# LTL Model Checking

Post on 02-Feb-2016


• LTL Model Checking

Radu Iosif (iosif@cis.ksu.edu)

• Linear Temporal Logic (LTL)

Not exclusively for model checking

Also meant for deduction (Manna, Pnueli)

So, there must be some equations involving LTL terms

• Kripke Structures

AP = {p, q, r, ...} is a set of atomic propositions

K = (S, R, L) is a K-structure (Kripke structure), where:

- S is a finite set of states
- R ⊆ S x S is a transition relation
- L : S → P(AP) is a labeling function

A path π = s0, s1, ... of K generates the word w = x0, x1, ... such that xi = L(si) for all i ≥ 0

• LTL Syntax

- p ∈ AP is a formula
- true is a formula
- if f, g are formulae, then ¬f, f ∨ g, X f and f U g are formulae

• LTL Semantics

Defined on Kripke structures K = (S, R, L) and infinite paths π = s0, s1, ... of K, where π^k denotes the suffix sk, sk+1, ...:

- K, π ⊨ true always
- K, π ⊨ p iff π = s0, s1, ... and p ∈ L(s0)
- K, π ⊨ ¬f iff not K, π ⊨ f
- K, π ⊨ f ∨ g iff K, π ⊨ f or K, π ⊨ g
- K, π ⊨ X f iff π = s0, s1, s2, ... and K, s1, s2, ... ⊨ f
- K, π ⊨ f U g iff ∃k ≥ 0 . K, π^k ⊨ g and ∀ 0 ≤ i < k . K, π^i ⊨ f

• LTL Syntactic Sugar

We write:

- false ≡ ¬true
- f ∧ g ≡ ¬(¬f ∨ ¬g)
- F g ≡ true U g
- G f ≡ ¬F(¬f)
- f W g ≡ (G f) ∨ (f U g) (weak until)
- f V g ≡ ¬(¬f U ¬g) (release)

• LTL equations

f U g = g ∨ (f ∧ X(f U g))

f V g = g ∧ (f ∨ X(f V g)) = (g ∧ f) ∨ (g ∧ X(f V g))

hold for every K, π, assuming that π is an infinite path
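The semantics and the unfolding equations above can be checked mechanically on an infinite path given as a lasso (a finite prefix followed by a loop repeated forever). This is an added example, not code from the slides: formulas are nested tuples over the core syntax (atom, true, ¬, ∨, X, U) with the syntactic sugar expanded as on the slides, and the bound on the witness position for U relies on the fact that a lasso has only finitely many distinct suffixes.

```python
from functools import lru_cache

# Formulas are nested tuples: ('p',) atom, ('true',), ('not', f), ('or', f, g),
# ('X', f), ('U', f, g).  Sugar is expanded exactly as on the slides.
def AND(f, g): return ('not', ('or', ('not', f), ('not', g)))
def F(g):      return ('U', ('true',), g)
def G(f):      return ('not', F(('not', f)))
def V(f, g):   return ('not', ('U', ('not', f), ('not', g)))   # release

def satisfies(prefix, loop, formula):
    """True iff the infinite path prefix . loop^omega is a model of formula.
    prefix and loop are lists of label sets L(s_i) (constructed input)."""
    assert loop, "an infinite path needs a non-empty loop"
    P, N = len(prefix), len(prefix) + len(loop)

    def norm(i):            # suffixes pi^i with i >= P repeat with period len(loop)
        return i if i < P else P + (i - P) % len(loop)

    def label(i):           # L(s_i) for an already normalised position i
        return prefix[i] if i < P else loop[i - P]

    @lru_cache(maxsize=None)
    def sat(f, i):          # K, pi^i |= f, with i already normalised
        op = f[0]
        if op == 'true':
            return True
        if op == 'not':
            return not sat(f[1], i)
        if op == 'or':
            return sat(f[1], i) or sat(f[2], i)
        if op == 'X':
            return sat(f[1], norm(i + 1))
        if op == 'U':
            # a minimal witness k for g lies among the first N distinct suffixes,
            # so scanning k = i .. i+N is exhaustive for a lasso path
            for k in range(i, i + N + 1):
                if sat(f[2], norm(k)):
                    return True
                if not sat(f[1], norm(k)):
                    return False
            return False
        return op in label(i)   # atomic proposition: p in L(s_i)

    return sat(formula, 0)
```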

• LTL model checking

The model checking problem: find whether a path π generated by a Kripke structure K is a model for an LTL formula f (notation K, π ⊨ f)

To model check an LTL formula f:

- first negate it, then derive the negation normal form
- then build an automaton A¬f out of the negated formula
- the problem is reduced to finding out whether L(A¬f) ∩ L(K) = ∅

• Negation normal form: example

¬((A U (B U C)) ∧ D) = ¬(A U (B U C)) ∨ ¬D = (¬A V ¬(B U C)) ∨ ¬D = (¬A V (¬B V ¬C)) ∨ ¬D
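The rewriting above, carried out by a small function that negates a formula and pushes the negation down to the atoms using the U / V duality; an added example, not code from the slides. Formulas are the same nested tuples as before, here with explicit 'and', 'or', 'U' and 'V' operators so that the result matches the slide step by step.

```python
def nnf(f):
    """Return f in negation normal form: negations only in front of atoms."""
    op = f[0]
    if len(f) == 1:                        # atom, 'true' or 'false'
        return f
    if op == 'not':
        g = f[1]
        inner = g[0]
        if inner == 'not':                 # !!h = h
            return nnf(g[1])
        if inner == 'true':
            return ('false',)
        if inner == 'false':
            return ('true',)
        if inner == 'and':                 # !(h & k) = !h | !k
            return ('or', nnf(('not', g[1])), nnf(('not', g[2])))
        if inner == 'or':                  # !(h | k) = !h & !k
            return ('and', nnf(('not', g[1])), nnf(('not', g[2])))
        if inner == 'X':                   # !X h = X !h
            return ('X', nnf(('not', g[1])))
        if inner == 'U':                   # !(h U k) = !h V !k
            return ('V', nnf(('not', g[1])), nnf(('not', g[2])))
        if inner == 'V':                   # !(h V k) = !h U !k
            return ('U', nnf(('not', g[1])), nnf(('not', g[2])))
        return f                           # negated atom stays as it is
    if op == 'X':
        return ('X', nnf(f[1]))
    return (op, nnf(f[1]), nnf(f[2]))      # and / or / U / V: recurse

def negate_to_nnf(f):
    """First step of model checking: negate f and normalise the result."""
    return nnf(('not', f))

def show(f):
    """Render a formula as text, e.g. ((!A V (!B V !C)) | !D)."""
    op = f[0]
    if len(f) == 1:
        return op
    if op == 'not':
        return '!' + show(f[1])
    if op == 'X':
        return 'X ' + show(f[1])
    sym = {'and': '&', 'or': '|', 'U': 'U', 'V': 'V'}[op]
    return '(' + show(f[1]) + ' ' + sym + ' ' + show(f[2]) + ')'

if __name__ == '__main__':
    A, B, C, D = ('A',), ('B',), ('C',), ('D',)
    print(show(negate_to_nnf(('and', ('U', A, ('U', B, C)), D))))
```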

• TABLEAU

A tableau is a proof process represented by a graph, in which edges represent the steps actually taken by the prover, and nodes the intermediate states of the proof. A node in the tableau consists of:

- name = unique name of the node
- incoming = set of ancestors
- new = current proof obligation
- old = already met proof obligation
- next = proof obligation in the next state

• Tableau for p U q

- name = Node1, incoming = {init}, new = {p U q}, old = {}, next = {}

Nodes = {}

• Tableau for p U q

- name = Node1, incoming = {init}, new = {p U q}, old = {}, next = {}
- name = Node2, incoming = {init}, new = {q}, old = {p U q}, next = {}
- name = Node3, incoming = {init}, new = {p}, old = {p U q}, next = {p U q}

Nodes = {}

• Tableau for p U q

- name = Node1, incoming = {init}, new = {p U q}, old = {}, next = {}
- name = Node2, incoming = {init}, new = {q}, old = {p U q}, next = {}
- name = Node3, incoming = {init}, new = {p}, old = {p U q}, next = {p U q}

Nodes = {}

- name = Node2, incoming = {init}, new = {}, old = {q, p U q}, next = {}

• Tableau for p U q

Nodes = {2}

- name = Node2, incoming = {init}, new = {}, old = {q, p U q}, next = {}
- name = Node2, incoming = {Node2}, new = {}, old = {}, next = {}

• Tableau for p U q

Nodes = {2, 2}

- name = Node2, incoming = {init}, new = {}, old = {q, p U q}, next = {}
- name = Node2, incoming = {Node2, Node2}, new = {}, old = {}, next = {}
- name = Node2, incoming = {Node2}, new = {}, old = {}, next = {}

• Tableau for p U q

- name = Node1, incoming = {init}, new = {p U q}, old = {}, next = {}
- name = Node2, incoming = {init}, new = {q}, old = {p U q}, next = {}
- name = Node3, incoming = {init}, new = {p}, old = {p U q}, next = {p U q}

Nodes = {2, 2}

- name = Node3, incoming = {init}, new = {}, old = {p, p U q}, next = {p U q}

• Tableau for p U q

Nodes = {2, 2, 3}

- name = Node3, incoming = {init}, new = {p}, old = {p U q}, next = {p U q}
- name = Node3, incoming = {init}, new = {}, old = {p, p U q}, next = {p U q}
- name = Node3, incoming = {Node3}, new = {p U q}, old = {}, next = {}

• Tableau for p U q

Nodes = {2, 2, 3}

• Tableau for p U q

- name = Node3, incoming = {Node3}, new = {p U q}, old = {}, next = {}
- name = Node4, incoming = {Node3}, new = {q}, old = {p U q}, next = {}
- name = Node5, incoming = {Node3}, new = {p}, old = {p U q}, next = {p U q}
- name = Node4, incoming = {Node3}, new = {}, old = {q, p U q}, next = {}

incoming(2) = {init, Node3}

• Tableau for p U q

- name = Node3, incoming = {Node3}, new = {p U q}, old = {}, next = {}
- name = Node4, incoming = {Node3}, new = {q}, old = {p U q}, next = {}
- name = Node5, incoming = {Node3}, new = {p}, old = {p U q}, next = {p U q}
- name = Node5, incoming = {Node3}, new = {}, old = {p, p U q}, next = {p U q}

incoming(3) = {init, Node3}

• Resulting automaton

[figure: the automaton built from the tableau, with states init, Node2, Node3, Node2 and edges labeled {q}, {p}, {p}, {q}, where the label {} stands for true]

An LTL formula f is satisfied iff there exists an infinite path in Af containing an acceptance state infinitely often

• Automata-Theoretic model checking

Invented by Vardi and Wolper in the 80s; implemented in SPIN in the 90s.

The language intersection problem L(A¬f) ∩ L(K) = ∅ is reduced to:

- computing the synchronous product (A¬f) x K
- checking whether the synchronous product contains an acceptance cycle
- if so, there exists a violation of f on some execution path of K, and the model checker will show us the counterexample
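The product-and-acceptance-cycle procedure above, as an added example that is not code from the slides or from SPIN: the synchronous product is generated on the fly and acceptance cycles are found by nested depth-first search. Everything below is constructed for the example: a four-state Kripke structure, and a hand-written Büchi automaton for the negation of G(p → F q), i.e. F(p ∧ G ¬q), whose transition guards are (must_hold, must_not_hold) sets of propositions read off the current Kripke state's label.

```python
# Constructed Kripke structure K = (S, R, L): successor lists and labeling L.
K_INIT = 's0'
K_NEXT = {'s0': ['s1'], 's1': ['s2', 's3'], 's2': ['s0'], 's3': ['s3']}
K_LABEL = {'s0': set(), 's1': {'p'}, 's2': {'q'}, 's3': {'p'}}

# Constructed Büchi automaton for F(p & G !q): a0 waits for p & !q, a1 checks
# !q forever.  Edges: state -> [(must_hold, must_not_hold, target)].
A_INIT, A_ACCEPT = 'a0', {'a1'}
A_EDGES = {'a0': [(set(), set(), 'a0'), ({'p'}, {'q'}, 'a1')],
           'a1': [(set(), {'q'}, 'a1')]}

def product_successors(state, k_next=K_NEXT, k_label=K_LABEL, a_edges=A_EDGES):
    """Successors of (k, a) in A x K: the automaton reads L(k) while K steps."""
    k, a = state
    return [(k2, a2) for must, must_not, a2 in a_edges[a]
            if must <= k_label[k] and not (must_not & k_label[k])
            for k2 in k_next[k]]

def find_acceptance_cycle(init=(K_INIT, A_INIT), accept=A_ACCEPT, succ=product_successors):
    """Nested DFS: the outer DFS visits product states; when it leaves an
    accepting state (post-order), an inner DFS looks for a path back to it.
    Returns (prefix, cycle) as lists of product states, or None if f holds."""
    visited, flagged = set(), set()

    def inner(seed, state, path):
        for nxt in succ(state):
            if nxt == seed:                      # closed an acceptance cycle
                return path + [nxt]
            if nxt not in flagged:
                flagged.add(nxt)
                found = inner(seed, nxt, path + [nxt])
                if found:
                    return found
        return None

    def outer(state, path):
        visited.add(state)
        for nxt in succ(state):
            if nxt not in visited:
                found = outer(nxt, path + [nxt])
                if found:
                    return found
        if state[1] in accept:                   # post-order: seed an inner search
            flagged.add(state)
            cycle = inner(state, state, [])
            if cycle:
                return path, cycle
        return None

    return outer(init, [init])
```

On the constructed structure the search reports the lasso s0, s1, s3 followed by the loop on s3, where p holds without q ever following; on a structure with no such path the function returns None and G(p → F q) holds.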