
LTL Model Checking

Radu Iosif ([email protected])


Linear Temporal Logic (LTL)

  • Not exclusively for model checking

  • Also meant for deduction (Manna, Pnueli)

  • So, there must be some equations involving LTL terms


Kripke Structures

  • $AP = \{p, q, r, \ldots\}$ is a set of atomic propositions

  • $K = \langle S, R, L \rangle$ is a K-structure (Kripke structure), where:

    • $S$ is a finite set of states

    • $R \subseteq S \times S$ is a transition relation

    • $L : S \to \mathcal{P}(AP)$ is a labeling function ($\mathcal{P}(AP)$ is the powerset of $AP$)

  • $w = x_0, x_1, \ldots$ is the word generated by a path $\pi = s_0, s_1, \ldots$ of $K$ (with $(s_i, s_{i+1}) \in R$) such that $x_i = L(s_i)$ for all $i \geq 0$


LTL Syntax

  • $p \in AP$ is a formula

  • $\mathit{true}$ is a formula

  • if $f, g$ are formulae, then:

    • $\neg f$

    • $f \lor g$

    • $X f$

    • $f\,U\,g$

      are formulae


LTL Semantics

Defined on Kripke structures $K = (S, R, L)$ and infinite paths $\pi = s_0, s_1, \ldots$ of $K$; $\pi^i = s_i, s_{i+1}, \ldots$ denotes the suffix of $\pi$ starting at position $i$ (so $\pi^0 = \pi$):

  • $K, \pi \models \mathit{true}$ always

  • $K, \pi \models p$ iff $\pi = s_0, s_1, \ldots$ and $p \in L(s_0)$

  • $K, \pi \models \neg f$ iff not $K, \pi \models f$

  • $K, \pi \models f \lor g$ iff $K, \pi \models f$ or $K, \pi \models g$

  • $K, \pi \models X f$ iff $\pi = s_0, s_1, s_2, \ldots$ and $K, \pi^1 \models f$, i.e. $K, (s_1, s_2, \ldots) \models f$

  • $K, \pi \models f\,U\,g$ iff $\exists k \geq 0 .\ K, \pi^k \models g$ and $\forall\, 0 \leq i < k .\ K, \pi^i \models f$


LTL Syntactic Sugar

We write:

  • $\mathit{false} \equiv \neg \mathit{true}$

  • $f \land g \equiv \neg(\neg f \lor \neg g)$

  • $F g \equiv \mathit{true}\,U\,g$

  • $G f \equiv \neg F(\neg f)$

  • $f\,W\,g \equiv (G f) \lor (f\,U\,g)$ (weak until)

  • $f\,V\,g \equiv \neg(\neg f\,U\,\neg g)$ (release)


LTL equations

$f\,U\,g = g \lor (f \land X(f\,U\,g))$

$f\,V\,g = g \land (f \lor X(f\,V\,g))$

$\phantom{f\,V\,g} = (g \land f) \lor (g \land X(f\,V\,g))$

  • hold for every $K, \pi$ assuming that $\pi$ is an infinite path
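The following is an added example, not code from the slides: a small Python evaluator that implements the semantics above literally (formulas as nested tuples, the sugar defined exactly as on the slides) on an ultimately periodic path, i.e. a finite prefix followed by a loop, which is the shape of every counterexample a model checker reports. Because the suffixes of such a path repeat, the existential search in the U clause is finite. The paths built in the `__main__` block are constructed samples; `until_equation_holds` and `release_equation_holds` check the two expansion equations on a path.

```python
# Added example (not from the slides): a direct implementation of the LTL
# semantics on an ultimately periodic path, used to check the slides'
# syntactic sugar and expansion equations on constructed sample paths.

# Formulas in the slides' core syntax, as nested tuples:
#   ("true",)  ("p", name)  ("not", f)  ("or", f, g)  ("X", f)  ("U", f, g)
TRUE = ("true",)
def prop(name): return ("p", name)
def Not(f): return ("not", f)
def Or(f, g): return ("or", f, g)
def X(f): return ("X", f)
def U(f, g): return ("U", f, g)

# Syntactic sugar, defined exactly as on the slides.
FALSE = Not(TRUE)
def And(f, g): return Not(Or(Not(f), Not(g)))
def F(g): return U(TRUE, g)
def G(f): return Not(F(Not(f)))
def W(f, g): return Or(G(f), U(f, g))        # weak until
def V(f, g): return Not(U(Not(f), Not(g)))   # release

class Lasso:
    """The word w = x0, x1, ... of an infinite path, with x_i = L(s_i): a finite
    prefix followed by a loop repeated forever."""
    def __init__(self, prefix, loop):
        if not loop:
            raise ValueError("loop must be non-empty: the path has to be infinite")
        self.prefix = [frozenset(x) for x in prefix]
        self.loop = [frozenset(x) for x in loop]

    def label(self, i):
        """x_i = L(s_i), wrapping around inside the loop."""
        if i < len(self.prefix):
            return self.prefix[i]
        return self.loop[(i - len(self.prefix)) % len(self.loop)]

    def distinct_suffixes(self):
        """pi^i and pi^(i+len(loop)) coincide once i is inside the loop, so from
        any position at most this many suffixes are pairwise different."""
        return len(self.prefix) + len(self.loop)

def holds(word, f, i=0):
    """K, pi^i |= f for the suffix pi^i = s_i, s_{i+1}, ... of the given word."""
    op = f[0]
    if op == "true":
        return True
    if op == "p":                       # p in L(s_i)
        return f[1] in word.label(i)
    if op == "not":
        return not holds(word, f[1], i)
    if op == "or":
        return holds(word, f[1], i) or holds(word, f[2], i)
    if op == "X":                       # move to the suffix pi^(i+1)
        return holds(word, f[1], i + 1)
    if op == "U":
        # exists k >= i with pi^k |= g and pi^j |= f for all i <= j < k.  After
        # distinct_suffixes() steps every suffix repeats one already examined,
        # so the search is finite even though the path is not.
        for k in range(i, i + word.distinct_suffixes()):
            if holds(word, f[2], k):
                return True
            if not holds(word, f[1], k):
                return False
        return False
    raise ValueError(f"unknown operator {op!r}")

def until_equation_holds(word, f, g):
    """f U g = g or (f and X(f U g)), evaluated on this path."""
    return holds(word, U(f, g)) == holds(word, Or(g, And(f, X(U(f, g)))))

def release_equation_holds(word, f, g):
    """f V g = g and (f or X(f V g)), evaluated on this path."""
    return holds(word, V(f, g)) == holds(word, And(g, Or(f, X(V(f, g)))))

if __name__ == "__main__":
    p, q = prop("p"), prop("q")
    # Constructed sample paths: one label set per state, prefix then loop.
    reaches_q = Lasso([{"p"}, {"p"}], [{"q"}])       # p p (q)^omega
    p_forever = Lasso([{"p"}], [{"p"}])              # p (p)^omega
    for name, w in [("reaches_q", reaches_q), ("p_forever", p_forever)]:
        print(name, "p U q:", holds(w, U(p, q)), "p W q:", holds(w, W(p, q)),
              "G p:", holds(w, G(p)), "F q:", holds(w, F(q)),
              "until eq:", until_equation_holds(w, p, q))
```

The evaluator is only usable on lasso-shaped paths; deciding $K, \pi \models f$ for every path of a Kripke structure is the model checking problem of the next section, which is why the automaton construction is needed.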


LTL model checking

The model checking problem:

  • find whether every path $\pi$ generated by a Kripke structure $K$ is a model of an LTL formula $f$ (notation $K, \pi \models f$)

    To model check an LTL formula $f$:

  • first negate it, then derive the negation normal form of $\neg f$

  • then build an automaton $A_{\neg f}$ out of the negated formula

  • the problem is reduced to finding out whether

    $L(A_{\neg f}) \cap L(K) = \emptyset$


Negation normal form: example

$\neg((A\,U\,(B\,U\,C)) \lor D) = \neg(A\,U\,(B\,U\,C)) \land \neg D$

$= (\neg A\,V\,\neg(B\,U\,C)) \land \neg D$

$= (\neg A\,V\,(\neg B\,V\,\neg C)) \land \neg D$


TABLEAU

A tableau is a proof process represented by a graph, in which edges represent the steps actually taken by the prover, and nodes the intermediate states of the proof

A node in the tableau consists of:

  • name = unique name of the node

  • incoming = set of ancestors

  • new = current proof obligation

  • old = already met proof obligation

  • next = proof obligation in the next state


Tableau for p U q (step 1)

Nodes = {}

name = Node1 incoming = {init}

new = {p U q} old = {} next = {}


Tableau for p U q (step 2)

Nodes = {}

name = Node1 incoming = {init}

new = {p U q} old = {} next = {}

name = Node2 incoming = {init}

new = {q} old = {p U q} next = {}

name = Node3 incoming = {init}

new = {p} old = {p U q} next = {p U q}


Tableau for p U q (step 3)

Nodes = {}

name = Node1 incoming = {init}

new = {p U q} old = {} next = {}

name = Node2 incoming = {init}

new = {q} old = {p U q} next = {}

name = Node3 incoming = {init}

new = {p} old = {p U q} next = {p U q}

name = Node2’ incoming = {init}

new = {} old = {q, p U q} next = {}


Tableau for p U q (step 4)

Nodes = {2’}

name = Node2’ incoming = {init}

new = {} old = {q, p U q} next = {}

name = Node2’’ incoming = {Node2’}

new = {} old = {} next = {}


Tableau for p U q (step 5)

Nodes = {2’, 2’’}

name = Node2’ incoming = {init}

new = {} old = {q, p U q} next = {}

name = Node2’’ incoming = {Node2’, Node2’’}

new = {} old = {} next = {}

name = Node2’’’ incoming = {Node2’’}

new = {} old = {} next = {}

(Node2’’’ has the same old and next as Node2’’, so it is merged into Node2’’: incoming(2’’) = {Node2’, Node2’’})


Tableau for p U q (step 6)

Nodes = {2’, 2’’}

name = Node1 incoming = {init}

new = {p U q} old = {} next = {}

name = Node2 incoming = {init}

new = {q} old = {p U q} next = {}

name = Node3 incoming = {init}

new = {p} old = {p U q} next = {p U q}

name = Node3’ incoming = {init}

new = {} old = {p, p U q} next = {p U q}


Tableau for p U q (step 7)

Nodes = {2’, 2’’, 3’}

name = Node3 incoming = {init}

new = {p} old = {p U q} next = {p U q}

name = Node3’ incoming = {init}

new = {} old = {p, p U q} next = {p U q}

name = Node3’’ incoming = {Node3’}

new = {p U q} old = {} next = {}


Tableau for p U q (step 8)

Nodes = {2’, 2’’, 3’}

name = Node3’’ incoming = {Node3’}

new = {p U q} old = {} next = {}

name = Node4 incoming = {Node3’}

new = {q} old = {p U q} next = {}

name = Node5 incoming = {Node3’}

new = {p} old = {p U q} next = {p U q}


Tableau for p U q (step 9)

Nodes = {2’, 2’’, 3’}

name = Node3’’ incoming = {Node3’}

new = {p U q} old = {} next = {}

name = Node4 incoming = {Node3’}

new = {q} old = {p U q} next = {}

name = Node5 incoming = {Node3’}

new = {p} old = {p U q} next = {p U q}

name = Node4’ incoming = {Node3’}

new = {} old = {q, p U q} next = {}

(Node4’ has the same old and next as Node2’, so it is merged into Node2’: incoming(2’) = {init, Node3’})


Tableau for p U q (step 10)

Nodes = {2’, 2’’, 3’}

name = Node3’’ incoming = {Node3’}

new = {p U q} old = {} next = {}

name = Node4 incoming = {Node3’}

new = {q} old = {p U q} next = {}

name = Node5 incoming = {Node3’}

new = {p} old = {p U q} next = {p U q}

name = Node5’ incoming = {Node3’}

new = {} old = {p, p U q} next = {p U q}

(Node5’ has the same old and next as Node3’, so it is merged into Node3’: incoming(3’) = {init, Node3’})

Resulting automaton

States: init (initial), Node2’, Node3’, Node2’’. Each edge is labelled with the atomic propositions its target node requires of the state read on that edge ({} = true):

  • init → Node2’ on {q}

  • init → Node3’ on {p}

  • Node3’ → Node2’ on {q}

  • Node3’ → Node3’ on {p}

  • Node2’ → Node2’’ on {} = true

  • Node2’’ → Node2’’ on {} = true

An LTL formula $f$ is satisfied iff there exists an infinite path in $A_f$ visiting an acceptance state infinitely often
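As an added example (not the slides' code), the procedure of the last three sections in Python: `negate` produces the negation normal form of $\neg f$ using the dualities above (it reproduces the A, B, C, D example), and `Tableau` is the expansion algorithm of Gerth, Peled, Vardi and Wolper (GPVW, 1995), whose node fields name/incoming/new/old/next are the ones the slides use. Run on p U q it produces the three nodes of the resulting automaton with the incoming sets shown above; node names come from a counter and differ from the slides' primed names. The acceptance condition in `accepting` is GPVW's, which the slides do not spell out: for each subformula f U g, a node is accepting if g is in its old set or f U g is not (the until obligation is not left pending there).

```python
# Added example (not the slides' code): NNF and the GPVW tableau expansion.
from dataclasses import dataclass
from itertools import count

# NNF formulas as nested tuples; negation is applied to atoms only.
TRUE, FALSE = ("true",), ("false",)
def prop(n): return ("p", n)
def neg(n): return ("not", ("p", n))
def And(f, g): return ("and", f, g)
def Or(f, g): return ("or", f, g)
def X(f): return ("X", f)
def U(f, g): return ("U", f, g)
def V(f, g): return ("V", f, g)

def negate(f):
    """NNF of the negation of an NNF formula, pushing the negation inward with
    the slides' dualities: not(f U g) = not f V not g, and the other way round."""
    op = f[0]
    if op == "true": return FALSE
    if op == "false": return TRUE
    if op == "p": return ("not", f)
    if op == "not": return f[1]
    if op == "X": return X(negate(f[1]))
    dual = {"and": "or", "or": "and", "U": "V", "V": "U"}[op]
    return (dual, negate(f[1]), negate(f[2]))

def untils(f):
    """All f U g subformulas; each one contributes an acceptance condition."""
    if f[0] == "U":
        yield f
    for sub in f[1:]:
        if isinstance(sub, tuple):
            yield from untils(sub)

@dataclass
class Node:
    name: str
    incoming: set        # names of predecessor nodes ("init" for the start)
    new: frozenset       # obligations still to be processed in this node
    old: frozenset       # obligations already processed in this node
    next: frozenset      # obligations passed on to the successor node

class Tableau:
    def __init__(self, phi):
        self.phi = phi
        self.nodes = {}                  # the slides' Nodes set, keyed by name
        self._ids = count(1)
        self.expand(Node(self.fresh(), {"init"}, frozenset([phi]), frozenset(), frozenset()))

    def fresh(self):
        return f"Node{next(self._ids)}"

    def expand(self, node):
        if not node.new:
            # Fully processed: merge into a stored node with the same old and next
            # (the slides' "incoming(2') = {init, Node3'}" step), or keep it and
            # open the successor whose obligations are this node's next set.
            for other in self.nodes.values():
                if other.old == node.old and other.next == node.next:
                    other.incoming |= node.incoming
                    return
            self.nodes[node.name] = node
            self.expand(Node(self.fresh(), {node.name}, node.next, frozenset(), frozenset()))
            return
        eta = min(node.new, key=repr)    # deterministic choice of an obligation
        rest, old = node.new - {eta}, node.old | {eta}
        op = eta[0]
        if op in ("true", "false", "p", "not"):
            if op == "false" or negate(eta) in node.old:
                return                   # contradictory node: drop this branch
            self.expand(Node(node.name, node.incoming, rest, old, node.next))
        elif op == "and":
            self.expand(Node(node.name, node.incoming, rest | ({eta[1], eta[2]} - node.old), old, node.next))
        elif op == "X":
            self.expand(Node(node.name, node.incoming, rest, old, node.next | {eta[1]}))
        else:
            # f U g, f V g and f or g split the node in two, following the slides'
            # expansion equations; the g-branch of an until is opened first, as
            # on the slides (Node2 before Node3).
            f, g = eta[1], eta[2]
            now, later = {"U": ({g}, {f}), "V": ({f, g}, {g}), "or": ({g}, {f})}[op]
            self.expand(Node(self.fresh(), set(node.incoming), rest | (now - node.old), old, node.next))
            carry = set() if op == "or" else {eta}
            self.expand(Node(self.fresh(), set(node.incoming), rest | (later - node.old), old, node.next | carry))

    def accepting(self, name):
        """GPVW acceptance: for every f U g of phi, g is in old or f U g is not."""
        old = self.nodes[name].old
        return all(u[2] in old or u not in old for u in untils(self.phi))

    def transitions(self):
        """Edges (src, literals, dst); the literals in old(dst) are what the
        Kripke state read on the edge must satisfy (empty = true)."""
        return sorted((src, tuple(sorted(l for l in n.old if l[0] in ("p", "not"))), n.name)
                      for n in self.nodes.values() for src in n.incoming)

if __name__ == "__main__":
    t = Tableau(U(prop("p"), prop("q")))
    for src, lits, dst in t.transitions():
        print(f"{src} --{lits or 'true'}--> {dst}  accepting={t.accepting(dst)}")
    print(negate(Or(U(prop("A"), U(prop("B"), prop("C"))), prop("D"))))
```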


Automata-Theoretic model checking

  • Invented by Vardi and Wolper in the 80’s

  • Implemented in SPIN in the 90’s

  • The language intersection problem $L(A_{\neg f}) \cap L(K) = \emptyset$ is reduced to:

    • computing the synchronous product $A_{\neg f} \times K$

    • checking whether the synchronous product contains an acceptance cycle

    • if so, there exists a violation of $f$ on some execution path of $K$

    • the model checker will show us the counterexample
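The three steps above as an added example in Python (not the slides' or SPIN's code). The Büchi automaton is the slides' resulting automaton for p U q, so the property being checked is $f = \neg(p\,U\,q)$; its acceptance states Node2’ and Node2’’ are an assumption taken from the GPVW condition (the nodes that do not leave the obligation p U q pending), which the slides do not list. The Kripke structures are constructed: reading p as "the request is still unauthenticated" and q as "the secret is sent", $f$ says that no run stays unauthenticated right up to the point where the secret goes out. `find_accepting_cycle` is the nested depth-first search SPIN uses, and a hit is returned as the lasso-shaped counterexample.

```python
# Added example (not the slides' code): synchronous product of a Kripke
# structure with A_{not f} and nested-DFS search for an acceptance cycle.

# A_{not f} for f = not(p U q), copied from the slides' resulting automaton:
# src -> {dst: propositions the next Kripke state must satisfy} ({} = true).
AUTOMATON = {
    "init":    {"Node2'": {"q"}, "Node3'": {"p"}},
    "Node3'":  {"Node2'": {"q"}, "Node3'": {"p"}},
    "Node2'":  {"Node2''": set()},
    "Node2''": {"Node2''": set()},
}
ACCEPTING = {"Node2'", "Node2''"}   # assumption: GPVW acceptance for p U q

def product_initials(kripke):
    """Initial product states (s0, a): the Kripke start state paired with each
    automaton state reachable from init whose label s0 satisfies."""
    s0, labels = kripke["init"], kripke["L"]
    return [(s0, a) for a, lits in sorted(AUTOMATON["init"].items()) if lits <= labels[s0]]

def product_successors(kripke):
    """Synchronous product: K and A_{not f} step together; an automaton edge is
    enabled only if the Kripke state reached satisfies its label."""
    labels, R = kripke["L"], kripke["R"]
    def succ(state):
        s, a = state
        return [(s2, a2) for s2 in sorted(R.get(s, ()))
                for a2, lits in sorted(AUTOMATON[a].items()) if lits <= labels[s2]]
    return succ

def find_accepting_cycle(initials, succ, accepting):
    """Nested DFS (Courcoubetis, Vardi, Wolper and Yannakakis; used by SPIN):
    the outer DFS leaves states in post-order and, at each accepting one, an
    inner DFS looks for a path back to it.  Returns (prefix, cycle) or None."""
    seen1, seen2, path = set(), set(), []

    def inner(s, seed, cycle):
        seen2.add(s)
        for t in succ(s):
            if t == seed:
                return cycle + [t]
            if t not in seen2:
                found = inner(t, seed, cycle + [t])
                if found:
                    return found
        return None

    def outer(s):
        seen1.add(s)
        path.append(s)
        for t in succ(s):
            if t not in seen1:
                found = outer(t)
                if found:
                    return found
        if accepting(s):
            cycle = inner(s, s, [])
            if cycle:
                return list(path), cycle
        path.pop()
        return None

    for s0 in initials:
        if s0 not in seen1:
            found = outer(s0)
            if found:
                return found
    return None

def model_check(kripke):
    """None if f holds on every path of K; otherwise the counterexample as
    Kripke states, (prefix, cycle), i.e. a path of K accepted by A_{not f}."""
    result = find_accepting_cycle(product_initials(kripke), product_successors(kripke),
                                  lambda state: state[1] in ACCEPTING)
    if result is None:
        return None
    prefix, cycle = result
    return [s for s, _ in prefix], [s for s, _ in cycle]

# Constructed sample structures (not from the slides); R maps a state to its
# successors, L to its label set.
# Vulnerable: the request stays unauthenticated until the secret is sent.
K_VULNERABLE = {"init": "s0",
                "R": {"s0": {"s1"}, "s1": {"s2"}, "s2": {"s2"}},
                "L": {"s0": {"p"}, "s1": {"p"}, "s2": {"q"}}}
# Fixed: s1 is the authentication check, so p no longer holds before q does.
K_FIXED = {"init": "s0",
           "R": {"s0": {"s1"}, "s1": {"s2"}, "s2": {"s2"}},
           "L": {"s0": {"p"}, "s1": set(), "s2": {"q"}}}
# Stuck: p forever, q never; p U q is never fulfilled, so no acceptance cycle.
K_STALL = {"init": "s0", "R": {"s0": {"s0"}}, "L": {"s0": {"p"}}}

if __name__ == "__main__":
    for name, k in [("K_VULNERABLE", K_VULNERABLE), ("K_FIXED", K_FIXED), ("K_STALL", K_STALL)]:
        print(name, "->", model_check(k) or "f holds on every path")
```

`K_STALL` is the case that makes the acceptance condition necessary: the product has a cycle through Node3’, but Node3’ still carries the pending obligation p U q, so the cycle is not an acceptance cycle and no violation is reported.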

