LTL – model checking


### LTL – model checking

Jonas Kongslund

Peter Mechlenborg

Christian Plesner

Kristian Støvring Sørensen

Overview

(Overview figure: the flow through the model checker.)

System → Model → State space → Büchi automaton (Asys)

Negation of property → PLTL-formula () → Normal-form formula → Graph → Generalised Büchi automaton → Büchi automaton (A )

Product automaton (Asys A ) → Checking emptiness → Yes! / No!

Büchi Automata
• Def.: Labelled Büchi Automaton

Büchi Automata 2
• Def.: Run of an LBA

Büchi Automata 3
• Example: Σ = {a,b,c,d,e}

(Figure: an LBA whose states are labelled {a,d}, {b} and {c}; it accepts the ω-language (a|d)(bc+)ω.)

Büchi Automata 4
• Let Σ = 2^AP where AP is the set of atomic propositions.
• For each PLTL formula φ one can construct an LBA Aφ s.t. Lω(Aφ) is the set of sequences of sets of atomic propositions that satisfy φ.

Büchi Automata 5
• Def.: Generalised LBA
Getting Normal

LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty?

• Eliminate F and G operators
• Make negations adjacent to atomic propositions
• Example:

Getting Normal 2
• Past operators do not add any expressive power to LTL
• Why are they useful?
• Past operators are not easily expressed with future operators

Getting Normal 3
• Past operators do not add any expressive power to LTL
• Why are they useful?
• Past operators are not easy to translate to normal form
• Possible exponential blowup
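The two normal-form steps above (eliminate F and G, then push negations down to the atomic propositions), as an added Python example that is not the slides' code. Formulas are nested tuples, an assumed encoding, and the dual of U is written R (release).

```python
# Normal form for PLTL formulas, following the two steps on the slide (added
# example, not the slides' code). Formulas are nested tuples, an assumed
# encoding: ('true',), ('false',), ('ap', x), ('not', f), ('and', f, g),
# ('or', f, g), ('X', f), ('F', f), ('G', f), ('U', f, g) and ('R', f, g),
# where R (release) is the dual of U and absorbs the negation of an 'until'.
DUAL = {'and': 'or', 'or': 'and', 'U': 'R', 'R': 'U'}

def normal_form(f):
    """Return an equivalent formula without F/G and with negations on atoms only."""
    kind = f[0]
    if kind in ('true', 'false', 'ap'):
        return f
    if kind == 'F':                                    # F a  ==  true U a
        return normal_form(('U', ('true',), f[1]))
    if kind == 'G':                                    # G a  ==  false R a
        return normal_form(('R', ('false',), f[1]))
    if kind == 'X':
        return ('X', normal_form(f[1]))
    if kind in DUAL:
        return (kind, normal_form(f[1]), normal_form(f[2]))
    assert kind == 'not', f
    g = f[1]
    if g[0] == 'ap':
        return f                                       # already adjacent to an atom
    if g[0] == 'not':
        return normal_form(g[1])                       # double negation
    if g[0] in ('true', 'false'):
        return ('false',) if g[0] == 'true' else ('true',)
    if g[0] == 'X':                                    # not X a  ==  X not a
        return ('X', normal_form(('not', g[1])))
    if g[0] in ('F', 'G'):                             # eliminate first, then push
        return normal_form(('not', normal_form(g)))
    # De Morgan and the U/R duality: not (a U b) == (not a) R (not b), etc.
    return (DUAL[g[0]], normal_form(('not', g[1])), normal_form(('not', g[2])))

def is_normal(f):
    """The slide's two conditions: no F or G, and negations only on atoms."""
    if f[0] in ('F', 'G'):
        return False
    if f[0] == 'not':
        return f[1][0] == 'ap'
    return all(is_normal(sub) for sub in f[1:] if isinstance(sub, tuple))
```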
Normal Form → GLBA

• Overall idea: a node in the graph represents a state; an edge represents a step forward in time. Each node contains the formulas that must be true at that time; view these formulas as proof obligations:
• Atomic propositions: check for contradictions
• Conjunctions: check both clauses
• Disjunctions: split into two nodes and allow a nondeterministic choice
• Next: push the proof obligation to the successors
• Until and its evil twin: unfold recursively on demand

(Figure: the generated graph, with nodes labelled {{q}, {p, q}}, Ø and {{p}, {p, q}}.)

Accept states

Definition of strict p U q:

Sooner or later, q must happen!

(Figure: the graph for p U q, with nodes labelled {{q}, {p, q}}, Ø and {{p}, {p, q}}.)

(Remember, every run is accepted, since the set of accept sets is empty)

Problem: The automaton accepts pω!

Solution: Insert accept states to break the cycle (not needed for U).
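The graph construction of the Normal Form → GLBA slide and the accept-set rule of the accept-states slides, as one added Python example that is not the slides' code. Each node carries proof obligations that are discharged one at a time, 'until' is unfolded on demand, and one accept set per 'until' breaks the pω cycle; formulas are nested tuples (an assumed encoding, R being the dual of U) and a node's label is given as the atoms it requires.

```python
# Normal-form formula -> GLBA by the slide's proof-obligation expansion (added
# example, not the slides' code). Formulas are nested tuples, an assumed
# encoding: ('ap', x), ('not', ('ap', x)), ('and', f, g), ('or', f, g),
# ('X', f), ('U', f, g) and ('R', f, g), with R (release) the dual of U.
def build_glba(phi):
    states, edges, todo = {}, set(), []  # (old, next) -> id; (src, dst); unexpanded

    def expand(new, old, nxt, src):
        """Discharge one obligation from `new`; `src` is the predecessor node."""
        if not new:                                    # node fully processed
            key = (frozenset(old), frozenset(nxt))
            if key not in states:
                states[key] = len(states)
                todo.append(key)
            edges.add((src, states[key]))
            return
        f = next(iter(new)); rest = new - {f}
        if f in old:                                   # already discharged here
            return expand(rest, old, nxt, src)
        kind = f[0]
        if kind in ('ap', 'not'):                      # atoms: check contradictions
            neg = ('not', f) if kind == 'ap' else f[1]
            if neg not in old:
                expand(rest, old | {f}, nxt, src)
        elif kind == 'and':                            # both clauses
            expand(rest | {f[1], f[2]}, old | {f}, nxt, src)
        elif kind == 'or':                             # split into two nodes
            expand(rest | {f[1]}, old | {f}, nxt, src)
            expand(rest | {f[2]}, old | {f}, nxt, src)
        elif kind == 'X':                              # push to the successors
            expand(rest, old | {f}, nxt | {f[1]}, src)
        elif kind == 'U':          # a U b == b or (a and X(a U b)), on demand
            expand(rest | {f[2]}, old | {f}, nxt, src)
            expand(rest | {f[1]}, old | {f}, nxt | {f}, src)
        elif kind == 'R':          # a R b == (a and b) or (b and X(a R b))
            expand(rest | {f[1], f[2]}, old | {f}, nxt, src)
            expand(rest | {f[2]}, old | {f}, nxt | {f}, src)

    expand({phi}, set(), set(), 'init')                # 'init' is a pseudo-node
    while todo:
        key = todo.pop()
        expand(set(key[1]), set(), set(), states[key])  # successors owe `next`
    # One accept set per 'until': a node is in it unless it owes a U b and lacks b.
    untils = {f for old, _ in states for f in old if f[0] == 'U'}
    accept = [{i for (old, _), i in states.items() if u not in old or u[2] in old}
              for u in untils]
    labels = {i: frozenset(f[1] for f in old if f[0] == 'ap')  # atoms required
              for (old, _), i in states.items()}
    return labels, edges, accept
```

For p U q this yields three nodes (one requiring q, one requiring p that owes p U q to its successors, and one with no obligations), and the single accept set excludes only the node that still owes p U q.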

Un-generalizing GLBAs

The generated automaton may have more than one set of accept states (one for each ‘until’ in the original formula).

Duplicate the automaton. When leaving an accept state, jump to the next copy. Keep only one set of accept states.

Combining the two LBAs

Wanted: an automaton accepting the intersection of the two languages.

(Figure: the two LBAs to be combined.)

By the ordinary DFA product construction:

Problem: Requires accept states to be visited at the same time.

Solution: Use a GLBA with two accept sets, then reduce to an LBA.
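The product and un-generalising steps of the slides above, as one added Python example that is not the slides' code: the product is built as a GLBA with one accept set per component, then reduced to an LBA by copying it once per accept set. The dict representation of an LBA and the two sample automata are assumed and constructed.

```python
# Product via a GLBA with two accept sets, then degeneralisation (added example,
# not the slides' code). An LBA is a dict, an assumed representation: 'init',
# 'edges' (state -> list of successors), 'label' (state -> frozenset of the
# letters the state reads) and 'accept' (set of states).
def product_glba(a, b):
    """Ordinary DFA product on pairs, keeping the two accept sets separate."""
    init = (a['init'], b['init'])
    edges, label, todo = {}, {}, [init]
    while todo:
        st = todo.pop()
        if st in edges:
            continue
        s, t = st
        label[st] = a['label'][s] & b['label'][t]
        # A pair reads only the letters both components agree on; with none it
        # is a dead end that no run can pass through.
        edges[st] = ([(s2, t2) for s2 in a['edges'][s] for t2 in b['edges'][t]]
                     if label[st] else [])
        todo.extend(edges[st])
    accept_sets = [{st for st in edges if st[0] in a['accept']},
                   {st for st in edges if st[1] in b['accept']}]
    return {'init': init, 'edges': edges, 'label': label, 'accept_sets': accept_sets}

def degeneralize(g):
    """k accept sets -> k copies; leaving a state of F_i in copy i jumps to i+1."""
    k = len(g['accept_sets'])
    if k == 0:                          # no accept sets: every run is accepted
        return {'init': g['init'], 'edges': g['edges'], 'label': g['label'],
                'accept': set(g['edges'])}
    edges, label = {}, {}
    for st, succ in g['edges'].items():
        for i in range(k):
            j = (i + 1) % k if st in g['accept_sets'][i] else i
            edges[(st, i)] = [(s2, j) for s2 in succ]
            label[(st, i)] = g['label'][st]
    # Only copy 0's F_0 states count: returning to one means every F_i was
    # visited on the way round, so all accept sets are hit infinitely often.
    accept = {(st, 0) for st in g['accept_sets'][0]}
    return {'init': (g['init'], 0), 'edges': edges, 'label': label, 'accept': accept}

# Constructed sample: a system alternating the letters p and q (all states
# accepting, as for a state space) and a formula automaton that must read q
# infinitely often (its accept state v reads only q).
SYS = {'init': 0, 'edges': {0: [1], 1: [0]},
       'label': {0: frozenset('p'), 1: frozenset('q')}, 'accept': {0, 1}}
PHI = {'init': 'u', 'edges': {'u': ['u', 'v'], 'v': ['u']},
       'label': {'u': frozenset('pq'), 'v': frozenset('q')}, 'accept': {'v'}}
PRODUCT = degeneralize(product_glba(SYS, PHI))
```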

The emptiness problem

How do we do it?

Find an appropriate cycle in the LBA – if no such cycle exists, the language is empty.

Why does this work?

Theorem 17.

Seriously, why?

In order for the language to be non-empty, there must be an infinite run of the automaton that visits an accept state infinitely often. This means that there has to be a reachable cycle containing an accept state.
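The cycle search described above, as an added Python example that is not the slides' code: a nested depth-first search that, when backtracking from an accept state, looks for a path back to it. The adjacency-list representation and the sample automaton are assumed and constructed.

```python
# Emptiness check for an LBA by nested DFS (added example, not the slides'
# code). The language is non-empty iff some reachable cycle contains an accept
# state; the outer DFS visits states in post-order and, on backtracking from an
# accept state, the inner DFS searches for a path back to it.
def accepting_cycle(edges, init, accept):
    """Return (prefix, cycle) for a counterexample run, or None if empty."""
    outer_seen, inner_seen = set(), set()   # inner marks persist across searches

    def inner(s, target, path):
        for t in edges.get(s, ()):
            if t == target:
                return path + [t]            # closed the cycle through target
            if t not in inner_seen:
                inner_seen.add(t)
                found = inner(t, target, path + [t])
                if found:
                    return found
        return None

    def outer(s, path):
        outer_seen.add(s)
        for t in edges.get(s, ()):
            if t not in outer_seen:
                found = outer(t, path + [t])
                if found:
                    return found
        if s in accept:                      # post-order: children done first
            cycle = inner(s, s, [])
            if cycle:
                return path, cycle           # prefix reaches s, cycle returns to s
        return None

    return outer(init, [init])

# Constructed sample: 0 -> 1 -> 2 -> 1 and 1 -> 3 -> 3. With accept = {2} a
# cycle through an accept state exists (non-empty); with accept = {0} no cycle
# passes an accept state, so the language is empty.
SAMPLE = {0: [1], 1: [2, 3], 2: [1], 3: [3]}
```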

The state space
• Example (Promela):

```promela
int i;

proctype P1() {
  do
  :: true -> atomic { if :: (i < 2) -> i = i + 1 fi }
  od
}

proctype P2() {
  do
  :: true -> atomic { if :: (i != 2) -> i = 2
                         :: else      -> i = 0
                      fi }
  od
}

init { i = 0; run P1(); run P2(); }
```

The state space 2
• A state consists of
  • all global vars.
  • local vars. and program counter in all processes
• State space: all possible simulations from the initial state
• State space must be finite

The state space 3

(Figure: the three reachable states i=0, i=1 and i=2. In i=0 and i=1 both P1 and P2 are enabled; in i=2 only P2 is enabled.)

State space → LBA
• Convert states to proposition tables
• Get all propositions from the LTL expression
• In each state, change the label to the set of all satisfied propositions

(Figure: the states relabelled: i=0 carries p, i=1 carries q, i=2 carries r.)

State space → LBA 2
• Propositions:

p := (i <= 0)

q := (i == 1)

r := (i >= 2)

State space → LBA 3
• Make all paths infinite
• Make all states accepting
• Product is now normal DFA product
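The state-space exploration of the P1/P2 example and its conversion to an LBA (relabel with the satisfied propositions, make all paths infinite, make every state accepting), as an added Python example that is not the slides' code. It follows the slides' abstraction of a state to the value of i; the stutter self-loop for dead ends is an assumption.

```python
# Reachable state space of the slides' Promela example, then its conversion to
# an LBA (added example, not the slides' code). As on the slides, a state is
# abstracted to the value of i: each process step is one atomic block, and P1's
# 'if' has no else branch, so P1 blocks (is not enabled) once i >= 2.
def step_p1(i):
    return i + 1 if i < 2 else None          # None: P1 not enabled in this state

def step_p2(i):
    return 2 if i != 2 else 0                # always enabled

PROCS = {'P1': step_p1, 'P2': step_p2}
# Propositions taken from the LTL formula, as defined on the slide.
PROPS = {'p': lambda i: i <= 0, 'q': lambda i: i == 1, 'r': lambda i: i >= 2}

def state_space(init=0):
    """Explore every interleaving from init; return (edges, enabled) per state."""
    edges, enabled, todo = {}, {}, [init]
    while todo:
        i = todo.pop()
        if i in edges:
            continue
        steps = {name: f(i) for name, f in PROCS.items() if f(i) is not None}
        enabled[i] = sorted(steps)                      # which processes may move
        edges[i] = sorted(set(steps.values()))          # resulting states
        todo.extend(edges[i])
    return edges, enabled

def to_lba(edges, init=0):
    """State space -> LBA: make all paths infinite, relabel each state with the
    propositions it satisfies, and make every state accepting."""
    # A dead-end state gets a stutter self-loop (assumed; the slide only says
    # 'make all paths infinite'). The example has no dead ends.
    edges = {i: succ or [i] for i, succ in edges.items()}
    labels = {i: frozenset(n for n, holds in PROPS.items() if holds(i))
              for i in edges}
    return {'init': init, 'edges': edges, 'label': labels, 'accept': set(edges)}

EDGES, ENABLED = state_space()
LBA = to_lba(EDGES)
```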
The rest
• Is in chapter 5
Exercises
• Exercises 8, 9, 10 (s3 should be s2), 12
• Derive the semantics of U from the semantics of U, and give an intuitive explanation.