Semantically Equivalent Formulas Let Φ and ψ be formulas of propositional logic. We say that Φ and ψ are semantically equivalent iff Φ ╞ ψ ψ ╞ Φ hold. In that case we write Φ ≡ ψ. Further, we call Φ valid if ╞ Φ holds.

Examples of equivalent formulas p → q ≡ ¬p  q p → q ≡ ¬q → ¬p p  q → p ≡ r  ¬r p  q → r ≡ p → (q →r)

Lemma Given propositional logic formulas Φ1, Φ2, …, Φn, ψ, we have iff ╞ Φ1 →(Φ2 → (Φ3 → … → (Φn → ψ)))

Literal A literal is either an atom p or the negation of an atom ¬p.

Conjunctive Normal Form (CNF) A formula Φ is in conjunctive normal form (CNF) if it is of the form ψ1  ψ2  ….  ψn for some n ≥ 1, such that ψi is a literal, or a disjunction of literal, for all 1 ≤ i ≤ n.

Examples for CNF formulas (¬q  p  r)  (¬p  r)  q (p  r)  (¬p  r)  (p  ¬r)

Lemma A disjunction of literals L1  L2  ….  Lm is valid (i.e., ╞ L1  L2  ….  Lm) iff there are 1 ≤ i, j ≤ m such that Li is ¬Lj.

Satisfiable formulas Given a formula Φ in a propositional logic, we say that Φ is satisfiable if there exists an assignment of truth values to its propositional atoms such that Φ is true.

Proposition Let Φ be a formula of propositional logic. Then Φ is satisfiable iff ¬Φ is not valid.

Φ is Φ1  Φ2: return CNF(Φ1)  CNF(Φ2) function CNF(Φ) /* pre-condition: Φ implication free and in NNF*/ /* post-condition: CNF(Φ) computes an equivalent CNF for Φ */ begin function case Φ is a literal : return Φ Φ is Φ1  Φ2: return CNF(Φ1)  CNF(Φ2) Φ is Φ1  Φ2: return DISTR(CNF(Φ1), CNF(Φ2) ) end case end function

η1 is η11  η12 : return DISTR(η11 , η2)  DISTR(η12 , η2) function DISTR(η1, η2): /* pre-condition: η1 and η2 are in CNF */ /* post-condition: DISTR(η1, η2) computes a CNF for η1 η2 */ begin function case η1 is η11  η12 : return DISTR(η11 , η2)  DISTR(η12 , η2) η2 is η21  η22 : return DISTR(η1 , η21)  DISTR(η1 , η22) otherwise (= no conjunction): return η1 η2 end case end function

function NNF(Φ) /* pre-condition: Φ is implication free */ /* post-condition: NNF(Φ) computes a NNF for Φ */ begin function case Φ is a literal : return Φ Φ is ¬¬Φ1 : return NNF(Φ1) Φ is Φ1  Φ2 : return NNF(Φ1)  NNF(Φ2) Φ is Φ1  Φ2 : return NNF(Φ1)  NNF(Φ2) Φ is ¬(Φ1  Φ2) : return NNF(¬Φ1  ¬Φ2) Φ is ¬(Φ1  Φ2) : return NNF(¬Φ1  ¬Φ2) end case end function

Φ = ¬p  q → p  (r → q) IMPL_FREE Φ = ¬ IMPL_FREE (¬p  q )  IMPL_FREE (p (r → q)) = ¬((IMPL_FREE ¬p )  (IMPL_FREE q ))  IMPL_FREE (p (r → q)) = ¬((¬p )  IMPL_FREE q )  IMPL_FREE (p (r → q)) = ¬ (¬p  q )  IMPL_FREE (p (r → q)) = ¬ (¬p  q )  ((IMPL_FREE (p)  IMPL_FREE (r → q)) = ¬ (¬p  q )  (p  IMPL_FREE (r → q)) = ¬ (¬p  q )  (p  (¬ (IMPL_FREE r)  IMPL_FREE (q))) = ¬ (¬p  q )  (p  (¬ r  IMPL_FREE (q))) = ¬ (¬p  q )  (p  (¬ r  q))

IMPL_FREE Φ = ¬ (¬p  q )  (p  (¬ r  q)) NNF (IMPL_FREE Φ ) = NNF (¬ (¬p  q ))  NNF (p  (¬ r  q)) = NNF (¬ (¬p )  ¬q ))  NNF (p  (¬ r  q)) = (NNF (¬¬p ))  (NNF (¬q ))  NNF (p  (¬ r  q)) = (p  (NNF (¬q )))  NNF (p  (¬ r  q)) = (p  ¬q )  NNF (p  (¬ r  q)) = (p  ¬q )  ((NNF p)  (NNF (¬ r  q))) = (p  ¬q )  ( p  (NNF (¬ r  q))) = (p  ¬q )  ( p  ((NNF (¬ r))  (NNF q))) = (p  ¬q )  ( p  (¬ r  (NNF q))) = (p  ¬q )  ( p  (¬ r  q))

NNF (IMPL_FREE Φ) = (p  ¬q )  ( p  (¬ r  q)) CNF(NNF (IMPL_FREE Φ)) = CNF ((p  ¬q )  ( p  (¬r  q))) = DISTR ( CNF (p  ¬q ), CNF (p  (¬ r  q))) = DISTR (p  ¬q , CNF (p  (¬ r  q))) = DISTR (p  ¬q , p  (¬ r  q)) = DISTR (p  ¬q , p)  DISTR (p  ¬q , ¬ r  q) = (p  ¬q  p)  DISTR (p  ¬q , ¬ r  q) = (p  ¬q  p)  (p  ¬q  ¬ r  q)

Horn Formula Φ is a formula Φ of propositional logic if it is of the form ψ1  ψ2 ...  ψn for some n ≥ 1 such that ψi is of the form p1  p2 ...  pki → qi for some ki ≥ 1, where p1, p1, …, pki, qi are atoms, ┴ or T. We call such ψi a Horn clause.

Examples of Horn formulas (p  q  s → p)  (q  r → p)  (p  s → s) (p  q  s → ┴)  (q  r → p)  (T → s) (p2  p3  p5 → p13) (T→ p2)  (p5  p11 → ┴)

Examples of non-Horn formulas (p  q  s → ¬p)  (q  r → p)  (p  s → s) (p  q  s → ┴)  (¬q  r → p)  (T → s) (p2  p3  p5 → p13  p27)  (T→ p2)  (p5  p11 → ┴) (p2  p3  p5 → p13 ) (T→ p2)  (p5  p11  ┴)

function HORN(Φ) /* Pre-condition : Φ is a Horn formula*/ /* Post-condition : HORN(Φ) decides the satisfiability for Φ */ begin function mark all atoms p where T → p is a sub-formula of Φ; while there is a sub-formula p1  p2 ...  pki → qi of Φ such that all pj are marked but qi is not do if qi ≡ ┴ then return ‘unsatisfiable’ else mark qi for all such subformulas end while return ‘satisfiable’ end function

Theorem The algorithm HORN is correct for the satisfiability decision problem of Horn formulas and has no more than n cycles in its while-loop if n is the number of atoms in Φ. HORN always terminates on correct input.

Kripke structure Let AP be a set of atomic propositions. A Kripke structure M over AP is a four tuple M= (S, S0, R, L) where S is a finite set of states S0 S is the set of initial states. R S × S is a transition relation that must be total, that is for every state s S there is a state s’ S such that R (s, s’). L: S  2 AP is a function that labels each state with the set of atomic proposition in that state. A path in the structure M from a state s is an infinite sequence of states ω = s0 s1 s2 … such that s0 = s and R (si, si+1) holds for all i ≥ 0.

First order representation of Kipke structures We use interpreted first order formulas to describe concurrent systems. We use usual logical connectives (and , or , implies , not , and so on) and universal ( ) and existential ( ) quantifications. Let V = {v1, …, vn} be the set of system variables. We assume that the variables in V range over a finite set D. A valuation for V is a function that associated a value in D with each variable v in V. Thus, s is a valuation for V when s: V  D. A state of a concurrent system can be viewed as a valuation for the set of its variables V. Let V’ = {v’1, …, v’n}. We think of the variables in V as present state variables and the variables in V’ as next state variables.

First order representation of Kipke structures Let M = (S, S0, R, L) be a Kripke structure. S is the set of all valuations for all variables of the system which can be described by a proposition S. Usually, S = True. The set of initial states S0 can be described by a proposition (on the set of variables) S0. R can be described by a proposition R such that for any two states s and s’, R(s, s’) holds if R evaluates to True when each variable v is assigned the value s(v) and each variable v’ is assigned the value s(v’). The labeling function L:S  2AP is defined so that L(s) is the subset of all atomic propositions true in s which can be described by some appropriate proposition.

A simple example We consider a simple system with variables x and y that range over D = {0, 1}. Thus, a valuation for the variables x and y is just a pair (d1, d2) D × D where d1 is the value for x and d2 is the value for y. The system consists of one transition x := (x +y) mod 2, Which starts from the state in which x = 1 and y = 1.

A simple example with transition x := (x +y) mod 2 S = True S0 (x, y) ≡ x = 1  y = 1 R (x, y, x’, y’) ≡ x’ = (x +y) mod 2  y’ = y

A simple example with transition x := (x +y) mod 2 The Kripke structure M = (S, S0, R, L) for this system is simply: S = D × D. S0 = {(1,1)} R = {((1,1), (0,1)), ((0,1), (1,1)), ((1,0), (1,0)), ((0,0), (0,0))}. L(1,1) = {x =1, y = 1}, L(0,1) = {x =0, y = 1}, L(1,0) = {x =1, y = 0}, L(0,0) = {x =0, y = 0}. The only path in the Kripke structure that starts in the initial state is (1,1) (0,1) (1,1) (0,1) ….

Concurrent systems A concurrent system consists of a set of components that execute together. Normally, the components have some means of communicating with each other.

Modes of execution We will consider two modes of execution: Asynchronous or interleaved execution, in which only one component makes a step at a time, and synchronous execution, in which all of the components make a step at the same time

Modes of communication We will also distinguish three modes of communication. Components can either communicate by changing the value of shared variables or by exchanging messages using queues or some handshaking protocols.

A modulo 8 counter

Synchronous circuit A modulo 8 counter The transitions of the circuit are given by v’0 = v0 v’1 = v0 v1 v’2 = (v0  v1) v2 R0 (v, v’) ≡ (v’0 ↔ v0) R1 (v, v’) ≡ (v’1 ↔ v0 v1) R2 (v, v’) ≡ (v’2 ↔ (v0  v1) v2) R (v, v’) ≡ R0 (v, v’)  R1 (v, v’)  R2 (v, v’)

Synchronous circuit General case Let V = {v0, …., vn-1} and V’ = {v’0, …., v’n-1} Let v’i = fi (V), 1= 0, …, n-1. Define Ri (v, v’) ≡ ( v’i ↔ fi (V)). Then, the transition relation can be described as R (v, v’) ≡ R0 (v, v’)  …  Rn-1 (v, v’).

Asynchronous circuit General case In this case, the transition relation can be described as R (v, v’) ≡ R0 (v, v’)  …  Rn-1 (v, v’), Where Ri (v, v’) ≡ ( v’i ↔ fi (V)) j ≠ i (v’j ↔ vj )).

Example Let V = {v0, v1}, v’0 = v0 v1 and v’1 = v0 v1. Let s be a state with v0 = 1  v1 = 1. For the synchronous model, the only successor of s is the state v0 = 0  v1 = 0. For the asynchronous model, the state s has two successors: 1. v0 = 0  v1 = 1 ( the assignment to v0 is taken first). 2. v0 = 1  v1 = 0 ( the assignment to v1 is taken first).

Labeled program Given a statement P, the labeled statement PL is defined as follows: If P is not a composite statement then P = PL. . If P = P1; P2 then PL = P1L ; l’’ : P2L. If P = if b then P1 else P2 end if, then PL = if b then l1 : P1L else l2 : P2L end if. If P = while b do P1 end while, then PL = while b do l1 : P1L end while.

Some assumptions We assume that P is a labeled statement and that the entry and exit points of P are labeled by m and m’, respectively. Let pc be a special variable called the program counter that ranges over the set of program labels and an additional value ┴ called the undefined value. Let V denote the set of program variables, V’ the set of primed variables for V, and pc’ the primed variables for pc. Let same (Y) = y ε Y (y’ = y).

The set of initial states of P Given some condition pre (V) on the initial variables for P, S0 (V, pc) ≡ pre (V)  pc = m.

The transition relation for P C (l, P, l’) describes the set of transitions in P as a disjunction of all transitions in the set. Assignment: C ( l, v ← e, l’) ≡ pc = l  pc’ = l’  v’ = e  same (V \ {v}) Skip: C ( l, skip, l’) ≡ pc = l  pc’ = l’  same (V) Sequential composition: C ( l, P1; l’’ : P2, l’) ≡ C ( l, P1, l’’)  C ( l’’, P2, l’)

The transition relation for P (continued) Conditional: C (l, if b then l1: P1 else l2 : P2 end if, l’) is the disjunction of the following formulas: pc = l  pc’ = l1  b  same (V) pc = l  pc’ = l2  b  same (V) C (l1, P1, l’) C (l2, P2, l’)

The transition relation for P (continued) While: C (l, while b do l1 : P1 end while, l’) is the disjunction of the following formulas: pc = l  pc’ = l1  b  same (V) pc = l  pc’ = l’  b  same (V) C (l1, P1, l)

Concurrent programs A concurrent program consists of a set of processes that can be executed in parallel. A process is a sequential program. Let Vi be the set of variables that can be changed by process Pi. V is the set of all program variables. pci is the program counter of process Pi. PC is the set of all program counters. A concurrent program has the form cobegin P1 || P2 … || Pn coend where P1, …, Pn are processes.

Labeling transformation We assume that no two labels are identical and that the entry and exit points of P are labeled m and m’, respectively. If P = cobegin P1 || P2 … || Pn coend, then PL = cobegin l1 : P1L l’1 || l2 : P2L l’2 || … || ln : PnL l’n coend.

The set of initial states of P S0 (V, pc) ≡ pre (V)  pc = m  i = 1, … n (pci = ┴ )

The transition relation for P C (l, cobegin l1 : P1L l’1 || … || ln : PnL l’n coend, l’) Is the disjunction of three formulas: pc = l  pc’1 = l1  …  pc’n = ln  pc’ = ┴ pc = ┴  pc1 = l’1  …  pcn = l’n  pc’ = l’  i = 1, … n (pc’i = ┴) i = 1, … n (C (li, Pi, l’i)  (same (V \ Vi)  same (PC \ {pci}))

Shared variables Wait: Lock (v) (= wait (v = 0)): Unlock (v): C (l, wait (b), l’) is a disjunction of the following two formulas: (pci = l  pc’i = l  b  same (Vi)) (pci = l  pc’i = l’  b  same (Vi)) Lock (v) (= wait (v = 0)): C (l, lock (v), l’) is a disjunction of the following two formulas: (pci = l  pc’i = l  v = 1  same (Vi)) (pci = l  pc’i = l’  v = 0  v’ = 1  same (Vi \ {v})) Unlock (v): C (l, unlock (v), l’) ≡ pci = l  pc’i = l’  v’ = 0  same (Vi \ {v})

A simple mutual exclusion program P = m: cobegin P0 || P1 coend m’ P0 :: l0 : while True do NC0 : wait (turn = 0); CR0 : turn :=1; end while; l’0 P1 :: l1 : while True do NC1 : wait (turn = 1); CR1 : turn := 0; l’1

Kripke structure pc takes values in the set { m, m’, ┴ }. pci takes values in the set { li, l’i, NCi, CRi, ┴ }. V = V0 = V1 = {turn}. PC = {pc, pc0, pc1}.

The set of initial states of P S0 (V, PC) ≡ pc = m  pc0 = ┴  pc1 = ┴.

The transition relation for P R (V, PC, V’, PC’) is the disjunction of the following four formulas: pc = m  pc’0 = l0  pc’1 = l1  pc’ = ┴. pc0 = l’0  pc1 = l’1  pc’ = m’  pc’0 = ┴  pc’1 = ┴. C (l0, P0, l’0)  same (pc, pc1). C (l1, P1, l’1)  same (pc, pc0).

The transition relation of Pi For each process Pi, C (li, Pi, l’i) is the disjunction of: pci = li  pc’i = NCi  True  same (turn) pci = NCi  pc’i = CRi  turn = i  same (turn) pci = CRi  pc’i = li  turn’ = (i+1) mod 2 pci = NCi  pc’i = NCi  turn ≠ i  same (turn) pci = li  pc’i = l’i  False  same (turn)

turn = 0 turn = 1 CR1, l0 ┴, ┴ l1, NC0 l0, NC1 l0, l1 CR0, l1 NC0, NC1 CR1, NC0 CR0, NC1 turn = 1 CR1, l0 ┴, ┴ NC0, NC1 l1, NC0 l0, NC1 l0, l1 CR0, l1

Syntax of Computational Tree Logic (CTL) Φ ::= ┴ | T | p | (¬Φ) | (Φ  Φ) | (Φ  Φ) | (Φ → Φ) | AX Φ | EX Φ | A[Φ U Φ] | E[Φ U Φ] | AG Φ | EG Φ | AF Φ | EG Φ where p ranges over atomic formulas.

Convention The unary connectives (consisting of ¬ and the temporal connectives AG, EG, AF, AX and EX) bind most tightly. Next in the order come  and ; and after that come → , AU and EU.

Some examples of well-formed CTL formulas (EG r) AG (q → EG r) (AG q) → (EG r) EF E[r U q] A[p U EF r] EF EG p → AF r (EF EG p) → AF r EF EG (p → AF r)

Some examples of not well-formed CTL formulas FG r A ¬G¬p F[r U q] EF (r U q) AEF r AF [(r U q)  (p U q)]

CTL Subformulas Definition: A subformula of a CTL formula Φ is any formula ψ whose parse tree is a subtree of Φ‘s parse tree.

The parse tree for A[AX ¬p U E[EX (p  q) U ¬p]] AU AX EU ¬ EX ¬  p p p q

Semantics of Computational Tree Logic (CTL) Let M = (S, R, L) be a Kripke structure. Given any state s in S, we define whether a CTL formula Φ holds in state s. We denote this by M, s ╞ Φ, where ╞ is the satisfaction relation.

The satisfaction relation ╞ is defined by structural induction on all CTL formulas: M, s ╞ T and ¬(M, s ╞ ┴) for all s ε S. M, s ╞ p iff p ε L(s). M, s ╞ ¬Φ iff ¬(M, s ╞ Φ). M, s ╞ Φ1  Φ2 iff M, s ╞ Φ1 and M, s ╞ Φ2. M, s ╞ Φ1  Φ2 iff M, s ╞ Φ1 or M, s ╞ Φ2. M, s ╞ Φ1 → Φ2 iff ¬(M, s ╞ Φ1) or M, s ╞ Φ2. M, s ╞ AX Φ iff for all s1 such that (s, s1) ε R, we have M, s1 ╞ Φ . Thus, AX says: ‘in every next state’. M, s ╞ EX Φ iff for some s1 such that (s, s1) ε R, we have M, s1 ╞ Φ . Thus, EX says: ‘in some next state’.

The satisfaction relation ╞ is defined by structural induction on all CTL formulas: (continued) M, s ╞ AG Φ iff for all paths s1 s2 s3 … where s1 equals s, and all si along the path, we have such that (si, si+1) ε R, we have M, si ╞ Φ . Thus, AG says: ‘for all computation paths beginning s the property Φ holds globally’. M, s ╞ EG Φ iff there is a path s1 s2 s3 … where s1 equals s, and all si along the path, we have such that (s, s1) ε R, we have M, si ╞ Φ . Thus, AG says: ‘there exists a computation path beginning s such that Φ holds globally along the path’. M, s ╞ AF Φ iff for all paths s1 s2 s3 … where s1 equals s, there is some si such that M, si ╞ Φ. Thus, AF says: ‘for all computation paths beginning in s there will be some future state where Φ holds’.

The satisfaction relation ╞ is defined by structural induction on all CTL formulas: (continued) M, s ╞ EF Φ iff there is a path s1 s2 s3 … where s1 equals s, and for some si along the path, we have M, si ╞ Φ. Thus, EF says: ‘there exists a computation path beginning in s such that Φ holds in some future state’. M, s ╞ A[Φ1 U Φ2] iff for all paths s1 s2 s3 … where s1 equals s, that path satisfies Φ1 U Φ2, i.e., there is some si along the path, such that M, si ╞ Φ2, and, for each j < i, we have M, sj╞ Φ1. Thus, A[Φ1 U Φ2] says: ‘all computation paths beginning in s satisfy that Φ1 until Φ2 holds on it’. M, s ╞ E[Φ1 U Φ2] iff there is a path s1 s2 s3 … where s1 equals s, and that path satisfies Φ1 U Φ2, i.e., there is some sj along the path, such that M, si ╞ Φ2, and, for each j < i, we have M, sj ╞ Φ1. Thus, E[Φ1 U Φ2] says: ‘there exists a computation path beginning in s such that Φ1 until Φ2 holds on it’.

A system whose starting state satisfies EF Φ

A system whose starting state satisfies EG Φ

A system whose starting state satisfies AG Φ

A system whose starting state satisfies AF Φ

Some examples for the following system M: p, q s0 M, s0 ╞ p  q M, s0 ╞ ¬r M, s0 ╞ T M, s0 ╞ EX (q  r) M, s0 ╞ ¬AX (q  r) M, s0 ╞ ¬EF (p  r) M, s2 ╞ EG r M, s2 ╞ AG r M, s0 ╞ AF r M, s0 ╞ E[(p  q) U r] M, s0 ╞ A[p U r] q, r r s1 s2

Other examples for CTL logic It is possible to get a state where started holds but ready does not hold: EF (started  ¬ready) For any state, if a request (of some resource) occurs, then it will eventually be acknowledged: AG (requested → AF acknowledged) A certain process is enabled indefinitely often on every computation path: AG (AF enabled) Whatever happens, a certain process will eventually be permanently deadlocked: AF (AG deadlocked)

Other examples for CTL logic (continued) From any state it is possible to get a restart state: AG (EF restart) An upwards traveling elevator at the second floor does not change its direction when it has passengers wishing to go to the fifth floor: AG (floor=2  direction=up  ButtonPressed5 → A[direction=up U floor=5]) The elevator can remain idle on the third floor with its doors closed: AG (floor=3  idle  door=closed → EG (floor=3  idle  door=closed))

Semantically equivalent CTL formulas Definition: Two CTL formulas Φ and ψ are said to be semantically equivalent if any state in any Kripke structure which satisfies one of them also satisfies the other; we denote this by Φ ≡ ψ.

Important equivalences between CTL formulas ¬AF Φ ≡ EG ¬Φ ¬EF Φ ≡ AG ¬Φ ¬AX Φ ≡ EX ¬Φ AF Φ ≡ A[T U Φ] EF Φ ≡ E[T U Φ] A[p U q] ≡ ¬(E[¬q U (¬p  ¬q)]  EG ¬q)

Theorem: The set of operators ┴, ¬ and  together with AF, EU and EX are adequate for CTL: any CTL formula can be transformed into a semantically equivalent CTL formula which uses only those logical connectives.

Other interesting equivalences AG Φ ≡ Φ  AX AG Φ EG Φ ≡ Φ  EX EG Φ AF Φ ≡ Φ  AX AF Φ EF Φ ≡ Φ  EX EF Φ A[Φ U ψ] ≡ ψ  (Φ  AX A[Φ U ψ]) E[Φ U ψ] ≡ ψ  (Φ  EX E[Φ U ψ])

Example: mutual exclusion When concurrent processes share a resource, it may be necessary to ensure that they do not have access to it at the same time. We therefore identify certain critical sections of each process code and arrange that only one process can be in its critical section at a time. The problem we are faced with is to find a protocol for determining which process is allowed to enter its critical section at which time.

Some expected properties for mutual exclusion Safety: The protocol allows only one process to be in its critical section at a time. Liveness: Whenever any process wants to enter its critical section, it will eventually be permitted to do so. Non-blocking: A process can always request to enter its critical section. No strict sequencing: Processes need not enter their critical section in strict sequence.

A simple example of two processes n = a process is in a non-critical state t = a process tries to enter in its critical section c = a process is in its critical section

A first-attempt model for mutual exclusion n1n2 s1 s5 n1t2 t1n2 t1t2 n1c2 s2 c1n2 s3 s6 c1t2 t1c2 s4 s7

CTL formulas for the system properties Safety: Φ1 = AG ¬(c1  c2). (o.k.) Liveness: Φ2 = AG (t1 → AF c1). (not o.k.) because there exists a computation path, namely, s1 → s3 → s7 → s1 →… on which c1 is always false. Non-blocking: Φ3= AG (n1 → EX t1). (o.k.) No strict sequencing: EF (c1  E[c1 U (¬c1  E[¬c2 U c1])]). (o.k.)

A second-attempt model for mutual exclusion n1n2 s1 s5 n1t2 t1n2 t1t2 t1t2 n1c2 s2 c1n2 s3 s6 s9 c1t2 t1c2 s4 s7

Syntax of Linear-time temporal logic (LTL) Definition: Linear-time temporal logic (LTL) has the following syntax given in Backus Naur form Φ ::= p | (¬Φ) | (Φ  Φ) | (Φ U Φ) | (G Φ)| (F Φ)| (X Φ) where p is any propositional atom.

Semantics of Linear Tree Logic (LTL) Let M = (S, R, L) be a Kripke structure. Given a path σ = s1 s2 s3 … in M, where s1 is the initial state, and for all si along the path, such that (si, si+1) ε R, we define whether a LTL formula Φ holds in the path σ denoted as M, σ ╞ Φ, where ╞ is the satisfaction relation. Let σi = si si+1 ... denote the suffix of σ starting at si.

The satisfaction relation ╞ is defined by structural induction on all of LTL formulas: M, σ ╞ T and ¬(M, s ╞ ┴) for all s ε S. M, σ ╞ p iff p ε L(s1). M, σ ╞ ¬Φ iff ¬(M, σ ╞ Φ). M, σ ╞ Φ1  Φ2 iff M, σ ╞ Φ1 and M, σ ╞ Φ2. M, σ ╞ X Φ iff M, σ2 ╞ Φ, M, σ ╞ G Φ iff, for all i ≥ 1, M, σi ╞ Φ, M, σ ╞ F Φ iff, for some i ≥ 1, M, σi ╞ Φ, M, σ ╞ Φ U ψ iff, there is some i ≥ 1 such that M, σi ╞ ψ and for all j = 1 … i-1 we have M, σj ╞ Φ.

Semantically equivalent LTL formulas Definition: Two LTL formulas Ф and ψ are semantically equivalent, writing as Ф ≡ ψ, if they are true for the same paths in each model. An LTL formula Ф is satisfied in a state s of a model if Ф is satisfied in every path starting at s.

Some semantically equivalent LTL formulas G Ф ≡ ¬F ¬Ф F Ф ≡ ¬G ¬Ф F(Ф  ψ) ≡ F Ф  F ψ G(Ф  ψ) ≡ G Ф  G ψ Ф U ψ ≡ ¬(¬ ψ U (¬Ф  ¬ψ))  F ψ

Syntax of CTL* The CTL* formulas are divided into two classes: state formulas, which are evaluated in states: Φ ::= p | T | (¬Φ) | (Φ  Φ) | A[α] | E[α], path formulas, which are evaluated along paths: α ::= Φ | (¬α) | (α  α) | (α U α) | (G α) | (F α) | (X α) where Φ is any state formula.

LTL and CTL as subsets of CTL* Although the syntax of LTL does not include A and E, the semantic viewpoint of LTL is that we consider all paths. Therefore, the LTL formula α is equivalent to the CTL* formula A[α] CTL is the fragment of CTL* in which we restrict the form of path formulas to α ::= (Φ U Φ) | (G Φ) | (F Φ) | (X Φ).

Example of in CTL but not in LTL: ψ1 = AG EF p Whenever we have got to, we can always get back to a state in which p is true. This is useful, e.g., in finding deadlocks in protocols. M M’ s t s ¬p p ¬p

Example of in CTL*, but neither in CTL nor in LTL: ψ2 = E[GF p] Saying, there is a path with infinitely many p.

Example of in LTL but not in CTL: ψ3 = AG (p → F q) Saying that if there are infinitely many p along the path, then there is an occurrence of q. This is an interesting thing to be able to say,; for example, many fairness constraints are of the form ‘infinitely often requested implies eventually acknowledged’.

Example of in LTL and CTL: ψ4 = AG (p → AF q) in CTL, or G (p → F q) in LTL Saying, any p is eventually followed by a q.

Example G p and AF AG p are not semantically equivalent, since FG p is satisfied, whereas AF AG p is not satisfied, in the model p ¬p p

weak until W The formula A[p W q] is true in a state if, along all paths from that state, p is true from the present state until the first state in which q is true, if any. In particular, if there is no q state on a path, then p needs to hold for all states of that path.

weak until W (continued) In LTL and CTL*, weak Until may be defined in terms of the ordinary Until, as follows: p W q ≡ (p U q)  G p For CTL, we have: E[p W q] ≡ E[p U q]  EG p A[p W q] ≡ ¬E[¬q U ¬(p  q)]