Semantically Equivalent Formulas Let and be formulas of
Semantically Equivalent Formulas • Let Φ and ψ be formulas of propositional logic. We say that Φ and ψ are semantically equivalent iff Φ╞ψ ψ╞Φ hold. In that case we write Φ ≡ ψ. Further, we call Φ valid if ╞Φ holds.
Examples of equivalent formulas • • p → q ≡ ¬p q p → q ≡ ¬q → ¬p p q → p ≡ r ¬r p q → r ≡ p → (q →r)
Lemma • Given propositional logic formulas Φ 1, Φ 2, …, Φn, ψ, we have Φ 1, Φ 2, …, Φn ╞ ψ iff ╞ Φ 1 →(Φ 2 → (Φ 3 → … → (Φn → ψ)))
Literal • A literal is either an atom p or the negation of an atom ¬p.
Conjunctive Normal Form (CNF) • A formula Φ is in conjunctive normal form (CNF) if it is of the form ψ1 ψ2 …. ψn for some n ≥ 1, such that ψi is a literal, or a disjunction of literal, for all 1 ≤ i ≤ n.
Examples for CNF formulas • (¬q p r) (¬p r) q • (p r) (¬p r) (p ¬r)
Lemma • A disjunction of literals L 1 L 2 …. Lm is valid (i. e. , ╞ L 1 L 2 …. Lm) iff there are 1 ≤ i, j ≤ m such that Li is ¬Lj.
Satisfiable formulas • Given a formula Φ in a propositional logic, we say that Φ is satisfiable if there exists an assignment of truth values to its propositional atoms such that Φ is true.
Proposition • Let Φ be a formula of propositional logic. Then Φ is satisfiable iff ¬Φ is not valid.
function CNF(Φ) /* pre-condition: Φ implication free and in NNF*/ /* post-condition: CNF(Φ) computes an equivalent CNF for Φ */ begin function case Φ is a literal : return Φ Φ is Φ 1 Φ 2: return CNF(Φ 1) CNF(Φ 2) Φ is Φ 1 Φ 2: return DISTR(CNF(Φ 1), CNF(Φ 2) ) end case end function
function DISTR(η 1, η 2): /* pre-condition: η 1 and η 2 are in CNF */ /* post-condition: DISTR(η 1, η 2) computes a CNF for η 1 η 2 */ begin function case η 1 is η 11 η 12 : return DISTR(η 11 , η 2) DISTR(η 12 , η 2) η 2 is η 21 η 22 : return DISTR(η 1 , η 21) DISTR(η 1 , η 22) otherwise (= no conjunction): return η 1 η 2 end case end function
function NNF(Φ) /* pre-condition: Φ is implication free */ /* post-condition: NNF(Φ) computes a NNF for Φ */ begin function case Φ is a literal : return Φ Φ is ¬¬Φ 1 : return NNF(Φ 1) Φ is Φ 1 Φ 2 : return NNF(Φ 1) NNF(Φ 2) Φ is ¬(Φ 1 Φ 2) : return NNF(¬Φ 1 ¬Φ 2) end case end function
Φ = ¬p q → p (r → q) IMPL_FREE Φ = ¬ IMPL_FREE (¬p q ) IMPL_FREE (p (r → q)) = ¬((IMPL_FREE ¬p ) (IMPL_FREE q )) IMPL_FREE (p (r → q)) = ¬((¬p ) IMPL_FREE q ) IMPL_FREE (p (r → q)) = ¬ (¬p q ) ((IMPL_FREE (p) IMPL_FREE (r → q)) = ¬ (¬p q ) (p (¬ (IMPL_FREE r) IMPL_FREE (q))) = ¬ (¬p q ) (p (¬ r q))
NNF (IMPL_FREE Φ) = (p ¬q ) ( p (¬ r q)) CNF(NNF (IMPL_FREE Φ)) = CNF ((p ¬q ) ( p (¬r q))) = DISTR ( CNF (p ¬q ), CNF (p (¬ r q))) = DISTR (p ¬q , p (¬ r q)) = DISTR (p ¬q , p) DISTR (p ¬q , ¬ r q) = (p ¬q p) (p ¬q ¬ r q)
Horn Formula Φ • is a formula Φ of propositional logic if it is of the form ψ1 ψ2. . . ψn for some n ≥ 1 such that ψi is of the form p 1 p 2. . . pki → qi for some ki ≥ 1, where p 1, …, pki, qi are atoms, ┴ or T. We call such ψi a Horn clause.
Examples of Horn formulas • (p q s → p) (q r → p) (p s → s) • (p q s → ┴) (q r → p) (T → s) • (p 2 p 3 p 5 → p 13) (T→ p 2) (p 5 p 11 → ┴)
Examples of non-Horn formulas • • (p q s → ¬p) (q r → p) (p s → s) (p q s → ┴) (¬q r → p) (T → s) (p 2 p 3 p 5 → p 13 p 27) (T→ p 2) (p 5 p 11 → ┴) (p 2 p 3 p 5 → p 13 ) (T→ p 2) (p 5 p 11 ┴)
function HORN(Φ) /* Pre-condition : Φ is a Horn formula*/ /* Post-condition : HORN(Φ) decides the satisfiability for Φ */ begin function mark all atoms p where T → p is a sub-formula of Φ; while there is a sub-formula p 1 p 2. . . pki → qi of Φ such that all pj are marked but qi is not do if qi ≡ ┴ then return ‘unsatisfiable’ else mark qi for all such subformulas end while return ‘satisfiable’ end function
Theorem • The algorithm HORN is correct for the satisfiability decision problem of Horn formulas and has no more than n cycles in its while-loop if n is the number of atoms in Φ. HORN always terminates on correct input.
Kripke structure Let AP be a set of atomic propositions. A Kripke structure M over AP is a four tuple M= (S, S 0, R, L) where 1. S is a finite set of states 2. S 0 S is the set of initial states. 3. R S × S is a transition relation that must be total, that is for every state s S there is a state s’ S such that R (s, s’). 4. L: S 2 AP is a function that labels each state with the set of atomic proposition in that state. A path in the structure M from a state s is an infinite sequence of states ω = s 0 s 1 s 2 … such that s 0 = s and R (si, si+1) holds for all i ≥ 0.
First order representation of Kipke structures • We use interpreted first order formulas to describe concurrent systems. • We usual logical connectives (and , or , implies , not , and so on) and universal ( ) and existential ( ) quantifications. • Let V = {v 1, …, vn} be the set of system variables. We assume that the variables in V range over a finite set D. • A valuation for V is a function that associated a value in D with each variable v in V. Thus, s is a valuation for V when s: V D. • A state of a concurrent system can be viewed as a valuation for the set of its variables V. • Let V’ = {v’ 1, …, v’n}. We think of the variables in V as present state variables and the variables in V’ as next state variables.
First order representation of Kipke structures Let M = (S, S 0, R, L) be a Kripke structure. • S is the set of all valuations for all variables of the system which can be described by a proposition S. Usually, S = True. • The set of initial states S 0 can be described by a proposition (on the set of variables) S 0. • R can be described by a proposition R such that for any two states s and s’, R(s, s’) holds if R evaluates to True when each variable v is assigned the value s(v) and each variable v’ is assigned the value s(v’). • The labeling function L: S 2 AP is defined so that L(s) is the subset of all atomic propositions true in s which can be described by some appropriate proposition.
A simple example We consider a simple system with variables x and y that range over D = {0, 1}. Thus, a valuation for the variables x and y is just a pair (d 1, d 2) D × D where d 1 is the value for x and d 2 is the value for y. The system consists of one transition x : = (x +y) mod 2, Which starts from the state in which x = 1 and y = 1.
A simple example with transition x : = (x +y) mod 2 • S = True • S 0 (x, y) ≡ x = 1 y = 1 • R (x, y, x’, y’) ≡ x’ = (x +y) mod 2 y’ = y
A simple example with transition x : = (x +y) mod 2 The Kripke structure M = (S, S 0, R, L) for this system is simply: • S = D × D. • S 0 = {(1, 1)} • R = {((1, 1), (0, 1)), ((0, 1), (1, 1)), ((1, 0), (1, 0)), ((0, 0), (0, 0))}. • L(1, 1) = {x =1, y = 1}, L(0, 1) = {x =0, y = 1}, L(1, 0) = {x =1, y = 0}, L(0, 0) = {x =0, y = 0}. The only path in the Kripke structure that starts in the initial state is (1, 1) (0, 1) ….
Concurrent systems • A concurrent system consists of a set of components that execute together. • Normally, the components have some means of communicating with each other.
Modes of execution We will consider two modes of execution: Asynchronous or interleaved execution, in which only one component makes a step at a time, and synchronous execution, in which all of the components make a step at the same time
Modes of communication • We will also distinguish three modes of communication. Components can either communicate by changing the value of shared variables or by exchanging messages using queues or some handshaking protocols.
A modulo 8 counter
Synchronous circuit A modulo 8 counter The transitions of the circuit are given by • v’ 0 = v 0 • v’ 1 = v 0 v 1 • v’ 2 = (v 0 v 1) v 2 • R 0 (v, v’) ≡ (v’ 0 ↔ v 0) • R 1 (v, v’) ≡ (v’ 1 ↔ v 0 v 1) • R 2 (v, v’) ≡ (v’ 2 ↔ (v 0 v 1) v 2) • R (v, v’) ≡ R 0 (v, v’) R 1 (v, v’) R 2 (v, v’)
Synchronous circuit General case • • Let V = {v 0, …. , vn-1} and V’ = {v’ 0, …. , v’n-1} Let v’i = fi (V), 1= 0, …, n-1. Define Ri (v, v’) ≡ ( v’i ↔ fi (V)). Then, the transition relation can be described as R (v, v’) ≡ R 0 (v, v’) … Rn-1 (v, v’).
Asynchronous circuit General case • In this case, the transition relation can be described as R (v, v’) ≡ R 0 (v, v’) … Rn-1 (v, v’), Where Ri (v, v’) ≡ ( v’i ↔ fi (V)) j ≠ i (v’j ↔ vj )).
Example • Let V = {v 0, v 1}, v’ 0 = v 0 v 1 and v’ 1 = v 0 v 1. • Let s be a state with v 0 = 1 v 1 = 1. • For the synchronous model, the only successor of s is the state v 0 = 0 v 1 = 0. • For the asynchronous model, the state s has two successors: • 1. v 0 = 0 v 1 = 1 ( the assignment to v 0 is taken first). • 2. v 0 = 1 v 1 = 0 ( the assignment to v 1 is taken first).
Labeled program Given a statement P, the labeled statement PL is defined as follows: • If P is not a composite statement then P = PL. . • If P = P 1; P 2 then PL = P 1 L ; l’’ : P 2 L. • If P = if b then P 1 else P 2 end if, then PL = if b then l 1 : P 1 L else l 2 : P 2 L end if. • If P = while b do P 1 end while, then PL = while b do l 1 : P 1 L end while.
Some assumptions • We assume that P is a labeled statement and that the entry and exit points of P are labeled by m and m’, respectively. • Let pc be a special variable called the program counter that ranges over the set of program labels and an additional value ┴ called the undefined value. • Let V denote the set of program variables, V’ the set of primed variables for V, and pc’ the primed variables for pc. • Let same (Y) = y ε Y (y’ = y).
The set of initial states of P • Given some condition pre (V) on the initial variables for P, S 0 (V, pc) ≡ pre (V) pc = m.
The transition relation for P • C (l, P, l’) describes the set of transitions in P as a disjunction of all transitions in the set. • Assignment: C ( l, v ← e, l’) ≡ pc = l pc’ = l’ v’ = e same (V {v}) • Skip: C ( l, skip, l’) ≡ pc = l pc’ = l’ same (V) • Sequential composition: C ( l, P 1; l’’ : P 2, l’) ≡ C ( l, P 1, l’’) C ( l’’, P 2, l’)
The transition relation for P (continued) • Conditional: C (l, if b then l 1: P 1 else l 2 : P 2 end if, l’) is the disjunction of the following formulas: • pc = l pc’ = l 1 b same (V) • pc = l pc’ = l 2 b same (V) • C (l 1, P 1, l’) • C (l 2, P 2, l’)
The transition relation for P (continued) • While: C (l, while b do l 1 : P 1 end while, l’) is the disjunction of the following formulas: • pc = l pc’ = l 1 b same (V) • pc = l pc’ = l’ b same (V) • C (l 1, P 1, l)
Concurrent programs • A concurrent program consists of a set of processes that can be executed in parallel. A process is a sequential program. • Let Vi be the set of variables that can be changed by process Pi. V is the set of all program variables. • pci is the program counter of process Pi. PC is the set of all program counters. • A concurrent program has the form cobegin P 1 || P 2 … || Pn coend where P 1, …, Pn are processes.
Labeling transformation • We assume that no two labels are identical and that the entry and exit points of P are labeled m and m’, respectively. • If P = cobegin P 1 || P 2 … || Pn coend, then PL = cobegin l 1 : P 1 L l’ 1 || l 2 : P 2 L l’ 2 || … || ln : Pn. L l’n coend.
The set of initial states of P S 0 (V, pc) ≡ pre (V) pc = m i = 1, … n (pci = ┴ )
The transition relation for P C (l, cobegin l 1 : P 1 L l’ 1 || … || ln : Pn. L l’n coend, l’) Is the disjunction of three formulas: • pc = l pc’ 1 = l 1 … pc’n = ln pc’ = ┴ • pc = ┴ pc 1 = l’ 1 … pcn = l’n pc’ = l’ • i = 1, … n (pc’i = ┴) (C (li, Pi, l’i) (same (V Vi) same (PC {pci}))
Shared variables • Wait: • • C (l, wait (b), l’) is a disjunction of the following two formulas: (pci = l pc’i = l b same (Vi)) (pci = l pc’i = l’ b same (Vi)) • Lock (v) (= wait (v = 0)): • • C (l, lock (v), l’) is a disjunction of the following two formulas: (pci = l pc’i = l v = 1 same (Vi)) (pci = l pc’i = l’ v = 0 v’ = 1 same (Vi {v})) • Unlock (v): C (l, unlock (v), l’) ≡ pci = l pc’i = l’ v’ = 0 same (Vi {v})
A simple mutual exclusion program P = m: cobegin P 0 || P 1 coend m’ P 0 : : l 0 : while True do NC 0 : wait (turn = 0); CR 0 : turn : =1; end while; l’ 0 P 1 : : l 1 : while True do NC 1 : wait (turn = 1); CR 1 : turn : = 0; end while; l’ 1
Kripke structure • pc takes values in the set { m, m’, ┴ }. • pci takes values in the set { li, l’i, NCi, CRi, ┴ }. • V = V 0 = V 1 = {turn}. • PC = {pc, pc 0, pc 1}.
The set of initial states of P • S 0 (V, PC) ≡ pc = m pc 0 = ┴ pc 1 = ┴.
The transition relation for P • R (V, PC, V’, PC’) is the disjunction of the following four formulas: • pc = m pc’ 0 = l 0 pc’ 1 = l 1 pc’ = ┴. • pc 0 = l’ 0 pc 1 = l’ 1 pc’ = m’ pc’ 0 = ┴ pc’ 1 = ┴. • C (l 0, P 0, l’ 0) same (pc, pc 1). • C (l 1, P 1, l’ 1) same (pc, pc 0).
The transition relation of Pi • • • For each process Pi, C (li, Pi, l’i) is the disjunction of: pci = li pc’i = NCi True same (turn) pci = NCi pc’i = CRi turn = i same (turn) pci = CRi pc’i = li turn’ = (i+1) mod 2 pci = NCi pc’i = NCi turn ≠ i same (turn) pci = li pc’i = l’i False same (turn)
turn = 0 ┴, ┴ turn = 1 ┴, ┴ turn = 0 l 0, l 1 turn = 0 l 0, NC 1 turn = 0 turn = 1 l 0, l 1 turn = 0 l 1, NC 0 turn = 0 CR 0, l 1 NC 0, NC 1 turn = 0 CR 0, NC 1 turn = 1 l 0, NC 1 turn = 1 CR 1, l 0 turn = 1 l 1, NC 0 turn = 1 NC 0, NC 1 turn = 0 CR 1, NC 0
Syntax of Computational Tree Logic (CTL) Φ : : = ┴ | T | p | (¬Φ) | (Φ → Φ) | AX Φ | EX Φ | A[Φ U Φ] | E[Φ U Φ] | AG Φ | EG Φ | AF Φ | EG Φ where p ranges over atomic formulas.
Convention • The unary connectives (consisting of ¬ and the temporal connectives AG, EG, AF, AX and EX) bind most tightly. Next in the order come and ; and after that come → , AU and EU.
Some examples of well-formed CTL formulas • • (EG r) AG (q → EG r) (AG q) → (EG r) EF E[r U q] A[p U EF r] EF EG p → AF r (EF EG p) → AF r EF EG (p → AF r)
Some examples of not well-formed CTL formulas • • • FG r A ¬G¬p F[r U q] EF (r U q) AEF r AF [(r U q) (p U q)]
CTL Subformulas • Definition: A subformula of a CTL formula Φ is any formula ψ whose parse tree is a subtree of Φ‘s parse tree.
The parse tree for A[AX ¬p U E[EX (p q) U ¬p]] AU AX EU ¬ EX ¬ p p p q
Semantics of Computational Tree Logic (CTL) • Let M = (S, R, L) be a Kripke structure. Given any state s in S, we define whether a CTL formula Φ holds in state s. We denote this by M, s ╞ Φ, where ╞ is the satisfaction relation.
The satisfaction relation ╞ is defined by structural induction on all CTL formulas: • • M, s ╞ T and ¬(M, s ╞ ┴) for all s ε S. M, s ╞ p iff p ε L(s). M, s ╞ ¬Φ iff ¬(M, s ╞ Φ). M, s ╞ Φ 1 Φ 2 iff M, s ╞ Φ 1 and M, s ╞ Φ 2. M, s ╞ Φ 1 Φ 2 iff M, s ╞ Φ 1 or M, s ╞ Φ 2. M, s ╞ Φ 1 → Φ 2 iff ¬(M, s ╞ Φ 1) or M, s ╞ Φ 2. M, s ╞ AX Φ iff for all s 1 such that (s, s 1) ε R, we have M, s 1 ╞ Φ. Thus, AX says: ‘in every next state’. • M, s ╞ EX Φ iff for some s 1 such that (s, s 1) ε R, we have M, s 1 ╞ Φ. Thus, EX says: ‘in some next state’.
The satisfaction relation ╞ is defined by structural induction on all CTL formulas: (continued) • M, s ╞ AG Φ iff for all paths s 1 s 2 s 3 … where s 1 equals s, and all si along the path, we have such that (si, si+1) ε R, we have M, si ╞ Φ. Thus, AG says: ‘for all computation paths beginning s the property Φ holds globally’. • M, s ╞ EG Φ iff there is a path s 1 s 2 s 3 … where s 1 equals s, and all si along the path, we have such that (s, s 1) ε R, we have M, si ╞ Φ. Thus, AG says: ‘there exists a computation path beginning s such that Φ holds globally along the path’. • M, s ╞ AF Φ iff for all paths s 1 s 2 s 3 … where s 1 equals s, there is some si such that M, si ╞ Φ. Thus, AF says: ‘for all computation paths beginning in s there will be some future state where Φ holds’.
The satisfaction relation ╞ is defined by structural induction on all CTL formulas: (continued) • M, s ╞ EF Φ iff there is a path s 1 s 2 s 3 … where s 1 equals s, and for some si along the path, we have M, si ╞ Φ. Thus, EF says: ‘there exists a computation path beginning in s such that Φ holds in some future state’. • M, s ╞ A[Φ 1 U Φ 2] iff for all paths s 1 s 2 s 3 … where s 1 equals s, that path satisfies Φ 1 U Φ 2, i. e. , there is some si along the path, such that M, si ╞ Φ 2, and, for each j < i, we have M, sj╞ Φ 1. Thus, A[Φ 1 U Φ 2] says: ‘all computation paths beginning in s satisfy that Φ 1 until Φ 2 holds on it’. • M, s ╞ E[Φ 1 U Φ 2] iff there is a path s 1 s 2 s 3 … where s 1 equals s, and that path satisfies Φ 1 U Φ 2, i. e. , there is some sj along the path, such that M, si ╞ Φ 2, and, for each j < i, we have M, sj ╞ Φ 1. Thus, E[Φ 1 U Φ 2] says: ‘there exists a computation path beginning in s such that Φ 1 until Φ 2 holds on it’.
A system whose starting state satisfies EF Φ Φ
A system whose starting state satisfies EG Φ Φ
A system whose starting state satisfies AG Φ Φ Φ
A system whose starting state satisfies AF Φ Φ Φ
Some examples for the following system M: p, q s 0 s 1 • • • q, r M, s 0 ╞ p q M, s 0 ╞ ¬r M, s 0 ╞ T M, s 0 ╞ EX (q r) M, s 0 ╞ ¬AX (q r) M, s 0 ╞ ¬EF (p r) M, s 2 ╞ EG r M, s 2 ╞ AG r M, s 0 ╞ AF r M, s 0 ╞ E[(p q) U r] M, s 0 ╞ A[p U r] r s 2
Other examples for CTL logic • It is possible to get a state where started holds but ready does not hold: EF (started ¬ready) • For any state, if a request (of some resource) occurs, then it will eventually be acknowledged: AG (requested → AF acknowledged) • A certain process is enabled indefinitely often on every computation path: AG (AF enabled) • Whatever happens, a certain process will eventually be permanently deadlocked: AF (AG deadlocked)
Other examples for CTL logic (continued) • From any state it is possible to get a restart state: AG (EF restart) • An upwards traveling elevator at the second floor does not change its direction when it has passengers wishing to go to the fifth floor: AG (floor=2 direction=up Button. Pressed 5 → A[direction=up U floor=5]) • The elevator can remain idle on the third floor with its doors closed: AG (floor=3 idle door=closed → EG (floor=3 idle door=closed))
Semantically equivalent CTL formulas • Definition: Two CTL formulas Φ and ψ are said to be semantically equivalent if any state in any Kripke structure which satisfies one of them also satisfies the other; we denote this by Φ ≡ ψ.
Important equivalences between CTL formulas • • • ¬AF Φ ≡ EG ¬Φ ¬EF Φ ≡ AG ¬Φ ¬AX Φ ≡ EX ¬Φ AF Φ ≡ A[T U Φ] EF Φ ≡ E[T U Φ] A[p U q] ≡ ¬(E[¬q U (¬p ¬q)] EG ¬q)
Theorem: • The set of operators ┴, ¬ and together with AF, EU and EX are adequate for CTL: any CTL formula can be transformed into a semantically equivalent CTL formula which uses only those logical connectives.
Example: mutual exclusion • When concurrent processes share a resource, it may be necessary to ensure that they do not have access to it at the same time. • We therefore identify certain critical sections of each process code and arrange that only one process can be in its critical section at a time. • The problem we are faced with is to find a protocol for determining which process is allowed to enter its critical section at which time.
Some expected properties for mutual exclusion • Safety: The protocol allows only one process to be in its critical section at a time. • Liveness: Whenever any process wants to enter its critical section, it will eventually be permitted to do so. • Non-blocking: A process can always request to enter its critical section. • No strict sequencing: Processes need not enter their critical section in strict sequence.
A simple example of two processes • n = a process is in a non-critical state • t = a process tries to enter in its critical section • c = a process is in its critical section
A first-attempt model for mutual exclusion s 0 n 1 n 2 s 1 s 2 n 1 t 2 t 1 n 2 s 5 t 1 t 2 c 1 n 2 n 1 c 2 s 3 c 1 t 2 s 4 s 6 t 1 c 2 s 7
CTL formulas for the system properties • Safety: Φ 1 = AG ¬(c 1 c 2). (o. k. ) • Liveness: Φ 2 = AG (t 1 → AF c 1). (not o. k. ) because there exists a computation path, namely, s 1 → s 3 → s 7 → s 1 →… on which c 1 is always false. • Non-blocking: Φ 3= AG (n 1 → EX t 1). (o. k. ) • No strict sequencing: EF (c 1 E[c 1 U (¬c 1 E[¬c 2 U c 1])]). (o. k. )
A second-attempt model for mutual exclusion s 0 n 1 n 2 s 1 s 2 n 1 t 2 t 1 n 2 t 1 t 2 c 1 n 2 s 3 c 1 t 2 s 4 s 5 t 1 t 2 s 9 n 1 c 2 s 6 t 1 c 2 s 7
Syntax of Linear-time temporal logic (LTL) • Definition: Linear-time temporal logic (LTL) has the following syntax given in Backus Naur form Φ : : = p | (¬Φ) | (Φ U Φ) | (G Φ)| (F Φ)| (X Φ) where p is any propositional atom.
Semantics of Linear Tree Logic (LTL) • Let M = (S, R, L) be a Kripke structure. Given a path σ = s 1 s 2 s 3 … in M, where s 1 is the initial state, and for all si along the path, such that (si, si+1) ε R, we define whether a LTL formula Φ holds in the path σ denoted as M, σ ╞ Φ, where ╞ is the satisfaction relation. • Let σi = si si+1. . . denote the suffix of σ starting at si.
The satisfaction relation ╞ is defined by structural induction on all of LTL formulas: • • M, σ ╞ T and ¬(M, s ╞ ┴) for all s ε S. M, σ ╞ p iff p ε L(s 1). M, σ ╞ ¬Φ iff ¬(M, σ ╞ Φ). M, σ ╞ Φ 1 Φ 2 iff M, σ ╞ Φ 1 and M, σ ╞ Φ 2. M, σ ╞ X Φ iff M, σ2 ╞ Φ, M, σ ╞ G Φ iff, for all i ≥ 1, M, σi ╞ Φ, M, σ ╞ F Φ iff, for some i ≥ 1, M, σi ╞ Φ, M, σ ╞ Φ U ψ iff, there is some i ≥ 1 such that M, σi ╞ ψ and for all j = 1 … i-1 we have M, σj ╞ Φ.
Semantically equivalent LTL formulas • Definition: Two LTL formulas Ф and ψ are semantically equivalent, writing as Ф ≡ ψ, if they are true for the same paths in each model. An LTL formula Ф is satisfied in a state s of a model if Ф is satisfied in every path starting at s.
Syntax of CTL* The CTL* formulas are divided into two classes: • state formulas, which are evaluated in states: Φ : : = p | T | (¬Φ) | (Φ Φ) | A[α] | E[α], • path formulas, which are evaluated along paths: α : : = Φ | (¬α) | (α U α) | (G α) | (F α) | (X α) where Φ is any state formula.
LTL and CTL as subsets of CTL* • Although the syntax of LTL does not include A and E, the semantic viewpoint of LTL is that we consider all paths. Therefore, the LTL formula α is equivalent to the CTL* formula A[α] • CTL is the fragment of CTL* in which we restrict the form of path formulas to α : : = (Φ U Φ) | (G Φ) | (F Φ) | (X Φ).
Example of in CTL but not in LTL: ψ1 = AG EF p • Whenever we have got to, we can always get back to a state in which p is true. This is useful, e. g. , in finding deadlocks in protocols. M s t ¬p p M’ s ¬p
Example of in CTL*, but neither in CTL nor in LTL: ψ2 = E[GF p] • Saying, there is a path with infinitely many p.
Example of in LTL but not in CTL: ψ3 = AG (p → F q) • Saying that if there are infinitely many p along the path, then there is an occurrence of q. • This is an interesting thing to be able to say, ; for example, many fairness constraints are of the form ‘infinitely often requested implies eventually acknowledged’.
Example of in LTL and CTL: ψ4 = AG (p → AF q) in CTL, or G (p → F q) in LTL • Saying, any p is eventually followed by a q.
Example • G p and AF AG p are not semantically equivalent, since FG p is satisfied, whereas AF AG p is not satisfied, in the model p ¬p p
weak until W • The formula A[p W q] is true in a state if, along all paths from that state, p is true from the present state until the first state in which q is true, if any. In particular, if there is no q state on a path, then p needs to hold for all states of that path.
weak until W (continued) • In LTL and CTL*, weak Until may be defined in terms of the ordinary Until, as follows: p W q ≡ (p U q) G p • For CTL, we have: E[p W q] ≡ E[p U q] EG p A[p W q] ≡ ¬E[¬q U ¬(p q)]
- Slides: 92