Modal and Temporal Logics

Colin StirlingSchool of Informatics

University of Edinburgh

July 24, 2003

cps wssa 03 today

1

SummaryIntroduced transition systems

• a set of states S

• a set of labels A

• a set of transitions: s a−→ s′ where s, s′ ∈ S, a ∈ A

tick

Cl

cps wssa 03 today

2

SummaryOr Kripke structure where labels appear at states (“colours”)

p, q

r

q

s

s’

s’’

cps wssa 03 today

3

SummaryModal logic

Φ ::= tt | ff | Φ1 ∧ Φ2 | Φ1 ∨ Φ2 | [K]Φ | 〈K〉Φ

Semantics E |= Φ

E |= ttE 6|= ffE |= Φ ∧Ψ iff E |= Φ and E |= ΨE |= Φ ∨Ψ iff E |= Φ or E |= ΨE |= [K]Φ iff ∀F ∈ {E′ : E a−→ E′ and a ∈ K}. F |= ΦE |= 〈K〉Φ iff ∃F ∈ {E′ : E a−→ E′ and a ∈ K}. F |= Φ

cps wssa 03 today

4

SummaryKripke model = Kripke structure + L : Colours → S.

Modal Logic: Syntax

Φ ::= p | ¬p | Φ1 ∧ Φ2 | Φ1 ∨ Φ2 | [−]Φ | 〈−〉Φ

cps wssa 03 today

5

SummarySemantics

E |= p iff E ∈ L(p)E |= ¬p iff E 6∈ L(p)E |= Φ ∧Ψ iff E |= Φ and E |= ΨE |= Φ ∨Ψ iff E |= Φ or E |= ΨE |= [−]Φ iff ∀F ∈ {E′ : E −→ E′}. F |= ΦE |= 〈−〉Φ iff ∃F ∈ {E′ : E a−→ E′}. F |= Φ

cps wssa 03 today

6

Summary: Bisimulation on Transition SystemsA binary relation B between states of a transition system is a bisimulationprovided that, whenever (E, F ) ∈ B and a ∈ A,

• if E a−→ E′ then F a−→ F ′ for some F ′ such that (E′, F ′) ∈ B, and

• if F a−→ F ′ then E a−→ E′ for some E′ such that (E′, F ′) ∈ B

Two states E and F are bisimulation equivalent , E ∼ F , if there is abisimulation relation B such that (E, F ) ∈ B.

cps wssa 03 today

7

Summary: Bisimulation on Kripke ModelsA binary relation B between states of a Kripke model is a bisimulation providedthat, whenever (E, F ) ∈ B

• for all colours p, E ∈ L(p) iff F ∈ L(p)

• if E −→ E′ then F −→ F ′ for some F ′ such that (E′, F ′) ∈ B, and

• if F −→ F ′ then E −→ E′ for some E′ such that (E′, F ′) ∈ B

Two states E and F are bisimulation equivalent , E ∼ F , if there is abisimulation relation B such that (E, F ) ∈ B.

cps wssa 03 today

8

Summary: Invariance

• E ≡ F if for all modal Φ, E |= Φ iff F |= Φ.

(E and F have the same modal properties.)

• Proposition if E ∼ F then E ≡ F

• Proposition if E and F belongs to a finitely branching transitionsystem/Kripke model and E ≡ F then E ∼ F .

cps wssa 03 today

9

Summary: Unfolding

A transition system/Kripke model can be unfolded into a (bisimulationequivalent) possibly infinite tree

p, q

r

q

s

s’

s’’

becomes

cps wssa 03 today

10s

s

s

....

........ .......

s’

s’’

s’

cps wssa 03 today

11

Computational Properties

• Satisfiability Problem “Given a modal formula Φ, is Φ satisfiable(realisable)?” is NP-complete.

• Finite Tree Property If Φ is satisfiable then Φ is satisfiable in a transitionsystem/Kripke model that is a finite tree. (Hence, also Finite ModelProperty: if Φ is satisfiable then Φ is satisfiable in a finite transitionsystem/Kripke model.)

• Model Checking Problem “Given a finite transition system/Kripke model, astate E of it, and a modal formula, does E |= Φ ?” is P-complete.

cps wssa 03 today

12

Mutual Exclusion: Crucial Properties

• Mutual exclusion

• Absence of deadlock

• Absence of starvation

PROBLEM : None of these properties is expressible in modal logic!

cps wssa 03 today

13

Summary: Runs

• A run from state E0 is a finite or infinite length sequence of transitions

E0a1−→ E1

a2−→ . . . an−→ Enan+1−→ . . . with “maximal” length.

• Similarly, for a Kripke model.

• A run is a branch in the unfolded transition system/Kripke model .

cps wssa 03 today

14

Beyond Modal LogicRuns provide a means for expressing long term features .

• Mutual exclusion: no run has the property that two components are in theircritical section at the same time.

• Absence of deadlock: every run has infinite length

• Absence of starvation: in every run if a component requests entry intocritical section then eventually that component will be in its critical section

cps wssa 03 today

15

Summary: Temporal Operators on Runs

• Next: (K)Φ

E0a1−→ E1

a2−→ . . . Eiai+1−→ . . .

a1 ∈ K |= . . .Φ

• Until: ΦU Ψ. Note: the index i can be 0

E0a1−→ E1

a2−→ . . . Eiai+1−→ . . .

|= |= . . . |=Φ Φ Ψ

cps wssa 03 today

16

Summary: Temporal Operators on Runs II

• Eventually: F Ψ = ttUΨ. The index i can be 0

E0a1−→ E1

a2−→ . . . Eiai+1−→ . . .

. . . |=Ψ

• Always: G Ψ = ¬F¬Ψ

E0a1−→ E1

a2−→ . . . Eiai+1−→ . . .

|= |= . . . |=Ψ Ψ Ψ . . .

cps wssa 03 today

17

Summary: Linear Time Temporal Logic (LTL)Syntax

Φ ::= p | ¬Φ | Φ1 ∧ Φ2 | (−)Φ | ΦU Ψ

Semantics

A state E of a Kripke model satisfies an LTL formula Φ, written E |= Φ,

if for any run π from E, the run π |= Φ.

cps wssa 03 today

18

Summary: InvarianceE ≡ F if for all LTL Φ, E |= Φ iff F |= Φ.

Proposition If E ∼ F then E ≡ F .

Proof Sketch Bisimulation equivalence preserves runs.

cps wssa 03 today

19

Summary: Computational Properties I

• Satisfiability Problem “Given an LTL formula Φ, is Φ satisfiable (realisable)?”is PSPACE-complete.

• “Tree” Model Property If Φ is satisfiable then Φ is satisfiable in a transitionsystem/Kripke model that is a (regular) infinite tree whose branching degreeis one.

cps wssa 03 today

20

Summary: Computational Properties II

• Finite Model Property If Φ is satisfiable then Φ is satisfiable in a finitetransition system/Kripke model (that is eventually cyclic).

E ...

• Model Checking Problem “Given a finite transition system/Kripke model, astate E of it, and an LTL formula, does E |= Φ?” is PSPACE-complete.

cps wssa 03 today

21

Branching Time LogicsFor each temporal operator such as F, create two variants

• AF “for all runs eventually” (strong)

• EF “for some run eventually” (weak)

Modal operators are also branching time temporal operators

• [K] = A¬(K)¬

• 〈K〉 = E (K)

Therefore, we can extend modal logic with branching time temporal operators.

cps wssa 03 today

22

Computation Tree Logic (CTL)Syntax

Φ ::= tt | ¬Φ | Φ1 ∧ Φ2 | 〈K〉Φ | A(Φ1 UΦ2) | E(Φ1 UΦ2)

Semantics

Define when a state of a transition system satisfies a CTL formula.

cps wssa 03 today

23

Semantics of CTLThe new clauses

E |= ¬Φ iff E 6|= Φ

E0 |= A(Φ UΨ) iff for all runs E0a1−→ E1

a2−→ . . .there is i ≥ 0 with Ei |= Ψ andfor all j : 0 ≤ j < i, Ej |= Φ

E0 |= E(Φ U Ψ) iff for some run E0a1−→ E1

a2−→ . . .there is i ≥ 0 with Ei |= Ψ andfor all j : 0 ≤ j < i, Ej |= Φ

cps wssa 03 today

24

Derived OperatorsAF Φ = A(ttU Φ)

E F Φ = E(ttU Φ)

AG Φ = ¬EF¬Φ

EG Φ = ¬AF¬Φ

• Safety “nothing bad ever happens”: in every run bad is never true. A G good

• Liveness “something good eventually happens”: in every run good is eventuallytrue. A F good

• Weak Safety in some run bad is never true. E G good

• Weak Liveness in some run good is eventually true. E F good

cps wssa 03 today

25

Example: Crossing

E E

E

E

E E

E

E E

E

1 2

4 5

8 6 9

1110

3

E7

car train

car

car

train

train

ccross

______

tcross

______

τ

τ

τ

τ

τ

Crossing

train

car

τ

τ

τ

ccross

tcross

It is never the case that a train and a car can cross at the same time

AG([tcross]ff ∨ [ccross]ff)

cps wssa 03 today

26

Example: Mutual Exclusion

• Mutual exclusion: AG ([exit1]ff ∨ [exit2] ff)

• Absence of deadlock: AG 〈−〉 tt

• Absence of starvation (for one component): AG [req1] AF 〈exit1〉 tt

cps wssa 03 today

27

Exercise

p p,q

r

p

E F

G

H

Which of the following are true?

E |= A(p U q) E |= A F rE |= E F r E |= E G pE |= A F(E G r ∨ EG p)

cps wssa 03 today

28

Exercise: Which are Valid, Unsatisfiable, Neither?V U N

AG Φ → AF Φ

EG Φ → AF Φ

AF(Φ ∨Ψ) → AF Φ ∨AF Ψ

AG Φ → (Φ ∧ [−]AGΦ

AG AFΦ → EF E GΦ

AF AG Φ → AG AF Φ

AG(¬Φ ∨ 〈−〉Φ) ∧ Φ ∧AF¬Φ

AG(Φ → Ψ) → (AG Φ → AG Ψ)

cps wssa 03 today

29

ExerciseLet E ≡ F if for all CTL Φ, E |= Φ iff F |= Φ.

Prove the following:

Proposition If E ∼ F then E ≡ F .

cps wssa 03 today

30

Computational Properties

• Satisfiability Problem “Given an CTL formula Φ, is Φ satisfiable ?” isEXPTIME-complete.

• Tree Model Property If Φ is satisfiable then Φ is satisfiable in a transitionsystem/Kripke model that is a (regular) infinite tree.

• Finite Model Property If Φ is satisfiable then Φ is satisfiable in a finite transitionsystem/Kripke model.

• Model Checking Problem “Given a finite transition system/Kripke model, astate E of it, and a CTL formula, does E |= Φ ?” is P-complete.

cps wssa 03 today

31

Incomparability of LTL and CTLA formula of Φ of LTL is equivalent to a formula Ψ of CTL if for every modeland state E, E |= Φ iff E |= Ψ.

• CTL and LTL are expressively incomparable .

• EF AG p is not expressible in LTL and F G p is not expressible in CTL

p p

E

p

F

cps wssa 03 today

32

• Open Question: which formulas of LTL are in CTL? (Known: which formulasof CTL are in LTL.)

cps wssa 03 today

33

CTL∗

Syntax

Allow the facility to have branching time formulas with arbitrary embeddings oflinear time and boolean operators.

Φ ::= p | ¬Φ | Φ1 ∧ Φ2 | (−)Φ | ΦU Ψ | AΦ

Example formula: A(FG Φ∧GF Ψ)

cps wssa 03 today

34

Semantics of CTL∗

A state E of a Kripke model satisfies an CTL∗ formula Φ, written E |= Φ, if forany run π from E, the run π |= Φ.

π(0) is initial state of π

π |= AΦ iff for any run π′ if π′(0) = π(0)then π′ |= Φ

CTL∗ contains both LTL and CTL.

Let E ≡ F if for all Φ ∈ CTL∗, E |= Φ iff F |= Φ.

Proposition If E ∼ F then E ≡ F .

cps wssa 03 today

35

Computational Properties

• Satisfiability Problem “Given a CTL∗ formula Φ, is Φ satisfiable ?” is2EXPTIME-complete.

• Tree Model Property If Φ is satisfiable then Φ is satisfiable in a transitionsystem/Kripke model that is a (regular) infinite tree.

• Finite Model Property If Φ is satisfiable then Φ is satisfiable in a finite transitionsystem/Kripke model.

• Model Checking Problem “Given a finite transition system/Kripke model, astate E of it, and a CTL∗ formula, does E |= Φ?” is PSPACE-complete.

cps wssa 03 today

36

Model Checking CTL Formulas‖Φ ‖ = {E : E |= Φ} in a fixed model.

Model checking is “bottom up” by computing ‖Ψ ‖ for any subformula of Φ andthen computing ‖Φ ‖.

• ‖¬Φ1 ‖ = −‖Φ1 ‖,

• ‖Φ1 ∧ Φ2 ‖ = ‖Φ1 ‖ ∩ ‖Φ2 ‖

• ‖ 〈K〉Φ ‖ = {F : ∃F ′ ∈ ‖Φ ‖, a ∈ K.F a−→ F ′}

cps wssa 03 today

37

Model Checking CTL

• ‖E(ΦU Ψ) ‖ =⋃

Si where S1 = ‖Ψ ‖ and

Si+1 = Si ∪ {F ∈ ‖Φ ‖ : ∃a, F ′ ∈ Si. Fa−→ F ′}

• ‖A(ΦU Ψ) ‖ =⋃

Si where S1 = ‖Ψ ‖ and

Si+1 = Si ∪ {F ∈ ‖Φ ‖ : ∃a, F ′. F a−→ F ′ and ∀a, F ′. if F a−→ F ′ then F ′ ∈Si}

Direct backwards reachability computation for E U in transition graph. For A Uit is forward reachability which can be implemented efficiently using depth firstsearch.

Both are fixed point computations: essence of model checking

cps wssa 03 today

38

Temporal Operators as Fixed points

1. E(ΦU Ψ) ≡ Ψ ∨ (Φ ∧ 〈−〉E(ΦU Ψ))

2. A(Φ U Ψ) ≡ Ψ ∨ (Φ ∧ 〈−〉tt ∧ [−]A(ΦU Ψ))

Syntactically: property X such that

1. X ≡ Ψ ∨ (Φ ∧ 〈−〉X)

2. X ≡ Ψ ∨ (Φ ∧ 〈−〉tt ∧ [−]X)

cps wssa 03 today

39

Temporal Operators as Fixed pointsSemantically: set of states S = f(S) where f is

1. λx.‖Ψ ∨ (Φ ∧ 〈−〉x) ‖

2. λx.‖Ψ ∨ (Φ ∧ 〈−〉tt ∧ [−]x) ‖

If S = f(S) then S is a fixed point of f .

In both cases f is monotonic : S ⊆ S′ → f(S) ⊆ f(S′)

f is essentially modal (using 〈−〉 and [−]).

cps wssa 03 today

40

Fixed pointsS is a prefixed point of f , if f(S) ⊆ S

S is a postfixed point of f , if S ⊆ f(S)

Proposition If f is monotonic (w.r.t ⊆) then f

1. has a least fixed point,⋂

{S : f(S) ⊆ S}

2. has a greatest fixed point,⋃

{S : S ⊆ f(S)}

Exercise: Prove this.

cps wssa 03 today

41

Example

• S = f(S) when f = λx.‖Ψ ∨ (Φ ∧ 〈−〉x) ‖

• There can be many different fixed points of f .

• The one wanted that expresses E(ΦU Ψ) is the least fixed point.

• Exercise: what does the greatest fixed point of f express?

cps wssa 03 today

42

Example

• AG Φ ≡ Φ ∧ [−]AG Φ. Computing ‖AG Φ ‖: Simple depth first search,that stops when reach a state in ‖¬Φ ‖.

• ‖AG Φ ‖ =⋂

Si where S1 = ‖Φ ‖ and

Si+1 = Si ∩ {F ∈ Si : ∀a, F ′.F a−→ F ′ implies F ′ ∈ Si}

• Syntactically: Property X such that X ≡ Φ ∧ [−]X

Semantically: fixed point of f = λx.‖Φ ∧ [−]x ‖

• Required property, A G Φ, is greatest fixed point of f

• Exercise: What does the least fixed point of f express?

cps wssa 03 today

43

ExerciseWhat property is defined by the following fixed points?

1. X ≡ Φ ∨ 〈−〉X least

2. X ≡ Φ ∧ 〈−〉X greatest

3. X ≡ Φ ∧ [−][−]X greatest

cps wssa 03 today

44

A SchedulerProblem: assume n tasks when n > 1.

ai initiates the ith task and bi signals its completion

The scheduler plans the order of task initiation, ensuring

1. actions a1 . . . an carried out cyclically and tasks may terminate in any order

2. but a task can not be restarted until its previous operation has finished.(ai and bi happen alternately for each i. )

More complex temporal properties. Not expressible in CTL∗ (“not firstorder”but are “regular”).

Expressible using fixed points

cps wssa 03 today

45

Modal Logic+Z ranges over propositional variables

Φ ::= Z | tt | ff | Φ1 ∧ Φ2 | Φ1 ∨ Φ2 | [K]Φ | 〈K〉Φ

• |= refined to |=V where V is a valuation that assigns a set of states V(X) toeach variable X

E |=V X iff E ∈ V(X)

• ‖Φ ‖ refined too: ‖Φ ‖V = {E : E |=V Φ}

• V[S/X] is valuation V′ like V except V′(X) = S.

cps wssa 03 today

46

Modal Logic+ IIProposition The function λx.‖Φ ‖V[x/X] is monotonic for any modal Φ.

• If ¬ explicitly in logic then above not true: ¬X: λx.− x not monotonic.

However, define when Φ is positive in X: if X occurs within an even numberof negations in Φ

Proposition If Φ is positive in X then λx.‖Φ ‖V[x/X] is monotonic

1. Property given by least fixed point of λx.‖Φ ‖V[x/X] is written µX.Φ.

2. Property given by greatest fixed point of λx.‖Φ ‖V[x/X] is written νX.Φ.

Alternative basis for temporal logic: modal logic + fixed points

cps wssa 03 today