Linear Time Temporal Logic - PowerPoint PPT Presentation

Slides: 35
Provided by: RAM11


1
Linear Time Temporal Logic
  • Course on Logics for Knowledge Representation and
    Reasoning
  • ICT Int. 2003

2
Outline
  • Temporal Logic
  • LTL formal definition
  • LTL verification
  • CTL vs. LTL
  • Conclusions

3
Temporal Logic

4
History of Temporal Logic
  • Designed by philosophers to study the way that
    time is used in natural language arguments
  • Reviewed by Prior [PR57, PR67]
  • Brought to Computer Science by Pnueli [PN77]
  • Has proved to be useful for specification of
    concurrent systems

5
Representing Concurrent Systems
  • Use a Kripke structure $M = (S, S_0, R, L)$ to represent
    concurrent systems, where
      • $S$: set of all states of the system
      • $S_0$: set of initial states
      • $R$: transition relation between states
      • $L$: a function that associates each state with
        the set of propositions true in that state
  • Temporal logic is used to represent a mechanism
    which relates states of the system

6
Kripke Model
  • Set of states $S = \{q_1, q_2, q_3\}$
  • Set of initial states $S_0 = \{q_1\}$
  • Set of atomic propositions $AP = \{a, b\}$

[Figure: Kripke model diagram with states q1, q2, q3 and state labels a; a,b; b]

7
Fairness
  • Interested in correctness along fair
    computation paths
  • Weak (Büchi) fairness
      • an action cannot be enabled forever without
        being taken
      • necessary for modeling asynchronous models
  • Strong (Streett) fairness
      • an action cannot be enabled infinitely often
        without being taken
      • necessary for modeling synchronous interaction

8
Framework
  • Temporal Logic is a class of Modal Logic
  • Allows qualitatively describing and reasoning
    about changes of the truth values over time
  • Usually implicit time representation
  • Provides variety of temporal operators
    (sometimes, always)
  • Different views of time (branching vs. linear,
    discrete vs. continuous, past vs. future, etc.)

9
Branching versus Linear Time
  • Linear: only one possible future in a moment
      • Look at individual computations
  • Branching: may split to different courses
    depending on possible futures
      • Look at the tree of computations

10
LTL Formal Definition

11
LTL
  • In LTL time is
      • implicit,
      • discrete,
      • has an initial moment with no predecessors, and
      • infinite in the future
  • The model of an LTL formula is an infinite sequence of
    states $\pi = s_0, s_1, s_2, \ldots$

12
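LTL (cont'd)
  • Elements
      • Atomic propositions $AP$
      • Boolean operators $\neg\ \land\ \lor$
      • Temporal operators G F X U R
  • Syntax
      • $\Phi ::= P$
      • $\Phi ::= \neg\Phi \mid \Phi \land \Phi \mid \Phi \lor \Phi$
      • $\Phi ::= G\,\Phi \mid F\,\Phi \mid X\,\Phi \mid \Phi\,U\,\Phi \mid \Phi\,R\,\Phi$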

13
Semantic Intuition
  • G f - always f
  • F f - eventually f
  • X f - next state
  • f U r - until
  • f R r - releases

14
Semantics
  • Semantics is given with respect to a path
      • $\pi = s_0 s_1 s_2 \ldots$
  • Suffix of the trace starting at $s_i$
      • $\pi^i = s_i s_{i+1} s_{i+2} \ldots$
  • A system satisfies an LTL formula f if each path
    through the system satisfies f.

15
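Semantics (cont'd)
  • $\pi \models a$ iff $a \in s_0$
  • $\pi \models \neg\varphi$ iff not $\pi \models \varphi$
  • $\pi \models \varphi \land \psi$ iff $\pi \models \varphi$ and $\pi \models \psi$
  • $\pi \models \varphi \lor \psi$ iff $\pi \models \varphi$ or $\pi \models \psi$
  • $\pi \models X\,\varphi$ iff $\pi^1 \models \varphi$
  • $\pi \models F\,\varphi$ iff exists $i \ge 0$: $\pi^i \models \varphi$
  • $\pi \models G\,\varphi$ iff for all $i \ge 0$: $\pi^i \models \varphi$
  • $\pi \models \varphi\,U\,\psi$ iff exists $i \ge 0$: $\pi^i \models \psi$
    and for all $0 \le j < i$: $\pi^j \models \varphi$
  • $\pi \models \varphi\,R\,\psi$ iff for all $j \ge 0$, if for
    every $i < j$ not $\pi^i \models \varphi$ then $\pi^j \models \psi$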

16
LTL Identities
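  • $G\,\varphi \equiv \neg F\,\neg\varphi$
  • $F\,\varphi \equiv (\mathit{true}\ U\ \varphi)$
  • $\varphi\,R\,\psi \equiv \neg(\neg\varphi\ U\ \neg\psi)$
  • Every LTL formula f can be rewritten using only
    operators $\neg$, $\lor$, X, U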
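
The satisfaction rules and the identities above can be evaluated mechanically on ultimately periodic words (a finite prefix followed by a loop repeated forever). The following Python is an added example, not part of the original slides; the tuple encoding of formulas, the names `sat` and `models`, and the sample words are assumptions made for illustration.

```python
def sat(f, word, loop):
    """Positions i of the lasso word (word[-1] steps back to index `loop`)
    whose suffix pi^i satisfies f. Formulas are nested tuples, e.g. ("U", g, h)."""
    n, everywhere = len(word), set(range(len(word)))
    nxt = lambda i: i + 1 if i + 1 < n else loop
    rec = lambda g: sat(g, word, loop)
    op = f[0]
    if op == "true":
        return everywhere
    if op == "ap":                       # pi |= a iff a in s0
        return {i for i in everywhere if f[1] in word[i]}
    if op == "not":
        return everywhere - rec(f[1])
    if op == "and":
        return rec(f[1]) & rec(f[2])
    if op == "or":
        return rec(f[1]) | rec(f[2])
    if op == "X":                        # pi |= X g iff pi^1 |= g
        inner = rec(f[1])
        return {i for i in everywhere if nxt(i) in inner}
    if op == "U":                        # least fixpoint: h now, or g now and (g U h) next
        hold, goal = rec(f[1]), rec(f[2])
        z = set(goal)
        while True:
            grown = z | {i for i in hold if nxt(i) in z}
            if grown == z:
                return z
            z = grown
    if op == "F":                        # F g = true U g
        return rec(("U", ("true",), f[1]))
    if op == "G":                        # G g = not F not g
        return rec(("not", ("F", ("not", f[1]))))
    if op == "R":                        # g R h = not(not g U not h)
        return rec(("not", ("U", ("not", f[1]), ("not", f[2]))))
    raise ValueError(f"unknown operator {op!r}")

def models(word, loop, f):
    """True iff the infinite word word[:loop] (word[loop:])^omega satisfies f."""
    return 0 in sat(f, word, loop)

P, Q = ("ap", "p"), ("ap", "q")
# Constructed sample words: one set of atomic propositions per position.
W1 = [{"p"}, set(), {"q"}, {"p", "q"}]   # {p} {} {q} ({p,q})^omega, loop = 3
W2 = [{"p"}, {"q"}]                      # ({p} {q})^omega, loop = 0
```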

17
LTL Verification

18
State Sequences as Words
  • Let AP be the finite set of atomic propositions
    of the formula f.
  • Let $\Sigma = 2^{AP}$ be the alphabet over AP.
  • Every sequence of states is an $\omega$-word in $\Sigma^\omega$
      • $\alpha = P_0, P_1, P_2, \ldots$ where $P_i = L(s_i)$.
  • A word $\alpha$ is a model of formula f iff $\alpha \models f$
  • Example for f p ?(q U q) p,,q,p,q?
  • Let Mod(f) denote the set of models of f.
  • Automata theory: automata are computational
    devices to determine whether a word belongs to
    a language.

19
Automata Theory
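  • Automaton $A = (Q, \Sigma, \delta, I, F)$
      • $Q$: set of states
      • $\Sigma$: finite alphabet
      • $\delta$: transition relation
      • $I$: set of initial states
      • $F$: set of acceptance states
  • A run $\rho$ of $A$ on an $\omega$-word $\alpha$
      • $\rho = q_0, q_1, q_2, \ldots$ s.t. $q_0 \in I$ and $(q_i, \alpha_i, q_{i+1}) \in \delta$
  • The run $\rho$ is accepting if
      • $\mathrm{Inf}(\rho) \cap F \ne \emptyset$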

20
Automata for LTL Formula
  • Generalized Büchi Automaton (GBA) $A$ is
      • $A = (Q, \Sigma, \delta, I, FT)$, where $FT$ is
      • $FT = \langle F_1, F_2, \ldots, F_k \rangle$
  • A run $\rho$ is accepting if $\mathrm{Inf}(\rho) \cap F_i \ne \emptyset$
    for every $1 \le i \le k$
  • The set of models Mod(f) of formula f is $\omega$-regular
    and we can construct a GBA $A$ for the formula s.t.
      • $Mod(f) = L(A(f))$, where $L(A(f))$ is the language
        accepted by the automaton $A$

21
Automata Construction
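  • The closure $CL(f)$ of the formula f is the smallest set of
    formulas containing f and satisfying
      • $\neg\varphi \in CL(f)$ iff $\varphi \in CL(f)$
      • If $\varphi \lor \psi \in CL(f)$ then $\varphi, \psi \in CL(f)$
      • If $X\,\varphi \in CL(f)$ then $\varphi \in CL(f)$
      • If $\neg X\,\varphi \in CL(f)$ then $X\,\neg\varphi \in CL(f)$
      • If $\varphi\,U\,\psi \in CL(f)$ then $\varphi, \psi, X(\varphi\,U\,\psi) \in CL(f)$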

22
Automata Construction (cont'd)
  • An atom is a maximal locally consistent subset of
    CL(f).
  • A set $A \subseteq CL(f)$ is an atom iff
      • $\varphi \in A$ iff $\neg\varphi \notin A$
      • $\varphi \lor \psi \in A$ iff $\varphi \in A$ or $\psi \in A$
      • $\varphi\,U\,\psi \in A$ iff $\psi \in A$ or ($\varphi \in A$ and $X(\varphi\,U\,\psi) \in A$)
  • AT(f) is the set of atoms.

23
Automata Construction (cont'd)
  • Construct an automaton $A = (Q, \Sigma, \delta, I, FT)$ for a
    given formula f
      • $Q = AT$
      • For $A, B \in AT$ and $P \in \Sigma$, $(A, P, B) \in \delta$ iff
          • $A \cap AP = P$
          • For all $X f_1 \in CL(f)$: $X f_1 \in A$ iff $f_1 \in B$
      • $I = \{A \in AT \mid f \in A\}$
      • Let formulas $f_1\,U\,\psi_1, \ldots, f_k\,U\,\psi_k$ be all Until
        formulas in CL(f). Then $FT = (F_1, F_2, \ldots, F_k)$, where
          • $F_i = \{A \in AT \mid f_i\,U\,\psi_i \notin A \text{ or } \psi_i \in A\}$
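
The closure, atom and automaton definitions from the three construction slides, written out as an added Python example (not code from the presentation). It handles formulas over ¬, ∨, X and U only; the nested-tuple encoding, the function names and the sample formula p U q are assumptions.

```python
from itertools import product

def neg(g):
    """Negation with ¬¬φ identified with φ."""
    return g[1] if g[0] == "not" else ("not", g)

def closure(f):
    """CL(f) for formulas ("ap", p), ("not", g), ("or", g, h), ("X", g), ("U", g, h)."""
    cl, todo = set(), [f]
    while todo:
        g = todo.pop()
        if g in cl:
            continue
        cl.add(g)
        todo.append(neg(g))                    # ¬φ ∈ CL(f) iff φ ∈ CL(f)
        if g[0] in ("or", "U"):
            todo += [g[1], g[2]]
        if g[0] == "U":
            todo.append(("X", g))              # X(φ U ψ) ∈ CL(f)
        if g[0] == "X":
            todo.append(g[1])
        if g[0] == "not" and g[1][0] == "X":
            todo.append(("X", neg(g[1][1])))   # ¬Xφ ∈ CL(f) gives X¬φ ∈ CL(f)
    return cl

def atoms(cl):
    """All maximal locally consistent subsets of CL(f), as frozensets."""
    pos = [g for g in cl if g[0] != "not"]
    found = []
    for bits in product([False, True], repeat=len(pos)):
        a = {g if b else neg(g) for g, b in zip(pos, bits)}   # exactly one of φ, ¬φ
        if all((g[0] != "or" or (g in a) == (g[1] in a or g[2] in a)) and
               (g[0] != "U" or (g in a) == (g[2] in a or (g[1] in a and ("X", g) in a)))
               for g in pos):
            found.append(frozenset(a))
    return found

def gba(f):
    """Return (Q, delta, I, FT) of the generalized Büchi automaton for f."""
    cl = closure(f)
    at = atoms(cl)
    aps = {g[1] for g in cl if g[0] == "ap"}
    letter = lambda a: frozenset(p for p in aps if ("ap", p) in a)   # A ∩ AP = P
    step = lambda a, b: all((g in a) == (g[1] in b) for g in cl if g[0] == "X")
    delta = {(a, letter(a), b) for a in at for b in at if step(a, b)}
    init = {a for a in at if f in a}
    table = [{a for a in at if u not in a or u[2] in a} for u in cl if u[0] == "U"]
    return at, delta, init, table

P_UNTIL_Q = ("U", ("ap", "p"), ("ap", "q"))   # constructed sample formula: p U q
```

For p U q this yields 16 atoms, 10 of them initial, and a single acceptance set of 14 atoms. Atoms that contain both or neither of X(p U q) and X¬(p U q) have no successors.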

24
Model Checking Algorithm
  • To check whether the LTL formula f is valid over a
    fair Kripke structure $K = (S, R, S_0, L, FT)$, perform
    the following steps
      • Build a GBA $A(K)$ over $\Sigma = 2^{AP}$ as follows
          • $Q = S$, $I = S_0$, acceptance table is $FT$
          • $(s, P, s') \in \delta$ iff $(s, s') \in R$ and $L(s) \cap AP = P$
      • Build an automaton $A(f)$ for the formula f
      • $K \models f$ iff $L(A(K)) \subseteq L(A(f))$
  • Complexity $O(|K| \cdot 2^{|f|})$

25
LTL vs CTL [Vardi02]

26
Comparison
  • Different views of time: branching versus linear
  • Incomparable expressive power
      • FGp is not expressible in CTL
      • AGEFp is not expressible in LTL
  • Performance
      • CTL runs in time $O(|P| \times |f|)$
      • LTL runs in time $O(|P| \times 2^{O(|f|)})$ and space
        $O((|f| + \log |P|)^2)$
  • CTL characterizes bisimulation
  • CTL is more used in industry

27
Disadvantages of CTL
  • CTL is unintuitive and difficult to use
  • In most important cases complexity is comparable
    to LTL or even worse (reactive systems,
    hierarchical systems)
  • Hardly applicable for compositional verification
    and semi-formal verification
  • On formulas which are expressible in both LTL and CTL
    performance is equal or may be made equal
  • Bisimulation is about structure while we are
    interested in behaviors

28
Advantages of LTL
  • LTL is more natural for verification
  • Suits well for compositional and semi-formal
    verification
  • Allows application of different techniques for
    state-space reduction
  • Uniform approach for model treatment (language
    containment and automata theory)
  • Bounded model checking

29
Disadvantages of LTL
  • For compositional reasoning, the specification
    language should be as expressive as the modeling
    language
  • BUT! LTL cannot express finite-state systems
  • Corollary: LTL is too weak
  • We need a more expressive temporal specification
    language

30
Solutions
  • ETL [VW94]: extension with temporal connectives
    representing $\omega$-automata
  • Linear µ-calculus [BB87]: extended LTL with
    fixpoint operators
  • QPTL [SVW87]: extension of LTL with quantification
    over propositional variables
  • FTL by Intel [Armoni02]

31
Conclusions
  • LTL is better suited to verification of concurrent
    reactive systems
  • CTL can be used as a back-end for linear-time model
    checkers
  • The linear-time model checking technology is
    still an open issue

32
References