Flavio Lerda 1 LTL Model Checking Flavio Lerda

2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking –Model checking of a property expressed as an LTL formula: –Given a model M and an initial state s 0 : M,s 0 ╞ A f

Flavio Lerda 3 LTL Model Checking LTL Formulas Subset of CTL* –Distinct from CTL AFG p  LTL  f  CTL. f ≠ AFG p Contains a single universal quantifier –The path formula f holds for every path Commonly: – A is omitted –G is replaced by  (box or always) –F is replaced by  (diamond or eventually)

Flavio Lerda 4 LTL Model Checking Examples of LTL formulas Always eventually p: –   p –AGF p or AG AF p Always after p eventually q –  ( p  q) –AG (p -> F q) or AG (p -> AF q) Fairness –(   p )   –A ((GF p)   ) Not a CTL formula

Flavio Lerda 5 LTL Model Checking LTL Semantics Derived from the CTL* semantics Given an infinite execution trace  =s 0 s 1 …  ╞ p  p(s 0 )  ╞ ¬   ¬(  ╞  )  ╞  1   2   ╞  1   ╞  2  ╞  1   2   ╞  1   ╞  2  ╞   i  0  i ╞   ╞   i  0  i ╞   ╞  1 U  2  i  0  i ╞  2   0  j  < i  j ╞  1

Flavio Lerda 6 LTL Model Checking Given a model M and an LTL formula  –All traces of M must satisfy  –If a trace of M does not satisfy  Counterexample –  M is the set of traces of M –   is the set of traces that satisfy   M    Equivalently  M   ¬  = 

Flavio Lerda 7 LTL Model Checking Büchi Automata Automaton which accepts infinite traces A Büchi automaton is 4-tuple  S, I, , F  –S is a finite set of states –I  S is a set of initial states –   S  S is a transition relation –F  S is a set of accepting states An infinite sequence of states is accepted iff it contains accepting states infinitely often

Flavio Lerda 8 LTL Model Checking Example S0S0 S1S1 S2S2  1 =S 0 S 1 S 2 S 2 S 2 S 2 …  2 =S 0 S 1 S 2 S 1 S 2 S 1 …  3 =S 0 S 1 S 2 S 1 S 1 S 1 … ACCEPTED REJECTED

Flavio Lerda 9 LTL Model Checking Büchi Automata Büchi automata are non-deterministic: –The next state is not uniquely defined –  is a transition relation not a transition function Deterministic Büchi automata are not equivalent to (non-deterministic) Büchi automata: –Cannot convert any Büchi automaton into a deterministic equivalent one –There exists no optimal and efficient minimization algorithm for non-deterministic automata

Flavio Lerda 10 LTL Model Checking LTL and Büchi Automata LTL formula –Represents a set of infinite traces which satisfy such formula Büchi Automaton –Accepts a set of infinite traces We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

Flavio Lerda 11 LTL Model Checking Labeled Büchi Automata Given a set of atomic proposition P –Define a labeling function : S  2 P –Each state is assigned a set of propositions that must be true –All the other propositions must be false Similar to the labeling for the model M

Flavio Lerda 12 LTL Model Checking Given a model M and an LTL formula  –Build the Buchi automaton B ¬  –Compute product of M and B ¬  Each state of M is labeled with propositions Each state of B ¬  is labeled with propositions Match states with the same labels –The product accepts the traces of M that are also traces of B ¬  (  M   ¬  ) –If the product accepts any sequence We have found a counterexample

Flavio Lerda 13 LTL Model Checking Nested Depth First Search The product is a Büchi automaton How do we find accepted sequences? –Accepted sequences must contain a cycle In order to contain accepting states infinitely often –We are interested only in cycles that contain at least an accepting state –During depth first search start a second search when we are in an accepting states If we can reach the same state again we have a cycle (and a counterexample)

Flavio Lerda 14 LTL Model Checking Example

Flavio Lerda 15 LTL Model Checking Example

Flavio Lerda 16 LTL Model Checking Nested Depth First Search procedure DFS(s) visited = visited  {s} for each successor s’ of s if s’  visited then DFS(s’) if s’ is accepting then DFS2(s’, s’) end if end for end procedure

Flavio Lerda 17 LTL Model Checking Nested Depth First Search procedure DFS2(s, seed) visited2 = visited2  {s} for each successor s’ of s if s’ = seed then return “Cycle Detect”; end if if s’  visited2 then DFS2(s’, seed) end if end for end procedure

Flavio Lerda 18 LTL Model Checking Generating Büchi Automata We need a procedure to generate a Büchi automaton given an LTL formula –Efficiently Formulas are usually small Büchi automaton exponential in the size of the formula The cost of model checking is polynomial to the size of the automaton Non-deterministic Büchi automata are not equivalent to deterministic Büchi automata –Cannot use automata minimization algorithms Finding the minimal automata is NP-complete

Flavio Lerda 19 LTL Model Checking Approach Formula rewriting –Rewrite the formula in negation normal form –Apply rewriting rules Core translation –Turns an LTL formula into a generalized Büchi automaton Degeneralization –Turns a generalized Büchi automaton into a Büchi automaton

Flavio Lerda 20 LTL Model Checking Rewriting Negation normal form –Negation appears only in front of literals –Use the following identities ¬¬  =  ¬G  = F ¬  ¬F  = G ¬  ¬(  U  ) = (¬  ) V (¬  ) ¬(  V  ) = (¬  ) U (¬  ) V (sometimes R) is the Release operator –Dual of Until

Flavio Lerda 21 LTL Model Checking Rewriting Additional rewriting rules: –Reduce the size of the formula –They are not guaranteed to yield smaller automaton –The size of the automaton is exponential in the size of the formula Examples: –(X  ) U (X  )  X (  U  ) –(X  )  (X  )  X (    ) –GF   GF   GF (    )

Flavio Lerda 22 LTL Model Checking Generalized Büchi Automata Büchi automaton with multiple sets of accepting states A generalized Büchi automaton is 4-tuple  S, I, , F  –S is a finite set of states –I  S is a set of initial states –   S  S is a transition relation – F = {F 1, …, F n }  2 S is a set of sets of accepting states An infinite sequence of states is accepted iff it contains infinitely often accepting states from each of the accepting sets as before

Flavio Lerda 23 LTL Model Checking Core Translation Make use of the following recurrence equations: –  U  =   (   X(  U  )) –  V  =   (   X(  V  )) The operator V (release) is the dual of U: –  V   (  U  ) We need V (release) because we want the formula in negation normal form –Negation appears only in front of atomic propositions The core translations only handles , , U, V: –Rewriting of: G  =  U false F  = true U 

Flavio Lerda 24 LTL Model Checking Example F p (T U p) Old:{} New:{T U p} Next:{} Old:{T U p} New:{T} Next:{T U p} Old:{T U p} New:{p} Next:{} Old:{T U p} New:{} Next:{T U p} Old:{T U p} Next:{T U p} Old:{T U p, p} New:{} Next:{} Old:{T U p, p} Next:{} Tp p Old:{} New:{} Next:{} Old:{} Next:{} T U p = p  (T  X(T U p)) 123

Flavio Lerda 25 LTL Model Checking Core Translation Node –Represent a sub-formula –Contain information about the past, the present and the future Conjunction of formulas as sets State –Represents a state in the final automaton –They are the nodes that have fully expanded

Flavio Lerda 26 LTL Model Checking Core Translation Expansion –Select a formula from the New field –If it is a literal, add it to the Old field –Otherwise     (New{  },Next{}) and (New{  },Next{})  U   (New{  },Next{  U  }) and (New{  },Next{})  V   (New{  },Next{  V  }) and (New{ ,  },Next{})  U    (   X(  U  ))  V    (   X(  V  ))

Flavio Lerda 27 LTL Model Checking Core Translation Nodes to states –If a node has no New formulas –Create a new node with all the Next formulas –Create an edge between the two nodes –Check if there is any equivalent state With the same Next field With the same Old field

Flavio Lerda 28 LTL Model Checking Core Translation Accepting states –Generalized Büchi automaton Multiple accepting sets –One for each Until sub-formula (  U  ) –Such that The Old field doesn’t contain  U  or The Old field does contain 

Flavio Lerda 29 LTL Model Checking Degeneralization Turn a generalized Büchi automaton into a Büchi automaton Consider as many copies of the automaton as the number of accepting sets Replace incoming edges from accepting states with edges to the next copy Each cycle must go through every copy Each cycle must contains accepting states from each accepting set

Flavio Lerda 30 LTL Model Checking Example T ab T ab T 1 1,2 2 F a  F b

Flavio Lerda 31 LTL Model Checking Example T ab T a T T ab T b T

Flavio Lerda 32 LTL Model Checking Example T ab T a T T ab T b T

Flavio Lerda 33 LTL Model Checking Example T ab T a T T ab T

Flavio Lerda 34 LTL Model Checking Example T ab T a T T

Flavio Lerda 35 LTL Model Checking Example T ab T a T T

Flavio Lerda 36 LTL Model Checking Optimizations Can be done at each stage Try to minimize –The number of states and transitions –The number of accepting states Involve –Strongly connected components –Fair (bi)simulation Expensive but –The Büchi automaton is usually small –The saving during verification can be very high