
LTL Model Checking
张文辉
http://lcs.ios.ac.cn/~zwh
LTL Model Checking
Transition system → Kripke structure → ω-automaton
LTL → PLTL → ω-automaton
M |= φ
M |= φ iff L(A_M) ⊆ L(A_φ)
LTL Model Checking
L(A_M) ⊆ L(A_φ)
L(A_M) ∩ (Σ^ω \ L(A_φ)) = ∅
L(A_M) ∩ L(A_¬φ) = ∅
L(A_M ∩ A_¬φ) = ∅
Double DFS
Kripke Structure
Kripke Structures
Definition
A Kripke structure is a triple <S,R,I>
– S : A finite set of states
– R ⊆ S × S : A total transition relation
– I ⊆ S : A set of initial states
The set of successors of s is denoted R(s)
Then R is total iff R(s) ≠ ∅ for all s ∈ S
Example: (figure: a Kripke structure with states s0, s1, s2, s3)
Computation
Given a Kripke structure K=<S,R,I>.
s → s' : sRs' or (s,s') ∈ R
Definition
A computation of K is an infinite sequence over S:
s0 s1 s2 …
such that s0 ∈ I, and si → si+1 for all i ≥ 0
Path
Definition
An infinite path is an infinite sequence over S:
s0 s1 s2 …
such that si → si+1 for all i ≥ 0
Definition
A finite path is a finite prefix of an infinite path:
s0 …sn
Labeled Kripke Structures
AP: A set of propositions.
Definition
A (Labeled) Kripke structure is a quadruple <S,R,I,L>
– S : A finite set of states
– R ⊆ S × S : A total transition relation
– I ⊆ S : A set of initial states
– L : S → 2^AP is a labeling function
Example: (figure: a labeled Kripke structure with states s0, s1, s2, s3 carrying the labels {}, {q}, {p}, {p,q})
Example (figure): two processes with local states s0..s3 and t0..t3 over the shared variables x, y, t, initially x=0, y=0, t=0.
Process 1: s0 → s1 with y=1,t=1; s1 → s2 when x==0||t==0; s2 → s3 with y=0.
Process 2: t0 → t1 with x=1,t=0; t1 → t2 when y==0||t==1; t2 → t3 with x=0.
The global states of the composed system are tuples (s_i, t_j, x, y, t), for example s0,t0,0,0,0; s1,t0,0,1,1; s2,t0,0,1,1; s3,t0,0,0,1; s0,t1,1,0,0; s1,t1,1,1,0; … (the reachable state graph is drawn in the figure).
Proposition Symbols
Let AP be the set of proposition symbols
{p0,p1,…,p13} with the following meaning:
(table of meanings not reproduced)
Labeling Function
L(s0,t0,0,0,0)={p6,p10,p0,p2,p4}
L(s0,t0,0,0,1)={p6,p10,p0,p2,p5}
…
ω-Automata
Büchi Automata
Definition
A Büchi automaton (BA) is a quintuple <Σ,S,δ,I,F>
– Σ : A finite set of symbols
– S : A finite set of states
– δ ⊆ S × Σ × S : A transition relation
– I ⊆ S : A set of initial states
– F ⊆ S : A set of acceptance states
Example: (figure: a BA with states s0, s1, s2, s3 and transitions labeled a, b, c)
Runs
Given a BA A=<Σ,S,δ,I,F>
Notation: s --a--> s' : (s,a,s') ∈ δ
Definition
Let w ∈ Σ^ω.
A run of A on w is an infinite sequence
s0 s1 s2 … over S
such that s0 ∈ I, and (si, w[i], si+1) ∈ δ for all i ≥ 0.
Words over a Run
Definition
A word over a run r of A is
an infinite sequence over Σ: a1 a2 …
such that r is a run on a1 a2 …
Accepting Runs
Let inf(ρ) be the set of states
that appear infinitely many times on ρ.
Definition
An accepting run of A is a run ρ of A
such that inf(ρ) ∩ F ≠ ∅.
Accepting Words
Definition
An accepting word of A is
a word over some accepting run of A.
Language
Definition
The language of A is
the set of accepting words of A.
The language of A is denoted L(A).
Union
Given two BAs
A1=<Σ,S1,δ1,I1,F1>, A2=<Σ,S2,δ2,I2,F2>.
Suppose that S1 and S2 are disjoint.
Define A1 ∪ A2 = <Σ,S,δ,I,F> where
S = S1 ∪ S2
δ = δ1 ∪ δ2
I = I1 ∪ I2
F = F1 ∪ F2
Union
Theorem
L(A1 ∪ A2) = L(A1) ∪ L(A2)
Intersection
Given BAs
A1=<Σ,S1,δ1,I1,F1>, A2=<Σ,S2,δ2,I2,F2>.
Define A1 ∩ A2 = <Σ,S,δ,I,F> where
S = S1 × S2 × {0,1,2}
δ = ?
I = I1 × I2 × {0}
F = S1 × S2 × {2}
Intersection
δ =
{ ((s1,s2,i), a, (s1',s2',i)) | i ∈ {0,1}, (s1,a,s1') ∈ δ1, (s2,a,s2') ∈ δ2 } ∪
{ ((s1,s2,0), a, (s1',s2',1)) | (s1,a,s1') ∈ δ1, (s2,a,s2') ∈ δ2, s1 ∈ F1 } ∪
{ ((s1,s2,1), a, (s1',s2',2)) | (s1,a,s1') ∈ δ1, (s2,a,s2') ∈ δ2, s2 ∈ F2 } ∪
{ ((s1,s2,2), a, (s1',s2',0)) | (s1,a,s1') ∈ δ1, (s2,a,s2') ∈ δ2 }
Intersection
Theorem
L(A1 ∩ A2) = L(A1) ∩ L(A2)
Complementation
The set of BAs is closed under complementation.
Given A=<Σ,S,δ,I,F>.
There exists a BA B such that
L(B) = Σ^ω \ L(A)
Generalized Büchi Automaton
Definition
A GBA is a quintuple <Σ,S,δ,I,F>
– Σ : A finite set of symbols
– S : A finite set of states
– δ ⊆ S × Σ × S : A transition relation
– I ⊆ S : A set of initial states
– F ⊆ 2^S : A set of sets of acceptance states
Accepting Run
Definition
An accepting run of A is a run ρ of A
such that for each f ∈ F, inf(ρ) ∩ f ≠ ∅.
Union
Given two automata
A1=<Σ,S1,δ1,I1,F1>, A2=<Σ,S2,δ2,I2,F2>.
Suppose that S1 and S2 are disjoint.
Define A1 ∪ A2 = <Σ,S,δ,I,F> where
S = S1 ∪ S2
δ = δ1 ∪ δ2
I = I1 ∪ I2
F = { f ∪ S2 | f ∈ F1 } ∪ { f ∪ S1 | f ∈ F2 }
Union
Theorem
L(A1 ∪ A2) = L(A1) ∪ L(A2)
Intersection
Given two automata
A1=<Σ,S1,δ1,I1,F1>, A2=<Σ,S2,δ2,I2,F2>.
Define A1 ∩ A2 = <Σ,S,δ,I,F> where
S = S1 × S2
δ = { ((s1,s2), a, (s1',s2')) | (s1,a,s1') ∈ δ1, (s2,a,s2') ∈ δ2 }
I = I1 × I2
F = { f × S2 | f ∈ F1 } ∪ { S1 × f | f ∈ F2 }
Intersection
Theorem
L(A1 ∩ A2) = L(A1) ∩ L(A2)
Complementation
The set of GBAs is closed under complementation.
Expressiveness of GBAs
Expressiveness of GBAs
Theorem
Every language expressible by a BA is also
expressible by a GBA.
Proof
Given a BA A=<Σ,S,δ,I,F>.
We can construct a GBA B=<Σ,S,δ,I,{F}>
such that L(B)=L(A).
Expressiveness of GBAs
Theorem
Every language expressible by a GBA is also
expressible by a BA.
Proof
Given a GBA A=<Σ,S,δ,I,{f1,…,fn}>.
We can construct a BA B=<Σ,S',δ',I',F'>
such that L(B)=L(A).
GBA → BA
BA B=<Σ,S',δ',I',F'>
S' = S × {0,1,2,…,n}
δ' = ?
I' = I × {0}
F' = S × {n}
GBA → BA
δ' =
{ ((s,i), a, (s',i)) | i ∈ {0,1,…,n-1}, (s,a,s') ∈ δ } ∪
{ ((s,i), a, (s',i+1)) | i ∈ {0,1,…,n-1}, (s,a,s') ∈ δ, s ∈ f_{i+1} } ∪
{ ((s,n), a, (s',0)) | (s,a,s') ∈ δ }
Kripke Structure → ω-Automata
Kripke Structure → ω-Automata
Computations ↔ Accepting runs
Labels on Computations ↔ Accepting Words
Kripke Structure → ω-Automata
AP: A set of propositions.
K=<S,R,I,L>
A=<Σ,S,δ,I,F>
Σ = 2^AP
δ = { (s,a,s') | (s,s') ∈ R, a=L(s) }
F = S
Kripke Structure → ω-Automata
Theorem
r is a computation of K
⟹ L(r) is an accepting word of A
w is an accepting word of A
⟹
there is a computation r of K such that L(r)=w
Example: (figure: the labeled Kripke structure with states s0, s1, s2, s3 and labels {}, {q}, {p}, {p,q}, and the ω-automaton obtained from it, in which every transition leaving a state s carries the label L(s))
PLTL  -Automata
Example
Gp
pUq
p U (q U r)
PLTL  -Automata
Only consider NNF formulas with
literals,
disjunction, conjunction,
X, U, R
 == p | p |  |  |X  |  R  |  U 
PLTL  -Automata
Let  be a PLTL formula over AP.
Construct a GBA A=<S,,,I,F> such that
 |=  iff L(A)
(1) =2AP
(2) S,I,,F = ?
PLTL  -Automata

s=[; ; ; ]
s=[a; ; c; d]
New node
s’=[s; d; ; ]
PLTL  -Automata
s=[a; p,; c; d]
Replace
s‘=[a; ; p,c; d]
where p is a literal
PLTL  -Automata
s=[a; 01,; c; d]
replace
s‘=[a; 0,; 01,c; d]
s’’=[a; 0,; 01,c; d]
PLTL  -Automata
s=[a; 01,; c; d]
Replace
s’=[a; 0,1,; 01,c; d]
PLTL  -Automata
s=[a; O1,; c; d]
Replace
s‘=[a; ; O1,c; 1,d]
PLTL  -Automata
s=[a; 0U1,; c; d]
Replace
s’=[a; 1(0X(0U1)),; 0U1,c; d]
PLTL  -Automata
s=[a; 0R1,; c; d]
Replace
s’=[a; 1(0X(0R1)),; 0R1,c; d]
PLTL  -Automata
s=[a; ; c; d]
s’=[a’; ; c; d]
Replace
s’’=[a,a’; ; c; d]
PLTL  -Automata
s=[a; ; c; d]
s  I iff   a
PLTL  -Automata
=2AP
s=[a; ; c; d]
s’=[a’; ; c’; d’]
Define  as follow:
(s,,s’)   iff s  a’ and |=s
PLTL  -Automata
Let f(0U1) = { s | 0U1s.c  1s.c }
F = { f(0U1) | 0U1 is a sub-formula of  }
PLTL  -Automata
Theorem
Let A=<,S,,I,F> be a GBA as constructed.
Then  |=  iff L(A).
Example
Gp
pUq
p U (q U r)
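The node-expansion construction of the preceding slides, as an added Python example that is not part of the lecture: expand applies the rewriting rules for literals, ∨, ∧, X, U and R until the b field is empty, ltl_to_gba creates new nodes from the d field, merges nodes with equal (c, d), and defines I, δ and F exactly as on the slides. The tuple encoding of formulas and the sample formula p U q are constructed for this example; AP is passed in explicitly.

```python
from itertools import combinations

# Example code added to these notes (not from the lecture): the node expansion
# of the PLTL -> GBA slides.  Constructed formula encoding: a literal is 'p' or
# ('not','p'); otherwise ('or',f,g), ('and',f,g), ('X',f), ('U',f,g), ('R',f,g).
# A node is the pair (old, next) of frozensets; the incoming field is a dict.

def is_literal(f):
    return isinstance(f, str) or f[0] == "not"

def expand(new, old, nxt):
    """Apply the rewriting rules until new is empty; return the resulting
    (old, next) nodes (the or / U / R rules split a node in two)."""
    if not new:
        return {(old, nxt)}
    f = next(iter(new))                        # any unprocessed formula
    new, old = new - {f}, old | {f}            # f is now processed (moved to old)
    if is_literal(f):
        return expand(new, old, nxt)
    op = f[0]
    if op == "X":                              # X phi1: phi1 is owed in next
        return expand(new, old, nxt | {f[1]})
    if op == "and":
        return expand(new | {f[1], f[2]}, old, nxt)
    if op == "or":
        return expand(new | {f[1]}, old, nxt) | expand(new | {f[2]}, old, nxt)
    if op == "U":      # phi0 U phi1  ->  phi1 or (phi0 and X(phi0 U phi1))
        return expand(new | {("or", f[2], ("and", f[1], ("X", f)))}, old, nxt)
    if op == "R":      # phi0 R phi1  ->  phi1 and (phi0 or X(phi0 R phi1))
        return expand(new | {("and", f[2], ("or", f[1], ("X", f)))}, old, nxt)
    raise ValueError(f)

def ltl_to_gba(phi, ap):
    """Return the GBA (Sigma, S, delta, I, F) for phi over propositions ap."""
    incoming, todo = {}, [("init", frozenset({phi}))]
    while todo:
        pred, new = todo.pop()
        for node in expand(new, frozenset(), frozenset()):
            if node not in incoming:           # merge rule: one node per (old, next)
                incoming[node] = set()
                todo.append((node, node[1]))   # new node s' = [s; d; {}; {}]
            incoming[node].add(pred)
    sigma = [frozenset(c) for r in range(len(ap) + 1) for c in combinations(sorted(ap), r)]
    def sat(a, s):                             # a |= s: the literals of s hold in a
        return all((f in a) if isinstance(f, str) else (f[1] not in a)
                   for f in s[0] if is_literal(f))
    S = set(incoming)
    delta = {(s, a, t) for t in S for s in incoming[t] if s != "init"
             for a in sigma if sat(a, s)}
    I = {s for s in S if "init" in incoming[s]}
    untils = {g for s in S for g in s[0] if not is_literal(g) and g[0] == "U"}
    F = [{s for s in S if u not in s[0] or u[2] in s[0]} for u in untils]
    return sigma, S, delta, I, F

# Constructed sample: the automaton for p U q over AP = {p, q}.
GBA_PUQ = ltl_to_gba(("U", "p", "q"), {"p", "q"})
```

For p U q the construction yields three nodes (q satisfied now; p now and p U q owed next; nothing owed), two of them initial, and one acceptance set f(pUq) containing the two nodes that do not carry an unfulfilled p U q.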
LTL Model Checking
L(A_M) ⊆ L(A_φ)
L(A_M) ∩ (Σ^ω \ L(A_φ)) = ∅
L(A_M) ∩ L(A_¬φ) = ∅
L(A_M ∩ A_¬φ) = ∅
Double DFS
Emptiness of -Automata
On the Fly
Partial Order Reduction
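The model-checking chain of the slides, A_M from a Kripke structure, the product with A_¬φ, and emptiness by double DFS, as an added Python example that is not part of the lecture. The Kripke structure and the automaton A_¬Gp are constructed here; because every state of A_M is accepting (F = S), the product uses F = S_M × F_B and does not need the {0,1,2} counter of the general intersection.

```python
# Example code added to these notes (not from the lecture).  A BA is a tuple
# (S, delta, I, F) with delta a set of (s, a, t); letters are frozensets of
# propositions, i.e. Sigma = 2^AP.  Model and A_{not G p} are constructed below.

def kripke_to_ba(S, R, I, L):
    """Kripke -> BA as on the slides: delta = {(s, L(s), s') | (s, s') in R}, F = S."""
    return set(S), {(s, L[s], t) for (s, t) in R}, set(I), set(S)

def product_with_model(AM, B):
    """A_M x B; every A_M state is accepting, so F = S_M x F_B suffices."""
    SM, dM, IM, _ = AM
    SB, dB, IB, FB = B
    delta = {((s, q), a, (t, r)) for (s, a, t) in dM for (q, b, r) in dB if a == b}
    return ({(s, q) for s in SM for q in SB}, delta,
            {(s, q) for s in IM for q in IB}, {(s, q) for s in SM for q in FB})

def nested_dfs(A):
    """Double DFS emptiness check: True iff some accepting state is reachable
    and lies on a cycle, i.e. L(A) is non-empty."""
    S, delta, I, F = A
    succ = {s: set() for s in S}
    for s, _, t in delta:
        succ[s].add(t)
    blue, red = set(), set()
    def inner(seed):                          # second DFS: can seed reach itself?
        stack = [seed]
        while stack:
            for t in succ[stack.pop()]:
                if t == seed:
                    return True
                if t not in red:
                    red.add(t); stack.append(t)
        return False
    def outer(s):                             # first DFS, accepting states in post-order
        blue.add(s)
        return any(outer(t) for t in succ[s] if t not in blue) or (s in F and inner(s))
    return any(outer(s) for s in I if s not in blue)

# Constructed model M: s0{p} -> s1{p} -> s0, s1 -> s2{} -> s2 (R is total).
K = ({"s0", "s1", "s2"}, {("s0", "s1"), ("s1", "s0"), ("s1", "s2"), ("s2", "s2")},
     {"s0"}, {"s0": frozenset({"p"}), "s1": frozenset({"p"}), "s2": frozenset()})
# Constructed A_{not G p} (= A_{F not p}): q0 loops on any letter and may move to
# the accepting q1 on a letter without p; q1 loops on any letter.
SIG = [frozenset(), frozenset({"p"})]
A_NOT_GP = ({"q0", "q1"}, {("q0", a, "q0") for a in SIG} | {("q0", frozenset(), "q1")}
            | {("q1", a, "q1") for a in SIG}, {"q0"}, {"q1"})

def check_gp(K):
    """M |= G p  iff  L(A_M x A_{not G p}) is empty (the chain on the slides)."""
    return not nested_dfs(product_with_model(kripke_to_ba(*K), A_NOT_GP))
```

For the model above G p fails because s2 is reachable, so the product contains the reachable accepting cycle on (s2, q1); for the two-state model s0{p} <-> s1{p} it holds.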
Questions?