Content deleted Content added
m →Declarative construction: Better rewording of a sentence |
m →Tools: HTTP to HTTPS for SourceForge |
||
| (37 intermediate revisions by 20 users not shown) | |||
Line 1:
In [[formal verification]],
finite state [[model checking]] needs to find a [[Büchi automaton]] (BA) equivalent to a given [[linear temporal logic]] (LTL) formula, i.e., such that the LTL formula and the BA recognize the same [[ω-language]]. There are algorithms that translate an LTL formula to a BA.<ref name=VW94>M.Y. Vardi and P. Wolper, Reasoning about infinite computations, [[Information and Computation]], 115(1994), 1–37.</ref><ref name=KMMP93>Y. Kesten, Z. Manna, H. McGuire, [[Amir Pnueli|A. Pnueli]], A decision algorithm for full propositional temporal logic, CAV’93, Elounda, Greece, LNCS 697, Springer–Verlag, 97-109.</ref><ref name=GPVW93>R. Gerth, D. Peled, M.Y. Vardi and P. Wolper, "Simple On-The-Fly Automatic Verification of Linear Temporal Logic," Proc. IFIP/WG6.1 Symp. Protocol Specification, Testing, and Verification (PSTV95), pp. 3-18, Warsaw, Poland, Chapman & Hall, June 1995.
</ref><ref name=GOCAV01>▼
</ref>▼
▲<ref name=GOCAV01>
P. Gastin and D. Oddoux, Fast LTL to Büchi automata translation, Thirteenth Conference on Computer Aided Verification (CAV ′01), number 2102 in LNCS, Springer-Verlag (2001), pp. 53–65.
</ref> This transformation is normally done in two steps. The first step produces a [[generalized Büchi automaton]] (GBA) from a LTL formula. The second step translates this GBA into a BA, which involves a relatively [[Büchi automaton#Transforming from other models of description to non-deterministic B.C3.BCchi automata|easy construction]]. Since LTL is strictly less expressive than BA, the reverse construction is not always possible.
The algorithms for transforming LTL to GBA differ in their construction strategies but they all have a common underlying principle, i.e., each state in the constructed automaton represents a set of LTL formulas that are ''expected'' to be satisfied by the remaining input word after occurrence of the state during a run.
==Transformation from LTL to GBA==
Here, two algorithms are presented for the construction. The first one provides a declarative and easy
For each LTL formula f' without ¬ as top symbol, let ''neg''(f') = ¬f'
For a special case f'='''true''', let ''neg''('''true''') = '''false'''.
Line 29 ⟶ 15:
Before describing the construction, we need to present a few auxiliary definitions.
For
{|
|
Line 43 ⟶ 29:
|}
''cl''( f ) is closure of sub-formulas of f under
Note that ''cl''( f ) may contain formulas that are not in negation normal form.
The subsets of ''cl''( f ) are going to serve as states of the equivalent GBA.
We aim to construct the GBA such that if a state ''corresponds'' to a subset M
For this reason,
we will not consider each formula set M that is clearly inconsistent
or subsumed by a
A set M
{|
|
Line 75 ⟶ 61:
if f<sub>1</sub> '''U''' f<sub>2</sub> is true in some state then eventually f<sub>2</sub> is true at some state later.
{{Hidden begin|titlestyle = background:lightblue;|contentstyle = background-color: lightgrey;
|title
}}
Let ω-word ''w''= a<sub>1</sub>, a<sub>2</sub>,... over alphabet 2<sup>''AP''</sup>. Let ''w''<sup>i</sup> = a<sub>i</sub>, a<sub>i+1</sub>,... .
Line 113 ⟶ 97:
===Gerth et al. algorithm===
The following algorithm is due to Gerth, Peled, [[Moshe Y. Vardi|Vardi]], and [[Pierre Wolper|Wolper]].<ref name=GPVW93/>
A verified construction mechanism of this by Schimpf, Merz and Smaus is also available.<ref name=TPHOLS2009>A. Schimpf, S. Merz, and J.-G. Smaus, "Construction of Büchi Automata for LTL Model Checking Verified in Isabelle/HOL," Proc. International Conference on Theorem Proving in Higher Order Logics (TPHOLs 2009), pp. 424-439, Munich, Germany, Springer, August 2009.
The above construction creates exponentially many states upfront and many of those states may be unreachable.▼
▲</ref>
The following algorithm has two steps.▼
▲The
In step one, it incrementally constructs a directed graph stored in a tableaux. In step two, it builds an [[labeled generalized Büchi automaton]] (LGBA) by defining nodes of the graph as states and directed edges as transitions.▼
▲The following algorithm avoids this upfront construction and has two steps.
In the first step, it incrementally constructs a directed graph.
▲In
This algorithm takes reachability into account and may produce a smaller automaton but the worst-case complexity remains the same.
The nodes of the graph are labeled by sets of formulas and are obtained by decomposing formulas according to their Boolean structure, and by expanding the temporal operators in order to separate what has to be true immediately from what has to be true from the next state
f<sub>1</sub> '''U''' f<sub>2</sub> is equivalent to f<sub>2</sub> ∨ ( f<sub>1</sub> ∧ '''X'''(f<sub>1</sub> '''U''' f<sub>2</sub>) ).
The equivalent expansion suggests that f<sub>1</sub> '''U''' f<sub>2</sub> is true in one of the following two conditions.
# f<sub>1</sub> holds
# f<sub>2</sub> holds
In the first case, we have offloaded a part of burden of proof in the next time step
therefore we also create another state (node) that will carry the obligation for next time step in its label.
We also need to consider temporal operator '''R''' that may cause such case split.
f<sub>1</sub> '''R''' f<sub>2</sub> is equivalent to ( f<sub>1</sub> ∧ f<sub>2</sub>) ∨ ( f<sub>2</sub> ∧ '''X'''(f<sub>1</sub> '''R''' f<sub>2</sub>) )
and this equivalent expansion suggests that f<sub>1</sub> '''R''' f<sub>2</sub> is true in one of the following two conditions.
# f<sub>2</sub> holds
# ( f<sub>1</sub> ∧ f<sub>2</sub>) holds
To avoid many cases in the following algorithm, let us define functions ''
{| class="wikitable"
|-
! f !!
|-
| f<sub>1</sub> '''U''' f<sub>2</sub> || {f<sub>1</sub>} || { f<sub>1</sub> '''U''' f<sub>2</sub> } || {f<sub>2</sub>}
Line 157 ⟶ 144:
For a node q, ''Now''(q) denotes the set of formulas that must be satisfied by the rest of the input word if the automaton is currently at node(state) q.
''Next''(q) denotes the set of formulas that must be satisfied by the rest of the input word if the automaton is currently at the next node(state) after q.
{{pre|1=
'''typedefs'''
'''LTL''': LTL formulas
'''LTLSet''': Sets of LTL formulas
'''NodeSet''': Sets of graph nodes ∪ {init}
'''globals'''
''Nodes'' : set of graph nodes := ∅
''Incoming'': ''Nodes'' → '''NodeSet''' := ∅
''Now'' : ''Nodes'' → '''LTLSet''' := ∅
''Next'' : ''Nodes'' → '''LTLSet''' := ∅
'''function''' ''create_graph''('''LTL''' f) {
expand({f}, ∅, ∅, {init}
'''return''' (''Nodes'', ''Now'', ''Incoming'')
}
}}
'''function''' expand('''LTLSet'''
1: '''if'''
2: '''if''' ∃q ∈ ''Nodes'': ''Next''(q)=next ∧ ''Now''(q)=old '''then'''
3: ''Incoming''(q) := ''Incoming''(q) ∪ incoming
Line 186 ⟶ 174:
10: expand(''Next''(q), ∅, ∅, {q})
11: '''else'''
12: f ∈
13:
14: old := old ∪ {f}
15: '''match''' f '''with'''
Line 194 ⟶ 182:
18: '''skip'''
19: '''else'''
20: expand(
21: | f<sub>1</sub> ∧ f<sub>2</sub> →
22: expand(
23: | '''X''' g →
24: expand(
25: | f<sub>1</sub> ∨ f<sub>2</sub>, f<sub>1</sub> '''U''' f<sub>2</sub>, or f<sub>1</sub> '''R''' f<sub>2</sub> →
26: expand(
27: expand(
28: '''return'''
}
Line 208 ⟶ 196:
Each call to ''expand'' aims to add a node and its successors nodes in the graph.
The parameters of the call describes a potential new node.
* The first parameter ''
* The second parameter ''old'' contains the set of formulas that are already expanded. * The third parameter ''next'' is the set of the formula using which successor node will be created.
* The fourth parameter ''incoming'' defines set of incoming edges when the node is added to the graph.
If the ''curr'' is empty then at line 2 the '''if''' condition checks if there already exists a state q' with same set of expanded formulas.
If that is the case, then we do not add a redundant node, but we add parameter ''incoming'' in ''Incoming''(q') at line 3.
Otherwise, we add a new node q using the parameters at lines 5–9 and we start expanding a successor node of q using ''next''(q) as its unexpanded set of formulas at line 10.
In the case ''
At lines 12–14, a formula f from ''
Depending on structure of f, the rest of the function executes.
* If f is a literal, then expansion continues at line 20, but if ''old'' already contains ''neg''(f) or f='''false''', then ''old'' contains an inconsistent formula and we discard this node by not making any recursive all at line 18.
* If f = f<sub>1</sub> ∧ f<sub>2</sub>, then f<sub>1</sub> and f<sub>2</sub> are added to ''curr'' and a recursive call is made for further expansion at line 22.
* If f = '''X''' f<sub>1
* If f = f<sub>1</sub> ∨ f<sub>2</sub>, f = f<sub>1</sub> '''
<!--
There are following four possible results of the call.
Line 233 ⟶ 224:
Let (''Nodes'', ''Now'', ''Incoming'') = create_graph(f).
An equivalent LGBA to f is ''A''=(''Nodes'', 2<sup>''AP''</sup>, ''L'', Δ, ''Q''<sub>0</sub>, '''F'''), where
* ''L'' = { (q,a) | q ∈ ''Nodes'' and (''Now''(q) ∩ ''AP'') ⊆ a ⊆ {p ∈
* Δ = {(q,q')| q,q' ∈ Nodes and q ∈ Incoming(q') }
* ''Q''<sub>0</sub> = { q ∈ Nodes | init ∈ ''
* For each sub-formula g = g<sub>1</sub> '''
Note that node labels in the algorithmic construction
==Tools==
*[
*[http://www.lsv
*[
*[https://owl.model.in.tum.de/ Owl's LTL2NBA] - LTL2NBA translator included in Java library Owl. Online translator available.
==References==
Line 250 ⟶ 242:
{{DEFAULTSORT:Linear temporal logic to Buchi automaton}}
[[Category:Automata
[[Category:Model checking]]
[[Category:Temporal logic]]
| |||