EE 144/244: Fundamental Algorithms for

System Modeling, Analysis, and Optimization

Fall 2014

Temporal logic

Stavros TripakisUniversity of California, Berkeley

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 1 / 27

Why temporal logic

a formal specification language=

a way to specify what we want mathematically(unambiguously!)

Amir Pnueli (1941 - 2009) won the ACM Turing Award, in part forproposing to use temporal logic for specification.

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 2 / 27

Example: Specification of the SpaceWire Protocol

(European Space Agency standard)

From Sanjit Seshia.

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 3 / 27

Temporal Logics

Many variants: for linear, branching, timed, continuous, security,..., properties

We will look at LTL (for so-called linear-time properties) andCTL (for so-called branching-time properties).

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 4 / 27

LTL (Linear Temporal Logic) – SyntaxLTL1 formulas are defined by the following grammar:

φ ::= p | q | ...| φ1 ∧ φ2 | ¬φ1

| Gφ1

| Fφ1

| Xφ1

| φ1 Uφ2

Intuition:Gφ: globally φ (always φ), also written 2φ.Fφ: in the future φ (eventually φ), also written 3φ.Xφ: next φ, also written ©φ.

φ1 Uφ2: φ1 until φ2.1This is PLTL: Propositional LTL (there is also first-order LTL with

quantifiers ∀,∃).Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 5 / 27

LTL – Semantics: IntuitionLTL formulas are evaluated over infinite sequences (executiontraces).Satisfaction relation looks like this – for LTL formula φ and infinitetrace σ:

σ |= φ

formula mnemonicformula mnemonicproposition (must hold now)always globallyalways, globallyfinally, future, eventuallynext stepnext stepuntil

11

Intuitive semantics

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 6 / 27

LTL: examples

GFp

G(p→ Fq)

pU (q U (p ∧ r))

What do these formulas intuitively mean?

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 7 / 27

LTL – Semantics: FormallyWe want to define formally the satisfaction relation: σ |= φ.

What kind of object is σ ?

An infinite trace of sets of atomic propositions:

σ ∈ (2P )ω.

That is,σ = σ0, σ1, σ2, · · ·

where σi ⊆ P for all i. P is the set of all atomic propositions.

Let P = {p, q}. Examples of traces:

σ = {p}, {q}, {p}, {q}, {p}, ...ρ = {p}, {p}, {p}, {p}, {p}, ...τ = {p}, {q}, {p, q}, {}, {p, q}, .... . .

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 8 / 27

LTL – Semantics: Formally

Letσ = σ0, σ1, σ2, · · ·

Notation: σ[i..] = σi, σi+1, σi+2, · · ·

Satisfaction relation defined recursively on the syntax of a formula:

σ |= p iff p ∈ σ0σ |= φ1 ∧ φ2 iff σ |= φ1 and σ |= φ2

σ |= ¬φ iff σ 6|= φσ |= Gφ iff ∀i = 0, 1, ... : σ[i..] |= φσ |= Fφ iff ∃i = 0, 1, ... : σ[i..] |= φσ |= Xφ iff σ[1..] |= φσ |= φ1 Uφ2 iff ∃i = 0, 1, ... : σ[i..] |= φ2 ∧

∀0 ≤ j < i : σ[j..] |= φ1

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 9 / 27

LTL – Semantics: FormallyLet

σ = σ0, σ1, σ2, · · ·

Notation: σ[i..] = σi, σi+1, σi+2, · · ·

Satisfaction relation defined recursively on the syntax of a formula:

σ |= p iff p ∈ σ0 p holds at the first (current) stepσ |= φ1 ∧ φ2 iff σ |= φ1 and σ |= φ2σ |= ¬φ iff σ 6|= φσ |= Gφ iff ∀i = 0, 1, ... : σ[i..] |= φ φ holds for every suffix of σσ |= Fφ iff ∃i = 0, 1, ... : σ[i..] |= φ φ holds for some suffix of σσ |= Xφ iff σ[1..] |= φ φ holds for the suffix starting at the next stepσ |= φ1 Uφ2 iff ∃i = 0, 1, ... : σ[i..] |= φ2 ∧

∀0 ≤ j < i : σ[j..] |= φ1φ2 holds for some suffix of σ andφ1 holds for all previous suffixes

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 10 / 27

LTL Semantics: Summary

11

Linear Temporal Logic (LTL)

LTL formulas: Statements about an execution trace

Here, p is propositional logic formula and is either a propositional logic or an LTL formula.

formula meaning

Here p is a propositional logic formula and φ, φ1, φ2 are propositionallogic formulas or LTL formulas.

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 11 / 27

State machines and temporal logic

State machine = implementation (the system we want to verify).

LTL formula = specification (the property that we want the systemto satisfy).

The model checking problem: does a given system (e.g., statemachine) satisfy a given temporal logic specification (e.g., LTLformula) ?

Meaning: all execution traces of the system must satisfy the LTLformula.

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 12 / 27

Execution traces of a state machineA run of a Mealy machine (I, O, S, s0, δ, λ) is a (finite or infinite)sequence of states / transitions:

s0x0/y0−→ s1

x1/y1−→ s2x2/y2−→ s3 · · ·

such that

∀i : xi ∈ I, yi ∈ O∀i : si+1 = δ(si, xi)

∀i : yi = λ(si, xi)

The observable I/O behavior (trace) corresponding to the above runis

{x0, y0} −→ {x1, y1} −→ {x2, y2} −→ · · ·Here we assume that only I/O are observable. We could also define tracesthat expose the internal state of the machine. E.g., we may want to statethe requirement that a certain register never has a certain value.

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 13 / 27

System models can also be Transition Systems

Transition system: an even more basic model than state machines:

Transition system = states + transitions (+ labels)

Possibly infinite sets of states/transitions.

Can describe infinite-state systems (e.g., programs with integeror real variables).

Can also be used in non-discrete systems (e.g., timed or hybridautomata, as we will see later).

Form the basis for the semantics of temporal logics (LTL, CTL,...) and other equivalences between systems such as(bi-)simulation.

Many variants: Labeled Transition Systems, Kripke Structures, ...

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 14 / 27

Example: Labeled Transition System

In a LTS the labels are on the transitions.Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 15 / 27

Example: Kripke Structure

In a KS the labels are on the states. Each state is labeled with a setof atomic propositions (those that hold on that state).

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 16 / 27

The model-checking problem for LTL

Given a transition system M and an LTL formula φ, check that alltraces of M satisfy φ.

We write this as:M |= φ

(read “M satisfies φ”).

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 17 / 27

Examples

Let’s find transition systems satisfying or violating the following LTLformulas:

Gp

Fp

GFp

G(p→ Fq)

pU q

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 18 / 27

Interesting facts about LTL

Can we express Gp using only F, p, and boolean operators?

Vice versa, can we express F in terms of G?

Can we express F in terms of U ?

Can we express X in terms of G, F, U ?

I Cannot be done!

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 19 / 27

LTL – more examples

See http://embedded.eecs.berkeley.edu/eecsx44/lectures/

Fall2013/TemporalLogic.pdf.

Errata:

Slides 13-14: “if and only if it holds” should be “if and only if pholds”.

Slide 19: F(p⇒ (XXq)) should be G(p⇒ (XXq)).

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 20 / 27

SAFETY and LIVENESS

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 21 / 27

Safety and Liveness

Two important classes of properties.

Safety property: something “bad” does not happen.I E.g., system never crashes, division by zero never happens,

voltage stays always ≤ K (never exceeds K), etc.I Finite length error trace.

Liveness property: something “good” must happen.I E.g., every request must eventually receive a response.I Infinite length error trace.

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 22 / 27

Safety and Liveness

Are these LTL properties safety, liveness, something else?

Gp: safety.

Fp: liveness.

Xp: safety.

pU q: “both”.

GFp: liveness.

G(p⇒ Fq): liveness.

G(p⇒ Xq): safety.

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 23 / 27

Safety and Liveness – Formally

Let P be a set of atomic propositions.2P is the powerset of P .(2P )∗ is the set of all finite sequences over P .(2P )ω is the set of all infinite sequences over P .

What is a property, formally?

A property A is a set of traces: A ⊆ (2P )ω.

Examples:

A = (2P )ω: A holds on all traces (every trace is in A, i.e., everytrace satisfies property A).

A = ∅: no trace satisfies A.

A = the set of all traces satisfying GFp.

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 24 / 27

Safety and Liveness – FormallyLet A be a property = set of (infinite) traces.

For a trace σ, and length k ∈ N, we denote by σ[1..k] the finiteprefix σ1 · · ·σk of σ.

A is a safety property if

∀σ 6∈ A : ∃k ∈ N : ∀ρ ∈ (2P )ω : σ[1..k] · ρ 6∈ A

i.e., for any σ violating the safety property, there exists a badprefix σ[1..k], such that no matter how we extend this prefix wecan no longer satisfy the safety property.

A is a liveness property if

∀σ ∈ (2P )∗ : ∃ρ ∈ (2P )ω : σ · ρ ∈ A

i.e., every finite trace can be extended, by appending a goodsuffix, into an infinite trace which satisfies the liveness property.

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 25 / 27

Safety and Liveness – Formally

Theorem ([Alpern and Schneider, 1985])

Every property is the intersection of a safety property and a livenessproperty.

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 26 / 27

BibliographyAlpern, B. and Schneider, F. B. (1985).

Defining liveness.Information Processing Letters, 21(4):181 – 185.

Baier, C. and Katoen, J.-P. (2008).

Principles of Model Checking.MIT Press.

Clarke, E., Grumberg, O., and Peled, D. (2000).

Model Checking.MIT Press.

Emerson, E. A. (1990).

Handbook of theoretical computer science (vol. b).chapter Temporal and modal logic, pages 995–1072. MIT Press.

Huth, M. and Ryan, M. (2004).

Logic in Computer Science: Modelling and Reasoning about Systems.Cambridge University Press.

Manna, Z. and Pnueli, A. (1991).

The Temporal Logic of Reactive and Concurrent Systems: Specification.Springer-Verlag, New York.

Manna, Z. and Pnueli, A. (1995).

Temporal Verification of Reactive Systems: Safety.Springer-Verlag, New York.

Pnueli, A. (1981).

A temporal logic of concurrent programs.Theoretical Computer Science, 13:45–60.

Stavros Tripakis (UC Berkeley) EE 144/244, Fall 2014 Temporal logic 27 / 27