190 likes | 306 Views
Implementing an LTL-to-Büchi Translator in Erlang. A ProTest Experience Report Hans Svensson Chalmers University of Technology Edinburgh – 2009-09-05. Background. McErlang was going public Encoding properties using hand-written Erlang monitors not very user friendly
E N D
Implementing an LTL-to-Büchi Translator in Erlang A ProTest Experience Report Hans Svensson Chalmers University of Technology Edinburgh – 2009-09-05
Background McErlang was going public Encoding properties using hand-written Erlang monitors not very user friendly Wanted to provide support for properties in LTL No existing LTL-to-Büchi implementation in Erlang Licensing issues Aesthetics
LTL formulas If AP is a non-empty and finite set of atomic propositions, the LTL formulas are: All p ∍ AP are LTL formulas If ϕ and Ψ are LTL formulas, then ¬ ϕ, ϕ ∧ Ψ, X ϕ, ϕ U Ψ are LTL formulas
LTL formulas p p p p q Linear Time Logic, i.e. discrete steps in a linear fashion. NeXt - X p is true if p is true in the ‘next step’ Until – p Uq is true if p is true in all steps until a step where q is true
LTL formulas For convenience additional operators are often defined, such as: Always - ⎕ ϕ ≣ ¬ (true U ¬ ϕ) Eventually - ◇ ϕ ≣ true Uϕ
LTL Model Checking Specification (LTL formula) (Finite) model of the system (state-transition graph) Not directly checkable Close correspondence between LTL formulas and Büchi automata [Wolper et. al. 83] McErlang can check against Büchi automaton
Büchi automata • A Büchi automaton is a tuple <Σ,Q,Δ,Q0,F> • Σ is the alphabet • Q is the finite set of states • Δ ⊆ Q x Σ x Q is the transition relation • Q0 is the set of initial states • F ⊆ Q is the set of accepting states • A Büchi automaton accepts infinite sequences iff there exists a path that visits an accepting state infinitely often
Büchi automata a s1 s2 b a b • Σ = {a,b} • Q = {s1,s2} • Q0= {s1} • Δ = {(s1,a, s2), (s2,a, s2), (s2,b, s1), (s1,b, s1)} • F = {s2}
Translating LTL to Büchi Intuition: Express everything in terms of Until Repeatedly expand: p U q = q ∨ (p ∧ X (p U q)) Keep track of equivalent steps
Translation – Three steps Rewrite – Use heuristics to simplify LTL formula [Somenzi & Bloem 00] Core translation- construct basic Büchi automaton using repeated expansion. (Tableau-based algorithm) [Gerth et.al. 96] Reduce and Optimize –apply simplification and reduction algorithms [Etessami & Holzmann 00]
Implementation Quite straightforward from the literature!? NO! Don’t start implementing just yet! First think about properties for the system In this case the properties are known in literature! [Tauriainen & Heljanko 02]
Testing the translation Generate ϕ ϕ ¬ ϕ LTL-to-Büchi translator A LTL-to-Büchi translator A BA BA BA BA ¬ ϕ ϕ Intersection ¬ ϕ ϕ ⊗ Check emptiness OK Fail
Testing the translation prop_test_ltl2buchi(LTL2B_1,LTL2B_2) -> ?FORALL(Phi, ltl_formula(), begin BA1 = LTL2B_1(Phi), BA2 = LTL2B_2(ltl:negate(Phi)), BA1xBA2 = buchi:intersection(BA1,BA2), buchi:is_empty(BA1xBA2) end). Testing using QuickCheck Straightforward translation into property
Generating LTL formulas ltl_formula() -> ?SIZED(Size, ltl_formula(Size)). ltl_formula(0) -> lprop(); ltl_formula(S) -> Smaller = ltl_formula(S div 2), oneof([ {land,Smaller,Smaller}, {lor,Smaller,Smaller}, {next,ltl_formula(S – 1)}, {eventually,ltl_formula(S - 1)}, {always, ltl_formula(S - 1)}, {lnot, ltl_formula(S – 1)}]).
Implementation Almost trivial!! Implement algorithms and check with QuickCheck Errors are found early, and counter examples show where the errors are. More tests were used, described in the paper.
Results Passes an extensive amount of QuickCheck tests Performs on par (or better) than the reference implementations* (JavaPathExplorer LTL2Büchi and Wring) * Disclaimer: Only measured for random LTL formulas
Distribution • Included in McErlang distribution (only translator) • Full version can be retrieved from GitHub: http://github.com/hanssv/Erlang-LTL2Buchi/ • Test code and example parser is included.
Conclusions Property Driven Development works!* (But we already knew that) Implementation gets simpler More confidence in correctness * Although this project fits exceptionally well into the PDD idea…
ProTest This project was sponsored by: EU FP7 Collaborative project ProTest(grant number 215868) http://www.protest-project.eu