Linear temporal logic
=====================

Introduction
------------

Runtime verification (RV) monitoring is a verification technique which checks
that the kernel follows a specification. It does so by using tracepoints to
monitor the kernel's execution trace, and verifying that the execution trace
satisfies the specification.

Initially, the specification could only be written in the form of a
deterministic automaton (DA). However, while attempting to implement DA
monitors for some complex specifications, the deterministic automaton was found
to be inappropriate as the specification language. The automaton is
complicated, hard to understand, and error-prone.

Thus, RV monitors based on linear temporal logic (LTL) were introduced. This
type of monitor uses LTL as the specification instead of DA. For some cases,
writing the specification as LTL is more concise and intuitive.

Many materials explain LTL in detail. One book is::

  Christel Baier and Joost-Pieter Katoen: Principles of Model Checking, The MIT
  Press, 2008.

Grammar
-------

Unlike some existing syntaxes, the kernel's implementation of LTL is more
verbose. This is motivated by considering that the people who read the LTL
specifications may not be well-versed in LTL.

Grammar:
    ltl ::= opd | ( ltl ) | ltl binop ltl | unop ltl

Operands (opd):
    true, false, user-defined names consisting of upper-case characters, digits,
    and underscore.

Unary Operators (unop):
    always
    eventually
    next
    not

Binary Operators (binop):
    until
    and
    or
    imply
    equivalent

This grammar is ambiguous: operator precedence is not defined. Parentheses must
be used.

Example linear temporal logic
-----------------------------

.. code-block::

   RAIN imply (GO_OUTSIDE imply HAVE_UMBRELLA)

means: if it is raining, going outside means having an umbrella.

.. code-block::

   RAIN imply (WET until not RAIN)

means: if it is raining, it is going to be wet until the rain stops.

.. code-block::

   RAIN imply eventually not RAIN

means: if it is raining, rain will eventually stop.

The above examples refer to the current time instance only. For kernel
verification, the `always` operator is usually desirable, to specify that
something is true now and at all future times. For example::

    always (RAIN imply eventually not RAIN)

means: *all* rain eventually stops.

In the above examples, `RAIN`, `GO_OUTSIDE`, `HAVE_UMBRELLA` and `WET` are the
"atomic propositions".

Monitor synthesis
-----------------

To synthesize an LTL into a kernel monitor, the `rvgen` tool can be used:
`tools/verification/rvgen`. The specification needs to be provided as a file,
and it must have a "RULE = LTL" assignment. For example::

    RULE = always (ACQUIRE imply ((not KILLED and not CRASHED) until RELEASE))

which says: if `ACQUIRE`, then `RELEASE` must happen before `KILLED` or
`CRASHED`.

The LTL can be broken down using sub-expressions. The above is equivalent to:

.. code-block::

   RULE = always (ACQUIRE imply (ALIVE until RELEASE))
   ALIVE = not KILLED and not CRASHED

From this specification, `rvgen` generates the C implementation of a Büchi
automaton, a non-deterministic state machine which checks the satisfiability of
the LTL. See Documentation/trace/rv/monitor_synthesis.rst for details on using
`rvgen`.

References
----------

One book covering model checking and linear temporal logic is::

  Christel Baier and Joost-Pieter Katoen: Principles of Model Checking, The MIT
  Press, 2008.

For an example of using linear temporal logic in software testing, see::

  Ruijie Meng, Zhen Dong, Jialin Li, Ivan Beschastnikh, and Abhik Roychoudhury.
  2022. Linear-time temporal logic guided greybox fuzzing. In Proceedings of the
  44th International Conference on Software Engineering (ICSE '22). Association
  for Computing Machinery, New York, NY, USA, 1343–1355.
  https://doi.org/10.1145/3510003.3510082

The kernel's LTL monitor implementation is based on::

  Gerth, R., Peled, D., Vardi, M.Y., Wolper, P. (1996). Simple On-the-fly
  Automatic Verification of Linear Temporal Logic. In: Dembiński, P., Średniawa,
  M. (eds) Protocol Specification, Testing and Verification XV. PSTV 1995. IFIP
  Advances in Information and Communication Technology. Springer, Boston, MA.
  https://doi.org/10.1007/978-0-387-34892-6_1
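The grammar and the ``RULE`` from the monitor synthesis section can be exercised offline with a small parser and finite-trace evaluator. This is an added example, not kernel or `rvgen` code: it assumes unary operators bind tighter than binary ones, rejects chained binary operators instead of guessing a precedence, and uses finite-trace semantics (strong `until`, so an obligation still pending when the trace ends counts as a violation), whereas the generated kernel monitor runs a Büchi automaton online.

```python
import re

UNOPS = {"always", "eventually", "next", "not"}
BINOPS = {"until", "and", "or", "imply", "equivalent"}
RULE = "always (ACQUIRE imply ((not KILLED and not CRASHED) until RELEASE))"  # from the page
OK_TRACE = [{"ACQUIRE"}, set(), {"RELEASE"}, set()]  # constructed: true names per step
BAD_TRACE = [{"ACQUIRE"}, {"KILLED"}, {"RELEASE"}]   # constructed: killed before release

def _unary(toks):
    head, rest = toks[0], toks[1:]
    if head in UNOPS:  # assumption: unary binds tighter than binary
        sub, rest = _unary(rest)
        return (head, sub), rest
    if head == "(":
        sub, rest = _binary(rest)
        if rest[0] != ")":
            raise ValueError("missing ')'")
        return sub, rest[1:]
    if not re.fullmatch(r"true|false|[A-Z0-9_]+", head):
        raise ValueError(f"bad operand {head!r}")
    return ("opd", head), rest

def _binary(toks):
    left, rest = _unary(toks)
    if rest[0] not in BINOPS:
        return left, rest
    op, (right, rest) = rest[0], _unary(rest[1:])
    if rest[0] in BINOPS:  # no precedence is defined: refuse to guess
        raise ValueError("ambiguous: parenthesize chained binary operators")
    return (op, left, right), rest

def parse(text):
    ast, rest = _binary(re.findall(r"[()]|\w+", text) + ["<end>"])
    if rest != ["<end>"]:
        raise ValueError(f"unexpected token {rest[0]!r}")
    return ast

def holds(f, trace, i=0):
    op, args, later = f[0], f[1:], range(i, len(trace))
    if op == "opd":
        return args[0] == "true" or args[0] in trace[i]
    if op == "next":
        return i + 1 < len(trace) and holds(args[0], trace, i + 1)
    if op in ("always", "eventually"):
        return (all if op == "always" else any)(holds(args[0], trace, j) for j in later)
    if op == "until":  # strong until: the right-hand side must occur in the trace
        return any(holds(args[1], trace, j) and
                   all(holds(args[0], trace, k) for k in range(i, j)) for j in later)
    x, y = holds(args[0], trace, i), holds(args[-1], trace, i)  # for "not", y is x
    return {"not": not x, "and": x and y, "or": x or y, "imply": not x or y, "equivalent": x == y}[op]
```

``holds(parse(RULE), OK_TRACE)`` is true and ``holds(parse(RULE), BAD_TRACE)`` is false; ``parse("A and B or C")`` raises because the page's grammar defines no precedence between ``and`` and ``or``.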