270 likes | 288 Views
Learn about LTL semantics, Büchi automata, & rewriting in formal verification. Explore formula translation, automaton construction, and minimization. Discover the core translation concept to build Büchi automata efficiently.
E N D
LTL to Büchi Automata Flavio Lerda
LTL Formulas • Subset of CTL* • Distinct from CTL • AFG p LTL • f CTL . f ≠ AFG p • Contains a single universal quantifier • The path formula f holds for every path • Commonly: • A is omitted • G is replaced by (box or always) • F is replaced by (diamond or eventually)
Examples of LTL formulas • Always eventually p: • p • AGF p or AG AF p • Always after p eventually q • ( p q) • AG (p -> F q) or AG (p -> AF q) • Fairness • ( p ) • A ((GF p) ) Not a CTL formula
LTL Semantics • Derived from the CTL* semantics • Given an infinite execution trace=s0s1… ╞ p p(s0) ╞ ¬ ¬( ╞ ) ╞ 1 2 ╞ 1 ╞ 2 ╞ 1 2 ╞ 1 ╞ 2 ╞ i 0 i╞ ╞ i 0 i╞ ╞ 1 U 2i 0 i╞ 2 0 j< i j╞ 1 i is the suffix of starting at si
Büchi Automata • Automaton which accepts infinite traces • A Büchi automaton is 4-tupleS, I,, F • S is a finite set of states • I S is a set of initial states • S S is a transition relation • F S is a set of accepting states • An infinite sequence of states is accepted iff it contains accepting states infinitely often
Example S0 S1 S2 1=S0S1S2S2S2S2… ACCEPTED 2=S0S1S2S1S2S1… ACCEPTED 3=S0S1S2S1S1S1… REJECTED
LTL and Büchi Automata • LTL formula • Represents a set of infinite traces which satisfy such formula • Büchi Automaton • Accepts a set of infinite traces • We can build an automaton which accepts all and only the infinite traces represented by an LTL formula
Labeled Büchi Automata • Given a set of atomic proposition P • Define a labeling function : S 2P • Each state is assigned a set of propositions that must be true • Similar to the labeling for the model M
Generating Büchi Automata • We need a procedure to generate a Büchi automaton given an LTL formula • Efficiently • Formulas are usually small • Büchi automaton exponential in the size of the formula • The cost of model checking is proportional to the size of the automaton • Non-deterministic Büchi automata are not equivalent to deterministic Büchi automata • Cannot use automata minimization algorithms • Finding the minimal automata is exponential
Approach • Formula rewriting • Rewrite the formula in negated normal form • Apply rewriting rules • Core translation • Turns an LTL formula into a generalized Büchi automaton • Degeneralization • Turns a generalized Büchi automaton into a Büchi automaton
Rewriting • Negated normal form • Negation appears only in front of literals • Use the following identities • ¬¬ = • ¬G = F ¬ • ¬F = G ¬ • ¬( U ) = (¬) V (¬) • ¬( V ) = (¬) U (¬) • V (sometimes R) is the Release operator • Dual of Until
Rewriting • Additional rewriting rules • They are not guaranteed to yield smaller automata • The size of the automaton is exponential in the size of the formula • Examples • (X ) U (X ) X ( U ) • (X ) (X ) X ( ) • GF GF GF ( )
Rewriting • The core algorithm only handles • , , V, U • Use the following: • F T U • G ¬F ¬ ¬(T U ¬) = F V
Core Translation Idea • Make use of the following U ( X( U )) V ( X( V ))
Example F p T p p Old:{} New:{TU p} Next:{} (TU p) Old:{TU p} New:{T} Next:{TU p} Old:{TU p} New:{} Next:{TU p} Old:{TU p} New:{p} Next:{} Old:{TU p, p} New:{} Next:{} Old:{} New:{} Next:{} Old:{TU p} Next:{TU p} Old:{TU p, p} Next:{} Old:{} Next:{}
Core Translation • Node • Represent a sub-formula • Contain information about the past, the present and the future • State • Represents a state in the final automaton • They are the nodes that have fully expanded
Core Translation • Expansion • Select a formula from the New field • If it is a literal, add it to the Oldfield • Otherwise • (New{},Next{}) and (New{},Next{}) • U (New{},New{ U }) and (New{},Next{}) • V (New{},New{ V }) and (New{,},Next{}) • U ( X( U )) • V ( X( V ))
Core Translation • Nodes to states • If a node has no New formulas • Create a new node with all the Nextformulas • Create an edge between the two nodes • Check if there is any equivalent state • With the same Next field • With the same Old field
Core Translation • Accepting states • Generalized Büchi automaton • Multiple accepting sets • One for each Until sub-formula ( U ) • Such that • The Oldfield doesn’t contain U or • The Oldfield does contain
Degeneralization • Turn a generalized Büchi automaton into a Büchi automaton • Consider as many copies of the automaton as the number of accepting sets • Replace incoming edges from accepting states with edges to the next copy • Each cycle must go through every copy • Each cycle must contains accepting states from each accepting set
Example F a F b T a b a b 2 1 T T 1,2
Example T T a b a b a b T T T T
Example T T a b a b a b T T T T
Example T T a b a b a T T T
Example T a b a T T T
T a b a T T T Example
Optimizations • Can be done at each stage • Try to minimize • The number of states and transitions • The number of accepting states • Involve • Strongly connected components • Fair (bi)simulation • Expensive but • The Büchi automaton is usually small • The saving during verification can be very high