modal and temporal logics - university of edinburghhomepages.inf.ed.ac.uk/cps/uruguay2.pdf7 summary:...
TRANSCRIPT
Modal and Temporal Logics
Colin StirlingSchool of Informatics
University of Edinburgh
July 24, 2003
cps wssa 03 today
1
SummaryIntroduced transition systems
• a set of states S
• a set of labels A
• a set of transitions: s a−→ s′ where s, s′ ∈ S, a ∈ A
tick
Cl
cps wssa 03 today
2
SummaryOr Kripke structure where labels appear at states (“colours”)
p, q
r
q
s
s’
s’’
cps wssa 03 today
3
SummaryModal logic
Φ ::= tt | ff | Φ1 ∧ Φ2 | Φ1 ∨ Φ2 | [K]Φ | 〈K〉Φ
Semantics E |= Φ
E |= ttE 6|= ffE |= Φ ∧Ψ iff E |= Φ and E |= ΨE |= Φ ∨Ψ iff E |= Φ or E |= ΨE |= [K]Φ iff ∀F ∈ {E′ : E a−→ E′ and a ∈ K}. F |= ΦE |= 〈K〉Φ iff ∃F ∈ {E′ : E a−→ E′ and a ∈ K}. F |= Φ
cps wssa 03 today
4
SummaryKripke model = Kripke structure + L : Colours → S.
Modal Logic: Syntax
Φ ::= p | ¬p | Φ1 ∧ Φ2 | Φ1 ∨ Φ2 | [−]Φ | 〈−〉Φ
cps wssa 03 today
5
SummarySemantics
E |= p iff E ∈ L(p)E |= ¬p iff E 6∈ L(p)E |= Φ ∧Ψ iff E |= Φ and E |= ΨE |= Φ ∨Ψ iff E |= Φ or E |= ΨE |= [−]Φ iff ∀F ∈ {E′ : E −→ E′}. F |= ΦE |= 〈−〉Φ iff ∃F ∈ {E′ : E a−→ E′}. F |= Φ
cps wssa 03 today
6
Summary: Bisimulation on Transition SystemsA binary relation B between states of a transition system is a bisimulationprovided that, whenever (E, F ) ∈ B and a ∈ A,
• if E a−→ E′ then F a−→ F ′ for some F ′ such that (E′, F ′) ∈ B, and
• if F a−→ F ′ then E a−→ E′ for some E′ such that (E′, F ′) ∈ B
Two states E and F are bisimulation equivalent , E ∼ F , if there is abisimulation relation B such that (E, F ) ∈ B.
cps wssa 03 today
7
Summary: Bisimulation on Kripke ModelsA binary relation B between states of a Kripke model is a bisimulation providedthat, whenever (E, F ) ∈ B
• for all colours p, E ∈ L(p) iff F ∈ L(p)
• if E −→ E′ then F −→ F ′ for some F ′ such that (E′, F ′) ∈ B, and
• if F −→ F ′ then E −→ E′ for some E′ such that (E′, F ′) ∈ B
Two states E and F are bisimulation equivalent , E ∼ F , if there is abisimulation relation B such that (E, F ) ∈ B.
cps wssa 03 today
8
Summary: Invariance
• E ≡ F if for all modal Φ, E |= Φ iff F |= Φ.
(E and F have the same modal properties.)
• Proposition if E ∼ F then E ≡ F
• Proposition if E and F belongs to a finitely branching transitionsystem/Kripke model and E ≡ F then E ∼ F .
cps wssa 03 today
9
Summary: Unfolding
A transition system/Kripke model can be unfolded into a (bisimulationequivalent) possibly infinite tree
p, q
r
q
s
s’
s’’
becomes
cps wssa 03 today
10s
s
s
....
........ .......
s’
s’’
s’
cps wssa 03 today
11
Computational Properties
• Satisfiability Problem “Given a modal formula Φ, is Φ satisfiable(realisable)?” is NP-complete.
• Finite Tree Property If Φ is satisfiable then Φ is satisfiable in a transitionsystem/Kripke model that is a finite tree. (Hence, also Finite ModelProperty: if Φ is satisfiable then Φ is satisfiable in a finite transitionsystem/Kripke model.)
• Model Checking Problem “Given a finite transition system/Kripke model, astate E of it, and a modal formula, does E |= Φ ?” is P-complete.
cps wssa 03 today
12
Mutual Exclusion: Crucial Properties
• Mutual exclusion
• Absence of deadlock
• Absence of starvation
PROBLEM : None of these properties is expressible in modal logic!
cps wssa 03 today
13
Summary: Runs
• A run from state E0 is a finite or infinite length sequence of transitions
E0a1−→ E1
a2−→ . . . an−→ Enan+1−→ . . . with “maximal” length.
• Similarly, for a Kripke model.
• A run is a branch in the unfolded transition system/Kripke model .
cps wssa 03 today
14
Beyond Modal LogicRuns provide a means for expressing long term features .
• Mutual exclusion: no run has the property that two components are in theircritical section at the same time.
• Absence of deadlock: every run has infinite length
• Absence of starvation: in every run if a component requests entry intocritical section then eventually that component will be in its critical section
cps wssa 03 today
15
Summary: Temporal Operators on Runs
• Next: (K)Φ
E0a1−→ E1
a2−→ . . . Eiai+1−→ . . .
a1 ∈ K |= . . .Φ
• Until: ΦU Ψ. Note: the index i can be 0
E0a1−→ E1
a2−→ . . . Eiai+1−→ . . .
|= |= . . . |=Φ Φ Ψ
cps wssa 03 today
16
Summary: Temporal Operators on Runs II
• Eventually: F Ψ = ttUΨ. The index i can be 0
E0a1−→ E1
a2−→ . . . Eiai+1−→ . . .
. . . |=Ψ
• Always: G Ψ = ¬F¬Ψ
E0a1−→ E1
a2−→ . . . Eiai+1−→ . . .
|= |= . . . |=Ψ Ψ Ψ . . .
cps wssa 03 today
17
Summary: Linear Time Temporal Logic (LTL)Syntax
Φ ::= p | ¬Φ | Φ1 ∧ Φ2 | (−)Φ | ΦU Ψ
Semantics
A state E of a Kripke model satisfies an LTL formula Φ, written E |= Φ,
if for any run π from E, the run π |= Φ.
cps wssa 03 today
18
Summary: InvarianceE ≡ F if for all LTL Φ, E |= Φ iff F |= Φ.
Proposition If E ∼ F then E ≡ F .
Proof Sketch Bisimulation equivalence preserves runs.
cps wssa 03 today
19
Summary: Computational Properties I
• Satisfiability Problem “Given an LTL formula Φ, is Φ satisfiable (realisable)?”is PSPACE-complete.
• “Tree” Model Property If Φ is satisfiable then Φ is satisfiable in a transitionsystem/Kripke model that is a (regular) infinite tree whose branching degreeis one.
cps wssa 03 today
20
Summary: Computational Properties II
• Finite Model Property If Φ is satisfiable then Φ is satisfiable in a finitetransition system/Kripke model (that is eventually cyclic).
E ...
• Model Checking Problem “Given a finite transition system/Kripke model, astate E of it, and an LTL formula, does E |= Φ?” is PSPACE-complete.
cps wssa 03 today
21
Branching Time LogicsFor each temporal operator such as F, create two variants
• AF “for all runs eventually” (strong)
• EF “for some run eventually” (weak)
Modal operators are also branching time temporal operators
• [K] = A¬(K)¬
• 〈K〉 = E (K)
Therefore, we can extend modal logic with branching time temporal operators.
cps wssa 03 today
22
Computation Tree Logic (CTL)Syntax
Φ ::= tt | ¬Φ | Φ1 ∧ Φ2 | 〈K〉Φ | A(Φ1 UΦ2) | E(Φ1 UΦ2)
Semantics
Define when a state of a transition system satisfies a CTL formula.
cps wssa 03 today
23
Semantics of CTLThe new clauses
E |= ¬Φ iff E 6|= Φ
E0 |= A(Φ UΨ) iff for all runs E0a1−→ E1
a2−→ . . .there is i ≥ 0 with Ei |= Ψ andfor all j : 0 ≤ j < i, Ej |= Φ
E0 |= E(Φ U Ψ) iff for some run E0a1−→ E1
a2−→ . . .there is i ≥ 0 with Ei |= Ψ andfor all j : 0 ≤ j < i, Ej |= Φ
cps wssa 03 today
24
Derived OperatorsAF Φ = A(ttU Φ)
E F Φ = E(ttU Φ)
AG Φ = ¬EF¬Φ
EG Φ = ¬AF¬Φ
• Safety “nothing bad ever happens”: in every run bad is never true. A G good
• Liveness “something good eventually happens”: in every run good is eventuallytrue. A F good
• Weak Safety in some run bad is never true. E G good
• Weak Liveness in some run good is eventually true. E F good
cps wssa 03 today
25
Example: Crossing
E E
E
E
E E
E
E E
E
1 2
4 5
8 6 9
1110
3
E7
car train
car
car
train
train
ccross
______
tcross
______
τ
τ
τ
τ
τ
Crossing
train
car
τ
τ
τ
ccross
tcross
It is never the case that a train and a car can cross at the same time
AG([tcross]ff ∨ [ccross]ff)
cps wssa 03 today
26
Example: Mutual Exclusion
• Mutual exclusion: AG ([exit1]ff ∨ [exit2] ff)
• Absence of deadlock: AG 〈−〉 tt
• Absence of starvation (for one component): AG [req1] AF 〈exit1〉 tt
cps wssa 03 today
27
Exercise
p p,q
r
p
E F
G
H
Which of the following are true?
E |= A(p U q) E |= A F rE |= E F r E |= E G pE |= A F(E G r ∨ EG p)
cps wssa 03 today
28
Exercise: Which are Valid, Unsatisfiable, Neither?V U N
AG Φ → AF Φ
EG Φ → AF Φ
AF(Φ ∨Ψ) → AF Φ ∨AF Ψ
AG Φ → (Φ ∧ [−]AGΦ
AG AFΦ → EF E GΦ
AF AG Φ → AG AF Φ
AG(¬Φ ∨ 〈−〉Φ) ∧ Φ ∧AF¬Φ
AG(Φ → Ψ) → (AG Φ → AG Ψ)
cps wssa 03 today
29
ExerciseLet E ≡ F if for all CTL Φ, E |= Φ iff F |= Φ.
Prove the following:
Proposition If E ∼ F then E ≡ F .
cps wssa 03 today
30
Computational Properties
• Satisfiability Problem “Given an CTL formula Φ, is Φ satisfiable ?” isEXPTIME-complete.
• Tree Model Property If Φ is satisfiable then Φ is satisfiable in a transitionsystem/Kripke model that is a (regular) infinite tree.
• Finite Model Property If Φ is satisfiable then Φ is satisfiable in a finite transitionsystem/Kripke model.
• Model Checking Problem “Given a finite transition system/Kripke model, astate E of it, and a CTL formula, does E |= Φ ?” is P-complete.
cps wssa 03 today
31
Incomparability of LTL and CTLA formula of Φ of LTL is equivalent to a formula Ψ of CTL if for every modeland state E, E |= Φ iff E |= Ψ.
• CTL and LTL are expressively incomparable .
• EF AG p is not expressible in LTL and F G p is not expressible in CTL
p p
E
p
F
cps wssa 03 today
32
• Open Question: which formulas of LTL are in CTL? (Known: which formulasof CTL are in LTL.)
cps wssa 03 today
33
CTL∗
Syntax
Allow the facility to have branching time formulas with arbitrary embeddings oflinear time and boolean operators.
Φ ::= p | ¬Φ | Φ1 ∧ Φ2 | (−)Φ | ΦU Ψ | AΦ
Example formula: A(FG Φ∧GF Ψ)
cps wssa 03 today
34
Semantics of CTL∗
A state E of a Kripke model satisfies an CTL∗ formula Φ, written E |= Φ, if forany run π from E, the run π |= Φ.
π(0) is initial state of π
π |= AΦ iff for any run π′ if π′(0) = π(0)then π′ |= Φ
CTL∗ contains both LTL and CTL.
Let E ≡ F if for all Φ ∈ CTL∗, E |= Φ iff F |= Φ.
Proposition If E ∼ F then E ≡ F .
cps wssa 03 today
35
Computational Properties
• Satisfiability Problem “Given a CTL∗ formula Φ, is Φ satisfiable ?” is2EXPTIME-complete.
• Tree Model Property If Φ is satisfiable then Φ is satisfiable in a transitionsystem/Kripke model that is a (regular) infinite tree.
• Finite Model Property If Φ is satisfiable then Φ is satisfiable in a finite transitionsystem/Kripke model.
• Model Checking Problem “Given a finite transition system/Kripke model, astate E of it, and a CTL∗ formula, does E |= Φ?” is PSPACE-complete.
cps wssa 03 today
36
Model Checking CTL Formulas‖Φ ‖ = {E : E |= Φ} in a fixed model.
Model checking is “bottom up” by computing ‖Ψ ‖ for any subformula of Φ andthen computing ‖Φ ‖.
• ‖¬Φ1 ‖ = −‖Φ1 ‖,
• ‖Φ1 ∧ Φ2 ‖ = ‖Φ1 ‖ ∩ ‖Φ2 ‖
• ‖ 〈K〉Φ ‖ = {F : ∃F ′ ∈ ‖Φ ‖, a ∈ K.F a−→ F ′}
cps wssa 03 today
37
Model Checking CTL
• ‖E(ΦU Ψ) ‖ =⋃
Si where S1 = ‖Ψ ‖ and
Si+1 = Si ∪ {F ∈ ‖Φ ‖ : ∃a, F ′ ∈ Si. Fa−→ F ′}
• ‖A(ΦU Ψ) ‖ =⋃
Si where S1 = ‖Ψ ‖ and
Si+1 = Si ∪ {F ∈ ‖Φ ‖ : ∃a, F ′. F a−→ F ′ and ∀a, F ′. if F a−→ F ′ then F ′ ∈Si}
Direct backwards reachability computation for E U in transition graph. For A Uit is forward reachability which can be implemented efficiently using depth firstsearch.
Both are fixed point computations: essence of model checking
cps wssa 03 today
38
Temporal Operators as Fixed points
1. E(ΦU Ψ) ≡ Ψ ∨ (Φ ∧ 〈−〉E(ΦU Ψ))
2. A(Φ U Ψ) ≡ Ψ ∨ (Φ ∧ 〈−〉tt ∧ [−]A(ΦU Ψ))
Syntactically: property X such that
1. X ≡ Ψ ∨ (Φ ∧ 〈−〉X)
2. X ≡ Ψ ∨ (Φ ∧ 〈−〉tt ∧ [−]X)
cps wssa 03 today
39
Temporal Operators as Fixed pointsSemantically: set of states S = f(S) where f is
1. λx.‖Ψ ∨ (Φ ∧ 〈−〉x) ‖
2. λx.‖Ψ ∨ (Φ ∧ 〈−〉tt ∧ [−]x) ‖
If S = f(S) then S is a fixed point of f .
In both cases f is monotonic : S ⊆ S′ → f(S) ⊆ f(S′)
f is essentially modal (using 〈−〉 and [−]).
cps wssa 03 today
40
Fixed pointsS is a prefixed point of f , if f(S) ⊆ S
S is a postfixed point of f , if S ⊆ f(S)
Proposition If f is monotonic (w.r.t ⊆) then f
1. has a least fixed point,⋂
{S : f(S) ⊆ S}
2. has a greatest fixed point,⋃
{S : S ⊆ f(S)}
Exercise: Prove this.
cps wssa 03 today
41
Example
• S = f(S) when f = λx.‖Ψ ∨ (Φ ∧ 〈−〉x) ‖
• There can be many different fixed points of f .
• The one wanted that expresses E(ΦU Ψ) is the least fixed point.
• Exercise: what does the greatest fixed point of f express?
cps wssa 03 today
42
Example
• AG Φ ≡ Φ ∧ [−]AG Φ. Computing ‖AG Φ ‖: Simple depth first search,that stops when reach a state in ‖¬Φ ‖.
• ‖AG Φ ‖ =⋂
Si where S1 = ‖Φ ‖ and
Si+1 = Si ∩ {F ∈ Si : ∀a, F ′.F a−→ F ′ implies F ′ ∈ Si}
• Syntactically: Property X such that X ≡ Φ ∧ [−]X
Semantically: fixed point of f = λx.‖Φ ∧ [−]x ‖
• Required property, A G Φ, is greatest fixed point of f
• Exercise: What does the least fixed point of f express?
cps wssa 03 today
43
ExerciseWhat property is defined by the following fixed points?
1. X ≡ Φ ∨ 〈−〉X least
2. X ≡ Φ ∧ 〈−〉X greatest
3. X ≡ Φ ∧ [−][−]X greatest
cps wssa 03 today
44
A SchedulerProblem: assume n tasks when n > 1.
ai initiates the ith task and bi signals its completion
The scheduler plans the order of task initiation, ensuring
1. actions a1 . . . an carried out cyclically and tasks may terminate in any order
2. but a task can not be restarted until its previous operation has finished.(ai and bi happen alternately for each i. )
More complex temporal properties. Not expressible in CTL∗ (“not firstorder”but are “regular”).
Expressible using fixed points
cps wssa 03 today
45
Modal Logic+Z ranges over propositional variables
Φ ::= Z | tt | ff | Φ1 ∧ Φ2 | Φ1 ∨ Φ2 | [K]Φ | 〈K〉Φ
• |= refined to |=V where V is a valuation that assigns a set of states V(X) toeach variable X
E |=V X iff E ∈ V(X)
• ‖Φ ‖ refined too: ‖Φ ‖V = {E : E |=V Φ}
• V[S/X] is valuation V′ like V except V′(X) = S.
cps wssa 03 today
46
Modal Logic+ IIProposition The function λx.‖Φ ‖V[x/X] is monotonic for any modal Φ.
• If ¬ explicitly in logic then above not true: ¬X: λx.− x not monotonic.
However, define when Φ is positive in X: if X occurs within an even numberof negations in Φ
Proposition If Φ is positive in X then λx.‖Φ ‖V[x/X] is monotonic
1. Property given by least fixed point of λx.‖Φ ‖V[x/X] is written µX.Φ.
2. Property given by greatest fixed point of λx.‖Φ ‖V[x/X] is written νX.Φ.
Alternative basis for temporal logic: modal logic + fixed points
cps wssa 03 today