LTL Model Checking, 张文辉 (Zhang Wenhui, zwh)

Post on 18-Jan-2016


LTL Model Checking

张文辉, http://lcs.ios.ac.cn/~zwh

LTL Model Checking

Transition system  →  Kripke structure  →  ω-automaton
LTL  →  PLTL  →  ω-automaton
M ⊨ φ   iff   L(A_M) ⊆ L(A_φ)

LTL Model Checking

L(A_M) ⊆ L(A_φ)
iff  L(A_M) ∩ (Σ^ω \ L(A_φ)) = ∅
iff  L(A_M) ∩ L(A_¬φ) = ∅
iff  L(A_M ⊗ A_¬φ) = ∅          (checked by double DFS, i.e. nested depth-first search)

Kripke Structure

Kripke Structures

Definition. A Kripke structure is a triple <S, R, I>
– S : a finite set of states
– R ⊆ S × S : a total transition relation
– I ⊆ S : a set of initial states

The set of successors of s is denoted R(s).
R is total iff R(s) ≠ ∅ for all s ∈ S.

Example:

[figure: a Kripke structure with four states s0, s1, s2, s3]

Computation

Given a Kripke structure K = <S, R, I>.
Notation: s → s' means sRs', i.e. (s, s') ∈ R.

Definition. A computation of K is an infinite sequence s0 s1 s2 … of states in S
such that s0 ∈ I and s_i → s_{i+1} for all i ≥ 0.

Path

Definition. An infinite path is an infinite sequence s0 s1 s2 … of states in S
such that s_i → s_{i+1} for all i ≥ 0.

Definition. A finite path is a finite prefix s0 … sn of an infinite path.

Labeled Kripke Structures

AP: a set of propositions.

Definition. A (labeled) Kripke structure is a quadruple <S, R, I, L>
– S : a finite set of states
– R ⊆ S × S : a total transition relation
– I ⊆ S : a set of initial states
– L : S → 2^AP : a labeling function

Example:

[figure: the Kripke structure above, with states s0..s3 labeled from {{}, {q}, {p,q}, {p}}]

Example

Two processes S and T share the variables x, y, t (this is Peterson's mutual exclusion algorithm). The figure survives only as its labels; the local transitions it shows are:

Process T (local states t0, t1, t2, t3):
  t0 → t1 : x=1, t=0
  t1 → t2 : only when y==0 || t==1   (t2 is the critical section)
  t2 → t3 : x=0
  t3 → t0 closes the loop; no variable is changed

Process S (local states s0, s1, s2, s3):
  s0 → s1 : y=1, t=1
  s1 → s2 : only when x==0 || t==0   (s2 is the critical section)
  s2 → s3 : y=0
  s3 → s0 closes the loop; no variable is changed

Initial States

(s0, t0) with x=0, y=0, t=0, written (s0,t0,0,0,0).

Global states are written (s, t, x, y, t). The reachable states shown on the slide are:
(s0,t0,0,0,0), (s0,t1,1,0,0), (s1,t0,0,1,1), (s2,t0,0,1,1), (s3,t0,0,0,1),
(s1,t1,1,1,0), (s0,t2,1,0,0), (s0,t3,0,0,0), (s1,t1,1,1,1), (s2,t1,1,1,0),
(s1,t2,1,1,1), (s3,t1,1,0,0), (s1,t3,0,1,1), (s3,t2,1,0,0), (s3,t3,0,0,0),
(s2,t3,0,1,1), (s3,t3,0,0,1), …

Proposition Symbols

Let AP be the set of proposition symbols{p0,p1,…,p13} with the following meaning:

Labeling Function

L(s0,t0,0,0,0) = {p6, p10, p0, p2, p4}
L(s0,t0,0,0,1) = {p6, p10, p0, p2, p5}
…

ω-Automata

Büchi Automata

Definition. A Büchi automaton (BA) is a quintuple <Σ, S, δ, I, F>
– Σ : a finite set of symbols (the alphabet)
– S : a finite set of states
– δ ⊆ S × Σ × S : a transition relation
– I ⊆ S : a set of initial states
– F ⊆ S : a set of acceptance states

Example:

[figure: a Büchi automaton with states s0, s1, s2, s3 and transitions labeled a, b, c]

Runs

Given a BA A = <Σ, S, δ, I, F>.
Notation: s –a→ s' means (s, a, s') ∈ δ.

Definition. Let w ∈ Σ^ω. A run of A on w is an infinite sequence s0 s1 s2 … of states in S
such that s0 ∈ I and (s_i, w[i], s_{i+1}) ∈ δ for all i ≥ 0.

Words over a Run

Definition. A word over a run r of A is an infinite sequence a0 a1 a2 … over Σ
such that r is a run of A on a0 a1 a2 ….

Accepting Runs

Let inf(ρ) be the set of states that appear infinitely many times on ρ.

Definition. An accepting run of A is a run ρ of A such that inf(ρ) ∩ F ≠ ∅.

Accepting Words

Definition. An accepting word of A is a word over some accepting run of A.

Language

Definition. The language of A is the set of accepting words of A.

The language of A is denoted L(A).

Union

Given two BAs A1 = <Σ, S1, δ1, I1, F1>, A2 = <Σ, S2, δ2, I2, F2>.
Suppose that S1 and S2 are disjoint.

Define A1 ∪ A2 = <Σ, S, δ, I, F> where
S = S1 ∪ S2
δ = δ1 ∪ δ2
I = I1 ∪ I2
F = F1 ∪ F2

Union

Theorem. L(A1 ∪ A2) = L(A1) ∪ L(A2)

Intersection

Given BAs A1 = <Σ, S1, δ1, I1, F1>, A2 = <Σ, S2, δ2, I2, F2>.

Define A1 ∩ A2 = <Σ, S, δ, I, F> where
S = S1 × S2 × {0, 1, 2}
δ = (defined on the next slide)
I = I1 × I2 × {0}
F = S1 × S2 × {2}

Intersection

δ = { ((s1,s2,i), a, (s1',s2',i)) | i ∈ {0,1}, (s1,a,s1') ∈ δ1, (s2,a,s2') ∈ δ2 }
  ∪ { ((s1,s2,0), a, (s1',s2',1)) | (s1,a,s1') ∈ δ1, (s2,a,s2') ∈ δ2, s1 ∈ F1 }
  ∪ { ((s1,s2,1), a, (s1',s2',2)) | (s1,a,s1') ∈ δ1, (s2,a,s2') ∈ δ2, s2 ∈ F2 }
  ∪ { ((s1,s2,2), a, (s1',s2',0)) | (s1,a,s1') ∈ δ1, (s2,a,s2') ∈ δ2 }

The third component is a counter: it may move from 0 to 1 only when leaving an F1 state, from 1 to 2 only when leaving an F2 state, and it returns from 2 to 0. A run visits counter value 2 infinitely often iff it visits both F1 and F2 infinitely often.

Intersection

Theorem. L(A1 ∩ A2) = L(A1) ∩ L(A2)

Complementation

The set of BAs is closed under complementation.

Given A = <Σ, S, δ, I, F>, there exists a BA B such that L(B) = Σ^ω \ L(A).

Generalized Buchi Automaton

Definition. A GBA is a quintuple <Σ, S, δ, I, F>
– Σ : a finite set of symbols
– S : a finite set of states
– δ ⊆ S × Σ × S : a transition relation
– I ⊆ S : a set of initial states
– F ⊆ 2^S : a set of sets of acceptance states

Accepting Run

Definition. An accepting run of A is a run ρ of A such that inf(ρ) ∩ f ≠ ∅ for each f ∈ F.

Union

Given two GBAs A1 = <Σ, S1, δ1, I1, F1>, A2 = <Σ, S2, δ2, I2, F2>.
Suppose that S1 and S2 are disjoint.

Define A1 ∪ A2 = <Σ, S, δ, I, F> where
S = S1 ∪ S2
δ = δ1 ∪ δ2
I = I1 ∪ I2
F = { f ∪ S2 | f ∈ F1 } ∪ { f ∪ S1 | f ∈ F2 }

(Each acceptance set of A1 is padded with all of S2, and vice versa, so that it imposes no constraint on runs that stay inside the other automaton.)

Union

Theorem. L(A1 ∪ A2) = L(A1) ∪ L(A2)

Intersection

Given two GBAs A1 = <Σ, S1, δ1, I1, F1>, A2 = <Σ, S2, δ2, I2, F2>.

Define A1 ∩ A2 = <Σ, S, δ, I, F> where
S = S1 × S2
δ = { ((s1,s2), a, (s1',s2')) | (s1,a,s1') ∈ δ1, (s2,a,s2') ∈ δ2 }
I = I1 × I2
F = { f × S2 | f ∈ F1 } ∪ { S1 × f | f ∈ F2 }

Intersection

Theorem. L(A1 ∩ A2) = L(A1) ∩ L(A2)

Complementation

The set of GBAs is closed under complementation.

Expressiveness of GBAs

Theorem. Every language expressible by a BA is also expressible by a GBA.

Proof. Given a BA A = <Σ, S, δ, I, F>, the GBA B = <Σ, S, δ, I, {F}> satisfies L(B) = L(A).

Expressiveness of GBAs

Theorem. Every language expressible by a GBA is also expressible by a BA.

Proof. Given a GBA A = <Σ, S, δ, I, {f1, …, fn}>,
we can construct a BA B = <Σ, S', δ', I', F'> such that L(B) = L(A).

GBA → BA

BA B = <Σ, S', δ', I', F'>
S' = S × {0, 1, 2, …, n}
δ' = (defined on the next slide)
I' = I × {0}
F' = S × {n}

GBA → BA

δ' = { ((s,i), a, (s',i)) | i ∈ {0,1,…,n-1}, (s,a,s') ∈ δ }
   ∪ { ((s,i), a, (s',i+1)) | i ∈ {0,1,…,n-1}, (s,a,s') ∈ δ, s ∈ f_{i+1} }
   ∪ { ((s,n), a, (s',0)) | (s,a,s') ∈ δ }

The counter can advance from i to i+1 only while leaving a state of f_{i+1}, and it is reset from n to 0, so a run of B reaches counter value n infinitely often iff the underlying run of A visits every f_i infinitely often.

Kripke Structure → ω-Automata

Kripke Structure → ω-Automata

Computations             ↔  Accepting runs
Labels on computations   ↔  Accepting words

Kripke Structure → ω-Automata

AP: a set of propositions.  K = <S, R, I, L>

A = <Σ, S, δ, I, F> with
Σ = 2^AP
δ = { (s, a, s') | (s, s') ∈ R, a = L(s) }
F = S
(S and I are those of K; every transition out of s carries the label of s.)

Kripke Structure → ω-Automata

Theorem. Write L(r) = L(s0) L(s1) L(s2) … for a computation r = s0 s1 s2 ….
If r is a computation of K, then L(r) is an accepting word of A.
If w is an accepting word of A, then there is a computation r of K such that L(r) = w.

Example:

[figure: the labeled Kripke structure from before (states s0..s3 labeled {}, {q}, {p,q}, {p}) and the Büchi automaton built from it, in which each transition out of a state carries that state's label]
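Added example (Python; not the slides' code): it builds the Kripke structure of the mutual exclusion example above by exhaustive exploration and converts it into A_M exactly as this slide defines it (Σ = 2^AP, δ = {(s, L(s), s')}, F = S). Assumptions of the example: the return edges s3 → s0 and t3 → t0 change no variable, and AP = {tryS, critS, tryT, critT} is this example's own choice in place of the slides' p0..p13.

```python
"""Kripke structure of the two-process mutual exclusion example, built by exhaustive
exploration, then converted to the Buchi automaton A_M of the
'Kripke Structure -> omega-Automata' slide (Sigma = 2^AP, delta = {(s, L(s), s')}, F = S).
Added example, not the slides' code.  Assumed: s3 -> s0 and t3 -> t0 change no variable;
AP = {tryS, critS, tryT, critT} is this example's own choice."""
from collections import deque

# A global state is (s, t, x, y, turn): local states of S and T, then the shared variables.
INITIAL = (0, 0, 0, 0, 0)


def moves_S(st):
    """Successors produced by process S alone."""
    s, t, x, y, turn = st
    if s == 0:
        return [(1, t, x, 1, 1)]                                  # y=1, t=1
    if s == 1:
        return [(2, t, x, y, turn)] if (x == 0 or turn == 0) else []   # wait x==0||t==0
    if s == 2:
        return [(3, t, x, 0, turn)]                               # y=0, leave critical section
    return [(0, t, x, y, turn)]                                   # s3 -> s0 (assumed silent)


def moves_T(st):
    """Successors produced by process T alone."""
    s, t, x, y, turn = st
    if t == 0:
        return [(s, 1, 1, y, 0)]                                  # x=1, t=0
    if t == 1:
        return [(s, 2, x, y, turn)] if (y == 0 or turn == 1) else []   # wait y==0||t==1
    if t == 2:
        return [(s, 3, 0, y, turn)]                               # x=0, leave critical section
    return [(s, 0, x, y, turn)]                                   # t3 -> t0 (assumed silent)


def label(st):
    """L : S -> 2^AP.  AP is the example's own choice, not the slides' p0..p13."""
    s, t = st[0], st[1]
    flags = (('tryS', s == 1), ('critS', s == 2), ('tryT', t == 1), ('critT', t == 2))
    return frozenset(p for p, on in flags if on)


def kripke_structure(init=INITIAL):
    """Returns (S, R, I, L) over the reachable global states."""
    states, R = {init}, set()
    work = deque([init])
    while work:
        st = work.popleft()
        succ = moves_S(st) + moves_T(st) or [st]   # a self-loop keeps R total if nothing can move
        for nxt in succ:
            R.add((st, nxt))
            if nxt not in states:
                states.add(nxt)
                work.append(nxt)
    return states, R, {init}, {st: label(st) for st in states}


def to_buchi(K):
    """A_M = <2^AP, S, delta, I, F = S>: the letter on transition (s, s') is L(s)."""
    S, R, I, L = K
    return S, {(s, L[s], t) for (s, t) in R}, I, S


def mutual_exclusion_holds(K):
    """G not(critS and critT) is a safety property, so it is an invariant of the labels."""
    return not any({'critS', 'critT'} <= lab for lab in K[3].values())


if __name__ == "__main__":
    K = kripke_structure()
    print(len(K[0]), "states,", len(K[1]), "transitions, mutual exclusion:", mutual_exclusion_holds(K))
```

The exploration reproduces the states listed on the slide (for instance (s1,t1,1,1,0) and (s2,t0,0,1,1)) plus the two that the transcript lost, 20 in all. Mutual exclusion is a safety property and can be decided on the labels alone; A_M is what the product with A_¬φ needs once φ contains liveness, e.g. G(tryS → F critS).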

PLTL → ω-Automata

Example:  G p,   p U q,   p U (q U r)

PLTL → ω-Automata

Only consider NNF formulas with literals, disjunction, conjunction, X, U, R:

φ ::= p | ¬p | φ ∧ φ | φ ∨ φ | X φ | φ R φ | φ U φ

PLTL → ω-Automata

Let φ be a PLTL formula over AP.
Construct a GBA A = <Σ, S, δ, I, F> such that, for every σ ∈ Σ^ω, σ ⊨ φ iff σ ∈ L(A).

(1) Σ = 2^AP
(2) S, I, δ, F = ?  (built by the node expansion on the following slides)

PLTL → ω-Automata

A node is s = [a; b; c; d]: a the incoming nodes (or init), b the formulas still to process (New), c the processed formulas (Old), d the formulas that must hold in the next state (Next).

Start node: s = [{init}; {φ}; ∅; ∅]

s = [a; ∅; c; d]
New node
s' = [{s}; d; ∅; ∅]

PLTL → ω-Automata

s = [a; {p} ∪ b; c; d] where p is a literal
Replace by
s' = [a; b; {p} ∪ c; d]

PLTL → ω-Automata

s = [a; {φ0 ∨ φ1} ∪ b; c; d]
Replace by the two nodes
s'  = [a; {φ0} ∪ b; {φ0 ∨ φ1} ∪ c; d]
s'' = [a; {φ1} ∪ b; {φ0 ∨ φ1} ∪ c; d]

PLTL → ω-Automata

s = [a; {φ0 ∧ φ1} ∪ b; c; d]
Replace by
s' = [a; {φ0, φ1} ∪ b; {φ0 ∧ φ1} ∪ c; d]

PLTL → ω-Automata

s = [a; {X φ1} ∪ b; c; d]
Replace by
s' = [a; b; {X φ1} ∪ c; {φ1} ∪ d]

PLTL → ω-Automata

s = [a; {φ0 U φ1} ∪ b; c; d]
Replace by
s' = [a; {φ1 ∨ (φ0 ∧ X(φ0 U φ1))} ∪ b; {φ0 U φ1} ∪ c; d]

PLTL → ω-Automata

s = [a; {φ0 R φ1} ∪ b; c; d]
Replace by
s' = [a; {φ1 ∧ (φ0 ∨ X(φ0 R φ1))} ∪ b; {φ0 R φ1} ∪ c; d]

PLTL → ω-Automata

s = [a; ∅; c; d] and s' = [a'; ∅; c; d]  (same Old and same Next)
Replace by the single node
s'' = [a ∪ a'; ∅; c; d]

PLTL → ω-Automata

s = [a; ∅; c; d]
s ∈ I iff init ∈ a

PLTL → ω-Automata

Σ = 2^AP
s = [a; ∅; c; d],  s' = [a'; ∅; c'; d']

Define δ as follows: (s, σ, s') ∈ δ iff s ∈ a' and σ ⊨ every literal in c (the Old set of s).

PLTL → ω-Automata

Let f(φ0 U φ1) = { s | φ0 U φ1 ∉ s.c or φ1 ∈ s.c }
F = { f(φ0 U φ1) | φ0 U φ1 is a sub-formula of φ }

PLTL → ω-Automata

Theorem. Let A = <Σ, S, δ, I, F> be the GBA constructed above. Then, for every σ ∈ Σ^ω, σ ⊨ φ iff σ ∈ L(A).

Example

G p,   p U q,   p U (q U r)
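Added example (Python; not the slides' code) of the node-expansion procedure on the preceding slides, run on the second example formula p U q. The tuple encoding of formulas, using (Old, Next) as the identity of a node, and discarding a node whose Old set holds both p and ¬p are this example's own choices; the discarded node admits no transition under δ, so dropping it leaves the language unchanged.

```python
"""PLTL (negation normal form) -> generalized Buchi automaton by the node-expansion
procedure of the slides.  Added example; not the slides' code.
A formula is a nested tuple (the example's own encoding):
  ('p', 'q'), ('not', 'q'), ('and', f, g), ('or', f, g), ('X', f), ('U', f, g), ('R', f, g)
A node is [incoming; new; old; next]; nodes are identified by the pair (old, next)."""
from itertools import combinations

INIT = "init"   # marker in Incoming of the start node; s is initial iff INIT is in its Incoming


def negate(lit):
    return ('not', lit[1]) if lit[0] == 'p' else ('p', lit[1])


def expand(incoming, new, old, nxt, nodes):
    """Apply the slides' rewrite rules.  nodes maps (old, next) -> set of predecessor keys."""
    if not new:                                    # New empty: record node, start its successor
        key = (frozenset(old), frozenset(nxt))
        if key in nodes:                           # same Old and Next: merge Incoming sets
            nodes[key] |= set(incoming)
            return
        nodes[key] = set(incoming)
        expand({key}, set(nxt), set(), set(), nodes)      # new node [{s}; d; {}; {}]
        return
    eta = min(new, key=repr)                       # pick a formula from New (any order works)
    new = new - {eta}
    if eta in old:                                 # already processed in this node
        return expand(incoming, new, old, nxt, nodes)
    kind = eta[0]
    if kind in ('p', 'not'):
        if negate(eta) in old:                     # p and not p together: no letter satisfies
            return                                 # the node, so it is dropped (example's choice)
        return expand(incoming, new, old | {eta}, nxt, nodes)
    if kind == 'and':
        return expand(incoming, new | {eta[1], eta[2]}, old | {eta}, nxt, nodes)
    if kind == 'or':                               # split into two nodes
        expand(incoming, new | {eta[1]}, old | {eta}, nxt, nodes)
        expand(incoming, new | {eta[2]}, old | {eta}, nxt, nodes)
        return
    if kind == 'X':
        return expand(incoming, new, old | {eta}, nxt | {eta[1]}, nodes)
    f, g = eta[1], eta[2]
    if kind == 'U':    # f U g  ==  g or (f and X(f U g))
        return expand(incoming, new | {('or', g, ('and', f, ('X', eta)))}, old | {eta}, nxt, nodes)
    if kind == 'R':    # f R g  ==  g and (f or X(f R g))
        return expand(incoming, new | {('and', g, ('or', f, ('X', eta)))}, old | {eta}, nxt, nodes)
    raise ValueError(eta)


def literals_hold(letter, old):
    """letter is the set of propositions true now; every literal in Old must agree with it."""
    return all((f[0] == 'p') == (f[1] in letter) for f in old if f[0] in ('p', 'not'))


def until_subformulas(phi):
    if phi[0] in ('p', 'not'):
        return set()
    found = {phi} if phi[0] == 'U' else set()
    return found.union(*(until_subformulas(sub) for sub in phi[1:]))


def build_gba(phi, ap):
    """Returns (states, sigma, delta, initial, acceptance_sets) for phi over propositions ap."""
    nodes = {}
    expand({INIT}, {phi}, set(), set(), nodes)
    states = list(nodes)
    sigma = [frozenset(c) for k in range(len(ap) + 1) for c in combinations(ap, k)]   # 2^AP
    # (s, sigma, s') in delta iff s in Incoming(s') and sigma satisfies the literals in Old(s)
    delta = {(s, a, t) for t in states for s in nodes[t] if s != INIT
             for a in sigma if literals_hold(a, s[0])}
    initial = {s for s in states if INIT in nodes[s]}
    acceptance = [frozenset(s for s in states if u not in s[0] or u[2] in s[0])
                  for u in until_subformulas(phi)]         # f(f0 U f1) from the slides
    return states, sigma, delta, initial, acceptance


if __name__ == "__main__":
    st, _, d, ini, acc = build_gba(('U', ('p', 'p'), ('p', 'q')), ['p', 'q'])
    print(len(st), "states,", len(ini), "initial,", len(d), "transitions,", len(acc), "acceptance set(s)")
```

For p U q the procedure yields three nodes: one with q in Old (initial), one with p and X(p U q) in Old and p U q in Next (initial, with a self-loop), and the empty node that loops on every letter once q has been seen. The single acceptance set f(p U q) contains the first and the last, so a run that stays in the p-node forever is not accepting.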

LTL Model Checking

M ⊨ φ  iff  L(A_M) ⊆ L(A_φ)
       iff  L(A_M) ∩ (Σ^ω \ L(A_φ)) = ∅
       iff  L(A_M) ∩ L(A_¬φ) = ∅
       iff  L(A_M ⊗ A_¬φ) = ∅          (checked by double DFS)
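Added example (Python; not the slides' code) gathering the three constructions this recap rests on: the counter-based intersection of Büchi automata from the Intersection slides, the GBA → BA construction from the Expressiveness slides, and the double DFS (nested depth-first search) that decides L(A) = ∅. The automata encoding and the sample automata over {a, b} are constructed for this example.

```python
"""Buchi automata as plain data: the 3-counter intersection of the 'Intersection' slides,
the GBA -> BA construction of the 'Expressiveness of GBAs' slides, and the double (nested)
depth-first search that decides L(A) = empty.  Added example; not the slides' code.
A BA is (sigma, states, delta, initial, final) with delta a set of (s, a, t);
a GBA is the same but `final` is a list of state sets.  Encoding is the example's own."""


def intersect_ba(a1, a2):
    """S1 x S2 x {0,1,2}: counter 0->1 leaving an F1 state, 1->2 leaving an F2 state, 2->0 always."""
    sigma, s1, d1, i1, f1 = a1
    _, s2, d2, i2, f2 = a2
    delta = set()
    for (p, a, p2) in d1:
        for (q, b, q2) in d2:
            if a != b:
                continue
            delta.add(((p, q, 0), a, (p2, q2, 0)))
            delta.add(((p, q, 1), a, (p2, q2, 1)))
            delta.add(((p, q, 2), a, (p2, q2, 0)))
            if p in f1:
                delta.add(((p, q, 0), a, (p2, q2, 1)))
            if q in f2:
                delta.add(((p, q, 1), a, (p2, q2, 2)))
    states = {(p, q, i) for p in s1 for q in s2 for i in (0, 1, 2)}
    return (sigma, states, delta,
            {(p, q, 0) for p in i1 for q in i2}, {(p, q, 2) for p in s1 for q in s2})


def degeneralize(gba):
    """S x {0..n}: stay at i, or move i -> i+1 when leaving a state of f_{i+1}; n -> 0 always."""
    sigma, states, delta, initial, fs = gba
    n = len(fs)
    delta2 = set()
    for (s, a, t) in delta:
        for i in range(n):
            delta2.add(((s, i), a, (t, i)))
            if s in fs[i]:                           # fs[i] is f_{i+1} in the slides' numbering
                delta2.add(((s, i), a, (t, i + 1)))
        delta2.add(((s, n), a, (t, 0)))
    return (sigma, {(s, i) for s in states for i in range(n + 1)}, delta2,
            {(s, 0) for s in initial}, {(s, n) for s in states})


def accepting_lasso(ba):
    """Nested DFS: L(ba) is non-empty iff a final state lies on a cycle reachable from I.
    Returns (prefix, cycle) as state lists, or None when the language is empty."""
    _, _, delta, initial, final = ba
    succ = {}
    for (s, _a, t) in delta:
        succ.setdefault(s, []).append(t)
    visited, flagged = set(), set()

    def dfs2(s, seed, path):                         # inner search: a path from s back to seed
        for t in succ.get(s, []):
            if t == seed:
                return path + [t]
            if t not in flagged:
                flagged.add(t)
                found = dfs2(t, seed, path + [t])
                if found:
                    return found
        return None

    def dfs1(s, path):                               # outer search; final states in post-order
        visited.add(s)
        for t in succ.get(s, []):
            if t not in visited:
                found = dfs1(t, path + [t])
                if found:
                    return found
        if s in final:
            cycle = dfs2(s, s, [])
            if cycle:
                return path, cycle
        return None

    for s in initial:
        if s not in visited:
            found = dfs1(s, [s])
            if found:
                return found
    return None


# Constructed sample automata over the alphabet {a, b}.
INF_A = ('ab', {'q0', 'q1'}, {('q0', 'a', 'q1'), ('q1', 'a', 'q1'), ('q0', 'b', 'q0'), ('q1', 'b', 'q0')},
         {'q0'}, {'q1'})                                                   # infinitely many a
INF_B = ('ab', {'q0', 'q1'}, {('q0', 'b', 'q1'), ('q1', 'b', 'q1'), ('q0', 'a', 'q0'), ('q1', 'a', 'q0')},
         {'q0'}, {'q1'})                                                   # infinitely many b
FIN_A = ('ab', {'r0', 'r1'}, {('r0', 'a', 'r0'), ('r0', 'b', 'r0'), ('r0', 'b', 'r1'), ('r1', 'b', 'r1')},
         {'r0'}, {'r1'})                                                   # finitely many a
INF_AB = ('ab', {'qa', 'qb'}, {(s, 'a', 'qa') for s in ('qa', 'qb')} | {(s, 'b', 'qb') for s in ('qa', 'qb')},
          {'qa'}, [{'qa'}, {'qb'}])                                         # GBA: inf. many a and b

if __name__ == "__main__":
    print(accepting_lasso(intersect_ba(INF_A, INF_B)))   # a lasso through a counter-2 state
    print(accepting_lasso(intersect_ba(INF_A, FIN_A)))   # None: the intersection is empty
```

Model checking plugs A_M (the automaton of the Kripke structure) and A_¬φ into `intersect_ba` and calls `accepting_lasso`; a returned (prefix, cycle) is exactly the counterexample computation, and None means M ⊨ φ. The inner search shares its `flagged` set across all seeds, which is what keeps the double DFS linear in the size of the product.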

Emptiness of ω-Automata

On the Fly

Partial Order Reduction

Questions?