Presentation is loading. Please wait.

Presentation is loading. Please wait.

Formal Methods in software development

Published byΜόνιμος Ζάνος Modified over 6 years ago

Similar presentations

Presentation on theme: "Formal Methods in software development"— Presentation transcript:

1 Formal Methods in software development
a.y.2017/2018 Prof. Anna Labella 1/17/2019

2 LTL: what is expressible
Safety properties G ¬  Liveness properties GF or G(F) 1/17/2019

3 LTS: Automata without terminal states
Semantics: transition systems Abstract models: states and transitions LTS: Automata without terminal states Kripke structures ®  S  S 1/17/2019

4 LTL Characterising linear time G ((G )  (G))  (GG)
,  Lefthand holds, righthand does not 1/17/2019

5 LTL: what is expressible
1/17/2019

6 LTL: what is not expressible
1/17/2019

7 Infinite computation tree for initial state s1
Computation Trees: labelled TS a b ac s1 s3 s1 s2 a b ac State transition structure (Kripke Model) Infinite computation tree for initial state s1 1/17/2019

8 Linear time and Branching time
Linear: only one possible future in a moment Look at individual computations Branching: may split to different courses depending on possible futures Look at the tree of computations s0 s2 s3 s1 s0 s1 s3 s2 ... s0 s2 s3 s1 ... 1/17/2019

9 Operators and Quantifiers
State operators G f : f holds globally F f : f holds eventually X f : f holds at the next state f U y : f holds until y holds f W y : f holds until y possibly holds Path quantifiers E: along at least one path (there exists …) A: along all paths (for all …) 1/17/2019

10 CTL characterisation Temporal operators must be immediately preceded by a path quantifier 1/17/2019

11 Typical CTL Formulas E F ( start  ¬ ready ) A G ( req  A F ack )
eventually a state is reached where start holds and ready does not hold A G ( req  A F ack ) any time request occurs, it will be eventually acknowledged A G ( E F restart ) from any state it is possible to get to the restart state 1/17/2019

12 CTL semantics E X (f) A X (f) E G (f) A G (f)
true in state s if f is true in some successor of s (there exists a next state of s for which f holds) A X (f) true in state s if f is true for all successors of s (for all next states of s f is true) E G (f) true in s if f holds in every state along some path emanating from s (there exists a path ….) A G (f) true in s if f holds in every state along all paths emanating from s (for all paths ….globally ) 1/17/2019

13 E F, A F are special cases of E [f Uy], A [f Uy]
E F (y) there exists a path which eventually contains a state in which y is true A F (y) for all paths, eventually there is state in which y holds E F (f U y) there exists a path where (f U y) is true A F (f U y) for all paths (f U y) is true E F, A F are special cases of E [f Uy], A [f Uy] E F (y) = E [ true U y ], A F (y) = A [ true U y ] 1/17/2019

14 CTL Operators - examples
so |= E F y y so so y so |= A F y y so |= E G y y so so |= A G y so y y 1/17/2019

15 Minimal set of CTL Formulas
Full set of operators Boolean: ¬, , , ,  temporal: E, A, X, F, G, U, W Minimal set sufficient to express any CTL formula Boolean: ¬,  temporal: E, X, U Examples: f  y = ¬(¬f  ¬y), F f = true U f , A (f ) = ¬E(¬f ) 1/17/2019

16 CTL* – Computation Tree Logic
Path quantifiers - describe branching structure of the tree A (for all computation paths) E (for some computation path = there exists a path) Temporal operators - describe properties of a path through the tree X (next time, next state) F (eventually, finally) G (always, globally) U (until) W (weak until) 1/17/2019

17 CTL* Formulas Temporal logic formulas are evaluated w.r.to a state in the model State formulas apply to a specific state Path formulas apply to all states along a specific path 1/17/2019

18 CTL* Syntax An atomic proposition p is a state formula
A state formula is also a path formula If f, y are state formulae, so are ¬f, fy, fy, If a is a path formula, E a is a state formula If a, b are path formulae, so are ¬a, ab , ab If a, b are path formulae, so are X a, aUb 1/17/2019

19 Summing up (CTL*) 1/17/2019

20 CTL* Semantics If formula f holds at state s (path ), we write: s |= f ( |= a) s |= p, p is an atomic formula, iff p  L(s) [label of s] s |= ¬ f, iff s |≠ f s |= f y, iff s |= f and s |= y s |= E f, iff   from state s, s.t.  |= f  |= ¬ a, iff  |≠ a  |= a b, iff  |= a and  |= b  |= X a, iff 1 |= a (a reachable in next state)  |= a U b, iff  |= a until  |= b 1/17/2019

21 CTL – Computational Tree Logic
CTL* - a powerful branching-time temporal logic CTL – a branching-time fragment of CTL* In CTL every temporal operator (G,F,X,U,W) must be immediately preceded by a path quantifier (A,E) We need both state formulae and path formulae to recursively define the logic 1/17/2019

22 More expressivity in CTL than in LTL?
Quantifying on paths In LTL formulas are always quantified through A 1/17/2019

23 LTL: blocks of operators must be thought as preceded by A always
Linear time operators. The following are a complete set ¬f , fy , Xf, f U y Others can be derived f  y  ¬(¬f  ¬y) f y  ¬f y F f  (true U f) G f (f U false) 1/17/2019

24 CTL: what is expressible? 1
1/17/2019

25 CTL: what is expressible? 2
1/17/2019

26 Expressivity of LTL and CTL
Safety G ( c1 c2) Liveness G (ti Fci) Safety AG ( c1 c2) Liveness AG (ti AFci) 1/17/2019

27 LTL and CTL LTL (Linear Temporal Logic) - Reasoning about infinite sequence of states π: s0, s1, s2, … CTL (Computation Tree Logic) – Reasoning on a computation tree. Temporal operators are immediately preceded by a path quantifier (e.g. A F p ) CTL vs. LTL – different expressive power EFp is not expressible in LTL FGp is not expressible in CTL 1/17/2019

28 Comparing logics 1/17/2019

29 Comparing logics 1/17/2019

30 Exercises 1/17/2019

31 Exercises 1/17/2019

32 LTL: what does hold (exercises)
G ()  (G  G ) G   F  G  X X  F G  F X() ≅ X X 1/17/2019

Download ppt "Formal Methods in software development"

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.

Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
1 Computation Tree Logic (CTL). 2 CTL Syntax P - a set of atomic propositions, every p  P is a CTL formula. f, g, CTL formulae, then so are  f, f 

1 Computation Tree Logic (CTL). 2 CTL Syntax P - a set of atomic propositions, every p  P is a CTL formula. f, g, CTL formulae, then so are  f, f 
François Fages MPRI Bio-info 2007 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraint Programming.

François Fages MPRI Bio-info 2007 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraint Programming.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.

François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.

Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
卜磊 Transition System. Part I: Introduction  Chapter 0: Preliminaries  Chapter 1: Language and Computation Part II: Models  Chapter.

卜磊 Transition System. Part I: Introduction  Chapter 0: Preliminaries  Chapter 1: Language and Computation Part II: Models  Chapter.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.
Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.

Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.

Similar presentations

Ads by Google