Embed Size (px)
DESCRIPTION
Semantically Equivalent Formulas. Let Φ and ψ be formulas of propositional logic. We say that Φ and ψ are semantically equivalent iff Φ ╞ ψ ψ ╞ Φ hold. In that case we write Φ ≡ ψ . Further, we call Φ valid if ╞ Φ holds. - PowerPoint PPT Presentation
Citation preview
Semantically Equivalent Formulas
• Let Φ and ψ be formulas of propositional logic. We say that Φ and ψ are semantically equivalent iff
Φ ╞ ψ ψ ╞ Φ hold. In that case we write Φ ≡ ψ.
Further, we call Φ valid if ╞ Φ holds.
Examples of equivalent formulas
• p → q ≡ ¬p q• p → q ≡ ¬q → ¬p
• p q → p ≡ r ¬r
• p q → r ≡ p → (q →r)
Lemma
• Given propositional logic formulas Φ1, Φ2, …, Φn, ψ, we have
Φ1, Φ2, …, Φn ╞ ψ
iff
╞ Φ1 →(Φ2 → (Φ3 → … → (Φn → ψ)))
Literal
• A literal is either an atom p or the negation of an atom ¬p.
Conjunctive Normal Form (CNF)
• A formula Φ is in conjunctive normal form (CNF) if it is of the form
ψ1 ψ2 …. ψn
for some n ≥ 1, such that ψi is a literal, or a disjunction of literal, for all 1 ≤ i ≤ n.
Examples for CNF formulas
• (¬q p r) (¬p r) q• (p r) (¬p r) (p ¬r)
Lemma
• A disjunction of literals L1 L2 …. Lm is valid (i.e., ╞ L1 L2 …. Lm) iff there are 1 ≤ i, j ≤ m such that Li is ¬Lj.
Satisfiable formulasSatisfiable formulas
• Given a formula Φ in a propositional logic, we say that Φ is satisfiable if there exists an assignment of truth values to its propositional atoms such that Φ is true.
Proposition
• Let Φ be a formula of propositional logic. Then Φ is satisfiable iff ¬Φ is not valid.
function CNF(Φ)
/* pre-condition: Φ implication free and in NNF*//* post-condition: CNF(Φ) computes an equivalent CNF for Φ */
begin function case Φ is a literal : return Φ
Φ is Φ1 Φ2: return CNF(Φ1) CNF(Φ2)
Φ is Φ1 Φ2: return DISTR(CNF(Φ1), CNF(Φ2) ) end caseend function
function DISTR(η1, η2):
/* pre-condition: η1 and η2 are in CNF */ /* post-condition: DISTR(η1, η2) computes a CNF for η1 η2 */
begin function case η1 is η11 η12 : return DISTR(η11 , η2) DISTR(η12 , η2) η2 is η21 η22 : return DISTR(η1 , η21) DISTR(η1 , η22) otherwise (= no conjunction): return η1 η2
end caseend function
function NNF(Φ)
/* pre-condition: Φ is implication free *//* post-condition: NNF(Φ) computes a NNF for Φ */begin function case Φ is a literal : return Φ Φ is ¬¬Φ1 : return NNF(Φ1) Φ is Φ1 Φ2 : return NNF(Φ1) NNF(Φ2) Φ is Φ1 Φ2 : return NNF(Φ1) NNF(Φ2) Φ is ¬(Φ1 Φ2) : return NNF(¬Φ1 ¬Φ2) Φ is ¬(Φ1 Φ2) : return NNF(¬Φ1 ¬Φ2)
end caseend function
Φ = ¬p q → p (r → q)
IMPL_FREE Φ = ¬ IMPL_FREE (¬p q ) IMPL_FREE (p (r → q))
= ¬((IMPL_FREE ¬p ) (IMPL_FREE q )) IMPL_FREE (p (r → q))
= ¬((¬p ) IMPL_FREE q ) IMPL_FREE (p (r → q))
= ¬ (¬p q ) IMPL_FREE (p (r → q))
= ¬ (¬p q ) ((IMPL_FREE (p) IMPL_FREE (r → q))
= ¬ (¬p q ) (p IMPL_FREE (r → q))
= ¬ (¬p q ) (p (¬ (IMPL_FREE r) IMPL_FREE (q)))
= ¬ (¬p q ) (p (¬ r IMPL_FREE (q)))
= ¬ (¬p q ) (p (¬ r q))
IMPL_FREE Φ = ¬ (¬p q ) (p (¬ r q))
NNF (IMPL_FREE Φ )
= NNF (¬ (¬p q )) NNF (p (¬ r q))
= NNF (¬ (¬p ) ¬q )) NNF (p (¬ r q))
= (NNF (¬¬p )) (NNF (¬q )) NNF (p (¬ r q))
= (p (NNF (¬q ))) NNF (p (¬ r q))
= (p ¬q ) NNF (p (¬ r q))
= (p ¬q ) ((NNF p) (NNF (¬ r q)))
= (p ¬q ) ( p (NNF (¬ r q)))
= (p ¬q ) ( p ((NNF (¬ r)) (NNF q)))
= (p ¬q ) ( p (¬ r (NNF q)))
= (p ¬q ) ( p (¬ r q))
NNF (IMPL_FREE Φ) = (p ¬q ) ( p (¬ r q))CNF(NNF (IMPL_FREE Φ))
= CNF ((p ¬q ) ( p (¬r q)))
= DISTR ( CNF (p ¬q ), CNF (p (¬ r q)))
= DISTR (p ¬q , CNF (p (¬ r q)))
= DISTR (p ¬q , p (¬ r q))
= DISTR (p ¬q , p) DISTR (p ¬q , ¬ r q)
= (p ¬q p) DISTR (p ¬q , ¬ r q)
= (p ¬q p) (p ¬q ¬ r q)
Horn Formula Φ
• is a formula Φ of propositional logic if it is of the form ψ1 ψ2 ... ψn for some n ≥ 1 such that ψi is of the form
p1 p2 ... pki → qi
for some ki ≥ 1, where p1, p1, …, pki, qi are
atoms, ┴ or T. We call such ψi a Horn clause.
Examples of Horn formulas
• (p q s → p) (q r → p) (p s → s)• (p q s → ┴) (q r → p) (T → s)
• (p2 p3 p5 → p13) (T→ p2) (p5 p11 → ┴)
Examples of non-Horn formulas
• (p q s → ¬p) (q r → p) (p s → s)• (p q s → ┴) (¬q r → p) (T → s)
• (p2 p3 p5 → p13 p27) (T→ p2) (p5 p11 → ┴)
• (p2 p3 p5 → p13 ) (T→ p2) (p5 p11 ┴)
function HORN(Φ)
/* Pre-condition : Φ is a Horn formula*/
/* Post-condition : HORN(Φ) decides the satisfiability for Φ */
begin function
mark all atoms p where T → p is a sub-formula of Φ;
while there is a sub-formula p1 p2 ... pki → qi of Φ such that all pj
are marked but qi is not do
if qi ≡ ┴ then return ‘unsatisfiable’
else mark qi for all such subformulas
end while
return ‘satisfiable’
end function
Theorem
• The algorithm HORN is correct for the satisfiability decision problem of Horn formulas and has no more than n cycles in its while-loop if n is the number of atoms in Φ. HORN always terminates on correct input.
Kripke structure
Let AP be a set of atomic propositions. A Kripke structure M
over AP is a four tuple M= (S, S0, R, L) where
1. S is a finite set of states
2. S0 S is the set of initial states.
3. R S × S is a transition relation that must be total, that is for every state s S there is a state s’ S such that R (s, s’).
4. L: S 2 AP is a function that labels each state with the set of atomic proposition in that state.
A path in the structure M from a state s is an infinite sequence of states
ω = s0 s1 s2 … such that s0 = s and R (si, si+1) holds for all i ≥ 0.
First order representationof Kipke structures
• We use interpreted first order formulas to describe concurrent systems.
• We use usual logical connectives (and , or , implies , not , and so on) and universal ( ) and existential ( ) quantifications.
• Let V = {v1, …, vn} be the set of system variables. We assume that the variables in V range over a finite set D.
• A valuation for V is a function that associated a value in D with each variable v in V. Thus, s is a valuation for V when s: V D.
• A state of a concurrent system can be viewed as a valuation for the set of its variables V.
• Let V’ = {v’1, …, v’n}. We think of the variables in V as present state variables and the variables in V’ as next state variables.
First order representationof Kipke structures
Let M = (S, S0, R, L) be a Kripke structure.• S is the set of all valuations for all variables of the system which can
be described by a proposition S. Usually, S = True.• The set of initial states S0 can be described by a proposition (on the
set of variables) S0.
• R can be described by a proposition R such that for any two states s and s’, R(s, s’) holds if R evaluates to True when each variable v is assigned the value s(v) and each variable v’ is assigned the value s(v’).
• The labeling function L:S 2AP is defined so that L(s) is the subset of all atomic propositions true in s which can be described by some appropriate proposition.
A simple example
We consider a simple system with variables x and y that range
over D = {0, 1}. Thus, a valuation for the variables x and y is
just a pair (d1, d2) D × D where d1 is the value for x and d2 is
the value for y. The system consists of one transition
x := (x +y) mod 2,
Which starts from the state in which x = 1 and y = 1.
A simple example with transition x := (x +y) mod 2
• S = True
• S0 (x, y) ≡ x = 1 y = 1
• R (x, y, x’, y’) ≡ x’ = (x +y) mod 2 y’ = y
A simple example with transition x := (x +y) mod 2
The Kripke structure M = (S, S0, R, L) for this system is simply:
• S = D × D.
• S0 = {(1,1)}
• R = {((1,1), (0,1)), ((0,1), (1,1)), ((1,0), (1,0)), ((0,0), (0,0))}.• L(1,1) = {x =1, y = 1}, L(0,1) = {x =0, y = 1}, L(1,0) = {x =1, y = 0},
L(0,0) = {x =0, y = 0}.
The only path in the Kripke structure that starts in the initial state is
(1,1) (0,1) (1,1) (0,1) ….
Concurrent systems
• A concurrent system consists of a set of components that execute together.
• Normally, the components have some means of communicating with each other.
Modes of execution
We will consider two modes of execution: Asynchronous or interleaved execution, in which only one component makes a step at a time, and synchronous execution, in which all of the components make a step at the same time
Modes of communication
• We will also distinguish three modes of communication. Components can either communicate by changing the value of shared variables or by exchanging messages using queues or some handshaking protocols.
A modulo 8 counter
v2 v1
v0
Synchronous circuitA modulo 8 counter
The transitions of the circuit are given by
• v’0 = v0
• v’1 = v0 v1
• v’2 = (v0 v1) v2
• R0 (v, v’) ≡ (v’0 ↔ v0)
• R1 (v, v’) ≡ (v’1 ↔ v0 v1)
• R2 (v, v’) ≡ (v’2 ↔ (v0 v1) v2)
• R (v, v’) ≡ R0 (v, v’) R1 (v, v’) R2 (v, v’)
Synchronous circuitGeneral case
• Let V = {v0, …., vn-1} and V’ = {v’0, …., v’n-1}• Let v’i = fi (V), 1= 0, …, n-1.• Define Ri (v, v’) ≡ ( v’i ↔ fi (V)).• Then, the transition relation can be
described as
R (v, v’) ≡ R0 (v, v’) … Rn-1 (v, v’).
Asynchronous circuitGeneral case
• In this case, the transition relation can be described as
R (v, v’) ≡ R0 (v, v’) … Rn-1 (v, v’),
Where
Ri (v, v’) ≡ ( v’i ↔ fi (V)) j ≠ i (v’j ↔ vj )).
Example
• Let V = {v0, v1}, v’0 = v0 v1 and v’1 = v0 v1.• Let s be a state with v0 = 1 v1 = 1.• For the synchronous model, the only
successor of s is the state v0 = 0 v1 = 0.• For the asynchronous model, the state s has
two successors:• 1. v0 = 0 v1 = 1 ( the assignment to v0 is
taken first).• 2. v0 = 1 v1 = 0 ( the assignment to v1 is
taken first).
Labeled program
Given a statement P, the labeled statement PL is defined as follows:
• If P is not a composite statement then P = PL. .
• If P = P1; P2 then PL = P1L ; l’’ : P2
L.
• If P = if b then P1 else P2 end if, then
PL = if b then l1 : P1L else l2 : P2
L end if.
• If P = while b do P1 end while, then PL = while b do l1 : P1
L end while.
Some assumptions
• We assume that P is a labeled statement and that the entry and exit points of P are labeled by m and m’, respectively.
• Let pc be a special variable called the program counter that ranges over the set of program labels and an additional value ┴ called the undefined value.
• Let V denote the set of program variables, V’ the set of primed variables for V, and pc’ the primed variables for pc.
• Let same (Y) = y ε Y (y’ = y).
The set of initial states of P
• Given some condition pre (V) on the initial variables for P,
S0 (V, pc) ≡ pre (V) pc = m.
The transition relation for P
• C (l, P, l’) describes the set of transitions in P as a disjunction of all transitions in the set.
• Assignment:
C ( l, v ← e, l’) ≡ pc = l pc’ = l’ v’ = e same (V \ {v})• Skip:
C ( l, skip, l’) ≡ pc = l pc’ = l’ same (V)• Sequential composition:
C ( l, P1; l’’ : P2, l’) ≡ C ( l, P1, l’’) C ( l’’, P2, l’)
The transition relation for P (continued)
• Conditional:
C (l, if b then l1: P1 else l2 : P2 end if, l’) is the disjunction of the following formulas:
• pc = l pc’ = l1 b same (V)
• pc = l pc’ = l2 b same (V)
• C (l1, P1, l’)
• C (l2, P2, l’)
The transition relation for P (continued)
• While:
C (l, while b do l1 : P1 end while, l’) is the disjunction of the following formulas:
• pc = l pc’ = l1 b same (V)
• pc = l pc’ = l’ b same (V)
• C (l1, P1, l)
Concurrent programs
• A concurrent program consists of a set of processes that can be executed in parallel. A process is a sequential program.
• Let Vi be the set of variables that can be changed by process Pi. V is the set of all program variables.
• pci is the program counter of process Pi. PC is the set of all program counters.
• A concurrent program has the form
cobegin P1 || P2 … || Pn coend
where P1, …, Pn are processes.
Labeling transformation
• We assume that no two labels are identical and that the entry and exit points of P are labeled m and m’, respectively.
• If P = cobegin P1 || P2 … || Pn coend, then
PL = cobegin l1 : P1L
l’1 || l2 : P2L l’2 || … || ln : Pn
L l’n coend.
The set of initial states of P
S0 (V, pc) ≡ pre (V) pc = m i = 1, … n (pci = ┴ )
The transition relation for P
C (l, cobegin l1 : P1L
l’1 || … || ln : PnL l’n coend, l’)
Is the disjunction of three formulas:
• pc = l pc’1 = l1 … pc’n = ln pc’ = ┴
• pc = ┴ pc1 = l’1 … pcn = l’n pc’ = l’ i = 1, … n (pc’i = ┴)
• i = 1, … n (C (li, Pi, l’i) (same (V \ Vi) same (PC \ {pci}))
Shared variables
• Wait: C (l, wait (b), l’) is a disjunction of the following two formulas:• (pci = l pc’i = l b same (Vi))• (pci = l pc’i = l’ b same (Vi))
• Lock (v) (= wait (v = 0)): C (l, lock (v), l’) is a disjunction of the following two formulas:• (pci = l pc’i = l v = 1 same (Vi))• (pci = l pc’i = l’ v = 0 v’ = 1 same (Vi \ {v}))
• Unlock (v): C (l, unlock (v), l’) ≡ pci = l pc’i = l’ v’ = 0 same (Vi \ {v})
A simple mutual exclusion programP = m: cobegin P0 || P1 coend m’
P0 :: l0 : while True do
NC0 : wait (turn = 0);
CR0 : turn :=1;
end while;
l’0P1 :: l1 : while True do
NC1 : wait (turn = 1);
CR1 : turn := 0;
end while;
l’1
Kripke structure
• pc takes values in the set { m, m’, ┴ }.
• pci takes values in the set { li, l’i, NCi, CRi, ┴ }.
• V = V0 = V1 = {turn}.
• PC = {pc, pc0, pc1}.
The set of initial states of P
• S0 (V, PC) ≡ pc = m pc0 = ┴ pc1 = ┴.
The transition relation for P
• R (V, PC, V’, PC’) is the disjunction of the following four formulas:
• pc = m pc’0 = l0 pc’1 = l1 pc’ = ┴.
• pc0 = l’0 pc1 = l’1 pc’ = m’ pc’0 = ┴ pc’1 = ┴.
• C (l0, P0, l’0) same (pc, pc1).
• C (l1, P1, l’1) same (pc, pc0).
The transition relation of Pi
For each process Pi, C (li, Pi, l’i) is the disjunction of:
• pci = li pc’i = NCi True same (turn)
• pci = NCi pc’i = CRi turn = i same (turn)
• pci = CRi pc’i = li turn’ = (i+1) mod 2
• pci = NCi pc’i = NCi turn ≠ i same (turn)
• pci = li pc’i = l’i False same (turn)
turn = 0CR1, NC0
turn = 0CR0, NC1
turn = 1CR1, l0
turn = 0┴, ┴
turn = 1┴, ┴
turn = 1NC0, NC1
turn = 1l1, NC0
turn = 1l0, NC1
turn = 1l0, l1
turn = 0l1, NC0
turn = 0l0, l1
turn = 0NC0, NC1
turn = 0CR0, l1
turn = 0l0, NC1
Syntax of Computational Tree Logic (CTL)
Φ ::= ┴ | T | p | (¬Φ) | (Φ Φ) | (Φ Φ) |
(Φ → Φ) | AX Φ | EX Φ | A[Φ U Φ] |
E[Φ U Φ] | AG Φ | EG Φ | AF Φ | EG Φ
where p ranges over atomic formulas.
Convention
• The unary connectives (consisting of ¬ and the temporal connectives AG, EG, AF, AX and EX) bind most tightly. Next in the order come and ; and after that come → , AU and EU.
Some examples of well-formed CTL formulas
• (EG r)• AG (q → EG r)• (AG q) → (EG r)• EF E[r U q]• A[p U EF r]• EF EG p → AF r• (EF EG p) → AF r• EF EG (p → AF r)
Some examples of not well-formed CTL formulas
• FG r
• A ¬G¬p
• F[r U q]
• EF (r U q)
• AEF r
• AF [(r U q) (p U q)]
CTL Subformulas
• Definition: A subformula of a CTL formula Φ is any formula ψ whose parse tree is a subtree of Φ‘s parse tree.
The parse tree for A[AX ¬p U E[EX (p q) U ¬p]]
AU
AX EU
EX ¬¬
p p
p q
Semantics of Computational Tree Logic (CTL)
• Let M = (S, R, L) be a Kripke structure. Given any state s in S, we define whether a CTL formula Φ holds in state s. We denote this by
M, s ╞ Φ,
where ╞ is the satisfaction relation.
The satisfaction relation ╞ is defined by structural induction on all CTL formulas:
• M, s ╞ T and ¬(M, s ╞ ┴) for all s ε S.• M, s ╞ p iff p ε L(s).• M, s ╞ ¬Φ iff ¬(M, s ╞ Φ).
• M, s ╞ Φ1 Φ2 iff M, s ╞ Φ1 and M, s ╞ Φ2.
• M, s ╞ Φ1 Φ2 iff M, s ╞ Φ1 or M, s ╞ Φ2.
• M, s ╞ Φ1 → Φ2 iff ¬(M, s ╞ Φ1) or M, s ╞ Φ2.
• M, s ╞ AX Φ iff for all s1 such that (s, s1) ε R, we have M, s1 ╞ Φ . Thus, AX says: ‘in every next state’.
• M, s ╞ EX Φ iff for some s1 such that (s, s1) ε R, we have M, s1 ╞ Φ . Thus, EX says: ‘in some next state’.
The satisfaction relation ╞ is defined by structural induction on all CTL formulas: (continued)
• M, s ╞ AG Φ iff for all paths s1 s2 s3 … where s1 equals s, and all si along the path, we have such that (si, si+1) ε R, we have M, si ╞ Φ . Thus, AG says: ‘for all computation paths beginning s the property Φ holds globally’.
• M, s ╞ EG Φ iff there is a path s1 s2 s3 … where s1 equals s, and all si along the path, we have such that (s, s1) ε R, we have M, si ╞ Φ . Thus, AG says: ‘there exists a computation path beginning s such that Φ holds globally along the path’.
• M, s ╞ AF Φ iff for all paths s1 s2 s3 … where s1 equals s, there is some si such that M, si ╞ Φ. Thus, AF says: ‘for all computation paths beginning in s there will be some future state where Φ holds’.
The satisfaction relation ╞ is defined by structural induction on all CTL formulas: (continued)
• M, s ╞ EF Φ iff there is a path s1 s2 s3 … where s1 equals s, and for some si along the path, we have M, si ╞ Φ. Thus, EF says: ‘there exists a computation path beginning in s such that Φ holds in some future state’.
• M, s ╞ A[Φ1 U Φ2] iff for all paths s1 s2 s3 … where s1 equals s, that path satisfies Φ1 U Φ2, i.e., there is some si along the path, such that
M, si ╞ Φ2, and, for each j < i, we have M, sj╞ Φ1. Thus, A[Φ1 U Φ2] says: ‘all computation paths beginning in s satisfy that Φ1 until Φ2 holds on it’.
• M, s ╞ E[Φ1 U Φ2] iff there is a path s1 s2 s3 … where s1 equals s, and that path satisfies Φ1 U Φ2, i.e., there is some sj along the path, such that M, si ╞ Φ2, and, for each j < i, we have M, sj ╞ Φ1. Thus, E[Φ1 U Φ2] says: ‘there exists a computation path beginning in s such that Φ1 until Φ2 holds on it’.
A system whose starting state satisfies EF Φ
Φ
A system whose starting state satisfies EG Φ
Φ
Φ
Φ
A system whose starting state satisfies AG Φ
Φ
Φ
Φ
Φ
Φ
ΦΦ
Φ
Φ
Φ
A system whose starting state satisfies AF Φ
Φ ΦΦ
Φ
Φ
Some examples for the following system M:
• M, s0 ╞ p q• M, s0 ╞ ¬r• M, s0 ╞ T• M, s0 ╞ EX (q r)• M, s0 ╞ ¬AX (q r)• M, s0 ╞ ¬EF (p r)• M, s2 ╞ EG r• M, s2 ╞ AG r• M, s0 ╞ AF r• M, s0 ╞ E[(p q) U r]• M, s0 ╞ A[p U r]
p, q
q, r r
s0
s1 s2
Other examples for CTL logic
• It is possible to get a state where started holds but ready does not hold: EF (started ¬ready)
• For any state, if a request (of some resource) occurs, then it will eventually be acknowledged:
AG (requested → AF acknowledged)• A certain process is enabled indefinitely often on every computation
path:
AG (AF enabled)• Whatever happens, a certain process will eventually be permanently
deadlocked: AF (AG deadlocked)
Other examples for CTL logic (continued)
• From any state it is possible to get a restart state: AG (EF restart)• An upwards traveling elevator at the second floor does not change
its direction when it has passengers wishing to go to the fifth floor:
AG (floor=2 direction=up ButtonPressed5 → A[direction=up U floor=5])
• The elevator can remain idle on the third floor with its doors closed:
AG (floor=3 idle door=closed → EG (floor=3 idle door=closed))
Semantically equivalent CTL formulas
• Definition: Two CTL formulas Φ and ψ are said to be semantically equivalent if any state in any Kripke structure which satisfies one of them also satisfies the other; we denote this by Φ ≡ ψ.
Important equivalences between CTL formulas
• ¬AF Φ ≡ EG ¬Φ
• ¬EF Φ ≡ AG ¬Φ
• ¬AX Φ ≡ EX ¬Φ
• AF Φ ≡ A[T U Φ]
• EF Φ ≡ E[T U Φ]
• A[p U q] ≡ ¬(E[¬q U (¬p ¬q)] EG ¬q)
Theorem:
• The set of operators ┴, ¬ and together with AF, EU and EX are adequate for CTL: any CTL formula can be transformed into a semantically equivalent CTL formula which uses only those logical connectives.
Other interesting equivalences
• AG Φ ≡ Φ AX AG Φ
• EG Φ ≡ Φ EX EG Φ
• AF Φ ≡ Φ AX AF Φ
• EF Φ ≡ Φ EX EF Φ
• A[Φ U ψ] ≡ ψ (Φ AX A[Φ U ψ])
• E[Φ U ψ] ≡ ψ (Φ EX E[Φ U ψ])
Example: mutual exclusion
• When concurrent processes share a resource, it may be necessary to ensure that they do not have access to it at the same time.
• We therefore identify certain critical sections of each process code and arrange that only one process can be in its critical section at a time.
• The problem we are faced with is to find a protocol for determining which process is allowed to enter its critical section at which time.
Some expected properties for mutual exclusion
• Safety: The protocol allows only one process to be in its critical section at a time.
• Liveness: Whenever any process wants to enter its critical section, it will eventually be permitted to do so.
• Non-blocking: A process can always request to enter its critical section.
• No strict sequencing: Processes need not enter their critical section in strict sequence.
A simple example of two processes
• n = a process is in a non-critical state
• t = a process tries to enter in its critical section
• c = a process is in its critical section
A first-attempt model for mutual exclusion
n1n2
n1t2t1n2
t1t2
c1n2n1c2
t1c2c1t2
s0
s1 s5
s2 s3
s4 s7
s6
CTL formulas for the system properties
• Safety: Φ1 = AG ¬(c1 c2). (o.k.)
• Liveness: Φ2 = AG (t1 → AF c1). (not o.k.)
because there exists a computation path, namely, s1 → s3 → s7 → s1 →… on which c1 is always false.
• Non-blocking: Φ3= AG (n1 → EX t1). (o.k.)
• No strict sequencing: EF (c1 E[c1 U (¬c1 E[¬c2 U c1])]). (o.k.)
A second-attempt model for mutual exclusion
n1n2
n1t2t1n2
t1t2c1n2n1c2
t1c2c1t2
s0
s1 s5
s2s3
s4 s7
s6
t1t2
s9
Syntax of Linear-time temporal logic (LTL)
• Definition: Linear-time temporal logic (LTL) has the following syntax given in Backus Naur form
Φ ::= p | (¬Φ) | (Φ Φ) | (Φ U Φ) | (G Φ)| (F Φ)| (X Φ) where p is any propositional atom.
Semantics of Linear Tree Logic (LTL)
• Let M = (S, R, L) be a Kripke structure. Given a path σ = s1 s2 s3 … in M, where s1 is the initial state, and for all si along the path, such that (si, si+1) ε R, we define whether a LTL formula Φ holds in the path σ denoted as
M, σ ╞ Φ,
where ╞ is the satisfaction relation.
• Let σi = si si+1 ... denote the suffix of σ starting at si.
The satisfaction relation ╞ is defined by structural induction on all of LTL formulas:
• M, σ ╞ T and ¬(M, s ╞ ┴) for all s ε S.
• M, σ ╞ p iff p ε L(s1).
• M, σ ╞ ¬Φ iff ¬(M, σ ╞ Φ).
• M, σ ╞ Φ1 Φ2 iff M, σ ╞ Φ1 and M, σ ╞ Φ2.
• M, σ ╞ X Φ iff M, σ2 ╞ Φ, • M, σ ╞ G Φ iff, for all i ≥ 1, M, σi ╞ Φ,• M, σ ╞ F Φ iff, for some i ≥ 1, M, σi ╞ Φ,• M, σ ╞ Φ U ψ iff, there is some i ≥ 1 such that M, σi ╞ ψ
and for all j = 1 … i-1 we have M, σj ╞ Φ.
Semantically equivalent LTL formulas
• Definition: Two LTL formulas Ф and ψ are semantically equivalent, writing as Ф ≡ ψ, if they are true for the same paths in each model. An LTL formula Ф is satisfied in a state s of a model if Ф is satisfied in every path starting at s.
Some semantically equivalent LTL formulas
• G Ф ≡ ¬F ¬Ф
• F Ф ≡ ¬G ¬Ф
• F(Ф ψ) ≡ F Ф F ψ
• G(Ф ψ) ≡ G Ф G ψ
• Ф U ψ ≡ ¬(¬ ψ U (¬Ф ¬ψ)) F ψ
Syntax of CTL*
The CTL* formulas are divided into two classes:• state formulas, which are evaluated in states:
Φ ::= p | T | (¬Φ) | (Φ Φ) | A[α] | E[α],• path formulas, which are evaluated along paths:
α ::= Φ | (¬α) | (α α) | (α U α) | (G α) | (F α) | (X α)
where Φ is any state formula.
LTL and CTL as subsets of CTL*
• Although the syntax of LTL does not include A and E, the semantic viewpoint of LTL is that we consider all paths. Therefore, the LTL formula α is equivalent to the CTL* formula A[α]
• CTL is the fragment of CTL* in which we restrict the form of path formulas to
α ::= (Φ U Φ) | (G Φ) | (F Φ) | (X Φ).
Example of in CTL but not in LTL: ψ1 = AG EF p
• Whenever we have got to, we can always get back to a state in which p is true. This is useful, e.g., in finding deadlocks in protocols.
M M’s t s
¬p p ¬p
Example of in CTL*, but neither in CTL nor in LTL: ψ2 = E[GF p]
• Saying, there is a path with infinitely many p.
Example of in LTL but not in CTL: ψ3 = AG (p → F q)
• Saying that if there are infinitely many p along the path, then there is an occurrence of q.
• This is an interesting thing to be able to say,; for example, many fairness constraints are of the form ‘infinitely often requested implies eventually acknowledged’.
Example of in LTL and CTL: ψ4 = AG (p → AF q) in CTL, or G (p → F q) in LTL
• Saying, any p is eventually followed by a q.
Example
• G p and AF AG p are not semantically equivalent, since FG p is satisfied, whereas AF AG p is not satisfied, in the model
p ¬p p
weak until W
• The formula A[p W q] is true in a state if, along all paths from that state, p is true from the present state until the first state in which q is true, if any. In particular, if there is no q state on a path, then p needs to hold for all states of that path.
weak until W (continued)
• In LTL and CTL*, weak Until may be defined in terms of the ordinary Until, as follows:
p W q ≡ (p U q) G p• For CTL, we have:
E[p W q] ≡ E[p U q] EG p
A[p W q] ≡ ¬E[¬q U ¬(p q)]
