LTL Model Checking 张文辉

LTL Model Checking 迁移系统 Kripke 结构  - 自动机 LTL PLTL  - 自动机 Ｍ |=  L(A M )  L(A  )

LTL Model Checking L(A M )  L(A  ) L(A M )  (   \ L(A  )) =  L(A M )  L(A  ) =  L(A M  A  ) =  Double DFS

Kripke Structure

Kripke Structures Definition A Kripke structure is a triple – S : A finite set of states – R  S x S : A total transition relation – I  S : A set of initial states The set of successors of s is denoted R(S) Then R is total iff R(s)  for all s  S

Example: s2 s0 s3 s1

Computation Given a Kripke structure K=. s  s’: sRs’ or (s,s’)  R Definition A computation of K is an infinite sequence of S: s 0 s 1 s 2 …. such that s 0  I, and s i  s i+1 for all i  0

Path Definition An infinite path is an infinite sequence of S: s 0 s 1 s 2 …. such that s i  s i+1 for all i  0 Definition A finite path is a finite prefix of an infinite path: s 0 …s n

Labeled Kripke Structures AP: A set of propositions. Definition A (Labeled) Kripke structure is a quadruple – S : A finite set of states – R  S x S : A total transition relation – I  S : A set of initial states – L: S  2 AP is a labeling function

Example: s2 s0 s3 s1 {} {q} {p,q} {p}

x==0||t==0 11 Example t0 x=1,t=0 t1 t2 y==0||t==1 t3 x=0 s0 y=1,t=1 s1 s2 s3 y=0 Initial States s0 t0 x=0 y=0 t=0

s0,t0,0,0,0 s0,t1,1,0,0s1,t0,0,1,1 s2,t0,0,1,1 s3,t0,0,0,1 s1,t1,1,1,0s0,t2,1,0,0 s0,t3,0,0,0 s1,t1,1,1,1 s2,t1,1,1,0s1,t2,1,1,1 s3,t1,1,0,0 s1,t3,0,1,1 s3,t2,1,0,0 s3,t3,0,0, s2,t3,0,1,1 s3,t3,0,0,

Proposition Symbols Let AP be the set of proposition symbols {p0,p1,…,p13} with the following meaning:

Labeling Function L(s0,t0,0,0,0)={p6,p10,p0,p2,p4} L(s0,t0,0,0,1)={p6,p10,p0,p2,p5} …

 -Automata

Buchi-Automata Definition A Buchi automaton (BA) is a quintuple –  : A finite set of symbols – S : A finite set of states –   S x  x S : A transition relation – I  S : A set of initial states – F  S : A set of acceptance states

Example: s2 s0 s3 s1 a b a b cc

Runs Given a BA A= Notation: s  a s’: (s,a,s’)  Definition Let w  . A run of A on w is an infinite sequence s 0 s 1 s 2 …. of S such that s 0  I, and (s i,w[i],s i+1 )  for all i  0.

Words over a Run Definition A word over a run r of A is an infinite sequence of  : a 1 a 2 …. such that r is a run on a 1 a 2 ….

Accepting Runs Let inf(  ) be the set of states that appear infinitely many times on . Definition An accepting run of A is a run  of A such that inf(  )  F .

Accepting Words Definition An accepting word of A is a word over some accepting run of A.

Language Definition The language of A is the set of accepting words of A. The language of A is denoted L(A).

Union Given two BAs A 1 =, A 2 =. Suppose that S 1 and S 2 are disjoint. Define A 1  A 2 = where S = S 1  S 2  =  1   2 I = I 1  I 2 F = F 1  F 2

Union Theorem L(A 1  A 2 ) = L(A 1 )  L(A 2 )

Intersection Given BAs A 1 =, A 2 =. Define A 1  A 2 = where S = S 1 x S 2 x {0,1,2}  = ? I = I 1 x I 2 x {0} F = S 1 x S 2 x {2}

Intersection  = { ((s 1,s 2,i),a,((s 1 ’,s 2 ’,i)) | i  {0,1}, (s 1,a,s 1 ’)  1, (s 2,a,s 2 ’)  2 }  { ((s 1,s 2,0),a,((s 1 ’,s 2 ’,1)) | (s 1,a,s 1 ’)  1, (s 2,a,s 2 ’)  2, s 1  F 1 }  { ((s 1,s 2,1),a,((s 1 ’,s 2 ’,2)) | (s 1,a,s 1 ’)  1, (s 2,a,s 2 ’)  2, s 2  F 2 }  { ((s 1,s 2,2),a,((s 1 ’,s 2 ’,0)) | (s 1,a,s 1 ’)  1, (s 2,a,s 2 ’)  2 }

Intersection Theorem L(A 1  A 2 ) = L(A 1 )  L(A 2 )

Complementation The set of BAs is closed under complementation. Given A=. There exists a BA B such that L(B) =   \L(A)

Generalized Buchi Automaton Definition A GBA is a quintuple –  : A finite set of symbols – S : A finite set of states –   S x  x S : A transition relation – I  S : A set of initial states – F  2 S : A set of sets of acceptance states

Accepting Run Definition An accepting run of A is a run  of A such that for each f  F, inf(  )  f .

Union Given two automaton A 1 =, A 2 =. Suppose that S 1 and S 2 are disjoint. Define A 1  A 2 = where S = S 1  S 2  =  1   2 I = I 1  I 2 F = { f  S 2 | f  F 1 }  { f  S 1 | f  F 2 }

Union Theorem L(A 1  A 2 ) = L(A 1 )  L(A 2 )

Intersection Given two automaton A 1 =, A 2 =. Define A 1  A 2 = where S = S 1 x S 2  = { ((s 1,s 2 ),a,((s 1 ’,s 2 ’))| (s 1,a,s 1 ’)  1, (s 2,a,s 2 ’)  2 } I = I 1 x I 2 F = { f x S 2 | f  F 1 }  { S 1 x f| f  F 2 }

Intersection Theorem L(A 1  A 2 ) = L(A 1 )  L(A 2 )

Complementation The set of GBAs is closed under complementation.

Expressiveness of GBAs

Theorem Every language expressible by a BA is also expressible by a GBA. Proof Given a BA A=. We can construct a GBA B= such that L(B)=L(A).

Expressiveness of GBAs Theorem Every language expressible by a GBA is also expressible by a BA. Proof Given a GBA A=. We can construct a BA B= such that L(B)=L(A).

GBA  BA BA B= S’ = S x {0,1,2,…,n}  ’ = ? I’ = I x {0} F’ = S x {n}

GBA  BA  ’ = { ((s,i),a,(s’,i)) | i  {0,1,…,n-1}, (s,a,s’)  }  { ((s,i),a,(s’,i+1)) | i  {0,1,…,n-1}, (s,a,s’) ,s  F i+1 }  { ((s,n),a,(s’,0)) | (s,a,s’)  }

Kripke Structure   -Automata

Computations  Accepting runs Labels on Computations  Accepting Words

Kripke Structure   -Automata AP: A set of propositions. K= A=  =2 AP  ={ (s,a,s’) | (s,s’)  R, a=L(s) } F=S

Kripke Structure   -Automata Theorem r is a computation of K  L(r) is an accepting word of A w is an accepting word of A  there is a computation r of K such that L(r)=w

Example: s2 s0 s3 s1 {} {q} {p,q} {p} s2 s0 s3 s1 {} {q} {p,q} {p} {} {p}

PLTL   -Automata

Example G p p U q p U (q U r)

PLTL   -Automata Only consider NNF formulas with literals, disjunction, conjunction, X, U, R  == p |  p |  |  |X  |  R  |  U 

PLTL   -Automata Let  be a PLTL formula over AP. Construct a GBA A= such that  |=  iff  L(A) (1)  =2 AP (2)S,I, ,F = ?

PLTL   -Automata  s=[  ;  ;  ;  ] s=[a;  ; c; d] New node s’=[s; d;  ;  ]

PLTL   -Automata s=[a; p,  ; c; d] where p is a literal Replace s‘=[a;  ; p,c; d]

PLTL   -Automata s=[a;  0  1,  ; c; d] replace s‘=[a;  0,  ;  0  1,c; d] s’’=[a;  0,  ;  0  1,c; d]

PLTL   -Automata s=[a;  0  1,  ; c; d] Replace s’=[a;  0,  1,  ;  0  1,c; d]

PLTL   -Automata s=[a; O  1,  ; c; d] Replace s‘=[a;  ; O  1,c;  1,d]

PLTL   -Automata s=[a;  0 U  1,  ; c; d] Replace s’=[a;  1  (  0  X(  0 U  1 )),  ;  0 U  1,c; d]

PLTL   -Automata s=[a;  0 R  1,  ; c; d] Replace s’=[a;  1  (  0  X(  0 R  1 )),  ;  0 R  1,c; d]

PLTL   -Automata s=[a;  ; c; d] s’=[a’;  ; c; d] Replace s’’=[a,a’;  ; c; d]

PLTL   -Automata s=[a;  ; c; d] s  I iff   a

PLTL   -Automata  =2 AP s=[a;  ; c; d] s’=[a’;  ; c’; d’] Define  as follow: (s, ,s’)   iff s  a’ and  |=s

PLTL   -Automata Let f(  0 U  1 ) = { s |  0 U  1  s.c   1  s.c } F = { f(  0 U  1 ) |  0 U  1 is a sub-formula of  }

PLTL   -Automata Theorem Let A= be a GBA as constructed. Then  |=  iff  L(A).

Example G p p U q p U (q U r)

LTL Model Checking L(A M )  L(A  ) L(A M )  (   \ L(A  )) =  L(A M )  L(A  ) =  L(A M  A  ) =  Double DFS

Emptiness of  -Automata

On the Fly

Partial Order Reduction

Questions?