specs temporal logic

8/3/2019 SPECS Temporal Logic

1/36

Specification Checking : TemporalLogic

Software Model Checking:Theory and Practice

Lecture: Specification Checking -Temporal Logic

Copyright2004,MattDwyer,John Hatcliff,andRobby.Thesyllabusandalllecturesforthiscoursearecopyrighted

materialsandmaynotbeusedinothercoursesettingsoutsideofKansasStateUniversityandtheUniversityofNebraska

intheircurrentformormodifiedformwithouttheexpresswrittenpermissionofoneofthecopyrightholders.Duringthis

course,studentsareprohibitedfromsellingnotestoorbeingpaidfortakingnotesbyanypersonorcommercialfirm

withouttheexpresswrittenpermissionofoneofthecopyrightholders.


2/36

Specification Checking : Temporal Logic

Objectives Understand why temporal logic can be a useful

formalism for specifying properties ofconcurrent/reactive systems.

Understand the intuition behind ComputationTree Logic (CTL) the specification logic usede.g., in the well-known SMV model-checker.

Be able to confidently apply Linear TemporalLogic (LTL) the specification logic used in e.g.,

Bogor and SPIN to specify simple propertiesof systems.

Understand the formal semantics of LTL.


3/36


Outline CTL by example

LTL by example

LTL formal definition

Common properties to be stated forconcurrent systems and how they can bespecified using LTL

Bogors support for LTL


4/36


To Do Show never claims being generated from

LTL formula For you to dos


5/36


Reasoning about Executions

We want to reason about execution trees tree node = snap shot of the programs state

Reasoning consists of two layers defining predicates on the program states (control points,

variable values)

expressing temporal relationships between those predicates

0.1

0.2

0 .3 1 .1

0 .4 1 .1 2 .1 0.3 1.2

1 .1 2 .1 0 .4 1.2 2 .1 1 .1 2 .20 .4 0 .4 1 .2 2.1 0 .4 1 .3 2 .1


6/36


Why Use Temporal Logic? Requirements of concurrent, distributed, and

reactive systems are often phrased asconstraints on sequences of events or statesorconstraints on execution paths.

Temporal logic provides a formal, expressive,and compact notation for realizing suchrequirements.

The temporal logics we consider are also

strongly tied to various computationalframeworks (e.g., automata theory) whichprovides a foundation for building verification

tools.


7/36


Syntax

Computational Tree Logic (CTL) ::= P primitive propositions

| ! | && | || | -> propositional connectives| AG | EG | AF | EF temporal operators| AX | EX | A[ U ] | E[ U ]


8/36


Semantic Intuition

Syntax



AG p along Allpaths p holds Globally

EG p there Existsa path where p holds Globally

AF p along Allpaths p holds at some state in the Future

EF p there Existsa path where p holds at some state in the Future

path quantifier

temporal operator


9/36


Semantic Intuition

Syntax



AX p along Allpaths, p holds in the neXtstate

EX p there Existsa path where p holds in the neXtstate

A[p U q] along Allpaths, p holds Untilq holds

E[p U q] there Existsa path where p holds Untilq holds


10/36


Computation Tree Logicp

p

p

p p p

p

p

p

p

p

p p p p

AG p


11/36


Computation Tree LogicEG p p

p

p

p


12/36


Computation Tree LogicAF p

p

p p p

p

p


13/36


Computation Tree LogicEF p

p


14/36


Computation Tree LogicAX p

p

p p

p

p p

p

p

p


15/36


Computation Tree LogicEX p

p

p

p

p p p


16/36


Computation Tree LogicA[p U q] p

p

p

q q p

p

q

q

p

p


17/36


Computation Tree LogicE[p U q] p

p

q q p

p

q

q

q


18/36


Example CTL Specifications

AG(requested -> AF acknowledged)

For any state, a request (e.g., for someresource) will eventually be acknowledged


19/36


Example CTL Specifications

From any state, it is possible to get to a restart state

AG(EF restart)


20/36


Example CTL SpecificationsAn upwards travelling elevator at the second floor doesnot changes its direction when it has passengerswaiting to go to the fifth floor

AG((floor=2 && direction=up && button5pressed)-> A[direction=up U floor=5])


22/36


CTL Notes Invented by E. Clarke and E. A. Emerson

(early 1980s)

Specification language for Symbolic ModelVerifier (SMV) model-checker

SMV is a symbolicmodel-checker instead ofan explicit-statemodel-checker

Symbolic model-checking uses BinaryDecision Diagrams (BDDs) to representboolean functions (both transition system andspecification


23/36


Linear Time LogicRestrict path quantification to ALL (no EXISTS)


24/36


Linear Time LogicRestrict path quantification to ALL (no EXISTS)

Reason in terms of branching traces instead of branching trees


25/36


Linear Time Logic (LTL)

[] always

eventually

U until

::= P primitive propositions| ! | && | || | -> propositional connectives| [] | | U | X temporal operators

Syntax

Semantic Intuition


26/36


Linear Time Logic

Along all paths, it must be the case that globally (I.e., ineach state we come to) eventually p will hold

Expresses a form of fairness p must occur infinitely often along the path

To check under the assumption of fair traces, check[]p ->

p p p

[]p


27/36


Linear Time Logic

Along all paths, eventually it is the case that p holds ateach state) (i.e., eventually permanently p)

Any path contains only finitely many !p states

p p p

pp p p p

[]p


28/36


Linear Time Logic

p unless q, or p waiting for q, or p weak-until q

p p p

pp p p p

p W q []p || (p U q)=

ppppp

pp p p pqqqqq

q

q p p pqqppp


29/36


Semantics for LTL Semantics of LTL is given with respect to a

(usually infinite) path or trace = s1 s2 s3

We write i for the suffix starting at si, e.g., 3 = s3 s4 s5

A system satisfies an LTL formula fif each paththrough the system satisfies f.


30/36


Semantics of LTL For pAP:

|= p p L(s1) |= p p L(s1) |= f g |= f and |= g

|= f g |= f or |= g

|= Xf 2 |= f

|= f i >= 1. i |= f

|= []f i >= 1. i|= f

|= (f U g) i >= 1. i |= gand j : 1 j < i-1. j |= f


31/36


LTL Notes Invented by Prior (1960s), and first use

to reason about concurrent systems by A.Pnueli, Z. Manna, etc.

LTL model-checkers are usually explicit-

state checkers due to connection betweenLTL and automata theory

Most popular LTL-based checker is SPIN(G. Holzman)


32/36


Comparing LTL and CTL

CTL is not strictly more expression than LTL (and viceversa)

CTL* invented by Emerson and Halpern in 1986 to unifyCTL and LTL

We believe that almost all properties that one wants to expressabout software lie in intersection of LTL and CTL

CTL LTL

CTL*


33/36


Bogor Support As for regular properties, Bogor defines an

extension for LTL properties Property extension is the same

LTL extension

Implemented bybogor.module.property.ltl.LinearTemporalLogicModule

Supports Atomic propositions and literals (e.g., true/false)

Propositional connectives (e.g., and, or) Temporal operators (e.g., always, eventually)


34/36


LTL extensionextension LTL for edu.ksu.cis.projects.bogor.module.property.ltl.LinearTemporalLogicModule

{

typedef Formula;

expdef LTL.Formula prop(string);

expdef LTL.Formula literal(boolean);

expdef LTL.Formula always(LTL.Formula);

expdef LTL.Formula eventually(LTL.Formula);

expdef LTL.Formula negation(LTL.Formula);

expdef LTL.Formula until(LTL.Formula, LTL.Formula);expdef LTL.Formula release(LTL.Formula, LTL.Formula);

expdef LTL.Formula equivalence(LTL.Formula, LTL.Formula);

expdef LTL.Formula implication(LTL.Formula, LTL.Formula);

expdef LTL.Formula conjunction(LTL.Formula, LTL.Formula);

expdef LTL.Formula disjunction(LTL.Formula, LTL.Formula);

expdef boolean temporalProperty(Property.ObservableDictionary,

LTL.Formula);

}


35/36


An ExampleMutual exclusion in ReadersWriters

fun mutualExclusion() returns boolean= LTL.temporalProperty(

Property.createObservableDictionary(

Property.createObservableKey(

"someReading", activeReaders>0),

Property.createObservableKey(

"someWriting", activeWriters>0)

),

LTL.always(

LTL.implication(

LTL.prop("someReading"),

LTL.negation(LTL.prop("someWriting"))

)

)

);


36/36


Bogor ConfigurationUse the defaults except for these settings

edu.ksu.cis.projects.bogor.module.IStateFactory=

edu.ksu.cis.projects.bogor.module.property.fsa.FSAStateFactory

edu.ksu.cis.projects.bogor.ast.transform.ISystemTransformer=

edu.ksu.cis.projects.bogor.module.property.ltl.LtlSystemTransformer

edu.ksu.cis.projects.bogor.module.ISearcher=

edu.ksu.cis.projects.bogor.module.property.buechi.NestedFSASearcher

edu.ksu.cis.projects.bogor.module.IStateManager.stateAugmenter=

edu.ksu.cis.projects.bogor.module.property.fsa.FSAStateAugmenter

ltlFunId=mutualExclusion

specs temporal logic

Documents