Live demo 2 / 27 Automata-Theoretic LTL Model Checking State-space - PowerPoint PPT Presentation

Contributions to LTL and ω -Automata for Model Checking Alexandre Duret-Lutz LRDE/EPITA 10 February 2017 Javier Esparza Technische Universität München reviewer Radu Mateescu INRIA Grenoble reviewer Moshe Y. Vardi Rice University, Houston, Texas reviewer Rüdiger Ehlers Universität Bremen examiner Stephan Merz INRIA Nancy & LORIA examiner Jaco van de Pol University of Twente examiner Fabrice Kordon Univ. Pierre & Marie Curie, Paris examiner 1 / 27

Live demo 2 / 27

Automata-Theoretic LTL Model Checking State-space High-level State-space generation model M automaton Product A M automaton A M ⊗ A ¬ ϕ Synchronized product Emptiness check L ( A M ⊗ A ¬ ϕ ) = L ( A M ⊗ A ¬ ϕ ) ? L ( A M ) ∩ L ( A ¬ ϕ ) = ∅ Negated LTL M | = ϕ or LTL property property ϕ counterexample translation automaton A ¬ ϕ M. Y. Vardi and P . Wolper. An automata-theoretic approach to automatic program verification. LICS’86 3 / 27

Automata-Theoretic LTL Model Checking State-space High-level State-space generation model M automaton Product A M automaton A M ⊗ A ¬ ϕ Synchronized product Emptiness check L ( A M ⊗ A ¬ ϕ ) = L ( A M ⊗ A ¬ ϕ ) ? L ( A M ) ∩ L ( A ¬ ϕ ) = ∅ Negated LTL M | = ϕ or LTL property property ϕ counterexample translation automaton A ¬ ϕ M. Y. Vardi and P . Wolper. An automata-theoretic approach to automatic program verification. LICS’86 3 / 27

Automata-Theoretic LTL Model Checking On-the-fly generation High-level of state-space automaton model M A M On-the-fly synchronized product Emptiness check L ( A M ⊗ A ¬ ϕ ) = L ( A M ⊗ A ¬ ϕ ) ? L ( A M ) ∩ L ( A ¬ ϕ ) = ∅ Negated LTL M | = ϕ or LTL property property ϕ counterexample translation automaton A ¬ ϕ M. Y. Vardi and P . Wolper. An automata-theoretic approach to automatic program verification. LICS’86 3 / 27

Automata-Theoretic LTL Model Checking Custom Model Checker On-the-fly generation High-level of state-space automaton model M A M SPOT On-the-fly synchronized product Emptiness check L ( A M ⊗ A ¬ ϕ ) = L ( A M ⊗ A ¬ ϕ ) ? L ( A M ) ∩ L ( A ¬ ϕ ) = ∅ Negated LTL M | = ϕ or LTL property property ϕ counterexample translation automaton A ¬ ϕ A. Duret-Lutz and D. Poitrenaud. SPOT: an Extensible Model Checking Library using Transition-based Generalized Büchi Automata. MASCOTS’04 3 / 27

Motivation: Supporting Research Spot should offer a set of efficient and reusable blocks for model checking and related tasks . 4 / 27

Motivation: Supporting Research Spot should offer a set of efficient and reusable blocks for model checking and related tasks . Efficient: ◮ Implement state-of-the-art algorithms ◮ Improve them ◮ Propose new algorithms Reusable: ◮ Multiple interfaces (C+ +/Python/Shell) ◮ Documented ◮ Tested Related tasks: ◮ LTL and ω -automata toolbox ◮ Glue between third-party tools 4 / 27

Motivation: Supporting Research Spot should offer a set of efficient and reusable blocks for model checking and related tasks . Efficient: ◮ Implement state-of-the-art algorithms ◮ Improve them Research ◮ Propose new algorithms Reusable: ◮ Multiple interfaces (C+ +/Python/Shell) ◮ Documented ◮ Tested Related tasks: ◮ LTL and ω -automata toolbox ◮ Glue between third-party tools 4 / 27

Contributions On-the-fly generation High-level of state-space automaton model M A M On-the-fly synchronized product Emptiness check L ( A M ⊗ A ¬ ϕ ) = L ( A M ⊗ A ¬ ϕ ) ? L ( A M ) ∩ L ( A ¬ ϕ ) = ∅ Negated LTL M | = ϕ or LTL property property ϕ counterexample translation automaton A ¬ ϕ 5 / 27

Contributions On-the-fly generation High-level Plugging Spot of state-space automaton model M with various tools Parallelization A M H Union-find y b P r Many improvements i r d o v m i s o o On-the-fly d s e PSL translation Simplifications l Stutter checks synchronized product c Classification h e Emptiness check c L ( A M ⊗ A ¬ ϕ ) = k i n g L ( A M ⊗ A ¬ ϕ ) ? L ( A M ) ∩ L ( A ¬ ϕ ) = ∅ Testing automata Negated LTL M | = ϕ or LTL property Generic acceptance property ϕ counterexample translation automaton A ¬ ϕ Decomposition SAT-based minimization 5 / 27

Contributions On-the-fly generation High-level Plugging Spot of state-space automaton model M with various tools Parallelization A M H Union-find y b P r Many improvements i r d o v m i s o o On-the-fly d s e PSL translation Simplifications l Stutter checks synchronized product c Classification h e Emptiness check c L ( A M ⊗ A ¬ ϕ ) = k i n g L ( A M ⊗ A ¬ ϕ ) ? L ( A M ) ∩ L ( A ¬ ϕ ) = ∅ Testing automata Negated LTL M | = ϕ or LTL property Generic acceptance property ϕ counterexample translation automaton A ¬ ϕ Decomposition SAT-based minimization 5 / 27

Context & Motivation 0 Spot has a very good translator, combining several improved procedures. LTL to Büchi 1 Named acceptances are a hindrance. Generic algo- Generalized Acceptance 2 rithms are more elegant. Tooling for improvement Spot: groundwork for research 3 + tools for experimenting, test- ing, finding interesting cases. Closing remarks 4 6 / 27

Büchi Variations on G F a ∧ G F b Büchi ¯ ab ¯ ab a 1 2 a 0 ¯ ab b ¯ ab ¯ b 0 Inf ( 0 ) 7 / 27

Büchi Variations on G F a ∧ G F b Büchi generalized Büchi ¯ ab ¯ ab a 1 2 1 ¯ a a 0 1 ¯ a ab b b ¯ ab ¯ b 0 0 ¯ b 0 Inf ( 0 ) Inf ( 0 ) ∧ Inf ( 1 ) 7 / 27

Büchi Variations on G F a ∧ G F b Büchi generalized Büchi ¯ ab ¯ ab a 1 2 1 ¯ a state-based a 0 1 ¯ a ab b b ¯ ab ¯ b 0 0 ¯ b 0 Inf ( 0 ) Inf ( 0 ) ∧ Inf ( 1 ) a ¯ b transition-based 1 ¯ a 0 0 a ¯ 1 b ab ab 0 1 0 a ¯ 0 ¯ ¯ b b Inf ( 0 ) Inf ( 0 ) ∧ Inf ( 1 ) 7 / 27

Büchi Variations on G F a ∧ G F b Büchi generalized Büchi ¯ ab ¯ ab a 1 2 1 ¯ a state-based a 0 1 ¯ a ab b b ¯ ab ¯ b 0 0 ¯ b 0 n e h Inf ( 0 ) Inf ( 0 ) ∧ Inf ( 1 ) w u l e f s u & y n l g n O t i p e c c a g n x i i m s a ¯ e l c b y c transition-based g n t i c e 1 j ¯ e a r 0 0 a ¯ 1 b ab ab 0 1 0 a ¯ 0 ¯ ¯ b b Inf ( 0 ) Inf ( 0 ) ∧ Inf ( 1 ) 7 / 27

Comparison of Some “LTL to Büchi” Translators Results summed over 178 formulas from the literature. automaton size product size nd. time st. nd.st. tr. st. tr. spin (11 × ❆ ) 162 220 . 7s 1440 1236 46033 259313 9433430 169 0 . 3s 1000 801 29974 190898 5616566 ltl2ba 109 18 . 5s 1244 577 23474 210494 4033414 modella 119 0 . 5s 957 398 16798 172246 3276714 trans 115 0 . 7s 829 307 14322 155220 2913043 ltl3ba 49 1 . 9s 666 102 10346 129419 2399328 Spot ltl2tgba -s 44 1 . 9s 671 96 10456 129804 2401471 ltl2tgba -Ds 8 / 27

From LTL to Büchi Automata LTL Core Post- Büchi LTL form. rewritings translation processings automaton G F a ∧ G F b a ¯ b ¯ ab ¯ a ab 0 G ( F a ∧ F b ) 3 1 0 ab 1 1 a 0 ¯ ¯ ab ab b ¯ ab a ¯ 2 ¯ b ¯ b Inf ( 0 ) ∧ Inf ( 1 ) Inf ( 0 ) 9 / 27

From LTL to Büchi Automata LTL Core Post- Büchi LTL form. rewritings translation processings automaton ◮ lots of rewritings (e.g. f U G f ≡ G f ) ◮ implication-based rewritings (e.g., if f → g then f U g ≡ g ) syntactic or automata-based 9 / 27

From LTL to Büchi Automata LTL Core Post- Büchi LTL form. rewritings translation processings automaton Couvreur’s translation, plus: ◮ Improved determinism ◮ Improved translation of persistent formulas ◮ Improved translation of G -subformulas J.-M. Couvreur. On-the-fly verification of temporal logic. FM’99 A. Duret-Lutz. LTL translation improvements in Spot 1.0. Int. J. on Crit. Comp.-Based Sys. , 5(1/2):31–54, Mar. 2014 9 / 27

From LTL to Büchi Automata LTL Core Post- Büchi LTL form. rewritings translation processings automaton fwd/bwd fwd/bwd degen. simul. simul. SCC TGBA best BA simpl. determinize and minimize obligation properties 9 / 27

From LTL to Büchi Automata LTL Core Post- Büchi LTL form. rewritings translation processings automaton fwd/bwd fwd/bwd degen. simul. simul. SCC TGBA best BA simpl. determinize and minimize obligation properties ◮ BDD signatures Remove: SCC-aware ◮ useless SCCs ◮ improves det. degeneralization ◮ useless acc. sets T. Babiak, T. Badie, A. Duret-Lutz, M. Kˇ retínský, and J. Strejˇ cek. Compositional approach to suspension and other improvements to LTL translation. SPIN’13 9 / 27

From LTL to Büchi Automata LTL Core Post- Büchi LTL form. rewritings translation processings automaton fwd/bwd fwd/bwd degen. simul. simul. SCC TGBA best BA simpl. determinize and minimize obligation properties Secret weapon — only implemented in Spot! C. Löding. Efficient minimization of deterministic weak ω -automata. Information Processing Letters , 79(3):105–109, 2001 C. Dax, J. Eisinger, and F. Klaedtke. Mechanizing the powerset construction for restricted classes of ω -automata. ATVA’07 9 / 27