4/20/20151 Metodi formali dello sviluppo software a.a.2013/2014 Prof. Anna Labella

4/20/ Esempio di verifica: mutua esclusione

4/20/ Esempio di verifica: mutua esclusione Altri requisiti: Un processo può sempre richiedere di entrare nella sezione critica L’alternanza non è necessaria

4/20/ Espressività di LTL Sicurezza G  ( c 1  c 2 ) Liveness G (t i  Fc i ) Non blocco ???? Non stretta sequenzializzazione: neghiamo G ( c 1  ( c 1 W (  c 1  (  c 1 W c 2 ) ))

4/20/ Esempio di verifica: mutua esclusione Ogni singolo processo n  t  c  n  t  c  …….. Un processo può sempre richiedere di entrare nella sezione critica L’alternanza non è necessaria

4/20/ Primo tentativo

4/20/ Espressività di LTL Sicurezza G  ( c 1  c 2 ) vero Liveness G (t i  Fc i ) falso s 0  s 1  s 3  s 7  s 1  s 3  s 7  …. Non blocco ???? Non stretta sequenzializzazione: neghiamo G ( c 1  ( c 1 W (  c 1  (  c 1 W c 2 ) )) falso s 0  s 5  s 3  s 4  s 5  s 3  s 4  ….

4/20/ Secondo tentativo

4/20/ Maggiore espressività Poter quantificare sui cammini In LTL la soddisfacibilità era definita soltanto sui cammini; da qui veniva passata allo stato iniziale

4/20/ Semantics of X and U Semantics of X:  |= X p Semantics of U:  |= p U q  1 |= p1 |= p  j |= p j |= p  i |= q i |= q 

4/20/ Linear time and Branching time Linear : only one possible future in a moment –Look at individual computations Branching: may split to different courses depending on possible futures –Look at the tree of computations s0 s1 s3 s0 s2 s0 s1... s0s2s3s1... s0 s1s0... s0 s1... s0 s2 s3 s1

4/20/ Computation Trees State transition structure (Kripke Model) Infinite computation tree for initial state s 1 a b a ac s1s1 s3s3 s1s1 s2s2 a b

4/20/ CTL – Computation Tree Logic Path quantifiers - describe branching structure of the tree –A (for all computation paths) –E (for some computation path = there exists a path) Temporal operators - describe properties of a path through the tree –X (next time, next state) –F (eventually, finally) –G (always, globally) –U (until) –W (weak until)

4/20/ Operators and Quantifiers State operators –G a :a holds globally –F a :a holds eventually –X a :a holds at the next state –a U b:a holds until b holds –A W b:a holds until b possibly holds –Path quantifiers –E: along at least one path (there exists …) –A:along all paths (for all …)

4/20/ CTL – Computational Tree Logic CTL* - a powerful branching-time temporal logic CTL – a branching-time fragment of CTL* In CTL every temporal operator (G,F,X,U,W) must be immediately preceded by a path quantifier (A,E) We need both state formulae and path formulae to recursively define the logic

4/20/ CTL Formulas Temporal logic formulas are evaluated w.r.to a state in the model State formulas –apply to a specific state Path formulas –apply to all states along a specific path

4/20/ Basic CTL Formulas E X (f) –true in state s if f is true in some successor of s (there exists a next state of s for which f holds) A X (f) –true in state s if f is true for all successors of s (for all next states of s f is true) E G (f) – true in s if f holds in every state along some path emanating from s (there exists a path ….) A G (f) –true in s if f holds in every state along all paths emanating from s (for all paths ….globally )

4/20/ Basic CTL Formulas - cont ’d E F (g) –there exists a path which eventually contains a state in which g is true A F (g) –for all paths, eventually there is state in which g holds E F, A F are special case of E [f U g], A [f U g] –E F (g) = E [ true U g ], A F (g) = A [ true U g ] f U g (f until g) –true if there is a state in the path where g holds, and at every previous state f holds

4/20/ CTL Operators - examples s o |= E F g g soso soso g g g s o |= A F g s o |= E G g gsoso g g s o |= A G g soso g g g g gg

4/20/ CTL Temporal operators are immediately preceded by a path quantifier The following are a complete set ¬p, p  q, AX p, EX p, A( p U q), E( p U q) Others can be derived –EF p  E(true U P) –AF p  A(true U p) –EG p  ¬ AF ¬ p –AG p  ¬ EF ¬p

4/20/ Typical CTL Formulas E F ( start  ¬ ready ) –eventually a state is reached where start holds and ready does not hold A G ( req  A F ack ) –any time request occurs, it will be eventually acknowledged A G ( E F restart ) –from any state it is possible to get to the restart state

4/20/ Minimal set of CTL Formulas Full set of operators –Boolean: ¬, , , ,  –temporal:E, A, X, F, G, U, W Minimal set sufficient to express any CTL formula –Boolean:¬,  –temporal:E, X, U Examples: f  g = ¬(¬f  ¬g), F f = true U f, A (f ) = ¬E(¬f )

4/20/ Logica CTL (CTL*)

4/20/ LTL: le formule sono pensate precedute da A Linear time operators. The following are a complete set ¬ p, p  q, X p, p U q Others can be derived –p  q  ¬(¬p  ¬q) –p  q  ¬p  q –F p  (true U p) –G p  (p U false)

4/20/ LTL and CTL LTL (Linear Temporal Logic) - Reasoning about infinite sequence of states π: s 0, s 1, s 2, … CTL (Computation Tree Logic) – Reasoning on a computation tree. –Temporal operators are immediately preceded by a path quantifier (e.g. A F p ) CTL vs. LTL – different expressive power –EFp is not expressible in LTL –FGp is not expressible in CTL

4/20/ CTL* Syntax An atomic proposition is a state formula A state formula is also a path formula If a, b are state formulae, so are ¬a, a  b, a  b, If p is a path formula, E p is a state formula If p, q are path formulae, so are ¬p, p  q, p  q If p, q are path formulae, so are X p, pUq, pRq,

4/20/ CTL* Semantics If formula q holds at state s (path  ), we write: s |= q (  |= q) s |= p, p  A iff p  L(s) [label of s] s |= ¬ a, iff s |# a s |= a  b, iff s |= a and s |= b s |= E p, iff   from state s, s.t.  |= p  |= ¬ p, iff  |# p  |= p  q, iff  |= p and  |= q  |= X p, iff  1 |= p (p reachable in next state)

4/20/ Logiche a confronto

4/20/ Logiche a confronto

4/20/