Temporal Logic Lecture, October 2019

Temporal logic

What I will present today

- Semantics of CTL
- More examples of CTL algorithm (mutual exclusion)
- A better algorithm for computing $[[EG\,\psi]]$
- A similar algorithm with fairness
- Connection with fixpoint results on posets
- Deciding $\models \psi$ in LTL

This corresponds to Chapters 2.6 and 2.7 in the book

Semantics of CTL

$s \models AX\,\psi$ if $s' \models \psi$ for all $s' \in N(s)$

$s \models EX\,\psi$ if $s' \models \psi$ for some $s' \in N(s)$

Semantics of CTL

$s \models EG\,\psi$ if there exists a path $\sigma$ starting from $s$ such that $\sigma(k) \models \psi$ for all $k$

$s \models EF\,\psi$ if there exists a path $\sigma$ starting from $s$ with $\sigma(k) \models \psi$ for some $k$

$s \models AF\,\psi$ if for all paths $\sigma$ starting from $s$ there exists $k$ such that $\sigma(k) \models \psi$

$s \models AG\,\psi$ if for all paths $\sigma$ starting from $s$ we have $\sigma(k) \models \psi$ for all $k$

Fixpoint characterisation of CTL

$s \models EG\,\psi$ means that there exists a path $\sigma$ starting from $s$ and such that $\sigma(k) \models \psi$ for all $k$

Alternatively using $EG\,\psi = \psi \wedge EX(EG\,\psi)$ we have seen that $[[EG\,\psi]]$ is the greatest set $Z$ such that

$Z = [[\psi]] \cap p_\exists(Z)$

where $p_\exists(Y) = \{ s \in S \mid N(s) \cap Y \neq \emptyset \}$

Fixpoint characterisation of CTL

We compute $[[EG\,\psi]]$ by the approximation algorithm

$Z_0 = [[\psi]]$, $Z_{n+1} = Z_n \cap p_\exists(Z_n)$

Fixpoint characterisation of CTL

$s \models AF\,\psi$ means that for all paths $\sigma$ starting from $s$ we have $\sigma(k) \models \psi$ for some $k$

Alternatively using $AF\,\psi = \psi \vee AX(AF\,\psi)$ we have seen that $[[AF\,\psi]]$ is the least set $Z$ such that

$Z = [[\psi]] \cup p_\forall(Z)$

where $p_\forall(Y) = \{ s \in S \mid N(s) \subseteq Y \}$

Fixpoint characterisation of CTL

We compute $[[AF\,\psi]]$ by the approximation/labelling algorithm

$Z_0 = [[\psi]]$, $Z_{n+1} = Z_n \cup p_\forall(Z_n)$

Alternative algorithm for EG

Here is another clever algorithm for computing EG

It uses the notion of strongly connected component

By duality we get an alternative algorithm for computing AF

Directed Graphs

In a directed graph G=(V,E), two nodes u and v are strongly connected if and only if there is a path from u to v and a path from v to u.

The strongly connected relation is an equivalence relation. Its equivalence classes are the strongly connected components.

Every node is in precisely one strongly connected component, since the equivalence classes partition the set of nodes.

Component Graph

Take a directed graph G=(V,E) and let ≡ be the strongly connected relation. Then we can define a graph $G^{scc} = (V/{\equiv}, E_{\equiv})$, where the nodes are the strongly connected components of G and there is an edge from component C to component D iff there is an edge in G from a vertex in C to a vertex in D.

Strongly Connected Components

$R$ is a relation on a set $S$, so $R \subseteq S \times S$

We can consider the reflexive transitive closure $R^*$ of $R$

$R^*(a, b)$ means that $a = b$ or that there exists a path going from $a$ to $b$

$S, R^*$ is a preorder

We may not have $R^*(a, b) \wedge R^*(b, a) \rightarrow a = b$
Strongly Connected Components

The relation $a \equiv b$ defined by

$R^*(a, b) \wedge R^*(b, a)$

is a reflexive, symmetric and transitive relation

This is an equivalence relation

A strongly connected component (SCC) of the graph $S, R$ is an equivalence class for the relation $a \equiv b$

Condensation graph

If we have two different equivalence classes $X$ and $Y$ we define a new relation $R(X, Y)$ to mean $R(a, b)$ for all $a \in X$ and $b \in Y$

This is equivalent to $R(a, b)$ for some $a \in X$ and $b \in Y$

This new relation $R$ is a strict poset relation

The associated graph is a directed acyclic graph

This is the condensation graph of the initial graph

Strongly Connected Components

Linear time algorithms to compute the strongly connected components

- Kosaraju
- Tarjan
- Dijkstra

A SCC is non trivial if it contains at least one arrow

Note that it may have only one point

Alternative algorithm

We compute the SCCs of the graph restricted to $[[\psi]]$

The "good" states are the ones connected to a non trivial SCC

Non trivial means that there is at least one arrow in this component

Example of this algorithm for mutual exclusion

Alternative algorithm with fairness

One interesting feature of this algorithm is that we can refine it by asking some fairness constraints

A fairness constraint $C = \psi_1, \dots, \psi_n$ is given by formulae

$s \models EG_C\,\psi$ means that there exists a path $\sigma$ starting from $s$ such that $\sigma(k) \models \psi$ for all $k$ and $\sigma$ is fair for $C$

$\sigma$ is fair for $C$ means that $\sigma(k) \models \psi_i$ for infinitely many $k$, for each $i = 1, \dots, n$

Alternative algorithm with fairness

The only modification in the previous algorithm is to look for a non trivial SCC $B$ such that

$B \cap [[\psi_1]] \neq \emptyset, \dots, B \cap [[\psi_n]] \neq \emptyset$

i.e. $B$ meets each $[[\psi_i]]$ for $i = 1, \dots, n$

Fixpoint characterisation of CTL

$s \models EG\,\psi$ means that there exists a path $\sigma$ starting from $s$ and such that $\sigma(k) \models \psi$ for all $k$

Alternatively using $EG\,\psi = \psi \wedge EX(EG\,\psi)$ we have seen that $[[EG\,\psi]]$ is the greatest set $Z$ such that

$Z = [[\psi]] \cap p_\exists(Z)$

where $p_\exists(Y) = \{ s \in S \mid N(s) \cap Y \neq \emptyset \}$

Fixpoint characterisation of CTL

Note that $F : Z \mapsto [[\psi]] \cap p_\exists(Z)$ is a monotone function

We have seen the following result

Theorem: if $F : Pow(S) \rightarrow Pow(S)$ is a monotone function then it has a greatest fixed point, which is computed by the approximation algorithm

$Y_0 = S$, $Y_{n+1} = F(Y_n)$

until we have $Y_{n+1} = Y_n$

Fixpoint characterisation of CTL

So the algorithm for computing the greatest fixpoint is

(1) $Y_0 = S$, $Y_{n+1} = [[\psi]] \cap p_\exists(Y_n)$

On the other hand, the approximation/labelling algorithm we have used is given by

(2) $Z_0 = [[\psi]]$, $Z_{n+1} = Z_n \cap p_\exists(Z_n)$

This is not the same!! How to connect the two algorithms?

Discussion

The algorithm (2) is more efficient than (1)

(1) follows from a general method of computing fixpoint

The method we show to prove the correctness of (2) is to prove that (1) and (2) are equivalent, without trying to prove directly the correctness of (2); instead we rely on the correctness of (1)

This is a usual pattern: to prove the correctness of an algorithm w.r.t. a specification it is sometimes easier to prove that this algorithm is equivalent to a less efficient but clearly correct other algorithm

Fixpoint

We have

(1) $Y_0 = S$, $Y_{n+1} = [[\psi]] \cap p_\exists(Y_n)$

(2) $Z_0 = [[\psi]]$, $Z_{n+1} = Z_n \cap p_\exists(Z_n)$

Theorem: We have $Y_{n+1} = Z_n$ for all $n$

Fixpoint

To simplify the notation we write $A = [[\psi]]$ and $p = p_\exists$

(1) $Y_0 = S$, $Y_{n+1} = A \cap p(Y_n)$

(2) $Z_0 = A$, $Z_{n+1} = Z_n \cap p(Z_n)$

Lemma: We have $A \cap p(Z_n) \subseteq Z_n$ for all $n$

We prove this by induction on $n$

Fixpoint

(1) $Y_0 = S$, $Y_{n+1} = A \cap p(Y_n)$

(2) $Z_0 = A$, $Z_{n+1} = Z_n \cap p(Z_n)$

Lemma: We have $A \cap p(Z_n) \subseteq Z_n$ for all $n$

Theorem: We have $Z_n = Y_{n+1}$ for all $n$

So the labelling algorithm is justified by the fixpoint algorithm!

Deciding a LTL formula

Theorem: The problem $\models \psi$ is decidable

This is a non trivial result

I sketch a possible proof since it uses a very interesting method

The Tableau Method

Tableau method

We can consider the following syntax

$\psi, \varphi ::= p \mid \neg p \mid \psi \vee \varphi \mid \psi \wedge \varphi \mid X\psi \mid F\psi \mid G\psi$

since using de Morgan laws, we can always assume that negation appears only in front of atomic formulae

Also $\psi_0 \rightarrow \psi_1$ can be replaced by $\neg\psi_0 \vee \psi_1$

We give an algorithm to decide if a finite set of formulae $\Gamma$ can be satisfied

Tableau method

For instance $\neg(G(p \rightarrow Xp) \wedge p \rightarrow Gp)$ can be written

$G(p \rightarrow Xp) \wedge p \wedge \neg(Gp)$

and then

$G(\neg p \vee Xp) \wedge p \wedge F(\neg p)$

Good sets

A literal is a formula of the form $p$ or $\neg p$

A finite set $\Delta$ is good if it contains only literals or formulae of the form $X\psi$

It should not contain both $p$ and $\neg p$

We write $X^{-1}\Delta$ the set of $\psi$ such that $X\psi \in \Delta$

We write $\Delta, \Delta', \dots$ for good sets

Note that the empty set is a good set

Tableau method

The first step is to compute a list $K(\Gamma)$ of good sets $\Delta_1, \dots, \Delta_n$ such that $\sigma \models \Gamma$ if and only if $\sigma \models \Delta_i$ for some $i$

Tableau method

In propositional logic this is like computing a disjunctive normal form

$K((p \vee q) \wedge (r \vee s))$ has for elements $p, r$ and $p, s$ and $q, r$ and $q, s$

$K((p \vee q) \wedge (\neg p \vee s))$ has for elements $p, s$ and $q, \neg p$ and $q, s$

In LTL we use $G\psi \equiv \psi \wedge XG\psi$ and $F\psi \equiv \psi \vee XF\psi$

Synthesis of Boolean programs

Specification of a Boolean program: If the boss is in, I need to work unless the telephone rings.
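The fixpoint iterations (1) and (2) from the Fixpoint slides, run side by side on a small transition system, with the lemma and the theorem relating them checked at every step and AF computed as a least fixpoint. This Python code is an added example, not part of the lecture; the transition system, the set A and all function names are constructed for illustration, and it assumes every state has a successor.

```python
# Constructed example: successor map N of a small transition system in which
# every state has a successor, and A = [[psi]] chosen by hand.
N = {0: {1}, 1: {2}, 2: {1, 3}, 3: {4}, 4: {4}, 5: {0, 5}}
S = set(N)
A = {0, 1, 2, 3, 5}


def p_exists(Y):
    """p_E(Y): states with at least one successor in Y."""
    return {s for s in S if N[s] & Y}


def p_forall(Y):
    """p_A(Y): states all of whose successors are in Y."""
    return {s for s in S if N[s] <= Y}


def iterates(step, start, k):
    """Return [X0, ..., Xk] with X0 = start and X(n+1) = step(Xn)."""
    out = [set(start)]
    for _ in range(k):
        out.append(step(out[-1]))
    return out


def compare_chains(a):
    """Run (1) and (2) side by side: (lemma holds, theorem holds, [[EG psi]])."""
    k = len(S)  # a monotone chain of subsets of S is stable after |S| steps
    ys = iterates(lambda y: a & p_exists(y), S, k + 1)  # (1) from Y0 = S
    zs = iterates(lambda z: z & p_exists(z), a, k)      # (2) from Z0 = A
    lemma = all(a & p_exists(z) <= z for z in zs)
    theorem = all(ys[n + 1] == zs[n] for n in range(k + 1))
    return lemma, theorem, zs[-1]


def af(a):
    """[[AF psi]] as the least fixpoint Z0 = A, Z(n+1) = Zn | p_A(Zn)."""
    return iterates(lambda z: z | p_forall(z), a, len(S))[-1]


if __name__ == "__main__":
    print(compare_chains(A))
    # Duality: AF psi is the complement of EG (not psi).
    print(af({4}), S - compare_chains(S - {4})[2])
```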
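The SCC-based algorithm for EG and its refinement with fairness constraints, as described on the "Alternative algorithm" slides: restrict the graph to [[psi]], keep the non trivial SCCs that meet every fairness set, then collect the states that can reach them. This Python code is an added example, not part of the lecture; the transition system, the fairness sets and the function names are constructed, and Tarjan's algorithm is used for the SCC step.

```python
# Constructed transition system; A = [[psi]] is chosen by hand.
N = {0: {1}, 1: {2}, 2: {1, 3}, 3: {4}, 4: {4}, 5: {0, 5}}
A = {0, 1, 2, 3, 5}


def sccs(nodes, succ):
    """Tarjan's algorithm (recursive, fine for small graphs): list of SCCs."""
    index, low, stack, on_stack, out = {}, {}, [], set(), []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in succ(v):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of a component
            comp = set()
            while v not in comp:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
            out.append(comp)

    for v in nodes:
        if v not in index:
            visit(v)
    return out


def eg_fair(n, a, fairness=()):
    """[[EG_C psi]] for a = [[psi]]; fairness lists the sets [[psi_i]]."""
    succ = lambda v: n[v] & a           # the graph restricted to [[psi]]
    good = set()
    for b in sccs(sorted(a), succ):
        nontrivial = any(succ(v) & b for v in b)   # an arrow inside b
        if nontrivial and all(b & f for f in fairness):
            good |= b
    # Add every state of a that can reach a selected component inside a.
    while new := {s for s in a if succ(s) & good} - good:
        good |= new
    return good
```

With no fairness sets, `eg_fair(N, A)` returns the same set as the fixpoint iteration for EG on this system; adding the fairness set `{5}` shrinks it to the single state whose only fair path is the self-loop.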
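The first tableau step, computing the list K(Γ) of good sets, applied to the two propositional inputs from the slides and to the set G(¬p ∨ Xp), p, F(¬p) from the earlier Tableau slide. This Python code is an added example, not part of the lecture; the tuple encoding of formulas and the function names are this example's own choices.

```python
# Formulas: an atom is a string; compound formulas are tuples
# ("not", atom), ("and", f, g), ("or", f, g), ("X", f), ("F", f), ("G", f).
def is_good_form(f):
    """Literals and X-formulae are the only members allowed in a good set."""
    return isinstance(f, str) or f[0] in ("not", "X")


def K(gamma):
    """Good sets D1..Dn such that gamma holds iff some Di holds."""
    todo, done = [frozenset(gamma)], []
    while todo:
        delta = todo.pop()
        f = next((g for g in delta if not is_good_form(g)), None)
        if f is None:
            clash = any(("not", g) in delta for g in delta)  # both p and not p
            if not clash and delta not in done:
                done.append(delta)
            continue
        if f[0] == "and":
            branches = [{f[1], f[2]}]
        elif f[0] == "or":
            branches = [{f[1]}, {f[2]}]
        elif f[0] == "G":                  # G f == f and X G f
            branches = [{f[1], ("X", f)}]
        elif f[0] == "F":                  # F f == f or X F f
            branches = [{f[1]}, {("X", f)}]
        else:
            raise ValueError(f"unknown connective {f[0]!r}")
        todo.extend((delta - {f}) | b for b in branches)
    return done


def x_inverse(delta):
    """X^-1 delta: the formulas f with X f in delta."""
    return {f[1] for f in delta if not isinstance(f, str) and f[0] == "X"}


# Inputs taken from the slides; the tuple encoding is this example's own.
P_OR_Q = ("or", "p", "q")
DNF_1 = K({("and", P_OR_Q, ("or", "r", "s"))})
DNF_2 = K({("and", P_OR_Q, ("or", ("not", "p"), "s"))})
STEP = ("G", ("or", ("not", "p"), ("X", "p")))      # G(not p or X p)
LTL = K({STEP, "p", ("F", ("not", "p"))})
```

For the LTL input only one good set survives, containing p together with Xp, XG(¬p ∨ Xp) and XF(¬p); the branches that pick ¬p clash with p and are discarded.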
