Implementing an LTL-to-Büchi Translator in Erlang
A ProTest Experience Report
Hans Svensson, Chalmers University of Technology
Edinburgh, 2009-09-05
Background
- McErlang was going public
- Encoding properties using hand-written Erlang monitors is not very user friendly
- Wanted to provide support for properties in LTL
- No existing LTL-to-Büchi implementation in Erlang (licensing issues, aesthetics)
LTL formulas
If AP is a non-empty and finite set of atomic propositions, the LTL formulas are:
- All p in AP are LTL formulas
- If and are LTL formulas, then , , X , U are LTL formulas
Linear Time Logic, i.e. discrete steps in a linear fashion.
- NeXt: X p is true if p is true in the next step
- Until: p U q is true if p is true in all steps until a step where q is true
For convenience additional operators are often defined, such as:
- Always: (true U )
- Eventually: true U

LTL Model Checking
- Specification (LTL formula)
- (Finite) model of the system (state-transition graph)
- Not directly checkable
- Close correspondence between LTL formulas and Büchi automata [Wolper et al. 83]
- McErlang can check against a Büchi automaton

Büchi automata
A Büchi automaton is a tuple consisting of:
- the alphabet
- Q, the finite set of states
- the transition relation, a subset of Q x alphabet x Q
- Q0, the set of initial states
- F, a subset of Q, the set of accepting states
A Büchi automaton accepts an infinite sequence iff there exists a path that visits an accepting state infinitely often.

Example (two states s1, s2 over the alphabet {a,b}):
  alphabet = {a,b}
  Q = {s1,s2}
  Q0 = {s1}
  transition relation = {(s1,a,s2), (s2,a,s2), (s2,b,s1), (s1,b,s1)}
  F = {s2}

Translating LTL to Büchi
Intuition: express everything in terms of Until. Repeatedly expand
  p U q = q (p X (p U q))
and keep track of equivalent steps.

Translation: three steps
1. Rewrite: use heuristics to simplify the LTL formula [Somenzi & Bloem 00]
2. Core translation: construct a basic Büchi automaton using repeated expansion (tableau-based algorithm) [Gerth et al. 96]
3. Reduce and optimize: apply simplification and reduction algorithms [Etessami & Holzmann 00]

Implementation
Quite straightforward from the literature!? NO! Don't start implementing just yet!
First think about properties for the system. In this case the properties are known in the literature! [Tauriainen & Heljanko 02]

Testing the translation
Translate a generated formula with one LTL-to-Büchi translator and its negation with another, build the intersection of the two resulting Büchi automata, and check it for emptiness: empty means OK, non-empty means Fail.

Testing using QuickCheck
Straightforward translation into a property:

    prop_test_ltl2buchi(LTL2B_1, LTL2B_2) ->
        ?FORALL(Phi, ltl_formula(),
                begin
                    BA1 = LTL2B_1(Phi),
                    BA2 = LTL2B_2(ltl:negate(Phi)),
                    BA1xBA2 = buchi:intersection(BA1, BA2),
                    buchi:is_empty(BA1xBA2)
                end).
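The oracle that property depends on, buchi:intersection and buchi:is_empty, as an added example in Python (not code from the slides or from Erlang-LTL2Buchi): a product construction for two Büchi automata and an emptiness check, exercised on the two-state automaton from the slides (which accepts words with infinitely many a) and on a constructed automaton for its negation, which is exactly the check the property performs.

```python
from collections import deque

# Büchi automaton = (alphabet, states, delta, initial, accepting), as on the slide.
def successors(delta, state):  # delta is a set of (src, letter, dst) triples
    return [(x, dst) for (src, x, dst) in delta if src == state]

def intersection(a, b):
    """Product construction: a third 'track' component records whose accepting
    state is awaited, so a track-1 accepting product state recurs infinitely
    often only when both inputs accept infinitely often."""
    (sig_a, _, d_a, i_a, f_a), (sig_b, _, d_b, i_b, f_b) = a, b
    sigma, init = sig_a & sig_b, {(p, q, 1) for p in i_a for q in i_b}
    states, delta, work = set(), set(), deque(init)
    while work:
        s = work.popleft()
        if s in states:
            continue
        states.add(s)
        p, q, t = s
        # Leave track 1 after an accepting state of A, track 2 after one of B.
        t2 = 2 if (t == 1 and p in f_a) else 1 if (t == 2 and q in f_b) else t
        for (x, p2) in successors(d_a, p):
            for (y, q2) in successors(d_b, q):
                if x == y and x in sigma:
                    delta.add((s, x, (p2, q2, t2)))
                    work.append((p2, q2, t2))
    accept = {s for s in states if s[2] == 1 and s[0] in f_a}
    return (sigma, states, delta, init, accept)

def reachable(delta, start):  # states reachable by at least one transition
    seen, work = set(), deque(start)
    while work:
        for (_, dst) in successors(delta, work.popleft()):
            if dst not in seen:
                seen.add(dst)
                work.append(dst)
    return seen

def is_empty(ba):  # empty iff no accepting state is reachable and on a cycle
    (_, _, delta, init, accept) = ba
    from_init = reachable(delta, init)
    return not any(f in from_init and f in reachable(delta, [f]) for f in accept)

# Constructed data: the slide's two-state automaton (accepts 'infinitely many a')
# and a hand-built automaton for its negation, 'only finitely many a'.
SIGMA = {"a", "b"}
SLIDE_BA = (SIGMA, {"s1", "s2"}, {("s1", "a", "s2"), ("s2", "a", "s2"),
            ("s2", "b", "s1"), ("s1", "b", "s1")}, {"s1"}, {"s2"})
FIN_A_BA = (SIGMA, {"t1", "t2"}, {("t1", "a", "t1"), ("t1", "b", "t1"),
            ("t1", "b", "t2"), ("t2", "b", "t2")}, {"t1"}, {"t2"})
```

Intersecting the slide's automaton with the one for its negation yields an empty product (the OK case), while intersecting it with itself does not, which is the discrepancy the property would report as a counterexample.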
Generating LTL formulas

    ltl_formula() -> ?SIZED(Size, ltl_formula(Size)).

    ltl_formula(0) -> lprop();   % lprop(): generator for atomic propositions (not shown on the slides)
    ltl_formula(S) ->
        Smaller = ltl_formula(S div 2),
        oneof([{land, Smaller, Smaller},
               {lor, Smaller, Smaller},
               {next, ltl_formula(S - 1)},
               {eventually, ltl_formula(S - 1)},
               {always, ltl_formula(S - 1)},
               {lnot, ltl_formula(S - 1)}]).

Implementation
Almost trivial!! Implement the algorithms and check with QuickCheck.
Errors are found early, and counterexamples show where the errors are.
More tests were used, described in the paper.

Results
- Passes an extensive amount of QuickCheck tests
- Performs on par with (or better than) the reference implementations* (JavaPathExplorer LTL2Büchi and Wring)
* Disclaimer: only measured for random LTL formulas

Distribution
- Included in the McErlang distribution (only the translator)
- Full version can be retrieved from GitHub: http://github.com/hanssv/Erlang-LTL2Buchi/
- Test code and an example parser are included.

Conclusions
- Property Driven Development works!* (But we already knew that)
- Implementation gets simpler
- More confidence in correctness
* Although this project fits exceptionally well into the PDD idea

ProTest
This project was sponsored by the EU FP7 Collaborative project ProTest (grant number 215868)
http://www.protest-project.eu