\documentclass[a4paper]{scrartcl} \usepackage[backend=biber,natbib]{biblatex} \bibliography{library} \usepackage{amsmath} \usepackage{amsthm} \usepackage{amssymb} \let\leq\leqslant \let\le\leqslant % See http://www.ams.org/faq?faq_id=212 for the trick to add qed at the end of % definitions and examples. \newtheoremstyle{mydefinition}% {2em}{2em}% Space above and below {}% Body font {}% Indent {\bfseries}% Theorem head font {}% Punctuation after theorem head {0pt}% Space after theorem head {\thmname{#1}\thmnumber{ #2}.\quad #3\\[4pt]}% Theorem head spec \theoremstyle{mydefinition} \newtheorem{xdefinition}{Definition} \newenvironment{definition}% {\renewcommand{\qedsymbol}{$\blacksquare$}\pushQED{\qed}\begin{xdefinition}}% {\popQED\end{xdefinition}} \newtheoremstyle{myexample}% {2em}{2em}% Space above and below {}% Body font {}% Indent {\itshape}% Theorem head font {}% Punctuation after theorem head {0pt}% Space after theorem head {\thmname{#1}\thmnumber{ #2}.\quad #3\\[4pt]}% Theorem head spec \theoremstyle{myexample} \newtheorem{xexample}{Example} \newenvironment{example}% {\renewcommand{\qedsymbol}{$\blacksquare$}\pushQED{\qed}\begin{xexample}}% {\popQED\end{xexample}} \newtheorem{xremark}{Remark} \newenvironment{remark}% {\renewcommand{\qedsymbol}{$\blacksquare$}\pushQED{\qed}\begin{xremark}}% {\popQED\end{xremark}} \usepackage{mathtools} \usepackage{mdframed} \usepackage{tikz} \usetikzlibrary{automata,positioning} \usepackage{relsize} \usepackage{parskip} \usepackage{cleveref} \usepackage{stackengine} \crefname{figure}{Figure}{Figures} \usepackage[color]{changebar} \newif\ifchangebar\changebarfalse \let\oldcbend\cbend \def\cbend{\oldcbend\changebarfalse} \newcommand{\erin}{\ifchangebar\cbend\fi\cbcolor{yellow}\cbstart\changebartrue} \newcommand{\camil}{\ifchangebar\cbend\fi\cbcolor{red}\cbstart\changebartrue} \renewcommand*{\arraystretch}{1.3} \DeclareMathOperator{\defeq}{\overset{\text{def}}{=}} \DeclareMathOperator{\Uop}{\mathbf{U}} 
\DeclareMathOperator{\Wop}{\mathbf{W}} \DeclareMathOperator{\Xop}{\bigcirc} \DeclareMathOperator{\Fop}{\lozenge} \DeclareMathOperator{\Gop}{\square} \DeclareMathOperator{\Sop}{\mathbf{S}} \DeclareMathOperator{\Pop}{\bigcirc^{--1}} \title{Model Checking} \subtitle{Assignment 1} \author{Camil Staps \and Erin van der Veen} \begin{document} \maketitle \section{Past Modalities in LTL} % Explain that past Modalities are not necessary for a complete logic % Explain that PLTL does make the logic more succinct (Paper 1) %TODO: Give example on what kind of things we want to express with PLTL \erin As mentioned in Remark 5.16, LTL can be extended with \emph{past modalities}. This section discusses this extension. The combination of LTL and Past Modalities is often called \enquote{LTL-Past} or PLTL. For the sake of brevity we will use the second (PLTL) to denote this combination. When temporal logic was first introduced by Arthur N. Prior in his 1957 book~\cite{Prior1957}, the logic consisted of both past and future modalities. Only later, when it was shown that past modalities do not increase the expressive power of LTL~\cite{Gabbay1980}, computing scientists stopped considering past modalities for reasons of minimality. \erin In 2003, Nicolas Markey showed that while past modalities do not increase expressive power, they can make LTL formulas exponentially more succinct~\cite{Markey2003}. In other words, there is a class of PLTL formulae% \footnote{In keeping with the style of the rest of the book, we alternate between \enquote{formulas} and \enquote{formulae} and wish the reader best of luck with this.} for which the size of all equivalent LTL formulas is $\Omega\left(2^n\right)$. Markey achieves this proof by providing a formula that is in exactly this class. Besides being smaller, PLTL formulas can also be easier to write and understand, as examples below will demonstrate. They are also included in many model checking tools, such as NuSMV. 
For this reason, it is useful to discuss them here. \cbend \subsection{Syntax} % Provide formal syntax % Provide intuitive semantics %TODO: Provide formal semantics \erin This subsection describes the syntax and semantics of PLTL.% \footnote{% Given that PLTL is an extension of LTL, we are left with two options. The first option is to define the entire syntax of PLTL without considering that we have already defined LTL. This option is slightly more verbose, but does not depend on subsection 5.1.1. The second option, which we will adopt here, builds on the syntax and semantics that are already defined for LTL formulae.} All LTL formulae are PLTL formulae. Two additional operators are added: $\Pop$ (pronounced \enquote{previously}) and $\Sop$ (pronounced \enquote{since}). The $\Pop$-modality is comparable to $\Xop$. Formula $\Pop\phi$ holds at some moment if $\phi$ held in the previous \enquote{step}. The $\Sop$-modality is comparable to $\Uop$: $\phi_1\Sop\phi_2$ holds if $\phi_2$ held at some previous moment and $\phi_1$ held ever after that moment up to and including the current moment. \begin{definition}[Syntax of PLTL] PLTL formulae over the set $LTL$ of LTL formulae are formed according to the following grammar: $$ \phi ::= l \mid \Pop \phi \mid \phi_1 \Sop \phi_2 $$ where $l \in LTL$. \end{definition} \camil The precedence order of the LTL operators remains the same. $\Pop$ binds equally strong as $\Xop$ and $\lnot$. $\Sop$ takes precedence over $\Uop$, and like $\Uop$ is right-associative. As with LTL, we can also derive additional operators in PLTL. They can be seen as counterparts of the derived LTL modalities $\square$ and $\lozenge$: $\square^{-1}$ (\enquote{was always}, since the beginning until now) and $\lozenge^{-1}$ (\enquote{was sometime}, now or at some point before now). 
\erin \begin{definition}[Derived PLTL operators] Given $\phi \in PLTL$, then: \begin{equation*} \Fop^{-1} \phi \defeq \top \Sop \phi \qquad \Gop^{-1} \phi \defeq \neg \Fop^{-1} \neg \phi \qedhere \end{equation*} \end{definition} Their intuitive meaning is as follows. $\Fop^{-1} \phi$ ensures that at some point in the past $\phi$ was true. $\Gop^{-1} \phi$ is satisfied when there is no moment in the past on which $\phi$ did not hold. In other words, $\Gop^{-1}$ entails that $\phi$ held globally until this point. \Cref{fig:PLTL_intuitive} shows the intuitive meanings of the past modalities for the simple case where $a$ and $b$ are the only atomic propositions. The left hand side of the figure shows some PLTL formulae; the right hand side shows sequences for which this formula holds. Since we need to also consider the past, we include an arrow that points to the state for which the formula holds. \begin{figure} \tikzset{intuitive semantics/.style={shorten >=1pt,node distance=16mm,on grid,initial text={},baseline=-0.5ex,->}} \tikzset{state/.append style={minimum size=15pt}} \tikzset{arbitrary/.style={state,label={[font=\relsize{-2}]arbitrary}}} \centering \[\begin{array}{rcl} \text{since} & a \Sop b & \begin{tikzpicture}[intuitive semantics] \node (0) {\dots}; \node[arbitrary] (1) [right of=0] {}; \node[state,label=$b$] (2) [right of=1] {}; \node[state,label=$a$] (3) [right of=2] {}; \node[state,label=$a$,initial below] (4) [right of=3] {}; \node[arbitrary] (5) [right of=4] {}; \node (6) [right of=5] {\dots}; \path (0) edge (1)(1) edge (2)(2) edge (3)(3) edge (4)(4) edge (5)(5) edge (6); \end{tikzpicture}\\ \text{previously} & \Pop a & \begin{tikzpicture}[intuitive semantics] \node (0) {\dots}; \node[arbitrary] (1) [right of=0] {}; \node[arbitrary] (2) [right of=1] {}; \node[state,label=$a$] (3) [right of=2] {}; \node[arbitrary,initial below] (4) [right of=3] {}; \node[arbitrary] (5) [right of=4] {}; \node (6) [right of=5] {\dots}; \path (0) edge (1)(1) edge (2)(2) 
edge (3)(3) edge (4)(4) edge (5)(5) edge (6); \end{tikzpicture}\\ \text{was sometime} & \Fop^{-1} a & \begin{tikzpicture}[intuitive semantics] \node (0) {\dots}; \node[arbitrary] (1) [right of=0] {}; \node[state,label=$a$] (2) [right of=1] {}; \node[arbitrary] (3) [right of=2] {}; \node[arbitrary,initial below] (4) [right of=3] {}; \node[arbitrary] (5) [right of=4] {}; \node (6) [right of=5] {\dots}; \path (0) edge (1)(1) edge (2)(2) edge (3)(3) edge (4)(4) edge (5)(5) edge (6); \end{tikzpicture}\\ \text{was always} & \Gop^{-1} a & \begin{tikzpicture}[intuitive semantics] \node (0) {\dots}; \node[state,label=$a$] (1) [right of=0] {}; \node[state,label=$a$] (2) [right of=1] {}; \node[state,label=$a$] (3) [right of=2] {}; \node[state,label=$a$,initial below] (4) [right of=3] {}; \node[arbitrary] (5) [right of=4] {}; \node (6) [right of=5] {\dots}; \path (0) edge (1)(1) edge (2)(2) edge (3)(3) edge (4)(4) edge (5)(5) edge (6); \end{tikzpicture} \end{array}\] \caption{Intuitive semantics of past modalities.} \label{fig:PLTL_intuitive} \end{figure} \camil Dual modalities, like the LTL $\square\lozenge$ \enquote{infinitely often} and \enquote{eventually forever}, are less useful in PLTL. $\square^{-1}\lozenge^{-1}\phi$ intuitively holds when at every point in the past, $\phi$ held or there was a previous moment at which $\phi$ held. This is satisfied precisely when $\phi$ held at the first moment in time. Interestingly, $\lozenge^{-1}\square^{-1}\phi$ means the same: it holds when $\phi$ held from the beginning until some moment in the past. The reason that dual modalities in PLTL are less useful is that we still consider traces with a fixed starting point. Thus, while with future modalities it is possible to look infinitely far in the future, it is not possible to look infinitely far in the past. %TODO: Give examples of semantics along the lines of subsection 5.1.1. Before turning to the formal semantics in the next subsection, we provide some examples. 
\begin{example}[Properties for a Traffic Light] We return to the traffic light of Example 5.4. Since dual past modalities are less useful than dual future modalities, we cannot express the liveness property $\square\lozenge\textsl{green}$ with a pure past formula. However, the requirement \enquote{once red, the light cannot become green immediately} \emph{can} be expressed with past modalities. To rewrite it, consider that this requirements is equivalent to \enquote{if green, the light cannot have been red previously}. This yields the formula: \[\square\left(\textsl{green} \rightarrow \lnot \Pop\textsl{red}\right) \qedhere\] \end{example} \begin{example}[Properties for an Authentication System] \citet{FiterauBrostean2017} use past modalities to describe properties of the Secure Shell (SSH) protocol. One property says that if a channel is opened, there must have been some successful authentication attempt in the past~\citep[p.~149]{FiterauBrostean2017}. Also, since that successful authentication, no authentication failure must have occurred. This formula is intuitively expressed by $\square(\textsl{hasOpenedChannel} \rightarrow \lnot \textsl{authFailure} \Sop \textsl{authSuccess})$. Expressing this property in LTL is obscure and tedious. One way uses the Weak Until operator from Section 5.1.5: %TODO please check that this is actually equivalent \begin{align*} & \lnot \textsl{hasOpenedChannel} \Wop\\ & \quad (\textsl{authSuccess} \land (\square \textsl{authFailure} \rightarrow \lnot \textsl{hasOpenedChannel} \Uop \textsl{authSuccess})) \qedhere \end{align*} \end{example} \cbend \subsection{Semantics} \erin The semantics of LTL and PLTL are defined in a very similar way. However, we must make some modifications to the definitions. \camil In particular, the $\vDash$ operator must be redefined. Recall that for LTL we wrote $\sigma \vDash \phi$ when $\sigma$ satisfies $\phi$ and $\sigma[i\dots]$ for the suffix of $\sigma$ starting in the $(j+1)$st symbol. 
The latter notation effectively loses information about the prefix. In the case of PLTL, we cannot lose this information. For this reason, we use a satisfaction relation at a specific index. We will write this as $\sigma \vDash_i \phi$, read as \enquote{$\sigma$ satisfies $\phi$ at $i$}.% \footnote{% The notation used in literature varies. \citet{Lichtenstein1985} use $(\sigma,i) \vDash \phi$; \citet{Markey2003} uses $\sigma,i \vDash \phi$. Although the difference is minor, we find $\vDash_i$ more intuitive because it shows that the object being checked is the same in $\sigma\vDash_i\phi$ and $\sigma\vDash_j\phi$.} We use $\sigma \vDash \phi$ as a shorthand for $\sigma \vDash_0 \phi$. \erin \begin{definition}[Semantics of PLTL (Interpretation over Words)] Let $\phi$ be a PLTL formula over $AP$. The LT property induced by $\phi$ is $$Words(\phi) = \{\sigma \in \left(2^{AP}\right)^\omega \mid \sigma \vDash \phi\}$$ where $\vDash\ \subseteq \left(2^{AP}\right)^\omega \times \mathbb{N} \times PLTL$ is the smallest relation with the properties in \cref{fig:PLTL-semantics}. \end{definition} \camil Note that we must redefine the satisfaction relation for the LTL operators, because $\vDash$ is now a ternary relation. 
\begin{figure} \centering \begin{mdframed} $$ \begin{matrix*}[l] \sigma &\vDash_i & \text{true}\\ \sigma &\vDash_i & a &\text{iff} & a\in A_i\\ \sigma &\vDash_i & \phi_1\land\phi_2 &\text{iff} & \text{$\sigma\vDash_i\phi_1$ and $\sigma\vDash_i\phi_2$}\\ \sigma &\vDash_i & \lnot\phi &\text{iff} & \sigma \nvDash_i \phi\\ \sigma &\vDash_i & \bigcirc\phi &\text{iff} & \sigma \vDash_{i+1} \phi\\ \sigma &\vDash_i & \phi_1\Uop\phi_2 &\text{iff} & \exists_{j \le 0}.\text{$\sigma \vDash_j \phi_2$ and $\sigma \vDash_i \phi_1$ for all $0 \le i < j$}\\ \sigma &\vDash_i & \phi_1\Sop\phi_2 &\text{iff} & \exists_{j \le i}.\text{$\sigma \vDash_j \phi_2$ and $\sigma \vDash_k \phi_1$ for all $j < k \le i$}\\ \sigma &\vDash_i & \Pop\phi &\text{iff} & i \geq 1 \wedge \sigma \vDash_{i-1} \phi \end{matrix*} $$ \end{mdframed} \caption{PLTL semantics for infinite words $\sigma=A_0A_1A_2\dots \in \left(2^{AP}\right)^\omega$.} \label{fig:PLTL-semantics} \end{figure} \erin \begin{definition}[Semantics of PLTL over Paths and States] Let $TS = (S, Act, \rightarrow, I, AP, L)$ be a transition system without terminal states, and let $\phi$ be an PLTL-formula over AP. \begin{itemize} \item For infinite path fragments $\pi$ of $TS$, the satisfaction relation is defined by $$\pi \vDash \phi \Leftrightarrow trace(\pi) \vDash \phi$$ \item For state $s \in S$, the satisfaction relation $\vDash$ is defined by $$s \vDash \phi \Leftrightarrow \forall_{\pi \in Paths(s)}[\pi \vDash \phi]$$ \item $TS$ satisfies $\phi$, denoted by $TS \vDash \phi$ if $Traces \vDash \phi$, if $Traces(TS) \subseteq Words(\phi)$ \qedhere \end{itemize} \end{definition} In order to make these definitions suitable for use with our PLTL operators, we must provide their semantics. \Cref{fig:PLTL-semantics} shows the formal semantics of the operators defined in the grammar. Note that we need to add a index $i$, since we must also be able to look in the past. 
Given these definitions, it is possible to derive the formal semantics of the $\Fop^{-1}$ and $\Gop^{-1}$ operators as well: $$ \begin{matrix*}[l] \sigma &\vDash_i &\Fop^{-1}\phi &\text{iff} &\exists_{k \leq i}[\sigma \vDash_k \phi]\\ \sigma &\vDash_i &\Gop^{-1}\phi &\text{iff} &\forall_{k \leq i}[\sigma \vDash_k \phi] \end{matrix*} $$ \subsubsection{Specifying Properties} % TODO Once operator \camil \begin{remark}[Other Notations] % TODO: I don't find this place logical for this remark, but it is the same place as Remark 5.16 in the book. Like for LTL, many different notations are used in literature for PLTL. These include $\mathbf X^{-1}, \mathbf G^{-1}, \mathbf F^{-1}$~\citep[e.g.]{Markey2003}, but also \raisebox{-1pt}{\tikz\draw[black,fill=black](0,0)circle(.4em);}$,\blacksquare,\blacklozenge$~\citep[e.g.]{Gabbay1989} or $\stackinset{c}{}{c}{}{$\cdot$}{$\bigcirc$},\boxdot,\stackinset{c}{}{c}{}{$\cdot$}{$\lozenge$}$~\citep[e.g.]{Havelund2002}. % It is always fun to come up with new versions and watch people struggling to reproduce them in \LaTeX. \end{remark} \erin \subsubsection{Equivalence of PLTL Formulae} Now that we have defined the formal semantics of PLTL, we can define equivalence on PLTL formulas. 
\begin{definition}[Equivalence of PLTL Formulae]
PLTL formulae $\phi_1,\phi_2$ are equivalent, denoted $\phi_1 \equiv \phi_2$, iff they satisfy the following property:
\[\text{for any word } \sigma \in \left(2^{AP}\right)^\omega \text{ and any position } i \in \mathbb{N},\ \sigma \vDash_i \phi_1 \Leftrightarrow \sigma \vDash_i \phi_2 \qedhere\]
\end{definition}
Additionally, we can define a weaker form of equivalence, initial equivalence:
\begin{definition}[Initial Equivalence of PLTL Formulae]
PLTL formulae $\phi_1,\phi_2$ are initially equivalent, denoted $\phi_1 \equiv_0 \phi_2$, iff they satisfy the following property:
\[\text{for any word } \sigma \in \left(2^{AP}\right)^\omega,\ \sigma \vDash_0 \phi_1 \Leftrightarrow \sigma \vDash_0 \phi_2 \qedhere\]
\end{definition}
Clearly $\phi_1 \equiv \phi_2$ implies $\phi_1 \equiv_0 \phi_2$, but not conversely: by \cref{fig:PLTL-semantics}, $\Pop a$ never holds at position $0$, so $\Pop a \equiv_0 \lnot\text{true}$, whereas $\Pop a \not\equiv \lnot\text{true}$.
The result was then copy-edited, slightly corrected where needed and expanded by Camil.)$^\omega$ In the above, yellow bars indicate content primarily contributed by Erin, whereas red bars indicate content primarily contributed by Camil. Unfortunately, disabilities of the \textsf{changebar} package make it impossible to indicate the fine-grainedness of our redaction process. \cbend \printbibliography \end{document}