LTL Model Checking

LTL Model Checking

Radu Iosif ([email protected])

Linear Temporal Logic (LTL)

• Not exclusively for model checking

• Also meant for deduction (Manna, Pnueli)

• So, there must be some equations involving LTL terms

Kripke Structures

• AP = {p, q, r, … } is a set of atomic propositions

• K = <S, R, L> is a K-structure, where:– S is a finite set of states– R S x S is a transition relation

– L : S P(AP) is a labeling function

• w=x0, x1, … = s0, s1, … such that xi L(si) for all i 0

LTL Syntax

• p AP is a formula• true is a formula• if f, g are formulae, then:

f– f g– X f– f U g

are formulae

LTL Semantics

Defined on Kripke structures K=(S, R, L):

• K, = true always• K, = p iff = s0,s1,…

and p L(s0)• K, = f iff not K, = f• K, = fg iff K, = f or K, = g• K, = X f iff = s0,s1,s2, …

and K, s1,s2, … = f• K, = f U g iff k 0 . K, = g

and 0 i < k K, = f

LTL Syntactic Sugar

We write:• false true• fg (f g)• Fg true U g• Gf F (f)• f W g (Gf ) (f U g) (weak

until)• f V g (f U g) (release)

LTL equations

f U g = g (f X(f U g))f V g = g (f X(f V g))

= (g f) (g X(f V g))

• hold for every K, assuming that is an infinite path

LTL model checkingThe model checking problem:• find whether a path generated by a

Kripke structure K is a model for a LTL formula f (notation K, = f)

To model check an LTL formula f:1. first negate it then derive the negation

normal form2. Then build an automaton [A f] out of the

negated formula3. The problem is reduced to finding out

whether L(A f) L(K) =

Negation normal form: example

((A U (B U C)) D) = (A U (B U C)) D

= (A V (B U C)) D

= (A V (B V C)) D

TABLEAUA tableau is a proof process

represented by a graph, in which edges represents actually steps taken by the prover, and nodes intermediate states in the proof

A node in the tableau consists of:• name = unique name of the node• incoming = set of ancestors• new = current proof obligation• old = already met proof obligation• next = proof obligation in the next state

Tableau for p U q

name = Node1 incoming = {init}

new = {p U q} old = {} next = {}

Nodes = {}

Tableau for p U q




new = {q} old = {p U q} next = {}


new = {p} old = {p U q} next = {p U q}

Nodes = {}

Tableau for p U q







Nodes = {}

name = Node2’ incoming = {init}

new = {} old = {q, p U q} next = {}

Tableau for p U q

Nodes ={2’}name = Node2’ incoming = {init}


name = Node2’’ incoming = {Node2’}

new = {} old = {} next = {}

Tableau for p U q

Nodes ={2’, 2’’}name = Node2’ incoming = {init}


name = Node2’’ incoming = {Node2’, Node2’’}

new = {} old = {} next = {}

name = Node2’’’ incoming = {Node2’’}

new = {} old = {} next = {}

Tableau for p U q







Nodes = {2’, 2’’}


new = {} old = {p, p U q} next = {p U q}

Tableau for p U q

Nodes ={2’, 2’’, 3’}




new = {} old = {p, p U q} next = {p U q}



Tableau for p U q

Nodes ={2’, 2’’, 3’}



name = Node4 incoming = {Node3’}

new = {q} old = {pUq} next = {}


new = {p} old = {pUq} next = {pUq}

Tableau for p U q







name = Node4’ incoming = {Node3’}

new = {} old = {q, pUq} next = {}

incoming(2’) = {init, Node3’}

Tableau for p U q








new = {} old = {p, pUq} next = {pUq}

incoming(3’) = {init, Node3’}

Resulting automaton

init

Node2’ Node3’

Node2’’

{q}

{p}

{p}

{q}

{} = true

{} = true

An LTL formula f is satisfied iff there exists an infinite path in Af containing an acceptance state infinitely often

Automata-Theoretic model checking• Invented by Vardi and Wolper in the 80’s• Implemented in SPIN in the 90’s• Language intersection problem L(A f)

L(K) = is reduced to:– computing the synchronous product (A f )

x K– checking whether the synchronous product

contains an acceptance cycle– if so, there exists a violation of f on some

execution path of K– the model checker will show us the

counterexample

Documents

LTL Model Checking