Introduction to Formal Methods Chapter 03: Temporal Logics
Roberto Sebastiani
DISI, Università di Trento, Italy – [email protected] URL: http://disi.unitn.it/rseba/DIDATTICA/fm2020/ Teaching assistant: Enrico Magnago– [email protected]
CDLM in Informatica, academic year 2019-2020
last update: Monday 18th May, 2020, 14:48
Copyright notice: some material (text, figures) displayed in these slides is courtesy of R. Alur, M. Benerecetti, A. Cimatti, M. Di Natale, P. Pandya, M. Pistore, M. Roveri, and S.Tonetta, who detain its copyright. Some exampes displayed in these slides are taken from [Clarke, Grunberg & Peled, “Model Checking”, MIT Press], and their copyright is detained by the authors. All the other material is copyrighted by Roberto Sebastiani. Every commercial use of this material is strictly forbidden by the copyright laws without the authorization of the authors. No copy of these slides can be displayed in public without containing this copyright notice.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 1 / 108 Outline
1 Some background on Boolean Logic
2 Generalities on temporal logics
3 Linear Temporal Logic – LTL
4 Some LTL Model Checking Examples
5 Computation Tree Logic – CTL
6 Some CTL Model Checking Examples
7 LTL vs. CTL
8 Fairness & Fair Kripke Models
9 Exercises
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 2 / 108 Some background on Boolean Logic Outline
1 Some background on Boolean Logic
2 Generalities on temporal logics
3 Linear Temporal Logic – LTL
4 Some LTL Model Checking Examples
5 Computation Tree Logic – CTL
6 Some CTL Model Checking Examples
7 LTL vs. CTL
8 Fairness & Fair Kripke Models
9 Exercises
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 3 / 108 Some background on Boolean Logic Boolean logic
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 4 / 108 Some background on Boolean Logic Basic notation & definitions
Boolean formula >, ⊥ are formulas A propositional atom A1, A2, A3, ... is a formula; if ϕ1 and ϕ2 are formulas, then ¬ϕ1, ϕ1 ∧ ϕ2, ϕ1 ∨ ϕ2, ϕ1 → ϕ2, ϕ1 ← ϕ2, ϕ1 ↔ ϕ2 are formulas.
Atoms(ϕ): the set {A1, ..., AN } of atoms occurring in ϕ. Literal: a propositional atom Ai (positive literal) or its negation ¬Ai (negative literal)
Notation: if l := ¬Ai , then ¬l := Ai W Clause: a disjunction of literals j lj (e.g., (A1 ∨ ¬A2 ∨ A3 ∨ ...)) V Cube: a conjunction of literals j lj (e.g., (A1 ∧ ¬A2 ∧ A3 ∧ ...))
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 5 / 108 ∧, ∨ and ↔ are commutative: (ϕ1 ∧ ϕ2) ⇐⇒ (ϕ2 ∧ ϕ1) (ϕ1 ∨ ϕ2) ⇐⇒ (ϕ2 ∨ ϕ1) (ϕ1 ↔ ϕ2) ⇐⇒ (ϕ2 ↔ ϕ1) ∧ and ∨ are associative: ((ϕ1 ∧ ϕ2) ∧ ϕ3) ⇐⇒ (ϕ1 ∧ (ϕ2 ∧ ϕ3)) ⇐⇒ (ϕ1 ∧ ϕ2 ∧ ϕ3) ((ϕ1 ∨ ϕ2) ∨ ϕ3) ⇐⇒ (ϕ1 ∨ (ϕ2 ∨ ϕ3)) ⇐⇒ (ϕ1 ∨ ϕ2 ∨ ϕ3)
Note
Some background on Boolean Logic Semantics of Boolean operators
Truth table:
ϕ1 ϕ2 ¬ϕ1 ϕ1 ∧ ϕ2 ϕ1 ∨ ϕ2 ϕ1 → ϕ2 ϕ1 ← ϕ2 ϕ1 ↔ ϕ2 ⊥ ⊥ > ⊥ ⊥ > > > ⊥ > > ⊥ > > ⊥ ⊥ > ⊥ ⊥ ⊥ > ⊥ > ⊥ > > ⊥ > > > > >
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 6 / 108 Some background on Boolean Logic Semantics of Boolean operators
Truth table:
ϕ1 ϕ2 ¬ϕ1 ϕ1 ∧ ϕ2 ϕ1 ∨ ϕ2 ϕ1 → ϕ2 ϕ1 ← ϕ2 ϕ1 ↔ ϕ2 ⊥ ⊥ > ⊥ ⊥ > > > ⊥ > > ⊥ > > ⊥ ⊥ > ⊥ ⊥ ⊥ > ⊥ > ⊥ > > ⊥ > > > > >
Note ∧, ∨ and ↔ are commutative: (ϕ1 ∧ ϕ2) ⇐⇒ (ϕ2 ∧ ϕ1) (ϕ1 ∨ ϕ2) ⇐⇒ (ϕ2 ∨ ϕ1) (ϕ1 ↔ ϕ2) ⇐⇒ (ϕ2 ↔ ϕ1) ∧ and ∨ are associative: ((ϕ1 ∧ ϕ2) ∧ ϕ3) ⇐⇒ (ϕ1 ∧ (ϕ2 ∧ ϕ3)) ⇐⇒ (ϕ1 ∧ ϕ2 ∧ ϕ3) ((ϕ1 ∨ ϕ2) ∨ ϕ3) ⇐⇒ (ϕ1 ∨ (ϕ2 ∨ ϕ3)) ⇐⇒ (ϕ1 ∨ ϕ2 ∨ ϕ3)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 6 / 108 Boolean logic can be expressed in terms of {¬, ∧} (or {¬, ∨}) only
Some background on Boolean Logic Syntactic Properties of Boolean Operators
¬¬ϕ1 ⇐⇒ ϕ1 (ϕ1 ∨ ϕ2) ⇐⇒¬ (¬ϕ1 ∧ ¬ϕ2) ¬(ϕ1 ∨ ϕ2) ⇐⇒ (¬ϕ1 ∧ ¬ϕ2) (ϕ1 ∧ ϕ2) ⇐⇒ ¬(¬ϕ1 ∨ ¬ϕ2) ¬(ϕ1 ∧ ϕ2) ⇐⇒ (¬ϕ1 ∨ ¬ϕ2) (ϕ1 → ϕ2) ⇐⇒ (¬ϕ1 ∨ ϕ2) ¬(ϕ1 → ϕ2) ⇐⇒ (ϕ1 ∧ ¬ϕ2) (ϕ1 ← ϕ2) ⇐⇒ (ϕ1 ∨ ¬ϕ2) ¬(ϕ1 ← ϕ2) ⇐⇒ (¬ϕ1 ∧ ϕ2) (ϕ1 ↔ ϕ2) ⇐⇒ ((ϕ1 → ϕ2) ∧ (ϕ1 ← ϕ2)) ⇐⇒ ((¬ϕ1 ∨ ϕ2) ∧ (ϕ1 ∨ ¬ϕ2)) ¬(ϕ1 ↔ ϕ2) ⇐⇒ (¬ϕ1 ↔ ϕ2) ⇐⇒ (ϕ1 ↔ ¬ϕ2) ⇐⇒ ((ϕ1 ∨ ϕ2) ∧ (¬ϕ1 ∨ ¬ϕ2))
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 7 / 108 Some background on Boolean Logic Syntactic Properties of Boolean Operators
¬¬ϕ1 ⇐⇒ ϕ1 (ϕ1 ∨ ϕ2) ⇐⇒¬ (¬ϕ1 ∧ ¬ϕ2) ¬(ϕ1 ∨ ϕ2) ⇐⇒ (¬ϕ1 ∧ ¬ϕ2) (ϕ1 ∧ ϕ2) ⇐⇒ ¬(¬ϕ1 ∨ ¬ϕ2) ¬(ϕ1 ∧ ϕ2) ⇐⇒ (¬ϕ1 ∨ ¬ϕ2) (ϕ1 → ϕ2) ⇐⇒ (¬ϕ1 ∨ ϕ2) ¬(ϕ1 → ϕ2) ⇐⇒ (ϕ1 ∧ ¬ϕ2) (ϕ1 ← ϕ2) ⇐⇒ (ϕ1 ∨ ¬ϕ2) ¬(ϕ1 ← ϕ2) ⇐⇒ (¬ϕ1 ∧ ϕ2) (ϕ1 ↔ ϕ2) ⇐⇒ ((ϕ1 → ϕ2) ∧ (ϕ1 ← ϕ2)) ⇐⇒ ((¬ϕ1 ∨ ϕ2) ∧ (ϕ1 ∨ ¬ϕ2)) ¬(ϕ1 ↔ ϕ2) ⇐⇒ (¬ϕ1 ↔ ϕ2) ⇐⇒ (ϕ1 ↔ ¬ϕ2) ⇐⇒ ((ϕ1 ∨ ϕ2) ∧ (¬ϕ1 ∨ ¬ϕ2))
Boolean logic can be expressed in terms of {¬, ∧} (or {¬, ∨}) only
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 7 / 108 ⇓ (((A1 ↔ A2) → (A3 ↔ A4))∧ ((A3 ↔ A4) → (A1 ↔ A2))) ⇓ (((A1 → A2) ∧ (A2 → A1)) → ((A3 → A4) ∧ (A4 → A3)))∧ (((A3 → A4) ∧ (A4 → A3)) → (((A1 → A2) ∧ (A2 → A1))))
Some background on Boolean Logic TREE and DAG representation of formulas: example
Formulas can be represented either as trees or as DAGS: DAG representation can be up to exponentially smaller
(A1 ↔ A2) ↔ (A3 ↔ A4)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 8 / 108 ⇓ (((A1 → A2) ∧ (A2 → A1)) → ((A3 → A4) ∧ (A4 → A3)))∧ (((A3 → A4) ∧ (A4 → A3)) → (((A1 → A2) ∧ (A2 → A1))))
Some background on Boolean Logic TREE and DAG representation of formulas: example
Formulas can be represented either as trees or as DAGS: DAG representation can be up to exponentially smaller
(A1 ↔ A2) ↔ (A3 ↔ A4) ⇓ (((A1 ↔ A2) → (A3 ↔ A4))∧ ((A3 ↔ A4) → (A1 ↔ A2)))
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 8 / 108 Some background on Boolean Logic TREE and DAG representation of formulas: example
Formulas can be represented either as trees or as DAGS: DAG representation can be up to exponentially smaller
(A1 ↔ A2) ↔ (A3 ↔ A4) ⇓ (((A1 ↔ A2) → (A3 ↔ A4))∧ ((A3 ↔ A4) → (A1 ↔ A2))) ⇓ (((A1 → A2) ∧ (A2 → A1)) → ((A3 → A4) ∧ (A4 → A3)))∧ (((A3 → A4) ∧ (A4 → A3)) → (((A1 → A2) ∧ (A2 → A1))))
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 8 / 108 Some background on Boolean Logic TREE and DAG representation of formulas: example (cont)
A1A2 A2 A1 A3A4 A4 A3 A3A4 A4 A3 A1A2 A2 A1 Tree Representation
A1A2 A3 A4 DAG Representation Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 9 / 108 Some background on Boolean Logic Basic notation & definitions (cont)
Total truth assignment µ for ϕ: µ : Atoms(ϕ) 7−→ {>, ⊥}. Partial Truth assignment µ for ϕ: µ : A 7−→ {>, ⊥}, A ⊂ Atoms(ϕ). Set and formula representation of an assignment: µ can be represented as a set of literals: EX: {µ(A1) := >, µ(A2) := ⊥} =⇒ {A1, ¬A2} µ can be represented as a formula (cube): EX: {µ(A1) := >, µ(A2) := ⊥} =⇒ (A1 ∧ ¬A2)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 10 / 108 a partial truth assignment µ satisfies ϕ iff it makes ϕ evaluate to true (Ex: {A1} |= (A1 ∨ A2)) =⇒ if µ satisfies ϕ, then all its total extensions satisfy ϕ (Ex: {A1, A2} |= (A1 ∨ A2) and {A1, ¬A2} |= (A1 ∨ A2)) ϕ is satisfiable iff µ |= ϕ for some µ ϕ1 entails ϕ2 (ϕ1 |= ϕ2): ϕ1 |= ϕ2 iff µ |= ϕ1 =⇒ µ |= ϕ2 for every µ ϕ is valid( |= ϕ): |= ϕ iff µ |= ϕ for every µ Property ϕ is valid ⇐⇒ ¬ϕ is not satisfiable
Some background on Boolean Logic Basic notation & definitions (cont) a total truth assignment µ satisfies ϕ (µ |= ϕ): µ |= Ai ⇐⇒ µ(Ai ) = > µ |= ¬ϕ ⇐⇒ not µ |= ϕ µ |= ϕ1 ∧ ϕ2 ⇐⇒ µ |= ϕ1 and µ |= ϕ2 µ |= ϕ1 ∨ ϕ2 ⇐⇒ µ |= ϕ1 or µ |= ϕ2 µ |= ϕ1 → ϕ2 ⇐⇒ if µ |= ϕ1, then µ |= ϕ2 µ |= ϕ1 ↔ ϕ2 ⇐⇒ µ |= ϕ1 iff µ |= ϕ2
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 11 / 108 ϕ is satisfiable iff µ |= ϕ for some µ ϕ1 entails ϕ2 (ϕ1 |= ϕ2): ϕ1 |= ϕ2 iff µ |= ϕ1 =⇒ µ |= ϕ2 for every µ ϕ is valid( |= ϕ): |= ϕ iff µ |= ϕ for every µ Property ϕ is valid ⇐⇒ ¬ϕ is not satisfiable
Some background on Boolean Logic Basic notation & definitions (cont) a total truth assignment µ satisfies ϕ (µ |= ϕ): µ |= Ai ⇐⇒ µ(Ai ) = > µ |= ¬ϕ ⇐⇒ not µ |= ϕ µ |= ϕ1 ∧ ϕ2 ⇐⇒ µ |= ϕ1 and µ |= ϕ2 µ |= ϕ1 ∨ ϕ2 ⇐⇒ µ |= ϕ1 or µ |= ϕ2 µ |= ϕ1 → ϕ2 ⇐⇒ if µ |= ϕ1, then µ |= ϕ2 µ |= ϕ1 ↔ ϕ2 ⇐⇒ µ |= ϕ1 iff µ |= ϕ2 a partial truth assignment µ satisfies ϕ iff it makes ϕ evaluate to true (Ex: {A1} |= (A1 ∨ A2)) =⇒ if µ satisfies ϕ, then all its total extensions satisfy ϕ (Ex: {A1, A2} |= (A1 ∨ A2) and {A1, ¬A2} |= (A1 ∨ A2))
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 11 / 108 ϕ1 entails ϕ2 (ϕ1 |= ϕ2): ϕ1 |= ϕ2 iff µ |= ϕ1 =⇒ µ |= ϕ2 for every µ ϕ is valid( |= ϕ): |= ϕ iff µ |= ϕ for every µ Property ϕ is valid ⇐⇒ ¬ϕ is not satisfiable
Some background on Boolean Logic Basic notation & definitions (cont) a total truth assignment µ satisfies ϕ (µ |= ϕ): µ |= Ai ⇐⇒ µ(Ai ) = > µ |= ¬ϕ ⇐⇒ not µ |= ϕ µ |= ϕ1 ∧ ϕ2 ⇐⇒ µ |= ϕ1 and µ |= ϕ2 µ |= ϕ1 ∨ ϕ2 ⇐⇒ µ |= ϕ1 or µ |= ϕ2 µ |= ϕ1 → ϕ2 ⇐⇒ if µ |= ϕ1, then µ |= ϕ2 µ |= ϕ1 ↔ ϕ2 ⇐⇒ µ |= ϕ1 iff µ |= ϕ2 a partial truth assignment µ satisfies ϕ iff it makes ϕ evaluate to true (Ex: {A1} |= (A1 ∨ A2)) =⇒ if µ satisfies ϕ, then all its total extensions satisfy ϕ (Ex: {A1, A2} |= (A1 ∨ A2) and {A1, ¬A2} |= (A1 ∨ A2)) ϕ is satisfiable iff µ |= ϕ for some µ
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 11 / 108 ϕ is valid( |= ϕ): |= ϕ iff µ |= ϕ for every µ Property ϕ is valid ⇐⇒ ¬ϕ is not satisfiable
Some background on Boolean Logic Basic notation & definitions (cont) a total truth assignment µ satisfies ϕ (µ |= ϕ): µ |= Ai ⇐⇒ µ(Ai ) = > µ |= ¬ϕ ⇐⇒ not µ |= ϕ µ |= ϕ1 ∧ ϕ2 ⇐⇒ µ |= ϕ1 and µ |= ϕ2 µ |= ϕ1 ∨ ϕ2 ⇐⇒ µ |= ϕ1 or µ |= ϕ2 µ |= ϕ1 → ϕ2 ⇐⇒ if µ |= ϕ1, then µ |= ϕ2 µ |= ϕ1 ↔ ϕ2 ⇐⇒ µ |= ϕ1 iff µ |= ϕ2 a partial truth assignment µ satisfies ϕ iff it makes ϕ evaluate to true (Ex: {A1} |= (A1 ∨ A2)) =⇒ if µ satisfies ϕ, then all its total extensions satisfy ϕ (Ex: {A1, A2} |= (A1 ∨ A2) and {A1, ¬A2} |= (A1 ∨ A2)) ϕ is satisfiable iff µ |= ϕ for some µ ϕ1 entails ϕ2 (ϕ1 |= ϕ2): ϕ1 |= ϕ2 iff µ |= ϕ1 =⇒ µ |= ϕ2 for every µ
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 11 / 108 Property ϕ is valid ⇐⇒ ¬ϕ is not satisfiable
Some background on Boolean Logic Basic notation & definitions (cont) a total truth assignment µ satisfies ϕ (µ |= ϕ): µ |= Ai ⇐⇒ µ(Ai ) = > µ |= ¬ϕ ⇐⇒ not µ |= ϕ µ |= ϕ1 ∧ ϕ2 ⇐⇒ µ |= ϕ1 and µ |= ϕ2 µ |= ϕ1 ∨ ϕ2 ⇐⇒ µ |= ϕ1 or µ |= ϕ2 µ |= ϕ1 → ϕ2 ⇐⇒ if µ |= ϕ1, then µ |= ϕ2 µ |= ϕ1 ↔ ϕ2 ⇐⇒ µ |= ϕ1 iff µ |= ϕ2 a partial truth assignment µ satisfies ϕ iff it makes ϕ evaluate to true (Ex: {A1} |= (A1 ∨ A2)) =⇒ if µ satisfies ϕ, then all its total extensions satisfy ϕ (Ex: {A1, A2} |= (A1 ∨ A2) and {A1, ¬A2} |= (A1 ∨ A2)) ϕ is satisfiable iff µ |= ϕ for some µ ϕ1 entails ϕ2 (ϕ1 |= ϕ2): ϕ1 |= ϕ2 iff µ |= ϕ1 =⇒ µ |= ϕ2 for every µ ϕ is valid( |= ϕ): |= ϕ iff µ |= ϕ for every µ
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 11 / 108 Some background on Boolean Logic Basic notation & definitions (cont) a total truth assignment µ satisfies ϕ (µ |= ϕ): µ |= Ai ⇐⇒ µ(Ai ) = > µ |= ¬ϕ ⇐⇒ not µ |= ϕ µ |= ϕ1 ∧ ϕ2 ⇐⇒ µ |= ϕ1 and µ |= ϕ2 µ |= ϕ1 ∨ ϕ2 ⇐⇒ µ |= ϕ1 or µ |= ϕ2 µ |= ϕ1 → ϕ2 ⇐⇒ if µ |= ϕ1, then µ |= ϕ2 µ |= ϕ1 ↔ ϕ2 ⇐⇒ µ |= ϕ1 iff µ |= ϕ2 a partial truth assignment µ satisfies ϕ iff it makes ϕ evaluate to true (Ex: {A1} |= (A1 ∨ A2)) =⇒ if µ satisfies ϕ, then all its total extensions satisfy ϕ (Ex: {A1, A2} |= (A1 ∨ A2) and {A1, ¬A2} |= (A1 ∨ A2)) ϕ is satisfiable iff µ |= ϕ for some µ ϕ1 entails ϕ2 (ϕ1 |= ϕ2): ϕ1 |= ϕ2 iff µ |= ϕ1 =⇒ µ |= ϕ2 for every µ ϕ is valid( |= ϕ): |= ϕ iff µ |= ϕ for every µ Property ϕ is valid ⇐⇒ ¬ϕ is not satisfiable
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 11 / 108 µ |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2)=⇒ µ |= ψ1 ∨ ψ2 0 0 µ |= ψ1 ∨ ψ2 =⇒ µ ∧ A3 |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) or 0 µ ∧ ¬A3 |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) [ϕ1, ϕ2 equi-satisfiable] 0 0 0 µ 6|= ψ1 and µ |= ψ2 =⇒ µ ∧ A3 |= ψ1 ∨ ψ2 and 0 µ ∧ A3 6|= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) [ϕ1, ϕ2 not equivalent]
ϕ1 and ϕ2 are equi-satisfiable iff exists µ1 s.t. µ1 |= ϕ1 iff exists µ2 s.t. µ2 |= ϕ2 ϕ1, ϕ2 equivalent ⇓ 6⇑ ϕ1, ϕ2 equi-satisfiable def def EX: ϕ1 = ψ1 ∨ ψ2 and ϕ2 = (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) s.t. A3 not in ψ1 ∨ ψ2, are equi-satisfiable but not equivalent:
Typically used when ϕ2 is the result of applying some def transformation T to ϕ1: ϕ2 = T (ϕ1): we say that T is validity-preserving[satisfiability-preserving] iff T (ϕ1) and ϕ1 are equivalent [equi-satisfiable]
Some background on Boolean Logic Equivalence and equi-satisfiability
ϕ1 and ϕ2 are equivalent iff, for every µ, µ |= ϕ1 iff µ |= ϕ2
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 12 / 108 µ |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2)=⇒ µ |= ψ1 ∨ ψ2 0 0 µ |= ψ1 ∨ ψ2 =⇒ µ ∧ A3 |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) or 0 µ ∧ ¬A3 |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) [ϕ1, ϕ2 equi-satisfiable] 0 0 0 µ 6|= ψ1 and µ |= ψ2 =⇒ µ ∧ A3 |= ψ1 ∨ ψ2 and 0 µ ∧ A3 6|= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) [ϕ1, ϕ2 not equivalent]
ϕ1, ϕ2 equivalent ⇓ 6⇑ ϕ1, ϕ2 equi-satisfiable def def EX: ϕ1 = ψ1 ∨ ψ2 and ϕ2 = (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) s.t. A3 not in ψ1 ∨ ψ2, are equi-satisfiable but not equivalent:
Typically used when ϕ2 is the result of applying some def transformation T to ϕ1: ϕ2 = T (ϕ1): we say that T is validity-preserving[satisfiability-preserving] iff T (ϕ1) and ϕ1 are equivalent [equi-satisfiable]
Some background on Boolean Logic Equivalence and equi-satisfiability
ϕ1 and ϕ2 are equivalent iff, for every µ, µ |= ϕ1 iff µ |= ϕ2 ϕ1 and ϕ2 are equi-satisfiable iff exists µ1 s.t. µ1 |= ϕ1 iff exists µ2 s.t. µ2 |= ϕ2
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 12 / 108 µ |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2)=⇒ µ |= ψ1 ∨ ψ2 0 0 µ |= ψ1 ∨ ψ2 =⇒ µ ∧ A3 |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) or 0 µ ∧ ¬A3 |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) [ϕ1, ϕ2 equi-satisfiable] 0 0 0 µ 6|= ψ1 and µ |= ψ2 =⇒ µ ∧ A3 |= ψ1 ∨ ψ2 and 0 µ ∧ A3 6|= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) [ϕ1, ϕ2 not equivalent]
def def EX: ϕ1 = ψ1 ∨ ψ2 and ϕ2 = (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) s.t. A3 not in ψ1 ∨ ψ2, are equi-satisfiable but not equivalent:
Typically used when ϕ2 is the result of applying some def transformation T to ϕ1: ϕ2 = T (ϕ1): we say that T is validity-preserving[satisfiability-preserving] iff T (ϕ1) and ϕ1 are equivalent [equi-satisfiable]
Some background on Boolean Logic Equivalence and equi-satisfiability
ϕ1 and ϕ2 are equivalent iff, for every µ, µ |= ϕ1 iff µ |= ϕ2 ϕ1 and ϕ2 are equi-satisfiable iff exists µ1 s.t. µ1 |= ϕ1 iff exists µ2 s.t. µ2 |= ϕ2 ϕ1, ϕ2 equivalent ⇓ 6⇑ ϕ1, ϕ2 equi-satisfiable
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 12 / 108 µ |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2)=⇒ µ |= ψ1 ∨ ψ2 0 0 µ |= ψ1 ∨ ψ2 =⇒ µ ∧ A3 |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) or 0 µ ∧ ¬A3 |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) [ϕ1, ϕ2 equi-satisfiable] 0 0 0 µ 6|= ψ1 and µ |= ψ2 =⇒ µ ∧ A3 |= ψ1 ∨ ψ2 and 0 µ ∧ A3 6|= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) [ϕ1, ϕ2 not equivalent] Typically used when ϕ2 is the result of applying some def transformation T to ϕ1: ϕ2 = T (ϕ1): we say that T is validity-preserving[satisfiability-preserving] iff T (ϕ1) and ϕ1 are equivalent [equi-satisfiable]
Some background on Boolean Logic Equivalence and equi-satisfiability
ϕ1 and ϕ2 are equivalent iff, for every µ, µ |= ϕ1 iff µ |= ϕ2 ϕ1 and ϕ2 are equi-satisfiable iff exists µ1 s.t. µ1 |= ϕ1 iff exists µ2 s.t. µ2 |= ϕ2 ϕ1, ϕ2 equivalent ⇓ 6⇑ ϕ1, ϕ2 equi-satisfiable def def EX: ϕ1 = ψ1 ∨ ψ2 and ϕ2 = (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) s.t. A3 not in ψ1 ∨ ψ2, are equi-satisfiable but not equivalent:
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 12 / 108 0 0 µ |= ψ1 ∨ ψ2 =⇒ µ ∧ A3 |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) or 0 µ ∧ ¬A3 |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) [ϕ1, ϕ2 equi-satisfiable] 0 0 0 µ 6|= ψ1 and µ |= ψ2 =⇒ µ ∧ A3 |= ψ1 ∨ ψ2 and 0 µ ∧ A3 6|= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) [ϕ1, ϕ2 not equivalent] Typically used when ϕ2 is the result of applying some def transformation T to ϕ1: ϕ2 = T (ϕ1): we say that T is validity-preserving[satisfiability-preserving] iff T (ϕ1) and ϕ1 are equivalent [equi-satisfiable]
Some background on Boolean Logic Equivalence and equi-satisfiability
ϕ1 and ϕ2 are equivalent iff, for every µ, µ |= ϕ1 iff µ |= ϕ2 ϕ1 and ϕ2 are equi-satisfiable iff exists µ1 s.t. µ1 |= ϕ1 iff exists µ2 s.t. µ2 |= ϕ2 ϕ1, ϕ2 equivalent ⇓ 6⇑ ϕ1, ϕ2 equi-satisfiable def def EX: ϕ1 = ψ1 ∨ ψ2 and ϕ2 = (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) s.t. A3 not in ψ1 ∨ ψ2, are equi-satisfiable but not equivalent: µ |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2)=⇒ µ |= ψ1 ∨ ψ2
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 12 / 108 0 0 0 µ 6|= ψ1 and µ |= ψ2 =⇒ µ ∧ A3 |= ψ1 ∨ ψ2 and 0 µ ∧ A3 6|= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) [ϕ1, ϕ2 not equivalent] Typically used when ϕ2 is the result of applying some def transformation T to ϕ1: ϕ2 = T (ϕ1): we say that T is validity-preserving[satisfiability-preserving] iff T (ϕ1) and ϕ1 are equivalent [equi-satisfiable]
Some background on Boolean Logic Equivalence and equi-satisfiability
ϕ1 and ϕ2 are equivalent iff, for every µ, µ |= ϕ1 iff µ |= ϕ2 ϕ1 and ϕ2 are equi-satisfiable iff exists µ1 s.t. µ1 |= ϕ1 iff exists µ2 s.t. µ2 |= ϕ2 ϕ1, ϕ2 equivalent ⇓ 6⇑ ϕ1, ϕ2 equi-satisfiable def def EX: ϕ1 = ψ1 ∨ ψ2 and ϕ2 = (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) s.t. A3 not in ψ1 ∨ ψ2, are equi-satisfiable but not equivalent: µ |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2)=⇒ µ |= ψ1 ∨ ψ2 0 0 µ |= ψ1 ∨ ψ2 =⇒ µ ∧ A3 |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) or 0 µ ∧ ¬A3 |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) [ϕ1, ϕ2 equi-satisfiable]
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 12 / 108 Typically used when ϕ2 is the result of applying some def transformation T to ϕ1: ϕ2 = T (ϕ1): we say that T is validity-preserving[satisfiability-preserving] iff T (ϕ1) and ϕ1 are equivalent [equi-satisfiable]
Some background on Boolean Logic Equivalence and equi-satisfiability
ϕ1 and ϕ2 are equivalent iff, for every µ, µ |= ϕ1 iff µ |= ϕ2 ϕ1 and ϕ2 are equi-satisfiable iff exists µ1 s.t. µ1 |= ϕ1 iff exists µ2 s.t. µ2 |= ϕ2 ϕ1, ϕ2 equivalent ⇓ 6⇑ ϕ1, ϕ2 equi-satisfiable def def EX: ϕ1 = ψ1 ∨ ψ2 and ϕ2 = (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) s.t. A3 not in ψ1 ∨ ψ2, are equi-satisfiable but not equivalent: µ |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2)=⇒ µ |= ψ1 ∨ ψ2 0 0 µ |= ψ1 ∨ ψ2 =⇒ µ ∧ A3 |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) or 0 µ ∧ ¬A3 |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) [ϕ1, ϕ2 equi-satisfiable] 0 0 0 µ 6|= ψ1 and µ |= ψ2 =⇒ µ ∧ A3 |= ψ1 ∨ ψ2 and 0 µ ∧ A3 6|= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) [ϕ1, ϕ2 not equivalent]
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 12 / 108 Some background on Boolean Logic Equivalence and equi-satisfiability
ϕ1 and ϕ2 are equivalent iff, for every µ, µ |= ϕ1 iff µ |= ϕ2 ϕ1 and ϕ2 are equi-satisfiable iff exists µ1 s.t. µ1 |= ϕ1 iff exists µ2 s.t. µ2 |= ϕ2 ϕ1, ϕ2 equivalent ⇓ 6⇑ ϕ1, ϕ2 equi-satisfiable def def EX: ϕ1 = ψ1 ∨ ψ2 and ϕ2 = (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) s.t. A3 not in ψ1 ∨ ψ2, are equi-satisfiable but not equivalent: µ |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2)=⇒ µ |= ψ1 ∨ ψ2 0 0 µ |= ψ1 ∨ ψ2 =⇒ µ ∧ A3 |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) or 0 µ ∧ ¬A3 |= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) [ϕ1, ϕ2 equi-satisfiable] 0 0 0 µ 6|= ψ1 and µ |= ψ2 =⇒ µ ∧ A3 |= ψ1 ∨ ψ2 and 0 µ ∧ A3 6|= (ψ1 ∨ ¬A3) ∧ (A3 ∨ ψ2) [ϕ1, ϕ2 not equivalent] Typically used when ϕ2 is the result of applying some def transformation T to ϕ1: ϕ2 = T (ϕ1): we say that T is validity-preserving[satisfiability-preserving] iff T (ϕ1) and ϕ1 are equivalent [equi-satisfiable] Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 12 / 108 Some background on Boolean Logic Complexity
For N variables, there are up to 2N truth assignments to be checked. The problem of deciding the satisfiability of a propositional formula is NP-complete The most important logical problems (validity, inference, entailment, equivalence, ...) can be straightforwardly reduced to satisfiability, and are thus (co)NP-complete. ⇓ No existing worst-case-polynomial algorithm.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 13 / 108 Some background on Boolean Logic POLARITY of subformulas Positive/negative occurrences ϕ occurs positively in ϕ; if ¬ϕ1 occurs positively [negatively] in ϕ, then ϕ1 occurs negatively [positively] in ϕ if ϕ1 ∧ ϕ2 or ϕ1 ∨ ϕ2 occur positively [negatively] in ϕ, then ϕ1 and ϕ2 occur positively [negatively] in ϕ; if ϕ1 → ϕ2 occurs positively [negatively] in ϕ, then ϕ1 occurs negatively [positively] in ϕ and ϕ2 occurs positively [negatively] in ϕ; if ϕ1 ↔ ϕ2 occurs in ϕ, then ϕ1 and ϕ2 occur positively and negatively in ϕ; EX: ϕ1 occurs positively in ¬(ϕ1 → ϕ2) ϕ2 occurs negatively in ¬(ϕ1 → ϕ2) intuition: ϕ1 occurs positively [negatively] in ϕ iff it occurs under the scope of an (implicit) even [odd] number of negations. =⇒ Polarity: the number of nested negations modulo 2.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 14 / 108 Some background on Boolean Logic Substitution
Properties
If ϕ1 is equivalent to ϕ2, then ϕ[ϕ1|ϕ2] is equivalent to ϕ:
|= (ϕ1 ↔ ϕ2) ⇓ |= ϕ[ϕ1|ϕ2] ↔ ϕ
If ϕ2 entails ϕ1 and ϕ1 occurs only positively in ϕ, then ϕ[ϕ1|ϕ2] entails ϕ:
ϕ2 |= ϕ1 ⇓ ϕ[ϕ1|ϕ2] |= ϕ dual case for negative occurrence
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 15 / 108 Some background on Boolean Logic Negative normal form (NNF)
ϕ is in Negative normal form iff it is given only by the recursive applications of ∧, ∨ to literals. every ϕ can be reduced into NNF: (i) substituting all →’s and ↔’s:
ϕ1 → ϕ2 =⇒ ¬ϕ1 ∨ ϕ2 ϕ1 ↔ ϕ2 =⇒ (¬ϕ1 ∨ ϕ2) ∧ (ϕ1 ∨ ¬ϕ2)
(ii) pushing down negations recursively:
¬(ϕ1 ∧ ϕ2) =⇒ ¬ϕ1 ∨ ¬ϕ2 ¬(ϕ1 ∨ ϕ2) =⇒ ¬ϕ1 ∧ ¬ϕ2 ¬¬ϕ1 =⇒ ϕ1
The reduction is linear if a DAG representation is used. Preserves the equivalence of formulas.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 16 / 108 ⇓ ((((A1 → A2) ∧ (A1 ← A2)) → ((A3 → A4) ∧ (A3 ← A4)))∧ (((A1 → A2) ∧ (A1 ← A2)) ← ((A3 → A4) ∧ (A3 ← A4)))) ⇓ ((¬((¬A1 ∨ A2) ∧ (A1 ∨ ¬A2)) ∨ ((¬A3 ∨ A4) ∧ (A3 ∨ ¬A4)))∧ (((¬A1 ∨ A2) ∧ (A1 ∨ ¬A2)) ∨ ¬((¬A3 ∨ A4) ∧ (A3 ∨ ¬A4)))) ⇓ ((((A1 ∧ ¬A2) ∨ (¬A1 ∧ A2)) ∨ ((¬A3 ∨ A4) ∧ (A3 ∨ ¬A4)))∧ (((¬A1 ∨ A2) ∧ (A1 ∨ ¬A2)) ∨ ((A3 ∧ ¬A4) ∨ (¬A3 ∧ A4))))
Some background on Boolean Logic NNF: example
(A1 ↔ A2) ↔ (A3 ↔ A4)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 17 / 108 ⇓ ((¬((¬A1 ∨ A2) ∧ (A1 ∨ ¬A2)) ∨ ((¬A3 ∨ A4) ∧ (A3 ∨ ¬A4)))∧ (((¬A1 ∨ A2) ∧ (A1 ∨ ¬A2)) ∨ ¬((¬A3 ∨ A4) ∧ (A3 ∨ ¬A4)))) ⇓ ((((A1 ∧ ¬A2) ∨ (¬A1 ∧ A2)) ∨ ((¬A3 ∨ A4) ∧ (A3 ∨ ¬A4)))∧ (((¬A1 ∨ A2) ∧ (A1 ∨ ¬A2)) ∨ ((A3 ∧ ¬A4) ∨ (¬A3 ∧ A4))))
Some background on Boolean Logic NNF: example
(A1 ↔ A2) ↔ (A3 ↔ A4) ⇓ ((((A1 → A2) ∧ (A1 ← A2)) → ((A3 → A4) ∧ (A3 ← A4)))∧ (((A1 → A2) ∧ (A1 ← A2)) ← ((A3 → A4) ∧ (A3 ← A4))))
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 17 / 108 ⇓ ((((A1 ∧ ¬A2) ∨ (¬A1 ∧ A2)) ∨ ((¬A3 ∨ A4) ∧ (A3 ∨ ¬A4)))∧ (((¬A1 ∨ A2) ∧ (A1 ∨ ¬A2)) ∨ ((A3 ∧ ¬A4) ∨ (¬A3 ∧ A4))))
Some background on Boolean Logic NNF: example
(A1 ↔ A2) ↔ (A3 ↔ A4) ⇓ ((((A1 → A2) ∧ (A1 ← A2)) → ((A3 → A4) ∧ (A3 ← A4)))∧ (((A1 → A2) ∧ (A1 ← A2)) ← ((A3 → A4) ∧ (A3 ← A4)))) ⇓ ((¬((¬A1 ∨ A2) ∧ (A1 ∨ ¬A2)) ∨ ((¬A3 ∨ A4) ∧ (A3 ∨ ¬A4)))∧ (((¬A1 ∨ A2) ∧ (A1 ∨ ¬A2)) ∨ ¬((¬A3 ∨ A4) ∧ (A3 ∨ ¬A4))))
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 17 / 108 Some background on Boolean Logic NNF: example
(A1 ↔ A2) ↔ (A3 ↔ A4) ⇓ ((((A1 → A2) ∧ (A1 ← A2)) → ((A3 → A4) ∧ (A3 ← A4)))∧ (((A1 → A2) ∧ (A1 ← A2)) ← ((A3 → A4) ∧ (A3 ← A4)))) ⇓ ((¬((¬A1 ∨ A2) ∧ (A1 ∨ ¬A2)) ∨ ((¬A3 ∨ A4) ∧ (A3 ∨ ¬A4)))∧ (((¬A1 ∨ A2) ∧ (A1 ∨ ¬A2)) ∨ ¬((¬A3 ∨ A4) ∧ (A3 ∨ ¬A4)))) ⇓ ((((A1 ∧ ¬A2) ∨ (¬A1 ∧ A2)) ∨ ((¬A3 ∨ A4) ∧ (A3 ∨ ¬A4)))∧ (((¬A1 ∨ A2) ∧ (A1 ∨ ¬A2)) ∨ ((A3 ∧ ¬A4) ∨ (¬A3 ∧ A4))))
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 17 / 108 Note For each non-literal subformula ϕ, ϕ and ¬ϕ have different representations =⇒ they are not shared.
Some background on Boolean Logic NNF: example (cont)
−B1 B2 B1 −B2
A1 −A2 −A1 A2 −A3 A4 A3 −A4 −A1 A2 A1 −A2A3−A4 −A3 A4 Tree Representation
−B1 B2 B1 −B2
A1 −A2 −A1 A2 −A3 A4 A3 −A4
DAG Representation
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 18 / 108 Some background on Boolean Logic NNF: example (cont)
−B1 B2 B1 −B2
A1 −A2 −A1 A2 −A3 A4 A3 −A4 −A1 A2 A1 −A2A3−A4 −A3 A4 Tree Representation
−B1 B2 B1 −B2
A1 −A2 −A1 A2 −A3 A4 A3 −A4
DAG Representation Note For each non-literal subformula ϕ, ϕ and ¬ϕ have different representations =⇒ they are not shared.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 18 / 108 Some background on Boolean Logic Optimized polynomial representations
And-Inverter Graphs, Reduced Boolean Circuits, Boolean Expression Diagrams Maximize the sharing in DAG representations: {∧, ↔, ¬}-only, negations on arcs, sorting of subformulae, lifting of ¬’s over ↔’s,...
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 19 / 108 Some background on Boolean Logic Conjunctive Normal Form (CNF)
ϕ is in Conjunctive normal form iff it is a conjunction of disjunctions of literals: L K ^ _i lji i=1 ji =1
the disjunctions of literals WKi l are called clauses ji =1 ji Easier to handle: list of lists of literals. =⇒ no reasoning on the recursive structure of the formula
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 20 / 108 (i) converting it into NNF (not indispensible); (ii) applying recursively the DeMorgan’s Rule: (ϕ1 ∧ ϕ2) ∨ ϕ3 =⇒ (ϕ1 ∨ ϕ3) ∧ (ϕ2 ∨ ϕ3) Worst-case exponential. Atoms(CNF(ϕ)) = Atoms(ϕ). CNF(ϕ) is equivalent to ϕ. Rarely used in practice.
Some background on Boolean Logic Classic CNF Conversion CNF(ϕ)
Every ϕ can be reduced into CNF by, e.g.,
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 21 / 108 (ii) applying recursively the DeMorgan’s Rule: (ϕ1 ∧ ϕ2) ∨ ϕ3 =⇒ (ϕ1 ∨ ϕ3) ∧ (ϕ2 ∨ ϕ3) Worst-case exponential. Atoms(CNF(ϕ)) = Atoms(ϕ). CNF(ϕ) is equivalent to ϕ. Rarely used in practice.
Some background on Boolean Logic Classic CNF Conversion CNF(ϕ)
Every ϕ can be reduced into CNF by, e.g., (i) converting it into NNF (not indispensible);
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 21 / 108 Worst-case exponential. Atoms(CNF(ϕ)) = Atoms(ϕ). CNF(ϕ) is equivalent to ϕ. Rarely used in practice.
Some background on Boolean Logic Classic CNF Conversion CNF(ϕ)
Every ϕ can be reduced into CNF by, e.g., (i) converting it into NNF (not indispensible); (ii) applying recursively the DeMorgan’s Rule: (ϕ1 ∧ ϕ2) ∨ ϕ3 =⇒ (ϕ1 ∨ ϕ3) ∧ (ϕ2 ∨ ϕ3)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 21 / 108 Some background on Boolean Logic Classic CNF Conversion CNF(ϕ)
Every ϕ can be reduced into CNF by, e.g., (i) converting it into NNF (not indispensible); (ii) applying recursively the DeMorgan’s Rule: (ϕ1 ∧ ϕ2) ∨ ϕ3 =⇒ (ϕ1 ∨ ϕ3) ∧ (ϕ2 ∨ ϕ3) Worst-case exponential. Atoms(CNF(ϕ)) = Atoms(ϕ). CNF(ϕ) is equivalent to ϕ. Rarely used in practice.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 21 / 108 Worst-case linear.
Atoms(CNFlabel (ϕ)) ⊇ Atoms(ϕ).
CNFlabel (ϕ) is equi-satisfiable w.r.t. ϕ. More used in practice.
Some background on Boolean Logic
Labeling CNF conversion CNFlabel (ϕ)
Every ϕ can be reduced into CNF by, e.g., applying recursively bottom-up the rules: ϕ =⇒ ϕ[(li ∨ lj )|B] ∧ CNF(B ↔ (li ∨ lj )) ϕ =⇒ ϕ[(li ∧ lj )|B] ∧ CNF(B ↔ (li ∧ lj )) ϕ =⇒ ϕ[(li ↔ lj )|B] ∧ CNF(B ↔ (li ↔ lj )) li , lj being literals and B being a “new” variable.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 22 / 108 Some background on Boolean Logic
Labeling CNF conversion CNFlabel (ϕ)
Every ϕ can be reduced into CNF by, e.g., applying recursively bottom-up the rules: ϕ =⇒ ϕ[(li ∨ lj )|B] ∧ CNF(B ↔ (li ∨ lj )) ϕ =⇒ ϕ[(li ∧ lj )|B] ∧ CNF(B ↔ (li ∧ lj )) ϕ =⇒ ϕ[(li ↔ lj )|B] ∧ CNF(B ↔ (li ↔ lj )) li , lj being literals and B being a “new” variable. Worst-case linear.
Atoms(CNFlabel (ϕ)) ⊇ Atoms(ϕ).
CNFlabel (ϕ) is equi-satisfiable w.r.t. ϕ. More used in practice.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 22 / 108 Some background on Boolean Logic
Labeling CNF conversion CNFlabel (ϕ) (cont.)
CNF(B ↔ (li ∨ lj )) ⇐⇒ (¬B ∨ li ∨ lj )∧ (B ∨ ¬li )∧ (B ∨ ¬lj ) CNF(B ↔ (li ∧ lj )) ⇐⇒ (¬B ∨ li )∧ (¬B ∨ lj )∧ (B ∨ ¬li ¬lj ) CNF(B ↔ (li ↔ lj )) ⇐⇒ (¬B ∨ ¬li ∨ lj )∧ (¬B ∨ li ∨ ¬lj )∧ (B ∨ li ∨ lj )∧ (B ∨ ¬li ∨ ¬lj )
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 23 / 108 Some background on Boolean Logic
Labeling CNF conversion CNFlabel – example
B15
B13 B14
B9 B10 B11 B12
B1 B2 B3 B4 B5 B6 B7 B8
−A3A1 A5 −A4 −A3 A4 A2 −A6 A1A4 A3 −A5 −A2 A6 A1 −A4
CNF(B1 ↔ (¬A3 ∨ A1)) ∧ ... ∧ CNF(B8 ↔ (A1 ∨ ¬A4)) ∧ CNF(B9 ↔ (B1 ↔ B2)) ∧ ... ∧ CNF(B12 ↔ (B7 ∧ B8)) ∧ CNF(B13 ↔ (B9 ∨ B10)) ∧ CNF(B14 ↔ (B11 ∨ B12)) ∧ CNF(B15 ↔ (B13 ∧ B14)) ∧ B15
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 24 / 108 Pro: smaller in size:
CNF(B → (li ∨ lj )) = (¬B ∨ li ∨ lj ) CNF(((li ∨ lj ) → B)) = (¬li ∨ B) ∧ (¬lj ∨ B)
Con: looses backward propagation: unlike with CNF(B ↔ (li ∨ lj )), with CNF(B → (li ∨ lj )) we can no more infer that B is true from the fact that li is true or lj is true.
Some background on Boolean Logic
Labeling CNF conversion CNFlabel (variant)
As in the previous case, applying instead the rules:
ϕ =⇒ ϕ[(li ∨ lj )|B] ∧ CNF(B → (li ∨ lj )) if (li ∨ lj ) pos. ϕ =⇒ ϕ[(li ∨ lj )|B] ∧ CNF((li ∨ lj ) → B) if (li ∨ lj ) neg. ϕ =⇒ ϕ[(li ∧ lj )|B] ∧ CNF(B → (li ∧ lj )) if (li ∧ lj ) pos. ϕ =⇒ ϕ[(li ∧ lj )|B] ∧ CNF((li ∧ lj ) → B) if (li ∧ lj ) neg. ϕ =⇒ ϕ[(li ↔ lj )|B] ∧ CNF(B → (li ↔ lj )) if (li ↔ lj ) pos. ϕ =⇒ ϕ[(li ↔ lj )|B] ∧ CNF((li ↔ lj ) → B) if (li ↔ lj ) neg.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 25 / 108 Con: looses backward propagation: unlike with CNF(B ↔ (li ∨ lj )), with CNF(B → (li ∨ lj )) we can no more infer that B is true from the fact that li is true or lj is true.
Some background on Boolean Logic
Labeling CNF conversion CNFlabel (variant)
As in the previous case, applying instead the rules:
ϕ =⇒ ϕ[(li ∨ lj )|B] ∧ CNF(B → (li ∨ lj )) if (li ∨ lj ) pos. ϕ =⇒ ϕ[(li ∨ lj )|B] ∧ CNF((li ∨ lj ) → B) if (li ∨ lj ) neg. ϕ =⇒ ϕ[(li ∧ lj )|B] ∧ CNF(B → (li ∧ lj )) if (li ∧ lj ) pos. ϕ =⇒ ϕ[(li ∧ lj )|B] ∧ CNF((li ∧ lj ) → B) if (li ∧ lj ) neg. ϕ =⇒ ϕ[(li ↔ lj )|B] ∧ CNF(B → (li ↔ lj )) if (li ↔ lj ) pos. ϕ =⇒ ϕ[(li ↔ lj )|B] ∧ CNF((li ↔ lj ) → B) if (li ↔ lj ) neg.
Pro: smaller in size:
CNF(B → (li ∨ lj )) = (¬B ∨ li ∨ lj ) CNF(((li ∨ lj ) → B)) = (¬li ∨ B) ∧ (¬lj ∨ B)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 25 / 108 Some background on Boolean Logic
Labeling CNF conversion CNFlabel (variant)
As in the previous case, applying instead the rules:
ϕ =⇒ ϕ[(li ∨ lj )|B] ∧ CNF(B → (li ∨ lj )) if (li ∨ lj ) pos. ϕ =⇒ ϕ[(li ∨ lj )|B] ∧ CNF((li ∨ lj ) → B) if (li ∨ lj ) neg. ϕ =⇒ ϕ[(li ∧ lj )|B] ∧ CNF(B → (li ∧ lj )) if (li ∧ lj ) pos. ϕ =⇒ ϕ[(li ∧ lj )|B] ∧ CNF((li ∧ lj ) → B) if (li ∧ lj ) neg. ϕ =⇒ ϕ[(li ↔ lj )|B] ∧ CNF(B → (li ↔ lj )) if (li ↔ lj ) pos. ϕ =⇒ ϕ[(li ↔ lj )|B] ∧ CNF((li ↔ lj ) → B) if (li ↔ lj ) neg.
Pro: smaller in size:
CNF(B → (li ∨ lj )) = (¬B ∨ li ∨ lj ) CNF(((li ∨ lj ) → B)) = (¬li ∨ B) ∧ (¬lj ∨ B)
Con: looses backward propagation: unlike with CNF(B ↔ (li ∨ lj )), with CNF(B → (li ∨ lj )) we can no more infer that B is true from the fact that li is true or lj is true. Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 25 / 108 Some background on Boolean Logic
Labeling CNF conversion CNFlabel (ϕ) (cont.)
CNF(B → (li ∨ lj )) ⇐⇒ (¬B ∨ li ∨ lj ) CNF(B ← (li ∨ lj )) ⇐⇒ (B ∨ ¬li )∧ (B ∨ ¬lj ) CNF(B → (li ∧ lj )) ⇐⇒ (¬B ∨ li )∧ (¬B ∨ lj ) CNF(B ← (li ∧ lj )) ⇐⇒ (B ∨ ¬li ¬lj ) CNF(B → (li ↔ lj )) ⇐⇒ (¬B ∨ ¬li ∨ lj )∧ (¬B ∨ li ∨ ¬lj ) CNF(B ← (li ↔ lj )) ⇐⇒ (B ∨ li ∨ lj )∧ (B ∨ ¬li ∨ ¬lj )
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 26 / 108 Some background on Boolean Logic
Labeling CNF conversion CNFlabel – example
B15
B13 B14
B9 B10 B11 B12
B1 B2 B3 B4 B5 B6 B7 B8
−A3A1 A5 −A4 −A3 A4 A2 −A6 A1A4 A3 −A5 −A2 A6 A1 −A4 Basic Improved CNF(B1 ↔ (¬A3 ∨ A1)) ∧ CNF(B1 ↔ (¬A3 ∨ A1)) ∧ ... ∧ ... ∧ CNF(B8 ↔ (A1 ∨ ¬A4)) ∧ CNF(B8 → (A1 ∨ ¬A4)) ∧ CNF(B9 ↔ (B1 ↔ B2)) ∧ CNF(B9 → (B1 ↔ B2)) ∧ ... ∧ ... ∧ CNF(B12 ↔ (B7 ∧ B8)) ∧ CNF(B12 → (B7 ∧ B8)) ∧ CNF(B13 ↔ (B9 ∨ B10)) ∧ CNF(B13 → (B9 ∨ B10)) ∧ CNF(B14 ↔ (B11 ∨ B12)) ∧ CNF(B14 → (B11 ∨ B12)) ∧ CNF(B15 ↔ (B13 ∧ B14)) ∧ CNF(B15 → (B13 ∧ B14)) ∧ B15 B15
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 27 / 108 Some background on Boolean Logic
Labeling CNF conversion CNFlabel – further optimizations
Do not apply CNFlabel when not necessary: (e.g., CNFlabel (ϕ1 ∧ ϕ2) =⇒ CNFlabel (ϕ1) ∧ ϕ2, if ϕ2 already in CNF) Apply Demorgan’s rules where it is more effective: (e.g., CNFlabel (ϕ1 ∧(A → (B∧C))) =⇒ CNFlabel (ϕ1)∧(¬A∨B)∧(¬A∨C) exploit the associativity of ∧’s and ∨’s: ... (A1 ∨ (A2 ∨ A3)) ... =⇒ ...CNF(B ↔ (A1 ∨ A2 ∨ A3))... | {z } B before applying CNFlabel , rewrite the initial formula so that to maximize the sharing of subformulas (RBC, BED) ...
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 28 / 108 Generalities on temporal logics Outline
1 Some background on Boolean Logic
2 Generalities on temporal logics
3 Linear Temporal Logic – LTL
4 Some LTL Model Checking Examples
5 Computation Tree Logic – CTL
6 Some CTL Model Checking Examples
7 LTL vs. CTL
8 Fairness & Fair Kripke Models
9 Exercises
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 29 / 108 an infinite an infinite set of computation tree computation paths
Generalities on temporal logics Computation tree vs. computation paths
Consider the following Kripke structure:
!done done
Its execution can be seen as:
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 30 / 108 an infinite computation tree
Generalities on temporal logics Computation tree vs. computation paths
Consider the following Kripke structure:
!done done
Its execution can be seen as:
an infinite set of computation paths
!done !done !done !done
!done !done !done done .....
!done !done done done
!done done done done
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 30 / 108 Generalities on temporal logics Computation tree vs. computation paths
Consider the following Kripke structure:
!done done
Its execution can be seen as: an infinite set of an infinite computation paths computation tree
!done !done !done !done !done
!done !done !done done !done done .....
!done !done done done !done done done
!done done done done !done done done done
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 30 / 108 Linear Temporal Logic (LTL) interpreted over each path of the Kripke structure linear model of time temporal operators “Medieval”: “since birth, one’s destiny is set”. Computation Tree Logic (CTL) interpreted over computation tree of Kripke model branching model of time temporal operators plus path quantifiers “Humanistic”: “one makes his/her own destiny step-by-step”.
Generalities on temporal logics Temporal Logics
Express properties of “Reactive Systems” nonterminating behaviours, without explicit reference to time.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 31 / 108 Computation Tree Logic (CTL) interpreted over computation tree of Kripke model branching model of time temporal operators plus path quantifiers “Humanistic”: “one makes his/her own destiny step-by-step”.
Generalities on temporal logics Temporal Logics
Express properties of “Reactive Systems” nonterminating behaviours, without explicit reference to time. Linear Temporal Logic (LTL) interpreted over each path of the Kripke structure linear model of time temporal operators “Medieval”: “since birth, one’s destiny is set”.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 31 / 108 Generalities on temporal logics Temporal Logics
Express properties of “Reactive Systems” nonterminating behaviours, without explicit reference to time. Linear Temporal Logic (LTL) interpreted over each path of the Kripke structure linear model of time temporal operators “Medieval”: “since birth, one’s destiny is set”. Computation Tree Logic (CTL) interpreted over computation tree of Kripke model branching model of time temporal operators plus path quantifiers “Humanistic”: “one makes his/her own destiny step-by-step”.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 31 / 108 Linear Temporal Logic – LTL Outline
1 Some background on Boolean Logic
2 Generalities on temporal logics
3 Linear Temporal Logic – LTL
4 Some LTL Model Checking Examples
5 Computation Tree Logic – CTL
6 Some CTL Model Checking Examples
7 LTL vs. CTL
8 Fairness & Fair Kripke Models
9 Exercises
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 32 / 108 if ϕ1 and ϕ2 are LTL formulae, then ¬ϕ1, ϕ1 ∧ ϕ2, ϕ1 ∨ ϕ2, ϕ1 → ϕ2, ϕ1 ↔ ϕ2 are LTL formulae;
if ϕ1 and ϕ2 are LTL formulae, then Xϕ1, ϕ1Uϕ2, Gϕ1, Fϕ1 are LTL formulae, where X, G, F, U are the “next”, “globally”, “eventually”,“until” temporal operators respectively. Another operator R “releases” (the dual of U) is used sometimes.
Linear Temporal Logic – LTL Linear Temporal Logic (LTL): Syntax
An atomic proposition is a LTL formula;
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 33 / 108 if ϕ1 and ϕ2 are LTL formulae, then Xϕ1, ϕ1Uϕ2, Gϕ1, Fϕ1 are LTL formulae, where X, G, F, U are the “next”, “globally”, “eventually”,“until” temporal operators respectively. Another operator R “releases” (the dual of U) is used sometimes.
Linear Temporal Logic – LTL Linear Temporal Logic (LTL): Syntax
An atomic proposition is a LTL formula;
if ϕ1 and ϕ2 are LTL formulae, then ¬ϕ1, ϕ1 ∧ ϕ2, ϕ1 ∨ ϕ2, ϕ1 → ϕ2, ϕ1 ↔ ϕ2 are LTL formulae;
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 33 / 108 Another operator R “releases” (the dual of U) is used sometimes.
Linear Temporal Logic – LTL Linear Temporal Logic (LTL): Syntax
An atomic proposition is a LTL formula;
if ϕ1 and ϕ2 are LTL formulae, then ¬ϕ1, ϕ1 ∧ ϕ2, ϕ1 ∨ ϕ2, ϕ1 → ϕ2, ϕ1 ↔ ϕ2 are LTL formulae;
if ϕ1 and ϕ2 are LTL formulae, then Xϕ1, ϕ1Uϕ2, Gϕ1, Fϕ1 are LTL formulae, where X, G, F, U are the “next”, “globally”, “eventually”,“until” temporal operators respectively.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 33 / 108 Linear Temporal Logic – LTL Linear Temporal Logic (LTL): Syntax
An atomic proposition is a LTL formula;
if ϕ1 and ϕ2 are LTL formulae, then ¬ϕ1, ϕ1 ∧ ϕ2, ϕ1 ∨ ϕ2, ϕ1 → ϕ2, ϕ1 ↔ ϕ2 are LTL formulae;
if ϕ1 and ϕ2 are LTL formulae, then Xϕ1, ϕ1Uϕ2, Gϕ1, Fϕ1 are LTL formulae, where X, G, F, U are the “next”, “globally”, “eventually”,“until” temporal operators respectively. Another operator R “releases” (the dual of U) is used sometimes.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 33 / 108 Linear Temporal Logic – LTL LTL semantics: intuitions
LTL is given by the standard boolean logic enhanced with the following temporal operators, which operate through paths hs0, s1, ..., sk , ...i:
“Next” X: Xϕ is true in st iff ϕ is true in st+1
“Finally” (or “eventually”) F: Fϕ is true in st iff ϕ is true in some st0 with t0 ≥ t
“Globally” (or “henceforth”) G: Gϕ is true in st iff ϕ is true in all st0 with t0 ≥ t 0 “Until” U: ϕUψ is true in st iff, for some state st0 s.t t ≥ t: ψ is true in st0 and 00 0 ϕ is true in all states st00 s.t. t ≤ t < t 0 “Releases” R: ϕRψ is true in st iff, for all states st0 s.t. t ≥ t: ψ is true or 00 0 ϕ is true in some states st00 with t ≤ t < t “ψ can become false only if ϕ becomes true first"
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 34 / 108 Linear Temporal Logic – LTL LTL semantics: intuitions
finally P globally P
F P G P
next P P until q
X P P U q
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 35 / 108 Linear Temporal Logic – LTL LTL: Some Noteworthy Examples
Safety: “it never happens that a train is arriving and the bar is up” G(¬(train_arriving ∧ bar_up)) Liveness: “if input, then eventually output” G(input → Foutput) Releases: “the device is not working if you don’t first repair it” (repair_device R ¬working_device) Fairness: “infinitely often send ” GFsend Strong fairness: “infinitely often send implies infinitely often recv.” GFsend → GFrecv
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 36 / 108 Linear Temporal Logic – LTL LTL Formal Semantics
π, si |= a iff a ∈ L(si ) π, si |= ¬ϕ iff π, si 6|= ϕ π, si |= ϕ ∧ ψ iff π, si |= ϕ and π, si |= ψ π, si |= Xϕ iff π, si+1 |= ϕ π, si |= Fϕ iff for some j ≥ i : π, sj |= ϕ π, si |= Gϕ iff for all j ≥ i : π, sj |= ϕ π, si |= ϕUψ iff for some j ≥ i :(π, sj |= ψ and for all k s.t. i ≤ k < j : π, sk |= ϕ) π, si |= ϕRψ iff for all j ≥ i :(π, sj |= ψ or for some k s.t. i ≤ k < j : π, sk |= ϕ)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 37 / 108 Given an infinite sequence π = s0, s1, s2,... π, si |= φ if φ is true in state si of π. π |= φ if φ is true in the initial state s0 of π. The LTL model checking problem M |= φ check if π |= φ for every path π of the Kripke structure M (e.g., φ = Fdone)
Linear Temporal Logic – LTL LTL Formal Semantics (cont.)
LTL properties are evaluated over paths, i.e., over infinite, linear sequences of states: π = s0 → s1 → · · · → st → st+1 → · · ·
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 38 / 108 The LTL model checking problem M |= φ check if π |= φ for every path π of the Kripke structure M (e.g., φ = Fdone)
Linear Temporal Logic – LTL LTL Formal Semantics (cont.)
LTL properties are evaluated over paths, i.e., over infinite, linear sequences of states: π = s0 → s1 → · · · → st → st+1 → · · · Given an infinite sequence π = s0, s1, s2,... π, si |= φ if φ is true in state si of π. π |= φ if φ is true in the initial state s0 of π.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 38 / 108 Linear Temporal Logic – LTL LTL Formal Semantics (cont.)
LTL properties are evaluated over paths, i.e., over infinite, linear sequences of states: π = s0 → s1 → · · · → st → st+1 → · · · Given an infinite sequence π = s0, s1, s2,... π, si |= φ if φ is true in state si of π. π |= φ if φ is true in the initial state s0 of π. The LTL model checking problem M |= φ check if π |= φ for every path π of the Kripke structure M (e.g., φ = Fdone)
!done !done !done !done
!done !done !done done .....
!done !done done done
!done done done done !done done
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 38 / 108 E.g. if φ is a LTL formula and two paths π1 and π2 are s.t. π1 |= φ and π2 |= ¬φ.
Important Remark M 6|= φ 6=⇒ M |= ¬φ (!!)
Linear Temporal Logic – LTL The LTL model checking problem M |= φ: remark
The LTL model checking problem M |= φ π |= φ for every path π of the Kripke structure M
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 39 / 108 E.g. if φ is a LTL formula and two paths π1 and π2 are s.t. π1 |= φ and π2 |= ¬φ.
Linear Temporal Logic – LTL The LTL model checking problem M |= φ: remark
The LTL model checking problem M |= φ π |= φ for every path π of the Kripke structure M
Important Remark M 6|= φ 6=⇒ M |= ¬φ (!!)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 39 / 108 Linear Temporal Logic – LTL The LTL model checking problem M |= φ: remark
The LTL model checking problem M |= φ π |= φ for every path π of the Kripke structure M
Important Remark M 6|= φ 6=⇒ M |= ¬φ (!!)
E.g. if φ is a LTL formula and two paths π1 and π2 are s.t. π1 |= φ and π2 |= ¬φ.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 39 / 108 Linear Temporal Logic – LTL Example: M 6|= φ 6=⇒ M |= ¬φ
def ω def ω ¬ ¬ Let π1 = {s1} , π2 = {s2} . p q s M 6|= Gp, in fact: 1 pq π1 6|= Gp s0 π2 |= Gp M 6|= ¬Gp, in fact: p¬q π1 |= ¬Gp s2 π2 6|= ¬Gp
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 40 / 108 Note LTL can be defined in terms of ∧, ¬, X, U only
Exercise
Prove that ϕ1Rϕ2 ⇐⇒ Gϕ2 ∨ ϕ2U(ϕ1 ∧ ϕ2)
Linear Temporal Logic – LTL Syntactic properties of LTL operators
ϕ1 ∨ ϕ2 ⇐⇒¬ (¬ϕ1 ∧ ¬ϕ2) ... F ϕ1 ⇐⇒> Uϕ1 G ϕ1 ⇐⇒ ⊥Rϕ1 Fϕ1 ⇐⇒ ¬G¬ϕ1 Gϕ1 ⇐⇒¬ F¬ϕ1 ¬Xϕ1 ⇐⇒ X¬ϕ1 ϕ1Rϕ2 ⇐⇒¬ (¬ϕ1U¬ϕ2) ϕ1Uϕ2 ⇐⇒ ¬(¬ϕ1R¬ϕ2)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 41 / 108 Exercise
Prove that ϕ1Rϕ2 ⇐⇒ Gϕ2 ∨ ϕ2U(ϕ1 ∧ ϕ2)
Linear Temporal Logic – LTL Syntactic properties of LTL operators
ϕ1 ∨ ϕ2 ⇐⇒¬ (¬ϕ1 ∧ ¬ϕ2) ... F ϕ1 ⇐⇒> Uϕ1 G ϕ1 ⇐⇒ ⊥Rϕ1 Fϕ1 ⇐⇒ ¬G¬ϕ1 Gϕ1 ⇐⇒¬ F¬ϕ1 ¬Xϕ1 ⇐⇒ X¬ϕ1 ϕ1Rϕ2 ⇐⇒¬ (¬ϕ1U¬ϕ2) ϕ1Uϕ2 ⇐⇒ ¬(¬ϕ1R¬ϕ2)
Note LTL can be defined in terms of ∧, ¬, X, U only
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 41 / 108 Linear Temporal Logic – LTL Syntactic properties of LTL operators
ϕ1 ∨ ϕ2 ⇐⇒¬ (¬ϕ1 ∧ ¬ϕ2) ... F ϕ1 ⇐⇒> Uϕ1 G ϕ1 ⇐⇒ ⊥Rϕ1 Fϕ1 ⇐⇒ ¬G¬ϕ1 Gϕ1 ⇐⇒¬ F¬ϕ1 ¬Xϕ1 ⇐⇒ X¬ϕ1 ϕ1Rϕ2 ⇐⇒¬ (¬ϕ1U¬ϕ2) ϕ1Uϕ2 ⇐⇒ ¬(¬ϕ1R¬ϕ2)
Note LTL can be defined in terms of ∧, ¬, X, U only
Exercise
Prove that ϕ1Rϕ2 ⇐⇒ Gϕ2 ∨ ϕ2U(ϕ1 ∧ ϕ2)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 41 / 108 Linear Temporal Logic – LTL Proof of ϕRψ ⇔ (Gψ ∨ ψU(ϕ ∧ ψ))
[Solution proposed by the student Samuel Valentini, 2016] (All state indexes below are implicitly assumed to be ≥ 0.)
⇒: Let π be s.t. π, s0 |= ϕRψ
If ∀j, π, sj |= ψ, then π, s0 |= Gψ. Otherwise, let sk be the first state s.t. π, sk 6|= ψ. 0 Since π, s0 |= ϕRψ, then k > 0 and exists k < k s.t. π, Sk 0 |= ϕ 0 By construction, π, sk 0 |= ϕ ∧ ψ and, for every w < k , π, sw |= ψ, so that π, s0 |= ψU(ϕ ∧ ψ). Thus, π, s0 |= Gψ ∨ ψU(ϕ ∧ ψ)
⇐: Let π be s.t. π, s0 |= Gψ ∨ ψU(ϕ ∧ ψ)
If π, s0 |= Gψ, then ∀j, π, sj |= ψ, so that π, s0 |= ϕRψ. Otherwise, π, s0 |= ψU(ϕ ∧ ψ). Let sk be the first state s.t. π, sk 6|= ψ. 0 by construction, ∃k such that π, Sk 0 |= ϕ ∧ ψ 0 by the definition of k, we have that k < k and ∀w < k, π, Sw |= ψ. Thus π, s0 |= ϕRψ
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 42 / 108 Linear Temporal Logic – LTL Strength of LTL operators
Gϕ |= ϕ |= Fϕ Gϕ |= Xϕ |= Fϕ Gϕ |= XX...Xϕ |= Fϕ ϕUψ |= Fψ Gψ |= ϕRψ
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 43 / 108 Linear Temporal Logic – LTL LTL tableaux rules
Let ϕ1 and ϕ2 be LTL formulae:
Fϕ1 ⇐⇒ (ϕ1 ∨ XFϕ1) Gϕ1 ⇐⇒ (ϕ1 ∧ XGϕ1) ϕ1Uϕ2 ⇐⇒ (ϕ2 ∨ (ϕ1 ∧ X(ϕ1Uϕ2))) ϕ1Rϕ2 ⇐⇒ (ϕ2 ∧ (ϕ1 ∨ X(ϕ1Rϕ2)))
If applied recursively, rewrite an LTL formula in terms of atomic and X-formulas:
(pUq) ∧ (G¬p) =⇒ (q ∨ (p ∧ X(pUq))) ∧ (¬p ∧ XG¬p)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 44 / 108 Linear Temporal Logic – LTL Tableaux rules: a quote
“After all... tomorrow is another day." [Scarlett O’Hara, “Gone with the Wind”] Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 45 / 108 Some LTL Model Checking Examples Outline
1 Some background on Boolean Logic
2 Generalities on temporal logics
3 Linear Temporal Logic – LTL
4 Some LTL Model Checking Examples
5 Computation Tree Logic – CTL
6 Some CTL Model Checking Examples
7 LTL vs. CTL
8 Fairness & Fair Kripke Models
9 Exercises
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 46 / 108 YES: There is no reachable state in which (C1 ∧ C2) holds!
Some LTL Model Checking Examples Example 1: mutual exclusion (safety)
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= G¬(C1 ∧ C2)?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 47 / 108 Some LTL Model Checking Examples Example 1: mutual exclusion (safety)
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= G¬(C1 ∧ C2)?
YES: There is no reachable state in which (C1 ∧ C2) holds!
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 47 / 108 NO: there is an infinite cyclic solution in which C1 never holds!
Some LTL Model Checking Examples Example 2: liveness
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= FC1 ?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 48 / 108 Some LTL Model Checking Examples Example 2: liveness
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= FC1 ?
NO: there is an infinite cyclic solution in which C1 never holds!
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 48 / 108 YES: every path starting from each state where T1 holds passes through a state where C1 holds.
Some LTL Model Checking Examples Example 3: liveness
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= G(T1 → FC1)?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 49 / 108 Some LTL Model Checking Examples Example 3: liveness
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= G(T1 → FC1)?
YES: every path starting from each state where T1 holds passes through a state where C1 holds.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 49 / 108 NO: e.g., in the initial state, there is an infinite cyclic solution in which C1 never holds!
Some LTL Model Checking Examples Example 4: fairness
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= GFC1 ?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 50 / 108 Some LTL Model Checking Examples Example 4: fairness
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= GFC1 ? NO: e.g., in the initial state, there is an infinite cyclic solution in which C1 never holds!
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 50 / 108 YES: every path which visits T1 infinitely often also visits C1 infinitely often (see liveness property of previous example).
Some LTL Model Checking Examples Example 5: strong fairness
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= GFT1 → GFC1 ?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 51 / 108 Some LTL Model Checking Examples Example 5: strong fairness
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= GFT1 → GFC1 ?
YES: every path which visits T1 infinitely often also visits C1 infinitely often (see liveness property of previous example).
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 51 / 108 YES: C1 in paths only strictly after T1 has occured.
Some LTL Model Checking Examples Example 6: Releases
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= T1R¬C1 ?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 52 / 108 Some LTL Model Checking Examples Example 6: Releases
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= T1R¬C1 ?
YES: C1 in paths only strictly after T1 has occured.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 52 / 108 NO: a counter-example is the ∞-shaped loop: (N1, N2), {(T 1, N2), (C1, N2), (C1, T 2), (N1, T 2), (N1, C2), (T 1, C2)}ω
Some LTL Model Checking Examples Example 7: XF
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2 M |= XF(turn = 0)?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 53 / 108 Some LTL Model Checking Examples Example 7: XF
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2 M |= XF(turn = 0)? NO: a counter-example is the ∞-shaped loop: (N1, N2), {(T 1, N2), (C1, N2), (C1, T 2), (N1, T 2), (N1, C2), (T 1, C2)}ω
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 53 / 108 let π ∈ M s.t. π |= GFT =⇒ π, si |= FT for each si ∈ π =⇒ π, sj |= T for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sj |= FC for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sk |= C for each si ∈ π, for some sj ∈ π s.t.j ≥ i and for some k ≥ j =⇒ π, sk |= C for each si ∈ π and for some k ≥ i =⇒ π |= GFC =⇒ M |= GFT → GFC.
YES: if M |= G(T → FC), then M |= GFT → GFC ! let M |= G(T → FC).
Some LTL Model Checking Examples Example: G(T → FC) vs. GFT → GFC
G(T → FC) =⇒ GFT → GFC ?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 54 / 108 let π ∈ M s.t. π |= GFT =⇒ π, si |= FT for each si ∈ π =⇒ π, sj |= T for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sj |= FC for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sk |= C for each si ∈ π, for some sj ∈ π s.t.j ≥ i and for some k ≥ j =⇒ π, sk |= C for each si ∈ π and for some k ≥ i =⇒ π |= GFC =⇒ M |= GFT → GFC.
let M |= G(T → FC).
Some LTL Model Checking Examples Example: G(T → FC) vs. GFT → GFC
G(T → FC) =⇒ GFT → GFC ? YES: if M |= G(T → FC), then M |= GFT → GFC !
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 54 / 108 let π ∈ M s.t. π |= GFT =⇒ π, si |= FT for each si ∈ π =⇒ π, sj |= T for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sj |= FC for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sk |= C for each si ∈ π, for some sj ∈ π s.t.j ≥ i and for some k ≥ j =⇒ π, sk |= C for each si ∈ π and for some k ≥ i =⇒ π |= GFC =⇒ M |= GFT → GFC.
Some LTL Model Checking Examples Example: G(T → FC) vs. GFT → GFC
G(T → FC) =⇒ GFT → GFC ? YES: if M |= G(T → FC), then M |= GFT → GFC ! let M |= G(T → FC).
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 54 / 108 =⇒ π, si |= FT for each si ∈ π =⇒ π, sj |= T for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sj |= FC for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sk |= C for each si ∈ π, for some sj ∈ π s.t.j ≥ i and for some k ≥ j =⇒ π, sk |= C for each si ∈ π and for some k ≥ i =⇒ π |= GFC =⇒ M |= GFT → GFC.
Some LTL Model Checking Examples Example: G(T → FC) vs. GFT → GFC
G(T → FC) =⇒ GFT → GFC ? YES: if M |= G(T → FC), then M |= GFT → GFC ! let M |= G(T → FC). let π ∈ M s.t. π |= GFT
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 54 / 108 =⇒ π, sj |= T for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sj |= FC for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sk |= C for each si ∈ π, for some sj ∈ π s.t.j ≥ i and for some k ≥ j =⇒ π, sk |= C for each si ∈ π and for some k ≥ i =⇒ π |= GFC =⇒ M |= GFT → GFC.
Some LTL Model Checking Examples Example: G(T → FC) vs. GFT → GFC
G(T → FC) =⇒ GFT → GFC ? YES: if M |= G(T → FC), then M |= GFT → GFC ! let M |= G(T → FC). let π ∈ M s.t. π |= GFT =⇒ π, si |= FT for each si ∈ π
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 54 / 108 =⇒ π, sj |= FC for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sk |= C for each si ∈ π, for some sj ∈ π s.t.j ≥ i and for some k ≥ j =⇒ π, sk |= C for each si ∈ π and for some k ≥ i =⇒ π |= GFC =⇒ M |= GFT → GFC.
Some LTL Model Checking Examples Example: G(T → FC) vs. GFT → GFC
G(T → FC) =⇒ GFT → GFC ? YES: if M |= G(T → FC), then M |= GFT → GFC ! let M |= G(T → FC). let π ∈ M s.t. π |= GFT =⇒ π, si |= FT for each si ∈ π =⇒ π, sj |= T for each si ∈ π and for some sj ∈ π s.t.j ≥ i
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 54 / 108 =⇒ π, sk |= C for each si ∈ π, for some sj ∈ π s.t.j ≥ i and for some k ≥ j =⇒ π, sk |= C for each si ∈ π and for some k ≥ i =⇒ π |= GFC =⇒ M |= GFT → GFC.
Some LTL Model Checking Examples Example: G(T → FC) vs. GFT → GFC
G(T → FC) =⇒ GFT → GFC ? YES: if M |= G(T → FC), then M |= GFT → GFC ! let M |= G(T → FC). let π ∈ M s.t. π |= GFT =⇒ π, si |= FT for each si ∈ π =⇒ π, sj |= T for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sj |= FC for each si ∈ π and for some sj ∈ π s.t.j ≥ i
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 54 / 108 =⇒ π, sk |= C for each si ∈ π and for some k ≥ i =⇒ π |= GFC =⇒ M |= GFT → GFC.
Some LTL Model Checking Examples Example: G(T → FC) vs. GFT → GFC
G(T → FC) =⇒ GFT → GFC ? YES: if M |= G(T → FC), then M |= GFT → GFC ! let M |= G(T → FC). let π ∈ M s.t. π |= GFT =⇒ π, si |= FT for each si ∈ π =⇒ π, sj |= T for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sj |= FC for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sk |= C for each si ∈ π, for some sj ∈ π s.t.j ≥ i and for some k ≥ j
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 54 / 108 =⇒ π |= GFC =⇒ M |= GFT → GFC.
Some LTL Model Checking Examples Example: G(T → FC) vs. GFT → GFC
G(T → FC) =⇒ GFT → GFC ? YES: if M |= G(T → FC), then M |= GFT → GFC ! let M |= G(T → FC). let π ∈ M s.t. π |= GFT =⇒ π, si |= FT for each si ∈ π =⇒ π, sj |= T for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sj |= FC for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sk |= C for each si ∈ π, for some sj ∈ π s.t.j ≥ i and for some k ≥ j =⇒ π, sk |= C for each si ∈ π and for some k ≥ i
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 54 / 108 =⇒ M |= GFT → GFC.
Some LTL Model Checking Examples Example: G(T → FC) vs. GFT → GFC
G(T → FC) =⇒ GFT → GFC ? YES: if M |= G(T → FC), then M |= GFT → GFC ! let M |= G(T → FC). let π ∈ M s.t. π |= GFT =⇒ π, si |= FT for each si ∈ π =⇒ π, sj |= T for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sj |= FC for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sk |= C for each si ∈ π, for some sj ∈ π s.t.j ≥ i and for some k ≥ j =⇒ π, sk |= C for each si ∈ π and for some k ≥ i =⇒ π |= GFC
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 54 / 108 Some LTL Model Checking Examples Example: G(T → FC) vs. GFT → GFC
G(T → FC) =⇒ GFT → GFC ? YES: if M |= G(T → FC), then M |= GFT → GFC ! let M |= G(T → FC). let π ∈ M s.t. π |= GFT =⇒ π, si |= FT for each si ∈ π =⇒ π, sj |= T for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sj |= FC for each si ∈ π and for some sj ∈ π s.t.j ≥ i =⇒ π, sk |= C for each si ∈ π, for some sj ∈ π s.t.j ≥ i and for some k ≥ j =⇒ π, sk |= C for each si ∈ π and for some k ≥ i =⇒ π |= GFC =⇒ M |= GFT → GFC.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 54 / 108 NO!. Counter example:
GFT → GFC is satisfied G(T → FC) is not satisfied (Counter-example proposed by the student Vaishak Belle, 2008)
Some LTL Model Checking Examples Example: G(T → FC) vs. GFT → GFC
G(T → FC) ⇐= GFT → GFC ?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 55 / 108 Counter example:
GFT → GFC is satisfied G(T → FC) is not satisfied (Counter-example proposed by the student Vaishak Belle, 2008)
Some LTL Model Checking Examples Example: G(T → FC) vs. GFT → GFC
G(T → FC) ⇐= GFT → GFC ? NO!.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 55 / 108 Some LTL Model Checking Examples Example: G(T → FC) vs. GFT → GFC
G(T → FC) ⇐= GFT → GFC ? NO!. Counter example:
¬C, T ¬C, ¬T
GFT → GFC is satisfied G(T → FC) is not satisfied (Counter-example proposed by the student Vaishak Belle, 2008)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 55 / 108 Computation Tree Logic – CTL Outline
1 Some background on Boolean Logic
2 Generalities on temporal logics
3 Linear Temporal Logic – LTL
4 Some LTL Model Checking Examples
5 Computation Tree Logic – CTL
6 Some CTL Model Checking Examples
7 LTL vs. CTL
8 Fairness & Fair Kripke Models
9 Exercises
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 56 / 108 if ϕ1 and ϕ2 are CTL formulae, then ¬ϕ1, ϕ1 ∧ ϕ2, ϕ1 ∨ ϕ2, ϕ1 → ϕ2, ϕ1 ↔ ϕ2 are CTL formulae;
if ϕ1 and ϕ2 are CTL formulae, then AXϕ1, A(ϕ1Uϕ2), AGϕ1, AFϕ1, EXϕ1, E(ϕ1Uϕ2), EGϕ1, EFϕ1,, are CTL formulae. (E(ϕ1Rϕ2) and A(ϕ1Rϕ2) never used in practice.)
Computation Tree Logic – CTL Computational Tree Logic (CTL): Syntax
An atomic proposition is a CTL formula;
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 57 / 108 if ϕ1 and ϕ2 are CTL formulae, then AXϕ1, A(ϕ1Uϕ2), AGϕ1, AFϕ1, EXϕ1, E(ϕ1Uϕ2), EGϕ1, EFϕ1,, are CTL formulae. (E(ϕ1Rϕ2) and A(ϕ1Rϕ2) never used in practice.)
Computation Tree Logic – CTL Computational Tree Logic (CTL): Syntax
An atomic proposition is a CTL formula;
if ϕ1 and ϕ2 are CTL formulae, then ¬ϕ1, ϕ1 ∧ ϕ2, ϕ1 ∨ ϕ2, ϕ1 → ϕ2, ϕ1 ↔ ϕ2 are CTL formulae;
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 57 / 108 Computation Tree Logic – CTL Computational Tree Logic (CTL): Syntax
An atomic proposition is a CTL formula;
if ϕ1 and ϕ2 are CTL formulae, then ¬ϕ1, ϕ1 ∧ ϕ2, ϕ1 ∨ ϕ2, ϕ1 → ϕ2, ϕ1 ↔ ϕ2 are CTL formulae;
if ϕ1 and ϕ2 are CTL formulae, then AXϕ1, A(ϕ1Uϕ2), AGϕ1, AFϕ1, EXϕ1, E(ϕ1Uϕ2), EGϕ1, EFϕ1,, are CTL formulae. (E(ϕ1Rϕ2) and A(ϕ1Rϕ2) never used in practice.)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 57 / 108 Computation Tree Logic – CTL CTL semantics: intuitions
CTL is given by the standard boolean logic enhanced with the operators AX, AG, AF, AU, EX, EG, EF, EU:
“Necessarily Next” AX: AXϕ is true in st iff ϕ is true in every successor state st+1
“Possibly Next” EX: EXϕ is true in st iff ϕ is true in one successor state st+1
“Necessarily in the future” (or “Inevitably”) AF: AFϕ is true in st iff 0 ϕ is inevitably true in some st0 with t ≥ t
“Possibly in the future” (or “Possibly”) EF: EFϕ is true in st iff ϕ 0 may be true in some st0 with t ≥ t
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 58 / 108 Computation Tree Logic – CTL CTL semantics: intuitions [cont.]
“Globally” (or “always”) AG: AGϕ is true in st iff ϕ is true in all st0 with t0 ≥ t
“Possibly henceforth” EG: EGϕ is true in st iff ϕ is possibly true henceforth
“Necessarily Until” AU: A(ϕUψ) is true in st iff necessarily ϕ holds until ψ holds.
“Possibly Until” EU: E(ϕUψ) is true in st iff possibly ϕ holds until ψ holds.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 59 / 108 Computation Tree Logic – CTL CTL semantics: intuitions [cont.]
until q finally P globally P next P P
AFP AGP AXP A[P U q ]
EFP EGP EXP E[P U q ]
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 60 / 108 Computation Tree Logic – CTL CTL Formal Semantics Let (si , si+1,...) be a path outgoing from state si in M
M, si |= a iff a ∈ L(si ) M, si |= ¬ϕ iff M, si 6|= ϕ M, si |= ϕ ∨ ψ iff M, si |= ϕ or M, si |= ψ M, si |= AXϕ iff for all (si , si+1,...), M, si+1 |= ϕ M, si |= EXϕ iff for some (si , si+1,...), M, si+1 |= ϕ M, si |= AGϕ iff for all (si , si+1,...), for all j ≥ i.M, sj |= ϕ M, si |= EGϕ iff for some (si , si+1,...), for all j ≥ i.M, sj |= ϕ M, si |= AFϕ iff for all (si , si+1,...), for some j ≥ i.M, sj |= ϕ M, si |= EFϕ iff for some (si , si+1,...), for some j ≥ i.M, sj |= ϕ M, si |= A(ϕUψ) iff for all (si , si+1,...), for some j ≥ i. (M, sj |= ψ and forall k s.t. i ≤ k < j.M, sk |= ϕ) M, si |= E(ϕUψ) iff for some (si , si+1,...), for some j ≥ i. (M, sj |= ψ and forall k s.t. i ≤ k < j.M, sk |= ϕ)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 61 / 108 Every temporal operator (F, G, X, U) is preceded by a path quantifier (A or E). Universal modalities (AF, AG, AX, AU): the temporal formula is true in all the paths starting in the current state. Existential modalities (EF, EG, EX, EU): the temporal formula is true in some path starting in the current state.
Computation Tree Logic – CTL Formal Semantics (cont.)
CTL properties (e.g. AFdone) are evaluated over trees.
!done
!done done
!done done done
!done done !done done done done
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 62 / 108 Universal modalities (AF, AG, AX, AU): the temporal formula is true in all the paths starting in the current state. Existential modalities (EF, EG, EX, EU): the temporal formula is true in some path starting in the current state.
Computation Tree Logic – CTL Formal Semantics (cont.)
CTL properties (e.g. AFdone) are evaluated over trees.
!done
!done done
!done done done
!done done !done done done done
Every temporal operator (F, G, X, U) is preceded by a path quantifier (A or E).
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 62 / 108 Existential modalities (EF, EG, EX, EU): the temporal formula is true in some path starting in the current state.
Computation Tree Logic – CTL Formal Semantics (cont.)
CTL properties (e.g. AFdone) are evaluated over trees.
!done
!done done
!done done done
!done done !done done done done
Every temporal operator (F, G, X, U) is preceded by a path quantifier (A or E). Universal modalities (AF, AG, AX, AU): the temporal formula is true in all the paths starting in the current state.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 62 / 108 Computation Tree Logic – CTL Formal Semantics (cont.)
CTL properties (e.g. AFdone) are evaluated over trees.
!done
!done done
!done done done
!done done !done done done done
Every temporal operator (F, G, X, U) is preceded by a path quantifier (A or E). Universal modalities (AF, AG, AX, AU): the temporal formula is true in all the paths starting in the current state. Existential modalities (EF, EG, EX, EU): the temporal formula is true in some path starting in the current state.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 62 / 108 E.g. if φ is a universal formula A... and two initial states s0, s1 are s.t. M, s0 |= φ and M, s1 6|= φ M 6|= φ =⇒ M |= ¬φ if M has only one initial state
Important Remark M 6|= φ 6=⇒ M |= ¬φ (!!)
Computation Tree Logic – CTL The CTL model checking problem M |= φ
The CTL model checking problem M |= φ M, s |= φ for every initial state s ∈ I of the Kripke structure
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 63 / 108 E.g. if φ is a universal formula A... and two initial states s0, s1 are s.t. M, s0 |= φ and M, s1 6|= φ M 6|= φ =⇒ M |= ¬φ if M has only one initial state
Computation Tree Logic – CTL The CTL model checking problem M |= φ
The CTL model checking problem M |= φ M, s |= φ for every initial state s ∈ I of the Kripke structure
Important Remark M 6|= φ 6=⇒ M |= ¬φ (!!)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 63 / 108 M 6|= φ =⇒ M |= ¬φ if M has only one initial state
Computation Tree Logic – CTL The CTL model checking problem M |= φ
The CTL model checking problem M |= φ M, s |= φ for every initial state s ∈ I of the Kripke structure
Important Remark M 6|= φ 6=⇒ M |= ¬φ (!!)
E.g. if φ is a universal formula A... and two initial states s0, s1 are s.t. M, s0 |= φ and M, s1 6|= φ
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 63 / 108 Computation Tree Logic – CTL The CTL model checking problem M |= φ
The CTL model checking problem M |= φ M, s |= φ for every initial state s ∈ I of the Kripke structure
Important Remark M 6|= φ 6=⇒ M |= ¬φ (!!)
E.g. if φ is a universal formula A... and two initial states s0, s1 are s.t. M, s0 |= φ and M, s1 6|= φ M 6|= φ =⇒ M |= ¬φ if M has only one initial state
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 63 / 108 Computation Tree Logic – CTL Example: M 6|= φ 6=⇒ M |= ¬φ
M 6|= AGp, in fact:
M, s1 6|= AGp ¬p¬q (e.g., {s1, ...} is a s1 counter-example) pq M, s |= AGp 2 s0 M 6|= ¬AGp, in fact:
M, s1 |= ¬AGp p¬q (i.e., M, s |= EF¬p) 1 s2 M, s2 6|= ¬AGp (i.e., M, s2 6|= EF¬p)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 64 / 108 Note CTL can be defined in terms of ∧, ¬, EX, EG, EU only
Exercise:
prove that A(ϕ1Uϕ2) ⇐⇒ ¬EG¬ϕ2 ∧ ¬E(¬ϕ2U(¬ϕ1 ∧ ¬ϕ2))
Computation Tree Logic – CTL Syntactic properties of CTL operators
ϕ1 ∨ ϕ2 ⇐⇒¬ (¬ϕ1 ∧ ¬ϕ2) ... A(ϕ1Uϕ2) ⇐⇒¬ E(¬ϕ2U(¬ϕ1 ∧ ¬ϕ2)) ∧ ¬EG¬ϕ2 EF ϕ1 ⇐⇒ E(>Uϕ1) AGϕ1 ⇐⇒¬ EF¬ϕ1 AF ϕ1 ⇐⇒¬ EG¬ϕ1 AXϕ1 ⇐⇒¬ EX¬ϕ1
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 65 / 108 Exercise:
prove that A(ϕ1Uϕ2) ⇐⇒ ¬EG¬ϕ2 ∧ ¬E(¬ϕ2U(¬ϕ1 ∧ ¬ϕ2))
Computation Tree Logic – CTL Syntactic properties of CTL operators
ϕ1 ∨ ϕ2 ⇐⇒¬ (¬ϕ1 ∧ ¬ϕ2) ... A(ϕ1Uϕ2) ⇐⇒¬ E(¬ϕ2U(¬ϕ1 ∧ ¬ϕ2)) ∧ ¬EG¬ϕ2 EF ϕ1 ⇐⇒ E(>Uϕ1) AGϕ1 ⇐⇒¬ EF¬ϕ1 AF ϕ1 ⇐⇒¬ EG¬ϕ1 AXϕ1 ⇐⇒¬ EX¬ϕ1
Note CTL can be defined in terms of ∧, ¬, EX, EG, EU only
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 65 / 108 Computation Tree Logic – CTL Syntactic properties of CTL operators
ϕ1 ∨ ϕ2 ⇐⇒¬ (¬ϕ1 ∧ ¬ϕ2) ... A(ϕ1Uϕ2) ⇐⇒¬ E(¬ϕ2U(¬ϕ1 ∧ ¬ϕ2)) ∧ ¬EG¬ϕ2 EF ϕ1 ⇐⇒ E(>Uϕ1) AGϕ1 ⇐⇒¬ EF¬ϕ1 AF ϕ1 ⇐⇒¬ EG¬ϕ1 AXϕ1 ⇐⇒¬ EX¬ϕ1
Note CTL can be defined in terms of ∧, ¬, EX, EG, EU only
Exercise:
prove that A(ϕ1Uϕ2) ⇐⇒ ¬EG¬ϕ2 ∧ ¬E(¬ϕ2U(¬ϕ1 ∧ ¬ϕ2))
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 65 / 108 Computation Tree Logic – CTL Strength of CTL operators
A[OP]ϕ |= E[OP]ϕ, s.t. [OP] ∈ {X, F, G, U} AGϕ |= ϕ |= AFϕ , EGϕ |= ϕ |= EFϕ AGϕ |= AXϕ |= AFϕ , EGϕ |= EXϕ |= EFϕ AGϕ |= AX...AXϕ |= AFϕ , EGϕ |= EX...EXϕ |= EFϕ A(ϕUψ) |= AFψ, E(ϕUψ) |= EFψ
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 66 / 108 Computation Tree Logic – CTL CTL tableaux rules
Let ϕ1 and ϕ2 be CTL formulae: AFϕ1 ⇐⇒ (ϕ1 ∨ AXAFϕ1) AGϕ1 ⇐⇒ (ϕ1 ∧ AXAGϕ1) A(ϕ1Uϕ2) ⇐⇒ (ϕ2 ∨ (ϕ1 ∧ AXA(ϕ1Uϕ2))) EFϕ1 ⇐⇒ (ϕ1 ∨ EXEFϕ1) EGϕ1 ⇐⇒ (ϕ1 ∧ EXEGϕ1) E(ϕ1Uϕ2) ⇐⇒ (ϕ2 ∨ (ϕ1 ∧ EXE(ϕ1Uϕ2))) Recursive definitions of AF, AG, AU, EF, EG, EU. If applied recursively, rewrite a CTL formula in terms of atomic, AX- and EX-formulas:
A(pUq) ∧ (EG¬p) =⇒ (q ∨ (p ∧ AXA(pUq))) ∧ (¬p ∧ EXEG¬p)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 67 / 108 Computation Tree Logic – CTL Tableaux rules: a quote
“After all... tomorrow is another day." [Scarlett O’Hara, “Gone with the Wind”] Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 68 / 108 Some CTL Model Checking Examples Outline
1 Some background on Boolean Logic
2 Generalities on temporal logics
3 Linear Temporal Logic – LTL
4 Some LTL Model Checking Examples
5 Computation Tree Logic – CTL
6 Some CTL Model Checking Examples
7 LTL vs. CTL
8 Fairness & Fair Kripke Models
9 Exercises
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 69 / 108 YES: There is no reachable state in which (C1 ∧ C2) holds! (Same as the G¬(C1 ∧ C2) in LTL.)
Some CTL Model Checking Examples Example 1: mutual exclusion (safety)
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= AG¬(C1 ∧ C2)?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 70 / 108 Some CTL Model Checking Examples Example 1: mutual exclusion (safety)
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= AG¬(C1 ∧ C2)?
YES: There is no reachable state in which (C1 ∧ C2) holds! (Same as the G¬(C1 ∧ C2) in LTL.)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 70 / 108 YES: every path starting from each state where T1 holds passes through a state where C1 holds (Same as G(T1 → FC1) in LTL.)
Some CTL Model Checking Examples Example 2: liveness
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= AG(T1 → AF C1)?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 71 / 108 Some CTL Model Checking Examples Example 2: liveness
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= AG(T1 → AF C1)?
YES: every path starting from each state where T1 holds passes through a state where C1 holds (Same as G(T1 → FC1) in LTL.) Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 71 / 108 NO: e.g., in the initial state, there is an infinite cyclic solution in which C1 never holds! (Same as GFC1 in LTL.)
Some CTL Model Checking Examples Example 3: fairness
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= AGAFC1 ?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 72 / 108 Some CTL Model Checking Examples Example 3: fairness
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= AGAFC1 ? NO: e.g., in the initial state, there is an infinite cyclic solution in which C1 never holds! (Same as GFC1 in LTL.)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 72 / 108 NO: there is an infinite 8-shaped cyclic solution in which (turn = 0) never holds!
Some CTL Model Checking Examples Example 3: fairness (2)
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2 M |= AGAF(turn = 0)?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 73 / 108 Some CTL Model Checking Examples Example 3: fairness (2)
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2 M |= AGAF(turn = 0)? NO: there is an infinite 8-shaped cyclic solution in which (turn = 0) never holds!
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 73 / 108 YES: from each state where N1 holds there is a path leading to a state where T1 holds (No corresponding LTL formula.)
Some CTL Model Checking Examples Example 4: blocking
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= AG(N1 → EF T1)?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 74 / 108 Some CTL Model Checking Examples Example 4: blocking
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= AG(N1 → EF T1)?
YES: from each state where N1 holds there is a path leading to a state where T1 holds (No corresponding LTL formula.) Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 74 / 108 NO: e.g., in the initial state, there is an infinite cyclic solution in which N1 holds and T1 never holds! (Same as LTL formula G(N1 → FT1).)
Some CTL Model Checking Examples Example 5: blocking (2)
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= AG(N1 → AF T1)?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 75 / 108 Some CTL Model Checking Examples Example 5: blocking (2)
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= AG(N1 → AF T1)? NO: e.g., in the initial state, there is an infinite cyclic solution in which N1 holds and T1 never holds! (Same as LTL formula G(N1 → FT1).) Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 75 / 108 YES: there is an infinite cyclic solution where N1 always holds (No corresponding LTL formula.)
Some CTL Model Checking Examples Example 6:
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= EGN1 ?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 76 / 108 Some CTL Model Checking Examples Example 6:
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= EGN1 ?
YES: there is an infinite cyclic solution where N1 always holds (No corresponding LTL formula.)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 76 / 108 YES: there is an infinite cyclic solution where N1 always holds, and from every state you necessarily reach one state of such cycle (No corresponding LTL formula.)
Some CTL Model Checking Examples Example 7:
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= AFEGN1 ?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 77 / 108 Some CTL Model Checking Examples Example 7:
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= AFEGN1 ?
YES: there is an infinite cyclic solution where N1 always holds, and from every state you necessarily reach one state of such cycle (No corresponding LTL formula.) Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 77 / 108 LTL vs. CTL Outline
1 Some background on Boolean Logic
2 Generalities on temporal logics
3 Linear Temporal Logic – LTL
4 Some LTL Model Checking Examples
5 Computation Tree Logic – CTL
6 Some CTL Model Checking Examples
7 LTL vs. CTL
8 Fairness & Fair Kripke Models
9 Exercises
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 78 / 108 many LTL formulas cannot be expressed in CTL (e.g. fairness LTL formulas) E.g., GFT1 → GFC1, FGϕ some formulas can be expressed both in LTL and in CTL (typically LTL formulas with operators of nesting depth 1, and/or with operators occurring positively) E.g., G¬(C1 ∧ C2), FC1, G(T1 → FC1), GFC1
LTL vs. CTL LTL vs. CTL: expressiveness
many CTL formulas cannot be expressed in LTL (e.g., those containing existentially quantified subformulas) E.g., AG(N1 → EFT1), AFAGϕ
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 79 / 108 some formulas can be expressed both in LTL and in CTL (typically LTL formulas with operators of nesting depth 1, and/or with operators occurring positively) E.g., G¬(C1 ∧ C2), FC1, G(T1 → FC1), GFC1
LTL vs. CTL LTL vs. CTL: expressiveness
many CTL formulas cannot be expressed in LTL (e.g., those containing existentially quantified subformulas) E.g., AG(N1 → EFT1), AFAGϕ many LTL formulas cannot be expressed in CTL (e.g. fairness LTL formulas) E.g., GFT1 → GFC1, FGϕ
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 79 / 108 LTL vs. CTL LTL vs. CTL: expressiveness
many CTL formulas cannot be expressed in LTL (e.g., those containing existentially quantified subformulas) E.g., AG(N1 → EFT1), AFAGϕ many LTL formulas cannot be expressed in CTL (e.g. fairness LTL formulas) E.g., GFT1 → GFC1, FGϕ some formulas can be expressed both in LTL and in CTL (typically LTL formulas with operators of nesting depth 1, and/or with operators occurring positively) E.g., G¬(C1 ∧ C2), FC1, G(T1 → FC1), GFC1
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 79 / 108 LTL vs. CTL LTL vs. CTL: expressiveness
many CTL formulas cannot be expressed in LTL (e.g., those containing existentially quantified subformulas) E.g., AG(N1 → EFT1), AFAGϕ many LTL formulas cannot be expressed in CTL (e.g. fairness LTL formulas) E.g., GFT1 → GFC1, FGϕ some formulas can be expressed both in LTL and in CTL (typically LTL formulas with operators of nesting depth 1, and/or with operators occurring positively) E.g., G¬(C1 ∧ C2), FC1, G(T1 → FC1), GFC1
LTL CTL
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 79 / 108 LTL vs. CTL Example: AFAGp vs. FGp
(Example developed by the students Andrea Mattioli and Mirko Boniatti, 2005.)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 80 / 108 CTL M.C. problems are typically handled with symbolic M.C. approaches (Clarke & McMillan) LTL M.C. problems can be reduced to CTL M.C. problems under fairness constraints (Clarke et al.)
LTL vs. CTL LTL vs. CTL: M.C. Algorithms
LTL M.C. problems are typically handled with automata- based M.C. approaches (Wolper & Vardi)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 81 / 108 LTL M.C. problems can be reduced to CTL M.C. problems under fairness constraints (Clarke et al.)
LTL vs. CTL LTL vs. CTL: M.C. Algorithms
LTL M.C. problems are typically handled with automata- based M.C. approaches (Wolper & Vardi) CTL M.C. problems are typically handled with symbolic M.C. approaches (Clarke & McMillan)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 81 / 108 LTL vs. CTL LTL vs. CTL: M.C. Algorithms
LTL M.C. problems are typically handled with automata- based M.C. approaches (Wolper & Vardi) CTL M.C. problems are typically handled with symbolic M.C. approaches (Clarke & McMillan) LTL M.C. problems can be reduced to CTL M.C. problems under fairness constraints (Clarke et al.)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 81 / 108 Semantics: A, E, X, G, F, U as in CTL A, E: quantify on paths (as in CTL) X, G, F, U: (as in LTL) as in CTL, but X, G, F, U not necessarily preceded by A,E
LTL vs. CTL CTL*
Syntax: let p’s, ϕ’s, ψ’s being propositions, state formulae and path formulae respectively: p, ¬ϕ, ϕ1 ∧ ϕ2, Aψ, Eψ are state formulae (properties of the set of paths starting from a state) ϕ, ¬ψ, ψ1 ∧ ψ2, Xψ, Gψ, Fψ, ψ1Uψ2 are path formulae (properties of a path)
Remark In principle in CTL* one may have sequences of nested path quantifiers. In such case, the most internal one dominates:
M, s |= AEψ iff M, s |= Eψ, M, s |= EAψ iff M, s |= Aψ.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 82 / 108 LTL vs. CTL CTL*
Syntax: let p’s, ϕ’s, ψ’s being propositions, state formulae and path formulae respectively: p, ¬ϕ, ϕ1 ∧ ϕ2, Aψ, Eψ are state formulae (properties of the set of paths starting from a state) ϕ, ¬ψ, ψ1 ∧ ψ2, Xψ, Gψ, Fψ, ψ1Uψ2 are path formulae (properties of a path) Semantics: A, E, X, G, F, U as in CTL A, E: quantify on paths (as in CTL) X, G, F, U: (as in LTL) as in CTL, but X, G, F, U not necessarily preceded by A,E
Remark In principle in CTL* one may have sequences of nested path quantifiers. In such case, the most internal one dominates:
M, s |= AEψ iff M, s |= Eψ, M, s |= EAψ iff M, s |= Aψ.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 82 / 108 ϕ in CTL =⇒ ϕ in CTL* (e.g., AG(N1 → EFT1)
ϕ in LTL =⇒ Aϕ in CTL* (e.g., A(GFT1 → GFC1) LTL ∪ CTL ⊂ CTL* (e.g., E(GFp → GFq) )
LTL vs. CTL CTL* vs LTL & CTL
CTL* subsumes both CTL and LTL
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 83 / 108 ϕ in LTL =⇒ Aϕ in CTL* (e.g., A(GFT1 → GFC1) LTL ∪ CTL ⊂ CTL* (e.g., E(GFp → GFq) )
LTL vs. CTL CTL* vs LTL & CTL
CTL* subsumes both CTL and LTL
ϕ in CTL =⇒ ϕ in CTL* (e.g., AG(N1 → EFT1)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 83 / 108 LTL ∪ CTL ⊂ CTL* (e.g., E(GFp → GFq) )
LTL vs. CTL CTL* vs LTL & CTL
CTL* subsumes both CTL and LTL
ϕ in CTL =⇒ ϕ in CTL* (e.g., AG(N1 → EFT1)
ϕ in LTL =⇒ Aϕ in CTL* (e.g., A(GFT1 → GFC1)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 83 / 108 LTL vs. CTL CTL* vs LTL & CTL
CTL* subsumes both CTL and LTL
ϕ in CTL =⇒ ϕ in CTL* (e.g., AG(N1 → EFT1)
ϕ in LTL =⇒ Aϕ in CTL* (e.g., A(GFT1 → GFC1) LTL ∪ CTL ⊂ CTL* (e.g., E(GFp → GFq) )
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 83 / 108 LTL vs. CTL CTL* vs LTL & CTL
CTL* subsumes both CTL and LTL
ϕ in CTL =⇒ ϕ in CTL* (e.g., AG(N1 → EFT1)
ϕ in LTL =⇒ Aϕ in CTL* (e.g., A(GFT1 → GFC1) LTL ∪ CTL ⊂ CTL* (e.g., E(GFp → GFq) )
CTL*
LTL CTL
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 83 / 108 LTL vs. CTL “You have no respect for logic. (...) I have no respect for those who have no respect for logic.” https://www.youtube.com/watch?v=uGstM8QMCjQ
(Arnold Schwarzenegger in “Twins”)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 84 / 108 Fairness & Fair Kripke Models Outline
1 Some background on Boolean Logic
2 Generalities on temporal logics
3 Linear Temporal Logic – LTL
4 Some LTL Model Checking Examples
5 Computation Tree Logic – CTL
6 Some CTL Model Checking Examples
7 LTL vs. CTL
8 Fairness & Fair Kripke Models
9 Exercises
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 85 / 108 No: in principle, somebody might remain in the restroom forever, hindering the access to everybody else in practice, it is considered reasonable to assume that everybody exits the restroom after a finite amount of time
Does this policy guarantee that everybody entering the queue will eventually access the restroom?
=⇒ it is reasonable enough to assume the protocol suitable under the condition that each user is infinitely often outside the restroom such a condition is called fairness condition
Fairness & Fair Kripke Models The need for fairness conditions: intuition
Consider a public restroom. A standard access policy is “first come first served” (e.g., a queue-based protocol).
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 86 / 108 No: in principle, somebody might remain in the restroom forever, hindering the access to everybody else in practice, it is considered reasonable to assume that everybody exits the restroom after a finite amount of time =⇒ it is reasonable enough to assume the protocol suitable under the condition that each user is infinitely often outside the restroom such a condition is called fairness condition
Fairness & Fair Kripke Models The need for fairness conditions: intuition
Consider a public restroom. A standard access policy is “first come first served” (e.g., a queue-based protocol). Does this policy guarantee that everybody entering the queue will eventually access the restroom?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 86 / 108 in practice, it is considered reasonable to assume that everybody exits the restroom after a finite amount of time =⇒ it is reasonable enough to assume the protocol suitable under the condition that each user is infinitely often outside the restroom such a condition is called fairness condition
Fairness & Fair Kripke Models The need for fairness conditions: intuition
Consider a public restroom. A standard access policy is “first come first served” (e.g., a queue-based protocol). Does this policy guarantee that everybody entering the queue will eventually access the restroom? No: in principle, somebody might remain in the restroom forever, hindering the access to everybody else
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 86 / 108 =⇒ it is reasonable enough to assume the protocol suitable under the condition that each user is infinitely often outside the restroom such a condition is called fairness condition
Fairness & Fair Kripke Models The need for fairness conditions: intuition
Consider a public restroom. A standard access policy is “first come first served” (e.g., a queue-based protocol). Does this policy guarantee that everybody entering the queue will eventually access the restroom? No: in principle, somebody might remain in the restroom forever, hindering the access to everybody else in practice, it is considered reasonable to assume that everybody exits the restroom after a finite amount of time
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 86 / 108 such a condition is called fairness condition
Fairness & Fair Kripke Models The need for fairness conditions: intuition
Consider a public restroom. A standard access policy is “first come first served” (e.g., a queue-based protocol). Does this policy guarantee that everybody entering the queue will eventually access the restroom? No: in principle, somebody might remain in the restroom forever, hindering the access to everybody else in practice, it is considered reasonable to assume that everybody exits the restroom after a finite amount of time =⇒ it is reasonable enough to assume the protocol suitable under the condition that each user is infinitely often outside the restroom
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 86 / 108 Fairness & Fair Kripke Models The need for fairness conditions: intuition
Consider a public restroom. A standard access policy is “first come first served” (e.g., a queue-based protocol). Does this policy guarantee that everybody entering the queue will eventually access the restroom? No: in principle, somebody might remain in the restroom forever, hindering the access to everybody else in practice, it is considered reasonable to assume that everybody exits the restroom after a finite amount of time =⇒ it is reasonable enough to assume the protocol suitable under the condition that each user is infinitely often outside the restroom such a condition is called fairness condition
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 86 / 108 Do M |= AG(T1 → AFC1), M |= AG(T2 → AFC2) still hold?
Fairness & Fair Kripke Models The need for fairness conditions: an example
Consider a variant of the mutual exclusion in which one process can stay permanently in the critical zone
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 87 / 108 Fairness & Fair Kripke Models The need for fairness conditions: an example
Consider a variant of the mutual exclusion in which one process can stay permanently in the critical zone
Do M |= AG(T1 → AFC1), M |= AG(T2 → AFC2) still hold?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 87 / 108 Fairness & Fair Kripke Models The need for fairness conditions: an example [cont.]
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= AG(T1 → AFC1) M |= AG(T2 → AFC2)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 88 / 108 Fairness & Fair Kripke Models The need for fairness conditions: an example [cont.]
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
M |= AG(T1 → AFC1)? M |= AG(T2 → AFC2)?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 89 / 108 Fairness & Fair Kripke Models The need for fairness conditions: an example [cont.]
N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
AG(T1 → AFC1)? AG(T2 → AFC2)? NO: E.g., it can cycle forever in {C1, T2, turn = 1} =⇒ Unfair protocol: one process might never be served
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 90 / 108 AGAFϕ (GFϕ) is called fairness conditions Intuitively, fairness conditions are used to eliminate behaviours in which a certain condition ϕ never holds:
¬EFEG¬ϕ
(“it is never reached a state from which ϕ is forever false”) Example: it is not desirable that, once a process is in the critical section, it never exits: AGAF¬C1 (¬EFEGC1)
A fair condition ϕi can be represented also by the set fi of states where ϕi holds (fi := {s : M, s |= ϕi })
Fairness & Fair Kripke Models Fairness conditions
It is desirable that certain (typically Boolean) conditions ϕ’s hold infinitely often: AGAFϕ (GFϕ in LTL)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 91 / 108 Intuitively, fairness conditions are used to eliminate behaviours in which a certain condition ϕ never holds:
¬EFEG¬ϕ
(“it is never reached a state from which ϕ is forever false”) Example: it is not desirable that, once a process is in the critical section, it never exits: AGAF¬C1 (¬EFEGC1)
A fair condition ϕi can be represented also by the set fi of states where ϕi holds (fi := {s : M, s |= ϕi })
Fairness & Fair Kripke Models Fairness conditions
It is desirable that certain (typically Boolean) conditions ϕ’s hold infinitely often: AGAFϕ (GFϕ in LTL) AGAFϕ (GFϕ) is called fairness conditions
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 91 / 108 Example: it is not desirable that, once a process is in the critical section, it never exits: AGAF¬C1 (¬EFEGC1)
A fair condition ϕi can be represented also by the set fi of states where ϕi holds (fi := {s : M, s |= ϕi })
Fairness & Fair Kripke Models Fairness conditions
It is desirable that certain (typically Boolean) conditions ϕ’s hold infinitely often: AGAFϕ (GFϕ in LTL) AGAFϕ (GFϕ) is called fairness conditions Intuitively, fairness conditions are used to eliminate behaviours in which a certain condition ϕ never holds:
¬EFEG¬ϕ
(“it is never reached a state from which ϕ is forever false”)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 91 / 108 A fair condition ϕi can be represented also by the set fi of states where ϕi holds (fi := {s : M, s |= ϕi })
Fairness & Fair Kripke Models Fairness conditions
It is desirable that certain (typically Boolean) conditions ϕ’s hold infinitely often: AGAFϕ (GFϕ in LTL) AGAFϕ (GFϕ) is called fairness conditions Intuitively, fairness conditions are used to eliminate behaviours in which a certain condition ϕ never holds:
¬EFEG¬ϕ
(“it is never reached a state from which ϕ is forever false”) Example: it is not desirable that, once a process is in the critical section, it never exits: AGAF¬C1 (¬EFEGC1)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 91 / 108 Fairness & Fair Kripke Models Fairness conditions
It is desirable that certain (typically Boolean) conditions ϕ’s hold infinitely often: AGAFϕ (GFϕ in LTL) AGAFϕ (GFϕ) is called fairness conditions Intuitively, fairness conditions are used to eliminate behaviours in which a certain condition ϕ never holds:
¬EFEG¬ϕ
(“it is never reached a state from which ϕ is forever false”) Example: it is not desirable that, once a process is in the critical section, it never exits: AGAF¬C1 (¬EFEGC1)
A fair condition ϕi can be represented also by the set fi of states where ϕi holds (fi := {s : M, s |= ϕi })
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 91 / 108 E.g., every path visiting infinitely often state 2 is a fair path.
a set of fairness conditions F = {f1,..., fn}, with fi ⊆ S. E.g., {{2}} := {{s : M, s |= q}} = {GFq} is the set of fairness conditions of the Kripke model above
Fair path π: at least one state for each fi occurs infinitely often in π (ϕi holds infinitely often in π: π |= GFϕi )
Fairness & Fair Kripke Models Fair Kripke models p 1
A Fair Kripke model MF := hS, R, I, AP, L, Fi q consists of 4 2 a set of states S; a set of initial states I ⊆ S; 3 p a set of transitions R ⊆ S × S; a set of atomic propositions AP; a labeling L ⊆ S × AP;
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 92 / 108 E.g., every path visiting infinitely often state 2 is a fair path.
E.g., {{2}} := {{s : M, s |= q}} = {GFq} is the set of fairness conditions of the Kripke model above
Fair path π: at least one state for each fi occurs infinitely often in π (ϕi holds infinitely often in π: π |= GFϕi )
Fairness & Fair Kripke Models Fair Kripke models p 1
A Fair Kripke model MF := hS, R, I, AP, L, Fi q consists of 4 2 a set of states S; a set of initial states I ⊆ S; 3 p a set of transitions R ⊆ S × S; a set of atomic propositions AP; a labeling L ⊆ S × AP; a set of fairness conditions F = {f1,..., fn}, with fi ⊆ S.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 92 / 108 E.g., every path visiting infinitely often state 2 is a fair path.
Fair path π: at least one state for each fi occurs infinitely often in π (ϕi holds infinitely often in π: π |= GFϕi )
Fairness & Fair Kripke Models Fair Kripke models p 1
A Fair Kripke model MF := hS, R, I, AP, L, Fi q consists of 4 2 a set of states S; a set of initial states I ⊆ S; 3 p a set of transitions R ⊆ S × S; a set of atomic propositions AP; a labeling L ⊆ S × AP; a set of fairness conditions F = {f1,..., fn}, with fi ⊆ S. E.g., {{2}} := {{s : M, s |= q}} = {GFq} is the set of fairness conditions of the Kripke model above
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 92 / 108 E.g., every path visiting infinitely often state 2 is a fair path.
Fairness & Fair Kripke Models Fair Kripke models p 1
A Fair Kripke model MF := hS, R, I, AP, L, Fi q consists of 4 2 a set of states S; a set of initial states I ⊆ S; 3 p a set of transitions R ⊆ S × S; a set of atomic propositions AP; a labeling L ⊆ S × AP; a set of fairness conditions F = {f1,..., fn}, with fi ⊆ S. E.g., {{2}} := {{s : M, s |= q}} = {GFq} is the set of fairness conditions of the Kripke model above
Fair path π: at least one state for each fi occurs infinitely often in π (ϕi holds infinitely often in π: π |= GFϕi )
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 92 / 108 Fairness & Fair Kripke Models Fair Kripke models p 1
A Fair Kripke model MF := hS, R, I, AP, L, Fi q consists of 4 2 a set of states S; a set of initial states I ⊆ S; 3 p a set of transitions R ⊆ S × S; a set of atomic propositions AP; a labeling L ⊆ S × AP; a set of fairness conditions F = {f1,..., fn}, with fi ⊆ S. E.g., {{2}} := {{s : M, s |= q}} = {GFq} is the set of fairness conditions of the Kripke model above
Fair path π: at least one state for each fi occurs infinitely often in π (ϕi holds infinitely often in π: π |= GFϕi ) E.g., every path visiting infinitely often state 2 is a fair path.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 92 / 108 Path quantifiers apply only to fair paths:
MF , s |= Aϕ iff π, s |= ϕ for every fair path π s.t. s ∈ π MF , s |= Eϕ iff π, s |= ϕ for some fair path π s.t. s ∈ π Fair state: a state from which at least one fair path originates, that is, a state s is a fair state in MF iff MF , s |= EGtrue.
Fairness & Fair Kripke Models CTL M.C. with Fair Kripke Models
Fair Kripke Models restrict the M.C. process to fair paths:
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 93 / 108 Fair state: a state from which at least one fair path originates, that is, a state s is a fair state in MF iff MF , s |= EGtrue.
Fairness & Fair Kripke Models CTL M.C. with Fair Kripke Models
Fair Kripke Models restrict the M.C. process to fair paths: Path quantifiers apply only to fair paths:
MF , s |= Aϕ iff π, s |= ϕ for every fair path π s.t. s ∈ π MF , s |= Eϕ iff π, s |= ϕ for some fair path π s.t. s ∈ π
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 93 / 108 Fairness & Fair Kripke Models CTL M.C. with Fair Kripke Models
Fair Kripke Models restrict the M.C. process to fair paths: Path quantifiers apply only to fair paths:
MF , s |= Aϕ iff π, s |= ϕ for every fair path π s.t. s ∈ π MF , s |= Eϕ iff π, s |= ϕ for some fair path π s.t. s ∈ π Fair state: a state from which at least one fair path originates, that is, a state s is a fair state in MF iff MF , s |= EGtrue.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 93 / 108 YES: every fair path satisfies the conditions
Fairness & Fair Kripke Models Fairness: example F := {{ not C1},{not C2}}
N1, N2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
not C2 not C1
MF |= AG(T1 → AFC1)? MF |= AG(T2 → AFC2)?
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 94 / 108 Fairness & Fair Kripke Models Fairness: example F := {{ not C1},{not C2}}
N1, N2 turn=0
T1, N2 N1, T2 turn=1 turn=2
C1, N2 T1, T2 T1, T2 N1, C2 turn=1 turn=1 turn=2 turn=2
C1, T2 T1, C2 turn=1 turn=2
not C2 not C1
MF |= AG(T1 → AFC1)? MF |= AG(T2 → AFC2)? YES: every fair path satisfies the conditions
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 94 / 108 Remark: fair LTL M.C. When model checking an LTL formula ψ, fairness conditions can be encoded into the formula itself:
n ^ M{f1,...,fn} |= ψ ⇐⇒ M |= ( GFfi ) → ψ. i=1
Fairness & Fair Kripke Models CTL M.C. vs. LTL M.C. with Fair Kripke Models
Remark: fair CTL M.C. When model checking a CTL formula ψ, fairness conditions cannot be encoded into the formula itself:
n ^ M{f1,...,fn} |= ψ 6⇐⇒ M |= ( AGAFfi ) → ψ. i=1
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 95 / 108 Fairness & Fair Kripke Models CTL M.C. vs. LTL M.C. with Fair Kripke Models
Remark: fair CTL M.C. When model checking a CTL formula ψ, fairness conditions cannot be encoded into the formula itself:
n ^ M{f1,...,fn} |= ψ 6⇐⇒ M |= ( AGAFfi ) → ψ. i=1
Remark: fair LTL M.C. When model checking an LTL formula ψ, fairness conditions can be encoded into the formula itself:
n ^ M{f1,...,fn} |= ψ ⇐⇒ M |= ( GFfi ) → ψ. i=1
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 95 / 108 Fairness & Fair Kripke Models Vn Ex. CTL: M{f1,...,fn} |= ψ 6⇐⇒ M |= ( i=1 AGAFfi ) → ψ.
[Example provided by the student Davide Kirchner, 2014]
¬pq p¬q pq Mp s0 s1 s2
M ¬pq p¬q pq s0 s1 s2
Mp 6|= AGq M |= (AGAFp) → AGq
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 96 / 108 Fairness & Fair Kripke Models Vn Ex. CTL: M{f1,...,fn} |= ψ 6⇐⇒ M |= ( i=1 EGEFfi ) → ψ.
[Example provided by the student Daniele Giuliani, 2019]
p¬q ¬pq Mp!q s2 s1
¬ M p q ¬pq s2 s1
Mp!q 6|= EFEGq M |= (EGEFp) → EFEGq
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 97 / 108 Fairness & Fair Kripke Models Vn Ex. LTL (1): M{f1,...,fn} |= ψ ⇐⇒ M |= ( i=1 GFfi ) → ψ.
¬pq p¬q pq Mp s0 s1 s2
M ¬pq p¬q pq s0 s1 s2
Mp 6|= Gq M 6|= (GFp) → Gq
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 98 / 108 Fairness & Fair Kripke Models Vn Ex. LTL (2): M{f1,...,fn} |= ψ ⇐⇒ M |= ( i=1 GFfi ) → ψ.
¬p¬q pq ¬pq Mp s0 s1 s2
M ¬p¬q pq ¬pq s0 s1 s2
Mp |= Gq M |= (GFp) → Gq
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 99 / 108 Exercises Outline
1 Some background on Boolean Logic
2 Generalities on temporal logics
3 Linear Temporal Logic – LTL
4 Some LTL Model Checking Examples
5 Computation Tree Logic – CTL
6 Some CTL Model Checking Examples
7 LTL vs. CTL
8 Fairness & Fair Kripke Models
9 Exercises
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 100 / 108 [ Solution: we introduce fresh Boolean variables naming the subformulas of ϕ: B z }| { B1 B2 B3 B4 z }| { z }| { z }| { z }| { ((¬A1 ∧ ¬A2) ∨ ( A7 ∧ A4) ∨ (¬A3 ∧ A2) ∨ ( A5 ∧ ¬A4)) from which we obtain: (B) ∧ (¬B ∨ B1 ∨ B2 ∨ B3 ∨ B4) ∧ (¬B ∨ ¬A ) ∧ (¬B ∨ ¬A ) ∧ 1 1 1 2 . (¬B2 ∨ A7) ∧ (¬B2 ∨ A4) ∧ (¬B3 ∨ ¬A3) ∧ (¬B3 ∨ A2) ∧ (¬B4 ∨ A5) ∧ (¬B4 ∨ ¬A4) ]
Exercises Ex: Labeled CNF-ization
Consider the following Boolean formula ϕ:
((¬A1 ∧ ¬A2) ∨ ( A7 ∧ A4) ∨ (¬A3 ∧ A2) ∨ ( A5 ∧ ¬A4))
Using the improved CNFlabel conversion, produce the CNF formula CNFlabel (ϕ).
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 101 / 108 Exercises Ex: Labeled CNF-ization
Consider the following Boolean formula ϕ:
((¬A1 ∧ ¬A2) ∨ ( A7 ∧ A4) ∨ (¬A3 ∧ A2) ∨ ( A5 ∧ ¬A4))
Using the improved CNFlabel conversion, produce the CNF formula CNFlabel (ϕ).
[ Solution: we introduce fresh Boolean variables naming the subformulas of ϕ: B z }| { B1 B2 B3 B4 z }| { z }| { z }| { z }| { ((¬A1 ∧ ¬A2) ∨ ( A7 ∧ A4) ∨ (¬A3 ∧ A2) ∨ ( A5 ∧ ¬A4)) from which we obtain: (B) ∧ (¬B ∨ B1 ∨ B2 ∨ B3 ∨ B4) ∧ (¬B ∨ ¬A ) ∧ (¬B ∨ ¬A ) ∧ 1 1 1 2 . (¬B2 ∨ A7) ∧ (¬B2 ∨ A4) ∧ (¬B3 ∨ ¬A3) ∧ (¬B3 ∨ A2) ∧ (¬B4 ∨ A5) ∧ (¬B4 ∨ ¬A4)
] Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 101 / 108 [ Solution:
ϕ ⇒ ¬(((¬A1 → ¬A2) ∧ (¬A3 → A4)) ∨ (( A5 → A6) ∧ ( A7 → ¬A8))) ⇒ (¬((¬A1 → ¬A2) ∧ (¬A3 → A4)) ∧ ¬(( A5 → A6) ∧ ( A7 → ¬A8))) ⇒ ((¬(¬A1 → ¬A2) ∨ ¬(¬A3 → A4)) ∧ (¬( A5 → A6) ∨ ¬( A7 → ¬A8))) ⇒ (((¬A1 ∧ A2) ∨ (¬A3 ∧ ¬A4)) ∧ (( A5 ∧ ¬A6) ∨ ( A7 ∧ A8))) = ϕ0
]
Exercises Ex: NNF conversion
Consider the following Boolean formula ϕ:
¬(((¬A1 → ¬A2) ∧ (¬A3 → A4)) ∨ (( A5 → A6) ∧ ( A7 → ¬A8)))
Compute the Negative Normal Form of ϕ, called ϕ0.
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 102 / 108 Exercises Ex: NNF conversion
Consider the following Boolean formula ϕ:
¬(((¬A1 → ¬A2) ∧ (¬A3 → A4)) ∨ (( A5 → A6) ∧ ( A7 → ¬A8)))
Compute the Negative Normal Form of ϕ, called ϕ0.
[ Solution:
ϕ ⇒ ¬(((¬A1 → ¬A2) ∧ (¬A3 → A4)) ∨ (( A5 → A6) ∧ ( A7 → ¬A8))) ⇒ (¬((¬A1 → ¬A2) ∧ (¬A3 → A4)) ∧ ¬(( A5 → A6) ∧ ( A7 → ¬A8))) ⇒ ((¬(¬A1 → ¬A2) ∨ ¬(¬A3 → A4)) ∧ (¬( A5 → A6) ∨ ¬( A7 → ¬A8))) ⇒ (((¬A1 ∧ A2) ∨ (¬A3 ∧ ¬A4)) ∧ (( A5 ∧ ¬A6) ∨ ( A7 ∧ A8))) = ϕ0
]
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 102 / 108 [ Solution: true ]
[ Solution: true ]
[ Solution: false ]
[ Solution: true ]
Exercises Exercise: LTL Model Checking (path)
Consider the following path π:
¬p¬q ¬pq p¬q p¬q p¬q s0 s1 s2 s3 s4
For each of the following facts, say if it is true of false in LTL.
(a) π, s0 |= GFq
(b) π, s0 |= FG(q ↔ ¬p)
(c) π, s2 |= Gp
(d) π, s2 |= pUq
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 103 / 108 [ Solution: true ]
[ Solution: false ]
[ Solution: true ]
Exercises Exercise: LTL Model Checking (path)
Consider the following path π:
¬p¬q ¬pq p¬q p¬q p¬q s0 s1 s2 s3 s4
For each of the following facts, say if it is true of false in LTL.
(a) π, s0 |= GFq [ Solution: true ]
(b) π, s0 |= FG(q ↔ ¬p)
(c) π, s2 |= Gp
(d) π, s2 |= pUq
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 103 / 108 [ Solution: false ]
[ Solution: true ]
Exercises Exercise: LTL Model Checking (path)
Consider the following path π:
¬p¬q ¬pq p¬q p¬q p¬q s0 s1 s2 s3 s4
For each of the following facts, say if it is true of false in LTL.
(a) π, s0 |= GFq [ Solution: true ]
(b) π, s0 |= FG(q ↔ ¬p) [ Solution: true ]
(c) π, s2 |= Gp
(d) π, s2 |= pUq
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 103 / 108 [ Solution: true ]
Exercises Exercise: LTL Model Checking (path)
Consider the following path π:
¬p¬q ¬pq p¬q p¬q p¬q s0 s1 s2 s3 s4
For each of the following facts, say if it is true of false in LTL.
(a) π, s0 |= GFq [ Solution: true ]
(b) π, s0 |= FG(q ↔ ¬p) [ Solution: true ]
(c) π, s2 |= Gp [ Solution: false ]
(d) π, s2 |= pUq
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 103 / 108 Exercises Exercise: LTL Model Checking (path)
Consider the following path π:
¬p¬q ¬pq p¬q p¬q p¬q s0 s1 s2 s3 s4
For each of the following facts, say if it is true of false in LTL.
(a) π, s0 |= GFq [ Solution: true ]
(b) π, s0 |= FG(q ↔ ¬p) [ Solution: true ]
(c) π, s2 |= Gp [ Solution: false ]
(d) π, s2 |= pUq [ Solution: true ] Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 103 / 108 [ Solution: true ]
[ Solution: true ]
[ Solution: true ]
[ Solution: false ]
Exercises Ex: LTL Model Checking
Consider the following Kripke Model M:
pq s0 ¬pq p¬q s2 s1
For each of the following facts, say if it is true or false in LTL.
(a) M |= (pUq)
(b) M |= G(¬p → F¬q)
(c) M |= Gp → Gq
(d) M |= FGp
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 104 / 108 [ Solution: true ]
[ Solution: true ]
[ Solution: false ]
Exercises Ex: LTL Model Checking
Consider the following Kripke Model M:
pq s0 ¬pq p¬q s2 s1
For each of the following facts, say if it is true or false in LTL.
(a) M |= (pUq) [ Solution: true ] (b) M |= G(¬p → F¬q)
(c) M |= Gp → Gq
(d) M |= FGp
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 104 / 108 [ Solution: true ]
[ Solution: false ]
Exercises Ex: LTL Model Checking
Consider the following Kripke Model M:
pq s0 ¬pq p¬q s2 s1
For each of the following facts, say if it is true or false in LTL.
(a) M |= (pUq) [ Solution: true ] (b) M |= G(¬p → F¬q) [ Solution: true ] (c) M |= Gp → Gq
(d) M |= FGp
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 104 / 108 [ Solution: false ]
Exercises Ex: LTL Model Checking
Consider the following Kripke Model M:
pq s0 ¬pq p¬q s2 s1
For each of the following facts, say if it is true or false in LTL.
(a) M |= (pUq) [ Solution: true ] (b) M |= G(¬p → F¬q) [ Solution: true ] (c) M |= Gp → Gq [ Solution: true ] (d) M |= FGp
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 104 / 108 Exercises Ex: LTL Model Checking
Consider the following Kripke Model M:
pq s0 ¬pq p¬q s2 s1
For each of the following facts, say if it is true or false in LTL.
(a) M |= (pUq) [ Solution: true ] (b) M |= G(¬p → F¬q) [ Solution: true ] (c) M |= Gp → Gq [ Solution: true ] (d) M |= FGp [ Solution: false ]
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 104 / 108 [ Solution: false ]
[ Solution: false ]
[ Solution: true ]
[ Solution: true ]
Exercises Ex: CTL Model Checking
Consider the following Kripke Model M:
pq s2 ¬pq p¬q s0 s1
For each of the following facts, say if it is true or false in CTL.
(a) M |= AF¬p
(b) M |= EGp
(c) M |= A(pUq)
(d) M |= E(pU¬q)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 105 / 108 [ Solution: false ]
[ Solution: true ]
[ Solution: true ]
Exercises Ex: CTL Model Checking
Consider the following Kripke Model M:
pq s2 ¬pq p¬q s0 s1
For each of the following facts, say if it is true or false in CTL.
(a) M |= AF¬p [ Solution: false ] (b) M |= EGp
(c) M |= A(pUq)
(d) M |= E(pU¬q)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 105 / 108 [ Solution: true ]
[ Solution: true ]
Exercises Ex: CTL Model Checking
Consider the following Kripke Model M:
pq s2 ¬pq p¬q s0 s1
For each of the following facts, say if it is true or false in CTL.
(a) M |= AF¬p [ Solution: false ] (b) M |= EGp [ Solution: false ] (c) M |= A(pUq)
(d) M |= E(pU¬q)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 105 / 108 [ Solution: true ]
Exercises Ex: CTL Model Checking
Consider the following Kripke Model M:
pq s2 ¬pq p¬q s0 s1
For each of the following facts, say if it is true or false in CTL.
(a) M |= AF¬p [ Solution: false ] (b) M |= EGp [ Solution: false ] (c) M |= A(pUq) [ Solution: true ] (d) M |= E(pU¬q)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 105 / 108 Exercises Ex: CTL Model Checking
Consider the following Kripke Model M:
pq s2 ¬pq p¬q s0 s1
For each of the following facts, say if it is true or false in CTL.
(a) M |= AF¬p [ Solution: false ] (b) M |= EGp [ Solution: false ] (c) M |= A(pUq) [ Solution: true ] (d) M |= E(pU¬q) [ Solution: true ]
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 105 / 108 [ Solution: false ]
[ Solution: false ]
[ Solution: true ]
[ Solution: false ]
Exercises Ex: CTL Model Checking
Consider the following Kripke Model M:
pq s0 p¬q ¬pq s1 s2
For each of the following facts, say if it is true or false in CTL.
(a) M |= AF¬q
(b) M |= EGq
(c) M |= ((AGAFp ∨ AGAFq) ∧ (AGAF¬p ∨ AGAF¬q)) → q
(d) M |= AFEG(p ∧ q)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 106 / 108 [ Solution: false ]
[ Solution: true ]
[ Solution: false ]
Exercises Ex: CTL Model Checking
Consider the following Kripke Model M:
pq s0 p¬q ¬pq s1 s2
For each of the following facts, say if it is true or false in CTL.
(a) M |= AF¬q [ Solution: false ] (b) M |= EGq
(c) M |= ((AGAFp ∨ AGAFq) ∧ (AGAF¬p ∨ AGAF¬q)) → q
(d) M |= AFEG(p ∧ q)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 106 / 108 [ Solution: true ]
[ Solution: false ]
Exercises Ex: CTL Model Checking
Consider the following Kripke Model M:
pq s0 p¬q ¬pq s1 s2
For each of the following facts, say if it is true or false in CTL.
(a) M |= AF¬q [ Solution: false ] (b) M |= EGq [ Solution: false ] (c) M |= ((AGAFp ∨ AGAFq) ∧ (AGAF¬p ∨ AGAF¬q)) → q
(d) M |= AFEG(p ∧ q)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 106 / 108 [ Solution: false ]
Exercises Ex: CTL Model Checking
Consider the following Kripke Model M:
pq s0 p¬q ¬pq s1 s2
For each of the following facts, say if it is true or false in CTL.
(a) M |= AF¬q [ Solution: false ] (b) M |= EGq [ Solution: false ] (c) M |= ((AGAFp ∨ AGAFq) ∧ (AGAF¬p ∨ AGAF¬q)) → q [ Solution: true ] (d) M |= AFEG(p ∧ q)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 106 / 108 Exercises Ex: CTL Model Checking
Consider the following Kripke Model M:
pq s0 p¬q ¬pq s1 s2
For each of the following facts, say if it is true or false in CTL.
(a) M |= AF¬q [ Solution: false ] (b) M |= EGq [ Solution: false ] (c) M |= ((AGAFp ∨ AGAFq) ∧ (AGAF¬p ∨ AGAF¬q)) → q [ Solution: true ] (d) M |= AFEG(p ∧ q) [ Solution: false ]
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 106 / 108 [ Solution: true ]
[ Solution: true ]
[ Solution: false ]
[ Solution: true ]
Exercises Ex: Fair CTL Model Checking
Consider the following fair Kripke Model M:
F1 pq F2 s0 p¬q ¬pq s1 s2
For each of the following facts, say if it is true or false in CTL.
(a) M |= AF¬p
(b) M |= A(pU¬q)
(c) M |= AX¬q
(d) M |= AGAF¬p
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 107 / 108 [ Solution: true ]
[ Solution: false ]
[ Solution: true ]
Exercises Ex: Fair CTL Model Checking
Consider the following fair Kripke Model M:
F1 pq F2 s0 p¬q ¬pq s1 s2
For each of the following facts, say if it is true or false in CTL.
(a) M |= AF¬p [ Solution: true ] (b) M |= A(pU¬q)
(c) M |= AX¬q
(d) M |= AGAF¬p
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 107 / 108 [ Solution: false ]
[ Solution: true ]
Exercises Ex: Fair CTL Model Checking
Consider the following fair Kripke Model M:
F1 pq F2 s0 p¬q ¬pq s1 s2
For each of the following facts, say if it is true or false in CTL.
(a) M |= AF¬p [ Solution: true ] (b) M |= A(pU¬q) [ Solution: true ] (c) M |= AX¬q
(d) M |= AGAF¬p
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 107 / 108 [ Solution: true ]
Exercises Ex: Fair CTL Model Checking
Consider the following fair Kripke Model M:
F1 pq F2 s0 p¬q ¬pq s1 s2
For each of the following facts, say if it is true or false in CTL.
(a) M |= AF¬p [ Solution: true ] (b) M |= A(pU¬q) [ Solution: true ] (c) M |= AX¬q [ Solution: false ] (d) M |= AGAF¬p
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 107 / 108 Exercises Ex: Fair CTL Model Checking
Consider the following fair Kripke Model M:
F1 pq F2 s0 p¬q ¬pq s1 s2
For each of the following facts, say if it is true or false in CTL.
(a) M |= AF¬p [ Solution: true ] (b) M |= A(pU¬q) [ Solution: true ] (c) M |= AX¬q [ Solution: false ] (d) M |= AGAF¬p [ Solution: true ] Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 107 / 108 [ Solution: true ]
[ Solution: true ]
[ Solution: true ]
[ Solution: false ]
Exercises Ex: Fair CTL Model Checking
Consider the following fair Kripke Model M: pq s0 p¬q ¬pq s1 s2
where the fairness properties are expressed by the following CTL formula: AGAF¬q.
For each of the following facts, say if it is true or false in CTL.
(a) M |= EF(p ∧ q)
(b) M |= AGAFp
(c) M |= AF¬q
(d) M |= AG(¬p ∨ ¬q)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 108 / 108 [ Solution: true ]
[ Solution: true ]
[ Solution: true ]
[ Solution: false ]
Exercises Ex: Fair CTL Model Checking
Consider the following fair Kripke Model M: pq s0 p¬q ¬pq F1 s1 s2
For each of the following facts, say if it is true or false in CTL.
(a) M |= EF(p ∧ q)
(b) M |= AGAFp
(c) M |= AF¬q
(d) M |= AG(¬p ∨ ¬q)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 108 / 108 [ Solution: true ]
[ Solution: true ]
[ Solution: false ]
Exercises Ex: Fair CTL Model Checking
Consider the following fair Kripke Model M: pq s0 p¬q ¬pq F1 s1 s2
For each of the following facts, say if it is true or false in CTL.
(a) M |= EF(p ∧ q) [ Solution: true ] (b) M |= AGAFp
(c) M |= AF¬q
(d) M |= AG(¬p ∨ ¬q)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 108 / 108 [ Solution: true ]
[ Solution: false ]
Exercises Ex: Fair CTL Model Checking
Consider the following fair Kripke Model M: pq s0 p¬q ¬pq F1 s1 s2
For each of the following facts, say if it is true or false in CTL.
(a) M |= EF(p ∧ q) [ Solution: true ] (b) M |= AGAFp [ Solution: true ] (c) M |= AF¬q
(d) M |= AG(¬p ∨ ¬q)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 108 / 108 [ Solution: false ]
Exercises Ex: Fair CTL Model Checking
Consider the following fair Kripke Model M: pq s0 p¬q ¬pq F1 s1 s2
For each of the following facts, say if it is true or false in CTL.
(a) M |= EF(p ∧ q) [ Solution: true ] (b) M |= AGAFp [ Solution: true ] (c) M |= AF¬q [ Solution: true ] (d) M |= AG(¬p ∨ ¬q)
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 108 / 108 Exercises Ex: Fair CTL Model Checking
Consider the following fair Kripke Model M: pq s0 p¬q ¬pq F1 s1 s2
For each of the following facts, say if it is true or false in CTL.
(a) M |= EF(p ∧ q) [ Solution: true ] (b) M |= AGAFp [ Solution: true ] (c) M |= AF¬q [ Solution: true ] (d) M |= AG(¬p ∨ ¬q) [ Solution: false ]
Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 108 / 108