Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and...
Transcript of Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and...
![Page 1: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/1.jpg)
Introduction to Linear-Time Temporal Logic
CSE 814 1 Introduction to LTL
![Page 2: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/2.jpg)
Outline
• Motivation for TL in general • Types of properties to be expressed in TL • Structures on which LTL formulas are
evaluated • Syntax & semantics of LTL formulas • Example LTL identities • Example specifications
CSE 814 Introduction to LTL 2
![Page 3: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/3.jpg)
Why Temporal Logic?
• Classical logic is good for describing static structures: a fixed world
• Most computing systems are dynamic: worlds change over time
• Introduce temporal operators to describe how worlds change over time w/o explicitly referring to time
CSE 814 Introduction to LTL 3
![Page 4: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/4.jpg)
Why Temporal Logic?
• Want to be able to specify and verify properties about how a system changes over time (world = system state)
• Properties of interest include – Safety: “Nothing bad will happen” – Liveness: “Something good will happen” – Fairness: Independent subsystems make progress
• Properties not directly expressible as constraints on a 1-step transition relation
CSE 814 Introduction to LTL 4
![Page 5: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/5.jpg)
Resource sharing and deadlock
• Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5) philosophers alternately think and eat at a round table – n chopsticks, one between each pair – a philosopher needs the chopstick on the left and on the right to eat
• Greedy heuristic: – Each phil repeatedly: picks up an available chopstick and holds
onto it; when other is available, picks it up and eats; puts both chopsticks
• Deadlock: The system should not reach a state in which no further action is possible
CSE 814 Introduction to LTL 5
![Page 6: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/6.jpg)
Greedy algorithm: Deadlock
CSE 814 Introduction to LTL 6
![Page 7: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/7.jpg)
Resource sharing and starvation
• Less greedy heuristic: – pick up right chopstick only if left is also available
• Prevents deadlock
• Livelock, Starvation: When a subsystem is prevented from taking any action because of resource contention
CSE 814 Introduction to LTL 7
![Page 8: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/8.jpg)
Less Greedy algorithm: Starvation
CSE 814 8 Introduction to LTL
![Page 9: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/9.jpg)
Fairness Assumptions
• Weak Fairness: Any action that is continuously enabled will eventually occur – Guarantees that a philosopher holding both chopsticks eventually
puts them down – Does not prevent previous scenario for less greedy philosophers
• Strong Fairness: Any action that is enabled infinitely often will eventually occur – Prevents previous scenario (since picking up right fork is enabled
infinitely often) – But is it enough to guarantee all philosophers eat infinitely often?
CSE 814 Introduction to LTL 9
![Page 10: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/10.jpg)
Why Temporal Logic?
Allows specification of properties such as • Safety: Nothing bad ever happen
– e.g., no deadlock – e.g., no violation of mutual exclusion
• Liveness: Something good eventually happens – e.g., if a chopstick is held, it is eventually put down – e.g., a program eventually terminates
• Fairness: Describe assumptions necessary to guarantee that a subsystem makes progress – e.g., if a philosopher’s chopstick is available infinitely often, the
philosopher will eventually get to pick it up (strong fairness) CSE 814 Introduction to LTL 10
![Page 11: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/11.jpg)
Temporal Logics • Introduce temporal operators to describe how worlds
change over time w/o explicitly referring to time • Vary in how they view time
– Linear time: quantify over the worlds in an execution path
– Branching time: quantify over both execution paths and worlds
• Underlying both: Computation abstracted as a finite-state labeled transition system (LTS)
CSE 814 Introduction to LTL 11
![Page 12: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/12.jpg)
Propositions and States
• LTL is defined relative to a set of primitive propositions, P
• Example primitive proposition: – waiti,L “phil i is waiting to pick up the left fork” – eati “phil i is eating” – turni,j “it is phil i’s turn to use fork j” – inCSA “process A is executing in a critical section” – x = 0 “the value of variable x is 0” – p@1 “process p is at line 1”
• A state, s, is defined by the set of primitive propositions that are true in that state – i.e.,
CSE 814 Introduction to LTL 12
![Page 13: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/13.jpg)
LTL Temporal Operators
• Quantify over the states in a sequence of states.
• Informally, given PLTL formulas, f and g – Next f: “ f is true at the next state”
– Henceforth f: “f is true at all future states”
– Eventually f: “f is true at some future state”
– f until g: “g is true at some future state and f is true at each state until then”
• Alternate notations: – X for “Next” instead of circle, G for “Henceforth” instead of a box – F for “Eventually” instead of a diamond
CSE 814 Introduction to LTL 13
![Page 14: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/14.jpg)
Syntax of LTL
• The set of well-formed LTL formulas (relative to P ) is defined inductively by the following formation rules:
CSE 814 Introduction to LTL 14
![Page 15: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/15.jpg)
Semantics of LTL
Terminology: • xx • xx • xx
CSE 814 Introduction to LTL 15
![Page 16: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/16.jpg)
Semantics of LTL
CSE 814 Introduction to LTL 16
![Page 17: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/17.jpg)
Semantics of LTL
CSE 814 Introduction to LTL 17
Henceforth f :
(�, j) |= 2f i↵ 8 k · (k � j ) (�, k) |= f )
Eventually f :
(�, j) |= 3f i↵ 9 k · (k � j ^ (�, k) |= f )
L. K. Dillon For slides on PLTL
![Page 18: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/18.jpg)
Semantics of LTL
CSE 814 Introduction to LTL 18
Strong until -- because g must be satisfied in the future
![Page 19: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/19.jpg)
Semantics of LTL
CSE 814 Introduction to LTL 19
Boolean operators defined in the usual manner
. . .
![Page 20: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/20.jpg)
Some LTL identities
• Henceforth and Eventually are duals:
• Henceforth and Eventually are idempotent:
• Henceforth, Eventually are derivable from Until
• Waits for (weak until) operator, W, can be defined
CSE 814 Introduction to LTL 20
![Page 21: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/21.jpg)
Some LTL identities
• Distributive properties
• Many other identities … CSE 814 Introduction to LTL 21
![Page 22: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/22.jpg)
Some example specifications
Suppose inCSX denotes “process X is in the critical section”
• Process A and B are never both in their critical sections at the same time (mutual exclusion)
• Neither process monopolizes the critical section
CSE 814 Introduction to LTL 22
![Page 23: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/23.jpg)
Some example specifications • Given primitive proposition:
– waiti,R “phil i is waiting to pick up the right fork” – eati “phil i is eating” – turni,j “it is phil i’s turn to use fork j”
• A philosopher waits continuously until she eats
Corollary: No (hungry) philosopher starves
CSE 814 Introduction to LTL 23
![Page 24: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/24.jpg)
Some example specifications
• The philosophers take turns “fairly”
CSE 814 Introduction to LTL 24
![Page 25: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/25.jpg)
Exercise • Given primitive proposition:
– beginp “control is as the start of procedure p” – prep “procedure p’s precondition is true” – endp “control is at the end of procedure p” – postp “procedure p’s post condition is true” – inp “control is in procedure p”
• Write a temporal logic formula that expresses partial correctness
• Write a temporal logic formula that expresses total correctness
CSE 814 Introduction to LTL 25
![Page 26: Introduction to Linear-Time Temporal Logiccse814/Lectures/14_introLTL.pdfResource sharing and deadlock • Dining philosophers: abstracts a resource sharing paradigm – n (≥ 5)](https://reader030.fdocuments.in/reader030/viewer/2022041000/5ea01349799eaf4d736590a7/html5/thumbnails/26.jpg)
Acknowledgements • Formal Methods: Lecture III: Linear Time Temporal Logic, A. Artale,
Free University of Bolzano, http://web.iitd.ac.in/~sumeet/slide3.pdf • An Introduction to Temporal Logics, M. Lawford, McMaster
University, https://www.cas.mcmaster.ca/~lawford/.../model.pdf • V.S. Alagar, K. Periyasamy, Specification of Software Systems,
Chapter 11, DOI 10.1007/978-0-85729-277-3_11 • Temporal Verification of Reactive Systems, Z. Manna & A. Pnueli,
Springer, 1995.
CSE 814 Introduction to LTL 26