30-11-2024

CS/IS F214 Logic in Computer Science
BITS Pilani, Pilani Campus
MODULE: SAT PROBLEMS

Universal Second-Order Predicate Logic

Define Universal Second-Order Predicate Logic as the language whose formulas are generated by the grammar

    --> ∀p φ

where p is any predicate symbol and φ is any (first-order) predicate logic formula.

Given a suitable model M and a look-up table l, a formula ∀p φ can be evaluated as follows:

    M |=l ∀p φ  iff  for all R in psM,  M |=l[p|->R] φ

SAT PROBLEM: Satisfiability Problems

Decide whether a formula φ is satisfiable: φ is SAT iff there exists a model M such that M |= φ.

[Figure: one model; all possible models; the models satisfying the formula.]

Many problems can be expressed as a list of constraints. The answer is an assignment to variables that satisfies all the constraints. For example, write a logical specification of an air traffic controller's shift schedule (night shifts, no one can work more than x hours a week, some pairs of people ...). Can these constraints be satisfied simultaneously? Is there an assignment of people to shifts that satisfies all the constraints?


Satisfiability and Validity

Satisfiable sentence: some truth value assignment for the variables makes the sentence true.
Valid sentence: all truth value assignments for the variables make the sentence true.
Algorithm?

SAT and CNF

Satisfiability problems are written as conjunctive normal form (CNF) formulas.
Satisfiability of formulas in CNF is NP-complete.
Clever heuristics exist (we will see them in the next lectures).

Conjunctive Normal Form (CNF)

RECALL: A propositional logic formula is said to be in CNF if the formula is a conjunction of sub-formulas (or clauses), i.e. it is of the form C1 ∧ C2 ∧ ... ∧ Cn, where each clause Ci is a disjunction of literals, i.e. it is of the form Li1 ∨ Li2 ∨ ... ∨ Lim, where each literal Lij is either an atomic proposition (p) or the negation of an atomic proposition (¬p).
In Boolean logic, the CNF is referred to as the Product-of-Sums (POS) form.

SAT-SOLVER

[Figure: a formula (in CNF) is given to a SAT solver, which answers either Unsatisfiable (+ resolution proof) or Satisfiable (+ model).]
DPLL -- Introduction

Part of modern day SAT solvers.
Introduced in 1962 by Martin Davis, Hilary Putnam, George Logemann and Donald W. Loveland.
The algorithm still forms the basis for most modern SAT solvers.
A complete, backtracking-based algorithm for deciding the satisfiability of propositional logic formulae in conjunctive normal form, i.e. for solving the CNF-SAT problem.

EXAMPLE: ASSIGN AND SIMPLIFY

Today: φ is a formula in CNF. A is an assignment of truth values to variables (a total or partial assignment).

Search Example

φ = (P ∨ Q) ∧ (P ∨ ¬Q ∨ R) ∧ (T ∨ ¬R) ∧ (¬P ∨ ¬T) ∧ (P ∨ S) ∧ (T ∨ R ∨ S) ∧ (¬S ∨ T)

BASIC IDEA - BACKTRACKING BINARY SEARCH

Recursively search for a satisfying model/assignment A such that A |= φ. If no such A exists, φ is unsatisfiable. The search space for φ grows exponentially with the number of variables.

If we assign P=f, we get a simpler set of constraints:
    (P ∨ Q) simplifies to (Q)
    (P ∨ ¬Q ∨ R) simplifies to (¬Q ∨ R)
    (¬P ∨ ¬T) is satisfied and can be removed
    (P ∨ S) simplifies to (S)
Result is (Q) ∧ (¬Q ∨ R) ∧ (T ∨ ¬R) ∧ (S) ∧ (T ∨ R ∨ S) ∧ (¬S ∨ T)
DPLL General Idea

First we need to put φ into conjunctive normal form, e.g.
    φ = D ∧ ( D ∨ A ∨ B) ∧ ( D ∨ A ∨ B) ∧ ( D ∨ A ∨ B) ∧ A
Write φ as a set of clauses (where each clause is a set of literals):
    φ = {(D), ( D, A, B), ( D, A, B), ( D, A, B), (A)}
Two special cases:
    the empty set of clauses {} is true;
    the empty clause () is false (no options to satisfy).
DPLL simply searches the space of truth assignments, assigning one proposition a value at each step of the search tree.

DPLL algorithm

Forms the basis of modern SAT solvers. At each step:
    Unit clause: a clause that has only one literal; unit propagation sets that literal to true and simplifies.
    Pure literal: a literal that only occurs positively or only occurs negatively; it can be set to true.
    Else: apply the splitting rule, i.e. pick a literal, try both truth values, and backtrack on failure.

DPLL example 1

S = (P ∨ Q ∨ ¬R) ∧ (P ∨ ¬Q) ∧ ¬P ∧ R ∧ U

    (P ∨ Q ∨ ¬R) ∧ (P ∨ ¬Q) ∧ ¬P ∧ R ∧ U     One-Literal on 
¬P [Unit propagation]
    (Q ∨ ¬R) ∧ ¬Q ∧ R ∧ U                    One-Literal on ¬Q
    ¬R ∧ R ∧ U                                One-Literal on R
    unsatisfiable

DPLL example 2

S = {¬A, B, C}, {A, ¬B, C}, {A, B, ¬C}, {A, B, C}
Unit propagation is not possible as there are no unit clauses.
The pure literal rule is not applicable as there is no literal that occurs only positively or only negatively.
To apply the splitting rule select some literal, e.g. A.
Set A = 0 and propagate. This will result in
    {1, B, C}, {0, ¬B, C}, {0, B, ¬C}, {0, B, C}
    = {¬B, C}, {B, ¬C}, {B, C}

DPLL example 2 (continued)

{¬B, C}, {B, ¬C}, {B, C}
Unit propagation and the pure literal rule are still not applicable. Apply the splitting rule for the next literal B.
Set B = 0 and propagate:
    {1, C}, {0, ¬C}, {0, C}
    = {¬C}, {C}
This formula consists of two unit clauses, so it is possible to apply unit propagation, which results in {} (the empty clause), so we backtrack.
Set B = 1 and propagate:
    {0, C}, {1, ¬C}, {1, C}
    = {C}
Again, unit propagation is applicable, but now it results in the empty formula, which is trivially satisfiable.
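As an added example (not code from the slides), the DPLL procedure described above in Python: unit propagation, the pure literal rule and the splitting rule with backtracking, run on the slides' Example 1 (unsatisfiable), Example 2 and the search example. The `parse` helper and its `|` / `~` clause syntax are conventions of this example only.

```python
from typing import Dict, FrozenSet, Optional, Tuple

Literal = Tuple[str, bool]            # (variable, polarity): ("P", False) stands for ¬P
Clause = FrozenSet[Literal]           # a clause is a set of literals (a disjunction)
Formula = FrozenSet[Clause]           # a CNF formula is a set of clauses (a conjunction)


def parse(text: str) -> Formula:
    """'P Q ~R | P ~Q | ~P' -> clause set; '|' separates clauses, '~' negates."""
    return frozenset(frozenset((t.lstrip("~"), not t.startswith("~")) for t in part.split())
                     for part in text.split("|"))


def neg(lit: Literal) -> Literal:
    return (lit[0], not lit[1])


def assign(formula: Formula, lit: Literal) -> Optional[Formula]:
    """Assign lit := true and simplify: clauses containing lit are satisfied and dropped,
    ¬lit is removed from the others. Returns None if some clause becomes empty (false)."""
    out = set()
    for clause in formula:
        if lit in clause:
            continue
        reduced = clause - {neg(lit)}
        if not reduced:
            return None                   # empty clause: no option left to satisfy it
        out.add(reduced)
    return frozenset(out)


def dpll(formula: Formula, model: Optional[Dict[str, bool]] = None) -> Optional[Dict[str, bool]]:
    """Return a satisfying assignment, or None if the formula is unsatisfiable."""
    model = dict(model or {})
    # Unit propagation: a unit clause forces the value of its only literal.
    while True:
        unit = next((next(iter(c)) for c in formula if len(c) == 1), None)
        if unit is None:
            break
        model[unit[0]] = unit[1]
        formula = assign(formula, unit)
        if formula is None:
            return None                   # conflict: this branch fails, backtrack
    # Pure literal rule: a literal occurring with one polarity only can be set true.
    literals = {lit for clause in formula for lit in clause}
    for lit in literals:
        if neg(lit) not in literals:
            model[lit[0]] = lit[1]
            formula = assign(formula, lit)  # never None: ¬lit occurs nowhere
    if not formula:
        return model                      # empty set of clauses: trivially satisfiable
    # Splitting rule: pick a variable, try it false then true, backtrack on failure.
    var = min(v for clause in formula for v, _ in clause)
    for value in (False, True):
        branch = assign(formula, (var, value))
        if branch is not None:
            result = dpll(branch, {**model, var: value})
            if result is not None:
                return result
    return None


def satisfies(formula: Formula, model: Dict[str, bool]) -> bool:
    """Check a model: every clause must contain a literal that is true under it."""
    return all(any(model.get(v, False) == pol for v, pol in clause) for clause in formula)


EXAMPLE_1 = parse("P Q ~R | P ~Q | ~P | R | U")                   # slides: unsatisfiable
EXAMPLE_2 = parse("~A B C | A ~B C | A B ~C | A B C")             # slides: satisfiable
SEARCH = parse("P Q | P ~Q R | T ~R | ~P ~T | P S | T R S | ~S T")  # search example

if __name__ == "__main__":
    for name, f in (("example 1", EXAMPLE_1), ("example 2", EXAMPLE_2), ("search", SEARCH)):
        print(name, dpll(f))
```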
CS/IS F214 Logic in Computer Science
BITS Pilani, Pilani Campus
MODULE: RESOLUTION

RESOLUTION (FOR CNF)

A very important inference rule: several other inference rules can be seen as special cases of resolution.

    P ∨ Q
    ¬P ∨ R
    ----------
    Q ∨ R

Soundness of the rule (validity of the rule): [(P ∨ Q) ∧ (¬P ∨ R)] → (Q ∨ R) is valid.

RESOLUTION (FOR CNF)

Resolution for CNF is applied to a special type of wffs: a conjunction of clauses.
Literal: either an atom (e.g., P) or its negation (¬P).
Clause: a disjunction of literals (e.g., (P ∨ Q ∨ ¬R)).
Note: sometimes we use the notation of a set for a clause: e.g. {P, Q, ¬R} corresponds to the clause (P ∨ Q ∨ ¬R); the empty clause (sometimes written as Nil or {}) is equivalent to False.

RESOLUTION: SPECIAL CASES

1. Rule of Inference: Chaining

    P → Q        can be re-written as    ¬P ∨ Q
    Q → R                                ¬Q ∨ R
    ----------                           ----------
    P → R                                ¬P ∨ R

2. Rule of Inference: Modus Ponens

    P            can be re-written as    P
    P → Q                                ¬P ∨ Q
    ----------                           ----------
    Q                                    Q
RESOLUTION DETERMINES UNSATISFIABILITY

If a set of clauses is unsatisfiable, it is possible to derive the empty clause using the Resolution Principle.

    1. {p, q}      Premise
    2. {p, ¬q}     Premise
    3. {¬p, q}     Premise
    4. {¬p, ¬q}    Premise
    5. {p}         1, 2
    6. {¬p}        3, 4
    7. {}          5, 6

RESOLUTION: CAUTION!

No duplications in the resolvent set: only one instance of Q appears in the resolvent, which is a set!

    P ∨ Q ∨ S ∨ R
    ¬P ∨ Q ∨ W
    ----------------
    Q ∨ R ∨ S ∨ W

Resolve on one pair of complementary literals at a time. DO NOT resolve on Q and R at the same time:

    P ∨ Q ∨ ¬R
    P ∨ W ∨ ¬Q ∨ R
    ----------------
    P ∨ W              (wrong)

    Resolving on Q:                       Resolving on R:
    P ∨ Q ∨ ¬R                            P ∨ Q ∨ ¬R
    P ∨ W ∨ ¬Q ∨ R                        P ∨ W ∨ ¬Q ∨ R
    ----------------                      ----------------
    P ∨ ¬R ∨ R ∨ W = True                 P ∨ Q ∨ ¬Q ∨ W = True

RESOLUTION REFUTATION

Unsatisfiability Determination: if a set of clauses is unsatisfiable, it is possible to derive the empty clause using the Resolution Principle.
Unsatisfiability Theorem: a set of sentences logically entails a conclusion if and only if the set together with the negation of the conclusion is unsatisfiable.
Resolution Method: to prove that a set of sentences logically entails a conclusion, write the sentences and the negated conclusion in clausal form and derive the empty clause.

Resolution refutation:
    Convert all sentences to CNF.
    Negate the desired conclusion (converted to CNF).
    Apply the resolution rule until either false (a contradiction) is derived or no new clause can be derived.
Soundness and completeness of the resolution refutation method

Resolution refutation is sound and complete:
    if we derive a contradiction, then the conclusion follows from the axioms (soundness);
    if the conclusion follows from the axioms, then a contradiction can be proved from the axioms (completeness).

Example: Prove R from
    1. P ∨ Q
    2. P → R
    3. Q → R

    Step  Formula   Derivation
    1     P ∨ Q     Given
    2     ¬P ∨ R    Given
    3     ¬Q ∨ R    Given
    4     ¬R        Negated conclusion
    5     Q ∨ R     1, 2
    6     ¬P        2, 4
    7     ¬Q        3, 4
    8     R         5, 7
    9     ■         4, 8

And finally, resolving away R in lines 4 and 8, we get the empty clause, which is false. We often draw this little black box to indicate that we have reached the desired contradiction.
CS/IS F214 Logic in Computer Science
BITS Pilani, Pilani Campus
MODULE: HORN CLAUSE

HORN FORMULA DEFINITION

H = (p → q) ∧ (t ∧ r → T) ∧ (p ∧ r ∧ s → ⊥)

Horn formulas are conjunctions of Horn clauses.
A Horn clause is an implication whose assumption A is a conjunction of propositions of type P and whose conclusion is also of type P (P ::= ⊥ | T | atom).

In other words: 1 or more clauses separated by AND. Each clause must have:
    NO negations
    One implication
    The left hand side of the implication: can be one or more of (⊥ | T | atom) separated by an AND
    The right hand side of the implication: must be one of (⊥ | T | atom)

HORN FORMULA: OTHER DEFINITION

A formula is a Horn formula if it is in CNF and every disjunction contains at most one positive literal. Horn clauses are clauses which contain at most one positive literal.

    H = (p ∨ ~q) ∧ (~c ∨ ~p ∨ q) ∧ (~t ∨ ~r) ∧ d
    H = (q → p) ∧ (c ∧ p → q) ∧ (t ∧ r → ⊥) ∧ (T → d)

HORN FORMULA CONT.

Horn formulas allow us to efficiently compute satisfiability. If a set of formulas is not satisfiable, there is a contradiction / inconsistency in the rules. Useful to build a knowledge base: a Prolog program can also be seen as a relational database containing rules as well as facts.

Grammar for Horn Formulas (FH)

A Horn formula is a conjunction of Horn clauses:
    FH ---> CH
    FH ---> CH FH
where a Horn clause is an implication:
    CH ---> (Ps --> P)
    Ps ---> P
    Ps ---> P Ps

Grammar Horn Formulas

    FH ---> CH
    FH ---> CH FH
    CH ---> (Ps --> P)
    Ps ---> P
    Ps ---> P Ps
    P ---> TRUE
    P ---> FALSE
    P ---> q            for any atomic proposition q

A Horn formula is a conjunction of Horn clauses, where a Horn clause is an implication of the form
    p1 ∧ p2 ∧ ... ∧ pk --> q
where pi (for each i) and q are either atomic propositions or atomic values (i.e. TRUE or FALSE).

Logic Programming - Prolog

Horn clauses form the basis of the programming language Prolog. Of course Prolog uses predicates rather than propositions.
A program in Prolog is a collection of rules where each rule is a Horn clause, e.g.
    grandparent(X,Y) :- parent(X,Z), parent(Z,Y).
is the Horn clause
    parent(X,Z) ∧ parent(Z,Y) --> grandparent(X,Y).
A query is answered (i.e. resolved) in Prolog by finding a proof for the query using the given rules.

Sundar B. CS&IS, BITS Pilani

Prolog Programming and Complexity

The execution overhead in a Prolog program, i.e. finding whether the conjunction of Horn clauses is satisfiable, is polynomial-time. That is the reason Prolog is designed around facts and rules, which are Horn clauses.

When is a Conjunction of Horn Clauses Unsatisfiable?

When is a Horn formula satisfiable? When is a Horn clause satisfiable?
p --> q is satisfiable for any atomic propositions p and q. But a Horn clause may be formed out of atomic values (TRUE and FALSE) as well: TRUE --> FALSE is not satisfiable.
When is a conjunction of Horn clauses not satisfiable? Consider C1 of the form p1 --> q1 and C2 of the form p2 --> q2: what if q1 and p2 are the same, but p1 is TRUE and q2 is FALSE? Can you generalize this?
THE ALGORITHM TO TEST FOR SATISFIABILITY

Function HORN (H)
//precondition: H is a Horn formula
//postcondition: HORN (H) decides the satisfiability for H
{
    mark all occurrences of T in H
    while there is a conjunct p1 ^ p2 ^ ... ^ pn --> P of H
          such that all pj are marked but P is not
        mark P
    end while
    if ⊥ is marked
        return 'unsatisfiable'
    else
        return 'satisfiable'
    end if
}

Example:
    H = (T → q) ^ (T → s) ^ (w → ⊥) ^ (p ^ q ^ s → v) ^ (v → s) ^ (T → r) ^ (r → p)
Mark q, s, r through (T → q), (T → s), (T → r).
Mark p through (r → p).
Mark v through (p ^ q ^ s → v).
Return? ⊥ is never marked (w is never marked, so (w → ⊥) never fires): Satisfiable.
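The marking algorithm HORN above as an added Python example (not the slides' code), run on the slides' formula H and on a constructed variant in which the marking reaches ⊥. The input syntax (`->`, `^`, `,`) and the names `T` and `F` for T and ⊥ are conventions of this example.

```python
from typing import Dict, List, Set, Tuple

HornClause = Tuple[List[str], str]   # (premises p1..pn, conclusion P); "T" is true, "F" is ⊥


def parse_horn(text: str) -> List[HornClause]:
    """'T -> q, p ^ q ^ s -> v, w -> F': clauses separated by ',', premises by '^'."""
    clauses = []
    for part in text.split(","):
        lhs, rhs = part.split("->")
        clauses.append(([p.strip() for p in lhs.split("^")], rhs.strip()))
    return clauses


def horn(clauses: List[HornClause]) -> Tuple[bool, Set[str]]:
    """Marking algorithm: returns (satisfiable?, marked atoms).
    The marked atoms are exactly those the clauses force to be true."""
    marked = {"T"}                                # mark all occurrences of T
    changed = True
    while changed:                                # while some conjunct p1 ^ ... ^ pn -> P
        changed = False                           # has all pj marked but P unmarked:
        for premises, conclusion in clauses:
            if conclusion not in marked and all(p in marked for p in premises):
                marked.add(conclusion)            # mark P
                changed = True
    return "F" not in marked, marked              # satisfiable iff ⊥ was never marked


def holds(clauses: List[HornClause], true_atoms: Set[str]) -> bool:
    """Evaluate the formula under the valuation 'marked atoms true, all others false'."""
    value: Dict[str, bool] = {a: True for a in true_atoms}
    value["T"], value["F"] = True, False
    return all(not all(value.get(p, False) for p in premises) or value.get(q, False)
               for premises, q in clauses)


# The slides' example H, and a constructed variant where v -> ⊥ makes the marking reach ⊥.
H_SLIDES = parse_horn("T -> q, T -> s, w -> F, p ^ q ^ s -> v, v -> s, T -> r, r -> p")
H_UNSAT = parse_horn("T -> q, T -> s, w -> F, p ^ q ^ s -> v, v -> F, T -> r, r -> p")

if __name__ == "__main__":
    sat, marked = horn(H_SLIDES)
    print("satisfiable" if sat else "unsatisfiable", sorted(marked))
```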

CS/IS F214 Logic in Computer Science
BITS Pilani, Pilani Campus
MODULE: A BRIEF LOOK AT PROLOG

Prolog: Programming in Logic

    Resolution refutation
    Control strategy: goal-directed and depth-first (set-of-support)

/* At the Zoo */
elephant(george).
elephant(mary).
panda(chi_chi).
panda(ming_ming).

dangerous(X) :- big_teeth(X).
dangerous(X) :- venomous(X).

guess(X, tiger) :- stripey(X), big_teeth(X), isaCat(X).
guess(X, koala) :- arboreal(X), sleepy(X).
guess(X, zebra) :- stripey(X), isaHorse(X).

REPRESENTING A CLAUSE

Consider this clause: ¬p ∨ q ∨ ¬r ∨ s
It can be written as: (¬p ∨ ¬r) ∨ (q ∨ s) ≡ ¬(p ∧ r) ∨ (q ∨ s) ≡ (q ∨ s) ← (p ∧ r)
In logic programming, it is shown as:
    q; s :- p, r.
Easy way: positive literals on the left, negative literals on the right.

LOGIC PROGRAMMING CLAUSE

A clause in the form
    p1 ; p2 ; ... ; pm :- q1 , q2 , ..., qn .
is equivalent to
    p1 ∨ p2 ∨ ... ∨ pm ∨ ¬q1 ∨ ¬q2 ∨ ... ∨ ¬qn
or
    q1 ∧ q2 ∧ ... ∧ qn → p1 ∨ p2 ∨ ... ∨ pm
i.e. if q1 ∧ q2 ∧ ... ∧ qn is true, then at least one of p1, p2, ..., pm is true.
ANOTHER EXAMPLE

Write the following expression as Logic Programming Clauses:
    p (s r) q (r t)
Conversion to CNF:
    p ( s r) q ( r t)
    = ( p q) ( s r q) ( r t)
which gives the clauses (p ∨ q), (¬s ∨ r ∨ q), (¬r ∨ t).
Symmetry of ∨ allows for set notation of clauses, and symmetry of ∧ allows for set notation of a CNF:
    {p, q}, {q, ¬s, r}, {¬r, t}
As logic programming clauses:
    p; q :- .    q; r :- s.    t :- r.

HORN CLAUSE

A Horn clause is a clause with at most one positive literal:
    Rules               e.g.  p1 :- q1, q2, ..., qn.
    Facts               e.g.  p2.
    Queries (or goals)  e.g.  :- r1, r2, ..., rm.
Horn clauses simplify the implementation of logic programming languages and are therefore used in Prolog.

A PROGRAM

A logic programming program P is defined as a finite set of rules and facts. For example: rule1, fact1, rule2, fact2, ...
Rules and facts (with exactly one positive literal) are called definite clauses, and therefore a program defined by them is called a definite program.

RESOLUTION IN LOGIC PROGRAMMING

Program P (facts and rules in clause form).
Goal G is negated and added to program P.
To prove G, we need to show that P ∪ {¬G} is inconsistent.

    Parent clauses:   q, t :- p.      p :- s.       (complementary literals: p occurs on different sides of :-)
    Resolving upon p gives the
    Resolvent:        q, t :- s.
EXAMPLE (1)

Program: facts and rules in clause form.
Query: the negated goal, :- p. This is already the negated form of our goal!
Resolution yields the empty clause: inconsistency, therefore p is satisfiable (answer: true).

EXAMPLE (2)

A1. If Henry has two days off, then if the weather is bad, Henry is not fishing.
A2. If Henry is not fishing and is not drinking in a pub with his friends, then he is watching TV at home.
A3. If Henry is working, then he is neither drinking in a pub with his friends nor watching TV at home.
Q. If Henry is not watching TV at home and he has two days off, then he is drinking in a pub with his friends provided that the weather is bad.

(04_Resolution, York University CSE 3401, V. Movahedi)
EXAMPLE (2) (CONT.)

From a logical point of view, we want to prove Q given A1, A2, A3: {A1, A2, A3} |= Q.
By the refutation principle, the consistency of C = {A1, A2, A3} ∪ {¬Q} is examined.
    Step 1: Represent as propositional formulas
    Step 2: Represent as clauses
    Step 3: Determine the consistency of C
If C is consistent, answer NO (false). If C is inconsistent, answer YES (true).

Propositions:
    p: H has two days off
    q: weather is bad
    r: H is fishing
    s: H is drinking in a pub with his friends
    t: H is watching TV at home
    u: H is working

    A1. p → (q → ~r)
    A2. (~r & ~s) → t
    A3. u → (~s & ~t)
    Q.  (~t & p) → (q → s)
EXAMPLE (2) (CONT.)

Conversion to clause form:
    A1: p → (q → ¬r)  ≡  ¬p ∨ ¬q ∨ ¬r                    C1: :- p, q, r.
    A2: (¬r ∧ ¬s) → t  ≡  r ∨ s ∨ t                      C2: r, s, t :- .
    A3: u → (¬s ∧ ¬t)  ≡  (¬u ∨ ¬s) ∧ (¬u ∨ ¬t)           C3: :- u, s.   C4: :- u, t.
    ¬Q: ¬((¬t ∧ p) → (q → s))  ≡  ¬t ∧ p ∧ q ∧ ¬s         C5: :- t.   C6: p :- .   C7: q :- .   C8: :- s.

Determining the consistency of {C1, C2, ..., C8}:
    C1 and C6 resolve (on p) to        :- q, r.
    :- q, r. and C7 resolve (on q) to  :- r.
    C2 and C5 resolve (on t) to        r, s :- .
    r, s :- . and C8 resolve (on s) to r :- .
    :- r. and r :- . resolve (on r) to :- .       (the empty clause)
EXAMPLE (2) (CONT.)

C = {C1, C2, ..., C8} is inconsistent (by resolution/refutation). Therefore Q is provable (deducible). Answer: YES (true).
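Resolution refutation as an added Python example (not the slides' code), serving both the resolution example that proves R and the Henry example above: clauses are resolved on one complementary pair at a time, a resolvent that is a tautology (such as P ∨ ¬R ∨ R ∨ W from the caution slide) is discarded, and the search stops when the empty clause is derived. The `|` / `~` clause syntax is a convention of this example.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

Literal = Tuple[str, bool]                        # ("P", False) stands for ¬P
Clause = FrozenSet[Literal]
Step = Tuple[Clause, Optional[Tuple[int, int]]]   # (clause, parents as 1-based step numbers)


def parse(text: str) -> List[Clause]:
    """'P Q | ~P R | ~R': '|' separates clauses, '~' negates a literal."""
    return [frozenset((t.lstrip("~"), not t.startswith("~")) for t in part.split())
            for part in text.split("|")]


def neg(lit: Literal) -> Literal:
    return (lit[0], not lit[1])


def resolve(c1: Clause, c2: Clause) -> List[Clause]:
    """All resolvents of c1 and c2, resolving on ONE complementary pair at a time.
    A resolvent that still contains a complementary pair is True and is dropped."""
    out = []
    for lit in c1:
        if neg(lit) in c2:
            r = (c1 - {lit}) | (c2 - {neg(lit)})      # set union: no duplicate literals
            if not any(neg(x) in r for x in r):
                out.append(r)
    return out


def refute(clauses: List[Clause]) -> Tuple[bool, List[Step]]:
    """Saturate the clause set (premises plus negated conclusion) under resolution.
    Returns (True, steps) as soon as the empty clause is derived, else (False, steps)."""
    steps: List[Step] = [(c, None) for c in clauses]
    seen: Dict[Clause, int] = {c: i for i, (c, _) in enumerate(steps)}
    i = 1
    while i < len(steps):              # each clause is resolved against every earlier one,
        for j in range(i):             # so every pair is eventually tried (completeness)
            for r in resolve(steps[i][0], steps[j][0]):
                if r not in seen:
                    seen[r] = len(steps)
                    steps.append((r, (j + 1, i + 1)))
                    if not r:          # empty clause: contradiction found
                        return True, steps
        i += 1
    return False, steps                # saturated without a contradiction: not entailed


def show(clause: Clause) -> str:
    return " v ".join(("" if pol else "~") + v for v, pol in sorted(clause)) or "{}"


def derivation(steps: List[Step]) -> List[str]:
    """Render like the slides' table: step number, formula, parent steps."""
    return [f"{n} {show(c)} " + ("Given" if p is None else f"{p[0]},{p[1]}")
            for n, (c, p) in enumerate(steps, 1)]


# Slides' example: prove R from P v Q, P -> R, Q -> R (clause 4 is the negated conclusion).
PROVE_R = parse("P Q | ~P R | ~Q R | ~R")
# Henry example, clauses C1..C8 (A1..A3 in clause form plus the negation of Q).
HENRY = parse("~p ~q ~r | r s t | ~u ~s | ~u ~t | ~t | p | q | ~s")

if __name__ == "__main__":
    ok, steps = refute(PROVE_R)
    print("\n".join(derivation(steps)), "\nempty clause derived:", ok)
```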
This is how Prolog answers queries: if the empty clause is deduced, Prolog answers YES (or TRUE).

Logic in Computer Science, CS/IS F214
Rajesh Kumar
Lecture 19-20: Model checking
BITS Pilani, Pilani Campus
Therac-25 Radiation Overdosing (1985-87)

Radiation machine for the treatment of cancer patients. At least 6 cases of overdosage in the period 1985-87 (a multiple of the intended dose); three cancer patients died. Source: design error in the control software (race condition). The software was written in assembly language.

Ariane 5 Crash (1996)

Crash of the European Ariane 5 missile in June 1996. Costs: more than 500 million US$. Source: software flaw in the control software: a data conversion from a 64-bit floating point to a 16-bit signed integer. Efficiency considerations had led to the disabling of the software handler (in Ada).

FDIV Bug (1994)

FDIV = floating point division unit. Certain floating point division operations performed produced incorrect results. Costs: flawed processors were replaced, plus an enormous image loss for Intel Corp. Source: flawed realization of floating-point division.

The Importance of Software Correctness

Rapidly increasing integration of ICT in different applications: embedded systems, communication protocols, transportation systems. Reliability increasingly depends on software!
Defects can be fatal and extremely costly: products subject to mass-production, safety-critical systems.
What is System Verification?

System verification amounts to checking whether a system fulfils the qualitative requirements that have been identified.
Verification is not equal to validation.

Some figures: 30% to 50% of software project costs are devoted to testing; more time and effort is spent on validation than on construction; accepted defect density: about 1 defect per 1,000 lines of code.

Software Verification Techniques

Peer reviewing: static technique: manual code inspection, no software execution; detects between 31 and 93% of defects with a median of about 60%; subtle errors (concurrency and algorithm defects) are hard to catch.
Testing: dynamic technique in which the software is executed.

Formal Methods

Intuitive description: formal methods offer a large potential for obtaining an early integration of verification in the design process, providing more effective verification techniques (higher coverage) and reducing the verification time.
Usage of formal methods: highly recommended by IEC, FAA, and NASA for safety-critical software.

Formal Verification Techniques for Property P

Deductive methods: method: provide a formal proof that P holds; tool: theorem prover / proof assistant or proof checker; applicable if: the system has the form of a mathematical theory.
Model checking: method: systematic check on P in all states; tool: model checker (Spin, NuSMV, UppAal, ...); applicable if: the system generates a (finite) behavioural model.
Model-based simulation or testing: method: test for P by exploring possible behaviours; applicable if: the system defines an executable model.

Simulation and Testing

Basic procedure: take a model (simulation) or a realisation (testing) and stimulate it with certain inputs, i.e., the tests.
Important drawbacks: the number of possible behaviours is very large (or even infinite); unexplored behaviours may contain the fatal bug.
About testing: testing/simulation can show the presence of errors, not their absence.

Model checking

What is model checking? For later classes:
    1. What is a model?
    2. What are the properties?

Linear-time properties

Rajesh Kumar
Slide credits: B. Srivathsan

AP = {p1, p2, ..., pk}
PowerSet(AP) = { ∅, {p1}, ..., {pk}, {p1, p2}, {p1, p3}, ..., {p(k-1), pk}, ..., {p1, p2, ..., pk} }

Trace(Execution) is an infinite word over PowerSet(AP).

[Figure: transition system with four states, each labelled with the atomic propositions that hold there: (request=1, ready) labelled {p1}; (request=1, busy) labelled {p1, p2}; (request=0, ready) labelled ∅; (request=0, busy) labelled {p2}.]

Traces(TS) = { Trace(σ) | σ is an execution of the TS }

Traces of the above TS (examples):
    {p2} {p2} {p2} {p2} {p2} {p2} ...
    {p1} {p1, p2} {p2} {p1, p2} {p2} {p1, p2} ...
    {p1, p2} {p1, p2} {p1, p2} {p1, p2} {p1, p2} ...
    ...

Traces of a TS describe its behaviour with respect to the atomic propositions.

Behaviour of TS: atomic propositions; set of its traces.
Coming next: What is a property?
AP-INF = set of infinite words over PowerSet(AP)

Property 1: p1 is always true
    A0 A1 A2 ... ∈ AP-INF such that each Ai contains p1, e.g.
    {p1} {p1} {p1} {p1} {p1} {p1} {p1} ...
    {p1} {p1, p2} {p1} {p1, p2} {p1} {p1, p2} ...
    ...

Property 2: p1 is true at least once and p2 is always true
    A0 A1 A2 ... ∈ AP-INF such that there exists Ai containing p1 and every Aj contains p2, e.g.
    {p2} {p1, p2} {p2} {p2} {p2} {p1, p2} {p2} ...
    {p1, p2} {p2} {p2} {p2} {p2} {p2} ...
    ...

A property over AP is a subset of AP-INF.

Behaviour of TS: atomic propositions; set of its traces.
Property over AP: subset of AP-INF.
When does a transition system satisfy a property?
AP = {p1, p2}

[Figure: the transition system above, with the property G p1 drawn beside it.]

Transition system TS satisfies property P if Traces(TS) ⊆ P.

A property over AP is a subset of AP-INF, hence also called a linear-time property.

Behaviour of TS: atomic propositions; set of its traces.
Property over AP: subset of AP-INF.
When does a system satisfy a property? When Traces(TS) ⊆ P.

Different LT properties: Invariants
Atomic propositions AP = {p1, p2}
    p1: request=1
    p2: status=busy

[Figure: the transition system with states (request=1, ready) labelled {p1}, (request=1, busy) labelled {p1, p2}, (request=0, ready) labelled ∅, (request=0, busy) labelled {p2}.]

AP-INF = set of infinite words over PowerSet(AP)

Property 1: p1 is always true
    A0 A1 A2 ... ∈ AP-INF such that each Ai contains p1, e.g.
    {p1} {p1} {p1} {p1} {p1} {p1} {p1} ...
    {p1} {p1, p2} {p1} {p1, p2} {p1} {p1, p2} ...
    ...
Property 1 is written as G p1.
The above TS does not satisfy G p1.

Property 2: p1 → p2 is always true
    A0 A1 A2 ... ∈ AP-INF such that each Ai satisfies p1 → p2
Property 2 is written as G (p1 → p2).
The above TS does not satisfy G (p1 → p2).
Invariants

AP-INF = set of infinite words over PowerSet(AP)
Property: Φ is always true (where Φ is a boolean expression over AP)
    A0 A1 A2 ... ∈ AP-INF such that each Ai satisfies Φ
A property of the above form is called an invariant property. It is written as G Φ.
Algorithm

Input: a TS and a property G Φ
Output: does TS satisfy the invariant G Φ?

Example: mutual exclusion. Atomic propositions AP = {p1, p2, p3, p4}
    p1: pr1.location=crit    p2: pr1.location=wait
    p3: pr2.location=crit    p4: pr2.location=wait

[Figure: two processes pr1 and pr2, each cycling non-crit → wait → crit → exiting → non-crit; entering crit is guarded by the semaphore, y>0: y:=y-1, and leaving exiting performs y:=y+1.]

The above TS satisfies the invariant property G ¬(p1 ∧ p3).
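The invariant-checking algorithm above as an added Python example (not the slides' code): the two-process mutual exclusion program with semaphore y is modelled as an explicit transition system, all reachable states are explored breadth-first, and the first state violating Φ is reported together with the execution prefix that reaches it (a bad prefix of G Φ). The state encoding and the `guarded` switch that removes the semaphore check are this example's own assumptions.

```python
from collections import deque
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

State = Tuple[str, str, int]   # (location of pr1, location of pr2, semaphore y)
Labels = FrozenSet[str]


def move(loc: str, y: int, guarded: bool) -> List[Tuple[str, int]]:
    """Possible steps of one process from location loc when the semaphore is y."""
    if loc == "noncrit":
        return [("wait", y)]
    if loc == "wait":                       # entering crit needs y > 0 and does y := y-1
        return [] if guarded and y <= 0 else [("crit", y - 1)]
    if loc == "crit":
        return [("exiting", y)]
    return [("noncrit", y + 1)]             # leaving exiting does y := y+1


def successors(s: State, guarded: bool = True) -> List[State]:
    """Interleaving semantics: either process may take its step."""
    l1, l2, y = s
    return ([(n, l2, y2) for n, y2 in move(l1, y, guarded)] +
            [(l1, n, y2) for n, y2 in move(l2, y, guarded)])


def labels(s: State) -> Labels:
    """Atomic propositions as on the slide: p1/p3 = in crit, p2/p4 = in wait."""
    l1, l2, _ = s
    aps = set()
    if l1 == "crit":
        aps.add("p1")
    if l1 == "wait":
        aps.add("p2")
    if l2 == "crit":
        aps.add("p3")
    if l2 == "wait":
        aps.add("p4")
    return frozenset(aps)


def check_invariant(initial: State,
                    succ: Callable[[State], List[State]],
                    phi: Callable[[Labels], bool]) -> Optional[List[State]]:
    """Does TS satisfy G phi?  Breadth-first search over the reachable states.
    Returns None if every reachable state satisfies phi, otherwise the shortest
    execution prefix initial, ..., s whose last state violates phi (a bad prefix)."""
    parent: Dict[State, Optional[State]] = {initial: None}
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        if not phi(labels(s)):
            path, cur = [], s
            while cur is not None:          # walk the parent links back to the initial state
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for t in succ(s):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None


INITIAL: State = ("noncrit", "noncrit", 1)   # both processes idle, semaphore free


def mutex(aps: Labels) -> bool:              # Φ = ¬(p1 ∧ p3): never both in crit
    return not ("p1" in aps and "p3" in aps)


def no_double_wait(aps: Labels) -> bool:     # Φ = ¬(p2 ∧ p4): constructed, expected to fail
    return not ("p2" in aps and "p4" in aps)


if __name__ == "__main__":
    print("G not(p1 and p3), with semaphore:", check_invariant(INITIAL, successors, mutex))
    print("G not(p1 and p3), guard removed :",
          check_invariant(INITIAL, lambda s: successors(s, False), mutex))
    print("G not(p2 and p4):", check_invariant(INITIAL, successors, no_double_wait))
```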
Safety properties

Atomic propositions AP = {p1, p2}
    p1: request=1
    p2: status=busy
AP-INF = set of infinite words over PowerSet(AP)

Property: Always: if p1 is true, then in the next step p2 is true
    A0 A1 A2 ... ∈ AP-INF such that if Ai contains p1, then Ai+1 contains p2, e.g.
    {p1} {p2} {p1} {p1, p2} {p2} {p1} {p1, p2} ...
    {p2} {p2} {p2} {p2} {p2} {p2} ...
    ...
The property is written as G (p1 → X p2).
The above TS satisfies this property.

X operator

G (p1 → X X p2): Always: if p1 is true, then in the next-to-next step p2 is true.
F (p1 ∧ X ¬p1): Somewhere: p1 is true and in the next step it becomes false.
Example: two processes

    Process 1:                 Process 2:
    l1: while a <= 20 {        m1: while b <= 30 {
    l2:   a := a+1;            m2:   b := b+1;
          b := b+2                   a := a+2
        }                          }

[Figure: program graphs of the two processes with locations l1, l2 and m1, m2, whose edges carry the guards a <= 20 / b <= 30 and the assignments.]

Check: whenever a >= 10, in the next-to-next step b >= 12.

Atomic propositions AP = {p1, p2}
    p1: a >= 10
    p2: b >= 12
Check: G (p1 → X X p2)

Coming next: idea of safety properties
Property 1: if p1 is true, then p2 should be true in the next step
    [Figure: a word with p1 at some position and p2 at the next position.]
Property 2: if p1 is true, then p2 should be true in the next-to-next step
    [Figure: a word with p1 at some position and p2 two positions later.]

Safety properties

AP-INF = set of infinite words over PowerSet(AP)
P: a property over AP
The property contains all words where something bad is absent.
For Property 1 and Property 2, a finite prefix in which p1 holds but p2 fails at the required later position is a bad prefix: no word starting with it belongs to P.
P is a safety property if there exists a set Bad-Prefixes such that P is the set of all words that do not start with a Bad-Prefix.

Invariants are special cases of safety properties: avoiding bad prefixes.
    Property: Always p1 is true. Bad prefix: a finite word with a position where p1 does not hold.
    X operator properties such as Property 1 and Property 2 above are safety properties as well.
Safety: Something bad never happens.
    G p: Always p
Liveness: Something good happens infinitely often.
    F p: Sometime p
    G F p: Infinitely often p

Summary

The behaviour of a TS is described as the set of its traces.
A property is a set of infinite words over PowerSet(AP) (a linear-time property).
A TS satisfies a property if its traces are contained in the property.
Important concepts: atomic propositions, X operator, invariants, safety, liveness.
Safety Properties
  Bad events never happen
    deadlock: two processes waiting for input from each other; the system is unable to perform a transition.
    no reachable state satisfies a condition, e.g. never two processes in the critical section at the same time.
  Can be refuted by a finite behaviour
    Ex.: it is never the case that p.

Liveness Properties
  Something desirable will eventually happen
    sooner or later this will happen
  Can be refuted by an infinite behaviour
    an infinite behaviour can typically be presented as a loop (e.g. a loop on which p never holds).

Fairness Properties
  Something desirable will happen infinitely often
    an important subcase of liveness
    whenever a subroutine takes control, it will always return it (sooner or later)
  Can be refuted by an infinite behaviour
    a subroutine takes control and never returns it
    an infinite behaviour can typically be presented as a loop

Computation tree vs. computation paths

Consider the following Kripke structure:
  [Figure: two states, labelled !done and done.]

Its execution can be seen as an infinite set of computation paths, or as an infinite computation tree:
  !done !done !done !done ...
  !done !done !done done ...
  !done !done done done ...
  !done done done done ...
  .....

Temporal Logics

Express properties of Reactive Systems:
  nonterminating behaviours,
  without explicit reference to time.

Linear Temporal Logic (LTL)
  interpreted over each path of the Kripke structure
  linear model of time
  temporal operators
  "Medieval": since birth, one's destiny is set.

Computation Tree Logic (CTL)
  interpreted over the computation tree of the Kripke model
  branching model of time
  temporal operators plus path quantifiers
  "Humanistic": one makes his/her own destiny step by step.

Linear Temporal Logic (LTL): Syntax
  An atomic proposition is an LTL formula;
  if φ1 and φ2 are LTL formulae, then ¬φ1 and the binary Boolean combinations of φ1 and φ2 are LTL formulae;
  if φ1 and φ2 are LTL formulae, then Xφ1, Gφ1, Fφ1, φ1Uφ2 are LTL formulae, where X, G, F, U are the temporal operators respectively.
  Another operator R (the dual of U) is used sometimes.

LTL semantics: intuitions
  LTL is given by the standard Boolean logic enhanced with the following temporal operators, which operate through paths s0, s1, ..., sk, ...:
  Next X:                    Xφ is true in st iff φ is true in st+1
  Finally (or eventually) F: Fφ is true in st iff φ is true in some st' with t' >= t
  Globally (or always) G:    Gφ is true in st iff φ is true in all st' with t' >= t
  Until U:                   φUψ is true in st iff, for some state st' s.t. t' >= t:
                               ψ is true in st' and
                               φ is true in all states st'' s.t. t <= t'' < t'
  Releases R:                φRψ is true in st iff, for all states st' s.t. t' >= t:
                               ψ is true in st' or
                               φ is true in some state st'' with t <= t'' < t'
                             "ψ can become false only if φ becomes true first"

LTL semantics: intuitions
  [Figure: timelines illustrating finally P (FP), globally P (GP), next P (XP) and P until q (PUq).]

LTL: Some Noteworthy Examples
  Safety: it never happens that a train is arriving and the bar is up
    G(¬(train_arriving ∧ bar_up))
  Liveness: whenever input, then eventually output
    G(input → Foutput)
  Releases: the device is not working until you first repair it
    (repair_device R ¬working_device)
  Fairness: infinitely often send
    GFsend
  Strong fairness: infinitely often send implies infinitely often recv
    GFsend → GFrecv
LTL Formal Semantics

LTL properties are evaluated over paths, i.e., over infinite, linear sequences of states:
  π = s0 s1 ··· st st+1 ···

  π, si |= a       iff a ∈ L(si)
  π, si |= ¬φ      iff not π, si |= φ
  π, si |= φ ∧ ψ   iff π, si |= φ and π, si |= ψ
  π, si |= Xφ      iff π, si+1 |= φ
  π, si |= Fφ      iff for some j >= i: π, sj |= φ
  π, si |= Gφ      iff for all j >= i: π, sj |= φ
  π, si |= φUψ     iff for some j >= i: (π, sj |= ψ and for all k s.t. i <= k < j: π, sk |= φ)
  π, si |= φRψ     iff for all j >= i: (π, sj |= ψ or for some k s.t. i <= k < j: π, sk |= φ)

LTL Formal Semantics (cont.)

Given an infinite sequence π = s0, s1, s2, ...
  π, si |= φ if φ is true in state si of π.
  π |= φ if φ is true in the initial state s0 of π.

The LTL model checking problem M |= φ:
  check if π |= φ for every path π of the Kripke structure M (e.g., φ = Fdone).
  [Figure: the computation tree of the !done/done Kripke structure, with paths such as !done !done !done done ... and !done done done done ...]
Syntactic properties of LTL operators

  φ1 ∨ φ2   ≡  ¬(¬φ1 ∧ ¬φ2)
  ...
  Fφ1       ≡  TUφ1            (T = true)
  Gφ1       ≡  ⊥Rφ1            (⊥ = false)
  Fφ1       ≡  ¬G¬φ1
  Gφ1       ≡  ¬F¬φ1
  ¬Xφ1      ≡  X¬φ1
  φ1Rφ2     ≡  ¬(¬φ1U¬φ2)
  φ1Uφ2     ≡  ¬(¬φ1R¬φ2)

Note
  LTL can be defined in terms of ∧, ¬, X, U only.

Exercise
  Prove that φ1Rφ2 ≡ Gφ2 ∨ φ2U(φ1 ∧ φ2)

Example 1: mutual exclusion (safety)

N = noncritical, T = trying, C = critical
[Figure (used in Examples 1-6): the Kripke structure of User 1 and User 2 competing for a critical section. Each state is labelled with the two users' states and the value of turn: (N1, N2; turn=0), (T1, N2; turn=1), (N1, T2; turn=2), (C1, N2; turn=1), (T1, T2; turn=1), (T1, T2; turn=2), (N1, C2; turn=2), (C1, T2; turn=1), (T1, C2; turn=2).]

M |= G¬(C1 ∧ C2) ?
YES: there is no reachable state in which (C1 ∧ C2) holds!

Example 2: liveness

M |= FC1 ?
NO: there is an infinite cyclic solution in which C1 never holds!

Example 3: liveness

M |= G(T1 → FC1) ?
YES: every path starting from each state where T1 holds passes through a state where C1 holds.

Example 4: fairness

M |= GFC1 ?
NO: e.g., in the initial state, there is an infinite cyclic solution in which C1 never holds!

Example 5: strong fairness

M |= GFT1 → GFC1 ?
YES: every path which visits T1 infinitely often also visits C1 infinitely often (see the liveness property of Example 3).

Example 6: blocking

M |= G(N1 → FT1) ?
NO: e.g., in the initial state, there is an infinite cyclic solution in which N1 holds and T1 never holds!

Computation Tree Logic

Rajesh Kumar
Slide credits: B. Srivathsan

Transition System
  [Figure: four states; s0 is labelled p1, s1 is labelled p2, s2 is labelled p2, s3 is labelled p1, p3.]

Paths
  s0 s1 s3 s3 s3 s3 ...
  s0 s1 s2 s3 s2 s3 ...

Traces
  {p1} {p2} {p1, p3} {p1, p3} {p1, p3} {p1, p3} ...
  {p1} {p2} {p2} {p1, p3} {p2} {p1, p3} {p2} {p1, p3} ...

A tree view of the transition system ... obtained by repeatedly unfolding it

Computation tree
  [Figure: the unfolding of the transition system above, with s0 at the root, s1 below it, then s3 and s2, and so on, each branch continuing forever.]

LTL talks about properties of paths

Coming next: properties of trees
Properties of trees

Type 1: Exists a path satisfying formula φ
  E operator: Eφ
  Exists a path satisfying F(red):       E F(red)
  Exists a path satisfying G(red):       E G(red)
  Exists a path satisfying blue U red:   E(blue U red)

Type 2: All paths satisfy formula φ
  A operator: Aφ
  All paths satisfy F(red):   A F(red)
  All paths satisfy G(red):   A G(red)

Exists a path satisfying path property φ : Eφ
All paths satisfy path property φ : Aφ

Coming next: mixing A and E

Recall...
  Exists a path satisfying F(red) : E F(red)
  All paths satisfy G(red) : A G(red)

E F A G (red)

A F A G (red)
Path formulae
  ψ := X φ1 | φ1 U φ2 | F φ1 | G φ1

State formulae
  φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E ψ | A ψ
  pi ∈ AP;  φ1, φ2: state formulae;  ψ: path formula

MODULE: TEMPORAL LOGICS
Linear Temporal Logic - Remaining Temporal Operators (W, read "weak until", and R, read "release"), Adequate Sets, LTL Model Checking
Sundar B., CS&IS, BITS Pilani

Formulas and Interpretation

Let M = (S, ->, L) be a model (-> is the transition relation) and π = s1 s2 ... be a path in M.
Then define the satisfaction relation |= as follows:
  π |= φ U ψ  iff there is some i such that π^i |= ψ and for all j = 1, ..., i-1, π^j |= φ

Semantics of binary temporal operators:
  π |= φ W ψ  iff there is some i such that π^i |= ψ and for all j = 1, ..., i-1, π^j |= φ;
              or for all k >= 1, π^k |= φ
    [No guarantee on ψ: it might or might not happen.]
    Example: execute_program W stackoverflow: the program execution is continued unless there is a stack overflow.

  π |= φ R ψ  iff for some i >= 1, π^i |= φ and for all j = 1, ..., i, π^j |= ψ;
              or for all k >= 1, π^k |= ψ
    [ψ stays true until released by φ, or true forever.]
    Example: arrived_at_terminal R driver_on_duty: upon arrival of the train at the terminal the driver on duty is released.

Adequate / Complete Set of Operators

Q: Do we need all three binary operators?
  Weak-until can be expressed using until:
    φ W ψ  ≡  (φ U ψ) ∨ (Gφ)
  and vice-versa:
    φ U ψ  ≡  (φ W ψ) ∧ (Fψ)
  Release is the dual of until:
    φ U ψ  ≡  ¬(¬φ R ¬ψ)

Q: Do we need all three unary operators?
  G and F are duals (of each other):
    (Gφ)  ≡  ¬(F¬φ)
  Can X be expressed using the other operators?
    No. How do you argue (or prove) this?
  X is a dual of itself:
    ¬(Xφ)  ≡  (X¬φ)

Q: Do we need any unary operators?
  X cannot be expressed in terms of other operators.
  What about F?
    Fφ  ≡  True U φ
  Use this to derive G in terms of the binary operators!

Thus each of the following sets would be adequate:
  { X, U }
  { X, R }
  { X, W }

MODULE: TEMPORAL LOGICS
Linear Temporal Logic - Temporal Operators: Properties

Distributive Properties

  F(φ ∨ ψ)  ≡  (Fφ) ∨ (Fψ)
    Prove this. (≡ denotes semantic equivalence.)

  F(φ ∧ ψ) is not equivalent to (Fφ) ∧ (Fψ).
    Prove this:
      F(φ ∧ ψ) --> (Fφ) ∧ (Fψ) is always TRUE, but
      (Fφ) ∧ (Fψ) --> F(φ ∧ ψ) is not always TRUE. Provide a counter-example.
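The following is an added example, not part of the slides: a small Python evaluator for LTL over lasso-shaped paths (a finite prefix followed by a loop repeated forever), implementing the suffix semantics of X, F, G, U, R and W given earlier, and using it to check the identities from the "Syntactic properties" and "Adequate set" slides, the R exercise, and the distributivity claims on this slide, including a constructed path that is a counter-example for F over conjunction. The tuple encoding of formulas, the Lasso class and the sample paths are my own constructions; the equivalence check is a finite sanity check on those paths, not a proof.

```python
# Added example (not from the slides): an evaluator for LTL over lasso-shaped paths
# u v^omega, following the suffix semantics stated on the slides, used to check the
# listed equivalences and the distributivity claims on constructed sample paths.
# Formulas are nested tuples: ('true',), ('ap', 'p'), ('not', f), ('and', f, g),
# ('or', f, g), ('X', f), ('F', f), ('G', f), ('U', f, g), ('W', f, g), ('R', f, g).
from typing import FrozenSet, List, Tuple

Formula = tuple
State = FrozenSet[str]   # atomic propositions true at one position of the path

class Lasso:
    """Infinite word u v^omega given by a finite prefix u and a non-empty loop v."""
    def __init__(self, prefix: List[State], loop: List[State]) -> None:
        assert loop, "the loop must be non-empty"
        self.prefix, self.loop = prefix, loop

    def norm(self, i: int) -> int:
        """Smallest position with the same future as position i."""
        n = len(self.prefix)
        return i if i < n + len(self.loop) else n + (i - n) % len(self.loop)

    def label(self, i: int) -> State:
        i = self.norm(i)
        return self.prefix[i] if i < len(self.prefix) else self.loop[i - len(self.prefix)]

    def future(self, i: int) -> List[int]:
        """Positions i, i+1, ... up to the first repetition of a future. Every suffix
        from i coincides with one of these, so this finite list stands for all j >= i."""
        out, seen, j = [], set(), i
        while self.norm(j) not in seen:
            seen.add(self.norm(j))
            out.append(j)
            j += 1
        return out

    def sat(self, i: int, f: Formula) -> bool:
        """pi, s_i |= f, following the formal semantics on the slides."""
        op = f[0]
        if op == 'true':
            return True
        if op == 'ap':
            return f[1] in self.label(i)
        if op == 'not':
            return not self.sat(i, f[1])
        if op == 'and':
            return self.sat(i, f[1]) and self.sat(i, f[2])
        if op == 'or':
            return self.sat(i, f[1]) or self.sat(i, f[2])
        if op == 'X':
            return self.sat(i + 1, f[1])
        fut = self.future(i)
        if op == 'F':
            return any(self.sat(j, f[1]) for j in fut)
        if op == 'G':
            return all(self.sat(j, f[1]) for j in fut)
        if op == 'U':   # some j >= i: psi at j and phi at every k in [i, j)
            return any(self.sat(j, f[2]) and all(self.sat(k, f[1]) for k in range(i, j))
                       for j in fut)
        if op == 'W':   # weak until: as U, or phi holds at every position from i on
            return self.sat(i, ('U', f[1], f[2])) or self.sat(i, ('G', f[1]))
        if op == 'R':   # all j >= i: psi at j, or phi at some k in [i, j)
            return all(self.sat(j, f[2]) or any(self.sat(k, f[1]) for k in range(i, j))
                       for j in fut)
        raise ValueError(f"unknown operator {op!r}")

def S(*props: str) -> State:
    return frozenset(props)

# Constructed sample paths over AP = {p, q} (prefix, then the loop repeated forever).
SAMPLE_PATHS = [
    Lasso([S('p')], [S('q'), S()]),          # p q {} q {} ...
    Lasso([S(), S('p', 'q')], [S('p')]),     # {} {p,q} p p p ...
    Lasso([], [S('p'), S('q')]),             # p q p q ...  (p and q never together: the counter-example)
    Lasso([S('p', 'q')], [S()]),             # {p,q} {} {} ...
]
P, Q = ('ap', 'p'), ('ap', 'q')

def equivalent(f: Formula, g: Formula, paths: List[Lasso] = SAMPLE_PATHS) -> bool:
    """f and g agree at every position of every sample path (a finite check, not a proof)."""
    return all(w.sat(i, f) == w.sat(i, g)
               for w in paths for i in range(len(w.prefix) + len(w.loop)))

def check_equivalences() -> bool:
    """Identities from the 'Syntactic properties' and 'Adequate set' slides."""
    return all([
        equivalent(('F', P), ('U', ('true',), P)),                         # F p == T U p
        equivalent(('G', P), ('not', ('F', ('not', P)))),                  # G p == not F not p
        equivalent(('not', ('X', P)), ('X', ('not', P))),                  # X is self-dual
        equivalent(('R', P, Q), ('not', ('U', ('not', P), ('not', Q)))),   # R is the dual of U
        equivalent(('U', P, Q), ('and', ('W', P, Q), ('F', Q))),           # U via W and F
        equivalent(('R', P, Q), ('or', ('G', Q), ('U', Q, ('and', P, Q)))),  # the exercise
        equivalent(('G', ('and', P, Q)), ('and', ('G', P), ('G', Q))),     # G distributes over and
    ])

def check_f_distributivity() -> Tuple[bool, bool]:
    """(F distributes over or, F distributes over and) on the sample paths."""
    return (equivalent(('F', ('or', P, Q)), ('or', ('F', P), ('F', Q))),
            equivalent(('F', ('and', P, Q)), ('and', ('F', P), ('F', Q))))
```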
Distributive Properties

Since
  Gφ  ≡  ¬(F¬φ)
we can derive this:
  G(φ ∧ ψ)  ≡  ¬F(¬(φ ∧ ψ))
            ≡  ¬F(¬φ ∨ ¬ψ)
            ≡  ¬((F¬φ) ∨ (F¬ψ))
            ≡  (¬F¬φ) ∧ (¬F¬ψ)
            ≡  (Gφ) ∧ (Gψ)

MODULE: TEMPORAL LOGICS
LTL Semantics and Model Checking

LTL Model Checking: Input Simplification

Before we look at the model checking algorithm, we simplify the syntax of the input formulas by using an adequate set of operators:
  [Propositional:] ¬ and ∧
  [Temporal:] X, G, and U.
Propositional operators such as ∨ and --> can be eliminated: ¬ and ∧ form an adequate set.
What about the other temporal operators, e.g. F? They can be rewritten using U.

LTL - Automating Evaluation of Formulas

Should the evaluation algorithm generate one path at a time and evaluate the formula in that path? i.e.
  repeat
    generate a path π and evaluate φ in π
  until (there are no more paths)
Issue: each path is infinite and evaluating φ in one path may not terminate!

But as it turns out: we can traverse the state machine (i.e. the graph) while evaluating the formula!
This is achieved by a marking or labeling algorithm:
  traverse the graph that is the state machine;
  mark (or label) each state s with the (sub-)formulas that are satisfied in s.
Will this terminate? Note that there is only a finite number of states!

LTL Model Checking Algorithm

Thus we end up with a model-checking algorithm which takes as inputs
  i. a model (i.e. a state machine) M = (S, ->, L) and
  ii. an LTL formula φ
and outputs: the set of states in S that satisfy φ.
i.e. the signature of this procedure is:
  SetOfStates MC(Model M, Formula φ)
From this output, we can decide M, s |= φ by verifying s ∈ MC(M, φ).

LTL Model Checking: Marking Algorithm

Given S, ->, L, and φ, the marking algorithm
  1. recursively decomposes φ into sub-formulas,
  2. marks each s in S with the sub-formulas that are satisfied in s, and
  3. propagates this information to the predecessor(s) of a state as necessary.
Note that we are working with a finite state machine and therefore the graph has a finite number of vertices.
But our paths are infinite because there are cycles in the graph.
How does information propagate (step 3) along cycles?

LTL Marking Algorithm: Information Propagation

How does information propagate along paths?
For instance, say we need to verify whether Gφ is satisfied in a state, say s1, in this model M:
  [Figure: s1 has successors s2, s3 and s4, each leading on to further states.]
Then we can evaluate M, s1 |= Gφ by evaluating
  (M, s1 |= φ) AND (M, s2 |= Gφ) AND (M, s3 |= Gφ) AND (M, s4 |= Gφ)

LTL Marking Algorithm: Recursive Evaluation

Evaluation is recursive on the given formula and the given model:
  i.e. the result is an aggregate of the results of evaluating the formula or its sub-formulas on the given state and its successors.
Computing whether M, s |= φ is done recursively on φ and M, where the latter is an aggregation of recursive evaluation on paths starting from s.
The given formula φ is finite: i.e. the recursion on φ would terminate.
But recursion on paths starting from s may not terminate: because a path may be cyclic.

Marking: Information Propagation Along a Cycle

For instance, given this model M,
  [Figure: s1 has successors s2, s3 and s4; s3 leads to s5, s5 to s6, and s6 back to s1, forming a cycle.]
computing M, s1 |= Gφ could require computing M, s3 |= Gφ,
  which in turn could require computing M, s5 |= Gφ,
  which in turn could require computing M, s6 |= Gφ,
  which in turn could require computing M, s1 |= Gφ.

In general, we have the following question: given an equation of the form
  MC(M, s, φ) = { ... MC(M, s, φ) ... }
how do you compute a solution?

Marking: Solving Recursive Equations

Fix-point Theorem (w/o proof):
  The solution to a recursive equation of the form f(X) = { ... f(X) ... } is the (least) fixed point of f, for all monotonic f.
A fixed point of a function f is a value X such that f(X) = X.
i.e. computationally, we can iterate over values of X until we find the least value X such that f(X) = X, and that value would be a solution to the recursive equation.
What is the f in our algorithm?

LTL Marking Algorithm: Termination

Thus our marking algorithm would evaluate a formula φ at a state s in model M by
  (basis): evaluating sub-formulas of φ at s
  (step): evaluating φ or its sub-formulas at successors of s and aggregating the results
The evaluation will proceed by marking, i.e. updating in each state the set of satisfied sub-formulas, until evaluation does not change:
  i.e. the sets of satisfied sub-formulas remain as in the previous iteration.

LTL Model Checking: Marking Algorithm

MC(St, ->, L, φ, s)   // marking algorithm
  if φ is:
    FALSE: done   /* no state satisfies FALSE */
    TRUE:  done   /* all states implicitly marked TRUE */
    p for some atomic proposition p:
      mark state s with p, if p is in L(s)
    φ1 ∧ φ2:
      if s is marked with φ1 and φ2 then mark it with φ1 ∧ φ2
      Recursive calls: MC for φ1 and for φ2
    ¬φ1:
      if s is not marked with φ1 then mark it with ¬φ1
      Recursive call: MC for φ1
    Gφ1:
      repeat {
        mark state s with Gφ1 if
          s is marked with φ1 and
          all its successors are marked with Gφ1
      } until no change
    Xφ1: ??   /* complete this! */
    φ1 U φ2:
      if s is marked with φ2 then mark it with φ1 U φ2
      else repeat {
        mark a state s with φ1 U φ2
          if it is marked with φ1 and
          all of its successors are marked with φ1 U φ2
      } until (no change)

LTL Model Checking: Recursion and Fix-Point Computation

Notes on the marking algorithm:
  The "no change" condition in the two repeat loops (for the G case and the U case) is essentially a test for the fix-point:
  MC(M, φ, s) is computed iteratively on the states in M until its value (i.e. the set of satisfied sub-formulas in s) remains unchanged!

LTL Model Checking: Time Taken

Notes on the marking algorithm:
  The time taken by mark(S, ->, L, φ) is
    C * |φ| * |S| * |->| steps
  where |φ| denotes the number of operators in φ,
  |S| denotes the number of states,
  |->| denotes the number of edges, which is (upper-)bounded by |S| * |S|,
  and C is a constant.

MODULE: TEMPORAL LOGICS
CTL Semantics and Model Checking


Computation Tree Logic (CTL) - Syntax

Grammar (Gr_CTL):
  φ ---> p | ¬φ | φ ∧ φ | φ --> φ
  φ ---> AXφ | EXφ
  φ ---> AFφ | EFφ
  φ ---> AGφ | EGφ
  φ ---> A[φ U φ] | E[φ U φ]

Note:
  Quantifiers A and E are never used separately from the temporal operators, and
  temporal operators F, G, X, and U are never used without the quantifiers.

CTL Model Checking: Input Simplification

Before we look at a model checking algorithm, we simplify the syntax of the input formulas by using an adequate set of operators:
  [Propositional:] ¬ and ∧
  [Temporal:] AF, EU, and EX.
We will assume that the following equivalences are used in order to rewrite the input formula:
  1) ¬(AF ¬φ)  ≡  EG φ                           Eliminate EG and AG
  2) ¬(EF ¬φ)  ≡  AG φ
  3) E[T U φ]  ≡  EF φ                           Eliminate EF
  4) ¬(EX ¬φ)  ≡  AX φ                           Eliminate AX
  5) ¬(E[¬ψ U (¬φ ∧ ¬ψ)] ∨ EG ¬ψ)  ≡  A[φ U ψ]   Eliminate AU

CTL Semantics: Evaluation of Formulas

Evaluation of a formula would require checking all paths until
  a universally (or existentially) quantified formula is falsified (or satisfied, respectively) in one path, or
  all paths are exhausted.
Should the model-checking algorithm generate all paths at once? i.e.
  1. generate all paths in M and store them in PATHS
  2. for each π in PATHS { evaluate φ in π }
This is not necessary, because evaluation may not be necessary in all paths!

CTL - Automating Evaluation of Formulas

Should the evaluation algorithm generate one path at a time and evaluate the formula in that path? i.e.
  repeat
    generate a path π and evaluate φ in π
  until (there are no more paths)
Issue: each path is infinite and evaluating φ in one path may not terminate!
But: we can traverse the state machine (i.e. the graph) while evaluating the formula!
This is achieved by a marking or labeling algorithm:
  traverse the graph (i.e. the state machine);
  mark (or label) each state s with the (sub-)formulas that are satisfied in s.

CTL Model Checking Algorithm

Thus we need an algorithm mark with inputs
  i. a model M = (S, ->, L) and
  ii. a formula φ
and output: the set of states in S that satisfy φ.
Then we can decide M, s |= φ by verifying s ∈ mark(M, φ).

CTL Model Checking: Marking Algorithm

Given S, ->, L, and φ, the marking algorithm
  1. recursively decomposes φ into sub-formulas,
  2. marks each s in S with the sub-formulas that are satisfied in s, and
  3. propagates this information to the predecessor(s) of a state as necessary.
Note that we are working with a finite state machine and therefore the graph has a finite number of vertices.
But our paths are infinite because there are cycles in the graph.
How does information propagate (step 3) along cycles?

CTL Marking Algorithm: Information Propagation

How does information propagate along paths?
For instance, say we need to verify whether EFφ is satisfied in a state, say s1, in this model M:
  [Figure: s1 has successors s2, s3 and s4, each leading on to further states.]
Then we can evaluate M, s1 |= EFφ by evaluating
  (M, s1 |= φ) OR (M, s2 |= EFφ) OR (M, s3 |= EFφ) OR (M, s4 |= EFφ)

CTL Marking Algorithm: Recursive Evaluation

Evaluation is recursive on the given formula and the given model:
  i.e. the result is an aggregate of the results of evaluating the formula or its sub-formulas on the given state and its successors.
Computing whether M, s |= φ is done recursively on φ and M, where the latter is an aggregation of recursive evaluation on paths starting from s.
The given formula φ is finite: i.e. the recursion on φ would terminate.
But recursion on paths starting from s may not terminate: because a path may be cyclic.

CTL Marking Algorithm: Information Propagation Along a Cycle

For instance, given this model M,
  [Figure: s1 has successors s2, s3 and s4; s3 leads to s5, s5 to s6, and s6 back to s1, forming a cycle.]
computing M, s1 |= EFφ could require computing M, s3 |= EFφ,
  which in turn could require computing M, s5 |= EFφ,
  which in turn could require computing M, s6 |= EFφ,
  which in turn could require computing M, s1 |= EFφ.

In general, we have the following question: given an equation of the form
  mc(M, s, φ) = { ... mc(M, s, φ) ... }
how do you compute a solution?

Theorem (w/o proof):
  The solution to a recursive equation of the form f(X) = { ... f(X) ... } is the (least) fixed point of f.
A fixed point of a function f is a value X such that f(X) = X.
i.e. computationally, we can iterate over values of X until we find the least value X such that f(X) = X, and that value would be a solution to the recursive equation.

CTL Marking Algorithm: Termination

Thus our marking algorithm would evaluate a formula φ at a state s in model M by
  (basis): evaluating sub-formulas of φ at s
  (step): evaluating φ or its sub-formulas at successors of s and aggregating the results
until evaluation does not change:
  i.e. evaluation in each state remains as is.

CTL Model Checking: Marking Algorithm

mark(S, ->, L, φ)
  if φ is:
    FALSE: done   /* no state satisfies FALSE */
    TRUE:  done   /* all states implicitly marked TRUE */
    p for some atomic proposition p:
      mark state s with p, if p is in L(s)
    φ1 ∧ φ2:
      if a state s is already marked with φ1 and φ2 then mark it with φ1 ∧ φ2
    ¬φ1:
      if a state s is not already marked with φ1 then mark it with ¬φ1
    AFφ1:
      if a state s is marked with φ1, then mark it with AFφ1
      repeat {
        mark a state s with AFφ1 if
          all its successors are marked with AFφ1
      } until no change
    EXφ1:
      mark a state s with EXφ1
        if at least one of its successors is marked with φ1
    E[φ1 U φ2]:
      if a state s is marked with φ2 then mark it with E[φ1 U φ2]
      repeat {
        mark a state s with E[φ1 U φ2]
          if it is marked with φ1 and
          at least one of its successors is marked with E[φ1 U φ2]
      } until (no change)

CTL Model Checking: Recursion and Fix-Point Computation

Notes on the marking algorithm:
  The "no change" condition in the two repeat loops (for the AF case and the EU case) is essentially a test for the fix-point:
  mark(M, s, φ) is computed iteratively on the states in M until its value (i.e. the set of satisfied sub-formulas in s) remains unchanged!

CTL Model Checking: Time Taken

Notes on the marking algorithm:
  The time taken by mark(S, ->, L, φ) is
    C * |φ| * |S| * |->| steps
  where |φ| denotes the number of operators in φ,
  |S| denotes the number of states,
  |->| denotes the number of edges, which is (upper-)bounded by |S| * |S|,
  and C is a constant.
