Transcript of the slides at csl16.lif.univ-mrs.fr/static/media/talk15/csl...
Robust Linear Temporal Logic
Paulo Tabuada (1), Daniel Neider (1, 2)
(1) University of California, Los Angeles
(2) RWTH Aachen University
25th EACSL Annual Conference on Computer Science Logic
Marseille, France, 29 September 2016
Motivation

ϕ ⇒ ψ
(ϕ: environment assumption, ψ: system guarantee)

Desired Notion of Robustness (from Wikipedia on fault tolerance)
“[...] If its operating quality decreases at all, the decrease is proportional to the severity of the failure, as compared to a naively designed system in which even a small failure can cause total breakdown. [...]”

Goal: Develop a semantics for LTL capturing “robustness”
- Here: only the fragment LTL(□, ◇); full LTL on arXiv

Design Goals
1. Robustness should be internal to the logic
2. Familiarity with LTL should be the only prerequisite

Paulo Tabuada and Daniel Neider: Robust LTL 1
Linear Temporal Logic

Syntax of LTL(□, ◇)
Let P be a (finite, nonempty) set of atomic propositions.
- Each p ∈ P is an LTL(□, ◇) formula; and
- if ϕ, ψ are LTL(□, ◇) formulas, so are ¬ϕ, ϕ ∨ ψ, □ϕ, and ◇ϕ.

Semantics of LTL(□, ◇) ...
... is a function W : Φ_LTL(□,◇) × (2^P)^ω → B inductively defined by

  W(p, σ)     = 1 if p ∈ σ(0), and 0 if p ∉ σ(0)
  W(¬ϕ, σ)    = 1 − W(ϕ, σ)
  W(ϕ ∨ ψ, σ) = max {W(ϕ, σ), W(ψ, σ)}
  W(□ϕ, σ)    = inf_{i ≥ 0} {W(ϕ, σ_{i..})}
  W(◇ϕ, σ)    = sup_{i ≥ 0} {W(ϕ, σ_{i..})}

The Boolean connectives as min/max over B = {0, 1}:
  a  b | a ∨ b  max {a, b} | a ∧ b  min {a, b}
  0  0 |   0        0      |   0        0
  0  1 |   1        1      |   0        0
  1  0 |   1        1      |   0        0
  1  1 |   1        1      |   1        1

Paulo Tabuada and Daniel Neider: Robust LTL 2
Different Shades of False

Consider the specification □p ⇒ □q. How can □p be violated?

Weakening of □p, from true through shades of false to false (each row is a trace sketch of p over time with the value it receives in B4):
  □p    [trace sketch: p ... ¬p ... p]    (1, 1, 1, 1)   true
  ◇□p   [trace sketch: p ... ¬p ... p]    (0, 1, 1, 1)   shades of false
  □◇p   [trace sketch: p ... ¬p ... p]    (0, 0, 1, 1)
  ◇p    [trace sketch: p ... ¬p ... p]    (0, 0, 0, 1)
  ¬◇p   [trace sketch: p ... ¬p ... ¬p]   (0, 0, 0, 0)   false

The set of these five values is called B4.

Paulo Tabuada and Daniel Neider: Robust LTL 3
A Da Costa Algebra over B4

Elements of B4 are ordered:
  (0, 0, 0, 0) < (0, 0, 0, 1) < (0, 0, 1, 1) < (0, 1, 1, 1) < (1, 1, 1, 1)

We introduce the following four operations:
- a ⊓ b = min {a, b}
- a ⊔ b = max {a, b}
- ¬a = (0, 0, 0, 0) if a = (1, 1, 1, 1), and (1, 1, 1, 1) otherwise
- a → b = (1, 1, 1, 1) if a ≤ b, and b otherwise

Negation
  a             ¬a
  (1, 1, 1, 1)  (0, 0, 0, 0)
  (0, 1, 1, 1)  (1, 1, 1, 1)
  (0, 0, 1, 1)  (1, 1, 1, 1)
  (0, 0, 0, 1)  (1, 1, 1, 1)
  (0, 0, 0, 0)  (1, 1, 1, 1)

The structure (B4, <, ⊓, ⊔, ¬, →) is a so-called da Costa algebra

Paulo Tabuada and Daniel Neider: Robust LTL 4
Robust Semantics

We use new symbols ⊡, ⟐ and call this “logic” rLTL

The semantics of rLTL(⊡, ⟐) is a function V : Φ_rLTL(⊡,⟐) × (2^P)^ω → B4 inductively defined by
- V(p, σ) = (1, 1, 1, 1) if p ∈ σ(0), and (0, 0, 0, 0) otherwise
- V(ϕ ∧ ψ, σ) = V(ϕ, σ) ⊓ V(ψ, σ)
- V(ϕ ∨ ψ, σ) = V(ϕ, σ) ⊔ V(ψ, σ)
- V(¬ϕ, σ) = ¬V(ϕ, σ)
- V(ϕ ⇒ ψ, σ) = V(ϕ, σ) → V(ψ, σ)
- V(⊡p, σ) = (□p, ◇□p, □◇p, ◇p)
- V(⊡ϕ, σ) = (□ϕ1, ◇□ϕ2, □◇ϕ3, ◇ϕ4), where ϕk is the sequence of k-th components of V(ϕ, σ_{i..}) for i ≥ 0
- V(⟐ϕ, σ) = (◇ϕ1, ◇ϕ2, ◇ϕ3, ◇ϕ4)

Example of the component sequences:
  σ               σ(0)          σ(1)          σ(2)
  V(ϕ, σ_{i..})   (0, 1, 1, 1)  (0, 0, 1, 1)  (0, 0, 1, 1)  ···
  ϕ1:  0 0 0 ...
  ϕ2:  1 0 0 ...
  ϕ3:  1 1 1 ...
  ϕ4:  1 1 1 ...

Paulo Tabuada and Daniel Neider: Robust LTL 5
Example

Consider ⊡p ⇒ ⊡q, and assume V(⊡p ⇒ ⊡q, σ) = (1, 1, 1, 1)
- If □p holds, then ⊡p evaluates to (1, 1, 1, 1). Hence, ⊡q has to evaluate to (1, 1, 1, 1), which means that □q holds
- If ◇□p holds (and □p does not), then ⊡p evaluates to (0, 1, 1, 1). Hence, ⊡q has to evaluate to (0, 1, 1, 1) or higher, which implies that ◇□q holds
- Similarly, □◇p implies □◇q and ◇p implies ◇q

Now assume V(⊡p ⇒ ⊡q, σ) < (1, 1, 1, 1)
- If V(⊡p ⇒ ⊡q, σ) = b < (1, 1, 1, 1), then V(⊡q, σ) = b and V(⊡p, σ) > b
- Thus, the value V(⊡p ⇒ ⊡q, σ) describes which weakened guarantee follows from the environment assumption whenever the intended system guarantee does not follow

Recall: a → b = (1, 1, 1, 1) if a ≤ b, and b otherwise

Paulo Tabuada and Daniel Neider: Robust LTL 6
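The following Python program is an added example, not code from the talk or from the paper. It implements the da Costa algebra of slide 4 and the robust valuation V of slide 5, then reproduces the weakening sequence of slide 3, the component-sequence table of slide 5 and the ⊡p ⇒ ⊡q discussion of slide 6. Two assumptions are the example's own: traces are ultimately periodic words σ = prefix · loop^ω (the `Lasso` class, which gives every suffix σ_{i..} one of finitely many positions), and formulas are nested tuples with the operator names `rbox` for ⊡ and `rdiamond` for ⟐.

```python
# Added example, not code from the talk or the paper: an evaluator for the
# robust semantics V of rLTL(⊡, ⟐) over the da Costa algebra B4, following
# the definitions on slides 4 and 5.  Assumptions of this example: traces are
# ultimately periodic words σ = prefix · loop^ω (the Lasso class), and
# formulas are nested tuples, e.g. ("implies", ("rbox", ("p", "p")), ...).
from typing import Dict, List, Set, Tuple

B4 = Tuple[int, int, int, int]
TRUE: B4 = (1, 1, 1, 1)
FALSE: B4 = (0, 0, 0, 0)
Formula = tuple  # ("p", x) | ("not", f) | ("and"|"or"|"implies", f, g) | ("rbox"|"rdiamond", f)

# The da Costa algebra (B4, <, ⊓, ⊔, ¬, →).  B4 values have the shape 0^k 1^(4-k),
# so Python's tuple order is exactly (0,0,0,0) < (0,0,0,1) < ... < (1,1,1,1).
def meet(a: B4, b: B4) -> B4:
    return min(a, b)                      # a ⊓ b

def join(a: B4, b: B4) -> B4:
    return max(a, b)                      # a ⊔ b

def da_costa_neg(a: B4) -> B4:
    return FALSE if a == TRUE else TRUE   # only full truth negates to false

def implies(a: B4, b: B4) -> B4:
    return TRUE if a <= b else b          # a → b

def heyting_neg(a: B4) -> B4:
    return TRUE if a == FALSE else FALSE  # the alternative negation of slide 9


class Lasso:
    """σ = prefix · loop^ω; every suffix σ_{i..} is one of the finitely many
    positions 0 .. len(prefix) + len(loop) - 1."""

    def __init__(self, prefix: List[Set[str]], loop: List[Set[str]]):
        if not loop:
            raise ValueError("the loop must be nonempty")
        self.word = [frozenset(s) for s in prefix + loop]
        self.loop_start = len(prefix)

    def future(self, i: int) -> List[int]:
        """Positions whose suffix is a suffix of σ_{i..}: the remaining prefix
        positions plus every loop position (the loop repeats forever)."""
        n = len(self.word)
        return sorted(set(range(i, n)) | set(range(self.loop_start, n)))


def V(f: Formula, s: Lasso, i: int = 0) -> B4:
    """Robust valuation V(f, σ_{i..}) as defined on slide 5."""
    op = f[0]
    if op == "p":
        return TRUE if f[1] in s.word[i] else FALSE
    if op == "and":
        return meet(V(f[1], s, i), V(f[2], s, i))
    if op == "or":
        return join(V(f[1], s, i), V(f[2], s, i))
    if op == "not":
        return da_costa_neg(V(f[1], s, i))
    if op == "implies":
        return implies(V(f[1], s, i), V(f[2], s, i))
    # Temporal operators work on the component sequences ϕ_k(j) = V(f', σ_{j..})[k].
    comp: Dict[int, B4] = {j: V(f[1], s, j) for j in s.future(i)}
    def always(k: int, j: int) -> bool:      # □ϕ_k at position j
        return all(comp[m][k] for m in s.future(j))
    def eventually(k: int, j: int) -> bool:  # ◇ϕ_k at position j
        return any(comp[m][k] for m in s.future(j))
    if op == "rbox":       # V(⊡ϕ) = (□ϕ1, ◇□ϕ2, □◇ϕ3, ◇ϕ4)
        return (int(always(0, i)),
                int(any(always(1, j) for j in s.future(i))),
                int(all(eventually(2, j) for j in s.future(i))),
                int(eventually(3, i)))
    if op == "rdiamond":   # V(⟐ϕ) = (◇ϕ1, ◇ϕ2, ◇ϕ3, ◇ϕ4)
        return tuple(int(eventually(k, i)) for k in range(4))
    raise ValueError(f"unknown operator {op!r}")


P, Q = ("p", "p"), ("p", "q")
SPEC = ("implies", ("rbox", P), ("rbox", Q))   # ⊡p ⇒ ⊡q

def shades_of_false() -> List[B4]:
    """Slide 3: the five ways □p can be (un)satisfied, from true down to false."""
    traces = [Lasso([], [{"p"}]),            # p always
              Lasso([set()], [{"p"}]),       # p fails once, then holds forever
              Lasso([], [{"p"}, set()]),     # p infinitely often, never forever
              Lasso([{"p"}], [set()]),       # p once, then never again
              Lasso([], [set()])]            # p never
    return [V(("rbox", P), t) for t in traces]

def slide5_example() -> Tuple[List[B4], B4]:
    """A formula whose component sequences match the table on slide 5:
    V(ϕ, σ_{0..}) = (0,1,1,1) and V(ϕ, σ_{i..}) = (0,0,1,1) for i ≥ 1."""
    phi = ("or", ("rbox", P), ("and", Q, ("rbox", ("p", "r"))))
    s = Lasso([{"q"}], [{"p", "r"}, {"r"}])
    return [V(phi, s, i) for i in range(len(s.word))], V(("rbox", phi), s)

def weakened_guarantee(s: Lasso) -> B4:
    """Slide 6: V(⊡p ⇒ ⊡q, σ) is the strongest guarantee on q that survives."""
    return V(SPEC, s)

if __name__ == "__main__":
    print(shades_of_false())
    print(slide5_example())
    # p always, q infinitely often but not forever: only □◇q survives.
    print(weakened_guarantee(Lasso([], [{"p", "q"}, {"p"}])))
    print(da_costa_neg(da_costa_neg((0, 0, 1, 1))))   # ¬¬a ≠ a, cf. future work
```

The last line of the main block illustrates the point raised under future work: with the da Costa negation, ¬¬(0, 0, 1, 1) is (0, 0, 0, 0), not (0, 0, 1, 1), whereas `heyting_neg` maps every shade of true to (0, 0, 0, 0) and back to (1, 1, 1, 1).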
Expressiveness

Theorem. LTL(□, ◇) and rLTL(⊡, ⟐) are equally expressive:
- Given an LTL(□, ◇) formula ψ, one can construct an rLTL(⊡, ⟐) formula ϕ such that for σ ∈ (2^P)^ω
    V(ϕ, σ) = (1, 1, 1, 1) if and only if W(ψ, σ) = 1
- Given an rLTL(⊡, ⟐) formula ϕ and b ∈ B4, one can construct an LTL(□, ◇) formula ψ such that for σ ∈ (2^P)^ω
    V(ϕ, σ) = b if and only if W(ψ, σ) = 1

However, |ψ| ∈ O(c^|ϕ|) for a suitable c ≥ 4

Paulo Tabuada and Daniel Neider: Robust LTL 7
Complexity Results

Theorem. Given an rLTL(⊡, ⟐) formula ϕ and a set B ⊆ B4, one can construct a generalized Büchi automaton A^B_ϕ such that for all σ ∈ (2^P)^ω
    V(ϕ, σ) ∈ B if and only if σ ∈ L(A^B_ϕ).
A^B_ϕ comprises O(5^|ϕ|) states and at most 4 · |ϕ| acceptance sets.

Time complexity
                   rLTL(⊡, ⟐)    LTL
  Model checking   5^|ϕ|         2^|ϕ|
  Synthesis        2^(5^|ϕ|)     2^(2^|ϕ|)

Paulo Tabuada and Daniel Neider: Robust LTL 8
Quality

Consider the formula ⊡p ⇒ ⊡q

We prefer
  ¬◇q  ≺  ◇q  ≺  □◇q  ≺  ◇□q  ≺  □q
  (0, 0, 0, 0) < (0, 0, 0, 1) < (0, 0, 1, 1) < (0, 1, 1, 1) < (1, 1, 1, 1)
  (0, 0, 0, 0) is “False”; the other four values are “Shades of true”

¬a = (1, 1, 1, 1) if a = (0, 0, 0, 0), and (0, 0, 0, 0) otherwise

An algebra with this negation is called a Heyting algebra

Paulo Tabuada and Daniel Neider: Robust LTL 9
Conclusion

Summary
- We introduced a semantics for LTL capturing robustness
- We demonstrated how to leverage the existing wealth of techniques for LTL

Future Work
- Address the “problem” of operators that work differently from classical logics (e.g., “¬¬ϕ ≠ ϕ”)
- Can we improve on the size of A^B_ϕ?
- Do (complexity) results for LTL fragments carry over (e.g., GR(1))?

Get the full paper from arXiv!

Paulo Tabuada and Daniel Neider: Robust LTL 10
From rLTL to LTL

Construct for an rLTL(⊡, ⟐) (sub-)formula ϕ four LTL(□, ◇) formulas ψ^1_ϕ, ψ^2_ϕ, ψ^3_ϕ, ψ^4_ϕ such that for σ ∈ (2^P)^ω and j ∈ {1, ..., 4}
    V_j(ϕ, σ) = 1 if and only if σ ⊨ ψ^j_ϕ

1. If ϕ = p, then ψ^j_ϕ := p
2. If ϕ = ϕ1 ∧ ϕ2, then ψ^j_ϕ := ψ^j_ϕ1 ∧ ψ^j_ϕ2
3. If ϕ = ϕ1 ∨ ϕ2, then ψ^j_ϕ := ψ^j_ϕ1 ∨ ψ^j_ϕ2
4. If ϕ = ⟐ϕ′, then ψ^j_ϕ := ◇ψ^j_ϕ′
5. If ϕ = ⊡ϕ′, then ψ^1_ϕ := □ψ^1_ϕ′, ψ^2_ϕ := ◇□ψ^2_ϕ′, ...
6. If ϕ = ¬ϕ′, then ψ^j_ϕ := ¬(ψ^1_ϕ′ ∧ ψ^2_ϕ′ ∧ ψ^3_ϕ′ ∧ ψ^4_ϕ′)
7. If ϕ = ϕ1 ⇒ ϕ2, then ψ^j_ϕ := (⋁_{k=1,...,4} (ψ^k_ϕ1 ∧ ¬ψ^k_ϕ2)) ⇒ ψ^j_ϕ2
   (the disjunction holds exactly when V(ϕ1, σ) > V(ϕ2, σ), the case in which a → b = b)

Note: |ψ^j_ϕ| ∈ O(c^|ϕ|) for a suitable c ≥ 4

Paulo Tabuada and Daniel Neider: Robust LTL 11
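The translation above, written out as an added Python example (not code from the talk or the paper) that also makes the size bound concrete. It builds the four LTL(□, ◇) formulas ψ^1_ϕ .. ψ^4_ϕ purely syntactically from an rLTL(⊡, ⟐) formula and counts their nodes; the nested-tuple encoding of formulas and the operator names `rbox`/`rdiamond` (for ⊡/⟐) and `box`/`diamond` (for □/◇) are assumptions of this example.

```python
# Added example, not code from the talk or the paper: the syntactic translation
# of slide 11, turning an rLTL(⊡, ⟐) formula ϕ into the four LTL(□, ◇) formulas
# ψ^1_ϕ .. ψ^4_ϕ, plus a node count that exhibits the O(c^|ϕ|) blow-up.
# Formula encoding (an assumption of this example): nested tuples.
#   rLTL: ("p", x) | ("not", f) | ("and"|"or"|"implies", f, g) | ("rbox"|"rdiamond", f)
#   LTL:  ("p", x) | ("not", f) | ("and"|"or"|"implies", f, g) | ("box"|"diamond", f)
from functools import reduce
from typing import List, Tuple

Formula = tuple

def _conj(fs: List[Formula]) -> Formula:
    return reduce(lambda a, b: ("and", a, b), fs)

def _disj(fs: List[Formula]) -> Formula:
    return reduce(lambda a, b: ("or", a, b), fs)

def translate(phi: Formula, j: int) -> Formula:
    """ψ^j_ϕ with V_j(ϕ, σ) = 1 iff σ ⊨ ψ^j_ϕ, for j ∈ {1, 2, 3, 4} (slide 11)."""
    if not 1 <= j <= 4:
        raise ValueError("component index must be 1..4")
    op = phi[0]
    if op == "p":                                   # rule 1
        return phi
    if op in ("and", "or"):                         # rules 2, 3: componentwise
        return (op, translate(phi[1], j), translate(phi[2], j))
    if op == "rdiamond":                            # rule 4: ⟐ is ◇ in every component
        return ("diamond", translate(phi[1], j))
    if op == "rbox":                                # rule 5: □, ◇□, □◇, ◇
        inner = translate(phi[1], j)
        return {1: ("box", inner),
                2: ("diamond", ("box", inner)),
                3: ("box", ("diamond", inner)),
                4: ("diamond", inner)}[j]
    if op == "not":                                 # rule 6: ¬a is false iff a = (1,1,1,1)
        return ("not", _conj([translate(phi[1], k) for k in range(1, 5)]))
    if op == "implies":                             # rule 7: a → b equals b iff some a_k > b_k
        a_gt_b = _disj([("and", translate(phi[1], k), ("not", translate(phi[2], k)))
                        for k in range(1, 5)])
        return ("implies", a_gt_b, translate(phi[2], j))
    raise ValueError(f"unknown operator {op!r}")

def size(f: Formula) -> int:
    """Number of operator and proposition nodes in a formula."""
    return 1 + sum(size(g) for g in f[1:] if isinstance(g, tuple))

SYMBOL = {"not": "¬", "and": " ∧ ", "or": " ∨ ", "implies": " ⇒ ",
          "box": "□", "diamond": "◇", "rbox": "⊡", "rdiamond": "⟐"}

def to_str(f: Formula) -> str:
    op = f[0]
    if op == "p":
        return f[1]
    if len(f) == 2:                                 # unary prefix operator
        return SYMBOL[op] + to_str(f[1])
    return "(" + to_str(f[1]) + SYMBOL[op] + to_str(f[2]) + ")"

def all_components(phi: Formula) -> Tuple[str, str, str, str]:
    """The four LTL formulas ψ^1_ϕ .. ψ^4_ϕ, printed."""
    return tuple(to_str(translate(phi, j)) for j in range(1, 5))

def negation_blowup(depth: int) -> int:
    """|ψ^1_ϕ| for ϕ = ¬^depth p: every ¬ needs all four ψ^k of its operand,
    so the size grows roughly like 4^depth (the c ≥ 4 on the slide)."""
    phi: Formula = ("p", "p")
    for _ in range(depth):
        phi = ("not", phi)
    return size(translate(phi, 1))

if __name__ == "__main__":
    spec = ("implies", ("rbox", ("p", "p")), ("rbox", ("p", "q")))   # ⊡p ⇒ ⊡q
    for j, psi in enumerate(all_components(spec), start=1):
        print(f"ψ^{j}: {psi}")
    print([negation_blowup(d) for d in range(5)])
```

Running it prints the four LTL formulas for ⊡p ⇒ ⊡q, each sharing the same four-way disjunction in the antecedent, and the sizes 1, 8, 36, 148, 596 for ¬p, ¬¬p, ...: each additional negation multiplies the translated size by about four, which is where the constant c ≥ 4 in the bound comes from.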
From rLTL(⊡, ⟐) to Generalized Büchi Automata

Valuations of the subformulas of □(p ∨ q) and ⊡(p ∨ q) along the trace σ = {p} {q} ∅ {q} ∅ ...

  σ             {p}    {q}    ∅      {q}    ∅      ...
  LTL
    p           1      0      0      0      0
    q           0      1      0      1      0
    p ∨ q       1      1      0      1      0
    □(p ∨ q)    0      0      0      0      0      ...
  rLTL
    p           1111   0000   0000   0000   0000
    q           0000   1111   0000   1111   0000
    p ∨ q       1111   1111   0000   1111   0000
    ⊡(p ∨ q)    0011   0011   0011   0011   0011   ...

- States: valuations of subformulas
- Transitions: defined according to expansion rules
- Acceptance conditions: assert that an infinite run respects the temporal operators

Paulo Tabuada and Daniel Neider: Robust LTL 12
Expansion Rule for ⊡

Recall: ⊡ϕ = (□ϕ1, ◇□ϕ2, □◇ϕ3, ◇ϕ4)

  □ϕ1  = ϕ1 ∧ ○□ϕ1
  ◇□ϕ2 = □ϕ2 ∨ ○◇□ϕ2
  □◇ϕ3 = ◇ϕ3 ∧ ○□◇ϕ3
  ◇ϕ4  = ϕ4 ∨ ○◇ϕ4

Refined rules, replacing □ϕ2 by □ϕ1 and ◇ϕ3 by ◇ϕ4 (valid since ϕ1 ≤ ϕ2 ≤ ϕ3 ≤ ϕ4 for every value in B4):

  □ϕ1  = ϕ1 ∧ ○□ϕ1
  ◇□ϕ2 = □ϕ1 ∨ ○◇□ϕ2
  □◇ϕ3 = ◇ϕ4 ∧ ○□◇ϕ3
  ◇ϕ4  = ϕ4 ∨ ○◇ϕ4

Paulo Tabuada and Daniel Neider: Robust LTL 13
The automaton A^B_ϕ

[figure: initial state q0 with ε-transitions into states labelled by subformula valuation vectors such as [1111 0000 1111 0011] and [0000 1111 1111 0011] (the first two columns of the previous slide), and states q_0000, q_0001, ..., q_1111]

Note: A^B_ϕ has 5^|ϕ| + 6 states

Paulo Tabuada and Daniel Neider: Robust LTL 14