Presentation is loading. Please wait.

Presentation is loading. Please wait.

Flavio Lerda 1 LTL Model Checking Flavio Lerda. 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Flavio Lerda 1 LTL Model Checking Flavio Lerda. 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking."— Presentation transcript:

1 Flavio Lerda 1 LTL Model Checking Flavio Lerda

2 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking –Model checking of a property expressed as an LTL formula: –Given a model M and an initial state s 0 : M,s 0 ╞ A f

3 Flavio Lerda 3 LTL Model Checking LTL Formulas Subset of CTL* –Distinct from CTL AFG p  LTL  f  CTL. f ≠ AFG p Contains a single universal quantifier –The path formula f holds for every path Commonly: – A is omitted –G is replaced by  (box or always) –F is replaced by  (diamond or eventually)

4 Flavio Lerda 4 LTL Model Checking Examples of LTL formulas Always eventually p: –   p –AGF p or AG AF p Always after p eventually q –  ( p  q) –AG (p -> F q) or AG (p -> AF q) Fairness –(   p )   –A ((GF p)   ) Not a CTL formula

5 Flavio Lerda 5 LTL Model Checking LTL Semantics Derived from the CTL* semantics Given an infinite execution trace  =s 0 s 1 …  ╞ p  p(s 0 )  ╞ ¬   ¬(  ╞  )  ╞  1   2   ╞  1   ╞  2  ╞  1   2   ╞  1   ╞  2  ╞   i  0  i ╞   ╞   i  0  i ╞   ╞  1 U  2  i  0  i ╞  2   0  j  < i  j ╞  1

6 Flavio Lerda 6 LTL Model Checking Given a model M and an LTL formula  –All traces of M must satisfy  –If a trace of M does not satisfy  Counterexample –  M is the set of traces of M –   is the set of traces that satisfy   M    Equivalently  M   ¬  = 

7 Flavio Lerda 7 LTL Model Checking Büchi Automata Automaton which accepts infinite traces A Büchi automaton is 4-tuple  S, I, , F  –S is a finite set of states –I  S is a set of initial states –   S  S is a transition relation –F  S is a set of accepting states An infinite sequence of states is accepted iff it contains accepting states infinitely often

8 Flavio Lerda 8 LTL Model Checking Example S0S0 S1S1 S2S2  1 =S 0 S 1 S 2 S 2 S 2 S 2 …  2 =S 0 S 1 S 2 S 1 S 2 S 1 …  3 =S 0 S 1 S 2 S 1 S 1 S 1 … ACCEPTED REJECTED

9 Flavio Lerda 9 LTL Model Checking Büchi Automata Büchi automata are non-deterministic: –The next state is not uniquely defined –  is a transition relation not a transition function Deterministic Büchi automata are not equivalent to (non-deterministic) Büchi automata: –Cannot convert any Büchi automaton into a deterministic equivalent one –There exists no optimal and efficient minimization algorithm for non-deterministic automata

10 Flavio Lerda 10 LTL Model Checking LTL and Büchi Automata LTL formula –Represents a set of infinite traces which satisfy such formula Büchi Automaton –Accepts a set of infinite traces We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

11 Flavio Lerda 11 LTL Model Checking Labeled Büchi Automata Given a set of atomic proposition P –Define a labeling function : S  2 P –Each state is assigned a set of propositions that must be true –All the other propositions must be false Similar to the labeling for the model M

12 Flavio Lerda 12 LTL Model Checking Given a model M and an LTL formula  –Build the Buchi automaton B ¬  –Compute product of M and B ¬  Each state of M is labeled with propositions Each state of B ¬  is labeled with propositions Match states with the same labels –The product accepts the traces of M that are also traces of B ¬  (  M   ¬  ) –If the product accepts any sequence We have found a counterexample

13 Flavio Lerda 13 LTL Model Checking Nested Depth First Search The product is a Büchi automaton How do we find accepted sequences? –Accepted sequences must contain a cycle In order to contain accepting states infinitely often –We are interested only in cycles that contain at least an accepting state –During depth first search start a second search when we are in an accepting states If we can reach the same state again we have a cycle (and a counterexample)

14 Flavio Lerda 14 LTL Model Checking Example

15 Flavio Lerda 15 LTL Model Checking Example

16 Flavio Lerda 16 LTL Model Checking Nested Depth First Search procedure DFS(s) visited = visited  {s} for each successor s’ of s if s’  visited then DFS(s’) if s’ is accepting then DFS2(s’, s’) end if end for end procedure

17 Flavio Lerda 17 LTL Model Checking Nested Depth First Search procedure DFS2(s, seed) visited2 = visited2  {s} for each successor s’ of s if s’ = seed then return “Cycle Detect”; end if if s’  visited2 then DFS2(s’, seed) end if end for end procedure

18 Flavio Lerda 18 LTL Model Checking Generating Büchi Automata We need a procedure to generate a Büchi automaton given an LTL formula –Efficiently Formulas are usually small Büchi automaton exponential in the size of the formula The cost of model checking is polynomial to the size of the automaton Non-deterministic Büchi automata are not equivalent to deterministic Büchi automata –Cannot use automata minimization algorithms Finding the minimal automata is NP-complete

19 Flavio Lerda 19 LTL Model Checking Approach Formula rewriting –Rewrite the formula in negation normal form –Apply rewriting rules Core translation –Turns an LTL formula into a generalized Büchi automaton Degeneralization –Turns a generalized Büchi automaton into a Büchi automaton

20 Flavio Lerda 20 LTL Model Checking Rewriting Negation normal form –Negation appears only in front of literals –Use the following identities ¬¬  =  ¬G  = F ¬  ¬F  = G ¬  ¬(  U  ) = (¬  ) V (¬  ) ¬(  V  ) = (¬  ) U (¬  ) V (sometimes R) is the Release operator –Dual of Until

21 Flavio Lerda 21 LTL Model Checking Rewriting Additional rewriting rules: –Reduce the size of the formula –They are not guaranteed to yield smaller automaton –The size of the automaton is exponential in the size of the formula Examples: –(X  ) U (X  )  X (  U  ) –(X  )  (X  )  X (    ) –GF   GF   GF (    )

22 Flavio Lerda 22 LTL Model Checking Generalized Büchi Automata Büchi automaton with multiple sets of accepting states A generalized Büchi automaton is 4-tuple  S, I, , F  –S is a finite set of states –I  S is a set of initial states –   S  S is a transition relation – F = {F 1, …, F n }  2 S is a set of sets of accepting states An infinite sequence of states is accepted iff it contains infinitely often accepting states from each of the accepting sets as before

23 Flavio Lerda 23 LTL Model Checking Core Translation Make use of the following recurrence equations: –  U  =   (   X(  U  )) –  V  =   (   X(  V  )) The operator V (release) is the dual of U: –  V   (  U  ) We need V (release) because we want the formula in negation normal form –Negation appears only in front of atomic propositions The core translations only handles , , U, V: –Rewriting of: G  =  U false F  = true U 

24 Flavio Lerda 24 LTL Model Checking Example F p (T U p) Old:{} New:{T U p} Next:{} Old:{T U p} New:{T} Next:{T U p} Old:{T U p} New:{p} Next:{} Old:{T U p} New:{} Next:{T U p} Old:{T U p} Next:{T U p} Old:{T U p, p} New:{} Next:{} Old:{T U p, p} Next:{} Tp p Old:{} New:{} Next:{} Old:{} Next:{} T U p = p  (T  X(T U p)) 123

25 Flavio Lerda 25 LTL Model Checking Core Translation Node –Represent a sub-formula –Contain information about the past, the present and the future Conjunction of formulas as sets State –Represents a state in the final automaton –They are the nodes that have fully expanded

26 Flavio Lerda 26 LTL Model Checking Core Translation Expansion –Select a formula from the New field –If it is a literal, add it to the Old field –Otherwise     (New{  },Next{}) and (New{  },Next{})  U   (New{  },Next{  U  }) and (New{  },Next{})  V   (New{  },Next{  V  }) and (New{ ,  },Next{})  U    (   X(  U  ))  V    (   X(  V  ))

27 Flavio Lerda 27 LTL Model Checking Core Translation Nodes to states –If a node has no New formulas –Create a new node with all the Next formulas –Create an edge between the two nodes –Check if there is any equivalent state With the same Next field With the same Old field

28 Flavio Lerda 28 LTL Model Checking Core Translation Accepting states –Generalized Büchi automaton Multiple accepting sets –One for each Until sub-formula (  U  ) –Such that The Old field doesn’t contain  U  or The Old field does contain 

29 Flavio Lerda 29 LTL Model Checking Degeneralization Turn a generalized Büchi automaton into a Büchi automaton Consider as many copies of the automaton as the number of accepting sets Replace incoming edges from accepting states with edges to the next copy Each cycle must go through every copy Each cycle must contains accepting states from each accepting set

30 Flavio Lerda 30 LTL Model Checking Example T ab T ab T 1 1,2 2 F a  F b

31 Flavio Lerda 31 LTL Model Checking Example T ab T a T T ab T b T

32 Flavio Lerda 32 LTL Model Checking Example T ab T a T T ab T b T

33 Flavio Lerda 33 LTL Model Checking Example T ab T a T T ab T

34 Flavio Lerda 34 LTL Model Checking Example T ab T a T T

35 Flavio Lerda 35 LTL Model Checking Example T ab T a T T

36 Flavio Lerda 36 LTL Model Checking Optimizations Can be done at each stage Try to minimize –The number of states and transitions –The number of accepting states Involve –Strongly connected components –Fair (bi)simulation Expensive but –The Büchi automaton is usually small –The saving during verification can be very high

Download ppt "Flavio Lerda 1 LTL Model Checking Flavio Lerda. 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking."

Similar presentations

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Translating from logic to automata Book: Chapter 6.

Translating from logic to automata Book: Chapter 6.
Model Checking and Testing combined

Model Checking and Testing combined
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
1 Generalized Buchi automaton. 2 Reminder: Buchi automata A=  Alphabet (finite). S: States (finite).  : S x  x S ) S is the transition relation. I.

1 Generalized Buchi automaton. 2 Reminder: Buchi automata A=  Alphabet (finite). S: States (finite).  : S x  x S ) S is the transition relation. I.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
1 Introduction to Computability Theory Lecture3: Regular Expressions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture3: Regular Expressions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.

Similar presentations

Ads by Google