# LTL Model Checking

Radu Iosif (iosif@cis.ksu.edu)


### LTL Model Checking

Linear Temporal Logic (LTL)
• Not exclusively for model checking
• Also meant for deduction (Manna, Pnueli)
• So, there must be some equations involving LTL terms
Kripke Structures
• AP = {p, q, r, …} is a set of atomic propositions
• K = <S, R, L> is a K-structure, where:
• S is a finite set of states
• R ⊆ S × S is a transition relation
• L : S → P(AP) is a labeling function
• w = x0, x1, … is the word generated by a path π = s0, s1, … of K, such that xi ∈ L(si) for all i ≥ 0
LTL Syntax
• p ∈ AP is a formula
• true is a formula
• if f, g are formulae, then:
• ¬ f
• f ∨ g
• X f
• f U g
are formulae

LTL Semantics

Defined on Kripke structures K = (S, R, L):

• K, π ⊨ true always
• K, π ⊨ p iff π = s0, s1, … and p ∈ L(s0)
• K, π ⊨ ¬f iff not K, π ⊨ f
• K, π ⊨ f ∨ g iff K, π ⊨ f or K, π ⊨ g
• K, π ⊨ X f iff π = s0, s1, s2, … and K, s1, s2, … ⊨ f
• K, π ⊨ f U g iff π = s0, s1, … and ∃k ≥ 0 . K, s_k, s_{k+1}, … ⊨ g and ∀ 0 ≤ i < k . K, s_i, s_{i+1}, … ⊨ f
LTL Syntactic Sugar

We write:

• false ≡ ¬true
• f ∧ g ≡ ¬(¬f ∨ ¬g)
• F g ≡ true U g
• G f ≡ ¬F(¬f)
• f W g ≡ (G f) ∨ (f U g) (weak until)
• f V g ≡ ¬(¬f U ¬g) (release)
LTL equations

f U g = g ∨ (f ∧ X(f U g))

f V g = g ∧ (f ∨ X(f V g))

= (g ∧ f) ∨ (g ∧ X(f V g))

• hold for every K, π assuming that π is an infinite path
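The semantics, sugar and expansion equation above, as an added example that is not part of the slides: an evaluator for LTL on an ultimately periodic (lasso) path, where a path is a list of label sets plus the index the loop returns to. The tuple encoding of formulas, the desugaring order and the function names are my assumptions; the sugar is rewritten exactly as the "LTL Syntactic Sugar" slide defines it.

```python
# Formulas: True, ("ap", "p"), ("not", f), ("or", f, g), ("X", f), ("U", f, g);
# sugar ("and", f, g), ("F", f), ("G", f), ("W", f, g), ("V", f, g) is rewritten.

def desugar(f):
    """Rewrite sugar using the definitions on the 'LTL Syntactic Sugar' slide."""
    if f is True or f[0] == "ap":
        return f
    op, a = f[0], [desugar(x) for x in f[1:]]
    if op == "and":                     # f ∧ g ≡ ¬(¬f ∨ ¬g)
        return ("not", ("or", ("not", a[0]), ("not", a[1])))
    if op == "F":                       # F g ≡ true U g
        return ("U", True, a[0])
    if op == "G":                       # G f ≡ ¬F(¬f) = ¬(true U ¬f)
        return ("not", ("U", True, ("not", a[0])))
    if op == "W":                       # f W g ≡ (G f) ∨ (f U g)
        return ("or", desugar(("G", a[0])), ("U", a[0], a[1]))
    if op == "V":                       # f V g ≡ ¬(¬f U ¬g)
        return ("not", ("U", ("not", a[0]), ("not", a[1])))
    return (op, *a)                     # core operators: not, or, X, U

def pos(path, i):
    """Canonical index on a lasso (labels, loop): suffix i equals suffix pos(i)."""
    labels, loop = path
    return i if i < loop else loop + (i - loop) % (len(labels) - loop)

def holds(path, f, i=0):
    """K, s_i s_{i+1} ... ⊨ f as on the 'LTL Semantics' slide (f desugared)."""
    labels, i = path[0], pos(path, i)
    if f is True:
        return True
    op = f[0]
    if op == "ap":
        return f[1] in labels[i]
    if op == "not":
        return not holds(path, f[1], i)
    if op == "or":
        return holds(path, f[1], i) or holds(path, f[2], i)
    if op == "X":
        return holds(path, f[1], i + 1)
    # U: g at some k ≥ i with f at all i ≤ j < k; k is bounded because every
    # distinct suffix of the lasso occurs within len(labels) steps of i.
    for k in range(i, i + len(labels)):
        if holds(path, f[2], k):
            return True
        if not holds(path, f[1], k):
            return False
    return False

# Constructed lasso paths: per-state label sets plus the index the loop returns to.
PATH_PQ = ([{"p"}, {"p"}, {"q"}], 2)    # s0 s1 (s2)^ω
PATH_P = ([{"p"}], 0)                   # (s0)^ω
```

On these two paths the expansion equation f U g = g ∨ (f ∧ X(f U g)) can be checked by evaluating both sides with `holds`; they agree, as the "LTL equations" slide states for every infinite path.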
LTL model checking

The model checking problem:

• find whether a path π generated by a Kripke structure K is a model for an LTL formula f (notation K, π ⊨ f)

To model check an LTL formula f:

• first negate it, then derive the negation normal form
• then build an automaton A¬f out of the negated formula
• the problem is reduced to finding out whether

L(A¬f) ∩ L(K) = ∅

Negation normal form: example

¬((A U (B U C)) ∨ D) = ¬(A U (B U C)) ∧ ¬D

= (¬A V ¬(B U C)) ∧ ¬D

= (¬A V (¬B V ¬C)) ∧ ¬D

TABLEAU

A tableau is a proof process represented by a graph, in which edges represent the steps actually taken by the prover, and nodes the intermediate states of the proof

A node in the tableau consists of:

• name = unique name of the node
• incoming = set of ancestors
• new = current proof obligation
• old = already met proof obligation
• next = proof obligation in the next state
Tableau for p U q

Nodes = {}

name = Node1, incoming = {init}, new = {p U q}, old = {}, next = {}
name = Node2, incoming = {init}, new = {q}, old = {p U q}, next = {}
name = Node3, incoming = {init}, new = {p}, old = {p U q}, next = {p U q}
name = Node2’, incoming = {init}, new = {}, old = {q, p U q}, next = {}

Tableau for p U q

Nodes = {2’}

name = Node2’, incoming = {init}, new = {}, old = {q, p U q}, next = {}
name = Node2’’, incoming = {Node2’}, new = {}, old = {}, next = {}

Tableau for p U q

Nodes = {2’, 2’’}

name = Node2’, incoming = {init}, new = {}, old = {q, p U q}, next = {}
name = Node2’’, incoming = {Node2’, Node2’’}, new = {}, old = {}, next = {}
name = Node2’’’, incoming = {Node2’’}, new = {}, old = {}, next = {}

Tableau for p U q

Nodes = {2’, 2’’}

name = Node1, incoming = {init}, new = {p U q}, old = {}, next = {}
name = Node2, incoming = {init}, new = {q}, old = {p U q}, next = {}
name = Node3, incoming = {init}, new = {p}, old = {p U q}, next = {p U q}
name = Node3’, incoming = {init}, new = {}, old = {p, p U q}, next = {p U q}

Tableau for p U q

Nodes = {2’, 2’’, 3’}

name = Node3, incoming = {init}, new = {p}, old = {p U q}, next = {p U q}
name = Node3’, incoming = {init}, new = {}, old = {p, p U q}, next = {p U q}
name = Node3’’, incoming = {Node3’}, new = {p U q}, old = {}, next = {}
name = Node4, incoming = {Node3’}, new = {q}, old = {p U q}, next = {}
name = Node5, incoming = {Node3’}, new = {p}, old = {p U q}, next = {p U q}

Tableau for p U q

Nodes = {2’, 2’’, 3’}

incoming(2’) = {init, Node3’}

Tableau for p U q

name = Node3’’, incoming = {Node3’}, new = {p U q}, old = {}, next = {}
name = Node4, incoming = {Node3’}, new = {q}, old = {p U q}, next = {}
name = Node5, incoming = {Node3’}, new = {p}, old = {p U q}, next = {p U q}
name = Node4’, incoming = {Node3’}, new = {}, old = {q, p U q}, next = {}

incoming(3’) = {init, Node3’}

Tableau for p U q

name = Node3’’, incoming = {Node3’}, new = {p U q}, old = {}, next = {}
name = Node4, incoming = {Node3’}, new = {q}, old = {p U q}, next = {}
name = Node5, incoming = {Node3’}, new = {p}, old = {p U q}, next = {p U q}
name = Node5’, incoming = {Node3’}, new = {}, old = {p, p U q}, next = {p U q}

Resulting automaton

[Figure: the automaton for p U q. States: init, Node2’, Node3’, Node2’’. Edge labels: {p}, {q}, {} = true. Read from the incoming sets of the tableau: init → Node2’ on {q}, init → Node3’ on {p}, Node3’ → Node3’ on {p}, Node3’ → Node2’ on {q}, Node2’ → Node2’’ on {} = true, Node2’’ → Node2’’ on {} = true.]

An LTL formula f is satisfied iff there exists an infinite path in Af containing an acceptance state infinitely often
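The tableau expansion traced on the slides, as an added example that is not the slides' own code: it splits a node on ∨ and on U (via f U g = g ∨ (f ∧ X(f U g))), records literals in old, discards contradictory nodes, and merges a finished node into an existing one with the same old and next sets, extending that node's incoming set. It covers the NNF fragment of the slides' example (literals, ∧, ∨, X, U); the tuple encoding of formulas and the node numbering are my assumptions.

```python
from types import SimpleNamespace as NS
from itertools import count

def node(name, incoming, new, old, nxt):
    """Tableau node with the fields of the 'TABLEAU' slide (sets are copied)."""
    return NS(name=name, incoming=set(incoming), new=set(new), old=set(old), next=set(nxt))

def expand(nd, nodes, ids):
    """Expand nd; returns the finished nodes (as on the 'Tableau for p U q' slides)."""
    if not nd.new:                                  # nothing left to prove here
        for done in nodes:                          # identical old/next: merge
            if done.old == nd.old and done.next == nd.next:
                done.incoming |= nd.incoming
                return nodes
        nodes.append(nd)                            # keep it, expand its successor
        return expand(node(f"Node{next(ids)}", {nd.name}, nd.next, (), ()), nodes, ids)
    f = nd.new.pop()
    if f in nd.old:
        return expand(nd, nodes, ids)
    if f[0] in ("ap", "not"):                       # literal
        if (f[1] if f[0] == "not" else ("not", f)) in nd.old:
            return nodes                            # contradiction: node dropped
        nd.old.add(f)
        return expand(nd, nodes, ids)
    nd.old.add(f)
    if f[0] == "and":
        nd.new |= {f[1], f[2]}
        return expand(nd, nodes, ids)
    if f[0] == "X":
        nd.next.add(f[1])
        return expand(nd, nodes, ids)
    # "or" splits the node; "U" does too, via f U g = g ∨ (f ∧ X(f U g)):
    # one node owes g now, the other owes f now and f U g in the next state.
    g_node = node(f"Node{next(ids)}", nd.incoming, nd.new | {f[2]}, nd.old, nd.next)
    f_node = node(f"Node{next(ids)}", nd.incoming, nd.new | {f[1]}, nd.old,
                  nd.next | ({f} if f[0] == "U" else set()))
    return expand(f_node, expand(g_node, nodes, ids), ids)

def build_automaton(formula):
    """Tableau nodes for an NNF formula over literals, and, or, X, U."""
    return expand(node("Node1", {"init"}, {formula}, (), ()), [], count(2))
```

For ("U", ("ap", "p"), ("ap", "q")) the result is the three states of the slides' final automaton: one with old = {q, p U q} and incoming {init, the p-node}, one with old = {p, p U q}, next = {p U q} and a self-loop, and one with empty old and next reached from the q-node and looping on itself.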

Automata-Theoretic model checking
• Invented by Vardi and Wolper in the 80’s
• Implemented in SPIN in the 90’s
• Language intersection problem L(A¬f) ∩ L(K) = ∅ is reduced to:
• computing the synchronous product (A¬f) × K
• checking whether the synchronous product contains an acceptance cycle
• if so, there exists a violation of f on some execution path of K
• the model checker will show us the counterexample
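The synchronous product and acceptance-cycle check, as an added example that is not the slides' or SPIN's code. The automaton is the one for p U q read off the "Resulting automaton" slide, so a cycle found here is a run of the constructed Kripke structure that satisfies p U q (the violation when the property being checked is ¬(p U q)), reported as a prefix plus a cycle the way a model checker reports a counterexample. The acceptance condition (a node accepts when q is in its old set or p U q is not), the product definition and the dictionary shape of K are my assumptions.

```python
from collections import deque

# Automaton A for p U q read off the "Resulting automaton" slide, as edges (source, target,
# label): the label is the target node's old set restricted to AP; an empty label means true.
AUT_EDGES = [("init", "Node2'", {"q"}), ("init", "Node3'", {"p"}),
             ("Node3'", "Node3'", {"p"}), ("Node3'", "Node2'", {"q"}),
             ("Node2'", "Node2''", set()), ("Node2''", "Node2''", set())]
# Assumption: a node accepts when q is in its old set or p U q is not.
ACCEPTING = {"Node2'", "Node2''"}

def product_successors(K, s, a):
    """A x K step: K moves s -> s2 and A follows an edge from a whose label holds in L(s2)."""
    for s2 in K["R"][s]:
        for src, dst, lbl in AUT_EDGES:
            if src == a and lbl <= K["L"][s2]:
                yield (s2, dst)

def bfs(succ, seeds):
    """Breadth-first search from the seed states; returns a parent map (seeds map to None)."""
    parents, todo = {x: None for x in seeds}, deque(seeds)
    while todo:
        x = todo.popleft()
        for y in succ(x):
            if y not in parents:
                parents[y] = x
                todo.append(y)
    return parents

def walk_back(parents, node):
    """Follow parent pointers from node to a seed; returns the path seed ... node."""
    path = [node]
    while parents[path[-1]] is not None:
        path.append(parents[path[-1]])
    return path[::-1]

def find_acceptance_cycle(K):
    """Return (prefix, cycle) of K-states forming a lasso accepted by A x K,
    i.e. a run of K satisfying p U q; None means L(A) ∩ L(K) is empty."""
    succ = lambda st: product_successors(K, *st)
    init = [(K["init"], a) for src, a, lbl in AUT_EDGES
            if src == "init" and lbl <= K["L"][K["init"]]]
    parents = bfs(succ, init)                    # all reachable product states
    for st in parents:
        if st[1] in ACCEPTING:
            back = bfs(succ, list(succ(st)))     # everything reachable after st
            if st in back:                       # st lies on a cycle
                cycle = [st] + walk_back(back, st)
                return [s for s, _ in walk_back(parents, st)], [s for s, _ in cycle]
    return None

# Constructed Kripke structure: s0 {p} -> s1 {p} -> s2 {q} (self-loop), and s1 -> s0.
K_SAMPLE = {"init": "s0", "L": {"s0": {"p"}, "s1": {"p"}, "s2": {"q"}},
            "R": {"s0": ["s1"], "s1": ["s0", "s2"], "s2": ["s2"]}}
```

`find_acceptance_cycle(K_SAMPLE)` returns the lasso s0 s1 s2 s2 with the cycle s2 s2, the execution of K along which p holds until q does; a structure whose only state is labelled {p} and loops on itself yields None, since no reachable accepting product state lies on a cycle.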