LTL Model Checking - PowerPoint PPT Presentation

About This Presentation

Title:

LTL Model Checking

Description:

In order to contain accepting states infinitely often ... is accepted iff it contains infinitely often accepting states from each of the accepting sets ... – PowerPoint PPT presentation

Number of Views:54

Avg rating:3.0/5.0

Slides: 37

Provided by: flavio7

Learn more at: http://www.cs.cmu.edu

Category:

more less

Transcript and Presenter's Notes

Title: LTL Model Checking

1
LTL Model Checking

Flavio Lerda

2
LTL Model Checking

LTL
Subset of CTL of the form
A f
where f is a path formula
LTL model checking
Model checking of a property expressed as an LTL
formula
Given a model M and an initial state s0
M,s0 A f

3
LTL Formulas

Subset of CTL
Distinct from CTL
AFG p ? LTL
? f ? CTL . f ? AFG p
Contains a single universal quantifier
The path formula f holds for every path
Commonly
A is omitted
G is replaced by ? (box or always)
F is replaced by ? (diamond or eventually)

4
Examples of LTL formulas

Always eventually p
? ? p
AGF p or AG AF p
Always after p eventually q
? ( p ??? q)
AG (p -gt F q) or AG (p -gt AF q)
Fairness
( ? ? p ) ? ?
A ((GF p) ? ?)

Not a CTL formula
5
LTL Semantics

Derived from the CTL semantics
Given an infinite execution trace ?s0s1
? p ?? p(s0)
? ? ?? ( ? ? )
? ?1 ?? ?2?? ? ?1 ? ? ?2
? ?1 ? ?2?? ? ?1 ? ? ?2
? ? ?????i?? 0 ?i ?
? ? ?????i?? 0 ?i ?
? ?1 U ?2????i?? 0 ?i ?2 ? ?0 ? j?lt i ?j ?1

6
LTL Model Checking

Given a model M and an LTL formula ?
All traces of M must satisfy ?
If a trace of M does not satisfy ?
Counterexample
?M is the set of traces of M
?? is the set of traces that satisfy ?
?M ? ??
Equivalently ?M ? ????

7
Büchi Automata

Automaton which accepts infinite traces
A Büchi automaton is 4-tuple??S, I,??, F?
S is a finite set of states
I?? S is a set of initial states
? ? S?? S is a transition relation
F?? S is a set of accepting states
An infinite sequence of states is accepted iff it
contains accepting states infinitely often

8
Example
S0
S1
S2
?1S0S1S2S2S2S2
ACCEPTED
?2S0S1S2S1S2S1
ACCEPTED
?3S0S1S2S1S1S1
REJECTED
9
Büchi Automata

Büchi automata are non-deterministic
The next state is not uniquely defined
? is a transition relation not a transition
function
Deterministic Büchi automata are not equivalent
to (non-deterministic) Büchi automata
Cannot convert any Büchi automaton into a
deterministic equivalent one
There exists no optimal and efficient
minimization algorithm for non-deterministic
automata

10
LTL and Büchi Automata

LTL formula
Represents a set of infinite traces which satisfy
such formula
Büchi Automaton
Accepts a set of infinite traces
We can build an automaton which accepts all and
only the infinite traces represented by an LTL
formula

11
Labeled Büchi Automata

Given a set of atomic proposition P
Define a labeling function
? S ? 2P
Each state is assigned a set of propositions that
must be true
All the other propositions must be false
Similar to the labeling for the model M

12
LTL Model Checking

Given a model M and an LTL formula ?
Build the Buchi automaton B?
Compute product of M and B?
Each state of M is labeled with propositions
Each state of B? is labeled with propositions
Match states with the same labels
The product accepts the traces of M that are also
traces of B? (?M ? ??)
If the product accepts any sequence
We have found a counterexample

13
Nested Depth First Search

The product is a Büchi automaton
How do we find accepted sequences?
Accepted sequences must contain a cycle
In order to contain accepting states infinitely
often
We are interested only in cycles that contain at
least an accepting state
During depth first search start a second search
when we are in an accepting states
If we can reach the same state again we have a
cycle (and a counterexample)

14
Example
15
Example
16
Nested Depth First Search

procedure DFS(s)
visited visited ?? s
for each successor s of s
if s ? visited then
DFS(s)
if s is accepting then
DFS2(s, s)
end if
end if
end for
end procedure

17
Nested Depth First Search

procedure DFS2(s, seed)
visited2 visited2 ?? s
for each successor s of s
if s seed then
return Cycle Detect
end if
if s ? visited2 then
DFS2(s, seed)
end if
end for
end procedure

18
Generating Büchi Automata

We need a procedure to generate a Büchi automaton
given an LTL formula
Efficiently
Formulas are usually small
Büchi automaton exponential in the size of the
formula
The cost of model checking is polynomial to the
size of the automaton
Non-deterministic Büchi automata are not
equivalent to deterministic Büchi automata
Cannot use automata minimization algorithms
Finding the minimal automata is NP-complete

19
Approach

Formula rewriting
Rewrite the formula in negation normal form
Apply rewriting rules
Core translation
Turns an LTL formula into a generalized Büchi
automaton
Degeneralization
Turns a generalized Büchi automaton into a Büchi
automaton

20
Rewriting

Negation normal form
Negation appears only in front of literals
Use the following identities
? ?
G ? F ?
F ? G ?
(? U ?) (?) V (?)
(? V ?) (?) U (?)
V (sometimes R) is the Release operator
Dual of Until

21
Rewriting

Additional rewriting rules
Reduce the size of the formula
They are not guaranteed to yield smaller
automaton
The size of the automaton is exponential in the
size of the formula
Examples
(X ?) U (X ?)?? X (? U ?)
(X ?) ? (X ?)?? X (? ? ?)
GF ? ? GF ? ? GF (? ? ?)

22
Generalized Büchi Automata

Büchi automaton with multiple sets of accepting
states
A generalized Büchi automaton is 4-tuple??S,
I,??, F ?
S is a finite set of states
I?? S is a set of initial states
? ? S?? S is a transition relation
F F1, , Fn?? 2S is a set of sets of
accepting states
An infinite sequence of states is accepted iff it
contains infinitely often accepting states from
each of the accepting sets

23
Core Translation

Make use of the following recurrence equations
? U ?? ? ? (? ? X(? U ?))
? V ?? ? ? (? ? X(? V ?))
The operator V (release) is the dual of U
? V ??? ??(?? U???)
We need V (release) because we want the formula
in negation normal form
Negation appears only in front of atomic
propositions
The core translations only handles ?, ?, U, V
Rewriting of
G ? ? U false
F ? true U ?

24
Example
F p
T
p
p
Old NewT U p Next
(T U p)
T U p p ? (T ? X(T U p))
OldT U p NewT NextT U p
OldT U p Newp Next
OldT U p New NextT U p
OldT U p, p New Next
Old New Next
OldT U p NextT U p
OldT U p, p Next
Old Next
1
2
3
25
Core Translation

Node
Represent a sub-formula
Contain information about the past, the present
and the future
Conjunction of formulas as sets
State
Represents a state in the final automaton
They are the nodes that have fully expanded

26
Core Translation

Expansion
Select a formula from the New field
If it is a literal, add it to the Old field
Otherwise
? ? ? ?
(New?,Next) and (New?,Next)
? U ? ?
(New?,Next? U ?) and (New?,Next)
? V ? ?
(New?,Next? V ?) and (New?,?,Next)

? U ??? ? ? (? ? X(? U ?)) ? V ??? ? ? (? ? X(? V
?))
27
Core Translation

Nodes to states
If a node has no New formulas
Create a new node with all the Next formulas
Create an edge between the two nodes
Check if there is any equivalent state
With the same Next field
With the same Old field

28
Core Translation

Accepting states
Generalized Büchi automaton
Multiple accepting sets
One for each Until sub-formula (? U ?)
Such that
The Old field doesnt contain ? U ?
or
The Old field does contain ?

29
Degeneralization

Turn a generalized Büchi automaton into a Büchi
automaton
Consider as many copies of the automaton as the
number of accepting sets
Replace incoming edges from accepting states with
edges to the next copy
Each cycle must go through every copy
Each cycle must contains accepting states from
each accepting set

30
Example
F a ? F b
T
a
b
a
b
2
1
T
T
1,2
31
Example
T
T
a
b
a
b
a
b
T
T
T
T
32
Example
T
T
a
b
a
b
a
b
T
T
T
T
33
Example
T
T
a
b
a
b
a
T
T
T
34
Example
T
a
b
a
T
T
T
35
Example
36
Optimizations