,tm)).
- If q is a local proposition, then I(s,q)=def IC(s,q).
- If t1 and t2 are terms, then I(s,t1=t2) is T iff
I(s,t1)= I(s,t2).
- If A and B are formulas, then ¬A, A∧B, A∨B,
A→B, A↔B, ⃝A, ⃞A, ⃟A, AUB are interpreted
as in propositional temporal logic.
- If A is a formula, and if x is a variable, then
I(s,∀xA) is T if Ix/d(A) is T for every d∈D, and I
(s,∃xA) is T if Ix/d(A) is T for at least one d∈D.
• Ix/d denotes I, except that IV(x)=d.

10
 Semantics – Remarks
„ As in propositional temporal logic, we can
assume that S=ℕ, and R is the successor
function, R(n)=n+1.
„ Note that the role of variables is the same as in
classical predicate logic (they can free or bound,
and their semantics is the same).
„ The notation I⊨sA is used where I(s,A) = T.
„ We say I⊨A if I⊨sA in all states s∈S.
„ We say that the formula A is valid if I⊨A holds
for each temporal interpretation I.

11
 Axiomatic System
„ The main idea is to combine:
… The axiomatic system for classic predicate logic
… The axioms and inference rules of equality
… The axiomatic system for propositional temporal
calculus (last week).
„ A few changes due to the insertion of
temporal aspects…

12
 Axiomatic System
„ First, the schema ∀xA(x) → A(t), which is valid in
classical logic, remains valid in temporal logic iff
substituting the term t for the variable x doesn’t
introduce occurrences of local constants into the
scope of a temporal operator. When this
condition is satisfied, we say that “t is
substitutable for x in A”.
„ Similarly, in order for the following to be valid, ti
must be substitutable for xi in the appropriate
formulas:
x1=t1 ∧ x2=t2 ∧ … ∧ xn=tn x1=t1 ∧ x2=t2 ∧ … ∧ xn=tn
--------------------------------------- -------------------------------------
p(x1, x2,…, xn) ↔ p(t1, t2,…, tn) f(x1, x2,…, xn) = f(t1, t2,…, tn)
13
 Axiomatic System

„ Furthermore, we should mention the

relations between temporal operators and
quantifiers:
… ∀x⃝A ↔ ⃝∀xA
… ∀x⃞A ↔ ⃞∀xA

14
 Axiomatic System
Axioms:
„ Every valid schema of propositional
temporal logic is an axiom. In addition:
„ If A doesn’t contain local objects, then
A→⃝A.
„ If x is a global variable, if A(x) is a formula
and if the term t is subtitutable for x in
A(x), then ∀xA(x) → A(t).
„ If A is a formula and x is a global variable,
then ∃x¬A ↔ ¬∀xA.
15
 Axiomatic System
„ Inference rules:
… Modus Ponens: If A and A→B are theorems, then B is
a theorem.
… Necessitation: If A is a theorem, then so is ⃞A.
… Generalization: If the global variable x doesn’t occur
free in A and if A→B is a theorem, then A→∀xB is a
theorem.
„ A few more axioms:
… reflexivityaxiom for equality.
… substitutivity rules, restricted to substitutability
of the terms, as explained before.
16
 Axiomatic System - Remarks
„ As stated earlier, the temporal predicate
calculus cannot be axiomatized
completely, but this Axiomatic system is
sufficient to deduce a lot of useful
theorems, and for the applications we’ll
soon see.

17
 First-order Temporal Theories
„ A classical first-order theory is achieved by adapting
classical first-order logic to a specific domain. There
are two components to these theories:
… A signature: A set of function constants and predicate
constants which will be interpreted. No other constant will
occur in the formulas of the theory.
… A set of axioms: which restrict the possible interpretations
of elements of the signature. We only consider the
interpretations for which the axioms are true.
„ A similar concept exists for temporal logic, and
called, surprisingly, a temporal first-order theory.
The signature of a temporal first-order theory can
include global constants, but also local individual
constants, and local propositions. Examples ahead.
18
 Applications of Temporal Logic
„ Temporal logic is useful to specify and
verify concurrent systems. That is because
it allows us to express statements like
“something (e.g. program termination) will
eventually happen”, and “something will
happen at the next step”.
„ We will try to determine whether a given
system is correct with respect to its
specification, stated as a temporal logic
formula.
19
 Two Approaches
„ The first, based on predicate temporal logic. It’s
more intuitive and gives a good insight into the
programs under investigation.
„ The second, based on propositional temporal
logic, will allow the automation of the proof
process (when it can be applied).
„ But first, an elementary example to introduce the
concepts needed to specify and verify
concurrent systems:
20
The Producer-Consumer Problem
P: C:
while true do while true do
begin begin
await p-c < N do produce; await p > c do consume;
p := p + 1 c := c + 1
end end

•Memory sharing
•Initially, p=c=0.
•“produce;” and “consume” don’t alter the values of p,c.
•‘await B do S’ means “wait until condition B is true,
and then execute S”. If B = F forever, there’s an infinite
delay.
21
 Graphical Model

P0 C0

p-c < N p>c

p:=p+1 → c:=c+1 →
skip skip

P1 C1

Process P Process C

22
 Modeling
„ A computation state is an instance of the 4-
tuple (LP,LC,p,c), where LP is either P0 or P1,
and similarly for LC. p and c are the current
values of the counters p and c.
„ For example, if N=2, a possible computation
is:
0 1 2 3 4 5 6 7 8 9 10
LP P0 P1 P0 P1 P1 P0 P0 P0 P0 P1 P0
L C C0 C0 C0 C0 C1 C1 C0 C1 C0 C0 C0
p 0 0 1 1 1 2 2 2 2 2 3
c 0 0 0 0 0 0 1 1 2 2 2
23
 Formulas State Specifications
„ Soon we will see how to obtain axioms
from the code of the program, that
describe its computations. They will define
the temporal theory of the program.
„ For now, we can state specifications of the
program as temporal formulas. if we prove
that these formulas are theorems of the
theory, we can verify the correctness of
the program.
„ For example:
24
 In Our Simple Case
„ One property is that the processes are
adequately synchronized, given the initial state
is acceptable. Formally: P0 C0
… Init: (at-P0 ∧ at-C0 ∧ p=0 ∧ c=0) , p-c<N p>c
→ c:=c+1
… Z: (0 ≤ p-c ≤ N) , p:=p+1
skip
→
skip
… (Init → ⃞Z)
C1
„ And if we look at: P1
Process P Process C
… I: [at-P0 →p-c≤N] ∧ [at-P1→p-c<N] ∧
[at-C0→p≥c] ∧ [at-C1 → p>c].
It’s rather clear that I→⃝I (we’ll see how to prove
this later). As a consequence, if I is true initially,
it’s always true, and also, (Init → ⃞Z) is valid.
25
 Program Modeling
„ A set of processes: {P1,…, Pn} (like {P,C} we saw)
„ A set (memory) of program variables (as opposed
to logical variables): X = {x1,…, xk} {p,c,N}
„ Each process is represented in a flowchart, which
is a finite, connected and directed graph.
„ Initial node for each process.
„ Each node has a label. (P0, P1, C0, C1)
„ Each arc is associated with a statement.
„ A statement is an ordered pair (C,A) (denoted
C→A). C is a condition. A is an assignment.
Example: p-c < N → skip
26
 Program Modeling
„ C is a Boolean term involving global constants
and program variables.
„ A has the form: (x1,…, xk):=(t1,…, tk). We omit
variables that we don’t change, and short by
“skip”, if we change none.
„ We use “C?” instead of “C→skip”, and A instead
of “true→A”.
„ Sometimes a lexical representation is more
convenient, so the graph is simply represented
as a list of transitions of the form (l, C→A, l’).
„ For each process P: LP is the set of its labels
and TrP is the set of its transitions.
… LP={P0,P1}
… TrP={(P0, p-c<N → skip, P1), (P1, (true →)p:=p+1, P0)}
27
 Program Modeling
„ The output condition of a label l is out(l), the OR on
all the C’s on transitions that originate from l (false
by default, if no such transition exists).
the process is at the node with label l, and out(l)=F, it
… If
means that the process is “stuck”; it cannot proceed.
„ A memory state is a total function on the domain X,
mapping each variable to its value. The set of
memory states is denoted Σ.
„ control state is an element of Γ=LP1x…xLPn.
„ A system state is a pair s=(L,σ) where L is a control
state and σ is a memory state. (slide 23)
„ A state is final if for all i, out(li)(σ)=F. (all the
processes are “stuck”). 28
 Program Modeling
„ A transition T=(l, C→A, l’) of any process Pi defines
a transformation of the system state.
„ This transformations is modeled by a (partial)
function T:ΓxΣ→ΓxΣ defined as follows:
„ If s=(L,σ) and t=(L’,σ’) are two system states, t=T(s)
holds iff the following three:
…L and L’ are the same, except for one 1≤i≤n, for which,
L(i)=l, and L’(i)=l’. (only one process is in a different node
after the transition)
… σ satisfies C (the condition of the transition).
… σ’ = A(σ). (the memory is changed according to the
assignment)
29
 Program Modeling
„ A computation of the system is a
sequence (s0, s1,…) of states.
„ s0 is the initial state, meaning its control
state is the array of the initial states of the
processes.
„ If sk+1 exists, then there exists a transition
T such that sk+1=T(sk).

30
Break

31
 Example: Peterson’s Algorithm
P: Q:
while true do while true do
begin begin
non-critical section; non-critical section;
inP := T; inQ := T;
turn := q; turn := p;
await ¬inQ ∨ turn = p do skip; await ¬inP ∨ turn = q do skip;
critical section; critical section;
inP := F inQ := F
end end

• inQ and inP are true when the appropriate process requests
access. Initially, they are F.
• turn indicates which process has the priority, if both want in.
Initial value can be either p or q, arbitrarily.

32
 Formal Model
P: NCS inP := T
while true do p0 p1 p2
begin
non-critical section;
inP := T; inP := F turn := q
turn := q;
await ¬inQ ∨ turn = p do skip;
critical section; p5 p4 p3
inP := F CS (¬inQ ∨ turn = p)?
end
Process P

Q: NCS inQ := T
while true do q0 q1 q2
begin
non-critical section;
inQ := T; inQ := F turn := p
turn := p;
await ¬inP ∨ turn = q do skip;
critical section;
q5 q4 q3
inQ := F (¬inP ∨ turn = q)?
end CS
Process Q
33
A Program as a Temporal F-O Theory
Signature:
„ Global objects:
… Function constants and predicate constants
associated with the types of the program variables.
„ For example: - and <.
… As many logical variables as we want.
„ Local objects: to describe the system state
… For each label l, at-l=T iff the control state contains l.
… For each transition T, Next(T) = T in state s iff the
next state is the T-successor of s.
… For each process P, Next(P)=∨T∈PNext(T).
… For each program variable x, there’s a local logical
constant (also denoted x) whose value in state s is
the value of the program variable x in s.
34
A Program as a Temporal F-O Theory
Axioms:
1. The axioms of temporal predicate calculus, restricted to the
language defined by the signature.
2. Axioms that describe the data types used by the system.
These give the semantics of the function constants and the
predicate constants of the language.
• Example: if we have integers, we include the axioms of Number
Theory, so we can use predicates like <, and functions like +.
3. Axioms that give a formal description of the system itself.
An axiom schema is associated with each transition.
4. Axioms to model the semantics of the local propositions
associated with the processes and the control points
(nodes).
5. A special axiom to formalize the execution mechanism.
35
 Axioms
„ For each process P, for each transition
T: (l , C→(x1,…,xk):=(t1,…,tk) , l’) ; T∈TrP
we add the axiom schema:
BT: ⃞{[Next(T) ∧ Z(x1/t1,…,xk/tk,at-l’←T)] →
[at-l ∧ C ∧ ⃝(at-l’ ∧ Z)]}
where Z is any formula without temporal
operators.
BT indicates when T can be executed, and
formalized its effect.
36
 Axioms
„ Forexample, let’s use T: (P1, p:=p+1,
P0) of the P-C system. We’ll take the
formula I for Z. We get the axiom:
⃞{[Next(T) ∧ I(p/p+1, at-P0←T)] →
[at-P1 ∧ T ∧ ⃝(at-P0 ∧ I)]}
which “reduces” to:
⃞{[Next(T) ∧ p-c<N ∧ (at-C0→p≥c) ∧ (at-C1 → p>c)] →
[at-P1 ∧ ⃝(at-P0 ∧ p-c<N ∧ [at-C0→p≥c] ∧ [at-C1 → p>c])]} .

37
 Axioms
„ Notation: if a,b,c are propositions, then “a+b+c=1”
means that one and only one of these three is true.
„ The axioms about the control points and the
execution mechanism:
… For each process P, ⃞(Σl∈Lpat-l = 1).
… For each process P, ⃞[Next(P) = ΣT∈TrpNext(T)].
… If Pi≠Pj then, ⃞¬[Next (Pi) ∧ Next (Pj)].
… The execution mechanism: For each control
state (l1,…, ln), ⃞{(at- l1 ∧…∧ at- ln)→
[(∨j=1:nNext(Pj) ∧ out(lj)) ∨ (∧i=1:n¬out(lj))]}.
… Fairness: For each process P,
⃞[⃟Next(P) ∨ ∨l∈Lp(at-l ∧ ¬⃞⃟out(l))] .
38
 Program Properties
„ Initial conditions:
Init: at-p0 ∧ at-q0 ∧ ¬inP ∧ ¬inQ ∧ (turn=p ∨ turn=p).
„ Invariance properties: Init → ⃞Z (Z with no temporal ops).
… An invariant : A formula I with no temporal operators such that
Init → I, ⃞(I→⃝I), I→Z
… Already saw examples for the P-C program.
… Examples for Peterson’s algorithm, soon.
„ Liveness properties: Init → ⃞(Y→⃟Z) (Y,Z with no temporal ops).
„ It’s possible to generalize liveness and invariance
properties s.t. any property modeled by a temporal
formula becomes the conjunction of an invariance and
a liveness properties.
„ Intuitively, an invariance property asserts that nothing
bad happens, and a liveness property asserts that
something good will eventually happen.
39
Invariance Properties for Peterson’s Algorithm
„ The mutual exclusion property:
Init → ⃞¬[(at-p4 ∨ at-p5) ∧ (at-p4 ∨ at-p5)] .
„ Deadlock freedom: All computations are infinite.
The output condition of all nodes is T except p3
and q3, but out(p3) v out(q3) = T, which implies the
desired result: No final states.
„ We will prove that the following is an invariant:
I : ((at-p0 ∨ at-p1)↔¬inP) ∧ ((at-q0 ∨ at-q1)↔¬inQ)
∧ (turn=p ∨ turn=q)
∧ (at-q3 ∨ at-q4 ∨ at-q5)→(turn=p ∨ at-p3)
∧ (at-p3 ∨ at-p4 ∨ at-p5)→(turn=q ∨ at-q3)
40
Invariance Properties for Peterson’s Algorithm
„ First, when Init is T then I reduces to:
((T ∨ F)↔T) ∧ ((T ∨ F)↔T)
∧T
∧ (F ∨ F ∨ F) → (turn=p ∨ F)
∧ (F ∨ F ∨ F) → (turn=q ∨ F)

which reduces to T , implying that (Init → I) is

valid.

41
Invariance Properties for Peterson’s Algorithm
„ Secondly, we need to prove that ⃞(I→⃝I).
„ Sufficient to prove that for each transition
T, (I ∧ Next(T)) → ⃝I.
„ Let’s consider T2(p): (p2, turn:=q, p3)
„ To create the axiom associated with this
transition, we need to replace I for Z in BT:
BT2(p): ⃞{[Next(T2(p)) ∧ I(turn/q,at-p3←T)] →
[at-p2 ∧ ⃝(at-p3 ∧ I)]}

42
Invariance Properties for Peterson’s Algorithm
„ The required property will be proved if we prove
the following:
A: [I∧Next(T2(p))] → [Next(T2(p)) ∧ I(turn/q,at-p3←T)].
„ Taking into account that (Next(T2(p)) → at-p2) ,
A’s first part is:
Next(T2(p)) ∧ inP ∧ ((at-q0 ∨ at-q1)↔¬inQ)
∧ (turn=p ∨ turn=q)
∧ (at-q3 ∨ at-q4 ∨ at-q5)→turn=p ,
„ and A’s second part is:
Next(T2(p)) ∧ inP ∧ ((at-q0 ∨ at-q1)↔¬inQ) ,
which means that A is valid.
„ We handle the rest of the transitions similarly.
43
 Invariance Properties for Peterson’s Algorithm
„ Last, we need to prove (I→Z), where
Z: ¬[(at-p4 ∨ at-p5) ∧ (at-q4 ∨ at-q5)] (mutual exclusion in a single state)
„ The negation of (I→Z) is:
I ∧ (at-p4 ∨ at-p5) ∧ (at-q4 ∨ at-q5) ,
„ which can be written as:
(at-p4 ∨ at-p5) ∧ (at-q4 ∨ at-q5) ∧ inP ∧ inQ
∧ (turn = p ∨ turn = q)
∧ T→(turn = p ∨ F)
∧ T→(turn = q ∨ F)
„ which implies (turn = p ∧ turn = q) , which is a
contradiction.

44
 Fairness of Peterson’s Algorithm
„ Want to prove that the delay between a request for
access to the critical section and the access itself is
always finite. This needs to be proved for each
process, but the code is symmetric.
„ Formally: ⃞(at-p3 → ⃟at-p4) or, ⃞(at-p3 ∧ I → ⃟at-p4).
„ Proof is based on the next basic theorems:
1. ⃞[(at-p3 ∧ at-q3 ∧ I ∧ turn=p) → ⃝at-p4]
2. ⃞[(at-p3 ∧ at-q3 ∧ I ∧ turn=q) → ⃝(at-p3 ∧ at-q4 ∧ I)]
3. ⃞[(at-p3 ∧ at-q4 ∧ I) → ⃝(at-p3 ∧ at-q5 ∧ I)]
4. ⃞[(at-p3 ∧ at-q5 ∧ I) → ⃝(at-p3 ∧ at-q0 ∧ I)]
5. ⃞[(at-p3 ∧ at-q0 ∧ I) → ⃝(at-p4 ∨ (at-p3 ∧ at-q1 ∧ I))]
6. ⃞[(at-p3 ∧ at-q1 ∧ I) → ⃝(at-p4 ∨ (at-p3 ∧ at-q2 ∧ I))]
7. ⃞[(at-p3 ∧ at-q2 ∧ I) → ⃝(at-p4 ∨ (at-p3 ∧ at-q3 ∧ I ∧ turn=p))]

45
 Fairness of Peterson’s Algorithm
„ The proof:
8. ⃞[(at-p3 ∧ at-q3 ∧ I ∧ turn=p) → ⃟at-p4] (1)
9. ⃞[(at-p3 ∧ at-q2 ∧ I) → ⃟at-p4] (7,8)
10. ⃞[(at-p3 ∧ at-q1 ∧ I) → ⃟at-p4] (6,9)
11. ⃞[(at-p3 ∧ at-q0 ∧ I) → ⃟at-p4] (5,10)
12. ⃞[(at-p3 ∧ at-q5 ∧ I) → ⃟at-p4] (4,11)
13. ⃞[(at-p3 ∧ at-q4 ∧ I) → ⃟at-p4] (3,12)
14. ⃞[(at-p3 ∧ at-q3 ∧ I) → ⃟at-p4] (8,2,13)
15. ⃞[(at-p3 ∧ I) → ⃟at-p4] (9,10,11,12,13,14)
„ Fairness of the scheduler is not required for that proof,
but what if we are interested in a slightly stronger
property of fairness: ⃞(at-p0 → ⃟at-p4) , we need to
assume that the scheduler itself is fair.

46
 Fairness of Peterson’s Algorithm
„ Since we already proved that ⃞(at-p3 → ⃟at-p4) , it’s
enough to prove that ⃞(at-p0 → ⃟at-p3) , or equivalently,
⃞(at-p0 → ⃟at-p1), ⃞(at-p1 → ⃟at-p2), ⃞(at-p2 → ⃟at-p3) .
„ Formally, the fairness of the scheduler is a set of axioms,
one for each process. For P,
⃞[⃟Next(P) ∨ (at-p3 ∧ ¬⃞⃟(¬inQ ∨ turn=p))]
„ Proof that ⃞(at-p0 → ⃟at-p1) :
1. ⃞[at-p0 → ⃟Next(P)] (fairness)
2. ⃞[(at-p0 ∧ ⃟Next(P)) → ⃝at-p1] (semantic axiom)
3. ⃞[at-p0 → ⃟Next(P)] (1,2)
„ The remaining are proved in the same way.

„ The key in program verification is

finding an appropriate invariant!
47
 Verification Using Propositional
Temporal Logic
„ The method described is widely used, but:
… It’s sometimes incredibly hard to find the adequate invariants, and
… The proofs can be tedious.
„ The alternative method uses propositional temporal logic
(the one from last week), and allows automation of the
verification process.
„ Problem is: It only works if the system has only a finite
number of possible states (“finite-state system”):
… Finite number of control states (always true), and
… Finite number of possible values for each variable (sometimes not).
„ We will show that any finite-state system can be
represented as a Büchi automaton, so that the words it
accepts correspond to the executions of the program.
48
 Verification Using Propositional
Temporal Logic
„ We saw last week that for a given temporal logic formula,
there is a way to build a Büchi automaton that accepts
exactly the sequences that satisfy the formula. Our method
of proof will be based on that. The method is:
1. Build the automaton for the negation of the formula, and the
automaton describing the program.
2. Intersect the two.
3. Check that the intersection automaton is empty.
… If it is empty, there is no execution of the program that satisfies the
negation of the formula. Meaning, all executions of the program,
satisfy the formula – exactly what we want to prove.
… Hadn’t we used the negation of the formula, we would’ve had to
check the complement of the automaton, but complementing an
automaton is an expensive operation, that we wish to avoid.
49
 Modeling Programs with Finite
Automata
„ We will demonstrate the method on Peterson’s algorithm.
… Each process can be viewed as an automaton. The nodes
correspond to states of the automaton, and the arcs – to transitions.
Therefore, Σ = the set of statements of the program.
… We still need to represent the variables and their values.
… We also need to combine the two process into a single automaton.
… Solution:
„ We will represent each variable as a separate automaton.
„ We will define an operation of finite-state processes that represent the
concurrent execution of them.
„ That will allow us to combine the two processes and the three variables
into a single automaton representing the algorithm.
… First, we’ll see the automata, and then how to combine them.

50
 The Automata Representing the Processes
P:
while true do P:NCS P:inP := T
begin
> p0 p1 p2
non-critical section;
inP := T;
turn := q; P: inP := F P: turn := q
P: (inQ ∧
await ¬inQ ∨ turn = p do skip;
P: ¬inQ? turn = q)?
critical section;
inP := F p5 p4 p3
end P:CS
P: turn = p?
Process P
Q:
while true do Q:NCS Q:inQ := T
begin
> q0 q1 q2
non-critical section;
inQ := T;
turn := p; Q: inQ := F Q: turn := p
Q: (inP ∧
await ¬inP ∨ turn = q do skip;
Q: ¬inP? turn = p)?
critical section;
inQ := F q5 q4 q3
end Q:CS
Q: turn = q?
Process Q 51
 The Automata Representing the Variables
P: inP:=T
P: inP:=F P: inP:=T
> F T
Q: ¬inP? Q: (inP ∧ turn = p)?
P: inP:=F
Automaton for inP

Q: inQ:=T
Q: inQ:=F Q: inQ:=T
> F T
P: ¬inQ? P: (inQ ∧ turn = q)?
Q: inQ:=F
Automaton for inQ

P: turn:=q
Q: turn := p P: turn := q
> p q
P: turn = p? Q: turn = q?
Q: (inP ∧ turn = p)? Q: turn:=p P: (inQ ∧ turn = q)?
Automaton for turn
52
 How to Combine the Automata
„ Let’s explain the combination of just two automata
first.
… We have A1=(Σ1,S1,ρ1,S01,F1) and A2=(Σ2,S2,ρ2,S02,F2).
… The partly synchronized product of A1 and A2 is the
generalized Büchi automaton A=(Σ,S,ρ,S0,ℱ) formally
defined by:
„ Σ = Σ1∪Σ2
„ S=S1xS2 , S0=S01xS02
„ ℱ = {F1xS2,S1xF2}
„ (u,v) ∈ ρ((s,t),a) when:
… a∈Σ1∩Σ2 and u∈ρ1(s,a) and v∈ρ2(t,a),
… a∈Σ1\Σ2 and u∈ρ1(s,a) and v=t,
… a∈Σ2\Σ1 and u=s and v∈ρ2(t,a).

53
Modeling the Fairness Hypothesis
„ The fairness hypothesis: “Any unblocked process will
eventually execute an action”.
„ We built the automata representing P and Q, we added
transition to make sure there is no possibility of blocking.
„ So, we can use a simpler fairness hypothesis: “Every
process will eventually execute some action”. In Peterson’s
case, it means that the only allowable infinite executions are
those in which actions of both P and Q occur infinitely often.
„ We enforce this by adding one more automaton to the
partially synchronized product - the one of the scheduler:

choose Q choose P
sQ s0 sP
{action of Q} {action of P}
>

54
 Specification and Verification
„ What did we want to prove?
… Mutual exclusion: Two symmetrical conditions, one for each process:
„ ⃞[(P:CS) → (¬(Q:CS)U(P:inP:=F))]
„ ⃞[(Q:CS) → (¬(F:CS)U(Q:inQ:=F))]

… Liveness property: If a process wants in, it will eventually get in:

„ ⃞[(P:inP:=T) → ⃟(P:CS)]
„ ⃞[(Q:inQ:=T) → ⃟(Q:CS)]

„ The verification process is not designed to be applied

manually, but rather by a computer. A few notes on
complexity:
… The size of the product automata can grow as the product of the sizes
of the automata representing the processes and the variables.
… The size of the automaton representing a formula can grow
exponentially as a function of the length of the formula.
… However, once we have the intersection automaton, that we need to
check that is empty, the time complexity of checking emptiness is
linear in the size of the automaton.
55
 BrTL Application
„ A similar approach to program verification uses
BrTL.
„ We can think of the automaton that represents the
program as a branching-time temporal
interpretation.
„ Verifying that all executions of the program satisfy a
specification ϕ, is equivalent to verifying that the
interpretation is a model of the formula ∀ϕ.
„ If we restrict ourselves to CTL, the problem is, given
a finite set P of propositions, an Interpretation I, and
a formula A involving only elements of P, to
determine whether I is a model of A.
56
 Branching-time Application
„ Basically, the interpretation gives us a table for each state s,
that tells us the truth value of each element of P in s.
„ We need to complete these tables to contain the truth values
of all sub-formulas of A, including a itself.
„ First we consider the sub-formulas of A that include only one
logical connective, or one compound temporal operator
(∀⃝,∃⃝,∀⃞,∃⃞,∀⃟,∃⃟,∀U,∃U).
„ Example: ∀⃝p=T iff p=T in all the immediate successors of s.
„ If the tables contain the truth values for sub-formulas
containing n connectives, it’s clear how to determine the
values of the sub-formulas containing n+1 connectives.
„ The time complexity is O((size of the formula a) * (size of the
interpretation I)).

57
The

58