
Formal Verification Lecture 6: How LTL Model Checking Works (Potted Version) - PowerPoint PPT Presentation



  1. Formal Verification Lecture 6: How LTL Model Checking Works (Potted Version)
     Jacques Fleuriot, jdf@inf.ac.uk

  2. Recap
     ▶ Previously:
       ▶ Model Checking CTL formulas
     ▶ This time:
       ▶ Model Checking LTL
       ▶ Language-theoretic viewpoint
       ▶ From LTL formulas to automata (examples)

  3. LTL Semantics recap
     Definition (Transition System, with S_0 explicit). A transition system M = ⟨S, S_0, →, L⟩ consists of:
       ▶ S, a finite set of states
       ▶ S_0 ⊆ S, a set of initial states
       ▶ → ⊆ S × S, a transition relation such that ∀ s_1 ∈ S. ∃ s_2 ∈ S. s_1 → s_2
       ▶ L : S → P(Atom), a labelling function
     Definition (Path). A path π in a transition system M = ⟨S, S_0, →, L⟩ is an infinite sequence of states s_0, s_1, ... such that s_0 ∈ S_0 and ∀ i ≥ 0. s_i → s_{i+1}. Paths are written as: π = s_0 → s_1 → s_2 → ...

  4. The LTL Model Checking Problem
     LTL model checking seeks to answer the question (with starting state s omitted):
       Does M ⊨ φ hold?
     or, equivalently:
       Does ∀ π ∈ Paths(M). π ⊨_0 φ hold?
     where (recall) π ⊨_i φ means "path π at position i satisfies formula φ".
     ▶ The universal quantification is over the infinite set of paths, and each path is infinitely long.
     ▶ How can we check infinitely many paths?
     ▶ CTL: use a fixed point characterisation of the sets of states.
     ▶ LTL: sets of paths; a path is a sequence of symbols … so use a language-theoretic approach.

  5-6. The language accepted by a transition system
     Fix a transition system M = ⟨S, S_0, →, L⟩. Let us consider the set of states S as an alphabet Σ. Each infinite path π is then a word in the set Σ^ω. The set of all paths of M is the language L(M) accepted by M.
     Example: M has states a, b, c with transitions a → b, b → a, b → c and c → c (the diagram did not survive extraction; the transitions are read off the words below).
     L(M) = { abcccc..., ababcccccc..., abababcccccc..., ababababcccccc..., ..., ababababababab.... }

  7-8. Language of an LTL formula
     Let φ be an LTL formula, and S be the set of states of a model with the same set of atomic propositions as φ. Define the language L(φ) of φ as:
       L(φ) = { π ∈ S^ω | π ⊨_0 φ }
     Alternate definitions of the language of a transition system and of a formula use P(Atom) as the alphabet instead of the set of states S (see H&R). If the state has a boolean component for each element of Atom, then the definitions are equivalent.

  9. Language-theoretic presentation of validity
     Recall: LTL model checking seeks to answer the question: Does M ⊨ φ hold? or, equivalently: Does ∀ π ∈ Paths(M). π ⊨_0 φ hold?
     Using the presentation of transition systems and formulas as languages, this can now be phrased as:
       L(M) ⊆ L(φ)
     or, equivalently:
       L(M) ∩ L(φ)^c = ∅
     where X^c means S^ω − X.

  10-12. Languages via automata
     L(M) is defined in terms of a finite state transition system. Can L(φ) be described in the same way?
     No. In general, L(φ) cannot be represented by a transition system. It can often be represented by a related concept called a Büchi Automaton.
     A (non-deterministic) Büchi automaton ⟨S, Σ, →, S_0, A⟩ consists of:
       ▶ S, a finite set of states
       ▶ Σ, an alphabet
       ▶ → ⊆ S × Σ × S, a transition relation
       ▶ S_0 ⊆ S, a set of initial states
       ▶ A ⊆ S, a set of accepting states
     An infinite word is accepted by a Büchi automaton iff there is a run of the automaton on which some accepting state is visited infinitely often.

  13. Example Büchi automata
     [Figure: Büchi automata for F a, G a and a U b; the drawings did not survive extraction.] (Can also do them without the error paths.)
     Here, ¬a means "any symbol that isn't a". Accepting states are marked in the figure.
     For the general construction for any formula φ, see H&R, Section 3.6.3.

  14. LTL Model Checking Idea
     We reformulated the LTL model checking problem to:
       L(M) ∩ L(φ)^c = ∅
     Now:
       1. Observe that L(φ)^c = L(¬φ).
       2. Let A_φ be a Büchi automaton such that L(φ) = L(A_φ).
       3. For a suitable notion of composition M ⊗ A of a transition system M and a Büchi automaton A, we have that L(M ⊗ A) = L(M) ∩ L(A).
       4. So, to check M ⊨ φ, instead check L(M ⊗ A_¬φ) = ∅.
       5. Use Fair CTL model checking to check this last property. See H&R.

  15. Example: Model Checking LTL formula G p
       1. Construct an automaton A_¬Gp = A_F¬p for F ¬p, which takes as input infinite paths of states of a model M and accepts just those paths that satisfy F ¬p.
       2. Compose A_F¬p and M and ask whether the language of the composition is empty.
       3. If the language is empty, then we know that G p is satisfied by M. If not, and we exhibit an accepting path, then that path is a counter-example to G p: it both is a path in M and it satisfies A_F¬p = A_¬Gp.
     The next few slides examine this within the context of NuSMV.

  16. Emulating Büchi automata in NuSMV
     Here is a transition system and LTL formula emulating a Büchi automaton A_F¬p for checking F ¬p:

       MODULE formula(sys)  -- A 2 state automaton for F ! p.
       VAR
         st : { 0, 1 };
       ASSIGN
         init(st) := 0;
         next(st) := case
           st = 0 & sys.p  : 0;  -- loop in state 0 if p is always true
           st = 0 & !sys.p : 1;  -- If ever p is false, transition to state 1
           st = 1          : 1;  -- then loop forever more in state 1
         esac;
       -- Accepting states: {1}
       -- LTL expression of acceptance condition: G F st = 1, as st = 1 occurs infinitely often
       -- Specification is true just when there are no accepting paths
       LTLSPEC ! G F st = 1;

  17. Composing Büchi automaton and transition system
     A model M with 2 alternative definitions of a state property p:

       MODULE model
       VAR
         st : 0..2;
       ASSIGN
         init(st) := 0;
         next(st) := case
           st = 0 : {1,2};
           st = 1 : 1;
           st = 2 : 2;
         esac;
       DEFINE
         p := st = 0 | st = 1;
         -- p := TRUE

     This composition checks LTL property G p of the model:

       MODULE main
       VAR
         m : model;
         f : formula(m);

  18. Model Checking Results 1
     The acceptance condition for a run in this composition is just the acceptance condition for a run of the formula automaton.
     With this definition in the model: p := st = 0 | st = 1; we get:

       -- specification !( G ( F st = 1)) IN f is false
       -- as demonstrated by the following execution sequence
       Trace Type: Counterexample
       -> State: 1.1 <-
         m.st = 0
         f.st = 0
         m.p = TRUE
       -> State: 1.2 <-
         m.st = 2
         m.p = FALSE
       -- Loop starts here
       -> State: 1.3 <-
         f.st = 1
       -- Loop starts here
       -> State: 1.4 <-
       -> State: 1.5 <-

  19. Model Checking Results 2
     With this definition in the model: p := TRUE; we get:

       -- specification !( G ( F st = 1)) IN f is true
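The procedure of slides 14 to 18 (compose M with A_¬φ, then test whether the composition accepts anything) as an added Python example; this is not code from the lecture or from NuSMV. It encodes the slides' three-state model and the two-state automaton A_F¬p directly, uses a plain reachability search for an accepting lasso instead of NuSMV's fair-CTL check, and covers both definitions of p from slide 17.

```python
from collections import deque

# Model M from slide 17: states 0..2, initial state 0, 0 -> {1,2}, 1 -> 1, 2 -> 2.
M_INIT = 0
M_TRANS = {0: (1, 2), 1: (1,), 2: (2,)}

def p_st01(m):   # p := st = 0 | st = 1  (counterexample expected)
    return m in (0, 1)

def p_true(m):   # p := TRUE  (G p holds)
    return True

# Büchi automaton A_F¬p from slide 16: state 0 loops while p holds,
# state 1 is entered once p is false and is accepting and absorbing.
A_INIT, A_ACCEPT = 0, {1}

def a_step(a, p):
    return 0 if (a == 0 and p) else 1

def succ(state, p_of):
    """Successors in M ⊗ A: M steps, A reads p of the *current* model state,
    exactly as next(st) in the NuSMV formula module reads sys.p."""
    m, a = state
    a2 = a_step(a, p_of(m))
    return [(m2, a2) for m2 in M_TRANS[m]]

def bfs_paths(start, p_of):
    """BFS over product states; returns {state: shortest path from start}."""
    paths, queue = {start: [start]}, deque([start])
    while queue:
        s = queue.popleft()
        for t in succ(s, p_of):
            if t not in paths:
                paths[t] = paths[s] + [t]
                queue.append(t)
    return paths

def accepting_lasso(p_of):
    """Return (prefix, cycle) witnessing L(M ⊗ A_F¬p) ≠ ∅, i.e. a counterexample
    to G p; None means the language is empty and G p holds (slides 14-15)."""
    reach = bfs_paths((M_INIT, A_INIT), p_of)
    for s, prefix in reach.items():
        if s[1] not in A_ACCEPT:
            continue
        for t in succ(s, p_of):            # is the accepting state s on a cycle?
            back = bfs_paths(t, p_of)
            if s in back:
                return prefix, back[s]     # cycle t ... s, closed by s -> t
    return None

def check_G_p(p_of):
    return accepting_lasso(p_of) is None
```

With p_st01 the witness is the prefix (0,0) → (2,0) → (2,1) followed by the self-loop on (2,1), matching the NuSMV trace on slide 18 (m.st goes 0 → 2, then f.st becomes 1 and stays there).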

  20. Summary
     "[BDDs are] one of the only really fundamental data structures that came out in the last twenty-five years." — Donald Knuth, "Fun with Binary Decision Diagrams"
     ▶ LTL Model Checking (H&R 3.6.2, 3.6.3)
     ▶ Transition systems and formulas as languages
     ▶ Formulas as Büchi automata
     ▶ Simulating Büchi automata in NuSMV
     ▶ Next time: Binary Decision Diagrams
