Presentation is loading. Please wait.

Presentation is loading. Please wait.

LTL – model checking Jonas Kongslund Peter Mechlenborg Christian Plesner Kristian Støvring Sørensen.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "LTL – model checking Jonas Kongslund Peter Mechlenborg Christian Plesner Kristian Støvring Sørensen."— Presentation transcript:

1 LTL – model checking Jonas Kongslund Peter Mechlenborg Christian Plesner Kristian Støvring Sørensen

2 Overview System Model Büchi automaton (A sys ) Negation of property PLTL-formula (  ) Normal-form formula Graph Generalised Büchi automaton Büchi automaton (A  ) Product automaton (A sys  A  ) State space Checking emptiness Yes!No! Model checker

3 Büchi Automata Def.: Labelled Büchi Automaton

4 Büchi Automata 2 Def.: Run of a LBA

5 Büchi Automata 3 Example: Σ={a,b,c,d,e} {a,d}{b} {c} (a|d)(bc + ) ω

6 Büchi Automata 4 For each PLTL formula φ one can construct an LBA A φ s.t. L ω (A φ ) is the sequences of sets of atomic propositions that satisfy φ. Let Σ=2 AP where AP is the set of atomic propositions.

7 Büchi Automata 5 Def.: Generalised LBA

8 Getting Normal Eliminate F and G operators Make negations adjacent to atomic propositions Example: LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty?

9 Past operators do not add any expressive power to LTL Why are they useful? Past operators are not easy expressed with future operators Getting Normal 2 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty?

10 Past operators does not add any expressive power to LTL Why are they useful? Past operators are not easy to translate to normal form Possible exponential blowup Getting Normal 3 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty?

11 Normal Form → GLBA LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? Overall idea: A node in the graph represents a state, an edge represent a step forward in time. Each node contains formulas that must be true at this time; view these formulas as proof obligations: Atomic propositions: check for contradictions Conjunctions: check both clauses Disjunctions: split into two nodes and allow a nondeterministic choice Next: Push proof obligation to the successors Until and its evil twin: unfold recursively on demand

12 Accept states 1 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? Definition of strict p U q: Sooner or later, q must happen! {{q}, {p, q}}Ø {{p}, {p, q}} (Remember, every run is accepted, since the set of accept sets is empty)

13 Accept states 2 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? Definition of strict p U q: Sooner or later, q must happen! {{q}, {p, q}}Ø {{p}, {p, q}} Problem: The automaton accepts p ω !

14 Accept states 3 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? Definition of strict p U q: Sooner or later, q must happen! {{q}, {p, q}}Ø {{p}, {p, q}} Solution: Insert accept states to break the cycle (not needed for U).

15 Un-generalizing GLBAs 1 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? The generated automaton may have more than one set of accept states (one for each ‘until’ in the original formula):

16 Un-generalizing GLBAs 2 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? Duplicate automaton. When leaving an accept state, jump to next automaton. Keep only one set of accept states.

17 Un-generalizing GLBAs 3 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? Duplicate automaton. When leaving an accept state, jump to next automaton. Keep only one set of accept states.

18 Un-generalizing GLBAs 4 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? Duplicate automaton. When leaving an accept state, jump to next automaton. Keep only one set of accept states.

19 Un-generalizing GLBAs 5 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? Duplicate automaton. When leaving an accept state, jump to next automaton. Keep only one set of accept states.

20 Combining the two LBAs 1 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? Wanted: an automaton accepting the intersection of the two languages: x

21 Combining the two LBAs 2 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? By the ordinary DFA product construction: Problem: Requires accept states to be visited at the same time.

22 Combining the two LBAs 3 LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? Solution: Use a GLBA with two accept sets, then reduce to an LBA.

23 The emptiness problem LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty? How do we do it? Find an appropriate cycle in the LBA – if no such cycle exists, the language is empty. Why does this work? Theorem 17. Seriously, why? In order for the language to be non-empty, there must be an infinite run of the automaton that visits an accept state infinitely often. This means that there has to be a reachable cycle containing an accept state.

24 Overview System Model Büchi automaton (A sys ) Negation of property PLTL-formula (  ) Normal-form formula Graph Generalised Büchi automaton Büchi automaton (A  ) Product automaton (A sys  A  ) State space Checking emptiness Yes!No! Model checker

25 The state space Example int i; proctype P1(){ do ::true -> atomic(if::(i i=i+1 fi) od } proctype P2(){ do ::true -> atomic(if::(i!=2) -> i=2 ::else -> i=0 fi) od } init{i=0; run(P1); run(P2);}

26 The state space 2 A state –all global vars. –local vars. and program counter in all processes State space: all possible simulations from the initial state State space must be finite

27 The state space 3 i=0 i=1i=2 P1 and P2 enabled P2 enabled

28 Convert states to proposition tables –Get all propositions from the LTL expression –In each state Change the lable to the set of all satisfied propositions State space → LBA

29 Propositions: p:= (i <= 0) q:= (i == 1) r:= (i >= 2) State space → LBA 2 i=0 i=1i=2 p q r

30 State space → LBA 3 Make all paths infinite Make all states accepting –Product is now normal DFA product

31 The rest Is in chapter 5

32 References G. J. Holzmann: An improved protocol reachability analysis technique. O. Lichtenstein, A. Pnueli: The glory of the past. R. Gerth et al.: Simple on-the-fly automatic verification of linear temporal logic. K. Etessami, G. J. Holzmann: Optimizing Büchi automata. A. M. Mikkelsen: On-the-fly model checking in Design/CPN. G. J. Holzmann: The model checker SPIN.

33 Exercises Exercises 8, 9, 10 (s 3 should be s 2 ), 12 Derive the semantics of U from the semantics of U, and give an intuitive explanation.

Download ppt "LTL – model checking Jonas Kongslund Peter Mechlenborg Christian Plesner Kristian Støvring Sørensen."

Similar presentations

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
Translating from logic to automata Book: Chapter 6.

Translating from logic to automata Book: Chapter 6.
Model Checking and Testing combined

Model Checking and Testing combined
Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)

Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 

Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.

1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.
1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.

Similar presentations

Ads by Google