1 / 36

LTL Model Checking

LTL Model Checking. Flavio Lerda. LTL Model Checking. LTL Subset of CTL* of the form: A f where f is a path formula LTL model checking Model checking of a property expressed as an LTL formula: Given a model M and an initial state s 0 : M,s 0 ╞ A f. LTL Formulas. Subset of CTL*

rmelchor
Download Presentation

LTL Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. LTL Model Checking Flavio Lerda

  2. LTL Model Checking • LTL • Subset of CTL* of the form: A f where f is a path formula • LTL model checking • Model checking of a property expressed as an LTL formula: • Given a model M and an initial state s0: M,s0╞ A f

  3. LTL Formulas • Subset of CTL* • Distinct from CTL • AFG p  LTL •  f  CTL . f ≠ AFG p • Contains a single universal quantifier • The path formula f holds for every path • Commonly: • A is omitted • G is replaced by  (box or always) • F is replaced by  (diamond or eventually)

  4. Examples of LTL formulas • Always eventually p: •   p • AGF p or AG AF p • Always after p eventually q •  ( p  q) • AG (p -> F q) or AG (p -> AF q) • Fairness • (   p )   • A ((GF p)  ) Not a CTL formula

  5. LTL Semantics • Derived from the CTL* semantics • Given an infinite execution trace=s0s1… ╞ p  p(s0) ╞ ¬   ¬( ╞  ) ╞ 1  2 ╞ 1  ╞ 2 ╞ 1  2 ╞ 1  ╞ 2 ╞  i 0 i╞  ╞  i 0 i╞  ╞ 1 U 2i 0 i╞ 2  0  j< i j╞ 1

  6. LTL Model Checking • Given a model M and an LTL formula  • All traces of M must satisfy  • If a trace of M does not satisfy  • Counterexample • M is the set of traces of M •  is the set of traces that satisfy  • M  • Equivalently M ¬=

  7. Büchi Automata • Automaton which accepts infinite traces • A Büchi automaton is 4-tupleS, I,, F • S is a finite set of states • I S is a set of initial states •   S S is a transition relation • F S is a set of accepting states • An infinite sequence of states is accepted iff it contains accepting states infinitely often

  8. Example S0 S1 S2 1=S0S1S2S2S2S2… ACCEPTED 2=S0S1S2S1S2S1… ACCEPTED 3=S0S1S2S1S1S1… REJECTED

  9. Büchi Automata • Büchi automata are non-deterministic: • The next state is not uniquely defined •  is a transition relation not a transition function • Deterministic Büchi automata are not equivalent to (non-deterministic) Büchi automata: • Cannot convert any Büchi automaton into a deterministic equivalent one • There exists no optimal and efficient minimization algorithmfor non-deterministic automata

  10. LTL and Büchi Automata • LTL formula • Represents a set of infinite traces which satisfy such formula • Büchi Automaton • Accepts a set of infinite traces • We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

  11. Labeled Büchi Automata • Given a set of atomic proposition P • Define a labeling function : S  2P • Each state is assigned a set of propositions that must be true • All the other propositions must be false • Similar to the labeling for the model M

  12. LTL Model Checking • Given a model M and an LTL formula  • Build the Buchi automaton B¬ • Compute product of M and B¬ • Each state of M is labeled with propositions • Each state of B¬ is labeled with propositions • Match states with the same labels • The product accepts the traces of M that are also traces of B¬ (M ¬) • If the product accepts any sequence • We have found a counterexample

  13. Nested Depth First Search • The product is a Büchi automaton • How do we find accepted sequences? • Accepted sequences must contain a cycle • In order to contain accepting states infinitely often • We are interested only in cycles that contain at least an accepting state • During depth first search start a second search when we are in an accepting states • If we can reach the same state again we have a cycle (and a counterexample)

  14. Example

  15. Example

  16. Nested Depth First Search procedureDFS(s) visited = visited {s} for each successor s’ of s ifs’  visitedthen DFS(s’) ifs’ is accepting then DFS2(s’, s’) end if end if end for end procedure

  17. Nested Depth First Search procedure DFS2(s, seed) visited2 = visited2 {s} for each successor s’ of s ifs’ = seed then return “Cycle Detect”; end if if s’  visited2then DFS2(s’, seed) end if end for end procedure

  18. Generating Büchi Automata • We need a procedure to generate a Büchi automaton given an LTL formula • Efficiently • Formulas are usually small • Büchi automaton exponential in the size of the formula • The cost of model checking is polynomial to the size of the automaton • Non-deterministic Büchi automata are not equivalentto deterministic Büchi automata • Cannotuse automata minimization algorithms • Finding the minimal automata is NP-complete

  19. Approach • Formula rewriting • Rewrite the formula in negation normal form • Apply rewriting rules • Core translation • Turns an LTL formula into a generalized Büchi automaton • Degeneralization • Turns a generalized Büchi automaton into a Büchi automaton

  20. Rewriting • Negation normal form • Negation appears only in front of literals • Use the following identities • ¬¬ =  • ¬G = F ¬ • ¬F = G ¬ • ¬(U) = (¬)V (¬) • ¬(V) = (¬)U (¬) • V (sometimes R) is the Release operator • Dual of Until

  21. Rewriting • Additional rewriting rules: • Reduce the size of the formula • They are not guaranteed to yield smaller automaton • The size of the automaton is exponential in the size of the formula • Examples: • (X ) U (X ) X ( U ) • (X )  (X ) X (  ) • GF   GF   GF (  )

  22. as before Generalized Büchi Automata • Büchi automaton with multiple sets of accepting states • A generalized Büchi automaton is 4-tupleS, I,, F  • S is a finite set of states • I S is a set of initial states •   S S is a transition relation • F = {F1, …, Fn} 2S is a set of sets of accepting states • An infinite sequence of states is accepted iff it contains infinitely often accepting states from each of the accepting sets

  23. Core Translation • Make use of the following recurrence equations: •  U =   (  X( U )) •  V =   (  X( V )) • The operator V (release) is the dual of U: •  V  ( U) • We need V (release) because we want the formula in negation normal form • Negation appears only in front of atomic propositions • The core translations only handles , , U, V: • Rewriting of: • G = Ufalse • F = trueU

  24. Example F p T p p Old:{} New:{TU p} Next:{} (TU p) TU p = p  (T  X(TU p)) Old:{TU p} New:{} Next:{TU p} Old:{TU p} New:{T} Next:{TU p} Old:{TU p} New:{p} Next:{} Old:{TU p, p} New:{} Next:{} Old:{} New:{} Next:{} Old:{TU p} Next:{TU p} Old:{TU p, p} Next:{} Old:{} Next:{} 1 2 3

  25. Core Translation • Node • Represent a sub-formula • Contain information about the past, the present and the future • Conjunction of formulas as sets • State • Represents a state in the final automaton • They are the nodes that have fully expanded

  26. Core Translation • Expansion • Select a formula from the New field • If it is a literal, add it to the Oldfield • Otherwise •     (New{},Next{}) and (New{},Next{}) •  U   (New{},Next{ U }) and (New{},Next{}) •  V   (New{},Next{ V }) and (New{,},Next{}) •  U    (  X( U )) •  V    (  X( V ))

  27. Core Translation • Nodes to states • If a node has no New formulas • Create a new node with all the Nextformulas • Create an edge between the two nodes • Check if there is any equivalent state • With the same Next field • With the same Old field

  28. Core Translation • Accepting states • Generalized Büchi automaton • Multiple accepting sets • One for each Until sub-formula ( U ) • Such that • The Oldfield doesn’t contain  U  or • The Oldfield does contain 

  29. Degeneralization • Turn a generalized Büchi automaton into a Büchi automaton • Consider as many copies of the automaton as the number of accepting sets • Replace incoming edges from accepting states with edges to the next copy • Each cycle must go through every copy • Each cycle must contains accepting states from each accepting set

  30. Example F a  F b T a b a b 2 1 T T 1,2

  31. Example T T a b a b a b T T T T

  32. Example T T a b a b a b T T T T

  33. Example T T a b a b a T T T

  34. Example T a b a T T T

  35. T a b a T T T Example

  36. Optimizations • Can be done at each stage • Try to minimize • The number of states and transitions • The number of accepting states • Involve • Strongly connected components • Fair (bi)simulation • Expensive but • The Büchi automaton is usually small • The saving during verification can be very high

More Related