
LTL Model Checking


Presentation Transcript


  1. LTL Model Checking Radu Iosif (iosif@cis.ksu.edu)

  2. Linear Temporal Logic (LTL)
  • Not exclusively for model checking
  • Also meant for deduction (Manna, Pnueli)
  • So, there must be some equations involving LTL terms

  3. Kripke Structures
  • AP = {p, q, r, … } is a set of atomic propositions
  • K = <S, R, L> is a K-structure, where:
  • S is a finite set of states
  • R  S x S is a transition relation
  • L : S  P(AP) is a labeling function
  • w = x0, x1, …   = s0, s1, … such that xi  L(si) for all i  0

  4. LTL Syntax
  • p  AP is a formula
  • true is a formula
  • if f, g are formulae, then:
  •  f
  • f  g
  • X f
  • f U g are formulae

  5. LTL Semantics
  Defined on Kripke structures K = (S, R, L):
  • K,  = true always
  • K,  = p iff  = s0, s1, … and p  L(s0)
  • K,  = f iff not K,  = f
  • K,  = fg iff K,  = f or K,  = g
  • K,  = X f iff  = s0, s1, s2, … and K, s1, s2, … = f
  • K,  = f U g iff k  0 . K,  = g and 0  i < k  K,  = f

  6. LTL Syntactic Sugar
  We write:
  • false   true
  • fg  (f  g)
  • Fg  true U g
  • Gf  F (f)
  • f W g  (Gf )  (f U g) (weak until)
  • f V g  (f U g) (release)

  7. LTL equations
  f U g = g  (f  X(f U g))
  f V g = g  (f  X(f V g)) = (g  f)  (g  X(f V g))
  • hold for every K,  assuming that  is an infinite path
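Slides 3 to 7 define the semantics and the expansion equations; the following Python is an added example (not from the slides) that evaluates a formula on an ultimately periodic path prefix·loop^ω, the shape of path a model checker reports as a counterexample, and checks the f U g equation of slide 7 on it. The tuple encoding of formulas, the function names and the sample path are this example's own constructions.

```python
# Added representation of formulas (constructed here): ('p',) atom, ('true',), ('not', f),
# ('or', f, g), ('and', f, g), ('X', f), ('U', f, g), ('V', f, g).
TRUE = ('true',)

def label(path, i):
    """L(s_i) for the i-th state of the lasso path = (prefix, loop); past the prefix it wraps."""
    prefix, loop = path
    return prefix[i] if i < len(prefix) else loop[(i - len(prefix)) % len(loop)]

def sat(path, i, f):
    """K, pi^i |= f for the suffix of path starting at position i (semantics of slide 5).
    With prefix length L and period P, every formula has the same value at j and j + P for
    j >= L, so U only needs to scan positions i .. max(i, L) + P - 1."""
    L, P = len(path[0]), len(path[1])
    op = f[0]
    if op == 'true':
        return True
    if len(f) == 1:                                  # atomic proposition: p in L(s_i)
        return op in label(path, i)
    if op == 'not':
        return not sat(path, i, f[1])
    if op == 'or':
        return sat(path, i, f[1]) or sat(path, i, f[2])
    if op == 'and':
        return sat(path, i, f[1]) and sat(path, i, f[2])
    if op == 'X':
        return sat(path, i + 1, f[1])
    if op == 'U':                                    # exists k >= i: g at k, f at all i <= j < k
        return any(sat(path, k, f[2]) and all(sat(path, j, f[1]) for j in range(i, k))
                   for k in range(i, max(i, L) + P))
    if op == 'V':                                    # f V g is defined as not(not f U not g)
        return not sat(path, i, ('U', ('not', f[1]), ('not', f[2])))
    raise ValueError('unknown operator %r' % (op,))

def F(g):                                            # syntactic sugar of slide 6
    return ('U', TRUE, g)

def G(f):
    return ('not', F(('not', f)))

def until_expansion_holds(path, i, f, g):
    """Check the slide-7 equation  f U g = g or (f and X(f U g))  at position i of path."""
    lhs = sat(path, i, ('U', f, g))
    rhs = sat(path, i, g) or (sat(path, i, f) and sat(path, i, ('X', ('U', f, g))))
    return lhs == rhs

# Constructed sample path: p, p, then q forever (prefix [{p}, {p}], loop [{q}]).
PATH = ([{'p'}, {'p'}], [{'q'}])
```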

  8. LTL model checking
  The model checking problem:
  • find whether a path  generated by a Kripke structure K is a model for an LTL formula f (notation K,  = f)
  To model check an LTL formula f:
  • first negate it, then derive the negation normal form
  • then build an automaton [A f] out of the negated formula
  • the problem is reduced to finding out whether L(A f)  L(K) = 

  9. Negation normal form: example
  ((A U (B U C))  D)
  = (A U (B U C))  D
  = (A V (B U C))  D
  = (A V (B V C))  D
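The negation normal form step of slides 8 and 9, as an added Python example (not from the slides): negation is pushed to the atoms with De Morgan for or/and and the U/V duality, and the slide's formula is run through it. The tuple encoding, the `~` used for negation in the printed form and the function names are this example's own.

```python
# Formula representation (constructed here): ('a',) atom, ('true',)/('false',), ('not', f),
# ('or', f, g), ('and', f, g), ('X', f), ('U', f, g), ('V', f, g).
TRUE, FALSE = ('true',), ('false',)
DUAL = {'or': 'and', 'and': 'or', 'U': 'V', 'V': 'U'}   # operator to use after negating both sides

def nnf(f):
    """Return an equivalent formula in which 'not' appears only in front of atoms."""
    op = f[0]
    if len(f) == 1:                               # atom, true or false: already in NNF
        return f
    if op != 'not':                               # positive operator: recurse into operands
        return (op,) + tuple(nnf(x) for x in f[1:])
    g = f[1]                                      # f == not g: case split on g
    if g == TRUE:
        return FALSE
    if g == FALSE:
        return TRUE
    if len(g) == 1:                               # negated atom is a literal, keep it
        return f
    if g[0] == 'not':                             # double negation
        return nnf(g[1])
    if g[0] == 'X':                               # not X h == X not h
        return ('X', nnf(('not', g[1])))
    # De Morgan for or/and and the duality not(f U g) == not f V not g (and vice versa)
    return (DUAL[g[0]],) + tuple(nnf(('not', x)) for x in g[1:])

def show(f):
    """Render a formula in infix form, with ~ for negation."""
    op = f[0]
    if len(f) == 1:
        return op
    if op == 'not':
        return '~' + show(f[1])
    if op == 'X':
        return 'X ' + show(f[1])
    sym = {'or': ' | ', 'and': ' & ', 'U': ' U ', 'V': ' V '}[op]
    return '(' + show(f[1]) + sym + show(f[2]) + ')'

# The slide's example: ~((A U (B U C)) | D)
A, B, C, D = ('A',), ('B',), ('C',), ('D',)
SLIDE_FORMULA = ('not', ('or', ('U', A, ('U', B, C)), D))
SLIDE_NNF = nnf(SLIDE_FORMULA)
```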

  10. TABLEAU
  • A tableau is a proof process represented by a graph, in which edges represent the steps actually taken by the prover, and nodes the intermediate states of the proof
  • A node in the tableau consists of:
  • name = unique name of the node
  • incoming = set of ancestors
  • new = current proof obligation
  • old = already met proof obligation
  • next = proof obligation in the next state

  11. Tableau for p U q   Nodes = {}
  name = Node1, incoming = {init}, new = {p U q}, old = {}, next = {}

  12. Tableau for p U q   Nodes = {}
  name = Node1, incoming = {init}, new = {p U q}, old = {}, next = {}
  name = Node2, incoming = {init}, new = {q}, old = {p U q}, next = {}
  name = Node3, incoming = {init}, new = {p}, old = {p U q}, next = {p U q}

  13. Tableau for p U q   Nodes = {}
  name = Node1, incoming = {init}, new = {p U q}, old = {}, next = {}
  name = Node2, incoming = {init}, new = {q}, old = {p U q}, next = {}
  name = Node3, incoming = {init}, new = {p}, old = {p U q}, next = {p U q}
  name = Node2’, incoming = {init}, new = {}, old = {q, p U q}, next = {}

  14. Tableau for p U q   Nodes = {2’}
  name = Node2’, incoming = {init}, new = {}, old = {q, p U q}, next = {}
  name = Node2’’, incoming = {Node2’}, new = {}, old = {}, next = {}

  15. Tableau for p U q   Nodes = {2’, 2’’}
  name = Node2’, incoming = {init}, new = {}, old = {q, p U q}, next = {}
  name = Node2’’, incoming = {Node2’, Node2’’}, new = {}, old = {}, next = {}
  name = Node2’’’, incoming = {Node2’’}, new = {}, old = {}, next = {}

  16. Tableau for p U q   Nodes = {2’, 2’’}
  name = Node1, incoming = {init}, new = {p U q}, old = {}, next = {}
  name = Node2, incoming = {init}, new = {q}, old = {p U q}, next = {}
  name = Node3, incoming = {init}, new = {p}, old = {p U q}, next = {p U q}
  name = Node3’, incoming = {init}, new = {}, old = {p, p U q}, next = {p U q}

  17. Tableau for p U q   Nodes = {2’, 2’’, 3’}
  name = Node3, incoming = {init}, new = {p}, old = {p U q}, next = {p U q}
  name = Node3’, incoming = {init}, new = {}, old = {p, p U q}, next = {p U q}
  name = Node3’’, incoming = {Node3’}, new = {p U q}, old = {}, next = {}

  18. Tableau for p U q   Nodes = {2’, 2’’, 3’}
  name = Node3’’, incoming = {Node3’}, new = {p U q}, old = {}, next = {}
  name = Node4, incoming = {Node3’}, new = {q}, old = {p U q}, next = {}
  name = Node5, incoming = {Node3’}, new = {p}, old = {p U q}, next = {p U q}

  19. Tableau for p U q   incoming(2’) = {init, Node3’}
  name = Node3’’, incoming = {Node3’}, new = {p U q}, old = {}, next = {}
  name = Node4, incoming = {Node3’}, new = {q}, old = {p U q}, next = {}
  name = Node5, incoming = {Node3’}, new = {p}, old = {p U q}, next = {p U q}
  name = Node4’, incoming = {Node3’}, new = {}, old = {q, p U q}, next = {}

  20. Tableau for p U q   incoming(3’) = {init, Node3’}
  name = Node3’’, incoming = {Node3’}, new = {p U q}, old = {}, next = {}
  name = Node4, incoming = {Node3’}, new = {q}, old = {p U q}, next = {}
  name = Node5, incoming = {Node3’}, new = {p}, old = {p U q}, next = {p U q}
  name = Node5’, incoming = {Node3’}, new = {}, old = {p, p U q}, next = {p U q}

  21. Resulting automaton
  [figure: automaton with states init, Node2’ labelled {q}, Node3’ labelled {p} and Node2’’ labelled {} = true]
  • An LTL formula f is satisfied iff there exists an infinite path in Af containing an acceptance state infinitely often
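The expansion procedure that slides 10 to 20 carry out by hand for p U q, as an added Python example (not from the slides): it keeps the node fields of slide 10, applies the split and merge steps shown on slides 12 to 20, and reproduces the three states of slide 21 together with the acceptance set the slide's condition refers to. The tuple encoding of formulas, the class and function names are this example's own, and input formulas are assumed to be in negation normal form, as slide 8 requires.

```python
import itertools

# Formula representation (constructed here), assumed in negation normal form: ('p',) atom,
# ('true',), ('false',), ('not', atom), ('or', f, g), ('and', f, g), ('X', f), ('U', f, g), ('V', f, g)
FALSE = ('false',)
class Node:                      # the record described on slide 10
    counter = itertools.count(1)
    def __init__(self, incoming, new, old, nxt):
        self.name = 'Node%d' % next(Node.counter)
        self.incoming, self.new, self.old, self.next = set(incoming), set(new), set(old), set(nxt)
def expand(node, nodes):
    """Discharge node.new one formula at a time; fully expanded nodes are appended to `nodes`."""
    if not node.new:
        for done in nodes:       # a node with the same old/next obligations exists: merge (slide 19)
            if done.old == node.old and done.next == node.next:
                done.incoming |= node.incoming
                return nodes
        nodes.append(node)       # otherwise keep it and expand its successor, which must prove next
        return expand(Node({node.name}, node.next, set(), set()), nodes)
    eta = node.new.pop()
    op = eta[0]
    node.old.add(eta)
    if len(eta) == 1 or op == 'not':                      # literal: must not contradict old
        if eta == FALSE or (eta[1] if op == 'not' else ('not', eta)) in node.old:
            return nodes                                  # closed branch, no node produced
    elif op == 'and':
        node.new |= {eta[1], eta[2]} - node.old
    elif op == 'X':
        node.next.add(eta[1])
    else:                                                 # or / U / V split the node (slide 12)
        f, g = eta[1], eta[2]
        new1, next1, new2, next2 = {
            'or': ({f}, set(), {g}, set()),
            'U': ({g}, set(), {f}, {eta}),                # g now, or f now and f U g next
            'V': ({g}, {eta}, {f, g}, set()),             # g now and f V g next, or f and g now
        }[op]
        n1 = Node(node.incoming, node.new | (new1 - node.old), node.old, node.next | next1)
        n2 = Node(node.incoming, node.new | (new2 - node.old), node.old, node.next | next2)
        return expand(n2, expand(n1, nodes))
    return expand(node, nodes)

def build_tableau(phi):
    """Tableau nodes for phi, starting from Node1 with incoming = {init} (slide 11)."""
    Node.counter = itertools.count(1)
    return expand(Node({'init'}, {phi}, set(), set()), [])

def accepting(nodes, until):
    """Acceptance set for the U-subformula `until`: nodes where it is absent from old or discharged."""
    return [n for n in nodes if until not in n.old or until[2] in n.old]
```

For p U q the result is the {q} node (slide's Node2’), the {} = true node (Node2’’) and the {p} node (Node3’), with the incoming sets of slides 19 and 20; the numbering differs from the slides because the example names every node it creates.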

  22. Automata-Theoretic model checking
  • Invented by Vardi and Wolper in the 80’s
  • Implemented in SPIN in the 90’s
  • Language intersection problem L(A f)  L(K) =  is reduced to:
  • computing the synchronous product (A f ) x K
  • checking whether the synchronous product contains an acceptance cycle
  • if so, there exists a violation of f on some execution path of K
  • the model checker will show us the counterexample
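The product and acceptance-cycle check of slide 22, as an added Python example (not from the slides and not SPIN's code): the automaton is the three-state result of slide 21 written out by hand, the product is built on the fly, and the nested depth-first search returns the lasso-shaped run that a model checker would print as its counterexample. The Kripke structure, the literal encoding ('!p' for not p) and all names are this example's own.

```python
# Büchi automaton of slide 21, written out by hand (constructed here): per state, the literals
# it demands of the Kripke state it is paired with ('!p' would mean not p) and its successors.
AUT = {
    'init':  ([],    ['Node2', 'Node3']),   # pseudo-initial state
    'Node2': (['q'], ['Node4']),            # q holds now: p U q discharged
    'Node3': (['p'], ['Node2', 'Node3']),   # p holds now, p U q still owed
    'Node4': ([],    ['Node4']),            # {} = true, loops forever
}
ACCEPT = {'Node2', 'Node4'}                 # acceptance states for p U q
def consistent(literals, labels):
    """An automaton state may pair with Kripke state s only if its literals agree with L(s)."""
    return all((lit[1:] not in labels) if lit.startswith('!') else (lit in labels) for lit in literals)

def accepting_cycle(kripke, aut, accept):
    """Nested DFS over the product A x K built on the fly from kripke = (L, R, s0); returns (prefix, cycle) of product states (s, node) or None."""
    L, R, s0 = kripke
    def succ(s, n):
        return [(s2, n2) for s2 in R[s] for n2 in aut[n][1] if consistent(aut[n2][0], L[s2])]
    blue, red = set(), set()
    def red_dfs(seed, path):                # inner search: a path back to the accepting seed
        for ps in succ(*path[-1]):
            if ps == seed:
                return path + [ps]
            if ps not in red:
                red.add(ps)
                found = red_dfs(seed, path + [ps])
                if found:
                    return found
        return None
    def blue_dfs(path):                     # outer search; inner search starts in post-order
        for ps in succ(*path[-1]):
            if ps not in blue:
                blue.add(ps)
                found = blue_dfs(path + [ps])
                if found:
                    return found
        if path[-1][1] in accept:
            cycle = red_dfs(path[-1], [path[-1]])
            if cycle:
                return path, cycle
        return None
    for n in aut['init'][1]:                # product initial states: (s0, n) with n consistent
        if consistent(aut[n][0], L[s0]) and (s0, n) not in blue:
            blue.add((s0, n))
            found = blue_dfs([(s0, n)])
            if found:
                return found
    return None

# Constructed Kripke structure: s0 {p} -> s1 {p} -> s2 {q} (self-loop), and s1 -> s0.
K1 = ({'s0': {'p'}, 's1': {'p'}, 's2': {'q'}}, {'s0': ['s1'], 's1': ['s0', 's2'], 's2': ['s2']}, 's0')
```

Because AUT accepts the paths that satisfy p U q rather than its negation, a cycle found here is a witness that K has such a path; the model-checking question of slide 8 runs the same search with the automaton built for the negated formula, and a cycle then is the violation.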
