Slide 1: LTL Model Checking
张文辉, http://lcs.ios.ac.cn/~zwh
Slide 2: LTL Model Checking
Transition systems / Kripke structures → ω-automata
LTL / PLTL → ω-automata
M ⊨ φ  iff  L(A_M) ⊆ L(A_φ)
Slide 3: LTL Model Checking
L(A_M) ⊆ L(A_φ)
iff L(A_M) ∩ (Σ^ω \ L(A_φ)) = ∅
iff L(A_M) ∩ L(A_¬φ) = ∅
iff L(A_M ∩ A_¬φ) = ∅   (decided by double DFS)
Slide 4: Kripke Structure
Slide 5: Kripke Structures
Definition. A Kripke structure is a triple <S, R, I>
– S: a finite set of states
– R ⊆ S × S: a total transition relation
– I ⊆ S: a set of initial states
The set of successors of s is denoted R(s).
Then R is total iff R(s) ≠ ∅ for all s ∈ S.
Slide 6: Example
(figure: a Kripke structure with four states s0, s1, s2, s3)
Slide 7: Computation
Given a Kripke structure K = <S, R, I>.
Notation: s → s' means sRs', i.e. (s, s') ∈ R.
Definition. A computation of K is an infinite sequence s0 s1 s2 … of elements of S
such that s0 ∈ I, and si → si+1 for all i ≥ 0.
Slide 8: Path
Definition. An infinite path is an infinite sequence of elements of S:
s0 s1 s2 …
such that si → si+1 for all i ≥ 0.
Definition. A finite path is a finite prefix of an infinite path: s0 … sn.
Slide 9: Labeled Kripke Structures
AP: a set of propositions.
Definition. A (labeled) Kripke structure is a quadruple <S, R, I, L>
– S: a finite set of states
– R ⊆ S × S: a total transition relation
– I ⊆ S: a set of initial states
– L: S → 2^AP: a labeling function
Slide 10: Example
(figure: the Kripke structure of slide 6 with the labels {}, {q}, {p,q} and {p} attached to its four states)
Slide 11: Example
(figure: two processes composed in parallel)
Process 1 has states t0, t1, t2, t3 with the action x=1,t=0, the guard y==0||t==1, and the action x=0.
Process 2 has states s0, s1, s2, s3 with the action y=1,t=1, the guard x==0||t==0, and the action y=0.
Initial state: s0 t0 with x=0, y=0, t=0.
Slide 12: Example (continued)
(figure: the reachable state graph of the example; each state is a tuple (s, t, x, y, t-variable))
States shown: (s0,t0,0,0,0), (s0,t1,1,0,0), (s1,t0,0,1,1), (s2,t0,0,1,1), (s3,t0,0,0,1), (s1,t1,1,1,0), (s0,t2,1,0,0), (s0,t3,0,0,0), (s1,t1,1,1,1), (s2,t1,1,1,0), (s1,t2,1,1,1), (s3,t1,1,0,0), (s1,t3,0,1,1), (s3,t2,1,0,0), (s3,t3,0,0,0), (s2,t3,0,1,1), (s3,t3,0,0,1)
Slide 13: Proposition Symbols
Let AP be the set of proposition symbols {p0, p1, …, p13} with the following meaning:
Slide 14: Labeling Function
L(s0,t0,0,0,0) = {p6, p10, p0, p2, p4}
L(s0,t0,0,0,1) = {p6, p10, p0, p2, p5}
…
Slide 15: ω-Automata
Slide 16: Büchi Automata
Definition. A Büchi automaton (BA) is a quintuple <Σ, S, δ, I, F>
– Σ: a finite set of symbols
– S: a finite set of states
– δ ⊆ S × Σ × S: a transition relation
– I ⊆ S: a set of initial states
– F ⊆ S: a set of acceptance states
Slide 17: Example
(figure: a Büchi automaton with states s0, s1, s2, s3 and transitions labelled a, b, c)
Slide 18: Runs
Given a BA A = <Σ, S, δ, I, F>.
Notation: s –a→ s' means (s, a, s') ∈ δ.
Definition. Let w ∈ Σ^ω. A run of A on w is an infinite sequence s0 s1 s2 … of elements of S
such that s0 ∈ I, and (si, w[i], si+1) ∈ δ for all i ≥ 0.
Slide 19: Words over a Run
Definition. A word over a run r of A is an infinite sequence of elements of Σ: a1 a2 …
such that r is a run on a1 a2 ….
Slide 20: Accepting Runs
Let inf(ρ) be the set of states that appear infinitely many times on ρ.
Definition. An accepting run ρ of A is a run of A such that inf(ρ) ∩ F ≠ ∅.
Slide 21: Accepting Words
Definition. An accepting word of A is a word over some accepting run of A.
Slide 22: Language
Definition. The language of A is the set of accepting words of A.
The language of A is denoted L(A).
Slide 23: Union
Given two BAs A1 = <Σ, S1, δ1, I1, F1>, A2 = <Σ, S2, δ2, I2, F2>.
Suppose that S1 and S2 are disjoint.
Define A1 ∪ A2 = <Σ, S, δ, I, F> where
S = S1 ∪ S2
δ = δ1 ∪ δ2
I = I1 ∪ I2
F = F1 ∪ F2
Slide 24: Union
Theorem. L(A1 ∪ A2) = L(A1) ∪ L(A2)
Slide 25: Intersection
Given BAs A1 = <Σ, S1, δ1, I1, F1>, A2 = <Σ, S2, δ2, I2, F2>.
Define A1 ∩ A2 = <Σ, S, δ, I, F> where
S = S1 × S2 × {0,1,2}
δ = ? (next slide)
I = I1 × I2 × {0}
F = S1 × S2 × {2}
Slide 26: Intersection
δ = { ((s1,s2,i), a, (s1',s2',i)) | i ∈ {0,1}, (s1,a,s1') ∈ δ1, (s2,a,s2') ∈ δ2 }
  ∪ { ((s1,s2,0), a, (s1',s2',1)) | (s1,a,s1') ∈ δ1, (s2,a,s2') ∈ δ2, s1 ∈ F1 }
  ∪ { ((s1,s2,1), a, (s1',s2',2)) | (s1,a,s1') ∈ δ1, (s2,a,s2') ∈ δ2, s2 ∈ F2 }
  ∪ { ((s1,s2,2), a, (s1',s2',0)) | (s1,a,s1') ∈ δ1, (s2,a,s2') ∈ δ2 }
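The product construction of slides 25–26, written out as an added example (this code is not from the slides): automata are represented as tuples (Σ, S, δ, I, F) with δ a set of (s, a, s') triples, the third component of a product state is the phase counter 0/1/2, and the two sample automata over {a, b} (one accepting words with infinitely many a's, the other infinitely many b's) are constructed here for the check. The run condition of slide 18 is checked on a finite prefix, and the acceptance condition of slide 20 on the loop of a lasso-shaped run.

```python
# Added example: the BA intersection of slides 25-26 with a 3-valued phase counter.
# Automata are tuples (Sigma, S, delta, I, F); delta is a set of (s, a, s') triples.

def ba_intersection(A1, A2):
    """Return A1 ∩ A2 as defined on slides 25-26."""
    Sigma, S1, d1, I1, F1 = A1
    _, S2, d2, I2, F2 = A2
    S = {(s1, s2, i) for s1 in S1 for s2 in S2 for i in (0, 1, 2)}
    I = {(s1, s2, 0) for s1 in I1 for s2 in I2}
    F = {(s1, s2, 2) for s1 in S1 for s2 in S2}
    delta = set()
    for (s1, a, t1) in d1:
        for (s2, b, t2) in d2:
            if a != b:
                continue                       # both components read the same letter
            for i in (0, 1):                   # stay in phase 0 or 1
                delta.add(((s1, s2, i), a, (t1, t2, i)))
            if s1 in F1:                       # phase 0 -> 1: an F1 state was just visited
                delta.add(((s1, s2, 0), a, (t1, t2, 1)))
            if s2 in F2:                       # phase 1 -> 2: an F2 state was just visited
                delta.add(((s1, s2, 1), a, (t1, t2, 2)))
            delta.add(((s1, s2, 2), a, (t1, t2, 0)))   # phase 2 -> 0: start a new round
    return (Sigma, S, delta, I, F)

def is_run_prefix(A, states, word):
    """Run condition of slide 18 on a finite prefix: s0 in I and (si, w[i], si+1) in delta."""
    _, _, delta, I, _ = A
    return (len(states) == len(word) + 1 and states[0] in I
            and all((states[i], word[i], states[i + 1]) in delta for i in range(len(word))))

def loop_accepting(A, loop_states):
    """A run that repeats loop_states forever is accepting iff the loop meets F (slide 20)."""
    return bool(set(loop_states) & A[4])

# Constructed sample automata over {a, b} (ours, not the slides' example):
# A_INF_A accepts words with infinitely many a's, A_INF_B those with infinitely many b's.
SIGMA = {'a', 'b'}
A_INF_A = (SIGMA, {'p0', 'p1'},
           {('p0', 'b', 'p0'), ('p0', 'a', 'p1'), ('p1', 'a', 'p1'), ('p1', 'b', 'p0')},
           {'p0'}, {'p1'})
A_INF_B = (SIGMA, {'r0', 'r1'},
           {('r0', 'a', 'r0'), ('r0', 'b', 'r1'), ('r1', 'b', 'r1'), ('r1', 'a', 'r0')},
           {'r0'}, {'r1'})
PRODUCT = ba_intersection(A_INF_A, A_INF_B)

# A run of the product on the word (ab)^ω that passes phase 2 on every round,
# and one that never leaves phase 0 (also a valid run, but not accepting).
RUN = [('p0', 'r0', 0), ('p1', 'r0', 0), ('p0', 'r1', 1),
       ('p1', 'r0', 2), ('p0', 'r1', 0), ('p1', 'r0', 0)]
STAY = [('p0', 'r0', 0), ('p1', 'r0', 0), ('p0', 'r1', 0), ('p1', 'r0', 0)]

if __name__ == '__main__':
    print(len(PRODUCT[1]), 'product states,', len(PRODUCT[4]), 'accepting')
    print('RUN valid:', is_run_prefix(PRODUCT, RUN, list('ababa')),
          'loop accepting:', loop_accepting(PRODUCT, RUN[1:]))
    print('STAY valid:', is_run_prefix(PRODUCT, STAY, list('aba')),
          'loop accepting:', loop_accepting(PRODUCT, STAY[1:]))
```

Because the first rule of δ lets the product stay in phase 0 or 1 on any letter, the product is nondeterministic: the STAY run above is a legal run on (ab)^ω that never reaches phase 2, while RUN is an accepting run on the same word, which is all the acceptance condition needs.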
Slide 27: Intersection
Theorem. L(A1 ∩ A2) = L(A1) ∩ L(A2)
Slide 28: Complementation
The set of BAs is closed under complementation.
Given A = <Σ, S, δ, I, F>. There exists a BA B such that L(B) = Σ^ω \ L(A).
Slide 29: Generalized Büchi Automaton
Definition. A GBA is a quintuple <Σ, S, δ, I, F>
– Σ: a finite set of symbols
– S: a finite set of states
– δ ⊆ S × Σ × S: a transition relation
– I ⊆ S: a set of initial states
– F ⊆ 2^S: a set of sets of acceptance states
Slide 30: Accepting Run
Definition. An accepting run ρ of A is a run of A such that for each f ∈ F, inf(ρ) ∩ f ≠ ∅.
Slide 31: Union
Given two automata A1 = <Σ, S1, δ1, I1, F1>, A2 = <Σ, S2, δ2, I2, F2>.
Suppose that S1 and S2 are disjoint.
Define A1 ∪ A2 = <Σ, S, δ, I, F> where
S = S1 ∪ S2
δ = δ1 ∪ δ2
I = I1 ∪ I2
F = { f ∪ S2 | f ∈ F1 } ∪ { f ∪ S1 | f ∈ F2 }
Slide 32: Union
Theorem. L(A1 ∪ A2) = L(A1) ∪ L(A2)
Slide 33: Intersection
Given two automata A1 = <Σ, S1, δ1, I1, F1>, A2 = <Σ, S2, δ2, I2, F2>.
Define A1 ∩ A2 = <Σ, S, δ, I, F> where
S = S1 × S2
δ = { ((s1,s2), a, (s1',s2')) | (s1,a,s1') ∈ δ1, (s2,a,s2') ∈ δ2 }
I = I1 × I2
F = { f × S2 | f ∈ F1 } ∪ { S1 × f | f ∈ F2 }
Slide 34: Intersection
Theorem. L(A1 ∩ A2) = L(A1) ∩ L(A2)
Slide 35: Complementation
The set of GBAs is closed under complementation.
Slide 36: Expressiveness of GBAs
Slide 37: Expressiveness of GBAs
Theorem. Every language expressible by a BA is also expressible by a GBA.
Proof. Given a BA A = <Σ, S, δ, I, F>. We can construct a GBA B = <Σ, S, δ, I, {F}> such that L(B) = L(A).
Slide 38: Expressiveness of GBAs
Theorem. Every language expressible by a GBA is also expressible by a BA.
Proof. Given a GBA A = <Σ, S, δ, I, {f1, …, fn}>.
We can construct a BA B = <Σ, S', δ', I', F'> such that L(B) = L(A).
Slide 39: GBA → BA
BA B = <Σ, S', δ', I', F'>
S' = S × {0,1,2,…,n}
δ' = ? (next slide)
I' = I × {0}
F' = S × {n}
Slide 40: GBA → BA
δ' = { ((s,i), a, (s',i)) | i ∈ {0,1,…,n-1}, (s,a,s') ∈ δ }
   ∪ { ((s,i), a, (s',i+1)) | i ∈ {0,1,…,n-1}, (s,a,s') ∈ δ, s ∈ f_{i+1} }
   ∪ { ((s,n), a, (s',0)) | (s,a,s') ∈ δ }
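The degeneralization of slides 38–40 as an added example (not code from the slides): a GBA is a tuple (Σ, S, δ, I, Fs) with Fs the list [f1, …, fn], and the counter value i of a BA state (s, i) means "waiting to visit f_{i+1}"; the sample GBA over {a, b} with two acceptance sets is constructed here, and the same run is checked once against the GBA acceptance condition of slide 30 and once against the BA condition of slide 20.

```python
# Added example: GBA -> BA (slides 38-40). GBA = (Sigma, S, delta, I, [f1, ..., fn]);
# BA = (Sigma, S', delta', I', F'). Counter i in a state (s, i) means "waiting for f_{i+1}".

def gba_to_ba(G):
    Sigma, S, delta, I, Fs = G
    n = len(Fs)
    S2 = {(s, i) for s in S for i in range(n + 1)}
    I2 = {(s, 0) for s in I}
    F2 = {(s, n) for s in S}              # counter n: all of f1..fn were visited this round
    d2 = set()
    for (s, a, t) in delta:
        for i in range(n):
            d2.add(((s, i), a, (t, i)))     # keep waiting
            if s in Fs[i]:                  # s in f_{i+1}: advance the counter
                d2.add(((s, i), a, (t, i + 1)))
        d2.add(((s, n), a, (t, 0)))         # restart the round
    return (Sigma, S2, d2, I2, F2)

def is_run_prefix(A, states, word):
    """Run condition of slide 18 on a finite prefix (works for BAs and GBAs alike)."""
    _, _, delta, I, _ = A
    return (len(states) == len(word) + 1 and states[0] in I
            and all((states[i], word[i], states[i + 1]) in delta for i in range(len(word))))

def gba_loop_accepting(G, loop_states):
    """Slide 30: a looping run is accepting iff every acceptance set meets the loop."""
    return all(set(loop_states) & f for f in G[4])

def ba_loop_accepting(B, loop_states):
    """Slide 20: a looping run is accepting iff the loop meets F."""
    return bool(set(loop_states) & B[4])

# Constructed GBA over {a, b}: qa is entered on reading a, qb on reading b;
# Fs = [{qa}, {qb}], so it accepts exactly the words with infinitely many a's and b's.
G_AB = ({'a', 'b'}, {'qa', 'qb'},
        {('qa', 'a', 'qa'), ('qa', 'b', 'qb'), ('qb', 'b', 'qb'), ('qb', 'a', 'qa')},
        {'qa'}, [{'qa'}, {'qb'}])
B_AB = gba_to_ba(G_AB)

# One round of the word (abba)^ω: in the BA the counter climbs 0 -> 1 -> 2 and resets to 0.
GBA_RUN = ['qa', 'qa', 'qb', 'qb', 'qa']
BA_RUN = [('qa', 0), ('qa', 1), ('qb', 1), ('qb', 2), ('qa', 0)]

if __name__ == '__main__':
    print(len(B_AB[1]), 'BA states, F\' =', sorted(B_AB[4]))
    print('GBA run valid/accepting:', is_run_prefix(G_AB, GBA_RUN, list('abba')),
          gba_loop_accepting(G_AB, GBA_RUN[:4]))
    print('BA run valid/accepting:', is_run_prefix(B_AB, BA_RUN, list('abba')),
          ba_loop_accepting(B_AB, BA_RUN[:4]))
```

The counter only advances when the source state of a transition lies in the next acceptance set, so a loop of the BA passes through counter value n only if the underlying GBA loop meets every f_i; a GBA loop that visits qa alone, for instance, satisfies neither condition.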
Slide 41: Kripke Structure → ω-Automata
Slide 42: Kripke Structure → ω-Automata
Computations ↔ Accepting runs
Labels on computations ↔ Accepting words
Slide 43: Kripke Structure → ω-Automata
AP: a set of propositions. K = <S, R, I, L>
A = <Σ, S, δ, I, F>
Σ = 2^AP
δ = { (s, a, s') | (s, s') ∈ R, a = L(s) }
F = S
Slide 44: Kripke Structure → ω-Automata
Theorem.
r is a computation of K ⟹ L(r) is an accepting word of A
w is an accepting word of A ⟹ there is a computation r of K such that L(r) = w
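An added example (not from the slides) covering the Kripke-structure definitions of slides 5–9 and the conversion of slide 43: a labeled Kripke structure is a tuple (S, R, I, L), the totality check of slide 5 and the computation condition of slide 7 are made explicit, Σ = 2^AP is enumerated, and the first direction of the theorem of slide 44 is checked on a finite prefix of a computation. The four-state structure is constructed here in the spirit of slide 10; its labels are our own assignment, not read off the figure.

```python
# Added example: labeled Kripke structure K = <S, R, I, L> (slide 9), totality (slide 5),
# computations (slide 7) and the conversion K -> A of slide 43, checked against slide 44.

def alphabet(AP):
    """Sigma = 2^AP: every subset of AP, as frozensets."""
    ap = sorted(AP)
    return {frozenset(ap[j] for j in range(len(ap)) if mask >> j & 1)
            for mask in range(1 << len(ap))}

def successors(R, s):
    """R(s), the set of successors of s."""
    return {t for (u, t) in R if u == s}

def is_total(S, R):
    """R is total iff R(s) is non-empty for every s in S (slide 5)."""
    return all(successors(R, s) for s in S)

def is_finite_path(R, seq):
    """Slide 8: consecutive states are related by R."""
    return all((seq[i], seq[i + 1]) in R for i in range(len(seq) - 1))

def is_computation_prefix(K, seq):
    """Slide 7: a finite path that starts in an initial state."""
    S, R, I, L = K
    return bool(seq) and seq[0] in I and is_finite_path(R, seq)

def labels(K, seq):
    """L(r): the word of labels along a path."""
    return [K[3][s] for s in seq]

def kripke_to_ba(K, AP):
    """Slide 43: Sigma = 2^AP, delta = {(s, L(s), s') | (s, s') in R}, F = S."""
    S, R, I, L = K
    delta = {(s, L[s], t) for (s, t) in R}
    return (alphabet(AP), set(S), delta, set(I), set(S))

def is_run_prefix(A, states, word):
    """Run condition of slide 18 on a finite prefix."""
    _, _, delta, I, _ = A
    return (len(states) == len(word) + 1 and states[0] in I
            and all((states[i], word[i], states[i + 1]) in delta for i in range(len(word))))

# Constructed example (our own labels): four states, every state has a successor.
AP = {'p', 'q'}
K_EX = ({'s0', 's1', 's2', 's3'},
        {('s0', 's1'), ('s1', 's2'), ('s2', 's3'), ('s3', 's0'), ('s2', 's0')},
        {'s0'},
        {'s0': frozenset(), 's1': frozenset({'q'}),
         's2': frozenset({'p', 'q'}), 's3': frozenset({'p'})})
A_EX = kripke_to_ba(K_EX, AP)
R_EX = ['s0', 's1', 's2', 's0', 's1', 's2', 's3']    # prefix of a computation of K_EX

if __name__ == '__main__':
    print('R total:', is_total(K_EX[0], K_EX[1]), '|Sigma| =', len(alphabet(AP)))
    print('computation prefix:', is_computation_prefix(K_EX, R_EX))
    # L(r) read from the prefix is the word of a run of A_EX over the same states
    print('L(r) is a run word:', is_run_prefix(A_EX, R_EX, labels(K_EX, R_EX)[:-1]))
```

Since F = S, every run of A_EX is accepting, which is why the theorem of slide 44 reduces to matching computations with runs: the label of each transition is the label of its source state, so the word read along a run is exactly L(r).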
Slide 45: Example
(figure: the labeled Kripke structure of slide 10 on the left, and the Büchi automaton obtained from it on the right; each transition carries the label {}, {q}, {p,q} or {p} of its source state)
Slide 46: PLTL → ω-Automata
Slide 47: Example
G p,  p U q,  p U (q U r)
Slide 48: PLTL → ω-Automata
Only consider NNF formulas with literals, disjunction, conjunction, X, U, R:
φ ::= p | ¬p | φ ∨ φ | φ ∧ φ | X φ | φ R φ | φ U φ
Slide 49: PLTL → ω-Automata
Let φ be a PLTL formula over AP.
Construct a GBA A = <S, Σ, δ, I, F> such that σ ⊨ φ iff σ ∈ L(A).
(1) Σ = 2^AP
(2) S, I, δ, F = ?
Slide 50: PLTL → ω-Automata
Nodes have the form s = [a; b; c; d], where a is the set of incoming nodes, b the formulas still to be processed, c the formulas already processed, and d the obligations for the next state.
s = [a; ∅; c; d]   (nothing left to process)
New node: s' = [s; d; ∅; ∅]
Slide 51: PLTL → ω-Automata
s = [a; p, b; c; d] where p is a literal
Replace by s' = [a; b; p, c; d]
Slide 52: PLTL → ω-Automata
s = [a; φ0 ∨ φ1, b; c; d]
Replace by s' = [a; φ0, b; φ0 ∨ φ1, c; d]
and s'' = [a; φ1, b; φ0 ∨ φ1, c; d]
Slide 53: PLTL → ω-Automata
s = [a; φ0 ∧ φ1, b; c; d]
Replace by s' = [a; φ0, φ1, b; φ0 ∧ φ1, c; d]
Slide 54: PLTL → ω-Automata
s = [a; X φ1, b; c; d]
Replace by s' = [a; b; X φ1, c; φ1, d]
Slide 55: PLTL → ω-Automata
s = [a; φ0 U φ1, b; c; d]
Replace by s' = [a; φ1 ∨ (φ0 ∧ X(φ0 U φ1)), b; φ0 U φ1, c; d]
Slide 56: PLTL → ω-Automata
s = [a; φ0 R φ1, b; c; d]
Replace by s' = [a; φ1 ∧ (φ0 ∨ X(φ0 R φ1)), b; φ0 R φ1, c; d]
Slide 57: PLTL → ω-Automata
s = [a; ∅; c; d],  s' = [a'; ∅; c; d]   (same processed formulas and same next-state obligations)
Replace both by s'' = [a ∪ a'; ∅; c; d]
Slide 58: PLTL → ω-Automata
s = [a; ∅; c; d]
s ∈ I iff init ∈ a   (init is the pseudo-node that precedes the initial nodes)
Slide 59: PLTL → ω-Automata
Σ = 2^AP
s = [a; ∅; c; d],  s' = [a'; ∅; c'; d']
Define δ as follows: (s, σ, s') ∈ δ iff s ∈ a' and σ ⊨ s, where σ ⊨ s means that every literal in s.c holds in σ.
Slide 60: PLTL → ω-Automata
Let f(φ0 U φ1) = { s | φ0 U φ1 ∉ s.c or φ1 ∈ s.c }
F = { f(φ0 U φ1) | φ0 U φ1 is a sub-formula of φ }
Slide 61: PLTL → ω-Automata
Theorem. Let A = <Σ, S, δ, I, F> be the GBA as constructed. Then σ ⊨ φ iff σ ∈ L(A).
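The node rules of slides 50–60 as an added example (this is our code, not the slides'): formulas in NNF are nested tuples, a node [a; b; c; d] is kept as (incoming, new, old, next), the pseudo-node 'init' marks initial nodes as on slide 58, δ is the condition of slide 59, and F is built from the sets f(φ0 U φ1) of slide 60. One extra rule beyond the slides is assumed: a node whose processed part would contain both p and ¬p is discarded, which only removes states that no letter could ever satisfy. The sample formulas p U q and X p are constructed here; the check only asks whether some run reads a finite prefix, since acceptance on infinite words needs an emptiness search.

```python
# Added example: the tableau construction of slides 50-60.
# NNF formulas as tuples: ('lit', 'p'), ('lit', '!p'), ('or', f, g), ('and', f, g),
# ('X', f), ('U', f, g), ('R', f, g).  Nodes: [a; b; c; d] = (incoming, new, old, next).
from itertools import count

def neg_lit(lit):
    name = lit[1]
    return ('lit', name[1:]) if name.startswith('!') else ('lit', '!' + name)

def subformulas(f):
    yield f
    for g in f[1:]:
        if isinstance(g, tuple):
            yield from subformulas(g)

def ltl_to_gba(phi):
    ids = count()
    nodes = {}   # node id -> {'incoming': set, 'old': frozenset, 'next': frozenset}

    def expand(incoming, new, old, nxt):
        if not new:   # slides 50/57: new part empty -> merge or create, then s' = [s; d; ; ]
            for nid, n in nodes.items():
                if n['old'] == old and n['next'] == nxt:
                    n['incoming'] |= incoming
                    return
            nid = next(ids)
            nodes[nid] = {'incoming': set(incoming), 'old': old, 'next': nxt}
            expand({nid}, nxt, frozenset(), frozenset())
            return
        f = min(new, key=repr)                    # pick a formula from the new part
        rest, old2, kind = new - {f}, old | {f}, f[0]
        if kind == 'lit':                         # slide 51 (+ assumed contradiction check)
            if neg_lit(f) not in old:
                expand(incoming, rest, old2, nxt)
        elif kind == 'or':                        # slide 52: two successor nodes
            expand(incoming, rest | {f[1]}, old2, nxt)
            expand(incoming, rest | {f[2]}, old2, nxt)
        elif kind == 'and':                       # slide 53
            expand(incoming, rest | {f[1], f[2]}, old2, nxt)
        elif kind == 'X':                         # slide 54
            expand(incoming, rest, old2, nxt | {f[1]})
        elif kind == 'U':                         # slide 55: f0 U f1 -> f1 or (f0 and X(f0 U f1))
            expand(incoming, rest | {('or', f[2], ('and', f[1], ('X', f)))}, old2, nxt)
        elif kind == 'R':                         # slide 56: f0 R f1 -> f1 and (f0 or X(f0 R f1))
            expand(incoming, rest | {('and', f[2], ('or', f[1], ('X', f)))}, old2, nxt)
        else:
            raise ValueError(f)

    expand({'init'}, frozenset([phi]), frozenset(), frozenset())
    untils = {g for g in subformulas(phi) if g[0] == 'U'}
    # slide 60: f(f0 U f1) = { s | f0 U f1 not in s.old  or  f1 in s.old }
    F = [frozenset(s for s, n in nodes.items() if g not in n['old'] or g[2] in n['old'])
         for g in untils]
    init = {s for s, n in nodes.items() if 'init' in n['incoming']}   # slide 58
    return {'nodes': nodes, 'init': init, 'F': F}

def satisfies(sigma, node):
    """sigma |= s (slide 59): every literal in s.old holds in sigma, a set of true propositions."""
    for f in node['old']:
        if f[0] == 'lit':
            neg, name = f[1].startswith('!'), f[1].lstrip('!')
            if (name in sigma) == neg:
                return False
    return True

def has_transition(gba, s, sigma, t):
    """(s, sigma, t) in delta iff s is an incoming node of t and sigma |= s (slide 59)."""
    return s in gba['nodes'][t]['incoming'] and satisfies(sigma, gba['nodes'][s])

def finite_run_exists(gba, word):
    """Does some run read the finite prefix `word` (a list of letters)? Acceptance is not checked."""
    current = set(gba['init'])
    for sigma in word:
        current = {t for s in current for t in gba['nodes'] if has_transition(gba, s, sigma, t)}
    return bool(current)

P_UNTIL_Q = ('U', ('lit', 'p'), ('lit', 'q'))     # constructed sample formula

if __name__ == '__main__':
    G = ltl_to_gba(P_UNTIL_Q)
    print(len(G['nodes']), 'nodes,', len(G['init']), 'initial,', len(G['F']), 'acceptance set(s)')
    print('reads {p}{p}{q}:', finite_run_exists(G, [{'p'}, {'p'}, {'q'}]))
    print('reads {}:', finite_run_exists(G, [set()]))
```

For p U q the construction yields three nodes: one that has discharged q, one that still carries p and the next-state obligation p U q, and one with no obligations that every later letter can enter. The acceptance set f(p U q) contains the first and the third, so a run that stays forever in the second node (reading p without ever seeing q) is rejected, which is exactly the liveness content of U.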
Slide 62: Example
G p,  p U q,  p U (q U r)
Slide 63: LTL Model Checking
L(A_M) ⊆ L(A_φ)
iff L(A_M) ∩ (Σ^ω \ L(A_φ)) = ∅
iff L(A_M) ∩ L(A_¬φ) = ∅
iff L(A_M ∩ A_¬φ) = ∅   (decided by double DFS)
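The double (nested) DFS named on this slide, as an added example that is not code from the slides: it decides emptiness of a Büchi automaton given as (Σ, S, δ, I, F), ignoring letters because emptiness depends only on the state graph, and returns a lasso (prefix, cycle) of an accepting run or None when L(A) = ∅. The three sample automata are constructed here; the second DFS is started from accepting states in post-order of the first, which is what makes reusing a single "flagged" set sound.

```python
# Added example: nested DFS emptiness check for a Büchi automaton (Sigma, S, delta, I, F).
# Returns (prefix, cycle) of an accepting lasso, or None if the language is empty.

def state_successors(A):
    succ = {s: set() for s in A[1]}
    for (s, _, t) in A[2]:
        succ[s].add(t)
    return succ

def nested_dfs(A):
    _, S, _, I, F = A
    succ = state_successors(A)
    visited, flagged = set(), set()

    def inner(seed):
        """Second DFS: find a path from seed back to seed without re-entering flagged states."""
        stack = [(seed, iter(succ[seed]))]
        flagged.add(seed)
        while stack:
            s, it = stack[-1]
            t = next(it, None)
            if t is None:
                stack.pop()
            elif t == seed:
                return [x for x, _ in stack]      # seed -> ... -> s, closed by s -> seed
            elif t not in flagged:
                flagged.add(t)
                stack.append((t, iter(succ[t])))
        return None

    for s0 in sorted(I, key=repr):
        if s0 in visited:
            continue
        stack = [(s0, iter(succ[s0]))]
        visited.add(s0)
        while stack:                               # first DFS over reachable states
            s, it = stack[-1]
            t = next(it, None)
            if t is not None:
                if t not in visited:
                    visited.add(t)
                    stack.append((t, iter(succ[t])))
                continue
            stack.pop()                            # s is finished: post-order point
            if s in F:
                cycle = inner(s)
                if cycle is not None:
                    return [x for x, _ in stack], cycle
    return None

def is_empty(A):
    return nested_dfs(A) is None

def is_accepting_lasso(A, prefix, cycle):
    """Validate a lasso: starts in I, follows edges, the cycle closes, and the cycle meets F."""
    succ = state_successors(A)
    path = prefix + cycle
    return (path[0] in A[3] and all(path[i + 1] in succ[path[i]] for i in range(len(path) - 1))
            and cycle[0] in succ[cycle[-1]] and bool(set(cycle) & A[4]))

# Constructed samples. INF_A accepts words with infinitely many a's.
INF_A = ({'a', 'b'}, {'p0', 'p1'},
         {('p0', 'b', 'p0'), ('p0', 'a', 'p1'), ('p1', 'a', 'p1'), ('p1', 'b', 'p0')},
         {'p0'}, {'p1'})
# DEAD_END: its only accepting state leads into a non-accepting loop, so L = empty.
DEAD_END = ({'a'}, {'q0', 'q1', 'q2'},
            {('q0', 'a', 'q1'), ('q1', 'a', 'q2'), ('q2', 'a', 'q2')}, {'q0'}, {'q1'})
# UNREACHABLE: an accepting cycle exists but cannot be reached from the initial state.
UNREACHABLE = ({'a'}, {'u0', 'u1'}, {('u0', 'a', 'u0'), ('u1', 'a', 'u1')}, {'u0'}, {'u1'})

if __name__ == '__main__':
    print('INF_A lasso:', nested_dfs(INF_A))
    print('DEAD_END empty:', is_empty(DEAD_END), ' UNREACHABLE empty:', is_empty(UNREACHABLE))
```

In model checking the automaton handed to this search is the product A_M ∩ A_¬φ, so a returned lasso is a computation of M violating φ: the prefix leads to the loop, and the loop is the part of the run that repeats forever, which is what a counterexample trace reports.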
Slide 64: Emptiness of ω-Automata
Slide 65: On the Fly
Slide 66: Partial Order Reduction
Slide 67: Questions?