
Specification of Systems with Temporal Logic

Simon Robillard

Fall 2019


Section 3

LTL Model-Checking


LTL and ω-Languages

- an LTL formula defines an ω-language: the set of words that satisfy it
- a labelled transition system defines an ω-language: the set of words (paths) through it

Verifying that a system TS satisfies a formula ϕ is the same thing as checking

  L(TS) ⊆ L(ϕ)

We will do this by converting both TS and ϕ to Büchi automata.


Büchi Automata: Reminders

Definition
- transition system
- no labels on states, but actions (labels on transitions) instead
- set of accepting states

Acceptance condition
- accepted run = at least one accepting state occurs infinitely often

Determinism
- unlike finite automata, not all non-deterministic Büchi automata (NBA) have an equivalent deterministic Büchi automaton (DBA)


Why Use an Intermediate Representation?

Advantages
- NBA can be used to represent the language of
  • any LTL formula
  • any labelled transition system
- NBA are closed under intersection (also: union, complement, ω-closure, concatenation)
- checking that the language of a BA is empty is easy


Automata-Based Verification

[Diagram: TS is translated to A_TS and ϕ to A_¬ϕ; the two are combined into the intersection automaton A_TS∩¬ϕ.]

- any word accepted by A_TS∩¬ϕ is both in L(TS) and L(¬ϕ)
- it corresponds to a run of TS that violates ϕ
- otherwise, if the language of A_TS∩¬ϕ is empty, TS |= ϕ


From an LTS to a Büchi Automaton

- given an LTS TS = (S, →, S0, L : S → 2^P)
- the corresponding BA is A = (S ∪ {s0}, 2^P, δ, {s0}, S ∪ {s0})
  • (s0, α, s) ∈ δ iff s ∈ S0 and α = L(s)
  • (s, α, s′) ∈ δ iff s → s′ and α = L(s′)

[Figure: on the left, an LTS with states s1, s2, s3 labelled {p}, {q} and {p, q}; on the right, the corresponding Büchi automaton, which adds the initial state s0 and labels every transition with the label of the state it enters.]
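As an added example (not code from the lecture), the following Python builds the Büchi automaton of an LTS exactly as defined above: a fresh initial state s0, every state accepting, and each transition labelled with the atoms of the state it enters. The LTS is constructed here; its state labels follow the drawing (s1:{p}, s2:{q}, s3:{p, q}), while its transitions and initial state are assumptions, since the drawing does not survive extraction.

```python
# Added example: LTS (S, ->, S0, L) -> Büchi automaton (S ∪ {s0}, 2^P, delta, {s0}, S ∪ {s0}).
# Transitions are triples (source, letter, target); a letter is a frozenset of atoms.

def lts_to_ba(states, trans, init, label, fresh='s0'):
    """Build the BA of an LTS. Every transition carries the label of its *target*,
    so a run of the BA reads exactly the sequence of state labels of a path."""
    assert fresh not in states, "the new initial state must not clash with S"
    Q = set(states) | {fresh}
    delta = {(fresh, frozenset(label[s]), s) for s in init}          # s0 -> initial states
    delta |= {(s, frozenset(label[t]), t) for (s, t) in trans}       # s -> s' labelled L(s')
    return Q, delta, {fresh}, Q                                      # all states accepting

def reads_prefix(ba, word):
    """Can the automaton read the finite word (a list of letters) from an initial state?
    Since every state is accepting, this is exactly: is `word` a prefix of some path?"""
    Q, delta, Q0, F = ba
    current = set(Q0)
    for letter in word:
        current = {t for (s, a, t) in delta if s in current and a == letter}
        if not current:
            return False
    return True

# Constructed LTS (assumption, not the slide's): s1 -> s2, s1 -> s3, s2 -> s1, s3 -> s3,
# initial state s1, labels as in the drawing.
LTS_STATES = {'s1', 's2', 's3'}
LTS_TRANS = {('s1', 's2'), ('s1', 's3'), ('s2', 's1'), ('s3', 's3')}
LTS_INIT = {'s1'}
LTS_LABEL = {'s1': {'p'}, 's2': {'q'}, 's3': {'p', 'q'}}

def example_ba():
    return lts_to_ba(LTS_STATES, LTS_TRANS, LTS_INIT, LTS_LABEL)

if __name__ == '__main__':
    ba = example_ba()
    for (s, a, t) in sorted(ba[1], key=lambda x: (x[0], x[2])):
        print(f"{s} --{set(a) if a else '{}'}--> {t}")
    print(reads_prefix(ba, [{'p'}, {'q'}, {'p'}]))
```

The word {p}{q}{p}{p, q} is readable (s0 → s1 → s2 → s1 → s3), whereas {p}{p} is not: after reading {p} the automaton is in s1, whose successors are labelled {q} and {p, q}.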

Closure of a Formula

cl(ϕ) = {ψ | ψ is a sub-formula of ϕ or its negation}

Example

cl(p U ¬q) = {p U ¬q, ¬p R q, p, ¬p, q, ¬q}


note: we put all subformulas in NNF for convenience later


Maximally Consistent Subset

Let us consider the subsets S ⊂ cl(ϕ) that are maximally consistent: the largest combinations of subformulas that can be true at the same time.

Enumeration
- Consider all the subsets S ⊂ cl(ϕ) that contain exactly one of ψ or ¬ψ for each subformula ψ
- Keep only those that are consistent:
  • ⊥ must not be in S
  • if ϕ ∧ ψ ∈ S, then ϕ and ψ must be in S
  • if ϕ ∨ ψ ∈ S, then ϕ must be in S or ψ must be in S
  • if ϕ U ψ ∈ S, then ϕ must be in S or ψ must be in S
  • if ϕ R ψ ∈ S, then ψ must be in S

The set of maximally consistent subsets is denoted mcs(ϕ)



Example

- we have cl(p U ¬q) = {p U ¬q, ¬p R q, p, ¬p, q, ¬q}
- let us enumerate the maximally consistent subsets

  subset              consistent?
  {p U ¬q, p, q}      ✓
  {p U ¬q, p, ¬q}     ✓
  {p U ¬q, ¬p, q}     ✗
  {p U ¬q, ¬p, ¬q}    ✓
  {¬p R q, p, q}      ✓
  {¬p R q, p, ¬q}     ✗
  {¬p R q, ¬p, q}     ✓
  {¬p R q, ¬p, ¬q}    ✗


Exercise 5

- list the elements of mcs(¬FGp)
- reminder: NNF(¬FGp) = ⊥ R (⊤ U ¬p)


Sequences of Maximally Consistent Sets

Idea: for any word w such that w |= ϕ we can construct a unique sequence H of elements of mcs(ϕ) such that for all i, the suffix w^i satisfies the formulas in H_i and no other formulas in cl(ϕ)

Example with ϕ = p U ¬q

  w = {p, q} {p, q} {p} {q} {q} ...
  H = {ϕ, p, q} {ϕ, p, q} {ϕ, p, ¬q} {¬ϕ, ¬p, q} {¬ϕ, ¬p, q} ...

Corollaries
- for any i, w_i = H_i ∩ P
- ϕ ∈ H_0


Constructing the Büchi Automaton

Idea:
- build a BA with states Q = mcs(ϕ)
- infinite paths starting in q_i should be accepted iff they satisfy exactly the formulas in q_i
- initial states: the q such that ϕ ∈ q
- words accepted by the BA are those that satisfy ϕ

Difficulty:
- the acceptance condition for ϕ U ψ is not local


Generalized Büchi Automata

- difference from Büchi automata: acceptance condition
  • the acceptance condition F is a set of sets of states
  • a run is accepting iff the set of infinitely often occurring states contains at least a state from each accepting set F_i ∈ F
  • if F is empty, any run is accepted
- same expressive power: every GBA has a corresponding BA (trivially, the other way around too)
- mostly used as an intermediate step during the translation from LTL


LTL to GBA

For a formula ϕ, let A_ϕ = (Q, 2^P, δ, Q0, F) with
- Q = mcs(ϕ)
- Q0 = {q | ϕ ∈ q}
- (q, α, q′) ∈ δ iff
  • α = q ∩ P
  • if Xψ ∈ q, then ψ ∈ q′
  • if ψ1 U ψ2 ∈ q and ¬ψ2 ∈ q, then ψ1 U ψ2 ∈ q′
  • if ψ1 R ψ2 ∈ q and ¬ψ1 ∈ q, then ψ1 R ψ2 ∈ q′
- F = {F_1, ..., F_n}
- one accepting set F_i ∈ F for each ψ_i1 U ψ_i2 ∈ cl(ϕ)
- q ∈ F_i if:
  • ψ_i1 U ψ_i2 ∉ q
  • OR ψ_i2 ∈ q


Automaton for ϕ = p U ¬q

The five states are the elements of mcs(ϕ):
  q1 = {p U ¬q, ¬p, ¬q}
  q2 = {p U ¬q, p, ¬q}
  q3 = {p U ¬q, p, q}
  q4 = {¬p R q, p, q}
  q5 = {¬p R q, ¬p, q}

[Figure, built up over several slides: the automaton with states q1 to q5; the transitions leaving a state are labelled with α = q ∩ P, i.e. {} from q1, {p} from q2 and q3, {p, q} from q4 and {q} from q5.]
Specification of Systems with Temporal Logic
LTL Model-Checking

Un-Generalizing the Büchi Automaton

- if |F| = 0, simply mark all states as accepting
- else, when F = {F_0, ..., F_{k−1}}, let A′ = (Q′, 2^P, δ′, Q′0, F′) with
  • Q′ = Q × {0, ..., k − 1}
  • Q′0 = {⟨q, 0⟩ | q ∈ Q0}
  • F′ = {⟨q, 0⟩ | q ∈ F_1}
  • for any (q, α, q′) ∈ δ
    - if q ∉ F_i, (⟨q, i⟩, α, ⟨q′, i⟩) ∈ δ′
    - otherwise, (⟨q, i⟩, α, ⟨q′, (i + 1) mod k⟩) ∈ δ′
- idea: create k “copies” of the automaton
  • transitions out of a state in F_i lead to the copy i + 1
  • a path looping through an accepting state ⟨q, 0⟩ must necessarily go through accepting states in each of the copies
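The k-copy construction, as an added Python example that is not the lecture's code. It takes an automaton as a tuple (Q, δ, Q0, F) with δ a set of (source, letter, target) triples; for a GBA, F is the list [F_0, ..., F_{k−1}], and the accepting states of the result are the copy-0 states whose original state lies in F_0 (0-based, matching the copy numbering). The small GBA and the two runs checked at the end are constructed for the example; `lasso_accepted` is a helper of my own that checks one ultimately periodic run rather than deciding the language.

```python
# Added example: GBA -> BA with k copies of the state space (names are this example's own).

def degeneralize(gba):
    """(Q, delta, Q0, [F_0..F_{k-1}]) -> (Q', delta', Q0', F') as on the slide."""
    Q, delta, Q0, F = gba
    k = len(F)
    if k == 0:                            # no accepting set: every run is accepting
        return Q, delta, Q0, set(Q)
    Q2 = {(q, i) for q in Q for i in range(k)}
    Q02 = {(q, 0) for q in Q0}
    F2 = {(q, 0) for q in F[0]}           # accept in copy 0 on the states of F_0
    delta2 = set()
    for (q, a, q2) in delta:
        for i in range(k):
            # leaving a state of F_i while in copy i moves to copy (i + 1) mod k
            j = (i + 1) % k if q in F[i] else i
            delta2.add(((q, i), a, (q2, j)))
    return Q2, delta2, Q02, F2

def lasso_accepted(ba, states, word, loop_start):
    """Check an ultimately periodic run states[0] states[1] ... (states[loop_start] ...)^omega.
    word[i] labels the step from states[i]; the last step returns to states[loop_start].
    Raises ValueError if this is not a run of `ba`; otherwise returns whether it is accepting."""
    Q, delta, Q0, F = ba
    if states[0] not in Q0 or len(word) != len(states):
        raise ValueError("not a run")
    for i, s in enumerate(states):
        nxt = states[i + 1] if i + 1 < len(states) else states[loop_start]
        if (s, word[i], nxt) not in delta:
            raise ValueError(f"no transition {s} --{word[i]}--> {nxt}")
    return any(s in F for s in states[loop_start:])   # accepting state in the loop part

# Constructed GBA: states a, b; a -x-> a, a -x-> b, b -y-> a; F = [{a}, {b}], so a run is
# accepting iff it visits both a and b infinitely often.
GBA = ({'a', 'b'},
       {('a', 'x', 'a'), ('a', 'x', 'b'), ('b', 'y', 'a')},
       {'a'},
       [{'a'}, {'b'}])

if __name__ == '__main__':
    ba = degeneralize(GBA)
    print(len(ba[0]), 'states,', len(ba[1]), 'transitions, accepting:', ba[3])
    print(lasso_accepted(ba, [('a', 0), ('b', 1)], ['x', 'y'], 0))   # a b a b ...: accepted
    print(lasso_accepted(ba, [('a', 0), ('a', 1)], ['x', 'x'], 1))   # a a a a ...: rejected
```

The run that alternates a, b, a, b, ... moves copy 0 → copy 1 → copy 0 and keeps returning to ⟨a, 0⟩, so it is accepted; the run that stays on a leaves copy 0 once and is then stuck in copy 1, where nothing is accepting, which is exactly how the construction rejects runs that miss F_1.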


Expressivity: Büchi Automata vs LTL

Büchi automata are strictly more expressive than LTL

[Figure: a Büchi automaton over P = {p} whose transitions are labelled {p} and {p}, {}]

- no LTL formula (over P = {p}) is equivalent to this BA
- Büchi automata can define ω-regular languages (similar to regular languages, but for infinite words)


Intersection Automaton: the Special Case

- given two Büchi automata over alphabet Σ
  • A = (Q_A, Σ, δ_A, Q0_A, F_A) and B = (Q_B, Σ, δ_B, Q0_B, F_B)
- we want an automaton A∩ = (Q′, Σ, δ′, Q′0, F′) that accepts the language L(A) ∩ L(B)
- for our purpose, all states of A are accepting (F_A = Q_A), so we can simply take
  • Q′ = Q_A × Q_B
  • Q′0 = Q0_A × Q0_B
  • F′ = {⟨q, q′⟩ | q′ ∈ F_B}
  • for any (q_A, α, q′_A) ∈ δ_A and any (q_B, α, q′_B) ∈ δ_B, (⟨q_A, q_B⟩, α, ⟨q′_A, q′_B⟩) ∈ δ′
- this construction is not correct for arbitrary automata!


Intersection Automaton: the General Case

- in general, the automaton should only accept runs that go infinitely often through states of F_A and F_B
- create two “copies” of the automaton with product states to emulate the acceptance condition (similar to the idea used for the un-generalized automaton)
- A∩ = (Q′, Σ, δ′, Q′0, F′)
  • Q′ = Q_A × Q_B × {0, 1}
  • Q′0 = Q0_A × Q0_B × {0}
  • F′ = {⟨q, q′, 0⟩ | q′ ∈ F_B}
  • for any (q_A, α, q′_A) ∈ δ_A and any (q_B, α, q′_B) ∈ δ_B
    - (⟨q_A, q_B, 0⟩, α, ⟨q′_A, q′_B, i⟩) ∈ δ′, with i = 1 if q_A ∈ F_A and i = 0 otherwise
    - (⟨q_A, q_B, 1⟩, α, ⟨q′_A, q′_B, i⟩) ∈ δ′, with i = 0 if q_B ∈ F_B and i = 1 otherwise


Emptiness of Büchi Automaton

To check that a Büchi automaton accepts a word:

1. find a path from an initial state to an accepting state q
2. find a path from q to itself

Simple DFS
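The two-copy intersection of the previous slide and the emptiness test of this one, as one added Python example (not the lecture's code; names and the three sample automata are my own). Automata are tuples (Q, δ, Q0, F) with δ a set of (source, letter, target) and letters frozensets of atoms. One deliberate choice differs from the slide's F′: the code marks as accepting the copy-0 states whose A-component is in F_A, because leaving such a state forces the run into copy 1, and the only way back to copy 0 is through a state whose B-component is in F_B, so a run that is accepting in the product meets both F_A and F_B infinitely often (a run that never leaves copy 0 is then rejected). The emptiness test is the nested depth-first search the slide sketches: an outer DFS from the initial states and, in post-order at each accepting state, an inner DFS looking for a path back to it.

```python
# Added example: general-case Büchi intersection plus nested-DFS emptiness check.

def intersect(A, B):
    """Two-copy product: copy 0 waits for F_A, copy 1 waits for F_B."""
    QA, dA, Q0A, FA = A
    QB, dB, Q0B, FB = B
    Q = {(qa, qb, i) for qa in QA for qb in QB for i in (0, 1)}
    Q0 = {(qa, qb, 0) for qa in Q0A for qb in Q0B}
    F = {(qa, qb, 0) for qa in FA for qb in QB}     # copy-0 states with A-component in F_A
    delta = set()
    for (qa, a, qa2) in dA:
        for (qb, b, qb2) in dB:
            if a == b:                                # synchronise on the same letter
                delta.add(((qa, qb, 0), a, (qa2, qb2, 1 if qa in FA else 0)))
                delta.add(((qa, qb, 1), a, (qa2, qb2, 0 if qb in FB else 1)))
    return Q, delta, Q0, F

def find_accepting_lasso(ba):
    """Nested DFS. Returns (prefix, cycle): prefix goes from an initial state to an
    accepting state s, cycle goes from a successor of s back to s. None if L(ba) is empty."""
    Q, delta, Q0, F = ba
    succ = {}
    for (s, _, t) in delta:
        succ.setdefault(s, set()).add(t)
    seen_outer, seen_inner = set(), set()

    def inner(s, target, path):          # is there a path from s back to target?
        for t in sorted(succ.get(s, ()), key=repr):
            if t == target:
                return path + [t]
            if t not in seen_inner:
                seen_inner.add(t)
                found = inner(t, target, path + [t])
                if found:
                    return found
        return None

    def outer(s, path):                  # post-order DFS; inner search at accepting states
        for t in sorted(succ.get(s, ()), key=repr):
            if t not in seen_outer:
                seen_outer.add(t)
                found = outer(t, path + [t])
                if found:
                    return found
        if s in F:
            cycle = inner(s, s, [])
            if cycle:
                return path, cycle
        return None

    for q0 in sorted(Q0, key=repr):
        if q0 not in seen_outer:
            seen_outer.add(q0)
            found = outer(q0, [q0])
            if found:
                return found
    return None

def is_accepting_lasso(ba, prefix, cycle):
    """Independent check of a witness: the states are connected, the cycle closes on
    prefix[-1], and prefix[-1] is accepting."""
    Q, delta, Q0, F = ba
    edges = {(s, t) for (s, _, t) in delta}
    walk = prefix + cycle
    return (prefix[0] in Q0 and prefix[-1] in F and len(cycle) > 0
            and cycle[-1] == prefix[-1]
            and all((walk[i], walk[i + 1]) in edges for i in range(len(walk) - 1)))

P, E = frozenset({'p'}), frozenset()
# Constructed automata over P = {p}: A accepts words with infinitely many {p} (like G F p),
# B accepts words that are eventually always {} (like F G ¬p), C accepts words containing
# at least one {} (like F ¬p).
A = ({'a0', 'a1'}, {('a0', E, 'a0'), ('a0', P, 'a1'), ('a1', E, 'a0'), ('a1', P, 'a1')}, {'a0'}, {'a1'})
B = ({'b0', 'b1'}, {('b0', P, 'b0'), ('b0', E, 'b0'), ('b0', E, 'b1'), ('b1', E, 'b1')}, {'b0'}, {'b1'})
C = ({'c0', 'c1'}, {('c0', P, 'c0'), ('c0', E, 'c1'), ('c1', P, 'c1'), ('c1', E, 'c1')}, {'c0'}, {'c1'})

if __name__ == '__main__':
    print(find_accepting_lasso(intersect(A, B)))   # None: L(A) ∩ L(B) is empty
    print(find_accepting_lasso(intersect(A, C)))   # a witness, e.g. {} then {p} forever
```

L(A) ∩ L(B) is empty because a word cannot contain {p} infinitely often and be eventually always {}; note that the special-case product of the previous slide would wrongly accept {}^ω here, since ⟨a0, b1⟩ loops on {} and b1 ∈ F_B. L(A) ∩ L(C) is non-empty, and the returned prefix and cycle pass the independent `is_accepting_lasso` check.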


Negation vs Complement

- instead of computing the automaton A_¬ϕ
- why not compute the automaton A_ϕ and then its complement?
- complementation of a BA is exponential
- whereas A_¬ϕ has the same size as A_ϕ
  • cl(ϕ) = cl(¬ϕ) hence mcs(ϕ) = mcs(¬ϕ)
  • the two automata have the same states, transitions and acceptance conditions
  • only the initial states are different


Complexity

- size of closure: |cl(ϕ)| ∈ O(|ϕ|)
- number of m.c. sets: |mcs(ϕ)| ∈ O(2^|cl(ϕ)|) = O(2^|ϕ|)
- size of the intersection automaton for an LTS with n states: O(n × 2^|ϕ|)

Optimizations
- there are more efficient algorithms to construct A_ϕ
- they remain exponential
- we only care about the emptiness test in the intersection automaton ⟹ we can construct the automaton lazily (on-the-fly) while we visit it searching for an accepting cycle
- in general, LTL model-checking is PSPACE-complete


Exercise 6

- Compute the generalized Büchi automaton corresponding to the formula ¬FGp
- We want to check that the following transition system satisfies the formula FGp

  [Figure: a transition system with three states labelled {p}, {} and {p}]

  How many states are there in the “intersection” automaton?
