3. Linear Temporal Logic

(1)

3. Linear Temporal Logic

Huixing Fang

School of Information Engineering Yangzhou University

(2)

Outline

1 Syntax

2 _Semantics

3 Specifying Properties

4 Equivalence of LTL Formulae

5 Weak Until, Release, and Positive Normal Form

6 Fairness in LTL

(3)

1 Syntax

Definition 1 (Syntax of LTL)

ϕ ::= true | a | ϕ1∧ ϕ2| ¬ϕ | #ϕ | ϕ1Uϕ2

where a ∈ AP. Precedence order: ¬ =_{# > U > ∧.}

atomic prop. a s0 a s1 s2 s3 ... next operator #a s0 s1 a s2 s3 ... until operator aUb s0 a s1 a s2 b s3 ... eventually ♦b _s0 _s1 _s2 _s3b ... a a a a

The until operator allows to derive modalities:

1 ♦(“eventually”)

♦ϕ = trueUϕ

2 (“always”)

(4)

1 Syntax

Example 2

mutual exclusion: (¬crit1∨ ¬crit2) (1)

railroad-crossing: (train is near → gate is closed) (2)

progress property: _{(request → ♦response)} (3)

traffic light: (yellow ∨#¬red) (4)

infinitely often: ♦ϕ (5)

eventually forever: ♦ϕ (6)

unconditional fairness: ♦criti (7)

strong fairness: ♦waiti → ♦criti (8)

(5)

Outline

1 Syntax

2 _Semantics

(6)

2 Semantics

Definition 3 (Semantics of LTL over Infinite Words)

The satisfaction relation between interpretation σ = A0A1A2... ∈ (2AP)ω

and LTL formula is defined as follows: 1. σ |= true

2. σ |= a iff A0|= a, i.e., a ∈ A0

3. σ |= ϕ1∧ ϕ2 iff σ |= ϕ1 and σ |= ϕ2

4. σ |= ¬ϕ iff σ 6|= ϕ

5. σ |=_#ϕ iff suffix (σ, 1) = A1A2A3... |= ϕ

6. σ |= ϕ1Uϕ2 iff there exists j ≥ 0 such that

suffix (σ, j) = AjAj+1Aj+2... |= ϕ2 and

suffix (σ, i ) = AiAi +1Ai +2... |= ϕ1, for 0 ≤ i < j LT property of LTL formula ϕ: Words(ϕ) = {σ ∈ (2AP)ω | σ |= ϕ}.

(7)

2 Semantics

Review of execution, paths and traces

For transition system TS with labeling function L : S → 2AP_,

1 execution: states + actions,s₀ −→α1 s₁ −→α2 s₂ −→ ...α3 2 paths: sequences of states,π = s₀ s₁ s₂ ...

3 _{traces: sequences of sets of atomic propositions}

trace(π) = L(s0)L(s1)L(s2)... ∈ (2AP)ω

Semantics of ♦ and over Infinite Words

For σ = A0A1A2... ∈ (2AP)ω, and LTL formula ϕ

1. σ |= ♦ϕ iff there exists j ≥ 0 such that AjAj+1Aj+2... |= ϕ

(8)

2 Semantics

Definition 4 (Semantics of LTL over Paths and States)

Let TS = (S, Act, →, S0, AP, L) without terminal states, and let ϕ be an

LTL formula over AP.

1 _{For infinite path fragment π of TS, the |= relation is defined by}

π = s0s1s2... |= ϕ iff trace(π) |= ϕ

iff trace(π) ∈ Words(ϕ) = {σ ∈ (2AP)ω | σ |= ϕ}

2 _{For state s ∈ S, the |= relation is defined by}

s |= ϕ iff ∀π ∈ Paths(s). π |= ϕ iff s |= Words(ϕ)

iff Traces(s) ⊆ Words(ϕ)

Paths(s) = set of all maximal path fragments starting in state s Traces(s) = {trace(π) | π ∈ Paths(s)}

(9)

2 Semantics

Example 5 (LTL-semantics over paths)

s0 {a} s1 ∅ s2 {a, b} AP = {a, b} π = s0s1s2s2... trace(π) = L(s0)L(s1)L(s2)... = {a}∅{a, b}ω π |= a, π 6|= b π |=_{#(¬a ∧ ¬b)} π |=_{##(a ∧ b)} π |= (¬b)U(a ∧ b)

(10)

2 Semantics

Example 6 (LTL-semantics over paths)

s0 {a} s1 ∅ s2 {a, b} AP = {a, b} π = s0s1s0s1... trace(π) = L(s0)L(s1)L(s0)L(s1)... = {a}∅{a}∅ π |= a Ub, (?) π |= ♦b → (aUb), (?) π |=_{##¬b, (?)} π |= a, (?) π |= ♦a, (?) π |= ♦a, (?)

(11)

2 Semantics

Definition 7 (Interpretation of LTL formulas over TS)

Let TS = (S, Act, →, S0, AP, L) without terminal states, and let ϕ be an

LTL formula over AP.

TS |= ϕ iff s0 |= ϕ for all s0∈ S0

iff trace(π) |= ϕ for all π ∈ Paths(TS) iff Traces(TS) ⊆ Words(ϕ)

iff TS |= Words(ϕ)

Review-1: An LT property over AP is a language E of infinite words over the alphabet Σ = 2AP, i.e., E ⊆ (2AP)ω.

Review-2: Satisfaction relation |= for TS and LT property E , TS |= E iff

(12)

Outline

1 Syntax

2 _Semantics

6 Fairness in LTL

(13)

3 Specifying Properties

LTL-formulas for MUTEX protocols, AP = {wait1, crit1, wait2, crit2}

1 the mutual exclusion property

ϕm= (¬crit1∨ ¬crit2)

2 every process enters the critical section infinitely often

ϕ` = ♦crit1∧ ♦crit2

3 every waiting process finally enters its critical section

(14)

Outline

1 Syntax

2 _Semantics

6 Fairness in LTL

(15)

4 Equivalence of LTL Formulae

Definition 8 (Equivalence of LTL formulas)

LTL formulae ϕ1, ϕ2. ϕ1≡ ϕ2 iff Words(ϕ1) = Words(ϕ2) iff for all

transition systems T , T |= ϕ1⇔ T |= ϕ2. Duality Rule: ¬_{#ϕ ≡ #¬ϕ} Proof: A0A1... |= ¬_#ϕ iff A0A1... 6|=#ϕ iff A1A2... 6|= ϕ iff A1A2... |= ¬ϕ iff A0A1A2... |=_#¬ϕ

(16)

4 Equivalence of LTL Formulae

The expansion laws describe the temporal modalities U, ♦, and by means of a recursive equivalence.

1 until: ϕUψ ≡ ψ ∨ (ϕ ∧# ϕUψ ) least fixed point

2 _{eventually: ♦ψ ≡ ψ ∨}# ♦ψ least fixed point

3 always: ψ ≡ ψ ∧# ψ greatest fixed point

(17)

4 Equivalence of LTL Formulae

Until is the Least Solution of the Expansion Law (Lemma 5.18)

For LTL formuae ϕ and ψ, Words(ϕUψ) is the least LT property

P ⊆ (2AP)ω such that:

Words(ψ) ∪ {A0A1A2... ∈ Words(ϕ) | A1A2... ∈ P} ⊆ P (∗) Moreover, Words(ϕUψ) agrees with the set

Words(ψ) ∪ {A0A1A2... ∈ Words(ϕ) | A1A2... ∈ Words(ϕUψ)}

The formulation “least LT property satisfying condition (*)” means that the following conditions hold:

1 P = Words(ϕUψ) satisfies (∗)

(18)

Outline

1 Syntax

2 _Semantics

6 Fairness in LTL

(19)

5 Weak Until, Release, and Positive Normal Form

The weak until operator W:

ϕWψ = (ϕUψ) ∨ ϕ

Deriving “always” and “until” from “weak until”: ϕ ≡ ϕWfalse

ϕUψ ≡ (ϕWψ) ∧ ♦ψ

Duality of U and W:

¬(ϕUψ) ≡ (¬ψ)W(¬ϕ ∧ ¬ψ) ¬(ϕWψ) ≡ (¬ψ)U(¬ϕ ∧ ¬ψ)

(20)

5 Weak Until, Release, and Positive Normal Form

Expansion laws for U and W:

ϕUψ ≡ ψ ∨ (ϕ ∧_#(ϕUψ)) ϕWψ ≡ ψ ∨ (ϕ ∧_#(ϕWψ))

Weak-Until is the Greatest Solution of the Expansion Law (Lemma 5.19)

Words(ϕUψ) is the smallest LT-property P such that

Words(ψ) ∪ {A0A1A2... ∈ Words(ϕ) | A1A2... ∈ P} ⊆ P Words(ϕWψ) is the largest LT-property P such that

(21)

5 Weak Until, Release, and Positive Normal Form

Positive Normal Form for LTL (Weak-until PNF)

For a ∈ AP, the set of LTL formulae in weak-until positive normal form

(weak-until PNF) is given by:

ϕ ::= true | false | a | ¬a|ϕ1∧ ϕ2 | ϕ1∨ ϕ2| #ϕ | ϕ1Uϕ2| ϕ1Wϕ2

PNF also sometimes called negation normal form (NNF) ♦ and can be derived:

♦ϕ = trueUϕ ϕ = ϕWfalse

(22)

5 Weak Until, Release, and Positive Normal Form

Each LTL formula can be transformed into an equivalent LTL formula in PNF by using the following transformations:

¬true false ¬false true ¬¬ϕ ϕ ¬(ϕ ∧ ψ) ¬ϕ ∨ ¬ψ ¬#ϕ #¬ϕ ¬(ϕUψ) (ϕ ∧ ¬ψ)W(¬ϕ ∧ ¬ψ) .. .

(23)

Outline

1 Syntax

2 _Semantics

(24)

6 Fairness in LTL

Fairness Constraints

1 Unconditional fairness: e.g.,“Every process gets its turn infinitely

often.”

2 _{Strong fairness: e.g., “Every process that is enabled infinitely often}

gets its turn infinitely often.”

3 _{Weak fairness: e.g., “Every process that is continuously enabled from}

(25)

6 Fairness in LTL

Definition 9 (Unconditional, Strong, and Weak Fairness)

For transition system TS = (S, Act, →, I, AP, L) without terminal states,

A ⊆ Act, and infinite execution fragment ρ = s0

α0

−→ s₁ α1

−→ ... of TS:

1 ρ is unconditionally A-fair whenever

∞

∃ j. αj ∈ A. 2 ρ is strongly A-fair whenever (

∞

∃ j. Act(sj) ∩ A 6= ∅) ⇒ (

∞

∃ j. αj ∈ A). 3 ρ is weakly A-fair whenever (

∞

∀ j. Act(sj) ∩ A 6= ∅) ⇒ (

∞

∃ j. αj ∈ A).

∞

∃ j : there are infinitely many j.

∞

∀ j : for nearly all j, for all, except for finitely many j. The variable j ranges over the natural numbers.

For state s, let Act(s) denote the set of actions that are executable in state s,

(26)

6 Fairness in LTL

Definition 10 (Fairness Assumption)

A fairness assumption for Act is a triple

F = (F_ucond, Fstrong, Fweak)

with Fucond, Fstrong, Fweak ⊆ 2Act. Execution ρ is F -fairif 1 it is unconditionally A-fair forall A ∈ F_ucond,

2 _{it is strongly A-fair for}_all _{A ∈ F}_strong_{, and} 3 _{it is weakly A-fair for} _all_{A ∈ F}_weak_.

Remark: A is a set of actions.

1 FairPathsF(s) : the set of F -paths of s (i.e., infinite F -fair path

fragments that start in state s).

2 _FairPathsF_{(TS) : set of F -fair paths that start in some initial state}

(27)

6 Fairness in LTL

Definition 11 (Fair Satisfaction Relation for LT Properties)

Let P be an LT property over AP and F a fairness assumption over Act. Transition system TS = (S, Act, →, I, AP, L) fairly satisfies P, notation

TS |=F P, iff FairTracesF(TS) ⊆ P.

In case a transition system has traces that are not F -fair, then in general we are confronted with a situation

TS |=F P whereas TS 6|= P

By restricting the validity of a property to the set of fair paths, the verification can be restricted to “realistic” executions.

(28)

6 Fairness in LTL

Definition 12 (LTL Fairness Constraints and Assumptions)

Let Φ and Ψ be propositional logic formulae over AP.

1 An unconditional LTL fairness constraint is an LTL formula of the

form

ufair = ♦Ψ.

2 A strong LTL fairness condition is an LTL formula of the form

sfair = ♦Φ → ♦Ψ.

3 _{A weak LTL fairness constraint is an LTL formula of the form}

wfair = ♦Φ → ♦Ψ.

An LTL fairness assumption is a conjunction of LTL fairness constraints (of any arbitrary type).

(29)

6 Fairness in LTL

Notations:

1 LTL fairness assumptions are a conjunction of unconditional, strong,

and weak fairness assumptions: fair = ufair ∧ sfair ∧ wfair .

2 Set of all fair paths starting in s,

FairPaths(s) = {π ∈ Paths(s) | π |= fair }

3 _{Set of all traces induced by fair paths starting in s,}

FairTraces(s) = {trace(π) | π ∈ FairPaths(s)}

Definition 13 (Satisfaction Relation for LTL with Fairness)

For state s in transition system TS (over AP) without terminal states, LTL formula ϕ, and LTL fairness assumption fair let

s |=fair ϕ iff ∀π ∈ FairPaths(s). π |= ϕ and

(30)

6 Fairness in LTL

Theorem 14 (Reduction of |=fair to |=)

For transition system TS without terminal states, LTL formula ϕ, and LTL fairness assumption fair :

(31)

Outline

1 Syntax

2 _Semantics

(32)

7 Automata-Based LTL Model Checking

For transition system TS and LTL formula ϕ, let A be an NBA

(Nondeterministic B¨uchi Automaton) with Lω(A) = Words(¬ϕ) :

TS |= ϕ iff Traces(TS) ⊆ Words(ϕ)

iff Traces(TS) ∩ ((2AP)ω\ Words(ϕ)) = ∅ iff Traces(TS) ∩ Words(¬ϕ) = ∅

(33)

7 Automata-Based LTL Model Checking

Algorithm 1: Automaton-based LTL model checking

Input: finite transition system TS and LTL formula ϕ (both over AP) Output: “yes” if TS |= ϕ; otherwise, “no” plus a counterexample

1 Construct an NBA A¬ϕ such that Lω(A¬ϕ) = Words(¬ϕ)

2 Construct the product transition system TS ⊗ A¬ϕ

3 if ∃π ∈ Pahts(TS ⊗ A¬ϕ) satisfying the accepting condition of A then 4 return “no” and an expressive prefix of π

5 else

6 return “yes”

(34)

7 Automata-Based LTL Model Checking

TS |= LTL-formula ϕ

iff Traces(TS) ∩ Lω(A¬ϕ) = ∅

iff there is NO path hs0, q0ihs1, q1ihs2, q2i...

in TS ⊗ A¬ϕ s.t. qi ∈ F for infinitely many i ∈ N

(35)

7 Automata-Based LTL Model Checking

Definition 15 (Nondeterministic B¨uchi Automaton (NBA))

A B¨uchi automaton (NBA) A is a tuple A = (Q, Σ, δ, Q0, F ) where

Q is a finite set of states,

Σ is an alphabet,

δ : Q × Σ → 2Q is a transition function,

Q0 ⊆ Q is a set of initial states, and

F ⊆ Q is a set of accept states, called the acceptance set.

Arun for σ = A0A1A2... ∈ Σω denotes an infinite sequence q0q1q2...

of states in A such that q0 ∈ Q0 and qi Ai

−→ q_{i +1} for i ≥ 0.

Run q0q1q2... is accepting if qi ∈ F for infinitely many indices i ∈ N.

(36)

7 Automata-Based LTL Model Checking

Definition 16 (Nonblocking NBA)

Let A = (Q, Σ, δ, Q0, F ) be an NBA. A is callednonblocking if

δ(q, a) 6= ∅ for all states q and all symbols a ∈ Σ.

Remark: For each NBA A there exists a nonblocking NBA trap(A) with |trap(A)| = O(|A|) and A ≡ trap(A).

In nonblocking NBA trap(A),

δ0(q, A) =    δ(q, A) if q ∈ Q and δ(q, A) 6= ∅ {qtrap} otherwise

trap(A) is obtained from A by inserting a nonaccept trapping state qtrap

(37)

7 Automata-Based LTL Model Checking

Definition 17 (Product of Transition System and NBA)

Let TS = (S, Act, →, I, AP, L) be a transition system without terminal

states and A = (Q, 2AP, δ, Q0, F ) a nonblocking NBA. Then, TS ⊗ A is

the following transition system:

TS ⊗ A = (S × Q, Act, →0, I0, AP0, L0)

where →0 is the smallest relation defined by the rule

s −−→ t ∧ pα −−→ qL(t) hs, pi−−→α 0ht, qi and I0 = {hs0, qi | so ∈ I ∧ ∃q0 ∈ Q0. q0 L(s0) −−−→ q},

(38)

7.1 From LTL to NBA

Construction of an NBA Aϕ satisfying Lω(Aϕ) = Words(ϕ) for the LTL

formula ϕ

LTL formula ϕ ↓

Generalized Nondeterministic B¨uchi automaton Gϕ

↓

(39)

7.1 From LTL to NBA

Definition 18 (Generalized NBA (GNBA))

A generalized NBA is a tuple G = (Q, Σ, δ, Q0, F ) where Q, Σ, δ, Q0 are

defined as for an NBA, and F is a (possibly empty) subset of 2Q.

The elements F ∈ F are called acceptance sets. The infinite run

q0q1q2... ∈ Qω is called acceptingif

∀F ∈ F . (∞∃ j ∈ N. qj ∈ F ) .

The accepted language of G is:

L_ω(G ) = {σ ∈ Σω | there exists an accepting run for σ in G}

(40)

7.1 From LTL to NBA

Let infinite word σ = A0A1A2... ∈ Words(ϕ), an infinite words

−

σ= B0B1B2... satisfies

ψ ∈ Bi iff AiAi +1Ai +2... |= ψ (ψ ∈ closure(ϕ))

Example 19

If ϕ = a U(¬a ∧ b), σ = {a}{a, b}{b}... then

closure(ϕ) = {a, b, ¬a, ¬b, ¬a ∧ b, ¬(¬a ∧ b), ϕ, ¬ϕ}

B0 = {a, ¬b, ¬(¬a ∧ b), ϕ}

B1 = {a, b, ¬(¬a ∧ b), ϕ}

B2 = {¬a, b, ¬a ∧ b, ϕ}

...

(41)

7.1 From LTL to NBA

Definition 20 (Closure of ϕ)

The closure of LTL formula ϕ is the set closure(ϕ) consisting of all subformulae ψ of ϕ and their negation ¬ψ (where ψ and ¬¬ψ are identified).

Definition 21 (Elementary Sets of Formulae)

B ⊆ closure(ϕ) is elementary if it is consistent with respect to

propositional logic, maximal, and locally consistent with respect to the until operator.

(42)

7.1 From LTL to NBA

Properties of elementary sets of formulae

1 _{B is} _consistent_{with respect to propositional logic, for all}

ϕ1∧ ϕ2, ψ ∈ closure(ϕ):

ϕ1∧ ϕ2∈ B ⇔ ϕ1∈ B and ϕ2∈ B

ψ ∈ B ⇒ ¬ψ 6∈ B

true ∈ closure(ϕ) ⇒ true ∈ B.

2 _{B is} _{locally consistent}_{with respect to the until operator, for all}

ϕ1Uϕ2 ∈ closure(ϕ):

ϕ2∈ B ⇒ ϕ1Uϕ2∈ B

ϕ1Uϕ2∈ B and ϕ26∈ B ⇒ ϕ1∈ B.

3 _{B is} _maximal_{, for all ψ ∈ closure(ϕ):} ψ 6∈ B ⇒ ¬ψ ∈ B.

(43)

7.1 From LTL to NBA

Theorem 22 (GNBA for LTL Formula)

For any LTL formula ϕ (over AP) there exists a GNBA Gϕ over the

alphabet 2A_{P such that} 1 Words(ϕ) = L_ω(G_ϕ).

2 G_ϕ can be constructed in time and space 2O(|ϕ|).

(44)

7.1 From LTL to NBA

Let ϕ be an LTL formula over AP. Let Gϕ = (Q, 2AP, δ, Q0, F ) : Q : set of all elementary sets of formulae B ⊆ closure(ϕ),

Q0 = {B ∈ Q | ϕ ∈ B},

F = {Fϕ1Uϕ2 | ϕ1Uϕ2 ∈ closure(ϕ)}, where Fϕ1Uϕ2 = {B ∈ Q | ϕ1Uϕ26∈ B or ϕ2 ∈ B}.

The transition relation δ : Q × 2AP → 2Q _{is given by:}

If A 6= B ∩ AP, then δ(B, A) = ∅

If A = B ∩ AP, then δ(B, A) is the set of all elementary sets of formulae B0 satisfying

1 _{for every}#ψ ∈ closure(ϕ): #ψ ∈ B ⇔ ψ ∈ B0_{, and} 2 _{for every ϕ}₁_Uϕ2∈ closure(ϕ):

(45)

7.1 From LTL to NBA

Theorem 23

From each GNBA G there exists an NBA A with Lω(G ) = Lω(A).

Proof. Let G = (Q, Σ, δ, Q0, F ), with F = {F1, ..., Fk} and

1 _{If k = 1 then G is an NBA}

2 _{If k ≥ 2 then NBA A results from k copies of G :}

A = (Q0, Σ, δ0, Q₀0, F0) where: Q0= Q × {1, ..., k},

Q₀0 = Q0× {1} = {hq0, 1i | q0∈ Q0}, and

F0 = F1× {1} = {hqF, 1i | qF ∈ F1}.

The transition function δ0 :

δ0(hq, i i, A) =    {hq0_{, i i | q}0 _{∈ δ(q, A)}} _{if q 6∈ F} i

(46)

7.2 Complexity of LTL to NBA

For each LTL formula ϕ, there is an NBA A s.t. Lω(A) = Words(ϕ) and

size(A) ≤ 2cl (ϕ)· |ϕ| = 2O|ϕ|

1 _{From LTL formula ϕ to GNBA G of size 2}cl (ϕ)

2 From GNBA G to NBA A of size size(G ) · |F |

(47)

7.3 Complexity of LTL Model Checking

Theorem 24

The LTL model-checking problem is PSPACE-complete (PSPACE and PSPACE-hard).

1 PTIME (or briefly P) denotes the class of all decision problems that

can be solved by a deterministic polytime algorithm

2 NP denotes the class of all decision problems that can be solved by a

nondeterministic polytime algorithm.

3 _PSPACE _{denotes the class of all decision problems that can be}

solved by a deterministic polyspace algorithm.

4 _{Decision problem P is}_PSPACE-hard_{if all problems in PSPACE are}

(48)

Summary

1 _{LTL is a logic for formalizing path-based properties}

2 _{LTL formulae can be transformed algorithmically into}

nondeterministic B¨uchi automata (NBA). This transformation can

cause an exponential blowup.

3 The LTL model-checking problem can be solved by a nested

depth-first search in the product of the given transition system and an NBA for the negated formula.

4 The time complexity of the automata-based model-checking

algorithm for LTL is linear in the size of the transition system and exponential in the length of the formula