Transcript slides

LTL Model Checking
Flavio Lerda
LTL Model Checking
Flavio Lerda
1
LTL Model Checking
Flavio Lerda
LTL Model Checking
• LTL
– Subset of CTL* of the form:
Af
where f is a path formula
• LTL model checking
– Model checking of a property expressed as an
LTL formula:
– Given a model M and an initial state s0:
M,s0╞ A f
2
LTL Model Checking
Flavio Lerda
LTL Formulas
• Subset of CTL*
– Distinct from CTL
• AFG p  LTL
•  f  CTL . f ≠ AFG p
• Contains a single universal quantifier
– The path formula f holds for every path
• Commonly:
– A is omitted
– G is replaced by  (box or always)
– F is replaced by  (diamond or eventually)
3
LTL Model Checking
Flavio Lerda
Examples of LTL formulas
• Always eventually p:
–p
– AGF p or AG AF p
• Always after p eventually q
–  ( p  q)
– AG (p -> F q) or AG (p -> AF q)
• Fairness
–(p)
– A ((GF p)  )
Not a CTL formula
4
LTL Model Checking
Flavio Lerda
LTL Semantics
• Derived from the CTL* semantics
• Given an infinite execution trace =s0s1…
╞ p  p(s0)
╞ ¬   ¬( ╞  )
╞ 1  2 ╞ 1  ╞ 2
╞ 1  2 ╞ 1  ╞ 2
╞  i 0 i╞ 
╞  i 0 i╞ 
╞ 1 U 2i 0 i╞ 2  0  j < i j╞ 1
5
LTL Model Checking
Flavio Lerda
LTL Model Checking
• Given a model M and an LTL formula 
– All traces of M must satisfy 
– If a trace of M does not satisfy 
• Counterexample
– M is the set of traces of M
–  is the set of traces that satisfy 
• M  
• Equivalently M  ¬=
6
LTL Model Checking
Flavio Lerda
Büchi Automata
• Automaton which accepts infinite traces
• A Büchi automaton is 4-tupleS, I,, F
– S is a finite set of states
– I S is a set of initial states
–   S S is a transition relation
– F S is a set of accepting states
• An infinite sequence of states is accepted
iff it contains accepting states infinitely
often
7
LTL Model Checking
Flavio Lerda
Example
S0
S1
S2
1=S0S1S2S2S2S2…
ACCEPTED
2=S0S1S2S1S2S1…
ACCEPTED
3=S0S1S2S1S1S1…
REJECTED
8
LTL Model Checking
Flavio Lerda
Büchi Automata
• Büchi automata are non-deterministic:
– The next state is not uniquely defined
–  is a transition relation not a transition function
• Deterministic Büchi automata are not equivalent
to (non-deterministic) Büchi automata:
– Cannot convert any Büchi automaton into a
deterministic equivalent one
– There exists no optimal and efficient minimization
algorithm for non-deterministic automata
9
LTL Model Checking
Flavio Lerda
LTL and Büchi Automata
• LTL formula
– Represents a set of infinite traces which
satisfy such formula
• Büchi Automaton
– Accepts a set of infinite traces
• We can build an automaton which accepts
all and only the infinite traces represented
by an LTL formula
10
LTL Model Checking
Flavio Lerda
Labeled Büchi Automata
• Given a set of atomic proposition P
– Define a labeling function
: S  2P
– Each state is assigned a set of propositions
that must be true
– All the other propositions must be false
• Similar to the labeling for the model M
11
LTL Model Checking
Flavio Lerda
LTL Model Checking
• Given a model M and an LTL formula 
– Build the Buchi automaton B¬
– Compute product of M and B¬
• Each state of M is labeled with propositions
• Each state of B¬ is labeled with propositions
• Match states with the same labels
– The product accepts the traces of M that are
also traces of B¬ (M  ¬)
– If the product accepts any sequence
• We have found a counterexample
12
LTL Model Checking
Flavio Lerda
Nested Depth First Search
• The product is a Büchi automaton
• How do we find accepted sequences?
– Accepted sequences must contain a cycle
• In order to contain accepting states infinitely often
– We are interested only in cycles that contain
at least an accepting state
– During depth first search start a second
search when we are in an accepting states
• If we can reach the same state again we have a
cycle (and a counterexample)
13
LTL Model Checking
Flavio Lerda
Example
14
LTL Model Checking
Flavio Lerda
Example
15
LTL Model Checking
Flavio Lerda
Nested Depth First Search
procedure DFS(s)
visited = visited  {s}
for each successor s’ of s
if s’  visited then
DFS(s’)
if s’ is accepting then
DFS2(s’, s’)
end if
end if
end for
end procedure
16
LTL Model Checking
Flavio Lerda
Nested Depth First Search
procedure DFS2(s, seed)
visited2 = visited2  {s}
for each successor s’ of s
if s’ = seed then
return “Cycle Detect”;
end if
if s’  visited2 then
DFS2(s’, seed)
end if
end for
end procedure
17
LTL Model Checking
Flavio Lerda
Generating Büchi Automata
• We need a procedure to generate a Büchi
automaton given an LTL formula
– Efficiently
• Formulas are usually small
• Büchi automaton exponential in the size of the formula
• The cost of model checking is polynomial to the size of the
automaton
• Non-deterministic Büchi automata are not equivalent to
deterministic Büchi automata
– Cannot use automata minimization algorithms
• Finding the minimal automata is NP-complete
18
LTL Model Checking
Flavio Lerda
Approach
• Formula rewriting
– Rewrite the formula in negation normal form
– Apply rewriting rules
• Core translation
– Turns an LTL formula into a generalized Büchi
automaton
• Degeneralization
– Turns a generalized Büchi automaton into a
Büchi automaton
19
LTL Model Checking
Flavio Lerda
Rewriting
• Negation normal form
– Negation appears only in front of literals
– Use the following identities
•
•
•
•
•
¬¬ = 
¬G  = F ¬
¬F  = G ¬
¬( U ) = (¬) V (¬)
¬( V ) = (¬) U (¬)
• V (sometimes R) is the Release operator
– Dual of Until
20
LTL Model Checking
Flavio Lerda
Rewriting
• Additional rewriting rules:
– Reduce the size of the formula
– They are not guaranteed to yield smaller automaton
– The size of the automaton is exponential in the size of
the formula
• Examples:
– (X ) U (X ) X ( U )
– (X )  (X ) X (  )
– GF   GF   GF (  )
21
LTL Model Checking
Flavio Lerda
Generalized Büchi Automata
• Büchi automaton with multiple sets of accepting
states
• A generalized Büchi automaton is 4-tupleS, I,,
F 
–
–
–
–
S is a finite set of states
I S is a set of initial states
as before
  S S is a transition relation
F = {F1, …, Fn} 2S is a set of sets of accepting
states
• An infinite sequence of states is accepted iff it
contains infinitely often accepting states from
each of the accepting sets
22
LTL Model Checking
Flavio Lerda
Core Translation
• Make use of the following recurrence equations:
–  U =   (  X( U ))
–  V =   (  X( V ))
• The operator V (release) is the dual of U:
–  V  ( U)
• We need V (release) because we want the
formula in negation normal form
– Negation appears only in front of atomic propositions
• The core translations only handles , , U, V:
– Rewriting of:
• G  =  U false
• F  = true U 
23
LTL Model Checking
Flavio Lerda
Example
Fp
(T U p)
1
Old:{}
New:{T U p}
Next:{}
T
p
T U p = p  (T  X(T U p))
Old:{T U p}
New:{T}
New:{}
Next:{T U p}
Old:{T U p,
p}p}
New:{p}
New:{}
Next:{}
Old:{}
New:{}
Next:{}
Old:{T U p}
Next:{T U p}
Old:{T U p, p}
Next:{}
Old:{}
Next:{}
2
24
3
LTL Model Checking
Flavio Lerda
Core Translation
• Node
– Represent a sub-formula
– Contain information about the past, the
present and the future
• Conjunction of formulas as sets
• State
– Represents a state in the final automaton
– They are the nodes that have fully expanded
25
LTL Model Checking
Flavio Lerda
Core Translation
• Expansion
– Select a formula from the New field
– If it is a literal, add it toUthe
Old
 field
(  X( U ))
 V    (  X( V ))
– Otherwise
• 
(New{},Next{}) and (New{},Next{})
• U
(New{},Next{ U }) and (New{},Next{})
• V
(New{},Next{ V }) and (New{,},Next{})
26
LTL Model Checking
Flavio Lerda
Core Translation
• Nodes to states
– If a node has no New formulas
– Create a new node with all the Next formulas
– Create an edge between the two nodes
– Check if there is any equivalent state
• With the same Next field
• With the same Old field
27
LTL Model Checking
Flavio Lerda
Core Translation
• Accepting states
– Generalized Büchi automaton
• Multiple accepting sets
– One for each Until sub-formula ( U )
– Such that
• The Old field doesn’t contain  U 
or
• The Old field does contain 
28
LTL Model Checking
Flavio Lerda
Degeneralization
• Turn a generalized Büchi automaton into a
Büchi automaton
• Consider as many copies of the automaton as
the number of accepting sets
• Replace incoming edges from accepting states
with edges to the next copy
• Each cycle must go through every copy
• Each cycle must contains accepting states from
each accepting set
29
LTL Model Checking
Flavio Lerda
Example
FaFb
T
a
b
2
1
T
1,2
30
LTL Model Checking
Flavio Lerda
Example
T
a
T
b
a
T
b
T
31
LTL Model Checking
Flavio Lerda
Example
T
a
T
b
a
T
b
T
32
LTL Model Checking
Flavio Lerda
Example
T
a
T
b
a
T
b
T
33
LTL Model Checking
Flavio Lerda
Example
T
a
b
T
T
34
LTL Model Checking
Flavio Lerda
Example
T
a
b
T
T
35
LTL Model Checking
Flavio Lerda
Optimizations
• Can be done at each stage
• Try to minimize
– The number of states and transitions
– The number of accepting states
• Involve
– Strongly connected components
– Fair (bi)simulation
• Expensive but
– The Büchi automaton is usually small
– The saving during verification can be very high
36