Today’s Lecture • Discuss Temporal Logic in depth Lecture 14: Temporal Logic Kenneth M. Anderson Foundations of Software Engineering CSCI 5828 - Spring Semester, 1999 Lecture 14 1 Lecture 14 2 Temporal Logic Example • In classical logic, a predicate’s truth value is static; • P: “the train is approaching the gate” for a given interpretation it is always true or •P ⇒ Q: “if the train approaches the gate, the gate is always false lowered” • In real-life situations, implications are causal • Q: “the gate is lowered before the train is in the gate • R: “the gate remains closed until the train crosses the gate” – if P and P ⇒ Q then Q • We cannot formalize these statements in propositional or – We need P to be true at one point, then if an event predicate logic causes P ⇒ Q to be true, then at the next point, we need P to be false and Q to be true • Think of it in terms of states. S1: P is true, S2: Q is true Lecture 14 3 Lecture 14 4 Concurrent and Reactive Systems Relevant properties • A reactive program is one that continuously • safety: “something bad • liveness: “something good maintains an ongoing interaction with the will not happen” will eventually happen” • Example • Example environment controlled by it. – “the gate will remain closed – “whenever the gate is – Reactive systems may be concurrent and may while a train crosses the directed to raise, it will gate” eventually do so” have to obey strict timing constraints • safety properties • liveness properties – For example, “train approaching gate” and – partial correctness – program termination “gate lowering” are concurrent activities – mutual exclusion – starvation-freedom – deadlock-freedom Lecture 14 5 Lecture 14 6 Notions of Time Discrete or Continuous • Underlying model for time must match the • When operations are continuously varying, a system’s requirements dense model of time is appropriate – The topology of time in this instance is typically a • Temporal logic does not try to define time, proper subset of real numbers only operators that denote change and • If properties are only present at certain time ordering instants, then a discrete model of time is chosen • Types of Time • In this case, the topology is mapped into a subset of the natural numbers – Discrete or Continuous • These models can be bounded and can also be – Linear and Branching broken into distinct intervals Lecture 14 7 Lecture 14 8 Linear and Branching Time Models The specification hierarchy • for any given moment in time • Temporal logic can be used to specify – one may postulate one future time (linear) or requirements, design, and programs several possible future times (branching) – Requirements • branching • behavior model; time constraints between predicates – useful for modeling uncertainty – Design (i.e. alternatives can be considered) • state changes within objects can be specified • We are going to study discrete linear – Programs temporal logic • state changes for entire programs Lecture 14 9 Lecture 14 10 Common techniques Temporal Logic: Syntax • After an object’s state is specified • Vocabulary – Specify formulas for properties that hold over – constants, functions, propositions, states, and predicates • (a) all sequences of all states • It also includes • (b) some sequence of states – constant values • (c) some future state in some sequence of states • boolean constants, natural numbers, ε (empty string or list), ∅ (empty set) • With respect to program states – function symbols – Temporal logic formulas can specify properties • +, −, ∪, ∩ • that hold over (subsets of) executions of the program – predicate symbols • >, ≤, ⊂, ∈ Lecture 14 11 Lecture 14 12 Syntax and Semantics, continued Syntax and Semantics, continued • = (assumed defined for all types) • Additional Well-Formed Formula Rules • A well-formed formula of predicate logic is also a – If f is a well-formed formula, then so are well-formed formula of temporal logic • ¬(f), ¨(f), ²(f), and ¡(f) – Temporal Logic adds – If f and g are well-formed formulas, then so are ∧ ∨ ⇒ ≡ • a sequence of states: S1, S2, …, Sn • (f g), (f g), (f g), and (f g) • a function that assigns to each state, a set of predicates that are • Examples true for that state – ¨(f ⇒ ¡(g)) – Temporal Logic defines three new operators ∃ ∧ • ¨ (always), ² (eventually), and ¡ (next) – q•(head(s) = q) ²(head(s) = q + 1) – ¨(p) ∧ ²(q) ⇒ ¨(p ⇒ ¡(r)) Lecture 14 13 Lecture 14 14 Types of Temporal Logic Interpretation of Temporal Logic • Use of only propositions • An atomic action causes a state change – propositional linear temporal logic • A state history is notated: – σ : S , S , …, S • Use of quantifiers and predicates 1 2 n – It represents the behavior of an object. – first-order linear temporal logic • These states can correspond to either abstract object states in a design or to concrete states in a program. – In order to verify whether the behavior has a property as represented by a formula f, we interpret the formula over the given state history. Lecture 14 15 Lecture 14 16 Interpretation, continued Interpretation, continued • The value of a variable (expression, predicate, …) • To evaluate formulas without temporal operators – for a given state is notated – Step 3: evaluate quantified formulas •s[∀ x • p] = ∀ x • s[p] • s[x], s[e], s[p], s[f] •s[∃ x • p] = ∃ x • s[p] • To evaluate formulas without temporal operators • Example – Step 1: evaluate expressions – state s = (x=-1, y=3, z=1) • Assign values to all free variables – formula (x+y>z) ⇒ (y ≤ 2 * z) – Step 2: evaluate predicates – s[(x+y>z) ⇒ (y ≤ 2 * z)] • For a predicate P(t1, t2, …), define s[P] = P(s[t1], s[t2], …) – = (s[x]+s[y]>s[z]) ⇒ (s[y] ≤ 2 * s[z]) • For formulas, s[¬p] = ¬s[p], s[p ∧ q] = s[p] ∧ s[q], etc. – = (-1 + 3 > 1) ⇒ (3 ≤ 2 * 1) – = (true ⇒ false) (This expression thus evaluates to false for state s) Lecture 14 17 Lecture 14 18 Semantics of Temporal Formulas Examples • ¨P • ¨(lost(x) ⇒ ¬instacks(x)) – P always hold – A lost book is not on the stacks ≥ • ¨P holds at Sj iff P holds at all states Sk, k j • ¨(inc(x) ⇒ ¨inc(x)) • ²P – Once x is incremented, then it is incremented in every – P holds sometimes state thereafter ≥ • ²P holds at Sj iff P holds at some state Sk, k j • ¡ ¨(x = 1) ⇒ (² ¨(y=0) ∧ ²(z = 1)) • ¡P – If at the next step, x becomes permanently 1, then – P holds at the next instant eventually y becomes permanently zero and z • ¡P holds at Sj iff P holds at state Sj+1 eventually becomes 1 Lecture 14 19 Lecture 14 20 Returning to the Train example Train example, continued • Propositions • Assume – G1: the gate is lowered – σ: S0, S1, … where – G2: the gate is closed • S0: G1 ∧ T1 is true (Gate is lowered) – G3: the gate is raised • S1: G2 ∧ T1 is true (Gate is closed) – G4: the gate is open • S2, S3: G2 ∧ T2 is true (Train is crossing) – T1: the train is approaching • S4: G2 ∧ T3 is true (Gate is closed) – T2: the train is crossing the gate • S5: G3 ∧ T3 is true (Gate is raised) – T3: the train has crossed the gate • S6, …: G4 ∧ T3 is true (Gate is open) Lecture 14 21 Lecture 14 22 Train example, continued Additional Temporal Operators • We can conclude the following • Until • ²(G2) is true for states 0, 1, 2, 3, 4; otherwise not – P holds continuously at least until the first occurrence of Q • ¡(G2) is true for states 0, 1, 2, 3; otherwise not • Waiting-For • ¨(G4) is false for states 0-5, and true thereafter – P holds forever or until the first occurrence of Q • Since • ¨(T3) is true for all states ≥ 4 ⇒ – Q has happened at sometime in the past and P has continuously held ever • ¨(T3 ²G4) since – The gate will eventually open, after the train has crossed • Once • ¨²(G4) – P has happened at sometime in the past – There are an infinite number of states where the gate is open • I don’t have the correct font for the symbols of these operations, • ²¨(¬T1 ⇒ G4) instead I will use their name in place of their symbol in formulas – There exists a state where the proposition holds for all later states Lecture 14 23 Lecture 14 24 Frequently used Formulas Examples •f ⇒²g • We will now work through some examples – If f at one state, then eventually g on paper • ¨(f ⇒²g) – Holds for all states – Library Books • ¨(f ⇒¡g) – Communication Channels – If f is true at state n, then g is true in state n+1, f is true at state 0 – A thread-safe queue • ¨(f ⇒ f Until g) – Where f is true, f continues to remain true until g becomes true • ¨(f ⇒ Once g) – In every state where f is true, it was preceded by a state where g is true Lecture 14 25 Lecture 14 26.