Formal Methods in software development a.a.2018/2019 Prof. Anna Labella 5/16/2019

Temporal logic Let us want to express the following properties x ((file(x) requested(x)) y (y≥a  print(x,y)) y (y≥a  works(x)) The constant a as well as the variable y, of type “time” If a file is requested to be printed, eventually it will be printed After an amount a of time, x will begin to work 5/16/2019

Temporal logic One could use typed variables and first order logic making a distinction between temporal and dominion references Or one can use modal operators x ((file(x) requested(x))  F print(x)) G works(x)) F means eventually G means always 5/16/2019

Some hypotheses on temporal structure Discrete/ Continuous Linear / Branching 5/16/2019

LTL: syntax Warning: Operators not connectives They bind more tightly than connectives 5/16/2019

Exercises 5/16/2019

LTL: syntax It would be possible to introduce a proof theory for LTL, but we are not interested in it because we are going to to use LTL in Model Checking. [see Ben Ari] 5/16/2019

Semantics: transition systems Abstract models: states and transitions LTS: Automata without terminal states (Kripke structures) A set S of states with a relation ®  S  S s.t. for every s there is s’, (s,s’)  ® with a labeling function L: S ® finite sets of coherent literals 5/16/2019

LTL: semantics We are dealing with paths intended as an infinite series of states States or paths? States are starting points of paths suffixes of paths are still paths 5/16/2019

LTL: semantics (satisfaction) 5/16/2019

LTL: satisfiability

Semantics: examples  |=  O-----O-----O-----O-----O , ’  … , ’  … 5/16/2019

Semantics of G and F Semantics of G:  |= G p Semantics of F:  |= F p O-----O-----O-----O-----O---- p p p p p Semantics of F:  |= F p O-----O-----O-----O-----O---- p 5/16/2019

Semantics of X and U Semantics of X: 1 |= X p 1 2 |= p Semantics of U:  |= p U q j|= p i |= q  5/16/2019

Semantics: more examples a modal formula can be true or false in a path e.g. in this trace: O-----O-----O-----O-----O------….. pq p¬q p¬q pq pq … p ∨ ¬q true: is true in the first state of the trace X¬q true, because q is false in the second state XXq false, because q is false in the third state Gp true, because p is true in all states Gq false, because q is not true in all states (it is true only in some states) 5/16/2019

Semantics: more examples in the same trace: O-----O-----O-----O-----O------….. pq p¬q p¬q pq pq … GFq true: for all states of the sequence, there is some future point where q is true pU¬q true: p is true until ¬q becomes true; (in the first state p is true, then ¬q becomes true) qUXXq true: in the first state q is true, in the second state XXq is true (because q is true two states later) G(pUXXq) not straightforward to check: all states have to be checked for qUXXq in turn, check XXq in all states 5/16/2019

Exercises 5/16/2019

LTL: equivalences

LTL: definability F  ≅ T U  “eventually” G  ≅  W  “always” U ≅ (W)  (F) “until” W ≅ (U)  (G) “until possibly” 5/16/2019

LTL “next” operator 5/16/2019

LTL: what does hold (exercises) G ()  (G  G ) G   F  G  X X  F G  F X() ≅ X X 5/16/2019

LTL: reductions (transitivity on paths) G   GG while GG   G is always valid 5/16/2019

LTL An internal induction rule w.r.t. time   X G(  X ) (  G ) 5/16/2019

Exercises 5/16/2019