Referencing previous state in Promela LTL statement

Question

I'm getting started with Promela, and I'm having trouble expressing some LTL formulas.

An example is the following sequence value that I'd like to assert is monotonically increasing. Intuitively I want to write that in the next state, sequence is >= its previous value, but looking through documentation, I don't see a way to express this. Is there a method for expressing this type of formula?

byte sequence = 0;
ltl p0 { [] sequence >= prev(sequence) }
... processes that manipulate sequence ...

Assuming that it's possible to express the monotonically increasing property of sequence above, I'm wondering if there is a syntax for wildcard array indexing. Similar to the above example, I intuitively want to reference all previous index entries.

byte values[N];
byte index = 0;
ltl p1 { values[0..index-1] are monotonically increasing }
... processes ...

Thanks a lot for your help. Promela seems really great :)

I appreciate your questions. **a)** *monotone increasing* functions are s.t. `f(x+1) > f(x)`, you encoded a *monotone non-decreasing* function, i.e. `f(x+1) >= f(x)`. In my answer I assumed the comparison operator `>=` is what you want. **b)** Questions containing [multiple, seemingly unrelated, questions](https://meta.stackexchange.com/questions/120633/what-do-we-do-with-multiple-question-questions) should really be split into multiple questions; it makes querying for duplicates easier, since titles can match the content of the question more closely, and it results in a cleaner *Q/A*. — Patrick Trentin, Sep 15 '17 at 19:22
Thanks Patrick. I still need to dig into your answer, but regarding the multiple questions in one post: I should have known better. Is there a method for splitting? I could just edit this post and re-submit another question for the second part? — Noah Watkins, Sep 15 '17 at 19:49
That appears to be the most sensible option, although mine was intended merely as a suggestion for the future. I don't think anyone is going to bother flagging your post about this issue: we are currently in a very small and little followed sub-community of stackoverflow. There are plenty of *multiple-questions-packed-questions* here from *1-rep* users, the only reason I suggested this is because you have *high-rep*. I updated my answer a couple of times, in case you missed anything. — Patrick Trentin, Sep 15 '17 at 19:54

Patrick Trentin · Accepted Answer · 2017-09-17T06:30:46.080

AFAIK,

Monotonically Non-decreasing Sequence.

Linear Temporal Logic has a X operator that allows one to express a property that refers to a boolean condition holding in the next state, as opposed to the previous state.

However, one cannot directly compare an integer value of the current state with that of the next state within an LTL formula, because X evaluates to a Boolean value.

In theory, what one can do is to encode the <= operator over the integer as a Boolean property by bit-blasting it, e.g. by means of some clever use of the modulo operator or bitwise operations (it should not be too hard with unsigned variables) and a bit-to-bit comparison of the corresponding Boolean values (see final note).

From a modeling point of view, however, the easiest approach is to enrich your model with a prev_value variable and simply check that in each state the property prev_value <= cur_value holds. Notice that in this case you should use the d_step command to group together the two value assignments, so that they are conflated within a single state with no intermediate transitions, e.g.

...
byte prev_value;
byte cur_value;
...
d_step {
    prev_value = cur_value;
    cur_value = ... non-blocking function ...
}

Otherwise, the invariant property relating prev_value to cur_value may result to be broken on the corresponding automaton for some state s_i. (note: this would actually not hinder the verification of the specific LTL property you are interested in, but it can be an issue with other formulas)

Wildcard Indexing.

If I understand correctly, you want to express a property s.t. --in each state-- only memory locations from 0 up to index-1 are required to be monotonically non-decreasing, with index being a variable which can change value (arbitrarily?).

The structure of such property should be:

ltl p1 {
    [] (
        ((1 <= index) -> "... values[0] is monotonically non-decreasing ...") &&
        ((2 <= index) -> "... values[1] is monotonically non-decreasing ...") &&
        ((3 <= index) -> "... values[2] is monotonically non-decreasing ...") &&
        ...
        ((N <= index) -> "... values[N-1] is monotonically non-decreasing ...")
    )
}

I believe the answer to your question is no. However, I suggest you to use macros for the C preprocessor to simplify the encoding of your properties and avoid writing the same things over and over again.

Note:

Let's take curr_int and next_int 0-1 Integer variables s.t. next_int is equal to the value of curr_int in the next state (aka, curr_int is the previous value of next_int), and a curr Boolean variable s.t. curr is true if and only if curr_int is equal to 1.

Then, by the LTL semantics, X curr is true if and only if curr_int (next_int) is equal to 1 in the next (current) state.

Consider the following truth-table for state s_i:

curr_int | next_int | curr_int <= next_int

    0    |     0    |          1
    0    |     1    |          1
    1    |     0    |          0
    1    |     1    |          1

From the above definitions, we can rewrite it as:

  curr   |  X curr  |         EXPR

  false  |  false   |         true
  false  |  true    |         true
  true   |  false   |         false
  true   |  true    |         true

From the truth-table it's can be seen that EXPR corresponds to

  !curr v (X curr)

which can be more elegantly rewritten as

  curr -> (X curr)

Thich is our final LTL-encodeable version of curr_int <= next_int for a given state s_i, when both are 0-1 Integer variables.

This answer is great. A few questions/notes. Regarding the first part of the post: since the minimum value of cur_value is 0, I was tempted to use an ltl formula like a latch that only asserted the prev <= cur relation after cur_value becomes > 0. But, prev_value isn't part of the system being modeled, so no big deal setting it to 0 initially too. The final question is: ltl { prev <= cur } didn't work; it was never violated. I needed ltl { [] prev <= cur }. Intuitive I thought [] would be implied. What am I missing in the understanding here? I'll dig into the second part of the question tmrw. — Noah Watkins, Sep 16 '17 at 02:58
@NoahWatkins in this case initialising `prev` to `0` is sufficient, yes. Any simple atomic proposition `P` is checked only for the initial state `s_0`. If you want `P` to hold for *every state* in the execution path, you write `[] P`, i.e. *globally P*. If you want `P` to hold for some set of states `S`, you write `[] (state_is_in(S) -> P)`, where `state_is_in(S)` is an atomic proposition that is true only when the current state belongs to a given set of states `S`. — Patrick Trentin, Sep 16 '17 at 04:44
To define `S` you can use *label references* over the *Promela* source code, or simply write expressions referring to the values of some (or all) variables. If you had to enforce `prev < cur` and both `prev` and `cur` were to be *unsigned*, you would want to skip checking `prev < cur` for the initial states up until you start increasing `cur`, i.e. `((prev = 0) && (cur = 0)) U ([] (prev < cur))` says that `prev` and `cur` are `0` from the initial state up to a certain state `s_i`, which we don't know precisely when it is, from which point on `prev < cur` holds forever. — Patrick Trentin, Sep 16 '17 at 04:51

Serge · Answer 2 · 2017-09-21T14:14:57.287

There is no such symbol in Promela. Yet any Past Time LTL formula can be translated into Future Time LTL (probably even more cumbersome one).

Not sure though is there an easy way to compare values of variables in different states.

Also check LTL specification pattern repository for past.

See discusssion in CS stackexhange

https://cstheory.stackexchange.com/questions/29444/do-past-time-ltl-and-future-time-ltl-have-the-same-expressiveness

Referencing previous state in Promela LTL statement

2 Answers2