
LTL – model checking

LTL – model checking. Jonas Kongslund, Peter Mechlenborg, Christian Plesner, Kristian Støvring Sørensen. Overview: System, Negation of property, PLTL-formula ( ), Model, State space, Model checker, Normal-form formula, Graph, Generalised Büchi automaton, Büchi automaton (Asys).



  1. LTL – model checking Jonas Kongslund Peter Mechlenborg Christian Plesner Kristian Støvring Sørensen

  2. Overview System Negation of property PLTL-formula () Model State space Model checker Normal-form formula Graph Generalised Büchi automaton Büchi automaton (Asys) Büchi automaton (A ) Product automaton (Asys A ) Checking emptiness Yes! No!

  3. Büchi Automata • Def.: Labelled Büchi Automaton

  4. Büchi Automata 2 • Def.: Run of a LBA

  5. Büchi Automata 3 • Example: Σ={a,b,c,d,e} [figure: an LBA whose edges are labelled {a,d}, {b} and {c}; it accepts the language (a|d)(bc+)ω]

  6. Büchi Automata 4 • For each PLTL formula φ one can construct an LBA Aφ s.t. Lω(Aφ) is the sequences of sets of atomic propositions that satisfy φ. • Let Σ=2AP where AP is the set of atomic propositions.

  7. Büchi Automata 5 • Def.: Generalised LBA

  8. Getting Normal LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? • Eliminate F and G operators • Make negations adjacent to atomic propositions • Example:

  9. LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? Getting Normal 2 • Past operators do not add any expressive power to LTL • Why are they useful? • Past operators are not easily expressed with future operators

  10. LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? Getting Normal 3 • Past operators do not add any expressive power to LTL • Why are they useful? • Past operators are not easy to translate to normal form • Possible exponential blowup
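The normal-form step of slides 8-10, as an added Python example (it is not code from the slides): F and G are eliminated and negations are pushed down onto atomic propositions. The dual of U (the "evil twin" whose glyph was lost in extraction) is assumed here to be the release operator R, with F φ ≡ true U φ and G φ ≡ false R φ. Past operators are not handled. The formula, operator names and constructors are constructed for this example.

```python
# Constructors for the abstract syntax: a formula is a nested tuple whose
# first element is the operator name. (Constructed encoding, not the slides'.)
TRUE, FALSE = ('true',), ('false',)
def ap(name):        return ('ap', name)
def neg(f):          return ('not', f)
def conj(f, g):      return ('and', f, g)
def disj(f, g):      return ('or', f, g)
def nxt(f):          return ('X', f)
def until(f, g):     return ('U', f, g)
def release(f, g):   return ('R', f, g)   # dual of U, assumed to be the "evil twin"
def finally_(f):     return ('F', f)
def globally(f):     return ('G', f)

def normal_form(f):
    """Eliminate F and G and push negations down to atomic propositions.
    The result uses only true/false, atoms, negated atoms, and, or, X, U and R."""
    op = f[0]
    if op in ('true', 'false', 'ap'):
        return f
    if op == 'not':
        return negate(f[1])
    if op == 'F':                                   # F phi == true U phi
        return until(TRUE, normal_form(f[1]))
    if op == 'G':                                   # G phi == false R phi
        return release(FALSE, normal_form(f[1]))
    if op == 'X':
        return nxt(normal_form(f[1]))
    if op in ('and', 'or', 'U', 'R'):
        return (op, normal_form(f[1]), normal_form(f[2]))
    raise ValueError('unknown operator %r' % op)

def negate(g):
    """Normal form of (not g), using the duality rule of each operator."""
    op = g[0]
    if op == 'true':  return FALSE
    if op == 'false': return TRUE
    if op == 'ap':    return neg(g)                 # negation stays on the atom
    if op == 'not':   return normal_form(g[1])      # not not phi == phi
    if op == 'and':   return disj(negate(g[1]), negate(g[2]))
    if op == 'or':    return conj(negate(g[1]), negate(g[2]))
    if op == 'X':     return nxt(negate(g[1]))      # not X phi == X not phi
    if op == 'U':     return release(negate(g[1]), negate(g[2]))
    if op == 'R':     return until(negate(g[1]), negate(g[2]))
    if op == 'F':     return release(FALSE, negate(g[1]))   # not F phi == G not phi
    if op == 'G':     return until(TRUE, negate(g[1]))      # not G phi == F not phi
    raise ValueError('unknown operator %r' % op)

def is_normal_form(f):
    """The invariant the graph construction (slide 11) relies on."""
    op = f[0]
    if op in ('true', 'false', 'ap'):
        return True
    if op == 'not':
        return f[1][0] == 'ap'
    if op in ('F', 'G'):
        return False
    return all(is_normal_form(sub) for sub in f[1:])

def to_str(f):
    """Readable rendering of a formula."""
    op = f[0]
    if op in ('true', 'false'): return op
    if op == 'ap': return f[1]
    if op == 'not': return '!' + to_str(f[1])
    if op in ('X', 'F', 'G'): return op + '(' + to_str(f[1]) + ')'
    sym = {'and': '&', 'or': '|', 'U': 'U', 'R': 'R'}[op]
    return '(' + to_str(f[1]) + ' ' + sym + ' ' + to_str(f[2]) + ')'

# Constructed example property: G(req -> F ack), with -> expanded to !req | F ack.
# The model checker works on the negation of the property (slide 2).
PROPERTY = globally(disj(neg(ap('req')), finally_(ap('ack'))))
NEGATED = normal_form(neg(PROPERTY))   # (true U (req & (false R !ack)))
```

The negated property comes out as F(req ∧ G ¬ack), i.e. "some request is never acknowledged", which is exactly the kind of run the emptiness check later searches for.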

  11. Normal Form → GLBA LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? • Overall idea: A node in the graph represents a state, an edge represents a step forward in time. Each node contains formulas that must be true at this time; view these formulas as proof obligations: • Atomic propositions: check for contradictions • Conjunctions: check both clauses • Disjunctions: split into two nodes and allow a nondeterministic choice • Next: Push proof obligation to the successors • Until and its evil twin: unfold recursively on demand

  12. Accept states 1 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? Definition of strict p U q: Sooner or later, q must happen! [figure: graph with edge labels {{q}, {p, q}}, Ø and {{p}, {p, q}}] (Remember, every run is accepted, since the set of accept sets is empty)

  13. Accept states 2 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? Definition of strict p U q: Sooner or later, q must happen! [figure: graph with edge labels {{q}, {p, q}}, Ø and {{p}, {p, q}}] Problem: The automaton accepts pω!

  14. Accept states 3 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? Definition of strict p U q: Sooner or later, q must happen! [figure: graph with edge labels {{q}, {p, q}}, Ø and {{p}, {p, q}}] Solution: Insert accept states to break the cycle (not needed for U).

  15. Un-generalizing GLBAs 1 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? The generated automaton may have more than one set of accept states (one for each ‘until’ in the original formula):

  16. Un-generalizing GLBAs 2 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? Duplicate automaton. When leaving an accept state, jump to next automaton. Keep only one set of accept states.


  20. Combining the two LBAs 1 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? Wanted: an automaton accepting the intersection of the two languages: [figure: the two LBAs joined by ×]

  21. Combining the two LBAs 2 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? By the ordinary DFA product construction: Problem: Requires accept states to be visited at the same time.

  22. Combining the two LBAs 3 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? Solution: Use a GLBA with two accept sets, then reduce to an LBA.
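The un-generalizing construction of slides 15-19 and the product construction of slides 20-22, as an added Python example (not code from the slides). The automaton encoding (dictionaries with `states`, `init`, `delta`, and `accept` or `accept_sets`), the letters as frozensets of atomic propositions, and the two input automata are all constructed for this example.

```python
from itertools import product as cartesian

# Automaton encoding (constructed for this example):
#   'states': set, 'init': initial state, 'delta': {state: [(letter, successor), ...]}
#   'accept': set of states (LBA)   or   'accept_sets': list of sets (GLBA)
# Letters are frozensets of atomic propositions, i.e. the alphabet is 2^AP.

def letter(*props):
    return frozenset(props)

def degeneralize(glba):
    """GLBA with accept sets F_0..F_{k-1} -> LBA with k copies of the state
    space (slides 15-19). Copy i waits for a state of F_i; when the run leaves
    such a state it jumps to copy i+1 (mod k). Only the F_0 states of copy 0
    are accepting, so an accepting run must pass every F_i infinitely often."""
    acc = glba['accept_sets'] or [set(glba['states'])]   # no sets: every run accepts
    k = len(acc)
    states, delta = set(), {}
    for q in glba['states']:
        for i in range(k):
            states.add((q, i))
            j = (i + 1) % k if q in acc[i] else i          # jump when leaving F_i
            delta[(q, i)] = [(a, (q2, j)) for a, q2 in glba['delta'].get(q, [])]
    return {'states': states, 'init': (glba['init'], 0),
            'accept': {(q, 0) for q in acc[0]}, 'delta': delta}

def product(a, b):
    """Intersection of two LBAs (slides 20-22). The plain DFA product would
    accept only when both components sit in an accept state at the same
    instant; instead build a GLBA with one accept set per component and
    un-generalize it."""
    states = set(cartesian(a['states'], b['states']))
    delta = {(p, q): [(x, (p2, q2))
                      for x, p2 in a['delta'].get(p, [])
                      for y, q2 in b['delta'].get(q, []) if x == y]
             for p, q in states}
    glba = {'states': states, 'init': (a['init'], b['init']), 'delta': delta,
            'accept_sets': [{s for s in states if s[0] in a['accept']},
                            {s for s in states if s[1] in b['accept']}]}
    return degeneralize(glba)

def step(aut, state, a):
    """Successors of `state` on letter `a`."""
    return {t for x, t in aut['delta'].get(state, []) if x == a}

# Constructed inputs over AP = {p, q}: an LBA that is in state 1 exactly after a
# letter containing `prop`; with accept = {1} it accepts the words in which
# `prop` holds infinitely often.
SIGMA = [letter(), letter('p'), letter('q'), letter('p', 'q')]

def infinitely_often(prop):
    delta = {s: [(a, 1 if prop in a else 0) for a in SIGMA] for s in (0, 1)}
    return {'states': {0, 1}, 'init': 0, 'accept': {1}, 'delta': delta}

GF_P, GF_Q = infinitely_often('p'), infinitely_often('q')
BOTH = product(GF_P, GF_Q)   # words in which p and q each hold infinitely often
```

On the word ({p}{q})ω the product run alternates between copy 0 and copy 1 and visits the accept state ((1, 0), 0) on every round, although no single letter satisfies both components at once; the plain DFA product, whose only accept state would be (1, 1), rejects that word.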

  23. The emptiness problem LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? How do we do it? Find an appropriate cycle in the LBA – if no such cycle exists, the language is empty. Why does this work? Theorem 17. Seriously, why? In order for the language to be non-empty, there must be an infinite run of the automaton that visits an accept state infinitely often. This means that there has to be a reachable cycle containing an accept state.
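The cycle search of slide 23, as an added Python example (not code from the slides): a nested depth-first search that reports the first accept state found on a reachable cycle together with the lasso leading to it, which is the counterexample a model checker prints. The automaton encoding and the three small automata, modelled on the pω situation of slides 12-14, are constructed for this example.

```python
def find_accepting_cycle(aut):
    """Nested depth-first search (Courcoubetis, Vardi, Wolper and Yannakakis,
    1992; the scheme SPIN uses). Returns (prefix, cycle) if an accept state
    lies on a reachable cycle, else None. prefix runs from the initial state
    to that accept state; cycle lists the states leading back to it, so
    prefix followed by cycle repeated forever is an accepting run."""
    delta, accept = aut['delta'], aut['accept']
    successors = lambda s: [t for _, t in delta.get(s, [])]
    outer_seen, inner_seen = set(), set()

    def inner(s, seed, trail):
        # Second DFS: a path from s back to the accept state `seed`.
        # inner_seen is shared by all inner searches; because outer launches
        # them in post-order this stays sound and keeps the total work linear.
        for t in successors(s):
            if t == seed:
                return trail + [t]
            if t not in inner_seen:
                inner_seen.add(t)
                found = inner(t, seed, trail + [t])
                if found is not None:
                    return found
        return None

    def outer(s, trail):
        # First DFS over the reachable states; an inner search starts at an
        # accept state only after all of its descendants have been explored.
        outer_seen.add(s)
        for t in successors(s):
            if t not in outer_seen:
                found = outer(t, trail + [t])
                if found is not None:
                    return found
        if s in accept:
            cycle = inner(s, s, [])
            if cycle is not None:
                return trail, cycle
        return None

    return outer(aut['init'], [aut['init']])

def is_empty(aut):
    """The language is empty iff no accept state lies on a reachable cycle."""
    return find_accepting_cycle(aut) is None

def letter(*props):
    return frozenset(props)

# Constructed automata for the "strict p U q" situation of slides 12-14, already
# restricted to a system that only ever produces the letter {p} (the word p^omega):
# 'wait' has not yet seen q, 'done' has.
def p_omega_product(accept):
    return {'states': {'wait', 'done'}, 'init': 'wait', 'accept': set(accept),
            'delta': {'wait': [(letter('p'), 'wait')], 'done': []}}

ALL_ACCEPT = p_omega_product({'wait', 'done'})   # no accept sets: p^omega accepted
FIXED = p_omega_product({'done'})                # accept state breaks the cycle

# A non-empty product: the lasso returned is the counterexample run.
LASSO = {'states': {'wait', 'done'}, 'init': 'wait', 'accept': {'done'},
         'delta': {'wait': [(letter('p'), 'wait'), (letter('q'), 'done')],
                   'done': [(letter(), 'done')]}}
```

With every state accepting, the search reports the pω self-loop on `wait` as an accepting cycle (the problem of slide 13); once only `done` is accepting, the only reachable state is not on an accepting cycle and the language is empty (slide 14).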

  24. Overview System Negation of property PLTL-formula () Model State space Model checker Normal-form formula Graph Generalised Büchi automaton Büchi automaton (Asys) Büchi automaton (A ) Product automaton (Asys A ) Checking emptiness Yes! No!

  25. The state space • Example

    int i;

    proctype P1() {
      do
      :: true -> atomic { if :: (i < 2) -> i = i + 1 fi }   /* blocks when i >= 2 */
      od
    }

    proctype P2() {
      do
      :: true -> atomic { if :: (i != 2) -> i = 2 :: else -> i = 0 fi }
      od
    }

    init { i = 0; run P1(); run P2(); }

  26. The state space 2 • A state • all global vars. • local vars. and program counter in all processes • State space: all possible simulations from the initial state • State space must be finite

  27. The state space 3 [figure: state graph with states i=0 (P1 and P2 enabled), i=1 (P1 and P2 enabled), i=2 (P2 enabled)]

  28. State space → LBA • Convert states to proposition tables • Get all propositions from the LTL expression • In each state • Change the label to the set of all satisfied propositions

  29. State space → LBA 2 • Propositions: p:= (i <= 0) q:= (i == 1) r:= (i >= 2) [figure: the state graph relabelled: i=0 with p, i=1 with q, i=2 with r]

  30. State space → LBA 3 • Make all paths infinite • Make all states accepting • Product is now normal DFA product
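The state-space construction of slides 25-30, as an added Python example (not code from the slides): the two Promela processes are modelled as step functions, all interleavings are explored breadth-first from i = 0, and the resulting graph is relabelled with the propositions p, q, r of slide 29, with every state accepting and deadlocked states closed by a self-loop so that all paths are infinite. The process encoding, the `max_states` guard and the automaton dictionary are constructed for this example.

```python
from collections import deque

# Constructed Python model of the Promela program on slide 25. Both loop bodies
# are atomic, so one step is a whole guarded statement, and each process's
# program counter always sits at the top of its do-loop: the global state is
# just the value of the shared variable i.

def p1_steps(i):
    """P1: if i < 2 then i = i + 1; otherwise the if has no enabled branch."""
    return [i + 1] if i < 2 else []

def p2_steps(i):
    """P2: if i != 2 then i = 2 else i = 0 (always has an enabled branch)."""
    return [2] if i != 2 else [0]

PROCESSES = {'P1': p1_steps, 'P2': p2_steps}

def explore(init=0, max_states=1000):
    """Breadth-first exploration of all interleavings from the initial state.
    Returns (states, edges, enabled): edges maps a state to its successor set,
    enabled maps a state to the processes that can move in it. max_states
    guards the finiteness requirement of slide 26."""
    states, edges, enabled = {init}, {}, {}
    todo = deque([init])
    while todo:
        s = todo.popleft()
        edges[s], enabled[s] = set(), set()
        for name, steps in PROCESSES.items():
            for t in steps(s):
                enabled[s].add(name)
                edges[s].add(t)
                if t not in states:
                    if len(states) >= max_states:
                        raise RuntimeError('state space exceeds %d states' % max_states)
                    states.add(t)
                    todo.append(t)
    return states, edges, enabled

# Propositions from slide 29, evaluated on a state.
PROPS = {'p': lambda i: i <= 0, 'q': lambda i: i == 1, 'r': lambda i: i >= 2}

def to_lba(states, edges, init=0):
    """State space -> state-labelled LBA (slides 28-30): each state carries the
    set of propositions it satisfies, every state is accepting, and a state
    without successors gets a self-loop so that every path is infinite."""
    label = {s: frozenset(n for n, holds in PROPS.items() if holds(s)) for s in states}
    delta = {s: sorted(edges[s]) if edges[s] else [s] for s in states}
    return {'states': set(states), 'init': init, 'label': label,
            'delta': delta, 'accept': set(states)}
```

Because every state of the system automaton is accepting, its product with the property automaton needs only one accept set, which is why slide 30 can fall back to the ordinary DFA product.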

  31. The rest • Is in chapter 5

  32. References • G. J. Holzmann: An improved protocol reachability analysis technique. • O. Lichtenstein, A. Pnueli: The glory of the past. • R. Gerth et al.: Simple on-the-fly automatic verification of linear temporal logic. • K. Etessami, G. J. Holzmann: Optimizing Büchi automata. • A. M. Mikkelsen: On-the-fly model checking in Design/CPN. • G. J. Holzmann: The model checker SPIN.

  33. Exercises • Exercises 8, 9, 10 (s3 should be s2), 12 • Derive the semantics of U from the semantics of U, and give an intuitive explanation.
