# Temporal Logics. Computation Tree Logic

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Temporal Logics CTL: definition, relationship between operators, adequate sets, specifying properties, safety/liveness/fairness Modeling: sequential, concurrent systems; maximum parallelism/interleaving LTL: definition, relationship between operators, CTL vs. LTL CTL* Property patterns 1 Computation Tree Logic Computational tree logic - propositional branching time logic, permitting explicit quantification over all possible futures. Fixed set of atomic formulas ( p, q, r), standing for atomic descriptions of a system: The printer is busy There are currently no requested jobs for the printer Conveyer belt is stopped Choice of atomic propositions depends on our intension (but usually does not involve time) 2

2 Computation Tree Logic (Cont d) Syntax: 1.,, and every atomic proposition is a CTL formula 2. If f and g are CTL formulae, then so are f, f g, f g, AX f, EX f, A[ f Ug], E[ f Ug], AF f, EF f, AG f, EG f, A[ f Rg], E[ f Rg], A[ f Wg], E[ f Wg] Temporal operators - quantifier (A or E) followed by F (future), G (global), U (until), R (release), W (weak until) or X (next). 3 CTL Syntax - Cont d Which of these are well-formed and which are not: EG r FG r AG AF r E [A [p 1 U p 2 ] U p 3 ] AF [(r U q) (p U r)] EF E[r U q] AF[(r U q) (p U r)] 4

3 Formulas, Subformulas and Parse Trees Draw parse tree for E[A[p U q] U r] Draw parse tree for AG(p A[p U ( p A[ p U q])]) Definition: A subformula of a CTL formula φ is any formula ψ whose parse tree is a subtree of φ s parse tree. 5 Semantics of CTL M,s = f means that formula f is true in state s. M is often omitted since we always talk about the same model. E.g. s = p q π = π 0 π 1 π 2... is a path π 0 is the current state (root) π i+1 is π i s successor state. Then, AX f = π π 1 = f EX f = π π 1 = f AG f = π i π i = f EG f = π i π i = f AF f = π i π i = f EF f = π i π i = f 6

4 Semantics (Cont d) A[ f U g] = π i π i = g j 0 j < i π j = f E[ f U g] = π i π i = g i 0 j < i π j = f A[ f R g] = π j 0 ( i < j π i = f) π j = g E[ f R g] = π j 0 ( i < j π i = f) π j = g Note: the i in i could be 0. 7 Examples A process is enabled infinitely often on every computation path. A process will eventually be deadlocked. It is always possible to get to a restart state. An elevator does not change direction when it has passengers wishing to go in the same direction. An elevator can remain idle on the third floor with its doors closed Which situation does this signify: AG(p AF(s AX(AF(t))) 8

5 Relationship between CTL operators AX f = EX f AF f = EG f EF f = AG f AF f = A[ U f ] EF f = E[ U f ] A[ U f ] = E[ U f ] = f A[ f U g] = E[ g U ( f g)] EG g A[ f W g] = E[ g U ( f g)] (weak until) E[ f U g] = A[ g W ( f g)] AG f = f AX AG f EG f = f EX EG f AF f = f AX AF f EF f = f EX EF f A[ f U g] = g (f AX A[ f U g]) E[ f U g] = g (f EX E[ f U g]) E[ f U g] = A[ f R g] A[ f U g] = E[ f R g] 9 Adequate Sets Definition: A set of connectives is adequate if all connectives can be expressed using it. Example: {, } is adequate for propositional logic: a b = ( a b). Theorem: The set of operators, and together with EX, EG, and EU is adequate for CTL, e.g., AF (a AX b) = EG (a AX b) = EG( a EX b). EU - reachability. EG - non-termination (presence of infinite behaviours) Other adequate sets: {AU, EU, EX}, {AF, EU, EX} Theorem: Every adequate set has to include EU. 10

6 Sublanguages of CTL ACTL - CTL with only universal path quantifiers (AX, AF, AG, AU, AR) ECTL - CTL with only existential path quantifiers (EX, EF, EG, EU, ER) Positive normal form (pnf) negations applied only to atomic propositions. Then, need,, and both U and R operators. Also called negation normal form (nnf). Exercise: convert (AG A[p U q]) to pnf: 11 Property Types: Safety Safety: nothing bad ever happens Invariants: x is always less than 10 Deadlock freedom: the system never reaches a state where no moves are possible Mutual exclusion: the system never reaches a state where two processes are in the critical section As soon as you see the bad thing, you know the property is false (so they are falsified by a finite prefix of an execution trace) 12

7 Liveness Properties Liveness: something good will eventually happen Termination: the system eventually terminates Response: if action X occurs then eventually action Y will occur Need to keep looking for the good thing forever Liveness can only be falsified by an infinite-suffix of an execution trace Practically, a counter-example here is a set of states starting from initial one and going through a loop where you get stuck and never reach the good thing. 13 Using CTL Mutual Exclusion Problem. Aimed to ensure that two processes do not have access to some shared resource (database, file on disk, etc.) at the same time. Identify critical sections and ensure that at most one process is in that section. Interested in the following properties: (Type?): The protocol allows only one process to be in its critical section at any time. Formalization: Why is this not enough? (Type?): Whenever any process wants to enter its critical section, it will eventually be permitted to do so. Formalization: (Type?): A process can always request to enter its critical section. Formalization: 14

8 The first modeling attempt s0 n1 n2 s1 t1 n2 s5 n1 t2 s2 c1 n2 s4 t1 t2 s6 n1 c2 s3 c1 t2 s7 t1 c2 Does it work? 15 Second modeling attempt Works! s0 n1 n2 s1 t1 n2 s5 n1 t2 s2 c1 n2 s3 t1 t2 s9 t1 t2 s6 n1 c2 s4 c1 t2 s7 t1 c2 The problem is a bit simplified (cannot stay in critical forever!) What happens if we do want to model this? 16

9 Notion of Fairness Fairness: a path π is fair w.r.t. property ψ if ψ is true on π infinitely often. We may want to evaluate A and E constraints only over those paths. Examples: each process will run infinitely often; a process can stay in a critical section arbitrarily long, as long as it eventually leaves. Two types of fairness: simple Property φ is true infinitely often. and compound If φ is true infinitely often, then ψ is also true infinitely often. In this course we will deal only with simple fairness. 17 Formal Definition of Fairness Let C = {ψ 1,ψ 2,...,ψ n } be a set of n fairness constraints. A computation path s 0,s 1,... is fair w.r.t. C if for each i there are infinitely many j s.t. s j = ψ i, that is, each ψ i is true infinitely often along the path. We use A C and E C for the operators A and E restricted to fair paths. E C U, E C G and E C X form an adequate set. E C G holds in a state if it is the beginning of a fair path. Also, a path is fair iff any suffix of it is fair. Finally, E C [φuψ] = E[φU(ψ E C G )] Can fairness be expressed in CTL? E C Xφ = EX(φ E C G ) 18

10 Kripke Structures (Our Model) Formula is defined with respect to a model M = AP,S,s 0,R,I, where AP is a set of atomic propositions S is a set of states s 0 S is the start state R is a transition relation (every state has a successor) I is a set of interpretations specifying which propositions are true in each state. Example: s0 s1 s0 s1 s2 s3 s2 s3 s4 s4 sd How to deal with deadlock states? 19 Where Do Models Come from? Example: x, y: {0, 1} x := (x + y) mod 2 initial state: x = 1, y = 1 Description: S 0 (x,y) x = 1 y = 1 R(x,y,x,y ) x = (x+y)mod 2 y = y Pictorially: Which states are reachable? 20

11 Models of Concurrency Maximum parallelism (synchronous) simultaneous execution of atomic actions in all system modules capable of performing an operation. Interleaving (asynchronous) concurrent execution of modules is represented by interleaving of their atomic actions. Example: A B D E C MP: AD BE CD BE AD... INT: A D B C E B A B D... COMB: AD AE BE Modeling systems (Cont d) Communication: shared vars, message passing, handshaking Sequential statements: atomic (assignment, skip, wait, lock, unlock), composition (P 1 ; P 2 ), condition (if b then P 1 else P 2 ), loop (while b do P) Concurrency: cobegin P 1 P 2... P n coend Model state of each process using variable pc. 22

12 Example P0::l0: while True do NC0: wait (turn=0); CR0: turn := 1; end while l0 P1:: l1: while True do NC1: wait (turn=1); CR1: turn := 0; end while l1 Variables: pc i : {l i,l i,nc i,cr i, } turn: shared, initial value =??? Initial: S 0 (V,PC) pc 0 = pc 1 = 23 Transition Relation R(V,V,PC,PC ) = pc i = l i pc i = NC i True same(turn) pc i = NC i pc i = CR i turn = i same(turn) pc i = CR i pc i = l i turn = (i+1)mod 2 pc i = NC i pc i = NC i turn i same(turn) pc i = l i pc i = l i False same(turn) 24

13 Picture 25 LTL If p is an atomic propositional formula, it is a formula in LTL. If p and q are LTL formulas, so are p q, p q, p, p U q, p W q, p R q, p (next), p(eventually), p (always) Interpretation: over computations π : ω 2 AP which assigns truth values to the elements of AP at each time instant: π = f iff π 1 = f π = f U g iff i π i = g j 0 j < i π j = f π = f iff i π i = f π = f iff i π i = f Here, π 0 initial state of the system Two other operators: p W q = p (p U q) (p unless q, p waiting for q, p weak-until q) p R q = ( p U q) (release) 26

14 Some Temporal Properties p = p p = True U p p = p p W q = p (p U q) p R q = ( p U q) p = p p p = p p p U q = q (p (p U q)) A property ϕ holds in a model if it holds on every path emanating from the initial state. 27 Expressing Properties in LTL Good for safety ( ) and liveness ( ) properties. p q If p holds in initial state s 0, then q holds at s j for some j 0. q Each path contains infinitely many q s. q At most a finite number of states in each path satisfy q. Property q eventually stabilizes. (p U q) always p remains true at least until q becomes true. ( (p U q)) never is there a point in the execution such that p remains true at least until q becomes true. Express: it is not true that p is true at least until the point s.t. for all paths q is true at least until r is true 28

15 Fairness properties Fairness (strong): if something is attempted or requested infinitely often, then it will be successful/allocated infinitely often Example: p processes ready(p) run(p) Different forms of fairness: ( attempt) ( succeed) ( attempt) ( succeed) ( attempt) ( succeed) ( attempt) ( succeed) 29 Syntactically: LTL simpler than CTL Semantically: incomparable! Comparison of LTL and CTL CTL formula EF p is not expressible in LTL LTL formula p not expressible in CTL. Question: What about AF AG p? Model: self-loop on p, transition on p to a state with a self-loop on p. AFAG p is false, FG p is true. Most useful formulas expressible in both: Invariance: p and AG p Liveness (response): (p q) and AG(p AFq). LTL and CTL coincide if the model has only one path! 30

16 Path quantifiers: A and E CTL*: Unifying CTL and LTL Temporal quantifiers: X ( ), F ( ), G ( ), U, R State formulas: 1. p AP 2. If f and g are state formulas, then f, f g, f g are state formulas. 3. If f is a path formula then E f and A f are state formulas Path formulas: 1. every state formula 2. If f and g are path formulas, then f, f g, f g, X f, G f, F f, f U g, f R g are path formulas. CTL* the set of all state formulas. Examples: A(FG p), AG p, A(FG p) AG(EF p) Formal semantics: see the book, p. 29. How to think of LTL as a subset of CTL*? 31 Property Patterns: Motivations 1. Temporal properties are not always easy to write or read. Ex: ((Q R R) (P ( R U (S R)) U R) Meaning: P triggers S between Q (e.g., end of system initialization) and R (start of system shutdown) 2. Most useful properties: specifiable both in CTL and LTL. Ex: Action Q must respond to action P: CTL: AG(P AF Q) LTL: (P Q) Ex: Action S precedes P after Q CTL: A[ Q U (Q A[ P U S])) LTL: Q (Q ( P U S)) 32

17 Manna & Pnueli Classification Canonical forms: Safety: p Guarantee: p Obligation: q p Response: p Persistence: p Reactivity: p q Source: Zohar Manna and Amir Pnueli. The Temporal Logic of Reactive and Concurrent Systems: Specification. Springer-Verlag, 1992 A preferred classification: based on the semantics rather than syntax of properties so that non-experts can use it! 33 Pattern Hierarchy Developed by Dwyer, Avrunin, Corbett Goal: specifying and reusing property specifications for model-checking Property Patterns Occurrence Order Absence Universality Existence Bounded Existence Precedence Response Chain Precedence Chain Response Occurrence Patterns - require states/events to occur or not Absence: A given state/event does not occur within a given scope Existence: A given state/event must occur within a given scope Bounded existence: A given state/event must occur k times (at least k times, at most k times) within a given scope Universality: A given state/event must occur throughout a given scope 34

18 Pattern Hierarchy (Cont d) Property Patterns Occurrence Order Absence Universality Existence Bounded Existence Precedence Response Chain Precedence Chain Response Order Patterns - constrain the order of states/events Precedence: A state/event P must always be preceded by a state/event Q within a scope Response: A state/event P must always be followed by a state/event Q with a scope Chain precedence: A sequence of states/events P 1,..., P n must always be preceded by a sequence of states/events Q 1,...,Q m with a scope Chain Response: A sequence of states/events P 1,..., P n must always be followed by a sequence of states/events Q 1,..., Q m within a scope 35 Pattern Scopes Global Before R After Q Between Q and R After Q Until R State/Event Sequence Q R Q Q R Q 36

19 Using the System Example: Between an enqueue() and empty() there must be a dequeue() Propositions: enqueue(), empty(), dequeue() Pattern and Scope: existence pattern with between scope Property: dequeue() exists between enqueue() and empty() LTL: ((enqueue() empty()) ( empty() W (dequeue() empty()))) CTL: AG(enqueue() empty() A[ empty() W (dequeue() empty())]) Homework: more usage of patterns, some subtle points (open/closed intervals, between vs. after-until) 37 food for the slide eater 38

### Introduction to Software Verification

Introduction to Software Verification Orna Grumberg Lectures Material winter 2013-14 Lecture 4 5.11.13 Model Checking Automated formal verification: A different approach to formal verification Model Checking

### logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?

5. LTL, CTL Last part: Alloy logic language, static/dynamic models SAT solvers Today: Temporal Logic (LTL, CTL) Verified Software Systems 1 Overview How can we model check of a program or system? Modeling

### Model Checking II Temporal Logic Model Checking

1/32 Model Checking II Temporal Logic Model Checking Edmund M Clarke, Jr School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 2/32 Temporal Logic Model Checking Specification Language:

### Model Checking: An Introduction

Announcements Model Checking: An Introduction Meeting 2 Office hours M 1:30pm-2:30pm W 5:30pm-6:30pm (after class) and by appointment ECOT 621 Moodle problems? Fundamentals of Programming Languages CSCI

### Software Modeling and Verification

Software Modeling and Verification Alessandro Aldini DiSBeF - Sezione STI University of Urbino Carlo Bo Italy 3-4 February 2015 Algorithmic verification Correctness problem Is the software/hardware system

### Formal Verification Methods 3: Model Checking

Formal Verification Methods 3: Model Checking John Harrison Intel Corporation Marktoberdorf 2003 Fri 1st August 2003 (11:25 12:10) This presentation was not given in Marktoberdorf since it mostly duplicates

### CISC422/853: Formal Methods

Outline CISC422/853: Formal Methods in Software Engineering: Computer-Aided Verification Topic 7: Specifying, or How to Describe How the System Should (or Should Not) Behave Juergen Dingel Feb, 2009 Readings:

### Formal Verification and Linear-time Model Checking

Formal Verification and Linear-time Model Checking Paul Jackson University of Edinburgh Automated Reasoning 21st and 24th October 2013 Why Automated Reasoning? Intellectually stimulating and challenging

### Software Model Checking: Theory and Practice

Software Model Checking: Theory and Practice Lecture: Secification Checking - Temoral Logic Coyright 2004, Matt Dwyer, John Hatcliff, and Robby. The syllabus and all lectures for this course are coyrighted

### Software Verification and Testing. Lecture Notes: Temporal Logics

Software Verification and Testing Lecture Notes: Temporal Logics Motivation traditional programs (whether terminating or non-terminating) can be modelled as relations are analysed wrt their input/output

### Algorithmic Software Verification

Algorithmic Software Verification (LTL Model Checking) Azadeh Farzan What is Verification Anyway? Proving (in a formal way) that program satisfies a specification written in a logical language. Formal

### Formal Verification by Model Checking

Formal Verification by Model Checking Natasha Sharygina Carnegie Mellon University Guest Lectures at the Analysis of Software Artifacts Class, Spring 2005 1 Outline Lecture 1: Overview of Model Checking

### Development of dynamically evolving and self-adaptive software. 1. Background

Development of dynamically evolving and self-adaptive software 1. Background LASER 2013 Isola d Elba, September 2013 Carlo Ghezzi Politecnico di Milano Deep-SE Group @ DEIB 1 Requirements Functional requirements

### Testing LTL Formula Translation into Büchi Automata

Testing LTL Formula Translation into Büchi Automata Heikki Tauriainen and Keijo Heljanko Helsinki University of Technology, Laboratory for Theoretical Computer Science, P. O. Box 5400, FIN-02015 HUT, Finland

### http://aejm.ca Journal of Mathematics http://rema.ca Volume 1, Number 1, Summer 2006 pp. 69 86

Atlantic Electronic http://aejm.ca Journal of Mathematics http://rema.ca Volume 1, Number 1, Summer 2006 pp. 69 86 AUTOMATED RECOGNITION OF STUTTER INVARIANCE OF LTL FORMULAS Jeffrey Dallien 1 and Wendy

### Today s Agenda. Automata and Logic. Quiz 4 Temporal Logic. Introduction Buchi Automata Linear Time Logic Summary

Today s Agenda Quiz 4 Temporal Logic Formal Methods in Software Engineering 1 Automata and Logic Introduction Buchi Automata Linear Time Logic Summary Formal Methods in Software Engineering 2 1 Buchi Automata

### Formal Verification of Software

Formal Verification of Software Sabine Broda Department of Computer Science/FCUP 12 de Novembro de 2014 Sabine Broda (DCC-FCUP) Formal Verification of Software 12 de Novembro de 2014 1 / 26 Formal Verification

### Using Patterns and Composite Propositions to Automate the Generation of Complex LTL

University of Texas at El Paso DigitalCommons@UTEP Departmental Technical Reports (CS) Department of Computer Science 8-1-2007 Using Patterns and Composite Propositions to Automate the Generation of Complex

### Introduction to SPIN. Acknowledgments. Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck. Features PROMELA/SPIN

Acknowledgments Introduction to SPIN Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck Ralf Huuck COMP 4152 1 Ralf Huuck COMP 4152 2 PROMELA/SPIN PROMELA (PROcess MEta

### Automata-based Verification - I

CS3172: Advanced Algorithms Automata-based Verification - I Howard Barringer Room KB2.20: email: howard.barringer@manchester.ac.uk March 2006 Supporting and Background Material Copies of key slides (already

### FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC Alessandro Artale Faculty of Computer Science Free University of Bolzano Room 2.03 artale@inf.unibz.it http://www.inf.unibz.it/ artale/ Some material (text,

### A Propositional Dynamic Logic for CCS Programs

A Propositional Dynamic Logic for CCS Programs Mario R. F. Benevides and L. Menasché Schechter {mario,luis}@cos.ufrj.br Abstract This work presents a Propositional Dynamic Logic in which the programs are

### The Model Checker SPIN

The Model Checker SPIN Author: Gerard J. Holzmann Presented By: Maulik Patel Outline Introduction Structure Foundation Algorithms Memory management Example/Demo SPIN-Introduction Introduction SPIN (Simple(

### Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

Introduction Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification Advanced Topics in Software Engineering 1 Concurrent Programs Characterized by

### On the Modeling and Verification of Security-Aware and Process-Aware Information Systems

On the Modeling and Verification of Security-Aware and Process-Aware Information Systems 29 August 2011 What are workflows to us? Plans or schedules that map users or resources to tasks Such mappings may

### LTL: Linear-time logic. LTL is another important temporal logic. In LTL the future is seen as a sequence of states, so the future is seen as a path.

LTL: Linear-time logic LTL is another imortant temoral logic. In LTL the future is seen as a sequence of states, so the future is seen as a ath. We can consider a set of aths, however we don t have an

### Path Querying on Graph Databases

Path Querying on Graph Databases Jelle Hellings Hasselt University and transnational University of Limburg 1/38 Overview Graph Databases Motivation Walk Logic Relations with FO and MSO Relations with CTL

### Fundamentals of Software Engineering

Fundamentals of Software Engineering Model Checking with Temporal Logic Ina Schaefer Institute for Software Systems Engineering TU Braunschweig, Germany Slides by Wolfgang Ahrendt, Richard Bubel, Reiner

### Lecture 9 verifying temporal logic

Basics of advanced software systems Lecture 9 verifying temporal logic formulae with SPIN 21/01/2013 1 Outline for today 1. Introduction: motivations for formal methods, use in industry 2. Developing models

### tutorial: hardware and software model checking

tutorial: hardware and software model checking gerard holzmann and anuj puri { gerard anuj } @research.bell-labs.com Bell Labs, USA outline introduction (15 mins) theory and algorithms system modeling

### Predicate Logic. PHI 201 Introductory Logic Spring 2011

Predicate Logic PHI 201 Introductory Logic Spring 2011 This is a summary of definitions in Predicate Logic from the text The Logic Book by Bergmann et al. 1 The Language PLE Vocabulary The vocabulary of

### Algorithms for Model Checking (2IW55)

Algorithms for Model Checking (2IW55) Lecture 2 Fairness & Basic Model Checking Algorithm for CTL and fair CTL based on strongly connected components Chapter 4.1, 4.2 + SIAM Journal of Computing 1(2),

### Software Engineering using Formal Methods

Software Engineering using Formal Methods Model Checking with Temporal Logic Wolfgang Ahrendt 24th September 2013 SEFM: Model Checking with Temporal Logic /GU 130924 1 / 33 Model Checking with Spin model

### A Logic Approach for LTL System Modification

A Logic Approach for LTL System Modification Yulin Ding and Yan Zhang School of Computing & Information Technology University of Western Sydney Kingswood, N.S.W. 1797, Australia email: {yding,yan}@cit.uws.edu.au

### mywbut.com Propositional Logic inference rules

Propositional Logic inference rules 1 5.5 Rules of Inference Here are some examples of sound rules of inference. Each can be shown to be sound once and for all using a truth table. The left column contains

### Formal Verification Coverage: Computing the Coverage Gap between Temporal Specifications

Formal Verification Coverage: Computing the Coverage Gap between Temporal Specifications Sayantan Das Prasenjit Basu Ansuman Banerjee Pallab Dasgupta P.P. Chakrabarti Department of Computer Science & Engineering

### System modeling. Budapest University of Technology and Economics Department of Measurement and Information Systems

System modeling Business process modeling how to do it right Partially based on Process Anti-Patterns: How to Avoid the Common Traps of Business Process Modeling, J Koehler, J Vanhatalo, IBM Zürich, 2007.

### T-79.186 Reactive Systems: Introduction and Finite State Automata

T-79.186 Reactive Systems: Introduction and Finite State Automata Timo Latvala 14.1.2004 Reactive Systems: Introduction and Finite State Automata 1-1 Reactive Systems Reactive systems are a class of software

### v1.0 Sistemi Concorrenti e di Rete LS II Facoltà di Ingegneria - Cesena a.a 2008/2009 [module 1.2] THE CONCURRENT PROGRAMMING ABSTRACTION

v1.0 Sistemi Concorrenti e di Rete LS II Facoltà di Ingegneria - Cesena a.a 2008/2009 [module 1.2] THE CONCURRENT PROGRAMMING ABSTRACTION SISCO LS - II Facoltà Ingegneria - Cesena 1 FROM PROGRAMS TO MODELS

### 5 Program Correctness

5 Program Correctness 5.1. Introduction For any application, the designer of a distributed system has the responsibility of certifying the correctness of the system, before users start using it. This guarantee

### Fundamentals of Software Engineering

Fundamentals of Software Engineering Model Checking with Temporal Logic Ina Schaefer Institute for Software Systems Engineering TU Braunschweig, Germany Slides by Wolfgang Ahrendt, Richard Bubel, Reiner

### Validated Templates for Specification of Complex LTL Formulas

Validated Templates for Specification of Complex LTL Formulas Salamah Salamah Department of Electrical, computer, Software, and Systems Engineering Embry Riddle Aeronautical University 600 S. Clyde Morris

### Introducing Formal Methods. Software Engineering and Formal Methods

Introducing Formal Methods Formal Methods for Software Specification and Analysis: An Overview 1 Software Engineering and Formal Methods Every Software engineering methodology is based on a recommended

Verication by Finitary Abstraction Weizmann Institute of Sciences and Universite Joseph Fourier, Grenoble Fourth International Spin Workshop (SPIN'98) Paris 2.11.98 Joint work with: Y. Kesten Ben Gurion

### Feature Specification and Automated Conflict Detection

Feature Specification and Automated Conflict Detection AMY P. FELTY University of Ottawa and KEDAR S. NAMJOSHI Bell Laboratories Large software systems, especially in the telecommunications field, are

### Business Process Verification: The Application of Model Checking and Timed Automata

Business Process Verification: The Application of Model Checking and Timed Automata Luis E. Mendoza Morales Processes and Systems Department, Simón Bolívar University, P.O. box 89000, Baruta, Venezuela,

### Bounded LTL Model Checking with Stable Models

Under consideration for publication in Theory and Practice of Logic Programming 1 Bounded LTL Model Checking with Stable Models KEIJO HELJANKO and ILKKA NIEMELÄ Helsinki University of Technology Department

### LTL Model Checking with Logic Based Petri Nets

LTL Model Checking with Logic Based Petri Nets Tristan M. Behrens and Jürgen Dix IfI Technical Report Series IfI-07-04 Impressum Publisher: Institut für Informatik, Technische Universität Clausthal Julius-Albert

### Simulative Model Checking of Steady State and Time-Unbounded Temporal Operators

Simulative Model Checking of Steady State and Time-Unbounded Temporal Operators Christian Rohr Department of Computer Science Brandenburg University of Technology Cottbus June 25, 2012 Outline 1 Introduction

### Static Program Transformations for Efficient Software Model Checking

Static Program Transformations for Efficient Software Model Checking Shobha Vasudevan Jacob Abraham The University of Texas at Austin Dependable Systems Large and complex systems Software faults are major

### CTL + is Complete for Double Exponential Time

CTL + is Complete for Double Exponential Time Jan Johannsen and Martin Lange Institut für Informatik Ludwig-Maximilians-Universität München Munich, Germany {jjohanns,mlange}@informatik.uni-muenchen.de

### 2 Temporal Logic Model Checking

Bounded Model Checking Using Satisfiability Solving Edmund Clarke 1, Armin Biere 2, Richard Raimi 3, and Yunshan Zhu 4 1 Computer Science Department, CMU, 5000 Forbes Avenue Pittsburgh, PA 15213, USA,

### Virtual Time and Timeout in Client-Server Networks

Virtual Time and Timeout in Client-Server Networks Jayadev Misra July 13, 2011 Contents 1 Introduction 2 1.1 Background.............................. 2 1.1.1 Causal Model of Virtual Time...............

### Predicate Logic Review

Predicate Logic Review UC Berkeley, Philosophy 142, Spring 2016 John MacFarlane 1 Grammar A term is an individual constant or a variable. An individual constant is a lowercase letter from the beginning

### Discrete Mathematics, Chapter 5: Induction and Recursion

Discrete Mathematics, Chapter 5: Induction and Recursion Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 5 1 / 20 Outline 1 Well-founded

### Truth Conditional Meaning of Sentences. Ling324 Reading: Meaning and Grammar, pg

Truth Conditional Meaning of Sentences Ling324 Reading: Meaning and Grammar, pg. 69-87 Meaning of Sentences A sentence can be true or false in a given situation or circumstance. (1) The pope talked to

### Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

### Agenda. Quick Overview Properties, Automata and State Machines Model Checking. Pallab Dasgupta, Dept. of Computer Sc & Engg, IIT Kharagpur

Model Checking Agenda Quick Overview Properties, Automata and State Machines Model Checking 2 Formal Property Verification What is formal property verification? Verification of formal properties? Formal

### Model checking test models. Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl

Model checking test models Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl February 14, 2014 Abstract This thesis is about model checking testing models. These testing

### Semantics and Verification of Software

Semantics and Verification of Software Lecture 21: Nondeterminism and Parallelism IV (Equivalence of CCS Processes & Wrap-Up) Thomas Noll Lehrstuhl für Informatik 2 (Software Modeling and Verification)

### Model Checking LTL Properties over C Programs with Bounded Traces

Noname manuscript No. (will be inserted by the editor) Model Checking LTL Properties over C Programs with Bounded Traces Jeremy Morse 1, Lucas Cordeiro 2, Denis Nicole 1, Bernd Fischer 1,3 1 Electronics

### Concepts of Concurrent Computation

Chair of Software Engineering Concepts of Concurrent Computation Bertrand Meyer Sebastian Nanz Lecture 3: Synchronization Algorithms Today's lecture In this lecture you will learn about: the mutual exclusion

### Software Active Online Monitoring Under. Anticipatory Semantics

Software Active Online Monitoring Under Anticipatory Semantics Changzhi Zhao, Wei Dong, Ji Wang, Zhichang Qi National Laboratory for Parallel and Distributed Processing P.R.China 7/21/2009 Overview Software

### Lecture 7: Concurrency control. Rasmus Pagh

Lecture 7: Concurrency control Rasmus Pagh 1 Today s lecture Concurrency control basics Conflicts and serializability Locking Isolation levels in SQL Optimistic concurrency control Transaction tuning Transaction

### Rigorous Software Development CSCI-GA 3033-009

Rigorous Software Development CSCI-GA 3033-009 Instructor: Thomas Wies Spring 2013 Lecture 11 Semantics of Programming Languages Denotational Semantics Meaning of a program is defined as the mathematical

### HECTOR a software model checker with cooperating analysis plugins. Nathaniel Charlton and Michael Huth Imperial College London

HECTOR a software model checker with cooperating analysis plugins Nathaniel Charlton and Michael Huth Imperial College London Introduction HECTOR targets imperative heap-manipulating programs uses abstraction

### INF5140: Specification and Verification of Parallel Systems

Motivation INF5140: Specification and Verification of Parallel Systems Lecture 1 Introduction: Formal Methods Gerardo Schneider Department of Informatics University of Oslo INF5140, Spring 2009 Outline

### VeriTech - A Framework for Translating among Model Description Notations

Software Tools for Technology Transfer manuscript No. (will be inserted by the editor) VeriTech - A Framework for Translating among Model Description Notations Orna Grumberg and Shmuel Katz Computer Science

### On strong fairness in UNITY

On strong fairness in UNITY H.P.Gumm, D.Zhukov Fachbereich Mathematik und Informatik Philipps Universität Marburg {gumm,shukov}@mathematik.uni-marburg.de Abstract. In [6] Tsay and Bagrodia present a correct

### Program Synthesis is a Game

Program Synthesis is a Game Barbara Jobstmann CNRS/Verimag, Grenoble, France Outline Synthesis using automata- based game theory. MoBvaBon, comparison with MC and LTL. Basics Terminology Reachability/Safety

### Access Control Based on Dynamic Monitoring for Detecting Software Malicious Behaviours

Access Control Based on Dynamic Monitoring for Detecting Software Malicious Behaviours K. Adi, L. Sullivan & A. El Kabbal Computer Security Research Laboratory http://w3.uqo.ca/lrsi NCAC'05 1 Motivation

### The Predicate Calculus in AI

Last time, we: The Predicate Calculus in AI Motivated the use of Logic as a representational language for AI (Can derive new facts syntactically - simply by pushing symbols around) Described propositional

### Research Article Towards Support for Software Model Checking: Improving the Efficiency of Formal Specifications

Advances in Software Engineering Volume 2011, Article ID 869182, 13 pages doi:10.1155/2011/869182 Research Article Towards Support for Software Model Checking: Improving the Efficiency of Formal Specifications

### Iterated Dynamic Belief Revision. Sonja Smets, University of Groningen. website: http://www.vub.ac.be/clwf/ss

LSE-Groningen Workshop I 1 Iterated Dynamic Belief Revision Sonja Smets, University of Groningen website: http://www.vub.ac.be/clwf/ss Joint work with Alexandru Baltag, COMLAB, Oxford University LSE-Groningen

### Temporal Logic [Syntax and Semantics]

Temporal Logic [ and s] Michael Fisher Department of Computer Science, University of Liverpool, UK [MFisher@liverpool.ac.uk] An Introduction to Practical Formal Methods Using Temporal Logic c Michael Fisher

### INF5140: Specification and Verification of Parallel Systems

INF5140: Specification and Verification of Parallel Systems Lecture 7 LTL into Automata and Introduction to Promela Gerardo Schneider Department of Informatics University of Oslo INF5140, Spring 2007 Gerardo

### Context-Bounded Model Checking of LTL Properties for ANSI-C Software. Jeremy Morse, Lucas Cordeiro, Bernd Fischer, Denis Nicole

Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas Cordeiro, Bernd Fischer, Denis Nicole Model Checking C Model checking: normally applied to formal state transition

### introduction to program monitoring

introduction to program monitoring CS 119 part II beyond assert and print course website http://www.runtime-verification.org/course09 action standing order: sell when price drops more than 2% within 1

### Cassandra. References:

Cassandra References: Becker, Moritz; Sewell, Peter. Cassandra: Flexible Trust Management, Applied to Electronic Health Records. 2004. Li, Ninghui; Mitchell, John. Datalog with Constraints: A Foundation

### CHAPTER 7 GENERAL PROOF SYSTEMS

CHAPTER 7 GENERAL PROOF SYSTEMS 1 Introduction Proof systems are built to prove statements. They can be thought as an inference machine with special statements, called provable statements, or sometimes

Test Case Generation for Ultimately Periodic Paths Joint work with Saddek Bensalem Hongyang Qu Stavros Tripakis Lenore Zuck Accepted to HVC 2007 How to find the condition to execute a path? (weakest precondition

### Algorithms for Monitoring Real-time Properties

Algorithms for Monitoring Real-time Properties David Basin, Felix Klaedtke, and Eugen Zălinescu Computer Science Department, ETH Zurich, Switzerland Abstract. We present and analyze monitoring algorithms

### Universität Stuttgart Fakultät Informatik, Elektrotechnik und Informationstechnik

Universität Stuttgart Fakultät Informatik, Elektrotechnik und Informationstechnik Infinite State Model-Checking of Propositional Dynamic Logics Stefan Göller and Markus Lohrey Report Nr. 2006/04 Institut

### UPPAAL tutorial. Timed Automata in UPPAAL. What s inside UPPAAL The UPPAAL input languages (i.e. TA and TCTL in UPPAAL) Location Invariants

UPPAAL tutorial What s inside UPPAAL The UPPAAL inut languages (i.e. TA and TCTL in UPPAAL) 1 Timed Automata in UPPAAL Clock Assignments Location Invariants Variable Assignments n x=5, y>3 clock

### monitoring with regular expressions

monitoring with regular expressions CS 119 the propositional case RE-based monitoring systems This course JavaMOP : http://fsl.cs.uiuc.edu/index.php/javamop Tracematches : http://abc.comlab.ox.ac.uk/papers

### Proofs by induction, Alphabet, Strings [1] Proofs by Induction

Proofs by induction, Alphabet, Strings [1] Proofs by Induction Proposition: If f(0) = 0 and f(n + 1) = f(n) + n + 1 then, for all n N, we have f(n) = n(n + 1)/2 Let S(n) be f(n) = n(n + 1)/2 We prove S(0)

### First Order Predicate Logic. Lecture 4

First Order Predicate Logic Lecture 4 First Order Predicate Logic Limitation of Propositional Logic The facts: peter is a man, paul is a man, john is a man can be symbolized by P, Q and R respectively

### Software safety - DEF-STAN 00-55

Software safety - DEF-STAN 00-55 Where safety is dependent on the safety related software (SRS) fully meeting its requirements, demonstrating safety is equivalent to demonstrating correctness with respect

### Monitoring Metric First-order Temporal Properties

Monitoring Metric First-order Temporal Properties DAVID BASIN, FELIX KLAEDTKE, SAMUEL MÜLLER, and EUGEN ZĂLINESCU, ETH Zurich Runtime monitoring is a general approach to verifying system properties at

### Finite Automata. Reading: Chapter 2

Finite Automata Reading: Chapter 2 1 Finite Automaton (FA) Informally, a state diagram that comprehensively captures all possible states and transitions that a machine can take while responding to a stream

### Fixed-Point Logics and Computation

1 Fixed-Point Logics and Computation Symposium on the Unusual Effectiveness of Logic in Computer Science University of Cambridge 2 Mathematical Logic Mathematical logic seeks to formalise the process of

### Combining Software and Hardware Verification Techniques

Formal Methods in System Design, 21, 251 280, 2002 c 2002 Kluwer Academic Publishers. Manufactured in The Netherlands. Combining Software and Hardware Verification Techniques ROBERT P. KURSHAN VLADIMIR

### Model Checking of Software

Model Checking of Software Patrice Godefroid Bell Laboratories, Lucent Technologies SpecNCheck Page 1 August 2001 A Brief History of Model Checking Prehistory: transformational programs and theorem proving

### Discrete Mathematics, Chapter : Predicate Logic

Discrete Mathematics, Chapter 1.4-1.5: Predicate Logic Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 1.4-1.5 1 / 23 Outline 1 Predicates

### Schedule. Logic (master program) Literature & Online Material. gic. Time and Place. Literature. Exercises & Exam. Online Material

OLC mputational gic Schedule Time and Place Thursday, 8:15 9:45, HS E Logic (master program) Georg Moser Institute of Computer Science @ UIBK week 1 October 2 week 8 November 20 week 2 October 9 week 9

### Modeling Concurrent Systems. System Implementation. A Client/Server System. 1. A Client/Server System

Modeling Concurrent Systems Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at 1. A Client/Server

### On Recognizable Timed Languages FOSSACS 2004

On Recognizable Timed Languages Oded Maler VERIMAG Grenoble France Amir Pnueli NYU and Weizmann New York and Rehovot USA FOSSACS 2004 Nutrition Facts Classical (Untimed) Recognizability Timed Languages

### 2 using read and write operations. A schedule is called correct" if we can find a serial schedule that is equivalent" to it. Given a set of transactio

1 1. CONCURRENCY CONTROL CS 242: Operating Systems Transactions Prasun Dewan The synchronization primitives we have seen so far are not as high-level as we might want them to be since they require programmers