LTL Model Checking

Flavio Lerda

Post on 22-Dec-2015

LTL Model Checking

• LTL
  – Subset of CTL* of the form A f, where f is a path formula
• LTL model checking
  – Model checking of a property expressed as an LTL formula
  – Given a model M and an initial state s0:
    M, s0 ╞ A f


LTL Formulas

• Subset of CTL*
  – Distinct from CTL
    • AFG p is an LTL formula, and no CTL formula f equals AFG p
• Contains a single universal quantifier
  – The path formula f holds for every path
• Commonly:
  – A is omitted
  – G is replaced by □ (box or always)
  – F is replaced by ◇ (diamond or eventually)


Examples of LTL formulas

• Always eventually p (□◇ p)
  – AGF p or AG AF p
• Always after p eventually q (□(p -> ◇ q))
  – AG (p -> F q) or AG (p -> AF q)
• Fairness
  – ( p ) – A ((GF p) )
  – Not a CTL formula


LTL Semantics

• Derived from the CTL* semantics
• Given an infinite execution trace = s0 s1 …

╞ p p(s0)╞ ¬ ¬( ╞ )

╞ 1 2 ╞ 1 ╞ 2

╞ 1 2 ╞ 1 ╞ 2

╞ i 0 i╞ ╞ i 0 i╞ ╞ 1 U 2i 0 i╞ 2 0 j< i j╞ 1


LTL Model Checking

• Given a model M and an LTL formula
  – All traces of M must satisfy
  – If a trace of M does not satisfy
    • Counterexample
• M is the set of traces of M
  is the set of traces that satisfy
  M
• Equivalently M ¬ =


Büchi Automata

• Automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple S, I, , F
  – S is a finite set of states
  – I S is a set of initial states
  – S S is a transition relation
  – F S is a set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often


Example

States: S0 S1 S2 (automaton diagram not captured in the transcript)

1 = S0 S1 S2 S2 S2 S2 …  ACCEPTED
2 = S0 S1 S2 S1 S2 S1 …  ACCEPTED
3 = S0 S1 S2 S1 S1 S1 …  REJECTED


Büchi Automata

• Büchi automata are non-deterministic:
  – The next state is not uniquely defined: is a transition relation, not a transition function
• Deterministic Büchi automata are not equivalent to (non-deterministic) Büchi automata:
  – Not every Büchi automaton can be converted into an equivalent deterministic one
  – There exists no optimal and efficient minimization algorithm for non-deterministic automata


LTL and Büchi Automata

• LTL formula
  – Represents a set of infinite traces which satisfy such formula
• Büchi automaton
  – Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula


Labeled Büchi Automata

• Given a set of atomic propositions P
  – Define a labeling function : S 2P
  – Each state is assigned a set of propositions that must be true
  – All the other propositions must be false
• Similar to the labeling for the model M


LTL Model Checking

• Given a model M and an LTL formula
  – Build the Büchi automaton B¬
  – Compute the product of M and B¬
    • Each state of M is labeled with propositions
    • Each state of B¬ is labeled with propositions
    • Match states with the same labels
  – The product accepts the traces of M that are also traces of B¬ (M ¬)
  – If the product accepts any sequence
    • We have found a counterexample


Nested Depth First Search

• The product is a Büchi automaton
• How do we find accepted sequences?
  – Accepted sequences must contain a cycle
    • In order to contain accepting states infinitely often
  – We are interested only in cycles that contain at least one accepting state
  – During the depth first search, start a second search when we are in an accepting state
    • If we can reach the same state again we have a cycle (and a counterexample)

Example (two diagram-only slides; the drawings are not captured in the transcript)

Nested Depth First Search

procedure DFS(s)
  visited = visited ∪ {s}
  for each successor s' of s
    if s' ∉ visited then
      DFS(s')
      if s' is accepting then
        DFS2(s', s')
      end if
    end if
  end for
end procedure


Nested Depth First Search

procedure DFS2(s, seed)
  visited2 = visited2 ∪ {s}
  for each successor s' of s
    if s' = seed then
      return "Cycle Detected"
    end if
    if s' ∉ visited2 then
      DFS2(s', seed)
    end if
  end for
end procedure
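The two procedures above, written out as runnable Python and returning the counterexample lasso (prefix and cycle) instead of just "Cycle Detected". This is an added example, not the slides' code; the product automaton is a constructed toy (states are strings, `succ` maps a state to its successors, `accepting` is the set F). One difference from the slide: the second search is started from the state itself once its own subtree is finished, so an accepting initial state is covered too.

```python
# Added example (not from the slides): nested depth-first search over an
# explicit product automaton, reporting the accepting lasso it finds.

def nested_dfs(initial, succ, accepting):
    """Return (prefix, cycle) of an accepted lasso reachable from `initial`,
    or None when no accepting cycle exists (the property holds)."""
    visited, visited2 = set(), set()   # visited2 is shared by all second searches
    path = []                          # current first-search path from `initial`

    def dfs2(s, seed, trail):
        # Second search: can we get from the accepting `seed` back to itself?
        visited2.add(s)
        for t in succ.get(s, ()):
            if t == seed:
                return trail + [s]             # cycle closes at seed
            if t not in visited2:
                cyc = dfs2(t, seed, trail + [s])
                if cyc is not None:
                    return cyc
        return None

    def dfs(s):
        visited.add(s)
        path.append(s)
        for t in succ.get(s, ()):
            if t not in visited:
                result = dfs(t)
                if result is not None:
                    return result
        # Post-order: the second search starts only after s's subtree is fully
        # explored; this is what makes a single shared visited2 set sound.
        if s in accepting:
            cyc = dfs2(s, s, [])
            if cyc is not None:
                return (path[:-1], cyc)        # prefix reaches s, cycle starts at s
        path.pop()
        return None

    return dfs(initial)

# Constructed product automaton: q3 is accepting and has a self-loop, so the
# property is violated and the search must report the lasso q0 q1 (q3)^omega.
PRODUCT = {"q0": ["q1"], "q1": ["q2", "q3"], "q2": ["q1"], "q3": ["q3"]}
ACCEPTING = {"q3"}

if __name__ == "__main__":
    print(nested_dfs("q0", PRODUCT, ACCEPTING))   # (['q0', 'q1'], ['q3'])
```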


Generating Büchi Automata

• We need a procedure to generate a Büchi automaton given an LTL formula
  – Efficiently
• Formulas are usually small
• The Büchi automaton is exponential in the size of the formula
• The cost of model checking is polynomial in the size of the automaton
• Non-deterministic Büchi automata are not equivalent to deterministic Büchi automata
  – Cannot use automata minimization algorithms
• Finding the minimal automaton is NP-complete


Approach

• Formula rewriting
  – Rewrite the formula in negation normal form
  – Apply rewriting rules
• Core translation
  – Turns an LTL formula into a generalized Büchi automaton
• Degeneralization
  – Turns a generalized Büchi automaton into a Büchi automaton


Rewriting

• Negation normal form
  – Negation appears only in front of literals
  – Use the following identities
    • ¬¬ =
    • ¬G = F ¬
    • ¬F = G ¬
    • ¬( U ) = (¬) V (¬)
    • ¬( V ) = (¬) U (¬)
• V (sometimes R) is the Release operator
  – Dual of Until
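The identities above as a rewriting function, added here as an example (not the slides' code). Formulas are atoms (strings) or tuples; the rules for X and for the boolean connectives (De Morgan) are not listed on the slide and are assumed here so that any formula can be rewritten.

```python
# Added example (not the slides' code): rewriting into negation normal form.
# Formulas: atoms are strings; compound formulas are tuples ("not", f),
# ("X"|"G"|"F", f) or ("and"|"or"|"U"|"V", f, g).

def neg(f):
    return ("not", f)

def nnf(f):
    """Push every negation down until it sits in front of an atom."""
    if isinstance(f, str):
        return f
    if f[0] != "not":                          # no negation here: recurse
        return (f[0],) + tuple(nnf(g) for g in f[1:])
    g = f[1]
    if isinstance(g, str):
        return f                               # a negated atom is a literal
    op = g[0]
    if op == "not":                            # not not phi = phi
        return nnf(g[1])
    if op == "G":                              # not G phi = F not phi
        return ("F", nnf(neg(g[1])))
    if op == "F":                              # not F phi = G not phi
        return ("G", nnf(neg(g[1])))
    if op == "U":                              # not (phi U psi) = (not phi) V (not psi)
        return ("V", nnf(neg(g[1])), nnf(neg(g[2])))
    if op == "V":                              # not (phi V psi) = (not phi) U (not psi)
        return ("U", nnf(neg(g[1])), nnf(neg(g[2])))
    if op == "X":                              # assumed (not on the slide): not X phi = X not phi
        return ("X", nnf(neg(g[1])))
    if op == "and":                            # assumed (not on the slide): De Morgan
        return ("or", nnf(neg(g[1])), nnf(neg(g[2])))
    if op == "or":
        return ("and", nnf(neg(g[1])), nnf(neg(g[2])))
    raise ValueError(f"unknown operator {op!r}")

def is_nnf(f):
    """True iff negation appears only in front of atoms."""
    if isinstance(f, str):
        return True
    if f[0] == "not":
        return isinstance(f[1], str)
    return all(is_nnf(g) for g in f[1:])

if __name__ == "__main__":
    # Constructed input: the negation of "always after p eventually q",
    # G(p -> F q), with p -> F q written as (not p) or F q
    phi = neg(("G", ("or", neg("p"), ("F", "q"))))
    print(nnf(phi))      # ('F', ('and', 'p', ('G', ('not', 'q'))))
```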


Rewriting

• Additional rewriting rules:
  – Reduce the size of the formula
  – They are not guaranteed to yield a smaller automaton
  – The size of the automaton is exponential in the size of the formula
• Examples:
  – (X ) U (X ) X ( U )
  – (X ) (X ) X ( )
  – GF GF GF ( )


Generalized Büchi Automata

• Büchi automaton with multiple sets of accepting states
• A generalized Büchi automaton is a 4-tuple S, I, , F
  – S is a finite set of states, I S is a set of initial states, S S is a transition relation (as before)
  – F = {F1, …, Fn} 2S is a set of sets of accepting states
• An infinite sequence of states is accepted iff it contains infinitely often accepting states from each of the accepting sets


Core Translation

• Make use of the following recurrence equations:
  – U = ( X( U ))
  – V = ( X( V ))
• The operator V (release) is the dual of U: V ( U)
• We need V (release) because we want the formula in negation normal form
  – Negation appears only in front of atomic propositions
• The core translation only handles , , U, V:
  – Rewriting of:
    • G = U false
    • F = true U


Example: F p

F p is rewritten as (T U p) and expanded using T U p = p (T X(T U p)); the nodes produced, in order, are:

Old:{} New:{T U p} Next:{}
Old:{T U p} New:{T} Next:{T U p}
Old:{T U p} New:{p} Next:{}
Old:{T U p} New:{} Next:{T U p}
Old:{T U p} Next:{T U p}
Old:{T U p, p} New:{} Next:{}
Old:{T U p, p} Next:{}
Old:{} New:{} Next:{}
Old:{} Next:{}

(Resulting automaton: states 1, 2, 3 with edge labels T, p, p; the diagram is not captured in the transcript)


Core Translation

• Node
  – Represents a sub-formula
  – Contains information about the past, the present and the future
    • Conjunction of formulas as sets
• State
  – Represents a state in the final automaton
  – States are the nodes that have been fully expanded


Core Translation

• Expansion
  – Select a formula from the New field
  – If it is a literal, add it to the Old field
  – Otherwise:
    • (New{},Next{}) and (New{},Next{})
    • U (New{},Next{ U }) and (New{},Next{})
    • V (New{},Next{ V }) and (New{,},Next{})
  – Based on the recurrences U ( X( U )) and V ( X( V ))


Core Translation

• Nodes to states
  – If a node has no New formulas:
    • Create a new node with all the Next formulas
    • Create an edge between the two nodes
  – Check if there is any equivalent state
    • With the same Next field
    • With the same Old field


Core Translation

• Accepting states
  – Generalized Büchi automaton
    • Multiple accepting sets
  – One for each Until sub-formula ( U )
  – Such that
    • The Old field doesn't contain U
    or
    • The Old field does contain
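The expansion step and the accepting-set test of the core translation (slides "Core Translation" above), as an added example that is not the slides' code. It implements the node-splitting rules for ∨, U and V as listed, the usual rule for ∧ (both conjuncts go to New, matching "conjunction of formulas as sets"), and drops T from Old as the F p example does; turning nodes into states and merging equivalent ones is left out.

```python
# Added example (not the slides' code): one expansion step of the core
# translation plus the accepting-set test. Formulas: atoms are strings and
# "T" is true; compound formulas are tuples ("and"|"or"|"U"|"V", a, b) or
# ("not", atom). A node is a dict with the frozenset fields Old, New, Next.

def node(old=(), new=(), nxt=()):
    return {"Old": frozenset(old), "New": frozenset(new), "Next": frozenset(nxt)}

def is_literal(f):
    return isinstance(f, str) or f[0] == "not"

def expand(n):
    """Pick one formula from New and return the node(s) that replace n.
    A literal moves to Old; and/or/U/V split as in the rules above."""
    if not n["New"]:
        return [n]                       # fully expanded: it becomes a state
    f = min(n["New"], key=repr)          # deterministic choice of the formula
    new, nxt = n["New"] - {f}, n["Next"]
    if f == "T":                         # true carries no obligation
        return [node(n["Old"], new, nxt)]
    old = n["Old"] | {f}
    if is_literal(f):
        return [node(old, new, nxt)]
    op, a, b = f
    if op == "and":                      # a and b: both must hold now
        return [node(old, new | {a, b}, nxt)]
    if op == "or":                       # a or b: branch on which holds now
        return [node(old, new | {a}, nxt), node(old, new | {b}, nxt)]
    if op == "U":                        # a U b = b or (a and X(a U b))
        return [node(old, new | {a}, nxt | {f}), node(old, new | {b}, nxt)]
    if op == "V":                        # a V b = b and (a or X(a V b))
        return [node(old, new | {b}, nxt | {f}), node(old, new | {a, b}, nxt)]
    raise ValueError(f"unknown operator {op!r}")

def in_accepting_set(state, until):
    """State is in the accepting set of until = (a U b) iff its Old field
    does not contain a U b, or it does contain b."""
    return until not in state["Old"] or until[2] in state["Old"]

if __name__ == "__main__":
    # Constructed input: the F p example above, rewritten as T U p
    U = ("U", "T", "p")
    for child in expand(node(new=[U])):
        print(child, "->", expand(child))
```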


Degeneralization

• Turn a generalized Büchi automaton into a Büchi automaton
• Consider as many copies of the automaton as the number of accepting sets
• Replace incoming edges from accepting states with edges to the next copy
• Each cycle must go through every copy
• Each cycle must contain accepting states from each accepting set
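The copy construction above in code, with a check that follows a lasso through the copies. This is an added example, not the slides' code; the generalized automaton is constructed for it (states are strings, `succ` maps a state to its successors, `acc_sets` is the list [F1, ..., Fn]), and the accepting states of the result are taken to be the F1 states of the first copy.

```python
# Added example (not from the slides): degeneralization with n copies, plus a
# check that a lasso of the GBA is accepted by the resulting Büchi automaton.

def degeneralize(states, initial, succ, acc_sets):
    """Build the Büchi automaton with n copies of the GBA: an edge leaving a
    state of F_i while in copy i goes to copy i+1 (mod n). Accepting states
    are the F_1 states of copy 0, so a cycle through them passes all copies."""
    n = len(acc_sets)
    ba_states = [(s, i) for s in states for i in range(n)]
    ba_succ = {}
    for s, i in ba_states:
        j = (i + 1) % n if s in acc_sets[i] else i
        ba_succ[(s, i)] = [(t, j) for t in succ.get(s, ())]
    ba_initial = [(s, 0) for s in initial]
    accepting = {(s, 0) for s in acc_sets[0]}
    return ba_states, ba_initial, ba_succ, accepting

def accepts_lasso(ba_succ, accepting, n, prefix, cycle):
    """Follow the GBA lasso prefix then cycle forever through the copies.
    It is accepted iff an accepting copy-state is still visited during the
    last n of 2n unrollings: the copy index gets stuck exactly when the
    cycle misses some F_i, and it can advance at most n-1 times before that."""
    cur = (prefix[0], 0)
    late_start = len(prefix) - 1 + n * len(cycle)
    accepted = False
    for k, s in enumerate(prefix[1:] + cycle * (2 * n)):
        (cur,) = [q for q in ba_succ[cur] if q[0] == s]   # copy index is forced
        if k >= late_start and cur in accepting:
            accepted = True
    return accepted

# Constructed GBA: q0 has seen neither a nor b, qa has seen a, qb has seen b,
# qab has seen both. F1 = the a obligation is discharged, F2 = the same for b.
GBA_STATES = ["q0", "qa", "qb", "qab"]
GBA_SUCC = {"q0": ["q0", "qa", "qb"], "qa": ["qa", "qab"],
            "qb": ["qb", "qab"], "qab": ["qab"]}
ACC_SETS = [{"qa", "qab"}, {"qb", "qab"}]

if __name__ == "__main__":
    _, _, ba_succ, acc = degeneralize(GBA_STATES, ["q0"], GBA_SUCC, ACC_SETS)
    print(accepts_lasso(ba_succ, acc, 2, ["q0", "qa"], ["qab"]))  # True
    print(accepts_lasso(ba_succ, acc, 2, ["q0"], ["qa"]))         # False
```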


Example: degeneralization of the automaton for F a F b (six diagram-only slides; the transcript retains only the edge labels T, a, b and the accepting-set marks 1, 2 and 1,2)


Optimizations

• Can be done at each stage
• Try to minimize
  – The number of states and transitions
  – The number of accepting states
• Involve
  – Strongly connected components
  – Fair (bi)simulation
• Expensive but
  – The Büchi automaton is usually small
  – The saving during verification can be very high