LTL – model checking

Jonas Kongslund

Peter Mechlenborg

Christian Plesner

Kristian Støvring Sørensen

Overview

The model checker takes two inputs, the system and the negated property, and runs them through this pipeline:

System → Model → State space → Büchi automaton (Asys)

Negation of property → PLTL formula (¬φ) → Normal-form formula → Graph → Generalised Büchi automaton → Büchi automaton (A¬φ)

Product automaton (Asys × A¬φ) → Checking emptiness → Yes! (empty: the property holds) / No! (a counterexample run exists)

Büchi Automata
  • Def.: Labelled Büchi Automaton

Büchi Automata 2
  • Def.: Run of an LBA
Büchi Automata 3
  • Example: Σ = {a,b,c,d,e}

[Figure: an LBA accepting the ω-language (a|d)(bc⁺)ω; its transitions are labelled {a,d}, {b} and {c}.]
Büchi Automata 4
  • Let Σ = 2^AP, where AP is the set of atomic propositions: a letter is the set of propositions that hold at one instant.
  • For each PLTL formula φ one can construct an LBA Aφ such that Lω(Aφ) is exactly the set of infinite sequences of sets of atomic propositions that satisfy φ.

Büchi Automata 5
  • Def.: Generalised LBA
Getting Normal

LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty?

  • Eliminate the F and G operators (F φ = true U φ; G φ = ¬F ¬φ)
  • Make negations adjacent to atomic propositions (push them inwards using the dual of each operator)

Example:
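Added example, not from the slides: the two normalisation steps above written as a rewriting function over future-time LTL (past operators are left out). The tuple encoding of formulas, the function names and the sample property are this example's own assumptions; the rewrite rules are the standard LTL dualities.

```python
# Added example (not from the slides): negation normal form for future-time LTL.
# A formula is a nested tuple. Constructors (naming assumed for this example):
#   ('ap', name)  ('true',)  ('false',)  ('not', f)  ('and', f, g)  ('or', f, g)
#   ('implies', f, g)  ('X', f)  ('F', f)  ('G', f)  ('U', f, g)  ('R', f, g)
# where R is release, the dual of until: f R g == not (not f U not g).

def normal_form(f):
    """Rewrite f so that only X, U, R, and, or remain and every 'not' sits directly on an atomic proposition."""
    op = f[0]
    if op in ('ap', 'true', 'false'):
        return f
    if op == 'not':
        return negate(f[1])
    if op in ('and', 'or', 'U', 'R'):
        return (op, normal_form(f[1]), normal_form(f[2]))
    if op == 'implies':                       # f -> g  ==  not f or g
        return ('or', negate(f[1]), normal_form(f[2]))
    if op == 'X':
        return ('X', normal_form(f[1]))
    if op == 'F':                             # F g  ==  true U g
        return ('U', ('true',), normal_form(f[1]))
    if op == 'G':                             # G g  ==  false R g  (== not F not g)
        return ('R', ('false',), normal_form(f[1]))
    raise ValueError(f"unknown operator {op!r}")

def negate(f):
    """Normal form of (not f): push the negation through one connective using its dual, then recurse."""
    op = f[0]
    if op == 'ap':
        return ('not', f)                     # the negation has reached an atomic proposition: stop
    if op == 'true':
        return ('false',)
    if op == 'false':
        return ('true',)
    if op == 'not':                           # double negation
        return normal_form(f[1])
    if op == 'and':
        return ('or', negate(f[1]), negate(f[2]))
    if op == 'or':
        return ('and', negate(f[1]), negate(f[2]))
    if op == 'implies':                       # not (f -> g)  ==  f and not g
        return ('and', normal_form(f[1]), negate(f[2]))
    if op == 'X':                             # not X g  ==  X not g
        return ('X', negate(f[1]))
    if op == 'F':                             # not F g  ==  G not g  ==  false R not g
        return ('R', ('false',), negate(f[1]))
    if op == 'G':                             # not G g  ==  F not g  ==  true U not g
        return ('U', ('true',), negate(f[1]))
    if op == 'U':                             # not (f U g)  ==  not f R not g
        return ('R', negate(f[1]), negate(f[2]))
    if op == 'R':                             # not (f R g)  ==  not f U not g
        return ('U', negate(f[1]), negate(f[2]))
    raise ValueError(f"unknown operator {op!r}")

def is_normal(f):
    """Check both normal-form conditions: no F, G or implies, and negation only on atomic propositions."""
    op = f[0]
    if op in ('F', 'G', 'implies'):
        return False
    if op == 'not':
        return f[1][0] == 'ap'
    return all(is_normal(sub) for sub in f[1:] if isinstance(sub, tuple))

def pretty(f):
    op = f[0]
    if op == 'ap':
        return f[1]
    if op in ('true', 'false'):
        return op
    if op == 'not':
        return '!' + pretty(f[1])
    if op in ('X', 'F', 'G'):
        return f"{op} {pretty(f[1])}"
    sym = {'and': '&', 'or': '|', 'implies': '->', 'U': 'U', 'R': 'R'}[op]
    return f"({pretty(f[1])} {sym} {pretty(f[2])})"

# The model checker works on the negated property (see the overview). Sample property (constructed):
# "every request is eventually acknowledged".
REQ, ACK = ('ap', 'req'), ('ap', 'ack')
PROPERTY = ('G', ('implies', REQ, ('F', ACK)))
NEGATED_NORMAL = normal_form(('not', PROPERTY))   # (true U (req & (false R !ack)))
```

The negated, normalised formula reads "eventually a request after which ack never holds", which is exactly the shape the graph construction on the following slides consumes: only U, R, X, conjunction, disjunction and literals.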
Getting Normal 2
  • Past operators do not add any expressive power to LTL
  • Why are they useful, then?
  • Past operators are not easily expressed with future operators
  • Past operators are not easy to translate to normal form: possible exponential blowup
Normal Form → GLBA
  • Overall idea: a node in the graph represents a state, an edge represents a step forward in time. Each node contains the formulas that must be true at this time; view these formulas as proof obligations:
  • Atomic propositions: check for contradictions
  • Conjunctions: check both clauses
  • Disjunctions: split into two nodes and allow a nondeterministic choice
  • Next: push the proof obligation to the successors
  • Until and its dual, release (its evil twin): unfold recursively on demand (p U q ≡ q ∨ (p ∧ X(p U q)))
Accept states

Definition of strict p U q: sooner or later, q must happen!

[Figure: the graph generated for strict p U q; the labels shown are {{q},{p,q}} (letters in which q holds), Ø and {{p},{p,q}} (letters in which p holds).]

Remember, every run is accepted as long as the set of accept sets is empty.

Problem: the automaton then accepts pω, a run in which q never happens!

Solution: insert accept states to break the cycle (not needed for the dual of U, release).

Un-generalizing GLBAs

The generated automaton may have more than one set of accept states (one for each 'until' in the original formula):

[Figure: a GLBA with several accept sets.]

Duplicate the automaton once per accept set. When leaving an accept state of the current copy, jump to the next copy (cyclically). Keep only one set of accept states, namely the accept states of the first copy: a run visits them infinitely often exactly when it visits every original accept set infinitely often.

Combining the two LBAs

Wanted: an automaton accepting the intersection of the two languages, Lω(Asys) ∩ Lω(A¬φ):

[Figure: Asys × A¬φ]

By the ordinary DFA product construction: both automata read the same letter and move in lockstep.

Problem: a product state is accepting only if both components are, so this requires accept states to be visited at the same time; a run that is accepting in each component separately may never do that.

Solution: use a GLBA with two accept sets (F1 × S2 and S1 × F2), then reduce to an LBA as on the previous slides.
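Added example, not from the slides: the LBA × LBA step and the un-generalizing construction from the previous slides in one piece of code, since the product needs the latter. The class, field and function names, the letter encoding (frozensets of atomic propositions) and the sample automata are this example's own; the constructions themselves are the ones the slides describe.

```python
# Added example (not from the slides): LBA x LBA as a GLBA with two accept sets, then the copy
# construction that turns a GLBA back into an LBA. Letters are frozensets of atomic propositions
# (elements of 2^AP); class and field names are this example's own.
from itertools import product as cartesian

class Buchi:
    """states: set; init: set of initial states; delta: dict state -> set of (letter, successor);
    accept: list of accept sets (a generalised LBA); an ordinary LBA has exactly one."""
    def __init__(self, states, init, delta, accept):
        self.states, self.init, self.delta = set(states), set(init), delta
        self.accept = [set(a) for a in accept]

def product(a1, a2):
    """Synchronous product: both automata read the same letter. Instead of demanding that accept
    states be hit at the same time, return a GLBA with accept sets F1 x S2 and S1 x F2: a run is
    accepting iff each component visits its own accept states infinitely often, at any times."""
    assert len(a1.accept) == 1 and len(a2.accept) == 1, "inputs must be ordinary LBAs"
    states = set(cartesian(a1.states, a2.states))
    delta = {}
    for s1, s2 in states:
        delta[(s1, s2)] = {(x, (t1, t2))
                           for x, t1 in a1.delta.get(s1, ())
                           for y, t2 in a2.delta.get(s2, ()) if x == y}
    f1 = {(s1, s2) for s1, s2 in states if s1 in a1.accept[0]}
    f2 = {(s1, s2) for s1, s2 in states if s2 in a2.accept[0]}
    return Buchi(states, cartesian(a1.init, a2.init), delta, [f1, f2])

def degeneralize(g):
    """GLBA with k accept sets -> LBA with k copies of the state graph. Copy j waits for a state of
    F_j; the transition leaving such a state jumps to copy (j+1) mod k. Only F_0 in copy 0 stays
    accepting: it is visited infinitely often iff the counter wraps around infinitely often, i.e.
    iff every F_j is visited infinitely often."""
    k = len(g.accept)
    if k == 0:                      # no accept sets at all: every infinite run is accepting
        return Buchi(g.states, g.init, g.delta, [set(g.states)])
    delta = {}
    for s in g.states:
        for j in range(k):
            nxt = (j + 1) % k if s in g.accept[j] else j
            delta[(s, j)] = {(x, (t, nxt)) for x, t in g.delta.get(s, ())}
    return Buchi(delta.keys(), {(s, 0) for s in g.init}, delta, [{(s, 0) for s in g.accept[0]}])

def det_accepts_lasso(a, prefix, loop):
    """Acceptance of the word prefix . loop^omega by a deterministic, complete LBA (enough for the
    sample below): follow the unique run until (state, position in loop) repeats; the run is then
    periodic and accepting iff an accept state lies on the period."""
    def step(s, x):
        succ = [t for y, t in a.delta.get(s, ()) if y == x]
        assert len(succ) == 1, "this check needs a deterministic, complete automaton"
        return succ[0]
    (s,) = a.init
    for x in prefix:
        s = step(s, x)
    first_seen, trace, pos = {}, [], 0
    while (s, pos) not in first_seen:
        first_seen[(s, pos)] = len(trace)
        trace.append(s)
        s, pos = step(s, loop[pos]), (pos + 1) % len(loop)
    period = trace[first_seen[(s, pos)]:]
    return any(t in a.accept[0] for t in period)

# Sample (constructed): AP = {p, q}. inf_often(x) accepts exactly the words in which x holds infinitely often.
LETTERS = [frozenset(l) for l in ([], ['p'], ['q'], ['p', 'q'])]
EMPTY, P, Q, PQ = LETTERS

def inf_often(ap):
    delta = {s: {(x, 'yes' if ap in x else 'no') for x in LETTERS} for s in ('no', 'yes')}
    return Buchi({'no', 'yes'}, {'no'}, delta, [{'yes'}])

# Intersection: infinitely many p AND infinitely many q, as one LBA with 2 * 2 * 2 = 8 states.
BOTH = degeneralize(product(inf_often('p'), inf_often('q')))
```

The plain DFA product would reject the word ({p}{q})ω here, because the two components are never in their accept states at the same instant; the two-accept-set GLBA followed by degeneralization accepts it, while still rejecting words in which q holds only finitely often.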

The emptiness problem

How do we do it?

Find an appropriate cycle in the LBA: if no such cycle exists, the language is empty.

Why does this work?

Theorem 17.

Seriously, why?

For the language to be non-empty there must be an infinite run of the automaton that visits an accept state infinitely often. The automaton has finitely many states, so such a run must return to the same accept state again and again; that is, there has to be a reachable cycle containing an accept state. Conversely, any reachable cycle through an accept state gives an accepting run: reach the cycle, then go round it forever.
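Added example, not from the slides: the emptiness check as a nested depth-first search for a reachable cycle through an accept state, returning the cycle as a counterexample lasso. The sample automaton is a hand-built version of the two-node p U q graph from the accept-state slides, restricted to an alphabet in which q never holds (standing in for the product with such a system); names and encoding are this example's own.

```python
# Added example (not from the slides): the Empty? step as a nested depth-first search.
# It looks for a reachable cycle through an accept state and returns it as a counterexample lasso.
# Letters are frozensets of atomic propositions; class and function names are this example's own.

class Buchi:
    """states; init; delta: dict state -> set of (letter, successor); accept: the single accept set of an LBA."""
    def __init__(self, states, init, delta, accept):
        self.states, self.init, self.delta, self.accept = set(states), set(init), delta, set(accept)

def find_accepting_lasso(a):
    """Nested DFS. The outer DFS explores reachable states; when it finishes an accept state s (post-order),
    an inner DFS looks for a path from s back to s. Returns (prefix, cycle), each a list of (state, letter)
    edges, or None when no accept state lies on a reachable cycle, i.e. when L_omega(a) is empty."""
    outer_seen, inner_seen, path, found = set(), set(), [], []

    def inner(s, target, cycle):
        for x, t in a.delta.get(s, ()):
            if t == target:
                found.append((list(path), cycle + [(s, x)]))
                return True
            if t not in inner_seen:          # inner_seen is shared by all inner searches
                inner_seen.add(t)
                if inner(t, target, cycle + [(s, x)]):
                    return True
        return False

    def outer(s):
        outer_seen.add(s)
        for x, t in a.delta.get(s, ()):
            if t not in outer_seen:
                path.append((s, x))          # path now spells a word from an initial state to t
                if outer(t):
                    return True
                path.pop()
        if s in a.accept:                    # post-order: path leads from an initial state to s
            inner_seen.add(s)
            return inner(s, s, [])
        return False

    for s0 in a.init:
        if s0 not in outer_seen and outer(s0):
            return found[0]
    return None

def lasso_word(lasso):
    """The accepted word as (prefix letters, repeated letters)."""
    prefix, cycle = lasso
    return [x for _, x in prefix], [x for _, x in cycle]

# Sample (constructed): the two-node graph for p U q from the accept-state slides. Node 'pending' carries
# the obligation p U q; a letter containing q discharges it (edge to 'done', the node with no obligations),
# a letter containing p keeps it pending ({p,q} allows both choices). 'done' loops on every letter.
P, Q, PQ = frozenset({'p'}), frozenset({'q'}), frozenset({'p', 'q'})

def until_automaton(letters, accept):
    delta = {'pending': set(), 'done': {(x, 'done') for x in letters}}
    for x in letters:
        if 'q' in x:
            delta['pending'].add((x, 'done'))
        if 'p' in x:
            delta['pending'].add((x, 'pending'))
    return Buchi(['pending', 'done'], ['pending'], delta, accept)

# Alphabet restricted to {p}: this plays the role of the product with a system in which q never holds.
FLAWED = until_automaton([P], accept=['pending', 'done'])   # no real accept condition: accepts p^omega
FIXED = until_automaton([P], accept=['done'])                # the accept state breaks the pending cycle
```

On FLAWED the search reports the lasso pω (empty prefix, the self-loop on 'pending' repeated), which is exactly the spurious run the accept-state slides warn about; on FIXED the only accept state is unreachable when q never holds, so the language is empty and the check returns None.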

Overview (recap)

The pipeline diagram from the start of the talk, repeated here as we move from the property side to the system side: System → Model → State space → Büchi automaton (Asys).

The state space
  • Example (Promela; each process executes one atomic step per loop iteration):

    int i;

    proctype P1() {
      do
      :: true -> atomic { if
                          :: (i < 2) -> i = i + 1    /* blocks when i >= 2 */
                          fi }
      od
    }

    proctype P2() {
      do
      :: true -> atomic { if
                          :: (i != 2) -> i = 2
                          :: else     -> i = 0
                          fi }
      od
    }

    init { i = 0; run P1(); run P2(); }

The state space 2
  • A state consists of
    • all global variables
    • the local variables and program counter of every process
  • State space: all states reachable from the initial state by any interleaving of the processes
  • The state space must be finite
The state space 3

[Figure: the reachable states of the example, i=0 (P1 and P2 enabled), i=1 (P1 and P2 enabled), i=2 (only P2 enabled).]

State space → LBA
  • Convert states to proposition tables
    • Get all propositions from the LTL expression
    • In each state
      • Change the label to the set of all satisfied propositions
State space → LBA 2
  • Propositions:

    p := (i <= 0)
    q := (i == 1)
    r := (i >= 2)

[Figure: the state space relabelled, i=0 → {p}, i=1 → {q}, i=2 → {r}.]

State space → LBA 3
  • Make all paths infinite (e.g. give a state without successors a self-loop)
  • Make all states accepting
    • The product with A¬φ is now the normal DFA product: since every state of Asys is accepting, only A¬φ's accept set matters
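Added example, not from the slides: the three State space → LBA slides carried out on the Promela program above. The two step functions are this example's hand translation of the proctypes (the shared int i is the whole state, since neither process has local variables or more than one program-counter location); the labelling convention (a transition reads the label of its source state) and all names are assumptions of the example.

```python
# Added example (not from the slides): enumerate the state space of the two-process Promela program
# and turn it into A_sys. The transition functions are a hand translation of the two proctypes.

def p1_step(i):
    """P1: atomic { if :: (i < 2) -> i = i + 1 fi }. Blocked (no successor) when i >= 2."""
    return [i + 1] if i < 2 else []

def p2_step(i):
    """P2: atomic { if :: (i != 2) -> i = 2 :: else -> i = 0 fi }. Always enabled."""
    return [2] if i != 2 else [0]

PROCESSES = {'P1': p1_step, 'P2': p2_step}

def explore(initial, processes):
    """Reachability from the initial state under arbitrary interleaving: each edge is one process's
    atomic step. Returns the reachable states and edges: dict state -> set of (process name, successor).
    Terminates only if the state space is finite, which is why the slides require it."""
    todo, states, edges = [initial], {initial}, {}
    while todo:
        s = todo.pop()
        edges[s] = set()
        for name, step in processes.items():
            for t in step(s):
                edges[s].add((name, t))
                if t not in states:
                    states.add(t)
                    todo.append(t)
    return states, edges

# The propositions from the slide; in general they are collected from the LTL formula being checked.
PROPOSITIONS = {'p': lambda i: i <= 0, 'q': lambda i: i == 1, 'r': lambda i: i >= 2}

def label(state, props=PROPOSITIONS):
    """Replace the concrete state by the set of propositions it satisfies (a letter of 2^AP)."""
    return frozenset(name for name, holds in props.items() if holds(state))

class Buchi:
    def __init__(self, states, init, delta, accept):
        self.states, self.init, self.delta, self.accept = set(states), set(init), delta, set(accept)

def to_lba(states, edges, initial, props=PROPOSITIONS):
    """State space -> A_sys. Each transition s -> t reads label(s), so a run spells the labels of the
    states it passes through (convention assumed here). A state with no enabled process gets a
    self-loop, so every path is infinite; every state is accepting, so the later product with the
    property automaton needs only the property's accept set (plain DFA product)."""
    delta = {}
    for s in states:
        succ = {t for _, t in edges.get(s, ())} or {s}      # make all paths infinite
        delta[s] = {(label(s, props), t) for t in succ}
    return Buchi(states, [initial], delta, states)

STATES, EDGES = explore(0, PROCESSES)
A_SYS = to_lba(STATES, EDGES, 0)
```

Running it reproduces the picture from the slides: three states, P1 and P2 both enabled at i=0 and i=1, only P2 enabled at i=2, labelled {p}, {q} and {r} respectively. The deadlock handling is only exercised by the test, since P2 keeps this particular program from ever getting stuck.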
The rest
  • Is in chapter 5
References
  • G. J. Holzmann: An improved protocol reachability analysis technique.
  • O. Lichtenstein, A. Pnueli: The glory of the past.
  • R. Gerth et al.: Simple on-the-fly automatic verification of linear temporal logic.
  • K. Etessami, G. J. Holzmann: Optimizing Büchi automata.
  • A. M. Mikkelsen: On-the-fly model checking in Design/CPN.
  • G. J. Holzmann: The model checker SPIN.
Exercises
  • Exercises 8, 9, 10 (s3 should be s2), 12
  • Derive the semantics of the dual of U (release) from the semantics of U, and give an intuitive explanation.