SOEN331 – Winter 2018
Introduction to Formal Methods for Software Engineering
Tutorial 6
Linear Temporal Logic (LTL)
Textbook: chapter 11 – sections 11.2, 11.3.1, 11.3.2
Basic Temporal Operators
SOEN331-W18-LTutorial 6: LTL 2
Examples
Exercises (in class)
1. The backup server never shuts down
2. A process will eventually execute
3. The sun will rise eventually
4. The sun will rise an infinite number of times
5. It is always the case that sunset will eventually follow sunrise
6. Eventually proposition P holds forever
More Temporal Logic Operators
Examples
■ It is always the case that the system remains at state active until 08:00, or it remains active unless it is disabled
■ The server has been up since it has been switched on
Exercises
■ “A procedure executes unless it throws an exception”
■ Which of the following translations is correct?
A) [formula not reproduced in the transcript]
B) [formula not reproduced in the transcript]
Slide labels for the two candidates: wrong, correct
Examples
Exercises on LTL (1)
1. Always, if an email is sent through the network, then it will eventually be delivered.
2. If a car is parked and the meter has expired, then at the next moment it will be ticketed.
3. The gate remains closed until the train leaves the crossing.
4. If the water level in a tank is high at time i, i ≥ 0, then at time i+1 the alarm rings.
5. Getting a rank in studies and excelling in sports is not always possible.
Exercises on LTL (2)
6. If the printer is on and the front of a file is received by it at time i, then the printer will start printing the file at some future time instance j, j ≥ i, and continue printing until the end of the file is reached at some time instance k, k > j.
7. The program execution is continued unless there is a stack overflow.
8. The gate remains open since the train crossed the gate.
9. On arrival of the train at the terminal, the driver on duty is released.
10. The traffic light is green infinitely often.
11. The traffic light is red only in a finite number of time instances.
Exercises on LTL (3)
12. The resource must not be simultaneously accessed by a writer and a reader.
■ NOTE: This is a particular instance of the safety property called mutual exclusion (between writers and readers).
13. Both writer and reader access the resource infinitely often. This refers to liveness.
14. If a client attempts to obtain access continuously, then a client succeeds at least once. This refers to fairness.
Visualize behavior of a program (2)
■ Consider a program specification given by the following temporal formula:
■ Visualize the behavior of the program
■ Is there a scenario under which the program will terminate?
Exercises on LTL (4)
Visualizing patterns of behavior:
15. What pattern of behavior does the following temporal formula specify?
Specification case study: resource controller
(2ND HOUR OF THE TUTORIAL)
■ This example of a ‘Parent’ allocating sweets to two children (one called ‘Jack’, the other called ‘Jill’) will introduce the specification of broadcast communication:
• the Parent has a bag of sweets;
• each child wants a sweet, and can ask for one;
• the Parent will only give out one sweet at a time.
■ Provide temporal specifications of the Parent and both children Jack and Jill
Parent specification (1)
■ if Jill asked for a sweet, then Jill will eventually receive one;
■ if Jack asked for a sweet, then Jack will eventually receive one;
■ at most one child can receive a sweet at the start;
■ at most one child can receive a sweet at any moment after that.
Parent specification (2)
■ Let’s define the following propositions:
■ Parent receives communications via asked_jill and asked_jack
■ Parent effectively sends communications through give_jill and give_jack.
Jill specification
■ Jill asks for a sweet initially
■ Jill requests a sweet as often as possible (in every possible state).
■ Jill does not care about communication back from Parent
■ New Proposition:
■ req_jill - true when Jill asks for a sweet.
Jack specification
■ Jack will only make a request for sweets at every second moment in time
■ New Propositions:
■ req_jack - true when Jack asks for a sweet.
■ wait - true when Jack waits
■ Note: wait is an internal proposition and so is not involved in any communication.
Specification of the system
Parent, Jack and Jill together with communications formulae Comms(Jack, Parent) and Comms(Jill, Parent)
■ Pattern of communication:
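As an added worked example (not part of the tutorial slides), the following Python evaluator implements the temporal operators used throughout the tutorial (next, always, eventually, until, unless and the past-time since) over infinite traces written as a finite prefix plus a loop repeated forever, and uses them to check one possible LTL encoding of the Parent, Jill and Jack requirements against constructed traces. The "one sweet at a time" requirement is the same mutual-exclusion safety pattern as exercise 12, and "if asked then eventually given" is the liveness pattern of exercise 13; the SERVER trace illustrates the "up since switched on" example from the More Temporal Logic Operators slides. The encoding in sweets_specs, the instantaneous model of Comms, the trace names and every proposition other than those named on the slides are assumptions of this example.

```python
# Added example (not from the tutorial slides): an evaluator for the LTL operators used
# above over infinite traces written as a finite prefix plus a loop repeated forever.
# All trace names and proposition names beyond those on the slides are constructed here.
from typing import Callable, Dict, List

State = Dict[str, bool]  # one moment in time: proposition name -> truth value

class Trace:
    """Infinite trace s0 s1 s2 ... given as `prefix` followed by `loop` repeated forever."""
    def __init__(self, prefix: List[State], loop: List[State]) -> None:
        assert loop, "the loop must be non-empty so that the trace is infinite"
        self.prefix, self.loop = prefix, loop

    def state(self, i: int) -> State:
        if i < len(self.prefix):
            return self.prefix[i]
        return self.loop[(i - len(self.prefix)) % len(self.loop)]

    def horizon(self, i: int) -> int:
        # Suffixes starting at or after the prefix repeat with period len(loop), so
        # positions i .. horizon(i)-1 contain every distinct future of position i.
        return max(i, len(self.prefix)) + len(self.loop)

Formula = Callable[[Trace, int], bool]  # truth of a formula at position i of a trace

def prop(name: str) -> Formula:
    return lambda tr, i: tr.state(i).get(name, False)

def neg(f: Formula) -> Formula:
    return lambda tr, i: not f(tr, i)

def conj(f: Formula, g: Formula) -> Formula:
    return lambda tr, i: f(tr, i) and g(tr, i)

def implies(f: Formula, g: Formula) -> Formula:
    return lambda tr, i: (not f(tr, i)) or g(tr, i)

def nxt(f: Formula) -> Formula:  # X f: f holds at the next moment
    return lambda tr, i: f(tr, i + 1)

def always(f: Formula) -> Formula:  # G f (box): f holds at every moment from now on
    return lambda tr, i: all(f(tr, j) for j in range(i, tr.horizon(i)))

def eventually(f: Formula) -> Formula:  # F f (diamond): f holds now or at some later moment
    return lambda tr, i: any(f(tr, j) for j in range(i, tr.horizon(i)))

def until(f: Formula, g: Formula) -> Formula:  # f U g: g eventually holds and f holds until then
    def ev(tr: Trace, i: int) -> bool:
        for j in range(i, tr.horizon(i)):
            if g(tr, j):
                return True
            if not f(tr, j):
                return False
        return False  # g never holds in any future of position i
    return ev

def unless(f: Formula, g: Formula) -> Formula:  # f W g ("unless"): f U g, or f holds forever
    return lambda tr, i: until(f, g)(tr, i) or always(f)(tr, i)

def since(f: Formula, g: Formula) -> Formula:  # f S g: g held at some past moment k and
    def ev(tr: Trace, i: int) -> bool:  # f has held at every moment after k up to now
        for k in range(i, -1, -1):  # the past is finite: walk back towards position 0
            if g(tr, k):
                return True
            if not f(tr, k):
                return False
        return False
    return ev

def holds(f: Formula, tr: Trace) -> bool:
    """A trace satisfies a specification when the formula holds at the initial moment."""
    return f(tr, 0)

def sweets_specs() -> Dict[str, Formula]:
    """One possible LTL encoding of the Parent/Jill/Jack requirements (assumed, not the slides')."""
    asked_jill, asked_jack = prop("asked_jill"), prop("asked_jack")
    give_jill, give_jack = prop("give_jill"), prop("give_jack")
    req_jill, req_jack, wait = prop("req_jill"), prop("req_jack"), prop("wait")
    return {
        "parent_serves_jill": always(implies(asked_jill, eventually(give_jill))),  # liveness
        "parent_serves_jack": always(implies(asked_jack, eventually(give_jack))),  # liveness
        "parent_one_at_a_time": always(neg(conj(give_jill, give_jack))),  # mutual exclusion (safety)
        "jill_always_asks": always(req_jill),
        "jack_every_second_moment": conj(req_jack, always(conj(
            implies(req_jack, nxt(wait)), implies(wait, nxt(req_jack))))),
        # Comms assumed instantaneous: a request is seen by Parent in the same moment
        "comms": always(conj(implies(req_jill, asked_jill), implies(req_jack, asked_jack))),
    }

def check(specs: Dict[str, Formula], tr: Trace) -> Dict[str, bool]:
    return {name: holds(f, tr) for name, f in specs.items()}

# Constructed traces: FAIR is a round-robin Parent, GREEDY_JILL a Parent that only serves Jill.
ASK_BOTH = {"req_jill": True, "asked_jill": True, "req_jack": True, "asked_jack": True}
FAIR = Trace([], [dict(ASK_BOTH, give_jill=True),
                  {"req_jill": True, "asked_jill": True, "wait": True, "give_jack": True}])
GREEDY_JILL = Trace([], [dict(ASK_BOTH, give_jill=True),
                         {"req_jill": True, "asked_jill": True, "wait": True, "give_jill": True}])
SERVER = Trace([{"switched_on": True}, {"up": True}], [{"up": True}])  # "up since switched on"
```

Running `check(sweets_specs(), FAIR)` reports every requirement as satisfied, while `check(sweets_specs(), GREEDY_JILL)` reports `parent_serves_jack` as False: Jack asks but is never served, which is how a liveness violation (starvation) shows up. The greedy Parent still satisfies `parent_one_at_a_time`, illustrating that safety and liveness are independent properties. Because the loop makes the trace infinite, `always` and `eventually` keep their intended meaning; on a merely finite trace, "infinitely often" properties such as exercises 10 and 13 could not be evaluated faithfully.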