Linear Temporal Logic

Safety vs. Liveness
 - Safety: something bad never happens. A counterexample is a finite execution leading to something bad happening (e.g. an assertion violation).
 - Liveness: something good eventually happens. A counterexample is an infinite execution on which nothing good happens (e.g. the program does not terminate).

Verification of Reactive Systems
Classical verification à la Floyd-Hoare considered three problems:
 - Partial correctness: P iff for any s |= , if P terminates on s, then P(s) |=
 - Total correctness: P iff for any s |= , P terminates on s and P(s) |=
 - Termination: P terminates on s
We need to reason about infinite computations: systems that are in continuous interaction with their environment (servers, control systems, etc.), e.g. "every request is eventually answered".

Reasoning about infinite sequences of states
 - Linear Temporal Logic is interpreted on infinite sequences of states.
 - Each state in the sequence gives an interpretation to the atomic propositions.
 - Temporal operators indicate in which states a formula should be interpreted.
Example 1. Consider the sequence of states: p,q p,q (p,q p,q). Starting from position 2, q holds forever.

Kripke Structures
Let P = p, q, r, ... be a finite alphabet of atomic propositions.
A Kripke structure is a tuple K = S, s0, →, L where:
 - S is a set of states,
 - s0 ∈ S is a designated initial state,
 - → ⊆ S × S is a transition relation,
 - L : S → 2^P is a labeling function.

Paths in Kripke Structures
A path in K is an infinite sequence s0, s1, s2, ... such that, for all i ≥ 0, we have s_i → s_{i+1}.
 - By (i) we denote the i-th state on the path.
 - By i we denote the suffix s_i, s_{i+1}, s_{i+2}, ...
 - inf() = { s ∈ S | s appears infinitely often on }. If S is finite and is infinite, then inf() ≠ ∅.

Linear Temporal Logic: Syntax
The alphabet of LTL is composed of:
 - atomic proposition symbols p, q, r, ...,
 - boolean connectives,
 - temporal connectives (next), □, ◇, U, R.
The set of LTL formulae is defined inductively, as follows:
 - any atomic proposition is a formula,
 - if and are formulae, then the negation and the boolean combinations of them are also formulae,
 - if and are formulae, then the next-formula, □, ◇, U and R are formulae,
 - nothing else is a formula.

Temporal Operators
 - the next operator is read "at the next time" (in the next state),
 - □ is read "always in the future" (in all future states),
 - ◇ is read "eventually" (in some future state),
 - U is read "until",
 - R is read "releases".

Linear Temporal Logic: Semantics
 - K, |= p iff p ∈ L((0))
 - K, |= ¬ iff K, ⊭
 - K, |= ∧ iff K, |= and K, |=
 - K, |= (next) iff K, 1 |=
 - K, |= U iff there exists k ∈ N such that K, k |= and K, i |= for all 0 ≤ i

(proof fragment) ... |u|: let j' = j + |v|. (uv^{n+1})^{j'} = (uv^n)^j |= 2 for all |u|+|v| ≤ i ≤ j'+|v|. (uv^{n+1})^i = (uv^n)^{i-|v|} |= 1 for all i ≥ |u|+|v|. ((uv)v^n)^i |= 1, ((uv)v^{n-1})^i |= 1. The direction is left to the reader.

Theorem 2. LTL is strictly less expressive than S1S.
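The semantics above is defined on infinite sequences, but a finite Kripke structure only ever produces ultimately periodic paths of the form u·v^ω, which is also the shape the (uv^n, uv^{n+1}) argument manipulates. The following is an added example, not code from the slides: an LTL evaluator over such lasso words that implements the next/until/release clauses directly and derives □ and ◇ from them. The tuple encoding of formulae, the class and function names and the sample word are my own assumptions.

```python
"""Added example (not from the slides): K, pi^i |= phi evaluated on an
ultimately periodic word u.v^omega over 2^P.  Formula encoding is my own."""
from functools import lru_cache

# Formula constructors: nested tuples (my own encoding, not the slides').
def AP(p):         return ("ap", p)
def NOT(f):        return ("not", f)
def AND(f, g):     return ("and", f, g)
def OR(f, g):      return ("or", f, g)
def NEXT(f):       return ("X", f)
def ALWAYS(f):     return ("G", f)      # box
def EVENTUALLY(f): return ("F", f)      # diamond
def UNTIL(f, g):   return ("U", f, g)
def RELEASE(f, g): return ("R", f, g)

class Lasso:
    """Infinite word u.v^omega: prefix u and non-empty loop v, each a list of
    sets of atomic propositions (the labels L(s_i) of the states on a path)."""
    def __init__(self, prefix, loop):
        assert loop, "loop must be non-empty"
        self.u = [frozenset(s) for s in prefix]
        self.v = [frozenset(s) for s in loop]

    def pos(self, i):
        """Canonical index of position i: positions past |u| wrap around v."""
        n = len(self.u)
        return i if i < n else n + (i - n) % len(self.v)

    def state(self, i):
        j = self.pos(i)
        return self.u[j] if j < len(self.u) else self.v[j - len(self.u)]

    def horizon(self, i):
        """Exclusive bound: positions i .. horizon-1 contain every distinct
        suffix reachable from i, so U, R, box and diamond need look no further."""
        return max(len(self.u), i) + len(self.v)

def from_finite(trace):
    """Turn a finite computation into an infinite one by repeating its last
    state forever (the convention used on the model-checking slide)."""
    return Lasso(trace[:-1], [trace[-1]])

def satisfies(word, formula, i=0):
    """Does the suffix pi^i of `word` satisfy `formula`?"""
    @lru_cache(maxsize=None)
    def sat(f, i):
        i = word.pos(i)
        kind = f[0]
        if kind == "ap":  return f[1] in word.state(i)
        if kind == "not": return not sat(f[1], i)
        if kind == "and": return sat(f[1], i) and sat(f[2], i)
        if kind == "or":  return sat(f[1], i) or sat(f[2], i)
        if kind == "X":   return sat(f[1], i + 1)
        hz = word.horizon(i)
        if kind == "G":   return all(sat(f[1], k) for k in range(i, hz))
        if kind == "F":   return any(sat(f[1], k) for k in range(i, hz))
        if kind == "U":   # some k >= i with g at k and f at every i <= j < k
            return any(sat(f[2], k) and all(sat(f[1], j) for j in range(i, k))
                       for k in range(i, hz))
        if kind == "R":   # g at every k unless f released it at some earlier j
            return all(sat(f[2], k) or any(sat(f[1], j) for j in range(i, k))
                       for k in range(i, hz))
        raise ValueError(f"unknown connective {kind}")
    return sat(formula, i)

if __name__ == "__main__":
    # Constructed word: {p} ({p,q} {q})^omega -- q holds forever from position 1.
    w = Lasso([{"p"}], [{"p", "q"}, {"q"}])
    p, q = AP("p"), AP("q")
    print(satisfies(w, ALWAYS(EVENTUALLY(p))))    # liveness-style property, True
    print(satisfies(w, ALWAYS(q)))                # safety-style property, False
```

The `horizon` bound is what makes the evaluation finite: because the loop repeats, every suffix from position i on is already represented within one further traversal of v, so an "eventually" that has not happened by then never happens.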
LTL Model Checking

System verification using LTL
 - Let K be a model of a reactive system (finite computations can be turned into infinite ones by repeating the last state infinitely often).
 - Given an LTL formula over a set of atomic propositions P, specifying all bad behaviors, we build a Büchi automaton A that accepts all sequences over 2^P satisfying .
   Q: Since LTL is less expressive than S1S (Theorem 2), this automaton can be built, so why bother?
 - Check whether L(A) ∩ L(K) = ∅. In case it is not, we obtain a counterexample.

Generalized Büchi Automata
Let Σ = a, b, ... be a finite alphabet.
A generalized Büchi automaton (GBA) over Σ is A = S, I, T, F, where:
 - S is a finite set of states,
 - I ⊆ S is a set of initial states,
 - T ⊆ S × Σ × S is a transition relation,
 - F = F1, ..., Fk ⊆ 2^S is a set of sets of final states.
A run of a GBA is said to be accepting iff, for all 1 ≤ i ≤ k, we have inf() ∩ Fi ≠ ∅.

GBA and BA are equivalent
Let A = S, I, T, F, where F = F1, ..., Fk. Build A' = S', I', T', F':
 - S' = S × {1, ..., k},
 - I' = I × {1},
 - ((s,i), a, (t,j)) ∈ T' iff (s,t) ∈ T and: j = i if s ∉ Fi, j = (i mod k) + 1 if s ∈ Fi,
 - F' = F1 × {1}.

The idea of the construction
Let K = S, s0, →, L be a Kripke structure over a set of atomic propositions P, : N → S be an infinite path through K, and be an LTL formula. To determine whether K, |= , we label with sets of subformulae of in a way that is compatible with LTL semantics.
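As an added example (not code from the slides), the GBA-to-BA construction above, written out as a function, together with a check that a run accepted under the generalized condition (inf ∩ Fi ≠ ∅ for every i) maps to a run of A' accepted under the plain Büchi condition. Runs are given in lasso form (prefix, loop); the toy automaton and the function names are my own.

```python
"""Added example (not the slides' code): degeneralization of a GBA and
acceptance of lasso-shaped runs under both conditions."""

def degeneralize(S, I, T, F):
    """Build A' = (S', I', T', F') from the GBA (S, I, T, F) as on the slide.
    T is a set of triples (s, a, t); F is the list [F1, ..., Fk]."""
    k = len(F)
    S2 = {(s, i) for s in S for i in range(1, k + 1)}
    I2 = {(s, 1) for s in I}
    T2 = set()
    for (s, a, t) in T:
        for i in range(1, k + 1):
            # the counter advances only when leaving a state of F_i
            j = (i % k) + 1 if s in F[i - 1] else i
            T2.add(((s, i), a, (t, j)))
    F2 = {(s, 1) for s in F[0]}
    return S2, I2, T2, F2

def inf_states(prefix, loop):
    """inf(rho) for the lasso run rho = prefix . loop^omega: the loop states."""
    return set(loop)

def gba_accepts_run(prefix, loop, F):
    """Generalized condition: every F_i is visited infinitely often."""
    return all(inf_states(prefix, loop) & Fi for Fi in F)

def ba_accepts_run(prefix, loop, F2):
    """Plain Buchi condition: the single accepting set is visited infinitely often."""
    return bool(inf_states(prefix, loop) & F2)

def lift_run(prefix, loop, F):
    """The run of A' that follows a GBA run starting with counter 1.  Since the
    counter update depends only on the current state, the image is unique; the
    loop is unrolled until the (state, counter) pair at the loop start repeats."""
    k = len(F)
    def step(s, i):
        return (i % k) + 1 if s in F[i - 1] else i
    lifted, i = [], 1
    for s in prefix:
        lifted.append((s, i))
        i = step(s, i)
    seen = {}
    while i not in seen:
        seen[i] = len(lifted)
        for s in loop:
            lifted.append((s, i))
            i = step(s, i)
    start = seen[i]
    return lifted[:start], lifted[start:]

# Constructed toy GBA over the alphabet {x}: two states, two accepting sets.
S = {"a", "b"}
I = {"a"}
T = {("a", "x", "b"), ("b", "x", "a"), ("a", "x", "a")}
F = [{"a"}, {"b"}]

if __name__ == "__main__":
    S2, I2, T2, F2 = degeneralize(S, I, T, F)
    print(sorted(S2), sorted(F2))
    print(gba_accepts_run([], ["a", "b"], F), ba_accepts_run(*lift_run([], ["a", "b"], F), F2))
    print(gba_accepts_run([], ["a"], F), ba_accepts_run(*lift_run([], ["a"], F), F2))
```

The run (a b)^ω visits both accepting sets and lifts to ((a,1)(b,2))^ω, which passes through (a,1) ∈ F' forever; the run a^ω never visits F2, and its lifted run gets stuck with counter 2, so it never returns to F' = F1 × {1}.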
Closure
Let be an LTL formula written in negation normal form. The closure of is the set Cl() ∈ 2^L(LTL) defined by:
 - the formula itself is in Cl(),
 - if a next-formula is in Cl(), then its argument is in Cl(),
 - if 1 2 ∈ Cl() then 1, 2 ∈ Cl(), for every binary connective (the boolean ones, U and R).
Example 4. Cl(◇p) = Cl(⊤ U p) = {◇p, p, ⊤}.
Q: What is the size of the closure relative to the size of ?

Labeling rules
Given a path : N → 2^P and a formula , we define a labeling : N → 2^Cl() as follows:
 - for p ∈ P, if p is in the label at position i then p holds in the i-th state, and if ¬p is in the label at position i then p does not hold in the i-th state,
 - if 1 ∧ 2 ∈ (i) then 1 ∈ (i) and 2 ∈ (i),
 - if 1 ∨ 2 ∈ (i) then 1 ∈ (i) or 2 ∈ (i),
 - if a next-formula is in (i) then its argument is in (i+1),
 - if 1U2 ∈ (i) then either 2 ∈ (i), or 1 ∈ (i) and 1U2 ∈ (i+1),
 - if 1R2 ∈ (i) then 2 ∈ (i) and either 1 ∈ (i) or 1R2 ∈ (i+1).

Interpreting labelings
A sequence satisfies a formula if one can find a labeling satisfying:
 - the labeling rules above, with ∈ (0), and
 - if 1U2 ∈ (i), then for some j ≥ i, 2 ∈ (j) (the eventuality condition).

Building the GBA A = S, I, T, F
The automaton A is the set of labeling rules + the eventuality condition(s)!
 - Σ = 2^P is the alphabet,
 - S ⊆ 2^Cl(), such that, for all s ∈ S: 1 ∧ 2 ∈ s ⇒ 1 ∈ s and 2 ∈ s; 1 ∨ 2 ∈ s ⇒ 1 ∈ s or 2 ∈ s,
 - I = { s ∈ S | ∈ s },
 - (s, a, t) ∈ T iff: for all p ∈ P, p ∈ s ⇒ p ∈ a, and ¬p ∈ s ⇒ p ∉ a; a next-formula in s has its argument in t; 1U2 ∈ s ⇒ 2 ∈ s or (1 ∈ s and 1U2 ∈ t); 1R2 ∈ s ⇒ 2 ∈ s and (1 ∈ s or 1R2 ∈ t).
 - For each eventuality U ∈ Cl(), the transition relation ensures that this will appear until the first occurrence of it; it is sufficient to ensure that, for each U ∈ Cl(), one goes infinitely often either through a state in which this does not appear, or through a state in which both U and appear.
 - Let 1U1, ..., nUn be the "until" subformulae of ; then F = F1, ..., Fn, where Fi = { s ∈ S | iUi ∈ s and i ∈ s, or iUi ∉ s }, for all 1 ≤ i ≤ n.
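The closure, the state set, the initial states, the transition relation and the accepting sets above, as an added example that is not code from the slides: it builds the GBA for a formula in negation normal form over 2^P. ◇ is not a primitive here; as in Example 4 it is written ⊤ U . The tuple encoding of formulae and all names are my own assumptions, and the sample formula p U q over P = {p, q} is constructed for the demonstration.

```python
"""Added example (not the slides' code): closure and GBA construction for an
NNF LTL formula.  Formula encoding and names are my own."""
from itertools import combinations

TRUE = ("true",)
def AP(p):         return ("ap", p)
def NEG(p):        return ("neg", p)          # negated atom (NNF literal)
def AND(f, g):     return ("and", f, g)
def OR(f, g):      return ("or", f, g)
def NEXT(f):       return ("X", f)
def UNTIL(f, g):   return ("U", f, g)
def RELEASE(f, g): return ("R", f, g)
def EVENTUALLY(f): return UNTIL(TRUE, f)     # diamond f == true U f (Example 4)

def closure(phi):
    """Cl(phi): phi plus the closures of its immediate subformulae."""
    cl = {phi}
    if phi[0] in ("and", "or", "U", "R"):
        cl |= closure(phi[1]) | closure(phi[2])
    elif phi[0] == "X":
        cl |= closure(phi[1])
    return cl

def consistent(s):
    """The two conditions a state s in 2^Cl(phi) must satisfy."""
    for f in s:
        if f[0] == "and" and not (f[1] in s and f[2] in s):
            return False
        if f[0] == "or" and not (f[1] in s or f[2] in s):
            return False
    return True

def powerset(xs):
    xs = list(xs)
    for r in range(len(xs) + 1):
        for c in combinations(xs, r):
            yield frozenset(c)

def transition_ok(s, a, t):
    """(s, a, t) in T: literals in s must agree with the letter a, and the
    temporal obligations of s are discharged now or passed on to t."""
    for f in s:
        k = f[0]
        if k == "ap" and f[1] not in a:
            return False
        if k == "neg" and f[1] in a:
            return False
        if k == "X" and f[1] not in t:
            return False
        if k == "U" and not (f[2] in s or (f[1] in s and f in t)):
            return False
        if k == "R" and not (f[2] in s and (f[1] in s or f in t)):
            return False
    return True

def build_gba(phi, P):
    """Return (S, I, T, F) for phi over atomic propositions P."""
    cl = closure(phi)
    alphabet = list(powerset(P))
    S = [s for s in powerset(cl) if consistent(s)]
    I = {s for s in S if phi in s}
    T = {(s, a, t) for s in S for a in alphabet for t in S if transition_ok(s, a, t)}
    untils = [f for f in cl if f[0] == "U"]
    # F_i: states where the i-th until is absent, or present with its right argument
    F = [{s for s in S if f not in s or f[2] in s} for f in untils]
    return S, I, T, F

if __name__ == "__main__":
    phi = UNTIL(AP("p"), AP("q"))        # constructed sample formula p U q
    S, I, T, F = build_gba(phi, {"p", "q"})
    print(len(S), "states,", len(I), "initial,", len(T), "transitions,", len(F[0]), "in F1")
```

The state with p U q but neither p nor q in it is part of S (only the ∧/∨ conditions restrict S) but has no outgoing transition at all, which is how the labeling rules prune labelings that postpone an until without justification; the eventuality condition itself lives only in F.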