LTL – model checking Jonas Kongslund Peter Mechlenborg Christian Plesner Kristian Støvring...
Posted: 22-Dec-2015
LTL – model checking
Jonas Kongslund, Peter Mechlenborg, Christian Plesner, Kristian Støvring Sørensen
Overview
System → Model → State space → Büchi automaton (A_sys)
Property → Negation of property → PLTL formula (¬φ) → Normal-form formula → Graph → Generalised Büchi automaton → Büchi automaton (A_¬φ)
A_sys and A_¬φ → Product automaton (A_sys × A_¬φ) → Checking emptiness → Yes! / No!
Everything from the model and the negated property down to the emptiness check is the model checker.
Büchi Automata
• Def.: Labelled Büchi Automaton (LBA)
  $A = (\Sigma, S, S_0, \Delta, F, l)$, where
  $\Sigma$ is a set of symbols,
  $S$ is a finite set of states,
  $S_0 \subseteq S$ is the set of start states,
  $\Delta : S \to 2^S$ is the transition function,
  $F \subseteq S$ is the set of accept states,
  $l : S \to 2^\Sigma$ is the labelling function.
  An LBA accepts a set of infinite sequences over $\Sigma$.
Büchi Automata 2
• Def.: Run of an LBA
  A run of an LBA $A$ on a word $w = a_0 a_1 a_2 \ldots \in \Sigma^\omega$ is a sequence of states $s_0 s_1 s_2 \ldots$ where $s_0 \in S_0$, $s_{i+1} \in \Delta(s_i)$ and $a_i \in l(s_i)$ for all $i \geq 0$.
  A run is accepting iff at least one accepting state occurs infinitely often in the sequence.
  A word $w$ is accepted by an LBA $A$ iff there exists an accepting run of $A$ on $w$.
  $L_\omega(A) = \{ w \in \Sigma^\omega \mid w \text{ is accepted by } A \}$.
Büchi Automata 3
• Example: Σ={a,b,c,d,e}
  Automaton with three states labelled {a,d}, {b} and {c}; accepted language: (a|d)(bc+)ω.
Büchi Automata 4
• For each PLTL formula φ one can construct an LBA Aφ s.t. Lω(Aφ) is the set of sequences of sets of atomic propositions that satisfy φ.
• Let Σ = 2^AP, where AP is the set of atomic propositions.
Büchi Automata 5
• Def.: Generalised LBA
  As an LBA, except that it has a set of acceptance state sets $\mathcal{F} = \{F_1, \ldots, F_k\}$, $F_i \subseteq S$.
  A run is accepting iff at least one accepting state from each $F_i$ occurs infinitely often in the sequence.
Getting Normal
LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty?
• Eliminate F and G operators
• Make negations adjacent to atomic propositions
• Example (negated property; p = problem, a = alarm, R = the dual of U):
  ¬G(problem → F alarm)
  ≡ ¬G(p → F a)
  ≡ F(p ∧ ¬F a)
  ≡ F(p ∧ ¬(true U a))
  ≡ true U (p ∧ ¬(true U a))
  ≡ true U (p ∧ (false R ¬a))
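The two normalisation steps of this slide carried out mechanically, as an added example (not code from the slides): F and G are eliminated through U and its dual, and negations are pushed down to the atomic propositions. R is the name assumed here for the dual of U; the sample formula is the negated property ¬G(problem → F alarm) as read here, with p for problem and a for alarm.

```python
# Added example (not the slides' code): rewrite an LTL formula into the normal
# form of this slide. Formulas are tuples: ("ap", name), ("true",), ("false",),
# ("not", f), ("and", f, g), ("or", f, g), ("X", f), ("F", f), ("G", f),
# ("U", f, g), ("R", f, g); R (release) is the assumed name for the dual of U.
TRUE, FALSE = ("true",), ("false",)
DUAL = {"and": "or", "or": "and", "U": "R", "R": "U"}

def nnf(f):
    """Eliminate F and G, push every negation down to an atomic proposition."""
    op = f[0]
    if op in ("true", "false", "ap"):
        return f
    if op == "F":                                  # F g == true U g
        return ("U", TRUE, nnf(f[1]))
    if op == "G":                                  # G g == false R g
        return ("R", FALSE, nnf(f[1]))
    if op == "X":
        return ("X", nnf(f[1]))
    if op in DUAL:
        return (op, nnf(f[1]), nnf(f[2]))
    g = f[1]                                       # op == "not"
    if g[0] == "ap":
        return f
    if g[0] == "not":                              # !!g == g
        return nnf(g[1])
    if g[0] in ("true", "false"):
        return FALSE if g[0] == "true" else TRUE
    if g[0] in ("X", "F", "G"):                    # !Xg == X!g, !Fg == G!g, !Gg == F!g
        return nnf(({"X": "X", "F": "G", "G": "F"}[g[0]], ("not", g[1])))
    return (DUAL[g[0]], nnf(("not", g[1])), nnf(("not", g[2])))   # De Morgan, U/R duality

def show(f):
    """Infix rendering, e.g. (true U (p & (false R !a)))."""
    op = f[0]
    if op in ("true", "false"):
        return op
    if op == "ap":
        return f[1]
    if op == "not":
        return "!" + show(f[1])
    if op == "X":
        return "X" + show(f[1])
    sym = {"and": " & ", "or": " | ", "U": " U ", "R": " R ", "F": "F ", "G": "G "}
    return ("(" + show(f[1]) + sym[op] + show(f[2]) + ")" if len(f) == 3
            else sym[op] + show(f[1]))

# The slide's example as read here: !G(problem -> F alarm), with p -> q
# written as !p | q and the propositions abbreviated to p and a.
NEG_PROPERTY = ("not", ("G", ("or", ("not", ("ap", "p")), ("F", ("ap", "a")))))
```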
Getting Normal 2
LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty?
• Past operators do not add any expressive power to LTL
• Why are they useful?
• Past operators are not easily expressed with future operators
• Example: G(alarm → ◇⁻ problem), where ◇⁻ is the past operator "once" (sometime in the past)
Getting Normal 3
LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty?
• Past operators do not add any expressive power to LTL
• Why are they useful?
• Past operators are not easy to translate to normal form
• Possible exponential blowup
• Safety property: the alarm must not sound unless there has been a problem.
  With a past operator: G(alarm → ◇⁻ problem)
  With future operators only: G ¬alarm ∨ (¬alarm U problem)
Normal Form → GLBA
LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty?
Unfolding laws for U and its dual R:
  φ U ψ ≡ ψ ∨ (φ ∧ X(φ U ψ))
  φ R ψ ≡ ψ ∧ (φ ∨ X(φ R ψ))
Overall idea: A node in the graph represents a state; an edge represents a step forward in time. Each node contains formulas that must be true at this time; view these formulas as proof obligations:
• Atomic propositions: check for contradictions
• Conjunctions: check both clauses
• Disjunctions: split into two nodes and allow a nondeterministic choice
• Next: push the proof obligation to the successors
• Until and its evil twin: unfold recursively on demand
Accept states 1
LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty?
Definition of strict p U q:
  $s, k \models p\,U\,q \iff \exists i > k.\ \big(s, i \models q \wedge \forall j.\ k < j < i \rightarrow s, j \models p\big)$
Sooner or later, q must happen!
Graph for p U q: one node labelled {{q}, {p, q}} and one node labelled {{p}, {p, q}}; set of accept sets: Ø.
(Remember, every run is accepted, since the set of accept sets is empty)
Accept states 2
LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty?
Same graph as before, with the set of accept sets still Ø.
Problem: The automaton accepts pω!
Accept states 3
LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty?
Solution: Insert accept states to break the cycle (not needed for the dual of U).
Un-generalizing GLBAs 1
LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty?
The generated automaton may have more than one set of accept states (one for each ‘until’ in the original formula):
Un-generalizing GLBAs 2
LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty?
Duplicate the automaton. When leaving an accept state, jump to the next copy. Keep only one set of accept states.
Combining the two LBAs 1
LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty?
Wanted: an automaton accepting the intersection of the two languages, Lω(A_sys) ∩ Lω(A_¬φ).
Combining the two LBAs 2
LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty?
By the ordinary DFA product construction:
Problem: Requires accept states to be visited at the same time.
Combining the two LBAs 3
LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty?
Solution: Use a GLBA with two accept sets, then reduce to an LBA.
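The construction of this slide and of the un-generalizing slides above, as an added example (not code from the slides): the product of two LBAs is built as a GLBA with one accept set per factor, and a GLBA is then reduced to an LBA by the duplicate-and-jump construction. The dict representation of automata and the two sample automata are constructed here.

```python
# Added example (not the slides' code). An LBA is a dict with keys states,
# init, delta (state -> set of successors), label (state -> set of symbols)
# and accept; a GLBA carries accept_sets (a list of sets) instead of accept.
def product(A, B):
    """GLBA for L(A) ∩ L(B): a pair (s, t) is a state only if the labels
    overlap; A's and B's accept states become two separate accept sets,
    so they need not be visited at the same time."""
    states = [(s, t) for s in A["states"] for t in B["states"]
              if A["label"][s] & B["label"][t]]
    keep = set(states)
    return {
        "states": states,
        "init": {(s, t) for (s, t) in states if s in A["init"] and t in B["init"]},
        "delta": {(s, t): {(s2, t2) for s2 in A["delta"][s]
                           for t2 in B["delta"][t] if (s2, t2) in keep}
                  for (s, t) in states},
        "label": {(s, t): A["label"][s] & B["label"][t] for (s, t) in states},
        "accept_sets": [{(s, t) for (s, t) in states if s in A["accept"]},
                        {(s, t) for (s, t) in states if t in B["accept"]}],
    }

def degeneralize(G):
    """GLBA with k >= 1 accept sets -> LBA: k copies of the automaton; leaving
    a state of F_j while in copy j jumps to copy j+1 (mod k). Only copy k-1
    keeps its accept set: to return to it a run must pass every F_j."""
    k = len(G["accept_sets"])
    states = [(s, j) for s in G["states"] for j in range(k)]

    def copy_after(s, j):
        return (j + 1) % k if s in G["accept_sets"][j] else j

    return {
        "states": states,
        "init": {(s, 0) for s in G["init"]},
        "delta": {(s, j): {(t, copy_after(s, j)) for t in G["delta"][s]}
                  for (s, j) in states},
        "label": {(s, j): G["label"][s] for (s, j) in states},
        "accept": {(s, k - 1) for s in G["accept_sets"][k - 1]},
    }

# Constructed sample over Σ = {a, b}: INF_A accepts words with infinitely
# many a, INF_B words with infinitely many b; the product must accept both.
INF_A = {"states": [0, 1], "init": {0, 1}, "delta": {0: {0, 1}, 1: {0, 1}},
         "label": {0: {"a"}, 1: {"b"}}, "accept": {0}}
INF_B = {"states": [0, 1], "init": {0, 1}, "delta": {0: {0, 1}, 1: {0, 1}},
         "label": {0: {"b"}, 1: {"a"}}, "accept": {0}}

def build():
    return degeneralize(product(INF_A, INF_B))   # ordinary LBA for L(A) ∩ L(B)
```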
The emptiness problem
LTL → Normal Form → GLBA → LBA → LBA × LBA → Empty?
How do we do it?
Find an appropriate cycle in the LBA – if no such cycle exists, the language is empty.
Why does this work?
Theorem 17.
Seriously, why?
In order for the language to be non-empty, there must be an infinite run of the automaton that visits an accept state infinitely often. Since the automaton has finitely many states, this means that there has to be a reachable cycle containing an accept state.
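The cycle search of this slide, as an added example (not code from the slides): a nested depth-first search that either returns a reachable cycle through an accept state or reports the language empty. The example automaton is the one from the "Büchi Automata 3" slide, with the transition structure and the accept state assumed here from its language (a|d)(bc+)ω.

```python
# Added example (not the slides' code): nested depth-first search for a
# reachable cycle through an accept state, the check that SPIN performs on
# the product automaton. delta maps a state to its successors; labels play
# no role here, since a state with an empty label would already be dropped.
def find_accepting_cycle(init, delta, accept):
    """Return [f, ..., f] for a reachable cycle through accept state f,
    or None when no such cycle exists (i.e. the language is empty)."""
    seen_outer, seen_inner = set(), set()

    def inner(s, target, path):
        # Second DFS: look for a path from s back to target. Marks persist
        # across calls, which is what keeps the whole search linear.
        for t in delta[s]:
            if t == target:
                return path + [t]
            if t not in seen_inner:
                seen_inner.add(t)
                found = inner(t, target, path + [t])
                if found:
                    return found
        return None

    def outer(s):
        # First DFS; an accept state is examined in post-order, after all
        # its descendants, which the correctness argument relies on.
        seen_outer.add(s)
        for t in delta[s]:
            if t not in seen_outer:
                found = outer(t)
                if found:
                    return found
        return inner(s, s, [s]) if s in accept else None

    for s in init:
        if s not in seen_outer:
            found = outer(s)
            if found:
                return found
    return None

# The slides' example automaton for (a|d)(bc+)^ω as assumed here: state 0
# labelled {a,d}, state 1 labelled {b} (accepting), state 2 labelled {c}.
LABEL = {0: {"a", "d"}, 1: {"b"}, 2: {"c"}}
DELTA = {0: [1], 1: [2], 2: [1, 2]}

def language_empty(accept):
    """True iff the example automaton with the given accept set accepts nothing."""
    return find_accepting_cycle([0], DELTA, accept) is None
```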
The state space
• Example (Promela):
  int i;
  proctype P1() {
    do
    :: true -> atomic { if :: (i < 2) -> i = i + 1 fi }
    od
  }
  proctype P2() {
    do
    :: true -> atomic { if :: (i != 2) -> i = 2 :: else -> i = 0 fi }
    od
  }
  init { i = 0; run P1(); run P2(); }
The state space 2
• A state: all global vars; local vars and program counter in all processes
• State space: all possible simulations from the initial state
• State space must be finite
The state space 3
State graph: i=0 (P1 and P2 enabled), i=1 (P1 and P2 enabled), i=2 (P2 enabled).
State space → LBA
• Convert states to proposition tables: get all propositions from the LTL expression; in each state, change the label to the set of all satisfied propositions.
State space → LBA 2
• Propositions:
  p := (i <= 0)
  q := (i == 1)
  r := (i >= 2)
Labelled state graph: i=0 → {p}, i=1 → {q}, i=2 → {r}.
State space → LBA 3
• Make all paths infinite
• Make all states accepting – the product is now the normal DFA product
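The state-space slides carried through in code, as an added example (not code from the slides): the two-process model is explored from i = 0, each state is labelled with the propositions p, q, r it satisfies, and the result is made into an LBA with every state accepting and every path infinite. Since both proctypes are a single loop around one atomic step, a state is modelled here by the value of i alone (an assumption made for this example).

```python
# Added example (not the slides' code): enumerate the state space of the
# slides' two-process model and turn it into an LBA as the slides describe.
# Each proctype is a single do-loop around one atomic step, so the program
# counters never change and a state is fully described by the value of i
# (an assumption made here to keep the model small).
def p1_step(i):
    """P1: if (i < 2) -> i = i + 1; blocked (not enabled) when i == 2."""
    return [i + 1] if i < 2 else []

def p2_step(i):
    """P2: if (i != 2) -> i = 2 :: else -> i = 0; always enabled."""
    return [2 if i != 2 else 0]

# Propositions taken from the slide "State space -> LBA 2".
PROPS = {"p": lambda i: i <= 0, "q": lambda i: i == 1, "r": lambda i: i >= 2}

def explore(init=0):
    """Reachable states from init with their successors and enabled processes."""
    delta, enabled, todo = {}, {}, [init]
    while todo:
        i = todo.pop()
        if i in delta:
            continue
        moves = {"P1": p1_step(i), "P2": p2_step(i)}
        enabled[i] = [name for name, succ in moves.items() if succ]
        delta[i] = sorted(set(moves["P1"] + moves["P2"]))
        todo.extend(delta[i])
    return delta, enabled

def to_lba(delta, init=0):
    """State space -> LBA: label every state with the propositions it
    satisfies, make every state accepting, and make every path infinite by
    giving a state without successors a stuttering self-loop."""
    return {
        "init": {init},
        "delta": {i: (succ or [i]) for i, succ in delta.items()},
        "label": {i: {n for n, holds in PROPS.items() if holds(i)} for i in delta},
        "accept": set(delta),
    }

def model_lba():
    delta, _ = explore()
    return to_lba(delta)
```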
The rest
• Is in chapter 5
References
• G. J. Holzmann: An improved protocol reachability analysis technique.
• O. Lichtenstein, A. Pnueli: The glory of the past.
• R. Gerth et al.: Simple on-the-fly automatic verification of linear temporal logic.
• K. Etessami, G. J. Holzmann: Optimizing Büchi automata.
• A. M. Mikkelsen: On-the-fly model checking in Design/CPN.
• G. J. Holzmann: The model checker SPIN.
Exercises
• Exercises 8, 9, 10 (s3 should be s2), 12
• Derive the semantics of U from the semantics of U, and give an intuitive explanation.