1 / 92

# Semantically Equivalent Formulas - PowerPoint PPT Presentation

Semantically Equivalent Formulas. Let Φ and ψ be formulas of propositional logic. We say that Φ and ψ are semantically equivalent iff Φ ╞ ψ ψ ╞ Φ hold. In that case we write Φ ≡ ψ . Further, we call Φ valid if ╞ Φ holds.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about 'Semantically Equivalent Formulas' - tibor

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

• Let Φ and ψbe formulas of propositional logic. We say that Φ and ψare semantically equivalent iff

Φ ╞ ψ

ψ ╞ Φ

hold. In that case we write Φ≡ψ. Further, we call Φ valid if

╞ Φ

holds.

• p → q ≡ ¬p  q

• p → q ≡ ¬q → ¬p

• p  q → p ≡ r  ¬r

• p  q → r ≡ p → (q →r)

• Given propositional logic formulas Φ1, Φ2, …, Φn, ψ, we have

Φ1, Φ2, …, Φn ╞ ψ

iff

╞ Φ1 →(Φ2 → (Φ3 → … → (Φn → ψ)))

• A literal is either an atom p or the negation of an atom ¬p.

• A formula Φ is in conjunctive normal form (CNF) if it is of the form

ψ1ψ2 …. ψn

for some n ≥ 1, such that ψi is a literal, or a disjunction of literal, for all 1 ≤ i ≤ n.

• (¬q  p  r)  (¬p  r)  q

• (p  r)  (¬p  r)  (p  ¬r)

• A disjunction of literals L1 L2 ….  Lm is valid (i.e., ╞ L1 L2 ….  Lm) iff there are 1 ≤ i, j ≤ m such that Li is ¬Lj.

• Given a formula Φ in a propositional logic, we say that Φ is satisfiable if there exists an assignment of truth values to its propositional atoms such that Φ is true.

• Let Φ be a formula of propositional logic. Then Φ is satisfiable iff ¬Φ is not valid.

function CNF(Φ)

/* pre-condition: Φ implication free and in NNF*/

/* post-condition: CNF(Φ) computes an equivalent CNF for Φ */

begin function

case

Φ is a literal : returnΦ

Φ is Φ1 Φ2: return CNF(Φ1)  CNF(Φ2)

Φ is Φ1 Φ2: return DISTR(CNF(Φ1), CNF(Φ2) )

end case

end function

function DISTR(η1, η2):

/* pre-condition: η1 and η2 are in CNF */

/* post-condition: DISTR(η1, η2) computes a CNF for η1η2 */

begin function

case

η1 is η11  η12 : return DISTR(η11 , η2)  DISTR(η12 , η2)

η2 is η21  η22 : return DISTR(η1 , η21)  DISTR(η1 , η22)

otherwise (= no conjunction): returnη1η2

end case

end function

function NNF(Φ)

/* pre-condition: Φ is implication free */

/* post-condition: NNF(Φ) computes a NNF for Φ */

begin function

case

Φ is a literal : returnΦ

Φ is ¬¬Φ1 : return NNF(Φ1)

Φ is Φ1 Φ2 : return NNF(Φ1)  NNF(Φ2)

Φ is Φ1 Φ2 : return NNF(Φ1)  NNF(Φ2)

Φ is ¬(Φ1 Φ2) : return NNF(¬Φ1 ¬Φ2)

Φ is ¬(Φ1 Φ2): return NNF(¬Φ1 ¬Φ2)

end case

end function

Φ = ¬p  q → p  (r → q)

IMPL_FREE Φ = ¬ IMPL_FREE (¬p  q )  IMPL_FREE (p (r → q))

= ¬((IMPL_FREE ¬p )  (IMPL_FREE q ))  IMPL_FREE (p (r → q))

= ¬((¬p )  IMPL_FREE q )  IMPL_FREE (p (r → q))

= ¬ (¬p  q )  IMPL_FREE (p (r → q))

= ¬ (¬p  q )  ((IMPL_FREE (p)  IMPL_FREE (r → q))

= ¬ (¬p  q )  (p  IMPL_FREE (r → q))

= ¬ (¬p  q )  (p  (¬ (IMPL_FREE r)  IMPL_FREE (q)))

= ¬ (¬p  q )  (p  (¬ r  IMPL_FREE (q)))

= ¬ (¬p  q )  (p  (¬ r  q))

IMPL_FREE Φ = ¬ (¬p  q )  (p  (¬ r  q)) NNF (IMPL_FREE Φ )

= NNF (¬ (¬p  q ))  NNF (p  (¬ r  q))

= NNF (¬ (¬p )  ¬q ))  NNF (p  (¬ r  q))

= (NNF (¬¬p ))  (NNF (¬q ))  NNF (p  (¬ r  q))

= (p  (NNF (¬q )))  NNF (p  (¬ r  q))

= (p  ¬q )  NNF (p  (¬ r  q))

= (p  ¬q )  ((NNF p)  (NNF (¬ r  q)))

= (p  ¬q )  ( p  (NNF (¬ r  q)))

= (p  ¬q )  ( p  ((NNF (¬ r))  (NNF q)))

= (p  ¬q )  ( p  (¬ r  (NNF q)))

= (p  ¬q )  ( p  (¬ r  q))

NNF (IMPL_FREE Φ) = (p  ¬q )  ( p  (¬ r  q))CNF(NNF (IMPL_FREE Φ))

= CNF ((p  ¬q )  ( p  (¬r  q)))

= DISTR ( CNF (p  ¬q ), CNF (p  (¬ r  q)))

= DISTR (p  ¬q , CNF (p  (¬ r  q)))

= DISTR (p  ¬q , p  (¬ r  q))

= DISTR (p  ¬q , p)  DISTR (p  ¬q ,¬ r  q)

= (p  ¬q p)  DISTR (p  ¬q ,¬ r  q)

= (p  ¬q p)  (p  ¬q ¬ r  q)

• is a formula Φ of propositional logic if it is of the form ψ1 ψ2 ...  ψn for some n ≥ 1 such that ψi is of the form

p1 p2 ...  pki → qi

for some ki ≥ 1, where p1, p1, …, pki, qi are

atoms, ┴ or T. We call such ψi a Horn clause.

• (p  q  s → p)  (q  r → p)  (p  s → s)

• (p  q  s → ┴)  (q  r → p)  (T → s)

• (p2 p3 p5 →p13) (T→p2) (p5 p11 → ┴)

• (p  q  s → ¬p)  (q  r → p)  (p  s → s)

• (p  q  s → ┴)  (¬q  r → p)  (T → s)

• (p2 p3 p5 →p13  p27)  (T→p2) (p5 p11 → ┴)

• (p2 p3 p5 →p13 ) (T→p2) (p5 p11  ┴)

function HORN(Φ)

/* Pre-condition : Φ is a Horn formula*/

/* Post-condition : HORN(Φ) decides the satisfiability for Φ */

begin function

mark all atoms p where T → p is a sub-formula of Φ;

while there is a sub-formula p1 p2 ...  pki → qi of Φ such that all pj

are marked but qi is not do

if qi ≡ ┴ then return ‘unsatisfiable’

else mark qi for all such subformulas

end while

return ‘satisfiable’

end function

• The algorithm HORN is correct for the satisfiability decision problem of Horn formulas and has no more than n cycles in its while-loop if n is the number of atoms in Φ. HORN always terminates on correct input.

Let AP be a set of atomic propositions. A Kripke structure M

over AP is a four tuple M= (S, S0, R, L) where

• S is a finite set of states

• S0 S is the set of initial states.

• R S × S is a transition relation that must be total, that is for every state s S there is a state s’ S such that R (s, s’).

• L: S  2 AP is a function that labels each state with the set of atomic proposition in that state.

A path in the structure M from a state s is an infinite sequence of states

ω = s0 s1 s2 … such that s0 = s and R (si, si+1) holds for all i ≥ 0.

First order representationof Kipke structures

• We use interpreted first order formulas to describe concurrent systems.

• We use usual logical connectives (and , or , implies , not , and so on) and universal ( ) and existential ( ) quantifications.

• Let V = {v1, …, vn} be the set of system variables. We assume that the variables in V range over a finite set D.

• A valuation for V is a function that associated a value in D with each variable v in V. Thus, s is a valuation for V when s: V  D.

• A state of a concurrent system can be viewed as a valuation for the set of its variables V.

• Let V’ = {v’1, …, v’n}. We think of the variables in V as present state variables and the variables in V’ as next state variables.

First order representationof Kipke structures

Let M = (S, S0, R, L) be a Kripke structure.

• S is the set of all valuations for all variables of the system which can be described by a propositionS. Usually, S = True.

• The set of initial states S0 can be described by a proposition (on the set of variables) S0.

• R can be described by a proposition Rsuch that for any two states s and s’, R(s, s’) holds if R evaluates to True when each variable v is assigned the value s(v) and each variable v’ is assigned the value s(v’).

• The labeling function L:S  2AP is defined so that L(s) is the subset of all atomic propositions true in s which can be described by some appropriate proposition.

We consider a simple system with variables x and y that range

over D = {0, 1}. Thus, a valuation for the variables x and y is

just a pair (d1, d2) D × D where d1 is the value for x and d2 is

the value for y. The system consists of one transition

x := (x +y) mod 2,

Which starts from the state in which x = 1 and y = 1.

A simple example with transition x := (x +y) mod 2

• S = True

• S0 (x, y) ≡ x = 1  y = 1

• R (x, y, x’, y’) ≡ x’ = (x +y) mod 2  y’ = y

A simple example with transition x := (x +y) mod 2

The Kripke structure M = (S, S0, R, L) for this system is simply:

• S = D × D.

• S0 = {(1,1)}

• R = {((1,1), (0,1)), ((0,1), (1,1)), ((1,0), (1,0)), ((0,0), (0,0))}.

• L(1,1) = {x =1, y = 1}, L(0,1) = {x =0, y = 1}, L(1,0) = {x =1, y = 0}, L(0,0) = {x =0, y = 0}.

The only path in the Kripke structure that starts in the initial state is

(1,1) (0,1) (1,1) (0,1) ….

• A concurrent system consists of a set of components that execute together.

• Normally, the components have some means of communicating with each other.

We will consider two modes of execution: Asynchronous or interleaved execution, in which only one component makes a step at a time, and synchronous execution, in which all of the components make a step at the same time

• We will also distinguish three modes of communication. Components can either communicate by changing the value of shared variables or by exchanging messages using queues or some handshaking protocols.

Synchronous circuitA modulo 8 counter

The transitions of the circuit are given by

• v’0 = v0

• v’1 = v0 v1

• v’2 = (v0 v1) v2

• R0 (v, v’) ≡ (v’0 ↔ v0)

• R1 (v, v’) ≡ (v’1 ↔ v0 v1)

• R2 (v, v’) ≡ (v’2 ↔ (v0  v1)v2)

• R (v, v’) ≡ R0 (v, v’)  R1 (v, v’)  R2 (v, v’)

Synchronous circuitGeneral case

• Let V = {v0, …., vn-1} and V’ = {v’0, …., v’n-1}

• Let v’i = fi (V), 1= 0, …, n-1.

• Define Ri (v, v’) ≡ ( v’i ↔ fi (V)).

• Then, the transition relation can be described as

R (v, v’) ≡ R0 (v, v’)  …  Rn-1 (v, v’).

Asynchronous circuitGeneral case

• In this case, the transition relation can be described as

R (v, v’) ≡ R0 (v, v’)  …  Rn-1 (v, v’),

Where

Ri (v, v’) ≡ ( v’i ↔ fi (V)) j ≠ i (v’j ↔ vj )).

• Let V = {v0, v1}, v’0 = v0 v1 and v’1 = v0 v1.

• Let s be a state with v0 = 1  v1 = 1.

• For the synchronous model, the only successor of s is the state v0 = 0  v1 = 0.

• For the asynchronous model, the state s has two successors:

• 1. v0 = 0  v1 = 1 ( the assignment to v0 is taken first).

• 2. v0 = 1  v1 = 0 ( the assignment to v1 is taken first).

Given a statement P, the labeled statement PL is defined as follows:

• If P is not a composite statement then P = PL. .

• If P = P1; P2 then PL = P1L ; l’’ : P2L.

• If P = if b then P1else P2end if, then

PL = if b then l1 : P1Lelse l2 : P2Lend if.

• If P = while b do P1 end while, then PL = while b do l1 : P1Lend while.

• We assume that P is a labeled statement and that the entry and exit points of P are labeled by m and m’, respectively.

• Let pc be a special variable called the program counter that ranges over the set of program labels and an additional value ┴ called the undefined value.

• Let V denote the set of program variables, V’ the set of primed variables for V, and pc’ the primed variables for pc.

• Let same (Y) = y ε Y (y’ = y).

• Given some condition pre (V) on the initial variables for P,

S0 (V, pc) ≡pre (V)  pc = m.

• C (l, P, l’) describes the set of transitions in P as a disjunction of all transitions in the set.

• Assignment:

C ( l, v ← e, l’) ≡ pc =l  pc’ = l’  v’ = e  same (V \ {v})

• Skip:

C ( l, skip, l’) ≡ pc =l  pc’ = l’  same (V)

• Sequential composition:

C ( l, P1; l’’ : P2, l’) ≡ C ( l, P1, l’’)  C ( l’’, P2, l’)

• Conditional:

C (l, if b then l1: P1else l2 : P2end if, l’) is the disjunction of the following formulas:

• pc = l  pc’ = l1  b  same (V)

• pc = l  pc’ = l2  b  same (V)

• C (l1, P1, l’)

• C (l2, P2, l’)

• While:

C (l, while b do l1 : P1 end while, l’) is the disjunction of the following formulas:

• pc = l  pc’ = l1  b  same (V)

• pc = l  pc’ = l’  b  same (V)

• C (l1, P1, l)

• A concurrent program consists of a set of processes that can be executed in parallel. A process is a sequential program.

• Let Vi be the set of variables that can be changed by process Pi. V is the set of all program variables.

• pci is the program counter of process Pi. PC is the set of all program counters.

• A concurrent program has the form

cobegin P1 || P2 … || Pncoend

where P1, …, Pn are processes.

• We assume that no two labels are identical and that the entry and exit points of P are labeled m and m’, respectively.

• If P = cobegin P1 || P2 … || Pncoend, then

PL = cobegin l1 : P1L l’1 || l2 : P2L l’2 || … || ln : PnL l’ncoend.

S0 (V, pc) ≡pre (V)  pc = m  i= 1, … n (pci = ┴ )

C (l, cobegin l1 : P1Ll’1 || … || ln : PnL l’ncoend,l’)

Is the disjunction of three formulas:

• pc = l  pc’1 = l1  …  pc’n = ln  pc’ = ┴

• pc = ┴  pc1 = l’1  …  pcn = l’n  pc’ = l’  i= 1, … n (pc’i = ┴)

• i= 1, … n (C (li, Pi, l’i)  (same (V \ Vi)  same (PC \ {pci}))

• Wait:

C (l, wait (b), l’) is a disjunction of the following two formulas:

• (pci = l  pc’i = l  b  same (Vi))

• (pci = l  pc’i = l’  b  same (Vi))

• Lock (v) (= wait (v = 0)):

C (l, lock (v), l’) is a disjunction of the following two formulas:

• (pci = l  pc’i = l  v = 1  same (Vi))

• (pci = l  pc’i = l’  v = 0  v’ = 1  same (Vi \ {v}))

• Unlock (v):

C (l, unlock (v), l’) ≡ pci = l  pc’i = l’  v’ = 0  same (Vi \ {v})

A simple mutual exclusion programP = m: cobegin P0 || P1 coend m’

P0 :: l0 : while Truedo

NC0 : wait (turn = 0);

CR0 : turn :=1;

end while;

l’0

P1 :: l1 : whileTrue do

NC1 : wait (turn = 1);

CR1 : turn := 0;

end while;

l’1

• pc takes values in the set { m, m’, ┴ }.

• pci takes values in the set { li, l’i, NCi, CRi, ┴ }.

• V = V0 = V1 = {turn}.

• PC = {pc, pc0, pc1}.

• S0 (V, PC) ≡ pc = m  pc0 = ┴  pc1 = ┴.

• R (V, PC, V’, PC’) is the disjunction of the following four formulas:

• pc = m  pc’0 = l0  pc’1 = l1  pc’ = ┴.

• pc0 = l’0  pc1 = l’1  pc’ = m’  pc’0 = ┴  pc’1 = ┴.

• C (l0, P0, l’0)  same (pc, pc1).

• C (l1, P1, l’1)  same (pc, pc0).

For each process Pi, C (li, Pi, l’i) is the disjunction of:

• pci = li pc’i = NCi  True  same (turn)

• pci = NCi pc’i = CRi  turn = i same (turn)

• pci = CRi pc’i = li  turn’ = (i+1) mod 2

• pci = NCi pc’i = NCi  turn ≠ i same (turn)

• pci = li pc’i = l’i  False  same (turn)

┴, ┴

turn = 1

┴, ┴

turn = 0

l0, l1

turn = 1

l0, l1

turn = 0

l0, NC1

turn = 0

l1, NC0

turn = 1

l0, NC1

turn = 1

l1, NC0

turn = 0

NC0, NC1

turn = 0

CR0, l1

turn = 1

CR1, l0

turn = 1

NC0, NC1

turn = 0

CR1, NC0

turn = 0

CR0, NC1

Syntax of Computational Tree Logic (CTL)

Φ ::= ┴ | T | p | (¬Φ) | (Φ  Φ) | (Φ  Φ) |

(Φ → Φ) | AX Φ | EX Φ | A[Φ U Φ] |

E[Φ U Φ] | AG Φ | EG Φ | AF Φ | EG Φ

where p ranges over atomic formulas.

• The unary connectives (consisting of ¬ and the temporal connectives AG, EG, AF, AX and EX) bind most tightly. Next in the order come  and ; and after that come →, AU and EU.

• (EG r)

• AG (q → EG r)

• (AG q) → (EG r)

• EF E[r U q]

• A[p U EF r]

• EF EG p → AF r

• (EF EG p) → AF r

• EF EG (p → AF r)

• FG r

• A ¬G¬p

• F[r U q]

• EF (r U q)

• AEF r

• AF [(r U q)  (p U q)]

• Definition: A subformula of a CTL formula Φ is any formula ψ whose parse tree is a subtree of Φ‘s parse tree.

The parse tree for A[AX ¬p U E[EX (p  q) U ¬p]]

AU

AX

EU

¬

EX

¬

p

p

p

q

Semantics of Computational Tree Logic (CTL)

• Let M = (S, R, L) be a Kripke structure. Given any state s in S, we define whether a CTL formula Φ holds in state s. We denote this by

M, s ╞ Φ,

where ╞ is the satisfaction relation.

The satisfaction relation╞ is defined by structural induction on all CTL formulas:

• M, s ╞ T and ¬(M, s ╞ ┴) for all s ε S.

• M, s ╞ p iff p ε L(s).

• M, s ╞ ¬Φ iff ¬(M, s ╞ Φ).

• M, s ╞ Φ1 Φ2 iff M, s ╞ Φ1 and M, s ╞ Φ2.

• M, s ╞ Φ1  Φ2 iff M, s ╞ Φ1 or M, s ╞ Φ2.

• M, s ╞ Φ1→ Φ2 iff ¬(M, s ╞ Φ1) or M, s ╞ Φ2.

• M, s ╞ AX Φ iff for all s1 such that (s, s1) ε R, we have M, s1 ╞ Φ . Thus, AX says: ‘in every next state’.

• M, s ╞ EX Φ iff for some s1 such that (s, s1) ε R, we have M, s1 ╞ Φ . Thus, EX says: ‘in some next state’.

The satisfaction relation╞ is defined by structural induction on all CTL formulas: (continued)

• M, s ╞ AG Φ iff for all paths s1 s2 s3 … where s1 equals s, and all si along the path, we have such that (si, si+1) ε R, we have M, si ╞ Φ . Thus, AG says: ‘for all computation paths beginning s the property Φ holds globally’.

• M, s ╞ EG Φ iff there is a path s1 s2 s3 … where s1 equals s, and all si along the path, we have such that (s, s1) ε R, we have M, si ╞ Φ . Thus, AG says: ‘there exists a computation path beginning s such that Φ holds globally along the path’.

• M, s ╞ AF Φ iff for all paths s1 s2 s3 … where s1 equals s, there is some si such that M, si ╞ Φ. Thus, AF says: ‘for all computation paths beginning in s there will be some future state where Φ holds’.

The satisfaction relation╞ is defined by structural induction on all CTL formulas: (continued)

• M, s ╞ EF Φ iff there is a path s1 s2 s3 … where s1 equals s, and for some si along the path, we have M, si ╞ Φ. Thus, EF says: ‘there exists a computation path beginning in s such that Φ holds in some future state’.

• M, s ╞ A[Φ1 U Φ2] iff for all paths s1 s2 s3 … where s1 equals s, that path satisfies Φ1 U Φ2, i.e., there is some si along the path, such that

M, si ╞ Φ2, and, for each j < i, we have M, sj╞ Φ1. Thus, A[Φ1 U Φ2] says: ‘all computation paths beginning in s satisfy that Φ1 until Φ2 holds on it’.

• M, s ╞ E[Φ1 U Φ2] iff there is a path s1 s2 s3 … where s1 equals s, and that path satisfies Φ1 U Φ2, i.e., there is some sj along the path, such that M, si ╞ Φ2, and, for each j < i, we have M, sj ╞ Φ1. Thus, E[Φ1 U Φ2] says: ‘there exists a computation path beginning in s such that Φ1 until Φ2 holds on it’.

Φ

Φ

Φ

Φ

Φ

Φ

Φ

Φ

Φ

Φ

p, q

s0

• M, s0 ╞ p  q

• M, s0 ╞ ¬r

• M, s0 ╞ T

• M, s0 ╞ EX (q  r)

• M, s0 ╞ ¬AX (q  r)

• M, s0 ╞ ¬EF (p  r)

• M, s2 ╞ EG r

• M, s2 ╞ AG r

• M, s0 ╞ AF r

• M, s0 ╞ E[(p  q) U r]

• M, s0 ╞ A[p U r]

q, r

r

s1

s2

• It is possible to get a state where started holds but ready does not hold: EF (started  ¬ready)

• For any state, if a request (of some resource) occurs, then it will eventually be acknowledged:

AG (requested → AF acknowledged)

• A certain process is enabled indefinitely often on every computation path:

AG (AF enabled)

• Whatever happens, a certain process will eventually be permanently deadlocked: AF (AG deadlocked)

• From any state it is possible to get a restart state: AG (EF restart)

• An upwards traveling elevator at the second floor does not change its direction when it has passengers wishing to go to the fifth floor:

AG (floor=2  direction=up  ButtonPressed5 → A[direction=up U floor=5])

• The elevator can remain idle on the third floor with its doors closed:

AG (floor=3  idle  door=closed → EG (floor=3  idle  door=closed))

• Definition: Two CTL formulas Φ and ψ are said to be semantically equivalent if any state in any Kripke structure which satisfies one of them also satisfies the other; we denote this by Φ ≡ ψ.

• ¬AF Φ ≡ EG ¬Φ

• ¬EF Φ ≡ AG ¬Φ

• ¬AX Φ ≡ EX ¬Φ

• AF Φ ≡ A[T U Φ]

• EF Φ ≡ E[T U Φ]

• A[p U q] ≡ ¬(E[¬q U (¬p  ¬q)]  EG ¬q)

• The set of operators ┴, ¬ and  together with AF, EU and EX are adequate for CTL: any CTL formula can be transformed into a semantically equivalent CTL formula which uses only those logical connectives.

• AG Φ ≡ Φ AX AG Φ

• EG Φ ≡ Φ EX EG Φ

• AF Φ ≡ Φ AX AF Φ

• EF Φ ≡ Φ EX EF Φ

• A[Φ U ψ] ≡ ψ  (Φ  AX A[Φ U ψ])

• E[Φ U ψ] ≡ ψ  (Φ  EX E[Φ U ψ])

• When concurrent processes share a resource, it may be necessary to ensure that they do not have access to it at the same time.

• We therefore identify certain critical sections of each process code and arrange that only one process can be in its critical section at a time.

• The problem we are faced with is to find a protocol for determining which process is allowed to enter its critical section at which time.

• Safety: The protocol allows only one process to be in its critical section at a time.

• Liveness: Whenever any process wants to enter its critical section, it will eventually be permitted to do so.

• Non-blocking: A process can always request to enter its critical section.

• No strict sequencing: Processes need not enter their critical section in strict sequence.

• n = a process is in a non-critical state

• t = a process tries to enter in its critical section

• c = a process is in its critical section

s0

n1n2

s1

s5

n1t2

t1n2

t1t2

n1c2

c1n2

s2

s3

s6

c1t2

t1c2

s4

s7

Safety:Φ1 = AG ¬(c1 c2). (o.k.)

Liveness:Φ2 = AG (t1 → AF c1). (not o.k.)

because there exists a computation path, namely, s1 → s3 → s7 → s1 →… on which c1 is always false.

Non-blocking:Φ3= AG (n1 → EX t1). (o.k.)

No strict sequencing: EF (c1 E[c1 U (¬c1 E[¬c2 U c1])]). (o.k.)

CTL formulas for the system properties

s0

n1n2

s1

s5

n1t2

t1n2

t1t2

t1t2

n1c2

c1n2

s2

s3

s6

s9

c1t2

t1c2

s4

s7

• Definition:Linear-time temporal logic (LTL) has the following syntax given in Backus Naur form

Φ ::= p | (¬Φ) | (ΦΦ) | (ΦUΦ) | (G Φ)| (F Φ)| (X Φ) where p is any propositional atom.

Semantics of Linear Tree Logic (LTL)

• Let M = (S, R, L) be a Kripke structure. Given a path σ = s1 s2 s3 … in M, where s1 is the initial state, and for all si along the path, such that (si, si+1) ε R, we define whether a LTL formula Φ holds in the path σ denoted as

M, σ ╞ Φ,

where ╞ is the satisfaction relation.

• Let σi= si si+1 ... denote the suffix of σ starting at si.

The satisfaction relation╞ is defined by structural induction on all of LTL formulas:

• M, σ ╞ T and ¬(M, s ╞ ┴) for all s ε S.

• M, σ ╞ p iff p ε L(s1).

• M, σ ╞ ¬Φ iff ¬(M, σ ╞ Φ).

• M, σ ╞ Φ1 Φ2 iff M, σ ╞ Φ1 and M, σ ╞ Φ2.

• M, σ ╞ X Φ iff M, σ2 ╞ Φ,

• M, σ ╞ G Φ iff, for all i ≥ 1, M, σi ╞ Φ,

• M, σ ╞ F Φ iff, for some i ≥ 1, M, σi ╞ Φ,

• M, σ ╞ Φ U ψ iff, there is some i ≥ 1 such that M, σi ╞ ψ and for all j = 1 … i-1 we have M, σj ╞ Φ.

• Definition: Two LTL formulas Ф and ψ are semantically equivalent, writing as Ф≡ψ, if they are true for the same paths in each model. An LTL formula Ф is satisfied in a state s of a model if Ф is satisfied in every path starting at s.

• G Ф≡ ¬F ¬Ф

• F Ф≡ ¬G ¬Ф

• F(Ф ψ) ≡ F Ф F ψ

• G(Фψ) ≡ G ФG ψ

• Ф U ψ≡ ¬(¬ ψ U (¬Ф  ¬ψ))  F ψ

The CTL* formulas are divided into two classes:

• state formulas, which are evaluated in states:

Φ ::= p | T | (¬Φ) | (Φ Φ) | A[α] | E[α],

• path formulas, which are evaluated along paths:

α ::= Φ | (¬α) | (αα) | (αUα) | (G α) | (F α) | (X α)

where Φ is any state formula.

• Although the syntax of LTL does not include A and E, the semantic viewpoint of LTL is that we consider all paths. Therefore, the LTL formula α is equivalent to the CTL* formula A[α]

• CTL is the fragment of CTL* in which we restrict the form of path formulas to

α ::= (ΦUΦ) | (G Φ) | (F Φ) | (X Φ).

Example of in CTL but not in LTL: ψ1 = AG EF p

• Whenever we have got to, we can always get back to a state in which p is true. This is useful, e.g., in finding deadlocks in protocols.

M

M’

s

t

s

¬p

p

¬p

Example of in CTL*, but neither in CTL nor in LTL: ψ2 = E[GF p]

• Saying, there is a path with infinitely many p.

Example of in LTL but not in CTL: ψ3 = AG (p → F q)

• Saying that if there are infinitely many p along the path, then there is an occurrence of q.

• This is an interesting thing to be able to say,; for example, many fairness constraints are of the form ‘infinitely often requested implies eventually acknowledged’.

Example of in LTL and CTL: ψ4 = AG (p → AF q) in CTL, or G (p → F q) in LTL

• Saying, any p is eventually followed by a q.

• G p and AF AG p are not semantically equivalent, since FG p is satisfied, whereas AF AG p is not satisfied, in the model

p

p

¬p

• The formula A[p W q] is true in a state if, along all paths from that state, p is true from the present state until the first state in which q is true, if any. In particular, if there is no q state on a path, then p needs to hold for all states of that path.

weak until W (continued)

• In LTL and CTL*, weak Until may be defined in terms of the ordinary Until, as follows:

p W q ≡ (p U q)  G p

• For CTL, we have:

E[p W q] ≡ E[p U q]  EG p

A[p W q] ≡ ¬E[¬q U ¬(p  q)]