Model checking
Intro/val1.3-4
parallel
system
requirements
abstract
model M
specification
spec
model checker
fully automatic verification tool
checks whether M sat spec
no + counterexample
yes
5 / 152
Decidability of the model checking problem?
val1.3-5
6 / 152
Decidability of the model checking problem?
val1.3-5
parallel system
requirements
abstract model M
specification spec
model checker
decision algorithm for M sat spec
no
yes
7 / 152
Decidability of the model checking problem?
val1.3-5
parallel system
requirements
abstract model M
Turing machine
specification spec
“halt for every input”
model checker
decision algorithm for M sat spec
no
yes
8 / 152
General model checking problem is undecidable
val1.3-5
parallel system
requirements
abstract model M
Turing machine
specification spec
“halt for every input”
model checker
XXX
XX
X
XX
decision
algorithm
XXX
X
no
for M sat spec
yes
9 / 152
To ensure decidability . . .
Intro/val1.3-6
requirements
real system
abstract model
specification
model checker
“does M sat spec hold ?”
yes
no
10 / 152
To ensure decidability . . .
Intro/val1.3-6
requirements
real system
abstraction
semantics
abstract model
specification
model checker
“does M sat spec hold ?”
yes
no
11 / 152
To ensure decidability . . .
Intro/val1.3-6
requirements
real system
abstraction
semantics
abstract model
specification
finite
transition system
model checker
“does M sat spec hold ?”
yes
no
12 / 152
To ensure decidability . . .
Intro/val1.3-6
requirements
real system
abstraction
semantics
abstract model
specification
finite transition
system
finite
transition system
model checker
“does M sat spec hold ?”
yes
no
13 / 152
To ensure decidability . . .
Intro/val1.3-6
requirements
real system
abstraction
semantics
abstract model
finite
transition system
specification
finite transition
system
or temporal formula, e.g.,
(request → ♦enter crit)
model checker
“does M sat spec hold ?”
yes
no
14 / 152
Model checking vs other validation techniques
val1.3-7
The validation techniques (testing, simulation,
deductive verification, model checking) are
complementary to each other.
15 / 152
Model checking vs other validation techniques
val1.3-7
The validation techniques (testing, simulation,
deductive verification, model checking) are
complementary to each other.
model checking
• most efficient validation technique, fully automatic
• but mostly only applicable for finite models with
“small” (or “sufficiently structured”) state space
• industrial applications:
∗ hardware systems
∗ communication protocols
∗ coordination protocols for distributed systems
..
.
16 / 152
Historical notes
1976 Keller
1977 Pnueli
1981 Clarke/Emerson
Queille/Sifakis
Intro/val1.3-8
transition systems (TS)
to model parallel systems
temporal logic
to specify parallel systems
first model checker
17 / 152
Historical notes
1976 Keller
1977 Pnueli
1981 Clarke/Emerson
Queille/Sifakis
Intro/val1.3-8
transition systems (TS)
to model parallel systems
temporal logic LTL
to specify parallel systems
first model checker
for CTL
18 / 152
Historical notes
Intro/val1.3-8
1976 Keller
1977 Pnueli
1981 Clarke/Emerson
Queille/Sifakis
1983 Kanellakis/Smolka
1985 Lichtenstein/Pnueli
1986 Vardi/Wolper
transition systems (TS)
to model parallel systems
temporal logic LTL
to specify parallel systems
first model checker
for CTL
model checking
for homogeneous
TS-based specifications
model checking
for LTL
19 / 152
Historical notes
1976
1977
1981
..
.
1985
1986
val1.3-9
Keller
transition systems
Pnueli
temporal logic LTL
Clarke/Emerson
first model checker
Queille/Sifakis
for CTL
..
..
.
.
Lichtenstein/Pnueli
model checking
Vardi/Wolper
for LTL
state explosion problem
state space of industrial systems too large
to be handled by naı̈ve implementations of
model checking algorithms
20 / 152
Historical notes
1976
1977
1981
..
.
1985
1986
val1.3-9
Keller
transition systems
Pnueli
temporal logic LTL
Clarke/Emerson
first model checker
Queille/Sifakis
for CTL
..
..
.
.
Lichtenstein/Pnueli
model checking
Vardi/Wolper
for LTL
state explosion problem
ca. since 1990
“advanced techniques”
21 / 152
Historical notes
1976
1977
1981
..
.
1985
1986
val1.3-9
Keller
transition systems
Pnueli
temporal logic LTL
Clarke/Emerson
first model checker
Queille/Sifakis
for CTL
..
..
.
.
Lichtenstein/Pnueli
model checking
Vardi/Wolper
for LTL
state explosion problem
ca. since 1990
“advanced techniques”
symbolic model checking
with BDDs
partial order reduction
..
.
22 / 152
Historical notes
1976
1977
1981
..
.
1985
1986
val1.3-9
Keller
transition systems
Pnueli
temporal logic LTL
Clarke/Emerson
first model checker
Queille/Sifakis
for CTL
..
..
.
.
Lichtenstein/Pnueli
model checking
Vardi/Wolper
for LTL
state explosion problem
ca. since 1990
“advanced techniques”
symbolic model checking
with BDDs
partial order reduction
..
.
model checking for infinite systems, quantitative analysis,
e.g., real-time systems, probabilistic systems
23 / 152
Transition system (TS)
ts1.4-TS-def
A transition system is a tuple
T = (S, Act, −→, S0, AP, L)
• S is the state space, i.e., set of states,
• Act is a set of actions,
• −→ ⊆ S × Act × S is the transition relation,
α
i.e., transitions have the form s −→ s where s, s ∈ S and α ∈ Act
• S0 ⊆ S the set of initial states,
• AP a set of atomic propositions,
• L : S → 2AP the labeling function
30 / 152
“Behaviour” of transition systems
ts1.4-3
possible behaviours of a TS result from:
select nondeterministically an initial state s ∈ S0
WHILE s is non-terminal DO
α
select nondeterministically a transition s −→ s execute the action α and put s := s OD
36 / 152
“Behaviour” of transition systems
ts1.4-3
possible behaviours of a TS result from:
select nondeterministically an initial state s ∈ S0
WHILE s is non-terminal DO
α
select nondeterministically a transition s −→ s execute the action α and put s := s OD
executions: maximal “transition sequences”
α1
α2
α3
s0 −→
s1 −→
s2 −→
. . . with s0 ∈ S0
37 / 152
“Behaviour” of transition systems
ts1.4-3
possible behaviours of a TS result from:
select nondeterministically an initial state s ∈ S0
WHILE s is non-terminal DO
α
select nondeterministically a transition s −→ s execute the action α and put s := s OD
executions: maximal “transition sequences”
α1
α2
α3
s0 −→
s1 −→
s2 −→
. . . with s0 ∈ S0
reachable fragment:
Reach(T ) = set of all states that are reachable from
an initial state through some execution
38 / 152
Linear-time vs branching-time
ltb2.4-1
39 / 152
Linear-time vs branching-time
ltb2.4-1
transition system
T = (S, Act, →, S0, AP, L)
40 / 152
Linear-time vs branching-time
ltb2.4-1
transition system
T = (S, Act, →, S0, AP, L)
abstraction from actions
state graph
+ labeling
41 / 152
Linear-time vs branching-time
ltb2.4-1
transition system
T = (S, Act, →, S0, AP, L)
abstraction from actions
state graph
+ labeling
linear-time view
branching-time view
42 / 152
Linear-time vs branching-time
ltb2.4-1
transition system
T = (S, Act, →, S0, AP, L)
abstraction from actions
state graph
+ labeling
linear-time view
path-based
state sequences
branching structure
irrelevant
branching-time view
nondeterministic
branches
state & branches
43 / 152
Linear-time vs branching-time
ltb2.4-1-traces
transition system
T = (S, Act, →, S0, AP, L)
abstraction from actions
state graph
+ labeling
linear-time view
state sequences
branching-time view
state & branches
44 / 152
Linear-time vs branching-time
ltb2.4-1-traces
transition system
T = (S, Act, →, S0, AP, L)
abstraction from actions
state graph
+ labeling
linear-time view
state sequences
⇓
traces
projection
on AP
branching-time view
state & branches
⇓
computation tree
45 / 152
Traces
ltb2.4-4
46 / 152
Traces
ltb2.4-4
for TS with labeling function L : S → 2AP
execution: states + actions
α11
α2
α33
s1 −→
s2 −→
. . . infinite or finite
s0 −→
paths: sequences of states
s0 s1 s2 . . . infinite or s0 s1 . . . sn finite
47 / 152
Traces
ltb2.4-4
for TS with labeling function L : S → 2AP
execution: states + actions
α11
α2
α33
s1 −→
s2 −→
. . . infinite or finite
s0 −→
paths: sequences of states
s0 s1 s2 . . . infinite or s0 s1 . . . sn finite
traces: sequences of sets of atomic propositions
L(s0) L(s1) L(s2) . . .
48 / 152
Traces
ltb2.4-4
for TS with labeling function L : S → 2AP
execution: states + actions
α11
α2
α33
s1 −→
s2 −→
. . . infinite or finite
s0 −→
paths: sequences of states
s0 s1 s2 . . . infinite or s0 s1 . . . sn finite
traces: sequences of sets of atomic propositions
L(s0) L(s1) L(s2) . . . ∈ (2AP )ω ∪ (2AP )+
49 / 152
Traces
ltb2.4-4
for TS with labeling function L : S → 2AP
execution: states + actions
α11
α2
α33
s1 −→
s2 −→
. . . infinite or finite
s0 −→
paths: sequences of states
s0 s1 s2 . . . infinite or s0 s1 . . . sn finite
traces: sequences of sets of atomic propositions
L(s0) L(s1) L(s2) . . . ∈ (2AP )ω ∪ (2AP )+
for simplicity: we often assume that the given TS has
no terminal states
50 / 152
Traces
ltb2.4-4
for TS with labeling function L : S → 2AP
execution: states + actions
α1
α2
α3
XX
XX
s1 −→
s2 −→
. . . infinite or finite
s0 −→
paths: sequences of states
hhh
(
(((
hh
(finite
(
s0 s1 s2 . . . infinite or(s(
. .(. h
snh
hhh
0 s(
1(
h
traces: sequences of sets of atomic propositions
XXAP
X
)+X
L(s0) L(s1) L(s2) . . . ∈ (2AP )ω ∪ (2
X
X
for simplicity: we often assume that the given TS has
no terminal states
51 / 152
Example: traces
ltb2.4-5a
Let T be a TS without terminal states.
def ⊆ (2AP )ω
Traces(T ) = trace(π) : π ∈ Paths(T )
def Tracesfin (T ) = trace(
π) : π
∈ Pathsfin (T ) ⊆ (2AP )∗
{a}
TS T with a single
atomic proposition a
∅
Traces(T )
=
{a}∅ω , ∅ω
Tracesfin (T ) = {a}∅n : n ≥ 0 ∪ ∅m : m ≥ 1
57 / 152
Model checking
ltb2.4-14a
system P1. . .Pn
requirements
transition
system T
specification spec
model checker
does T satisfy spec ?
yes
no + error indication
58 / 152
Model checking
ltb2.4-14a
syntactic description
of P1 . . .Pn
SOS-rules
abstraction
from actions
requirements
specification spec
state graph of
transition system T
model checker
does T satisfy spec ?
yes
no + error indication
59 / 152
Model checking
ltb2.4-14a
syntactic description
of P1 . . .Pn
SOS-rules
abstraction
from actions
requirements
specification spec
spec,
e.g., LT property
state graph of
transition system T
model checker
does T satisfy spec ?
yes
no + error indication
61 / 152
Linear-time properties (LT properties)
ltb2.4-14
62 / 152
Linear-time properties (LT properties)
ltb2.4-14
for TS over AP without terminal states
An LT property over AP is a language E of infinite
ω
words over the alphabet Σ = 2AP , i.e., E ⊆ 2AP .
64 / 152
Linear-time properties (LT properties)
ltb2.4-14
for TS over AP without terminal states
An LT property over AP is a language E of infinite
ω
words over the alphabet Σ = 2AP , i.e., E ⊆ 2AP .
E.g., for mutual exclusion
problems and
AP = crit1 , crit2 , . . .
safety:
set of all infinite words A0 A1 A2 . . .
MUTEX = over 2AP such that for all i ∈ N
N:
crit1 ∈ Ai or crit2 ∈ Ai
65 / 152
Satisfaction relation for LT properties
ltb2.4-15
An LT property over AP is a language E of infinite
ω
words over the alphabet Σ = 2AP , i.e., E ⊆ 2AP .
67 / 152
Satisfaction relation for LT properties
ltb2.4-15
An LT property over AP is a language E of infinite
ω
words over the alphabet Σ = 2AP , i.e., E ⊆ 2AP .
|= for TS:
Satisfaction relation |=
If T is a TS (without terminal states) over AP
and E an LT property over AP then
T |= E
iff
Traces(T ) ⊆ E
68 / 152
Satisfaction relation for LT properties
ltb2.4-15
An LT property over AP is a language E of infinite
ω
words over the alphabet Σ = 2AP , i.e., E ⊆ 2AP .
|= for TS and states:
Satisfaction relation |=
If T is a TS (without terminal states) over AP
and E an LT property over AP then
T |= E
iff
Traces(T ) ⊆ E
If s is a state in T then
s |= E
iff
Traces(s) ⊆ E
69 / 152
LT properties and trace inclusion
ltb2.4-LT-trace
An LT property over AP is a language E of infinite
ω
words over the alphabet Σ = 2AP , i.e., E ⊆ 2AP .
If T is a TS over AP then T |= E iff Traces(T ) ⊆ E .
If T1 and T2 are TS over AP then the
following statements are equivalent:
(1) Traces(T1) ⊆ Traces(T2)
(2) for all LT-properties E over AP
AP:
whenever T2 |= E then T1 |= E
(1) =⇒ (2):
√
74 / 152
LT properties and trace inclusion
ltb2.4-LT-trace
An LT property over AP is a language E of infinite
ω
words over the alphabet Σ = 2AP , i.e., E ⊆ 2AP .
If T is a TS over AP then T |= E iff Traces(T ) ⊆ E .
If T1 and T2 are TS over AP then the
following statements are equivalent:
(1) Traces(T1) ⊆ Traces(T2)
(2) for all LT-properties E over AP
AP:
whenever T2 |= E then T1 |= E
(2) =⇒ (1): consider E = Traces(T2)
75 / 152
Trace equivalence
ltb2.4-21a
76 / 152
Trace equivalence
ltb2.4-21a
Transition systems T1 and T2 over the same set AP
of atomic propositions are called trace equivalent iff
Traces(T1 ) = Traces(T2)
77 / 152
Trace equivalence
ltb2.4-21a
Transition systems T1 and T2 over the same set AP
of atomic propositions are called trace equivalent iff
Traces(T1 ) = Traces(T2)
i.e., trace equivalence requires trace inclusion in
both directions
78 / 152
Trace equivalence
ltb2.4-21a
Transition systems T1 and T2 over the same set AP
of atomic propositions are called trace equivalent iff
Traces(T1 ) = Traces(T2)
i.e., trace equivalence requires trace inclusion in
both directions
Trace equivalent TS satisfy the same LT properties
79 / 152
LT properties and trace relations
ltb2.4-traceequiv
Let T1 and T2 be TS over AP
AP.
The following statements are equivalent:
(1) Traces(T1 ) ⊆ Traces(T2)
(2) for all LT-properties E : T2 |= E =⇒ T1 |= E
The following statements are equivalent:
(1) Traces(T1 ) = Traces(T2)
(2) for all LT-properties E : T1 |= E iff T2 |= E
80 / 152
Linear Temporal Logic (LTL)
ltlsf3.1-2
ϕ ::= true a ϕ1 ∧ ϕ2 ¬ϕ ϕ ϕ1 U ϕ2
where a ∈ AP
atomic
proposition
a ∈ AP
a
next operator
a
until operator
aUb
=
next
...
a
a
U=
until
a
...
a
b
...
87 / 152
Derived operators in LTL
ltlsf3.1-2a
ϕ ::= true a ϕ1 ∧ ϕ2 ¬ϕ ϕ ϕ1 U ϕ2
derived operators:
∨, →, . . . as usual
88 / 152
Derived operators in LTL
ltlsf3.1-2a
ϕ ::= true a ϕ1 ∧ ϕ2 ¬ϕ ϕ ϕ1 U ϕ2
derived operators:
def
♦ϕ = true U ϕ eventually
∨, →, . . . as usual
89 / 152
Derived operators in LTL
ltlsf3.1-2a
ϕ ::= true a ϕ1 ∧ ϕ2 ¬ϕ ϕ ϕ1 U ϕ2
def
♦ϕ = true U ϕ eventually
derived operators:
∨, →, . . . as usual
until operator
aUb
eventually
♦b
a
a
a
b
b
...
...
90 / 152
Derived operators in LTL
ltlsf3.1-2a
ϕ ::= true a ϕ1 ∧ ϕ2 ¬ϕ ϕ ϕ1 U ϕ2
def
derived operators:
♦ϕ = true U ϕ eventually
∨, →, . . . as usual
ϕ = ¬♦¬ϕ
until operator
aUb
a
def
a
a
eventually
♦b
always
a
always
b
...
b
a
a
a
a
...
a
a
...
91 / 152
Next , until U and eventually ♦
ltlsf3.1-3
(try to send → delivered)
...
...
try
del
92 / 152
Next , until U and eventually ♦
ltlsf3.1-3
(try to send → delivered)
...
...
try
del
(try to send → try to send U delivered)
...
...
try
try
try
del
93 / 152
Next , until U and eventually ♦
ltlsf3.1-3
(try to send → delivered)
...
...
try
del
(try to send → try to send U delivered)
...
...
try
try
try
del
(try to send → ♦ delivered)
...
...
try
del
94 / 152
Infinitely often and eventually forever
ltlsf3.1-4
ϕ ::= true a ϕ1 ∧ ϕ2 ¬ϕ ϕ ϕ1 U ϕ2
def
eventually ♦ϕ = true U ϕ
always
def
ϕ = ¬♦¬ϕ
infinitely often
♦ ϕ
eventually forever ♦ ϕ
e.g., unconditional fairness ♦criti
strong fairness
♦waiti → ♦criti
weak fairness
♦waiti → ♦criti
103 / 152
LTL-semantics
ltlsf3.1-6a
104 / 152
LTL-semantics
ltlsf3.1-6a
interpretation of LTL formulas over traces, i.e.,
infinite words over 2AP
105 / 152
LTL-semantics
ltlsf3.1-6a
interpretation of LTL formulas over traces, i.e.,
infinite words over 2AP
|= for
formalized by a satisfaction relation |=
• LTL formulas and
ω
• infinite words σ = A0 A1 A2 . . . ∈ 2AP
106 / 152
Semantics of LTL over infinite words
ω
for σ = A0 A1 A2 . . . ∈ 2AP :
ltlsf3.1-6
σ |= true
σ |= a
iff A0 |= a ,i.e., a ∈ A0
σ |= ϕ1 ∧ ϕ2 iff σ |= ϕ1 and σ |= ϕ2
σ |= ¬ϕ
iff σ |= ϕ
111 / 152
Semantics of LTL over infinite words
ω
for σ = A0 A1 A2 . . . ∈ 2AP :
ltlsf3.1-6
σ |= true
σ |= a
iff A0 |= a ,i.e., a ∈ A0
σ |= ϕ1 ∧ ϕ2 iff σ |= ϕ1 and σ |= ϕ2
σ |= ¬ϕ
iff σ |= ϕ
σ |= ϕ
iff suffix(σ, 1) = A1 A2 A3 . . . |= ϕ
112 / 152
Semantics of LTL over infinite words
ω
for σ = A0 A1 A2 . . . ∈ 2AP :
ltlsf3.1-6
σ |= true
σ |= a
iff A0 |= a ,i.e., a ∈ A0
σ |= ϕ1 ∧ ϕ2 iff σ |= ϕ1 and σ |= ϕ2
σ |= ¬ϕ
iff σ |= ϕ
σ |= ϕ
iff suffix(σ, 1) = A1 A2 A3 . . . |= ϕ
σ |= ϕ1 U ϕ2 iff there exists j ≥ 0 such that
suffix(σ, j) = Aj Aj+1 Aj+2 . . . |= ϕ2 and
suffix(σ, i ) = Ai Ai+1 Ai+2 . . . |= ϕ1 for 0 ≤ i < j
113 / 152
LTL semantics over paths of TS
ltlsf3.1-LTL-words-paths
117 / 152
LTL semantics over paths of TS
ltlsf3.1-LTL-words-paths
given: TS T = (S, Act, →, S0, AP, L)
without terminal states
LTL formula ϕ over AP
118 / 152
LTL semantics over paths of TS
ltlsf3.1-LTL-words-paths
given: TS T = (S, Act, →, S0, AP, L)
without terminal states
LTL formula ϕ over AP
interpretation of ϕ over infinite path fragments
π = s0 s1 s2 . . . |= ϕ iff trace(π) |= ϕ
119 / 152
LTL semantics over paths of TS
ltlsf3.1-LTL-words-paths
given: TS T = (S, Act, →, S0, AP, L)
without terminal states
LTL formula ϕ over AP
interpretation of ϕ over infinite path fragments
π = s0 s1 s2 . . . |= ϕ iff trace(π) |= ϕ
iff trace(π) ∈ Words(ϕ)
120 / 152
LTL semantics over paths of TS
ltlsf3.1-LTL-words-paths
given: TS T = (S, Act, →, S0, AP, L)
without terminal states
LTL formula ϕ over AP
interpretation of ϕ over infinite path fragments
π = s0 s1 s2 . . . |= ϕ iff trace(π) |= ϕ
iff trace(π) ∈ Words(ϕ)
remind: LT property of an LTL formula:
ω
Words(ϕ) = σ ∈ 2AP : σ |= ϕ
121 / 152
LTL semantics over the states of a TS
ltlsf3.1-sem-states
122 / 152
LTL semantics over the states of a TS
ltlsf3.1-sem-states
given: TS T = (S, Act, →, S0, AP, L)
without terminal states
LTL formula ϕ over AP
interpretation of ϕ over infinite path fragments
π = s0 s1 s2 . . . |= ϕ iff trace(π) |= ϕ
interpretation of ϕ over states:
s |= ϕ iff trace(π) |= ϕ for all π ∈ Paths(s)
123 / 152
LTL semantics over the states of a TS
ltlsf3.1-sem-states
given: TS T = (S, Act, →, S0, AP, L)
without terminal states
LTL formula ϕ over AP
interpretation of ϕ over infinite path fragments
π = s0 s1 s2 . . . |= ϕ iff trace(π) |= ϕ
interpretation of ϕ over states:
s |= ϕ iff trace(π) |= ϕ for all π ∈ Paths(s)
iff s |= Words(ϕ)
124 / 152
LTL semantics over the states of a TS
ltlsf3.1-sem-states
given: TS T = (S, Act, →, S0, AP, L)
without terminal states
LTL formula ϕ over AP
interpretation of ϕ over infinite path fragments
π = s0 s1 s2 . . . |= ϕ iff trace(π) |= ϕ
interpretation of ϕ over states:
s |= ϕ iff trace(π) |= ϕ for all π ∈ Paths(s)
iff s |= Words(ϕ)
↑
satisfaction relation for LT properties
125 / 152
LTL semantics over the states of a TS
ltlsf3.1-sem-states
given: TS T = (S, Act, →, S0, AP, L)
without terminal states
LTL formula ϕ over AP
interpretation of ϕ over infinite path fragments
π = s0 s1 s2 . . . |= ϕ iff trace(π) |= ϕ
interpretation of ϕ over states:
s |= ϕ iff trace(π) |= ϕ for all π ∈ Paths(s)
iff s |= Words(ϕ)
iff Traces(s) ⊆ Words(ϕ)
126 / 152
Interpretation of LTL formulas over TS
ltlsf3.1-sem-TS
127 / 152
Interpretation of LTL formulas over TS
ltlsf3.1-sem-TS
given: TS T = (S, Act, →, S0, AP, L)
without terminal states
LTL formula ϕ over AP
T |= ϕ iff s0 |= ϕ for all s0 ∈ S0
128 / 152
Interpretation of LTL formulas over TS
ltlsf3.1-sem-TS
given: TS T = (S, Act, →, S0, AP, L)
without terminal states
LTL formula ϕ over AP
T |= ϕ iff s0 |= ϕ for all s0 ∈ S0
iff trace(π) |= ϕ for all π ∈ Paths(T )
129 / 152
Interpretation of LTL formulas over TS
ltlsf3.1-sem-TS
given: TS T = (S, Act, →, S0, AP, L)
without terminal states
LTL formula ϕ over AP
T |= ϕ iff s0 |= ϕ for all s0 ∈ S0
iff trace(π) |= ϕ for all π ∈ Paths(T )
iff Traces(T ) ⊆ Words(ϕ)
130 / 152
Interpretation of LTL formulas over TS
ltlsf3.1-sem-TS
given: TS T = (S, Act, →, S0, AP, L)
without terminal states
LTL formula ϕ over AP
T |= ϕ iff s0 |= ϕ for all s0 ∈ S0
iff trace(π) |= ϕ for all π ∈ Paths(T )
iff Traces(T ) ⊆ Words(ϕ)
iff T |= Words(ϕ)
131 / 152
Interpretation of LTL formulas over TS
ltlsf3.1-sem-TS
given: TS T = (S, Act, →, S0, AP, L)
without terminal states
LTL formula ϕ over AP
T |= ϕ iff s0 |= ϕ for all s0 ∈ S0
iff trace(π) |= ϕ for all π ∈ Paths(T )
iff Traces(T ) ⊆ Words(ϕ)
iff T |= Words(ϕ)
↑
satisfaction relation for LT properties
132 / 152
Linear-time implementation relations
bseqor5.1-5
133 / 152
Linear-time implementation relations
bseqor5.1-5
finite trace inclusion and equivalence:
e.g., Tracesfin(T1) ⊆ Tracesfin(T2)
trace inclusion and trace equivalence:
e.g., Traces(T1 ) ⊆ Traces(T2)
134 / 152
Linear-time implementation relations
bseqor5.1-5
finite trace inclusion and equivalence:
e.g., Tracesfin(T1) ⊆ Tracesfin(T2)
preserves all linear-time safety properties
trace inclusion and trace equivalence:
e.g., Traces(T1 ) ⊆ Traces(T2)
135 / 152
Linear-time implementation relations
bseqor5.1-5
finite trace inclusion and equivalence:
e.g., Tracesfin(T1) ⊆ Tracesfin(T2)
preserves all linear-time safety properties
trace inclusion and trace equivalence:
e.g., Traces(T1 ) ⊆ Traces(T2)
preserves all LTL properties
136 / 152
Linear-time implementation relations
bseqor5.1-5
finite trace inclusion and equivalence:
e.g., Tracesfin(T1) ⊆ Tracesfin(T2)
preserves all linear-time safety properties
trace inclusion and trace equivalence:
e.g., Traces(T1 ) ⊆ Traces(T2)
preserves all LTL properties
∗ none of the LT relations is compatible with CTL
137 / 152
Linear-time implementation relations
bseqor5.1-5
finite trace inclusion and equivalence:
e.g., Tracesfin(T1) ⊆ Tracesfin(T2)
preserves all linear-time safety properties
trace inclusion and trace equivalence:
e.g., Traces(T1 ) ⊆ Traces(T2)
preserves all LTL properties
∗ none of the LT relations is compatible with CTL
∗ checking LT relations is computationally hard
138 / 152
Linear-time implementation relations
bseqor5.1-5
finite trace inclusion and equivalence:
e.g., Tracesfin(T1) ⊆ Tracesfin(T2)
preserves all linear-time safety properties
trace inclusion and trace equivalence:
e.g., Traces(T1 ) ⊆ Traces(T2)
preserves all LTL properties
∗ none of the LT relations is compatible with CTL
∗ checking LT relations is computationally hard
∗ minimization ???
139 / 152
Minimization w.r.t. trace equivalence?
T1 :
bseqor5.1-min-LT
T2 :
• Traces(T1 ) = Traces(T2)
but T1 and T2 are not isomorphic
• T1 , T2 have 5 states and 7 transitions each
• there is no smaller TS that is trace-equivalent to Ti
144 / 152
Classification of implementation relations
bseqor5.1-6
• linear vs. branching time
* linear time:
trace relations
* branching time: (bi)simulation relations
• (nonsymmetric) preorders vs. equivalences:
* preorders:
trace inclusion, simulation
* equivalences: trace equivalence, bisimulation
• strong vs. weak relations
* strong: reasoning about all transitions
* weak: abstraction from stutter steps
148 / 152
Summary: equivalences
ctleq5.2-10
LTL equivalence
bisimulation
equivalence
CTL equivalence
CTL* equivalence
for finitely
branching TS
149 / 152
Summary: equivalences
ctleq5.2-10
trace equivalence
LTL equivalence
bisimulation
equivalence
CTL equivalence
CTL* equivalence
for finitely
branching TS
150 / 152
Summary: equivalences
ctleq5.2-10
finite
trace equivalence
trace equivalence
LTL equivalence
bisimulation
equivalence
CTL equivalence
CTL* equivalence
for finitely
branching TS
151 / 152
Summary: equivalences
ctleq5.2-10
finite
trace equivalence
equivalence w.r.t.
LTL safety properties
trace equivalence
LTL equivalence
bisimulation
equivalence
CTL equivalence
CTL* equivalence
for finitely
branching TS
152 / 152