
Formal Software Development And Verification Methods

Software Engineering Semester-V


LECTURE-4: Linear Temporal Logics-I

Mr. Waqas Ali

Department of Computer Science


University Of Engineering and Technology, Lahore|New Campus

September 27, 2022 Thursday


Outline

1 Objectives

2 Reference Books

3 Review

4 LTL: A Few Examples

5 Semantics of LTL
Course Objective

Verified hardware and software is one of the grand challenges of computer science. As the complexity of systems increases and as computers pervade our day-to-day activities, verification of systems ranging from cell phones to medical equipment to aircraft software to secure programs has become a vibrant and important field. The field of verification is almost as old as computer science; some concepts, such as the Floyd-Hoare style of verification, are more than 40 years old. And yet the field has become a vibrant area of research only in the last 20 years, and has matured in this period so much that hardware verification is routinely done in industry, and software verification tools such as Microsoft's SDV (and SLAM) are at the level where they can be deployed automatically to check software. All this has been based on a few fundamental techniques and tools, which we will learn in this course.
Course Contents

Finite models and model checking: modelling using finite models, reachability algorithms. Specification logics: LTL on finite words; automata-theoretic model-checking algorithms; the SMV tool; description logic. Dataflow analysis of programs without recursion. Handling recursion: pushdown models, reachability (using games!), dataflow analysis. Symbolic methods for reachability: Binary Decision Diagrams (BDDs), operations on BDDs, the SMV tool, CTL and symbolic CTL model checking; mu-calculus. Software verification: the Floyd-Hoare method for verifying code, invariant verification using automatic theorem provers, satisfiability solvers (SAT solvers); bounded model checking and testing. Abstraction-based model checking, miscellaneous topics, decidable logics and an overview of available theorem provers, predicate abstraction and abstract interpretation, handling heaps, concurrency.
Today's Objective

1 Linear Temporal Logic: its syntax and semantics

2 Some examples of modelling in LTL
Review

LTL semantics: intuitions

Intuitive Semantics Of Temporal Modalities

[Figure: timeline diagrams of the intuitive semantics of ⃝, ♢, □ and U along a path; not reproduced in this text]
Next ⃝, until U and eventually ♢

Three ways of saying that an attempt to send is followed by a delivery, from strongest to weakest:

1 □(try_to_send → ⃝delivered): delivery happens in the very next step.

2 □(try_to_send → try_to_send U delivered): the attempt persists until delivery, and delivery does occur.

3 □(try_to_send → ♢delivered): delivery occurs at some later point, with no constraint on when.
neXt Operator

This operator constrains the next moment in time.

((x = 0) ∧ add 3) ⇒ ⃝(x = 3)


Finally or Eventually

♢φ: φ will be true either now or at some point in the future; we cannot be sure exactly when.

sad ⇒ ♢happy
send ⇒ ♢receive
Some Examples: Safety Properties

Safety Properties

Something bad will never happen.

Example: Safety Properties

1 Safety: it never happens that a train is arriving and the bar is up
G(¬(train_arriving ∧ bar_up))
OR
□(¬(train_arriving ∧ bar_up))

2 The temperature must not be greater than 1200
□¬(reactorTemp > 1200)

3 It never happens that x = 0 now and, three steps later, z is divided by x
□¬((x = 0) ∧ ⃝⃝⃝(y = z/x))
Some Examples: Liveness Properties

Liveness Properties

Something good will eventually happen.

Example: Liveness Properties

1 Liveness: if input, then eventually output
G(input → Foutput)
OR
□(input → ♢output)

2 x eventually exceeds 5
♢(x > 5)

3 Every start is eventually followed by termination
□(start ⇒ ♢terminate)

4 A process that is trying to enter its critical section eventually does so
□(trying ⇒ ♢Critical)
Some Examples: Fairness

Fairness Properties

Often only really useful when scheduling processes or responding to messages.

Example: Fairness Properties

1 Fairness: "infinitely often send"
GFsend
OR
□♢send
Strong Fairness Properties

If something is attempted/requested infinitely often, then it will be successful/allocated infinitely often.

Example: Strong Fairness Properties

1 Infinitely often send implies infinitely often recv:
GFsend → GFrecv
OR
□♢send → □♢recv

2 A process that is ready infinitely often runs infinitely often:
□♢ready ⇒ □♢run
Equivalences in LTL Temporal Operators

Equivalences in LTL

The temporal operators □ and ♢ are duals:
¬□φ ≡ ♢¬φ   and   ¬♢φ ≡ □¬φ

♢ (and then □) can be rewritten in terms of U:
♢φ ≡ ⊤ U φ
□φ ≡ ¬♢¬φ ≡ ¬(⊤ U ¬φ)

U and ⃝ Representation

All the temporal operators can be rewritten using only the "Until" and "Next" operators (together with the Boolean connectives).
Distributive Laws for Temporal Operators

1 ♢ distributes over ∨
♢(φ ∨ ψ) ≡ ♢φ ∨ ♢ψ

2 □ distributes over ∧
□(φ ∧ ψ) ≡ □φ ∧ □ψ

Note that ♢ does not distribute over ∧ and □ does not distribute over ∨: ♢(φ ∧ ψ) requires φ and ψ to hold at the same moment, whereas ♢φ ∧ ♢ψ does not.
Negation Normal Form

The following equivalences are useful for generating formulas in negation normal form (negation applied only to atomic propositions):

¬⃝φ ≡ ⃝¬φ

¬(φ U ψ) ≡ (¬ψ U (¬φ ∧ ¬ψ)) ∨ □¬ψ


LTL Semantics: Intuitions

LTL is given by standard Boolean logic enhanced with the following temporal operators, which are interpreted along paths ⟨s0, s1, ..., sk, ...⟩:

1 "Next" X: Xφ is true in s_t iff φ is true in s_{t+1}
2 "Finally" (or "eventually") F: Fφ is true in s_t iff φ is true in some s_{t′} with t′ ≥ t
3 "Globally" (or "henceforth") G: Gφ is true in s_t iff φ is true in all s_{t′} with t′ ≥ t
4 "Until" U: φUψ is true in s_t iff, for some state s_{t′} with t′ ≥ t:
  1 ψ is true in s_{t′}, and
  2 φ is true in all states s_{t″} with t ≤ t″ < t′
5 "Releases" R: φRψ is true in s_t iff, for all states s_{t′} with t′ ≥ t:
  1 ψ is true in s_{t′}, or
  2 φ is true in some state s_{t″} with t ≤ t″ < t′
  i.e. ψ can become false only after φ has become true (and ψ holds forever if φ never does).
LTL Formal Semantics

1 LTL properties are evaluated over paths, i.e. over infinite, linear sequences of states:

π = s0 → s1 → · · · → s_t → s_{t+1} → . . .

2 Given an infinite sequence π = s0, s1, s2, . . .
  1 π, s_i ⊨ φ if φ is true in state s_i of π.
  2 π ⊨ φ if φ is true in the initial state s0 of π.

3 The LTL model-checking problem M ⊨ φ:
• check whether π ⊨ φ for every path π of the Kripke structure M

Example

φ = Fdone
[Figure: an example Kripke structure whose paths are checked against φ = Fdone; not reproduced in this text]
LTL Formal Semantics

LTL Semantics Over Infinite Words

LTL semantics for infinite words over 2^AP:

π, s_i ⊨ a iff a ∈ L(s_i)
π, s_i ⊨ ¬φ iff π, s_i ⊭ φ
π, s_i ⊨ φ ∧ ψ iff π, s_i ⊨ φ and π, s_i ⊨ ψ
π, s_i ⊨ Xφ iff π, s_{i+1} ⊨ φ
π, s_i ⊨ Fφ iff for some j ≥ i: π, s_j ⊨ φ
π, s_i ⊨ Gφ iff for all j ≥ i: π, s_j ⊨ φ
π, s_i ⊨ φUψ iff for some j ≥ i: (π, s_j ⊨ ψ and for all k with i ≤ k < j: π, s_k ⊨ φ)
Example: Semantics of LTL

[Figure: transition system with states s1, s2, s3; initial states s1 and s3; L(s1) = {a, b}, L(s2) = {a, b}, L(s3) = {a}; s2 is the only successor of s1, s3 ∈ Post(s2) and s3 ∈ Post(s3)]

AP = {a, b}
e.g. TS ⊨ □a (or TS ⊨ Ga): all states are labelled with a.
Thus, s_i ⊨ □a for i = 1, 2, 3.
s1 ⊨ ⃝(a ∧ b) since s2 ⊨ a ∧ b and s2 is the only successor of s1.
s2 ⊭ ⃝(a ∧ b) and s3 ⊭ ⃝(a ∧ b), as s3 ∈ Post(s2), s3 ∈ Post(s3) and s3 ⊭ a ∧ b.
TS ⊭ ⃝(a ∧ b), as s3 is an initial state for which s3 ⊭ ⃝(a ∧ b).
Another Example

Same transition system as above (initial states s1 and s3; L(s1) = L(s2) = {a, b}, L(s3) = {a}; the path (s1 s2)^ω shows that s2 → s1 is also a transition).

TS ⊨ □(¬b → □(a ∧ ¬b))
since s3 is the only ¬b state, a ∧ ¬b holds in s3, and every path from s3 stays in s3.
However,
TS ⊭ b U (a ∧ ¬b)
since the initial path (s1 s2)^ω does not visit a state in which a ∧ ¬b holds.

Note

(s1 s2)* s3^ω satisfies b U (a ∧ ¬b).
Practical properties in LTL

Reachability
• simple reachability ♢ψ
• conditional reachability φ U ψ
Safety
• invariant □φ
Liveness
• □(φ ⇒ ♢ψ) and others
Fairness
• □♢φ and others
Length of a Formula

Let |φ| denote the length of LTL formula φ in terms of the number of operators in φ.

Example
1 For instance, the formulas true and a ∈ AP have length 0.
2 The formulas ⃝a ∨ b and a ∨ ¬b have length 2, and
3 (⃝a) U (a ∧ ¬b) has length 4.
Semantics over Words

Words(φ): the language that contains all infinite words over the alphabet 2^AP that satisfy φ.

1 To every LTL formula a single LT property is associated.
2 Then the semantics is extended to an interpretation over
  1 paths and
  2 states of a transition system.
Semantics over Words

Let φ be an LTL formula over AP. The LT property induced by φ is

Words(φ) = {σ ∈ (2^AP)^ω | σ ⊨ φ}

where ⊨ ⊆ (2^AP)^ω × LTL is the smallest relation with the properties that follow, and
1 for σ = A0 A1 A2 · · · ∈ (2^AP)^ω,
2 σ[j...] = A_j A_{j+1} A_{j+2} . . . is the suffix of σ starting in the (j+1)st symbol A_j.

NOTE
Note that in the definition of the semantics of LTL formulae the word fragment σ[j...] cannot be replaced with A_j: the temporal operators look at the whole suffix, not at a single letter.
LTL Semantics for infinite words over 2^AP

Semantics over Words

σ ⊨ true
σ ⊨ a iff a ∈ A0 (i.e. A0 ⊨ a)
σ ⊨ φ1 ∧ φ2 iff σ ⊨ φ1 and σ ⊨ φ2
σ ⊨ ¬φ iff σ ⊭ φ
σ ⊨ ⃝φ iff σ[1..] = A1 A2 A3 . . . ⊨ φ
σ ⊨ φ1 U φ2 iff ∃j ≥ 0: σ[j..] ⊨ φ2 and σ[i..] ⊨ φ1 for all 0 ≤ i < j

Derived operators:
σ ⊨ Fψ iff ∃j ≥ 0: σ[j..] ⊨ ψ
σ ⊨ Gψ iff ∀j ≥ 0: σ[j..] ⊨ ψ
σ ⊨ GFψ iff ∀j ≥ 0 ∃i ≥ j: σ[i..] ⊨ ψ   (ψ holds infinitely often)
σ ⊨ FGψ iff ∃j ≥ 0 ∀i ≥ j: σ[i..] ⊨ ψ   (ψ holds from some point on)
Semantics over paths, states, and transition systems

Semantics over States & Paths

Let TS = (S, Act, T, I, AP, L) be a transition system and φ an LTL formula over AP.

1 For an infinite path π of TS, the trace of π is the word of labels of the states along the path; π satisfies φ iff its trace does:

π ⊨ φ iff trace(π) ⊨ φ

2 A state s ∈ S satisfies φ iff all paths starting from s satisfy φ:

s ⊨ φ iff ∀π ∈ Paths(s): π ⊨ φ

3 A transition system satisfies φ iff φ holds from all initial states:

TS ⊨ φ iff Traces(TS) ⊆ Words(φ) iff ∀s0 ∈ I: s0 ⊨ φ


Semantics for ♢ and □

σ ⊨ ♢φ iff ∃j ≥ 0: σ[j..] ⊨ φ
σ ⊨ □φ iff ∀j ≥ 0: σ[j..] ⊨ φ

The statement for ♢ is immediate from the definition ♢φ = true U φ and the semantics of U.
The statement for □ follows from □φ = ¬♢¬φ:

σ ⊨ □φ = ¬♢¬φ iff ¬∃j ≥ 0: σ[j . . . ] ⊨ ¬φ
iff ¬∃j ≥ 0: σ[j . . . ] ⊭ φ
iff ∀j ≥ 0: σ[j . . . ] ⊨ φ
Semantics of Negation

For paths (words) it holds that σ ⊨ ¬φ iff σ ⊭ φ, since

Words(¬φ) = (2^AP)^ω \ Words(φ)

Semantics of Negation

However, the statements TS ⊭ φ and TS ⊨ ¬φ are not equivalent in general. Instead, we have

TS ⊨ ¬φ ⇒ TS ⊭ φ

(provided Traces(TS) ≠ ∅, i.e. TS has an initial state and no terminal states). Note that

TS ⊭ φ iff Traces(TS) ⊄ Words(φ)
iff Traces(TS) \ Words(φ) ≠ ∅
iff Traces(TS) ∩ Words(¬φ) ≠ ∅

whereas TS ⊨ ¬φ requires Traces(TS) ⊆ Words(¬φ): every trace must violate φ, not just one.
Semantics of Negation

TS satisfies neither φ nor ¬φ if there are paths π1 and π2 in TS such that

π1 ⊨ φ and π2 ⊨ ¬φ
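The following Python program is an added worked example, not code from the lecture or from its references. It implements the word semantics of the preceding slides over ultimately periodic words σ = prefix · cycle^ω (such a word has only finitely many distinct suffixes, so the quantifiers in ♢, □, U and R can be decided by a bounded search), uses that evaluator to check the duality, distributive and negation-normal-form equivalences from the earlier slides against a systematic sample of words, and replays the transition-system example: the initial path (s1 s2)^ω refutes b U (a ∧ ¬b) while s1 s2 s3^ω satisfies it, which is exactly why the transition system satisfies neither the formula nor its negation. The formula encoding, the Word class, the sample-word generator and the transition relation reconstructed from the example text (s1 → s2, s2 → s1, s2 → s3, s3 → s3) are assumptions of this example.

```python
from itertools import combinations, product

# Formulas: an atomic proposition is a string, everything else is an operator tuple
# (this encoding, the Word class and the sample data are constructed for this example).
TRUE = ('true',)
def Not(f): return ('not', f)
def And(f, g): return ('and', f, g)
def Or(f, g): return ('or', f, g)
def Implies(f, g): return Or(Not(f), g)
def X(f): return ('X', f)          # next (circle)
def F(f): return ('F', f)          # eventually (diamond)
def G(f): return ('G', f)          # globally (box)
def U(f, g): return ('U', f, g)    # until
def R(f, g): return ('R', f, g)    # release

class Word:
    """An infinite word A0 A1 A2 ... over 2^AP, given as prefix . cycle^omega."""
    def __init__(self, prefix, cycle):
        assert len(cycle) > 0, "an infinite word needs a non-empty cycle"
        self.prefix = [frozenset(a) for a in prefix]
        self.cycle = [frozenset(a) for a in cycle]

    def letter(self, j):           # A_j
        n = len(self.prefix)
        return self.prefix[j] if j < n else self.cycle[(j - n) % len(self.cycle)]

    def horizon(self, j):
        # Past the prefix, suffixes repeat with the cycle length, so every sigma[k..] with
        # k >= j equals some sigma[k'..] with j <= k' < horizon(j): F, G, U, R become finite.
        return max(j, len(self.prefix)) + len(self.cycle)

def sat(word, phi, j=0):
    """sigma[j..] |= phi, one clause per operator as on the semantics slides."""
    if isinstance(phi, str): return phi in word.letter(j)       # a  iff  a in A_j
    op = phi[0]
    if op == 'true': return True
    if op == 'not': return not sat(word, phi[1], j)
    if op == 'and': return sat(word, phi[1], j) and sat(word, phi[2], j)
    if op == 'or': return sat(word, phi[1], j) or sat(word, phi[2], j)
    if op == 'X': return sat(word, phi[1], j + 1)                # sigma[j+1..] |= phi
    ks = range(j, word.horizon(j))
    if op == 'F': return any(sat(word, phi[1], k) for k in ks)  # exists k >= j
    if op == 'G': return all(sat(word, phi[1], k) for k in ks)  # for all k >= j
    if op == 'U':   # exists k >= j: psi at k, and phi at every i with j <= i < k
        return any(sat(word, phi[2], k) and all(sat(word, phi[1], i) for i in range(j, k))
                   for k in ks)
    if op == 'R':   # for all k >= j: psi at k, or phi at some i with j <= i < k
        return all(sat(word, phi[2], k) or any(sat(word, phi[1], i) for i in range(j, k))
                   for k in ks)
    raise ValueError(f"unknown operator {op!r}")

def nnf(phi):
    """Negation normal form via the slides' equivalences (plus the standard rule for R)."""
    if isinstance(phi, str): return phi
    if phi[0] != 'not': return (phi[0],) + tuple(nnf(g) for g in phi[1:])
    f = phi[1]
    if isinstance(f, str) or f[0] == 'true': return phi         # literal: nothing to push
    op, args = f[0], f[1:]
    if op == 'not': return nnf(args[0])                                  # ¬¬φ ≡ φ
    if op == 'and': return Or(nnf(Not(args[0])), nnf(Not(args[1])))
    if op == 'or': return And(nnf(Not(args[0])), nnf(Not(args[1])))
    if op == 'X': return X(nnf(Not(args[0])))                            # ¬○φ ≡ ○¬φ
    if op == 'F': return G(nnf(Not(args[0])))                            # ¬◇φ ≡ □¬φ
    if op == 'G': return F(nnf(Not(args[0])))                            # ¬□φ ≡ ◇¬φ
    p, q = args
    if op == 'U':   # ¬(φ U ψ) ≡ (¬ψ U (¬φ ∧ ¬ψ)) ∨ □¬ψ
        return Or(U(nnf(Not(q)), And(nnf(Not(p)), nnf(Not(q)))), G(nnf(Not(q))))
    if op == 'R': return U(nnf(Not(p)), nnf(Not(q)))                    # ¬(φ R ψ) ≡ ¬φ U ¬ψ
    raise ValueError(f"unknown operator {op!r}")

def sample_words(ap=('a', 'b'), max_prefix=1, max_cycle=2):
    """Every prefix.cycle^omega over 2^AP within the size bounds (100 words by default)."""
    letters = [frozenset(c) for r in range(len(ap) + 1) for c in combinations(ap, r)]
    return [Word(prefix, cycle)
            for n in range(max_prefix + 1) for prefix in product(letters, repeat=n)
            for c in range(1, max_cycle + 1) for cycle in product(letters, repeat=c)]

def equivalent_on(words, f, g):
    """Same truth value on every sampled word: refutes an equivalence, never proves one."""
    return all(sat(w, f) == sat(w, g) for w in words)

# The slides' transition system as far as its text determines it (assumption): initial
# states s1, s3; L(s1) = L(s2) = {a, b}, L(s3) = {a}; s1 -> s2, s2 -> s1, s2 -> s3, s3 -> s3.
LABEL = {'s1': {'a', 'b'}, 's2': {'a', 'b'}, 's3': {'a'}}

def trace(prefix_states, cycle_states):
    """trace(pi) of the ultimately periodic path prefix . cycle^omega."""
    return Word([LABEL[s] for s in prefix_states], [LABEL[s] for s in cycle_states])

PHI = U('b', And('a', Not('b')))     # b U (a ∧ ¬b)
PI1 = trace([], ['s1', 's2'])        # (s1 s2)^omega, an initial path from s1
PI2 = trace(['s1', 's2'], ['s3'])    # s1 s2 s3^omega, another initial path from s1

def ts_example():
    """Path-level facts behind 'TS satisfies neither PHI nor ¬PHI'."""
    return {'pi1 |= phi': sat(PI1, PHI),                        # False, hence TS |/= phi
            'pi2 |= phi': sat(PI2, PHI),                        # True, hence TS |/= ¬phi too
            'pi3 |= X(a and b)': sat(trace([], ['s3']), X(And('a', 'b')))}  # False: s3 initial
```

equivalent_on only examines a finite sample, so it can refute a claimed equivalence but never establish one: a failing pair such as ♢(a ∧ b) versus ♢a ∧ ♢b is a genuine counterexample, while a passing pair is evidence only. The bounded search in sat is exact for ultimately periodic words because every suffix of such a word reappears within one cycle length, and a minimal witness for U or a violating position for □ is always found inside that window.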
References

1 Christel Baier and Joost-Pieter Katoen, Principles of Model Checking, MIT Press, 2008.
2 Luca Aceto et al., Reactive Systems: Modelling, Specification and Verification, Cambridge University Press, 2007.
3 Slides on Modelling, Specification and Verification of Reactive Systems.
4 Slides by Daniel Shahaf on Temporal Logics I: Theory.

After all... tomorrow is another day.
(Scarlett O'Hara, "Gone with the Wind")
