LTL Model Checking
Radu Iosif ([email protected])
Linear Temporal Logic (LTL)
• Not exclusively for model checking
• Also meant for deduction (Manna, Pnueli)
• So, there must be some equations involving LTL terms
Kripke Structures
• AP = {p, q, r, …} is a set of atomic propositions
• K = <S, R, L> is a K-structure, where:
  – S is a finite set of states
  – R ⊆ S × S is a transition relation
  – L : S → P(AP) is a labeling function
• w = x0, x1, … is the word of the path π = s0, s1, … such that xi ∈ L(si) for all i ≥ 0
LTL Syntax
• p ∈ AP is a formula
• true is a formula
• if f, g are formulae, then:
  – ¬f
  – f ∨ g
  – X f
  – f U g
  are formulae
LTL Semantics
Defined on Kripke structures K = (S, R, L) and infinite paths π of K:
• K, π ⊨ true always
• K, π ⊨ p iff π = s0, s1, … and p ∈ L(s0)
• K, π ⊨ ¬f iff not K, π ⊨ f
• K, π ⊨ f ∨ g iff K, π ⊨ f or K, π ⊨ g
• K, π ⊨ X f iff π = s0, s1, s2, … and K, s1, s2, … ⊨ f
• K, π ⊨ f U g iff π = s0, s1, … and ∃k ≥ 0 . K, sk, sk+1, … ⊨ g and ∀ 0 ≤ i < k . K, si, si+1, … ⊨ f
LTL Syntactic Sugar
We write:
• false ≡ ¬true
• f ∧ g ≡ ¬(¬f ∨ ¬g)
• F g ≡ true U g
• G f ≡ ¬F(¬f)
• f W g ≡ (G f) ∨ (f U g) (weak until)
• f V g ≡ ¬(¬f U ¬g) (release)
LTL equations
• f U g = g ∨ (f ∧ X(f U g))
• f V g = g ∧ (f ∨ X(f V g)) = (g ∧ f) ∨ (g ∧ X(f V g))
• hold for every K, π, assuming that π is an infinite path
LTL model checking
The model checking problem:
• find whether a path π generated by a Kripke structure K is a model for an LTL formula f (notation K, π ⊨ f)
To model check an LTL formula f:
1. first negate it, then derive the negation normal form
2. then build an automaton A¬f out of the negated formula
3. the problem is reduced to finding out whether L(A¬f) ∩ L(K) = ∅
Negation normal form: example
¬((A U (B U C)) ∨ D) = ¬(A U (B U C)) ∧ ¬D
= (¬A V ¬(B U C)) ∧ ¬D
= (¬A V (¬B V ¬C)) ∧ ¬D
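Added example, not code from the slides: a direct implementation of the LTL semantics above on ultimately periodic (lasso-shaped) paths, used to check the two LTL equations position by position and to carry out the negation-normal-form rewriting of the example. The tuple encoding of formulas, the (path, loop) representation of a lasso, the function names and the sample paths are all constructions of this example.

```python
# Added example (not from the slides): LTL semantics on lasso paths, the
# expansion laws, and negation normal form. Formulas are nested tuples,
# a representation chosen for this example:
#   ('ap', 'p')  ('true',)  ('false',)  ('not', f)  ('and', f, g)  ('or', f, g)
#   ('X', f)  ('U', f, g)  ('V', f, g)  and the sugar ('F', f)  ('G', f)  ('W', f, g)

def desugar(f):
    """Rewrite F, G and W into the core connectives, as the slides define them."""
    kind = f[0]
    if kind in ('ap', 'true', 'false'):
        return f
    if kind in ('not', 'X'):
        return (kind, desugar(f[1]))
    if kind == 'F':                                   # F g == true U g
        return ('U', ('true',), desugar(f[1]))
    if kind == 'G':                                   # G f == not F (not f)
        return ('not', ('U', ('true',), ('not', desugar(f[1]))))
    if kind == 'W':                                   # f W g == (G f) or (f U g)
        g, h = desugar(f[1]), desugar(f[2])
        return ('or', desugar(('G', g)), ('U', g, h))
    return (kind, desugar(f[1]), desugar(f[2]))       # and, or, U, V

def nnf(f):
    """Push negations down to the atoms (core connectives only); U and V are dual."""
    kind = f[0]
    if kind != 'not':
        if kind in ('ap', 'true', 'false'):
            return f
        if kind == 'X':
            return ('X', nnf(f[1]))
        return (kind, nnf(f[1]), nnf(f[2]))
    g = f[1]
    dual = {'and': 'or', 'or': 'and', 'U': 'V', 'V': 'U'}
    if g[0] == 'ap':
        return f
    if g[0] == 'not':
        return nnf(g[1])
    if g[0] in ('true', 'false'):
        return ('false',) if g[0] == 'true' else ('true',)
    if g[0] == 'X':
        return ('X', nnf(('not', g[1])))
    return (dual[g[0]], nnf(('not', g[1])), nnf(('not', g[2])))

def holds(path, loop, f, i=0):
    """K, s_i s_i+1 ... |= f on the infinite path path[0..loop-1] (path[loop..])^omega.

    `path` is a list of label sets L(s_i); positions past the end wrap into
    the loop, so every suffix of the infinite path is reachable by index."""
    n = len(path)
    if i >= n:
        i = loop + (i - loop) % (n - loop)
    kind = f[0]
    if kind == 'true':
        return True
    if kind == 'false':
        return False
    if kind == 'ap':
        return f[1] in path[i]
    if kind == 'not':
        return not holds(path, loop, f[1], i)
    if kind == 'and':
        return holds(path, loop, f[1], i) and holds(path, loop, f[2], i)
    if kind == 'or':
        return holds(path, loop, f[1], i) or holds(path, loop, f[2], i)
    if kind == 'X':
        return holds(path, loop, f[1], i + 1)
    if kind == 'U':
        # exists k >= i with g at k and f at every i <= j < k; scanning up to
        # position n + (n - loop) visits every distinct suffix of the lasso
        for k in range(i, n + (n - loop)):
            if holds(path, loop, f[2], k):
                return True
            if not holds(path, loop, f[1], k):
                return False
        return False
    if kind == 'V':                                   # f V g == not (not f U not g)
        return not holds(path, loop, ('U', ('not', f[1]), ('not', f[2])), i)
    raise ValueError(f"unknown connective {kind!r}")

def satisfies(path, loop, f):
    return holds(path, loop, desugar(f))

def expansion_laws_hold(path, loop, f, g):
    """f U g = g or (f and X(f U g)) and f V g = g and (f or X(f V g)) at every position."""
    until, release = ('U', f, g), ('V', f, g)
    for i in range(len(path)):
        if holds(path, loop, until, i) != holds(path, loop, ('or', g, ('and', f, ('X', until))), i):
            return False
        if holds(path, loop, release, i) != holds(path, loop, ('and', g, ('or', f, ('X', release))), i):
            return False
    return True

def equivalent_on(path, loop, f, g):
    """Same truth value for f and g on every suffix of the lasso."""
    return all(holds(path, loop, f, i) == holds(path, loop, g, i) for i in range(len(path)))

P, Q = ('ap', 'p'), ('ap', 'q')
# constructed sample path: labels {p} {p} {q} and then {} forever (loop starts at index 3)
LASSO = [{'p'}, {'p'}, {'q'}, set()]
A, B, C, D = (('ap', x) for x in 'abcd')
PHI = ('or', ('U', A, ('U', B, C)), D)          # the formula negated in the slides' example

if __name__ == '__main__':
    print(satisfies(LASSO, 3, ('U', P, Q)))      # True
    print(expansion_laws_hold(LASSO, 3, P, Q))   # True
    print(nnf(('not', PHI)))
```

The U clause terminates because a lasso has finitely many distinct suffixes; scanning past the end of the loop once more would only revisit positions already checked. The release operator V is evaluated through its definition as the dual of U, which is exactly the duality the NNF rewriting relies on.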
Tableau
A tableau is a proof process represented by a graph, in which edges represent the steps actually taken by the prover, and nodes the intermediate states of the proof.
A node in the tableau consists of:
• name = unique name of the node
• incoming = set of ancestors
• new = current proof obligation
• old = already met proof obligation
• next = proof obligation in the next state
Tableau for p U q
name = Node1 incoming = {init}
new = {p U q} old = {} next = {}
Nodes = {}
Tableau for p U q
name = Node1 incoming = {init}
new = {p U q} old = {} next = {}
name = Node2 incoming = {init}
new = {q} old = {p U q} next = {}
name = Node3 incoming = {init}
new = {p} old = {p U q} next = {p U q}
Nodes = {}
Tableau for p U q
name = Node1 incoming = {init}
new = {p U q} old = {} next = {}
name = Node2 incoming = {init}
new = {q} old = {p U q} next = {}
name = Node3 incoming = {init}
new = {p} old = {p U q} next = {p U q}
Nodes = {}
name = Node2’ incoming = {init}
new = {} old = {q, p U q} next = {}
Tableau for p U q
Nodes = {2’}
name = Node2’ incoming = {init}
new = {} old = {q, p U q} next = {}
name = Node2’’ incoming = {Node2’}
new = {} old = {} next = {}
Tableau for p U q
Nodes = {2’, 2’’}
name = Node2’ incoming = {init}
new = {} old = {q, p U q} next = {}
name = Node2’’ incoming = {Node2’, Node2’’}
new = {} old = {} next = {}
name = Node2’’’ incoming = {Node2’’}
new = {} old = {} next = {}
Tableau for p U q
name = Node1 incoming = {init}
new = {p U q} old = {} next = {}
name = Node2 incoming = {init}
new = {q} old = {p U q} next = {}
name = Node3 incoming = {init}
new = {p} old = {p U q} next = {p U q}
Nodes = {2’, 2’’}
name = Node3’ incoming = {init}
new = {} old = {p, p U q} next = {p U q}
Tableau for p U q
Nodes ={2’, 2’’, 3’}
name = Node3 incoming = {init}
new = {p} old = {p U q} next = {p U q}
name = Node3’ incoming = {init}
new = {} old = {p, p U q} next = {p U q}
name = Node3’’ incoming = {Node3’}
new = {p U q} old = {} next = {}
Tableau for p U q
Nodes = {2’, 2’’, 3’}
name = Node3’’ incoming = {Node3’}
new = {p U q} old = {} next = {}
name = Node4 incoming = {Node3’}
new = {q} old = {p U q} next = {}
name = Node5 incoming = {Node3’}
new = {p} old = {p U q} next = {p U q}
Tableau for p U q
name = Node3’’ incoming = {Node3’}
new = {p U q} old = {} next = {}
name = Node4 incoming = {Node3’}
new = {q} old = {p U q} next = {}
name = Node5 incoming = {Node3’}
new = {p} old = {p U q} next = {p U q}
name = Node4’ incoming = {Node3’}
new = {} old = {q, p U q} next = {}
incoming(2’) = {init, Node3’}
Tableau for p U q
name = Node3’’ incoming = {Node3’}
new = {p U q} old = {} next = {}
name = Node4 incoming = {Node3’}
new = {q} old = {p U q} next = {}
name = Node5 incoming = {Node3’}
new = {p} old = {p U q} next = {p U q}
name = Node5’ incoming = {Node3’}
new = {} old = {p, p U q} next = {p U q}
incoming(3’) = {init, Node3’}
Resulting automaton
[Figure: the automaton obtained from the tableau. States: init, Node2’, Node3’, Node2’’. Transitions: init → Node2’ on {q}; init → Node3’ on {p}; Node3’ → Node3’ on {p}; Node3’ → Node2’ on {q}; Node2’ → Node2’’ on {} = true; Node2’’ → Node2’’ on {} = true.]
An LTL formula f is satisfied iff there exists an infinite path in Af containing an acceptance state infinitely often
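Added example, not code from the slides: the tableau expansion of the preceding slides, after Gerth, Peled, Vardi and Wolper, written out for formulas in negation normal form, together with the acceptance sets that encode the condition just stated (a U-obligation may not be postponed forever). The tuple encoding of formulas, the Node record, the function names and the returned dictionary layout are constructions of this example; run on p U q it reproduces the three nodes Node2’, Node3’, Node2’’ of the slides up to naming.

```python
# Added example (not from the slides): GPVW tableau construction for an LTL
# formula in negation normal form. Formulas are nested tuples, a convention
# of this example:
#   ('ap', 'p')  ('not', ('ap', 'p'))  ('true',)  ('false',)
#   ('and', f, g)  ('or', f, g)  ('X', f)  ('U', f, g)  ('V', f, g)
import itertools
from dataclasses import dataclass

_names = itertools.count(1)

@dataclass
class Node:
    name: str
    incoming: set   # names of ancestor nodes ('init' marks an initial node)
    new: set        # obligations still to be processed in this state
    old: set        # obligations already met in this state
    next: set       # obligations passed on to the next state

def fresh(incoming, new, old, next_):
    return Node(f"Node{next(_names)}", set(incoming), set(new), set(old), set(next_))

def negated(literal):
    return literal[1] if literal[0] == 'not' else ('not', literal)

def split(node, extra_new, extra_next):
    """Copy `node` for one branch of a disjunctive rule (or, U, V)."""
    return fresh(node.incoming, node.new | (set(extra_new) - node.old),
                 node.old, node.next | set(extra_next))

def expand(node, nodes):
    """Process one obligation of `node`; `nodes` is the list of finished nodes."""
    if not node.new:
        for done in nodes:                       # same old and next: merge the ancestors
            if done.old == node.old and done.next == node.next:
                done.incoming |= node.incoming
                return nodes
        nodes.append(node)                       # otherwise keep it and start its successor
        return expand(fresh({node.name}, node.next, set(), set()), nodes)
    f = min(node.new, key=repr)                  # deterministic choice of the next obligation
    node.new.remove(f)
    if f in node.old:
        return expand(node, nodes)
    kind = f[0]
    if kind == 'true':
        return expand(node, nodes)
    if kind == 'false' or (kind in ('ap', 'not') and negated(f) in node.old):
        return nodes                             # contradiction: the node is dropped
    node.old.add(f)
    if kind in ('ap', 'not'):
        return expand(node, nodes)
    if kind == 'and':
        node.new |= {f[1], f[2]} - node.old
        return expand(node, nodes)
    if kind == 'X':
        node.next.add(f[1])
        return expand(node, nodes)
    if kind == 'or':
        left, right = split(node, {f[1]}, set()), split(node, {f[2]}, set())
    elif kind == 'U':                            # f1 U f2 = f2 or (f1 and X(f1 U f2))
        left, right = split(node, {f[1]}, {f}), split(node, {f[2]}, set())
    else:                                        # f1 V f2 = f2 and (f1 or X(f1 V f2))
        left, right = split(node, {f[2]}, {f}), split(node, {f[1], f[2]}, set())
    return expand(right, expand(left, nodes))

def until_subformulas(f):
    out = {f} if f[0] == 'U' else set()
    for sub in f[1:]:
        if isinstance(sub, tuple):
            out |= until_subformulas(sub)
    return out

def build_automaton(f):
    """Generalised Büchi automaton for `f`: one acceptance set per U-subformula."""
    nodes = expand(fresh({'init'}, {f}, set(), set()), [])
    return {
        'states': {nd.name: nd for nd in nodes},
        'initial': {nd.name for nd in nodes if 'init' in nd.incoming},
        'edges': {(src, nd.name) for nd in nodes for src in nd.incoming if src != 'init'},
        # a state is entered on any letter agreeing with the literals in its old set
        'labels': {nd.name: {g for g in nd.old if g[0] in ('ap', 'not')} for nd in nodes},
        # f1 U f2 must not be postponed forever: accept where it is absent or f2 is met
        'accepting': {u: {nd.name for nd in nodes if u not in nd.old or u[2] in nd.old}
                      for u in until_subformulas(f)},
    }

P, Q = ('ap', 'p'), ('ap', 'q')
if __name__ == '__main__':
    aut = build_automaton(('U', P, Q))
    for name, nd in aut['states'].items():
        print(name, 'old =', nd.old, 'next =', nd.next, 'incoming =', nd.incoming)
```

For p U q the construction yields a state labelled {p} with a self-loop (the prover keeps postponing p U q), a state labelled {q} and a state labelled {} = true; only the last two are accepting, so the infinite path that stays in the {p} state forever is rejected, which is exactly what the acceptance condition above demands.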
Automata-Theoretic model checking
• Invented by Vardi and Wolper in the 80’s
• Implemented in SPIN in the 90’s
• The language intersection problem L(A¬f) ∩ L(K) = ∅ is reduced to:
  – computing the synchronous product A¬f × K
  – checking whether the synchronous product contains an acceptance cycle
  – if so, there exists a violation of f on some execution path of K
  – the model checker will show us the counterexample
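Added example, not code from the slides or from SPIN: the synchronous product of a Kripke structure with the Büchi automaton for the negated property, searched for an acceptance cycle by nested depth-first search, which returns the counterexample as a lasso of Kripke states. The automaton is the one for p U q from the tableau slides, transcribed by hand with the states renamed A = Node3’, B = Node2’, C = Node2’’; its acceptance set {B, C}, the label convention (what must and must not hold on entering a state), the Kripke structure and its initial state set S0 are inputs constructed for this example.

```python
# Added example (not from the slides): product construction and nested DFS
# for an acceptance cycle, i.e. a word in L(A¬f) ∩ L(K).

# constructed Kripke structure K = <S, R, L> with an explicit initial set S0
KRIPKE = {
    'S': ['s0', 's1', 's2', 's3'],
    'S0': ['s0'],
    'R': {('s0', 's1'), ('s1', 's0'), ('s1', 's2'), ('s2', 's3'), ('s3', 's3')},
    'L': {'s0': {'p'}, 's1': {'p'}, 's2': {'q'}, 's3': set()},
}

# Büchi automaton for ¬f = p U q, transcribed from the tableau result.
# A state's label is (must hold, must not hold): the letter read when
# entering the state has to agree with those literals; C carries {} = true.
BUCHI = {
    'initial': ['A', 'B'],
    'delta': {('A', 'A'), ('A', 'B'), ('B', 'C'), ('C', 'C')},
    'label': {'A': ({'p'}, set()), 'B': ({'q'}, set()), 'C': (set(), set())},
    'accepting': {'B', 'C'},
}

def compatible(aut, a, props):
    must, must_not = aut['label'][a]
    return must <= props and not (must_not & props)

def product_successors(k, aut, state):
    """Synchronous step: K moves along R, the automaton along delta, labels agree."""
    s, a = state
    return sorted((t, b) for (u, t) in k['R'] if u == s
                  for (c, b) in aut['delta'] if c == a and compatible(aut, b, k['L'][t]))

def accepting_cycle(k, aut):
    """Nested DFS over A¬f x K; returns (prefix, cycle) of Kripke states, or None."""
    initial = [(s, a) for s in k['S0'] for a in aut['initial'] if compatible(aut, a, k['L'][s])]
    seen_outer, seen_inner = set(), set()

    def inner(start, v, cycle):                  # looks for a path from v back to start
        cycle.append(v)
        for w in product_successors(k, aut, v):
            if w == start:
                return cycle
            if w not in seen_inner:
                seen_inner.add(w)
                found = inner(start, w, cycle)
                if found:
                    return found
        cycle.pop()
        return None

    def outer(v, path):                          # post-order: the inner search starts on backtrack
        seen_outer.add(v)
        path.append(v)
        for w in product_successors(k, aut, v):
            if w not in seen_outer:
                found = outer(w, path)
                if found:
                    return found
        if v[1] in aut['accepting']:
            seen_inner.add(v)
            cycle = inner(v, v, [])
            if cycle:
                return [s for s, _ in path[:-1]], [s for s, _ in cycle]
        path.pop()
        return None

    for v in initial:
        if v not in seen_outer:
            found = outer(v, [])
            if found:
                return found
    return None

if __name__ == '__main__':
    # K has the execution s0 s1 s2 s3 s3 ..., on which p U q holds, so the
    # property f = ¬(p U q) is violated and the lasso is the counterexample
    print(accepting_cycle(KRIPKE, BUCHI))        # (['s0', 's1', 's2'], ['s3'])
```

The inner search is started only when the outer search backtracks from an accepting product state, and its visited set is shared between all inner searches; both are what make the nested DFS linear in the size of the product. A Kripke structure in which q never becomes true, or in which p holds forever, produces no accepting cycle, because the only reachable product states stay in the non-accepting state A.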