Requirements and Specifications

We now turn our attention to the way in which requirements —i.e., the properties that we

expect from a correct protocol — are specified. The techniques proposed in this dissertation support requirements expressed either as Linear Temporal Logic (ltl) formulas, or directly as Büchi monitors.3_{To make the presentation self-contained, we now briefly describe the syntax} and semantics ofltland describe how we use monitors (possibly constructed from theltl

formulas) to characterize the correctness of protocols. Linear Temporal Logic

Given a set of atomic propositionsAP, the syntax of Linear Temporal Logic (ltl) formulas over these atomic propositions is given by the following rules:

• Ifp∈AP, thenpis anltlformula

• Ifϕ₁andϕ₂areltlformulas, then so are¬ϕ₁,ϕ₁∧ϕ₂,_Xϕ₁, andϕ_1Uϕ₂.

Other commonly used operators and connectives can be defined in terms of these basic operators using the standard equivalences. We list a few of them here:

• ϕ₁∨ϕ₂≡¬(¬ϕ₁∧ ¬ϕ₂) • Fϕ1≡trueUϕ1

• Gϕ1≡¬F¬ϕ1

• ϕ_1Rϕ₂≡¬(¬ϕ_1U¬ϕ₂) • ϕ_1Wϕ₂≡(ϕ_1Uϕ₂)∨_Gϕ₁

We define the semantics of anltlformula overexecutionsofesms andesm-sks. Given the set

of typesT, a set of function symbolsF, anesmoresm-skA=hL,l₀,I,O,V,σ₀,R,Fs,Fwi,

we let the set of atomic propositions AP be the set of all Boolean valued expressions over V∪{loc}which do not involve Boolean connectives. Here,loc∈/ Vis a distinguished variable that tracks thelocationofA, whose values are allowed to range overL, and the only operation

allowed on this type is comparison of values of equality. Given a states_,(l,σ), wherel∈L andσ∈SV, an interpretationI, and an atomic predicatep∈AP, we say thatssatisfiesp under

the interpretationI, written ass

I pif and only ifp0, which is obtained by substitutinglfor every occurrence oflocinpandσ(v)for every occurrence ofvinp, for each variablev∈V is equivalent totrue. We extend the notion of satisfiability to arbitrary Boolean expressions 3_Everyltl_{formula can be translated into a (possibly non-deterministic) Büchi monitor, but there exist Büchi}

— which are just atomic propositions composed with Boolean connectives — in the natural manner.

Given an infinite execution e _,s₀ → s₁ → · · · ofA, under an interpretationI, where s_i,(l_i,σ_i)fori_>0, the satisfaction semantics of anltlformulaϕovereare inductively defined as follows, whereϕ₁andϕ₂are subformulas ofϕ, andpis an atomic proposition;_i.e., p∈AP. Note that we use the notatione

I ϕto denote that the executione(also under the interpretationI) satisfies theltlformulaϕunder the interpretationI.

• Ifϕ≡p, then,e

I pif and only ifs0 I p. • Ifϕ≡ϕ₁∧ϕ₂, thene

I ϕif and only ife I ϕ1ande I ϕ2. • Ifϕ≡¬ϕ₁, thene

I ϕif and only if it is not the case thate I ϕ1. • Ifϕ≡_Xϕ₁thene

I ϕif and only ifs1 I ϕ1. • Ifϕ≡ϕ_1Uϕ₂, thene

I ϕif and only if∃j>0(sj _I ϕ2∧∀i < j(si _I ϕ1)).

The semantics for the other operators such asF,G,RandW, can be deduced by using the

equivalences mentioned earlier to expressltlformulas involving these operators in terms of the basic operatorsXandU.

We can now define the satisfaction semantics of anesmoresm-skAwith respect to an

ltlformulaϕas follows:Asatisfiesϕ, under an interpretationI, writtenA

I ϕif and only if foreveryexecutioneofA(also under the interpretationI), we have thate _I ϕ.

Algorithmically, this check is usually performed by translating the negation of the ltl

formula,i.e.,¬ϕ, into a Büchi monitor with accepting states and checking if the synchronous

product of the Büchi monitor andAadmits a fair accepting cycle. We defer a detailed description of this model-checking algorithm until Section 8.3, but we now provide a brief description of the (Büchi and safety) monitors used in this process.

Monitors

Everyltlformulaϕcan be translated into a (possibly non-deterministic) Büchi automaton (BA) or Büchi monitor which can then be used to algorithmically check if a given transition system satisfies theltlformulaϕ. The translation fromltlto BA takes time exponential in the size of theltlformula, and has been studied extensively in literature [WVS83, LP85, VW94, DGV99, EH00, SB00, GO01, BKRS12, Dur14], and will not be covered in detail in this dissertation. We will assume that the requirements which are specified usingltlformulas have already been translated into Büchi monitors, whose form we describe in this section. This translation

can be accomplished using widely available tools likeltl2ba[GO01],ltl3ba[BKRS12], or

spot[Dur14] for instance.

Consider anesmoresm-skA_,hL,l₀,I,O,V,σ₀,R,Fs,Fwi. Recall thatSV is the set of

all valuations of the set of variablesV. We denote the set of all_statesofAasS_,L×S_{V. A} monitoroverAis an automatonM,hQ,q0,∆i. HereQis the set of automaton states,q0∈Q is the initial state and∆⊆ Q×S×Qis a transition relation. We denote the_synchronous composition ofAwithMasAkM. The semantics of such a synchronous composition are standard: Each timeAmakes a transition,Mmakes a transition as well. Suppose the current state ofMisq, and the state ofAiss∈S, thenMcan (non-deterministically) transition to any stateq0such that(q,s,q0)∈ ∆. The notion of an execution is extended in the natural manner to the productAkM, by augmenting the state with a component denoting the state q∈Qof the monitorM, and we write(l,σ,q) −→(l0,σ0,q0), where the locationsl,l0 ∈L, the valuationsσ,σ0∈S_V andq,q0∈Qif and only if(l,σ)−→(l0,σ0), and(q,(l,σ),q0)∈∆. The notion of reachability also follows naturally from the extended notion of an execution. The compositionAkM_inheritsthe the fairness assumptions fromA, and an executioneof AkMunder an interpretationIis fair if and only if the projection ofeontoAis fair, under the interpretationI.4

Asafetymonitor is a monitor augmented with a set oferrorstates. In other words, a safety

monitorMs,hQ,q0,∆,Qerri, whereQerr⊆Qis a set of error states. An finite executione

ofAkM_sis called_erroneousif the monitorM_sis in a stateq∈Q_errin the last state of the executione. Given an interpretationI,AsatisfiesM_sunder the interpretationI, written as A

I Ms, if and only ifAkMsadmits no erroneous executions under the interpretationI,i.e.,

a state where the monitor component of the stateq∈Q_erris not reachable.

Alivenessmonitor is a monitor augmented with a set ofacceptingstates. In other words,

a liveness monitorM_{l ,} hQ,q₀,∆,Q_acci, whereQ_acc ⊆ Qis a set of accepting states. An infinite execution eofA k Mlis called an acceptingexecution if the monitorMlvisits an

accepting state infinitely many times ine. Given an interpretationI, we say thatAsatisfiesMl

under the interpretationI, written asA

I Mlif and only if every fair execution ofAkMl,

under the interpretationI, is not an accepting execution.

Although we have made a distinction between liveness and safety monitors for ease of expo- sition, especially in the later chapters of this dissertation, we note that both safety and liveness 4_{An executioneofAkMis projected ontoAby simply dropping the component forMin each state and each}

monitors can be expressed as (possibly non-deterministic) Büchi monitors with accepting states. This is immediately obvious in the case of liveness monitors of the form we have described above: a liveness monitor is itself a Büchi monitor withQ_acc as the set of accepting states of the Büchi monitor. One can express a safety monitor as a Büchi monitor by settingQ_acc=Q_err and adding a self-loop from every stateq∈Q_err,_i.e., by adding(q,(l,σ),q)for everyq∈Q_err and for every(l,σ)∈ Sto∆, thereby allowing it to accept infinite executions. Further, we also allow monitors to besymmetricin the same manner as foresms andesm-sks. Finally, we

say that anesmoresm-skAsatisfies theltlspecificationϕunder an interpretationI, if and only ifA

I M, whereMis the Büchi monitor corresponding to theltlformula¬ϕ.