Introduction to Formal Methods Chapter 03: Temporal Logics Roberto Sebastiani DISI, Università di Trento, Italy – [email protected] URL: http://disi.unitn.it/rseba/DIDATTICA/fm2020/ Teaching assistant: Enrico Magnago– [email protected] CDLM in Informatica, academic year 2019-2020 last update: Monday 18th May, 2020, 14:48 Copyright notice: some material (text, figures) displayed in these slides is courtesy of R. Alur, M. Benerecetti, A. Cimatti, M. Di Natale, P. Pandya, M. Pistore, M. Roveri, and S.Tonetta, who detain its copyright. Some exampes displayed in these slides are taken from [Clarke, Grunberg & Peled, “Model Checking”, MIT Press], and their copyright is detained by the authors. All the other material is copyrighted by Roberto Sebastiani. Every commercial use of this material is strictly forbidden by the copyright laws without the authorization of the authors. No copy of these slides can be displayed in public without containing this copyright notice. Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 1 / 108 Outline 1 Some background on Boolean Logic 2 Generalities on temporal logics 3 Linear Temporal Logic – LTL 4 Some LTL Model Checking Examples 5 Computation Tree Logic – CTL 6 Some CTL Model Checking Examples 7 LTL vs. CTL 8 Fairness & Fair Kripke Models 9 Exercises Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 2 / 108 Some background on Boolean Logic Outline 1 Some background on Boolean Logic 2 Generalities on temporal logics 3 Linear Temporal Logic – LTL 4 Some LTL Model Checking Examples 5 Computation Tree Logic – CTL 6 Some CTL Model Checking Examples 7 LTL vs. CTL 8 Fairness & Fair Kripke Models 9 Exercises Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 3 / 108 Some background on Boolean Logic Boolean logic Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 4 / 108 Some background on Boolean Logic Basic notation & definitions Boolean formula >; ? are formulas A propositional atom A1; A2; A3; ::: is a formula; if '1 and '2 are formulas, then :'1, '1 ^ '2, '1 _ '2, '1 ! '2, '1 '2, '1 $ '2 are formulas. Atoms('): the set fA1; :::; AN g of atoms occurring in '. Literal: a propositional atom Ai (positive literal) or its negation :Ai (negative literal) Notation: if l := :Ai , then :l := Ai W Clause: a disjunction of literals j lj (e.g., (A1 _:A2 _ A3 _ :::)) V Cube: a conjunction of literals j lj (e.g., (A1 ^ :A2 ^ A3 ^ :::)) Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 5 / 108 ^, _ and $ are commutative: ('1 ^ '2) () ('2 ^ '1) ('1 _ '2) () ('2 _ '1) ('1 $ '2) () ('2 $ '1) ^ and _ are associative: (('1 ^ '2) ^ '3) () ('1 ^ ('2 ^ '3)) () ('1 ^ '2 ^ '3) (('1 _ '2) _ '3) () ('1 _ ('2 _ '3)) () ('1 _ '2 _ '3) Note Some background on Boolean Logic Semantics of Boolean operators Truth table: '1 '2 :'1 '1 ^ '2 '1 _ '2 '1 ! '2 '1 '2 '1 $ '2 ?? > ? ? > > > ? > > ? > > ? ? > ? ? ? > ? > ? > > ? > > > > > Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 6 / 108 Some background on Boolean Logic Semantics of Boolean operators Truth table: '1 '2 :'1 '1 ^ '2 '1 _ '2 '1 ! '2 '1 '2 '1 $ '2 ?? > ? ? > > > ? > > ? > > ? ? > ? ? ? > ? > ? > > ? > > > > > Note ^, _ and $ are commutative: ('1 ^ '2) () ('2 ^ '1) ('1 _ '2) () ('2 _ '1) ('1 $ '2) () ('2 $ '1) ^ and _ are associative: (('1 ^ '2) ^ '3) () ('1 ^ ('2 ^ '3)) () ('1 ^ '2 ^ '3) (('1 _ '2) _ '3) () ('1 _ ('2 _ '3)) () ('1 _ '2 _ '3) Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 6 / 108 Boolean logic can be expressed in terms of f:; ^g (or f:; _g) only Some background on Boolean Logic Syntactic Properties of Boolean Operators ::'1 () '1 ('1 _ '2) (): (:'1 ^ :'2) :('1 _ '2) () (:'1 ^ :'2) ('1 ^ '2) () :(:'1 _:'2) :('1 ^ '2) () (:'1 _:'2) ('1 ! '2) () (:'1 _ '2) :('1 ! '2) () ('1 ^ :'2) ('1 '2) () ('1 _:'2) :('1 '2) () (:'1 ^ '2) ('1 $ '2) () (('1 ! '2) ^ ('1 '2)) () ((:'1 _ '2) ^ ('1 _:'2)) :('1 $ '2) () (:'1 $ '2) () ('1 $ :'2) () (('1 _ '2) ^ (:'1 _:'2)) Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 7 / 108 Some background on Boolean Logic Syntactic Properties of Boolean Operators ::'1 () '1 ('1 _ '2) (): (:'1 ^ :'2) :('1 _ '2) () (:'1 ^ :'2) ('1 ^ '2) () :(:'1 _:'2) :('1 ^ '2) () (:'1 _:'2) ('1 ! '2) () (:'1 _ '2) :('1 ! '2) () ('1 ^ :'2) ('1 '2) () ('1 _:'2) :('1 '2) () (:'1 ^ '2) ('1 $ '2) () (('1 ! '2) ^ ('1 '2)) () ((:'1 _ '2) ^ ('1 _:'2)) :('1 $ '2) () (:'1 $ '2) () ('1 $ :'2) () (('1 _ '2) ^ (:'1 _:'2)) Boolean logic can be expressed in terms of f:; ^g (or f:; _g) only Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 7 / 108 + (((A1 $ A2) ! (A3 $ A4))^ ((A3 $ A4) ! (A1 $ A2))) + (((A1 ! A2) ^ (A2 ! A1)) ! ((A3 ! A4) ^ (A4 ! A3)))^ (((A3 ! A4) ^ (A4 ! A3)) ! (((A1 ! A2) ^ (A2 ! A1)))) Some background on Boolean Logic TREE and DAG representation of formulas: example Formulas can be represented either as trees or as DAGS: DAG representation can be up to exponentially smaller (A1 $ A2) $ (A3 $ A4) Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 8 / 108 + (((A1 ! A2) ^ (A2 ! A1)) ! ((A3 ! A4) ^ (A4 ! A3)))^ (((A3 ! A4) ^ (A4 ! A3)) ! (((A1 ! A2) ^ (A2 ! A1)))) Some background on Boolean Logic TREE and DAG representation of formulas: example Formulas can be represented either as trees or as DAGS: DAG representation can be up to exponentially smaller (A1 $ A2) $ (A3 $ A4) + (((A1 $ A2) ! (A3 $ A4))^ ((A3 $ A4) ! (A1 $ A2))) Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 8 / 108 Some background on Boolean Logic TREE and DAG representation of formulas: example Formulas can be represented either as trees or as DAGS: DAG representation can be up to exponentially smaller (A1 $ A2) $ (A3 $ A4) + (((A1 $ A2) ! (A3 $ A4))^ ((A3 $ A4) ! (A1 $ A2))) + (((A1 ! A2) ^ (A2 ! A1)) ! ((A3 ! A4) ^ (A4 ! A3)))^ (((A3 ! A4) ^ (A4 ! A3)) ! (((A1 ! A2) ^ (A2 ! A1)))) Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 8 / 108 Some background on Boolean Logic TREE and DAG representation of formulas: example (cont) A1A2 A2 A1 A3A4 A4 A3 A3A4 A4 A3 A1A2 A2 A1 Tree Representation A1A2 A3 A4 DAG Representation Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 9 / 108 Some background on Boolean Logic Basic notation & definitions (cont) Total truth assignment µ for ': µ : Atoms(') 7−! f>; ?g. Partial Truth assignment µ for ': µ : A 7−! f>; ?g, A ⊂ Atoms('). Set and formula representation of an assignment: µ can be represented as a set of literals: EX: fµ(A1) := >; µ(A2) := ?g =) fA1; :A2g µ can be represented as a formula (cube): EX: fµ(A1) := >; µ(A2) := ?g =) (A1 ^ :A2) Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 10 / 108 a partial truth assignment µ satisfies ' iff it makes ' evaluate to true (Ex: fA1g j= (A1 _ A2)) =) if µ satisfies ', then all its total extensions satisfy ' (Ex: fA1; A2g j= (A1 _ A2) and fA1; :A2g j= (A1 _ A2)) ' is satisfiable iff µ j= ' for some µ '1 entails '2 ('1 j= '2): '1 j= '2 iff µ j= '1 =) µ j= '2 for every µ ' is valid( j= '): j= ' iff µ j= ' for every µ Property ' is valid () :' is not satisfiable Some background on Boolean Logic Basic notation & definitions (cont) a total truth assignment µ satisfies ' (µ j= '): µ j= Ai () µ(Ai ) = > µ j= :' () not µ j= ' µ j= '1 ^ '2 () µ j= '1 and µ j= '2 µ j= '1 _ '2 () µ j= '1 or µ j= '2 µ j= '1 ! '2 () if µ j= '1; then µ j= '2 µ j= '1 $ '2 () µ j= '1 iff µ j= '2 Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 11 / 108 ' is satisfiable iff µ j= ' for some µ '1 entails '2 ('1 j= '2): '1 j= '2 iff µ j= '1 =) µ j= '2 for every µ ' is valid( j= '): j= ' iff µ j= ' for every µ Property ' is valid () :' is not satisfiable Some background on Boolean Logic Basic notation & definitions (cont) a total truth assignment µ satisfies ' (µ j= '): µ j= Ai () µ(Ai ) = > µ j= :' () not µ j= ' µ j= '1 ^ '2 () µ j= '1 and µ j= '2 µ j= '1 _ '2 () µ j= '1 or µ j= '2 µ j= '1 ! '2 () if µ j= '1; then µ j= '2 µ j= '1 $ '2 () µ j= '1 iff µ j= '2 a partial truth assignment µ satisfies ' iff it makes ' evaluate to true (Ex: fA1g j= (A1 _ A2)) =) if µ satisfies ', then all its total extensions satisfy ' (Ex: fA1; A2g j= (A1 _ A2) and fA1; :A2g j= (A1 _ A2)) Roberto Sebastiani Ch. 03: Temporal Logics Monday 18th May, 2020 11 / 108 '1 entails '2 ('1 j= '2): '1 j= '2 iff µ j= '1 =) µ j= '2 for every µ ' is valid( j= '): j= ' iff µ j= ' for every µ Property ' is valid () :' is not satisfiable Some background on Boolean Logic Basic notation & definitions (cont) a total truth assignment µ satisfies ' (µ j= '): µ j= Ai () µ(Ai ) = > µ j= :' () not µ j= ' µ j= '1 ^ '2 () µ j= '1 and µ j= '2 µ j= '1 _ '2 () µ j= '1 or µ j= '2 µ j= '1 ! '2 () if µ j= '1; then µ j= '2 µ j= '1 $ '2 () µ j= '1 iff µ j= '2 a partial truth assignment µ satisfies ' iff it makes ' evaluate to true (Ex: fA1g j= (A1 _ A2)) =) if µ satisfies ', then all its total extensions satisfy ' (Ex: fA1; A2g j= (A1 _ A2) and fA1; :A2g j= (A1 _ A2)) ' is satisfiable iff µ j= ' for some µ Roberto Sebastiani Ch.