LTL: Linear-time logic. LTL is another important temporal logic. In LTL the future is seen as a sequence of states, so the future is seen as a path.

Similar documents
Software Model Checking: Theory and Practice

Software Modeling and Verification

Software Verification and Testing. Lecture Notes: Temporal Logics

1 Gambler s Ruin Problem

Temporal Logics. Computation Tree Logic

Fixed-Point Logics and Computation

Introduction to Software Verification

Formal Verification and Linear-time Model Checking

Development of dynamically evolving and self-adaptive software. 1. Background

Traditional Software Development. Model Requirements and JAVA Programs. Formal Verification & Validation. What is a state?

Algorithmic Software Verification

Introduction to NP-Completeness Written and copyright c by Jie Wang 1

Model Checking LTL Properties over C Programs with Bounded Traces

Models, Formulas and the LTL Model Cheating

Overview of Lecture 3. Model Checking with SPIN. First attempt (revisited) Linear Temporal Logic (LTL) CDP #3

Today s Agenda. Automata and Logic. Quiz 4 Temporal Logic. Introduction Buchi Automata Linear Time Logic Summary

CISC422/853: Formal Methods

Model checking test models. Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl

logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?

T Reactive Systems: Introduction and Finite State Automata

Automata-based Verification - I

Index Numbers OPTIONAL - II Mathematics for Commerce, Economics and Business INDEX NUMBERS

An important observation in supply chain management, known as the bullwhip effect,

Model Checking II Temporal Logic Model Checking

6.042/18.062J Mathematics for Computer Science December 12, 2006 Tom Leighton and Ronitt Rubinfeld. Random Walks

Automated Route Planning for Milk-Run Transport Logistics with the NuSMV Model Checker

A CTL-Based Logic for Program Abstractions

The fundamental question in economics is 2. Consumer Preferences

Formal Verification by Model Checking

Model Checking: An Introduction

Stability Improvements of Robot Control by Periodic Variation of the Gain Parameters

Stat 134 Fall 2011: Gambler s ruin

More Properties of Limits: Order of Operations

C-Bus Voltage Calculation

Schedule. Logic (master program) Literature & Online Material. gic. Time and Place. Literature. Exercises & Exam. Online Material

Multiperiod Portfolio Optimization with General Transaction Costs

A Logic Approach for LTL System Modification

Failure Behavior Analysis for Reliable Distributed Embedded Systems

Using Patterns and Composite Propositions to Automate the Generation of Complex LTL

TOWARDS REAL-TIME METADATA FOR SENSOR-BASED NETWORKS AND GEOGRAPHIC DATABASES

A computational model for MapReduce job flow

Managing specific risk in property portfolios

Stochastic Derivation of an Integral Equation for Probability Generating Functions

Lecture 9 verifying temporal logic

Probabilistic models for mechanical properties of prestressing strands

CHAPTER 7 GENERAL PROOF SYSTEMS

Effect Sizes Based on Means

Grade 7/8 Math Circles Sequences and Series

Path Querying on Graph Databases

Computational Finance The Martingale Measure and Pricing of Derivatives

tutorial: hardware and software model checking

Fluent Software Training TRN Solver Settings. Fluent Inc. 2/23/01

Price Elasticity of Demand MATH 104 and MATH 184 Mark Mac Lean (with assistance from Patrick Chan) 2011W

On the Modeling and Verification of Security-Aware and Process-Aware Information Systems

Concurrent Program Synthesis Based on Supervisory Control

The Economics of the Cloud: Price Competition and Congestion

ENFORCING SAFETY PROPERTIES IN WEB APPLICATIONS USING PETRI NETS

FREQUENCIES OF SUCCESSIVE PAIRS OF PRIME RESIDUES

A Modified Measure of Covert Network Performance

Mortgage Trading Exchange (MTE)

Frequentist vs. Bayesian Statistics

Pythagorean Triples and Rational Points on the Unit Circle

c 2009 Je rey A. Miron 3. Examples: Linear Demand Curves and Monopoly

STABILITY OF PNEUMATIC and HYDRAULIC VALVES

Comparing Dissimilarity Measures for Symbolic Data Analysis

Large firms and heterogeneity: the structure of trade and industry under oligopoly

One-Chip Linear Control IPS, F5106H

On Software Piracy when Piracy is Costly

Risk in Revenue Management and Dynamic Pricing

First Law, Heat Capacity, Latent Heat and Enthalpy

WRITING PROOFS. Christopher Heil Georgia Institute of Technology

ALGEBRAIC SIGNATURES FOR SCALABLE WEB DATA INTEGRATION FOR ELECTRONIC COMMERCE TRANSACTIONS

Constructing Automata from Temporal Logic Formulas : A Tutorial

Pressure Drop in Air Piping Systems Series of Technical White Papers from Ohio Medical Corporation

Drinking water systems are vulnerable to

Large Sample Theory. Consider a sequence of random variables Z 1, Z 2,..., Z n. Convergence in probability: Z n

Local Connectivity Tests to Identify Wormholes in Wireless Networks

A Propositional Dynamic Logic for CCS Programs

Introduction to SPIN. Acknowledgments. Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck. Features PROMELA/SPIN

Software Engineering using Formal Methods

Normally Distributed Data. A mean with a normal value Test of Hypothesis Sign Test Paired observations within a single patient group

Fundamentals of Software Engineering

Finding a Needle in a Haystack: Pinpointing Significant BGP Routing Changes in an IP Network

Software Cognitive Complexity Measure Based on Scope of Variables

Memory management. Chapter 4: Memory Management. Memory hierarchy. In an ideal world. Basic memory management. Fixed partitions: multiple programs

Formal Verification of Software

Point Location. Preprocess a planar, polygonal subdivision for point location queries. p = (18, 11)

DETERMINATION OF THE SOIL FRICTION COEFFICIENT AND SPECIFIC ADHESION

The Economics of the Cloud: Price Competition and Congestion

On the predictive content of the PPI on CPI inflation: the case of Mexico

Static and Dynamic Properties of Small-world Connection Topologies Based on Transit-stub Networks

Efficient Partitioning of Memory Systems and Its Importance for Memory Consolidation

HALF-WAVE & FULL-WAVE RECTIFICATION

Universität Stuttgart Fakultät Informatik, Elektrotechnik und Informationstechnik

Calculation of losses in electric power cables as the base for cable temperature analysis

PRIME NUMBERS AND THE RIEMANN HYPOTHESIS

Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

F inding the optimal, or value-maximizing, capital

Lectures on the Dirichlet Class Number Formula for Imaginary Quadratic Fields. Tom Weston

INF5140: Specification and Verification of Parallel Systems

Transcription:

LTL: Linear-time logic LTL is another imortant temoral logic. In LTL the future is seen as a sequence of states, so the future is seen as a ath. We can consider a set of aths, however we don t have an existential ath quantifier (the E of CTL), when we interret an LTL formula over a set of aths the formula has to be true of all aths to be true, i.e we are always quantifying universally over all ossible aths in the set. 1

In LTL roositions are interreted not over trees (like CTL does) but over individual aths, As usual there are atomic roosition 1,..., n,... Other formulas are as follows: φ ::= true false φ 1 φ 2 φ 1 φ 2 φ φ φ Gφ Fφ Xφ [φuφ] [φwφ] [φrφ] So we are missing few CTL oerators (the temoral modalities) and adding two new: W, R whose meaning is Weak until and Release 2

Regarding the absence of ath quantifiers A and E. We said that this is because a formula is evaluated on a ath, or a set of aths A set of aths satisfy φ iff every ath in the set satisfy φ. That mean that imlicitly all formulas are universally ath quantified, i.e. [Uq] stands for A[Uq] etc... 3

We don t have ath quantifiers, so we know we can t write things like E ( U q) or E F or A G E F however there are things we can write in LTL that we couldn t write in CTL. Consider F Fq and comare it to his closest CTL relative: AF AFq 4

There are things we can write in CTL but not in LTL, things like on all aths is always true that exists a ath such that... There are things we can write in LTL but not in CTL, like If it is infinitely often the case that then at some oint q 000 111 000 111 00000 11111 00000 11111 00000 11111 A G E G G F Fq... q 5

Remember that in CTL the semantics was defined as a relation K, s = φ where s is a state in the KTS LTL semantics will be defined as a relation K, π = φ where π is a ath in the KTS. we will note aths as follows: π = s 0 s 1... s n and π i = s i... s n i.e. π i is the subath of π starting at s i. 6

Let s see how to give a semantics to LTL. We consider the same structure we used for the semantics of CTL, i.e. a KTS K=(S,,I) Given a KTS K, we are going to define the relation K, π = φ meaning the ath π in K satisfies the formula φ. The definition is by induction on the structure of φ 8

K, π = true K, π = false K, π = iff I(s 0 ) K, π = φ iff K, π = φ K, π = φ 1 φ 2 iff K, π = φ 1 and K, π = φ 2 K, π = φ 1 φ 2 iff K, π = φ 1 or K, π = φ 2 K, π = φ 1 φ 2 iff K, π = φ 1 or K, π = φ 2 K, π = Gφ iff for all aths π i for all i 0 we have K, π i = φ K, π = Fφ iff for some ath π i for some i 0 we have K, π i = φ 9

K, π = Xφ iff K, π 1 = φ K, π = [φ 1 Uφ 2 ] iff exists i 0 such that K, π i = φ 2 and for all j < i, K, π j = φ 1 K, π = [φ 1 Wφ 2 ] iff exists i 0 such that K, π i = φ 2 and for all j < i, K, π j = φ 1 or for all i 0 K, π i = φ 1 K, π = [φ 1 Rφ 2 ] iff exists i 0 such that K, π i = φ 1 and for all j i, K, π j = φ 2 or for all i 0 K, π i = φ 2

Notes: [φ 1 Wφ 2 ] is the same as [φ 1 Uφ 2 ] Gφ 1 [φ 1 Rφ 2 ] is the same as [ φ 1 U φ 2 ] q Until q q Weak Until q q q 01 01 Releases q 10

Few words about aths: Strictly seaking, given a KTS and a state, the aths starting at that state s are all sequences of states starting from s such that if s is in the ath and s s is a transition in the KTS then s is in the ath as well. So the aths (starting at s 0 ) in s0, q q s2 s1 are the sequences of the form (s 0 s 1 ) n s 0 s 2 where n 0 11

Most authors require aths in LTL to be infinite; as such our revious KTS would have no ath. However is easily seen that we can always transform finite aths into infinite ones by adding loos on the ending states. Here is what our revious KTS would become s0,q s2 q s1 Hence to kee things simle we don t require aths to be infinite. Also we may want sometimes to use finite refixes of aths: 12

In the KTS just seen and starting at s 0 we have s 0 s 2, s 0 s 1 s 0 s 1 s 0. (s 0 s 1 ) n s 0 (s 0 s 1 ) n s 0 s 2 (s 0 s 1 ) n s 0 s 1 You should read the aths ending with s 0 and s 1 as finite refixes of aths as you could always extend a ath ending with s 0 with an s 2 and one ending with s 1 with s 0 s 2 13

Here we use finite refixes to illustrate the meaning of LTL formulas: (s 0 s 1 ) n s 0 = Gq, (s 0 s 1 ) n s 0 = Fq, (s 0 s 1 ) n s 0 = GFq (s 0 s 1 ) n s 0 s 1 = G, s 0 s 2 = Gq but {(s 0 s 1 ) n s 0 s 1, s 0 s 2 } = G Gq but {(s 0 s 1 ) n s 0 s 1, s 0 s 2 } = G Gq (s 0 s 1 ) n s 0 = (Uq) what about (s 0 s 1 ) n s 0 s 1 = (qr)? 14

Few equivalences of LTL formulas: Gφ F φ Fφ G φ Xφ X φ (φuψ) φr ψ φuψ (φwψ) Fψ Fφ true Uφ Gφ false Rφ 15

What we can exress with LTL formulas? Over the years few classes of roerties of systems have emerged as suitable to be studied by these temoral logics: what kind of roerties make sense for all ossible systems modeled by KTS? Things like the ower is on, there is enough fuel etc... are not general roerties but the following are: 16

a Reachability : A articular state is reachable from the resent state b Safety: A (bad) roerty will never be satisfied c Liveness: A (good) roerty will always be satisfied by some state in the future c Deadlock freedom: never be reached a dead end state will 17

Safety is to rule out bad (catastrohic) behaviours of the system. For examle in a vending machine an examle of safety is: a state where a drink is given with no money inserted is never met Some more examles: A missile is never launched unless the launch button is ressed A traffic light is not green if its orthogonal light is green A train will not cross a train crossing with the gates in the u osition 18

Liveness is to ensure that the system does what is is meant to do. Examle of liveness: If enough money is in the machine a drink will be released if the launch button is ressed the missile will be launched If the light is orange then it will become red next If the train is aroaching the crossing the gates will go down

So a live and safe system is a system which does what is meant to do and doesn t do things it is not meant to do. That should ensure that the system is well-behaving, shouldn t it? Consider two traffic light in a junction satisfying the liveness and safety conditions described above. Would that be roerly working? 19

Solution: Have you ever been at a red traffic light waiting for the light to become green, and waiting... and waiting... You can have systems where comonents are waiting forever for some other comonent to finish. If A is waiting for B who is waiting for A you have a deadlock. If A is waiting for B, B is roerly working but it never gets back to A you have un-fairness 20

In KTS terms deadlock means that the system has reached a state s which has no successor (i.e. there is no outgoing transition out of s). Informally fairness means that a state that is available infinitely often will eventually be reached, for examle at a junction if it is ossible to turn left then at some oint some car will turn left. Roughly seaking most systems which are safe, live, deadlock free and fair are systems working roerly 21

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information