Lecture 3 Automata-Based Representation of Linear-Time Properties and Linear Temporal Logic (LTL) Richard M. Murray Nok Wongpiromsarn Ufuk Topcu EECI, 14 May 2012 Outline Principles of Model • Automata-based representation of Checking, linear-time properties Christel Baier and • Syntax and semantics of LTL Joost-Pieter Katoen. • Specifying properties in LTL MIT Press, 2008. • Equivalence of LTL formulas • Fairness in LTL Chapter 5 • Other temporal logics (if time) Representations of linear-time properties Two more representations of linear-time properties: • Automata-based: • Linear temporal logic (LTL): readable by machine readable by humans • LTL is a formal language for describing linear-time properties • It provides particularly useful operators for constructing linear-time properties without explicitly specifying sets (of, e.g., infinite sequences of subsets of atomic propositions) 2 Nondeterministic finite automaton (NFA) A nondeterministic finite automaton =(Q, Σ, δ,Q0,F) is a tuple with - A is a set of states, A - Σ is an alphabet, - δ : Q Σ 2Q is a transition function, × → - Q0 Q is a set of initial states, and - F ⊆Q is a set of accept (or: final) states. ⊆ set of finite words Q = q0,q1,q2 , Σ = A, B { } { } Q0 = q0 ,F= q2 Let w = A ...A Σ∗ be a finite word. { } { } 1 n ∈ A run for w in is a finite sequence of δ(q0,A)= q0 , δ(q0,B)= q0,q1 A states q q ...q s.t. δ(q1,A)={q2}, δ(q1,B)={q2 } 0 1 n { } { } - q0 Q0 δ(q2,A)= , δ(q0,B)= ∈A ∅ ∅ - q i+1 q for all 0 i<n. word run i −−−→ i+1 ≤ empty word q0 A run q0q1 ...qn is called accepting if qn F . ∈ B q0q1 A finite word in accepted if it leads to an accepting run. ABA q0q0q0q0 BBA q0q0q0q0 The accepted language ( ) of is the set BA q0q1q2 L A A of finite words in Σ∗ accepted by . BBA q0q0q1q2 A accepted 3 NFA: =(Q, Σ, δ,Q ,F) A 0 Regular safety properties language (set of finite words) A set Σ∗ of finite strings is called a regular language L ⊆ accepted by if there is a nondeterministic finite automaton s.t. = ( ). the NFA A L L A A safety property Psafe over AP is called regular if its set of bad prefixes constitutes a regular language over 2AP . That is: NFA s.t. ( ) = bad prefixes of P ∃ A L A safe yellow Example: AP = {red, green, yellow} “Each red must be preceded immediately by a yellow” q1 is a regular safety property. yellow ¬ red Sample bad prefixes: ¬yellow∧ • {}{}{red} • {}{red} q0 red • {yellow}{yellow}{green}{red} ¬yellow∧ • ¬ A0A1 ...An s.t. n>0, red An, and yellow / An 1 red ∈ ∈ − general form of minimal bad prefixes q2 4 Verifying regular safety properties Given a transition system TS and a regular safety property Psafe, both over the atomic propositions AP. Let be an NFA s.t. ( )=BadP ref(P ). A L A safe TS = Psafe iff T races(TS) Psafe | ⊆ AP ω iff T races(TS) ((2 ) Psafe)= ∩ \ ∅AP ω iff T races(TS) BadP ref(Psafe).(2 ) = iff pref(T races∩(TS)) BadP ref(P )= ∅ ∩ safe ∅ iff pref(T races(TS)) ( )= AP ω ∩ L A ∅ (2 ) finite prefixes (2AP )ω P \ safe T races(TS) Psafe For words w and σ, w.σ denotes their concatenation. 5 Invariant Safety Liveness state condition something bad something good never happens will happen eventually violated at any infinite run violated only by infinite individual states violating the property runs has a finite prefix verification: find the verification: based on verification: reachable states and check nondeterministic finite the invariant condition automaton which accepts ? “finite runs” 6 Nondeterministic Buchi automaton (NBA) A nondeterministic Buchi automaton is same as an NFA =(Q, Σ, δ,Q0,F) with its runs interpreted differently. A Let w = A A ... Σω be an infinite string. A run for w in 1 2 ∈ A is an infinite sequence q0q1 ... of states s.t. - q0 Q0 and ∈A A A AP = {red, green} - q 1 q 2 q 3 .... 0 −−→ 1 −−→ 2 −−→ A run is accepting if q F for infinitely many j. j ∈ A string w is accepted by if there is an accepting run of w in . A A input word: ( ): set of infinite strings accepted by . Lω A A green green green ... { }{}{ }{}{ }{} A set of infinite string Σω is run: Lω ⊆ called an ω-regular language if there q0q1q0q1q0q1 ... is an NBA s.t. = ( ). A Lω Lω A input word: ( green, red green red )ω { }{}{ }{ } The NBA on the right accepts the infinite words run: q0q1q0q1q0q1 ... satisfying the LT property: “infinitely often green.” 7 NBA: =(Q, Σ, δ,Q0,F) ω -regular properties A An LT property P over AP is called ω-regular if P is an ω-regular language over 2AP . Invariant, regular safety, and various liveness properties are ω-regular. Let P be an ω-regular property and be an NBA that represents the ”bad traces” for P. A Basic idea behind model checking ω-regular properties: TS = P if and only if Traces(TS) P | ⊆ if and only if Traces(TS) (2AP )ω P = ∩ \ ∅ if and only if Traces(TS) P = ∩ ∅ if and only if Traces(TS) ( ) = ∩ Lω A ∅ 8 Invariant Safety Liveness state condition something bad something good never happens will happen eventually violated at any infinite run violated only by infinite individual states violating the property runs has a finite prefix verification: find the verification: based on verification: based on reachable states and check nondeterministic finite nondeterministic Buchi the invariant condition automaton which accepts automaton which “finite runs” accepts infinite runs 9 Representations of linear-time properties Two more representations of linear-time properties: • Automata-based: • Linear temporal logic (LTL): readable by machine readable by humans • LTL is a formal language for describing linear-time properties • It provides particularly useful operators for constructing linear-time properties without explicitly specifying sets (of, e.g., infinite sequences of subsets of atomic propositions) 10 Temporal logic Two key operators in temporal logic • ◊ “eventually” - a property is satisfied at some point in the future • ¨ “always” - a property is satisfied now and forever into the future “Temporal” refers underlying nature of time • Linear temporal logic ⇒ each moment in time has a well-defined successor moment • Branching temporal logic ⇒ reason about multiple possible time courses • “Temporal” here refers to “ordered events”; no explicit notion of time LTL = linear temporal logic • Specific class of operators for specifying linear time properties • Introduced by Pneuli in the 1970s (recently passed away) • Large collection of tools for specification, design, analysis Other temporal logics • CTL = computation tree logic (branching time; will see later, if time) • TCTL = timed CTL - check to make sure certain events occur in a certain time • TLA = temporal logic of actions (Lamport) [variant of LTL] • µ calculus = add “least fixed point” operator (more tomorrow) 11 Syntax of LTL LTL formulas: • a = atomic proposition • ◯ = “next”: φ is true at next step • U = “until”: φ2 is true at some point, φ1 is true until that time Formula evaluation: evaluate LTL propositions over a sequence of subsets of atomic propositions 12 Additional operators and formulas Derived temporal logic operators • Eventually ◊ϕ := true U ϕ ϕ will become true at some point in the future • Always ¨ϕ := ¬◊¬ϕ ϕ is always true; “(never (eventually (¬ϕ)))” Operator precedence Some common composite operators • Unary binds stronger than binary • p → ◊q p implies eventually q (response) ¬ φ1 U ◯ φ2 = (¬ φ1)U (◯ φ2) • p → q U r p implies q until r (precedence) • ¨◊p always eventually p (progress) • Bind from right to left: ¨◊p = (¨ (◊p)) • ◊¨p eventually always p (stability) p U q U r = p U (q U r) • ◊p → ◊q eventually p implies eventually q • U takes precedence over (correlation) ∧, ∨ and → 13 Semantics: when does a path satisfy an LTL spec? Let φ be an LTL formula over AP. The linear-time property induced by φ is where the satisfaction relation is the smallest relation with the properties For σ=A0 A1 A2..., σ[j...]=Aj Aj+1... For derived operators: Sample derivation: 14 Semantics: when does a system satisfy an LTL spec? Putting together: [Bullet 3 above] [Definition of satisfaction for LT properties] [Definition of Words(φ)] [Bullet 2 above] 15 Example: traffic light System description • Focus on lights in on particular direction • Light can be any of three colors: green, yellow, read • Atomic propositions = light color Ordering specifications • Liveness: “traffic light is green infinitely often” ☐◊green • Chronological ordering: “once red, the light cannot become green immediately” ☐ (red → ¬ ◯ green) • More detailed: “once red, the light always becomes green eventually after being yellow for some time” ☐(red → (◊ green ∧ (¬ green U yellow))) ☐(red → ◯ (red U (yellow ∧ ◯ (yellow U green)))) Progress property • Every request will eventually lead to a response ☐ (request → ◊response) 16 Example: autonomous navigation Specify safe, allowable, required, or desired behavior of system and/ or environment. Reduced Speed Zone ck pt position : x Traffic rules: • No collision (dist(x, Obs) X dist(x, Loc(Veh)) X ) ≥ safe ∧ ≥ safe • Obey speed limits ((x Reduced Speed Zone) (v vreduced)) • Stay in travel lane unless blocked∈ → ≤ • Intersection precedence & merging, stop line, passing,... Goals: • Eventually visit the check point ♦(x =ckpt) • Every time check point is reached, eventually come to start ((x =ckpt) (x = start)) → ♦ Environment assumptions: • Each intersection is clear infinitely often ♦(Intersection = empty) • Limited sensing range, detect obstacles before too late,... 17 ”Quiz” Consider the following transition system with AP = {a,b} Property 1: TS |= [] a? • Yes, all states are labeled with a Property 2: TS |= X (a ^ b)? • No: From s2 or s3, there are transitions for which