### LTL Model Checking

Radu Iosif ([email protected])

Linear Temporal Logic (LTL)

- Not exclusively for model checking
- Also meant for deduction (Manna, Pnueli)
- So there must be some equations involving LTL terms

Kripke Structures

- AP = {p, q, r, …} is a set of atomic propositions
- K = <S, R, L> is a Kripke structure (K-structure), where:
  - S is a finite set of states
  - R ⊆ S × S is a transition relation
  - L : S → P(AP) is a labeling function
- w = x0, x1, … is the word of the path π = s0, s1, … such that xi ∈ L(si) for all i ≥ 0

LTL Syntax

- p ∈ AP is a formula
- true is a formula
- if f, g are formulae, then:
  - ¬f
  - f ∨ g
  - X f
  - f U g

are formulae

LTL Semantics

Defined on Kripke structures K = (S, R, L) and infinite paths π of K:

- K, π ⊨ true always
- K, π ⊨ p iff π = s0, s1, … and p ∈ L(s0)
- K, π ⊨ ¬f iff not K, π ⊨ f
- K, π ⊨ f ∨ g iff K, π ⊨ f or K, π ⊨ g
- K, π ⊨ X f iff π = s0, s1, s2, … and K, s1, s2, … ⊨ f
- K, π ⊨ f U g iff π = s0, s1, … and ∃k ≥ 0 . K, sk, sk+1, … ⊨ g and ∀i, 0 ≤ i < k . K, si, si+1, … ⊨ f

LTL Syntactic Sugar

We write:

- false ≡ ¬true
- f ∧ g ≡ ¬(¬f ∨ ¬g)
- F g ≡ true U g
- G f ≡ ¬F(¬f)
- f W g ≡ (G f) ∨ (f U g) (weak until)
- f V g ≡ ¬(¬f U ¬g) (release)

LTL equations

f U g = g ∨ (f ∧ X(f U g))

f V g = g ∧ (f ∨ X(f V g))

= (g ∧ f) ∨ (g ∧ X(f V g))

- hold for every K, π, assuming that π is an infinite path

LTL model checking

The model checking problem:

- find whether a path π generated by a Kripke structure K is a model for an LTL formula f (notation K, π ⊨ f)

To model check an LTL formula f:

- first negate it, then derive the negation normal form
- then build an automaton A¬f out of the negated formula
- the problem is reduced to finding out whether

L(A¬f) ∩ L(K) = ∅

Negation normal form: example

¬((A U (B U C)) ∨ D) = ¬(A U (B U C)) ∧ ¬D

= (¬A V ¬(B U C)) ∧ ¬D

= (¬A V (¬B V ¬C)) ∧ ¬D
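The rewriting above, as an added example that is not part of the slides: a Python function that pushes negation inward using the dualities from the syntactic-sugar slide (¬¬f = f, De Morgan for ∨/∧, ¬X f = X ¬f, ¬(f U g) = ¬f V ¬g and ¬(f V g) = ¬f U ¬g). The nested-tuple encoding of formulas and the `show` renderer are choices made here.

```python
# Added example (not from the slides).  Formulas are nested tuples:
# ('ap', 'A'), 'true', 'false' (= ¬true), ('not', f), ('or', f, g),
# ('and', f, g), ('X', f), ('U', f, g), ('V', f, g).
DUAL = {'or': 'and', 'and': 'or', 'U': 'V', 'V': 'U'}   # ¬(f op g) = ¬f dual(op) ¬g

def nnf(phi):
    """Return an equivalent formula in which ¬ is applied to atoms only."""
    if phi in ('true', 'false') or phi[0] == 'ap':
        return phi
    if phi[0] == 'not':
        g = phi[1]
        if g == 'true':
            return 'false'
        if g == 'false':
            return 'true'
        if g[0] == 'ap':
            return phi                                   # ¬A is already a literal
        if g[0] == 'not':
            return nnf(g[1])                             # ¬¬h = h
        if g[0] == 'X':
            return ('X', nnf(('not', g[1])))             # ¬X h = X ¬h
        return (DUAL[g[0]], nnf(('not', g[1])), nnf(('not', g[2])))
    if phi[0] == 'X':
        return ('X', nnf(phi[1]))
    return (phi[0], nnf(phi[1]), nnf(phi[2]))           # ∨, ∧, U, V: recurse into operands

def show(phi):
    """Render a formula in the notation of the slides."""
    if isinstance(phi, str):
        return phi
    if phi[0] == 'ap':
        return phi[1]
    if phi[0] == 'not':
        return '¬' + show(phi[1])
    if phi[0] == 'X':
        return 'X ' + show(phi[1])
    sym = {'or': '∨', 'and': '∧', 'U': 'U', 'V': 'V'}[phi[0]]
    return '(%s %s %s)' % (show(phi[1]), sym, show(phi[2]))

# The example from the slides: ¬((A U (B U C)) ∨ D)
A, B, C, D = ('ap', 'A'), ('ap', 'B'), ('ap', 'C'), ('ap', 'D')
EXAMPLE = ('not', ('or', ('U', A, ('U', B, C)), D))

if __name__ == '__main__':
    print(show(EXAMPLE), '=', show(nnf(EXAMPLE)))
```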

TABLEAU

A tableau is a proof process represented by a graph, in which the edges represent the steps actually taken by the prover and the nodes the intermediate states of the proof.

A node in the tableau consists of:

- name = unique name of the node
- incoming = set of ancestors
- new = current proof obligation
- old = already met proof obligation
- next = proof obligation in the next state

Tableau for p U q

Nodes = {}

- Node1: incoming = {init}, new = {p U q}, old = {}, next = {}
- Node2: incoming = {init}, new = {q}, old = {p U q}, next = {}
- Node3: incoming = {init}, new = {p}, old = {p U q}, next = {p U q}
- Node2’: incoming = {init}, new = {}, old = {q, p U q}, next = {}

Nodes = {2’}

- Node2’’: incoming = {Node2’}, new = {}, old = {}, next = {}

Nodes = {2’, 2’’}

- Node2’’: incoming = {Node2’, Node2’’}, new = {}, old = {}, next = {}
- Node2’’’: incoming = {Node2’’}, new = {}, old = {}, next = {}
- Node3’: incoming = {init}, new = {}, old = {p, p U q}, next = {p U q}

Nodes = {2’, 2’’, 3’}

- Node3’’: incoming = {Node3’}, new = {p U q}, old = {}, next = {}
- Node4: incoming = {Node3’}, new = {q}, old = {p U q}, next = {}
- Node5: incoming = {Node3’}, new = {p}, old = {p U q}, next = {p U q}
- Node4’: incoming = {Node3’}, new = {}, old = {q, p U q}, next = {}
- Node5: incoming = {Node3’}, new = {}, old = {p, p U q}, next = {p U q}
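The node expansion behind the trace above, as an added example that is not part of the slides: `expand` moves one formula from `new` to `old` and splits the node according to the equations of the "LTL equations" slide, `successor` turns a finished node's `next` into the `new` of the following state, and `same_state` is the merge criterion under which Node4’ collapses onto Node2’ (the slides show the merged result; the criterion is the standard one for this construction and is an assumption here). Child names carry the suffixes a/b/’ rather than the slides' numbering.

```python
from dataclasses import dataclass
# Formulas in negation normal form, as nested tuples: ('ap', 'p'),
# ('not', ('ap', 'p')), 'true', 'false', ('or', f, g), ('and', f, g),
# ('X', f), ('U', f, g), ('V', f, g).  Encoding chosen for this example.

@dataclass(frozen=True)
class Node:                       # the node record of the "TABLEAU" slide
    name: str
    incoming: frozenset
    new: frozenset
    old: frozenset = frozenset()
    next: frozenset = frozenset()

def expand(node):
    """One tableau step: move a formula from `new` to `old` and return the child
    node(s) it produces (two for a disjunctive split, one otherwise, none if the
    node is contradictory)."""
    if not node.new:
        return [node]                         # nothing left to prove in this state
    phi = min(node.new, key=repr)             # deterministic pick (choice made here)
    rest, old = node.new - {phi}, node.old | {phi}
    def child(suffix, add_new, add_next=frozenset()):
        return Node(node.name + suffix, node.incoming,
                    rest | (add_new - old), old, node.next | add_next)
    if phi == 'false':
        return []                             # false can never be proved: drop the node
    if phi == 'true' or phi[0] in ('ap', 'not'):
        return [child("'", frozenset())]      # literal: just record it in `old`
    op, g, h = phi[0], phi[1], (phi[2] if len(phi) == 3 else None)
    if op == 'and':
        return [child("'", frozenset({g, h}))]            # prove both operands now
    if op == 'X':
        return [child("'", frozenset(), frozenset({g}))]  # postpone g to the next state
    if op == 'or':
        return [child("a", frozenset({g})), child("b", frozenset({h}))]
    if op == 'U':   # g U h = h ∨ (g ∧ X(g U h)), the first equation on the slides
        return [child("a", frozenset({h})), child("b", frozenset({g}), frozenset({phi}))]
    if op == 'V':   # g V h = (h ∧ g) ∨ (h ∧ X(g V h)), the second equation
        return [child("a", frozenset({g, h})), child("b", frozenset({h}), frozenset({phi}))]
    raise ValueError('unknown operator %r' % op)

def successor(node):
    """A fully expanded node is a state; its `next` set becomes the proof
    obligation `new` of the following state (Node3' -> Node3'' on the slides)."""
    return Node(node.name + "'", frozenset({node.name}), node.next)

def same_state(a, b):
    """Merge criterion (assumed here; the slides only show its effect): two expanded
    nodes with equal `old` and `next` are one automaton state, e.g. Node4' and Node2'."""
    return a.old == b.old and a.next == b.next
```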

Resulting automaton

(Figure: the automaton obtained from the tableau. States: init, Node2’, Node3’, Node2’’; transitions labelled {p}, {q} and {} = true.)

An LTL formula f is satisfied iff there exists an infinite path in Af containing an acceptance state infinitely often

Automata-Theoretic model checking

- Invented by Vardi and Wolper in the 80s
- Implemented in SPIN in the 90s
- The language intersection problem L(A¬f) ∩ L(K) = ∅ is reduced to:
  - computing the synchronous product (A¬f) × K
  - checking whether the synchronous product contains an acceptance cycle
  - if so, there exists a violation of f on some execution path of K
  - the model checker will show us the counterexample
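The language-intersection check of this slide, as an added example that is not part of the slides: a constructed Kripke structure, a constructed automaton for ¬(G p) (that is, F ¬p), the synchronous product built on the fly, and a search for a reachable accepting cycle. The encoding of edge labels as sets of literals and the BFS-based cycle test are choices made here; SPIN uses a nested depth-first search for the same question.

```python
from collections import deque

# Constructed Kripke structure K = <S, R, L>: K_L maps each state to its
# propositions, K_R is the transition relation as an adjacency list.
K_L = {'s0': {'p'}, 's1': {'p'}, 's2': set()}
K_R = {'s0': ['s1'], 's1': ['s0', 's2'], 's2': ['s2']}

# Constructed automaton for the negation of G p, i.e. F ¬p.  Edge labels are
# sets of literals ('p' or ('not', 'p')) that must all hold in the Kripke state
# being left; the empty set is "true", as on the slides.
A_R = {'init': [('init', set()), ('acc', {('not', 'p')})],
       'acc': [('acc', set())]}
A_ACCEPT = {'acc'}

def holds(label, props):
    """Every literal of an edge label is true under the labelling `props`."""
    return all((lit[1] not in props) if isinstance(lit, tuple) else (lit in props)
               for lit in label)

def reachable(start, succ):
    """Breadth-first set of states reachable from `start` (start included)."""
    seen, todo = {start}, deque([start])
    while todo:
        x = todo.popleft()
        for y in succ(x):
            if y not in seen:
                seen.add(y)
                todo.append(y)
    return seen

def find_acceptance_cycle(k_l, k_r, k_init, a_r, a_init, a_accept):
    """Explore the synchronous product A x K on the fly and return a product
    state (s, a) with a accepting that lies on a reachable cycle, or None.
    A hit means L(A) ∩ L(K) ≠ ∅: some execution of K violates the property."""
    def succ(state):
        s, a = state                       # both components move in lock-step;
        return [(s2, a2) for s2 in k_r[s]  # A reads L(s), the label of the state it leaves
                for a2, label in a_r[a] if holds(label, k_l[s])]
    for st in reachable((k_init, a_init), succ):
        if st[1] in a_accept and any(st in reachable(nxt, succ) for nxt in succ(st)):
            return st                      # accepting and reachable from itself: a cycle
    return None

if __name__ == '__main__':
    # The lasso s0 s1 (s2)^omega stops satisfying p, so G p is violated.
    print(find_acceptance_cycle(K_L, K_R, 's0', A_R, 'init', A_ACCEPT))
```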
