1. Formal Methods in software development
a.a.2018/2019
Prof. Anna Labella
5/16/2019

2. Temporal logic Let us want to express the following properties
x ((file(x) requested(x)) y (y≥a  print(x,y))
y (y≥a  works(x))
The constant a as well as the variable y, of type “time”
If a file is requested to be printed, eventually it will be printed
After an amount a of time, x will begin to work
5/16/2019

3. Temporal logic One could use typed variables and first order logic
making a distinction between temporal and dominion references
Or one can use modal operators
x ((file(x) requested(x))  F print(x))
G works(x))
F means eventually
G means always
5/16/2019

4. Some hypotheses on temporal structure
Discrete/ Continuous
Linear / Branching
5/16/2019

5. LTL: syntax Warning: Operators not connectives
They bind more tightly than connectives
5/16/2019

6. Exercises
5/16/2019

7. LTL: syntax It would be possible to introduce a proof theory for LTL,
but we are not interested in it because we are going to
to use LTL in Model Checking.
[see Ben Ari]
5/16/2019

8. Semantics: transition systems
Abstract models: states and transitions
LTS: Automata without terminal states
(Kripke structures)
A set S of states
with a relation ®  S  S
s.t. for every s there is s’, (s,s’)  ®
with a labeling function
L: S ® finite sets of coherent literals
5/16/2019

9. LTL: semantics
We are dealing with paths intended as an infinite series of states
States or paths? States are starting points of paths
suffixes of paths are still paths
5/16/2019

10. LTL: semantics (satisfaction)
5/16/2019

11. LTL: satisfiability

12. Semantics: examples  |=  O-----O-----O-----O-----O , ’  …
, ’  …
5/16/2019

13. Semantics of G and F Semantics of G:  |= G p Semantics of F:  |= F p
O-----O-----O-----O-----O----
p p p p p
Semantics of F:  |= F p
O-----O-----O-----O-----O p
5/16/2019

14. Semantics of X and U Semantics of X: 1 |= X p 1 2 |= p
Semantics of U:  |= p U q
j|= p
i |= q 
5/16/2019

15. Semantics: more examples
a modal formula can be true or false in a path
e.g. in this trace: O-----O-----O-----O-----O------…..
pq p¬q p¬q pq pq …
p ∨ ¬q true: is true in the first state of the trace
X¬q true, because q is false in the second state
XXq false, because q is false in the third state
Gp true, because p is true in all states
Gq false, because q is not true in all states (it is true only in some states)
5/16/2019

16. Semantics: more examples
in the same trace: O-----O-----O-----O-----O------…..
pq p¬q p¬q pq pq …
GFq true: for all states of the sequence, there is some future point where q is true
pU¬q true: p is true until ¬q becomes true; (in the first state p is true, then ¬q becomes true)
qUXXq true: in the first state q is true, in the second state XXq is true (because q is true two states later)
G(pUXXq) not straightforward to check: all states have to be checked for qUXXq in turn, check XXq in all states
5/16/2019

17. Exercises
5/16/2019

18. LTL: equivalences

19. LTL: definability F  ≅ T U  “eventually” G  ≅  W  “always”
U ≅ (W)  (F) “until”
W ≅ (U)  (G) “until possibly”
5/16/2019

20. LTL
“next” operator
5/16/2019

21. LTL: what does hold (exercises)
G ()  (G  G )
G 
 F 
G  X
X  F
G  F
X() ≅ X X
5/16/2019

22. LTL: reductions (transitivity on paths) G   GG while
GG   G is always valid
5/16/2019

23. LTL An internal induction rule w.r.t. time   X G(  X ) (  G )
5/16/2019

24. Exercises
5/16/2019