Post on 12-Jan-2016
Beyond Vacuity: Towards the Strongest Passing Formula
Hana Chockler (IBM Research), Arie Gurfinkel (SEI), Ofer Strichman (Technion - Israel Institute of Technology)
(Appeared in FMCAD'08)
IBM HRL
2
Preliminaries
The players: an LTL formula φ in NNF, a structure M such that M ⊨ φ, and a literal occurrence l in φ.
l does not affect φ in M if M ⊨ φ[l ← false].
If such a literal exists, φ is satisfied vacuously in M.
Connection with the original definition of vacuity [BBER01].
3
Preliminaries
φ = G(req → ack)
M: ¬req (req never holds in M)
M ⊨ φ[ack ← false]
Perhaps we should have written a stronger property φ' = G(¬req).
"satisfies vacuously" = "satisfies for the wrong reasons"
4
Preliminaries
Vacuity can be checked with respect to literal occurrences.
φ = G(p U (q U ¬p))
Renaming: each literal appears once
φ = G(p1 U (q U p2))
Requires changing M, e.g., replace p' = exp with p1' = exp and p2' = ¬exp
5
Mutual vacuity [GC04]
Find the largest number of literals that can be replaced with false without falsifying φ in M.
φ = p U (q U r)
M: r (r holds in the initial state of M)
Replacing both p and q with false leaves φ[p, q ← false] = r, which M still satisfies.
6
Question
What is the strongest formula that is satisfied by M and still "captures the user's intent" (= "based on φ")?
7
Towards the strongest formula – step I
If there are several possible strongest replacements of literals with false, we can take all of them:
φ = a ∨ b ∨ c
M ⊨ φ[a, b ← false] = c, M ⊨ φ[a, c ← false] = b, M ⊨ φ[b, c ← false] = a
φ[a, b ← false] ∧ φ[a, c ← false] ∧ φ[b, c ← false] = a ∧ b ∧ c
M ⊨ (a ∧ b ∧ c)
8
Towards the strongest formula – step II
We can compute vacuity separately for each path:
φ = p U (q U r)
M: two paths, π1 (p, then r) and π2 (q, then r)
π1 ⊨ φ[q ← false] = p U r
π2 ⊨ φ[p ← false] = q U r
M ⊨ ((p U r) ∨ (q U r))
Note that φ is not vacuous in M.
9
Combining both steps
Φ(M,φ) = disjunction over all paths in M; each disjunct is a conjunction of all possible strongest formulas obtained from φ by applying mutual vacuity.
Example:
φ = (p ∨ q) U (r U v)
M: two paths, π1 (p and q, then v) and π2 (r, then v)
π1 ⊨ (p U v) ∧ (q U v)
π2 ⊨ r U v
Φ(M,φ) = ((p U v) ∧ (q U v)) ∨ (r U v)
10
We are not done yet …
Φ(M,φ) can be vacuous in M, because it can contain redundant disjuncts.
Modified example:
φ = (p ∨ q) U (r U v)
M: three paths, π1 (p and q, then v), π2 (r, then v) and π3 (v from the start)
Φ(M,φ) = ((p U v) ∧ (q U v)) ∨ (r U v) ∨ v
The disjunct v can be replaced with false without falsifying Φ(M,φ) in M: trying to get rid of vacuity, we created a vacuous formula!
11
Getting rid of vacuity in Φ(M,φ)
There is clearly a partial order between the disjuncts in Φ(M,φ), so we can keep only the weakest disjuncts:
Φ(M,φ) → Φmin(M,φ), by removing redundant disjuncts.
Φmin(M,φ) is the strongest formula that is satisfied in M from all the formulas in the Boolean closure of strengthened versions of φ.
It can be shown that: Φ(M,φ) ≡ Φmin(M,φ)
12
How?
An algorithm for computing Φmin(M,φ) has to enumerate paths in M (?) and compute all-mutual-vacuity of each path (?).
It's not so bad in practice.
13
The vacuity value
Example: φ = (p ∨ q) U (r U v); M: three paths, π1 (p and q, then v), π2 (r, then v) and π3 (v from the start)
The vacuity value vac(π, φ) is a set of sets of literals that can be replaced with false in φ without falsifying φ in π.
vac(π1, φ) = {{p,r},{q,r}}, vac(π2, φ) = {{p,q}}, vac(π3, φ) = {{p,q,r}}
(Here we only wrote the maximal elements.)
14
The Vacuity Lattice
For a set of literals L, the vacuity lattice V(L) is the set of downward-closed elements in 2^(2^L).
Example: lattice for L = {a,b}
[Figure: the six elements of V({a,b}), top to bottom: {{a,b},{a},{b},{}}; {{a},{b},{}}; {{a},{}} and {{b},{}}; {{}}; {}]
Denote each element by its maximal representatives:
[Figure: the same lattice, now labelled {{a,b}}; {{a},{b}}; {{a}} and {{b}}; {{}}; {}]
Remove arrows.
15
Another example of the vacuity lattice
Lattice V(L) for L = {a,b,c}: 20 elements rather than 2^(2^3) = 256.
[Figure: the 20 elements of V({a,b,c}) by maximal representatives: {}, {{}}, {{a}}, {{b}}, {{c}}, {{a},{b}}, {{a},{c}}, {{b},{c}}, {{a},{b},{c}}, {{a,b}}, {{a,c}}, {{b,c}}, {{a,b},{c}}, {{a,c},{b}}, {{b,c},{a}}, {{a,b},{a,c}}, {{a,b},{b,c}}, {{a,c},{b,c}}, {{a,b},{a,c},{b,c}}, {{a,b,c}}]
2^|L| ≤ |V(L)| ≤ 2^(2^|L|)
The exact size is unknown for |L| > 8 [DP02].
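Computing V(L) directly from the definition on the previous slide, as an added example (not code from the deck or the paper): enumerate the families of subsets of L, keep the downward-closed ones, count them, and label each element by its maximal representatives the way the figures do. The counts reproduce 6 for {a,b} and 20 for {a,b,c} and the bounds stated above; the function names are this example's own.

```python
"""Enumerate the vacuity lattice V(L): the downward-closed families of literal
sets, i.e. the downward-closed elements of 2^(2^L).  Names are this example's own."""
from itertools import combinations


def subsets(items):
    """All subsets of a sequence, as frozensets (order of generation is stable)."""
    items = list(items)
    return [frozenset(c) for k in range(len(items) + 1) for c in combinations(items, k)]


def is_downset(family):
    """Downward closed: every subset of a member is itself a member."""
    return all(t in family for s in family for t in subsets(s))


def vacuity_lattice(L):
    """The elements of V(L): those subsets of 2^L that are downward closed."""
    return [fam for fam in map(frozenset, subsets(subsets(sorted(L)))) if is_downset(fam)]


def maximal(element):
    """Maximal representatives, the way the deck labels lattice nodes."""
    return frozenset(s for s in element if not any(s < t for t in element))


def lattice_size(L):
    return len(vacuity_lattice(L))


def within_bounds(L):
    """2^|L| <= |V(L)| <= 2^(2^|L|), the bounds stated on the slide."""
    return 2 ** len(L) <= lattice_size(L) <= 2 ** (2 ** len(L))


def fmt(element):
    """Render an element by its maximal representatives, e.g. {{a},{b}}."""
    inner = ','.join('{' + ','.join(sorted(s)) + '}' for s in sorted(maximal(element), key=sorted))
    return '{' + inner + '}'


if __name__ == '__main__':
    # Brute force over all 2^(2^|L|) families; fine up to |L| = 3 (256 candidates).
    for L in ('', 'a', 'ab', 'abc'):
        print(f'|V({{{",".join(L)}}})| = {lattice_size(L)}   (2^(2^|L|) = {2 ** (2 ** len(L))})')
    print('V({a,b}):', ', '.join(sorted(fmt(e) for e in vacuity_lattice('ab'))))
```

The enumeration is exponential in 2^|L|, which is exactly why the slide's bound matters: for |L| = 4 there are already 65536 candidate families, and the true size of V(L) for |L| beyond 8 is unknown.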
16
Useful restrictions on the vacuity lattice
Let L = lit(φ).
1. Let V(φ) ⊆ V(L) be the set of elements that correspond to satisfiable formulas.
2. Let V(M,φ) ⊆ V(φ) be the subset of V(φ) that corresponds to witnesses in M.
φ = G(a ∨ b ∨ c)
[Figure: the lattice V({a,b,c}), with the elements {{a,b},{c}} and {{b,c}} marked]
17
Useful restrictions on the vacuity lattice
3. Let Vmin(M,φ) ⊆ V(M,φ) be the frontier of V(M,φ) from below.
[Figure: the lattice V({a,b,c})]
18
From Vmin(M,φ) to Φmin(M,φ) by example
φ = G(a ∨ b ∨ c)
Φmin(M,φ) = G(c) ∨ (G(b ∨ c) ∧ G(a ∨ b))
[Figure: the lattice V({a,b,c})]
19
So how do we compute Vmin(M,φ)?
V = ∅
While M contains a path π such that vac(π, φ) ∉ V↑,
    add vac(π, φ) to V.
Vmin(M,φ) = minimal elements in V.
[Figure: the lattice V({a,b,c}) with the elements {{a},{c}}, {{a,b}} and {{}} highlighted; the upset of V (V↑) and Vmin are indicated]
20
So how do we compute Vmin(M,φ)?
V = ∅
While M contains a path π such that vac(π, φ) ∉ V↑,   (model checking)
    add vac(π, φ) to V.
Vmin(M,φ) = minimal elements in V.
How do we find the next such path?
- brute-force model checking, or
- via a lattice automaton
How do we compute its vacuity value?
21
Finding the next path π
We need a path π with a vacuity value outside V↑.
[Figure: the lattice V({a,b,c}) with the elements {{a},{c}}, {{a,b}} and {{}} highlighted]
22
Finding the next path π / single element in V
Let L be a set of literals. For s ⊆ L let φ_s = φ[l ← false | l ∈ s]. For v ∈ V(L) let C(v) = ⋀_{s ∈ v} φ_s.
Example: φ = G(a ∨ b ∨ c)
v = {{a},{c}}; C(v) = G(b ∨ c) ∧ G(a ∨ b)
[Figure: the lattice V({a,b,c}) with the elements {{a},{c}}, {{a,b}} and {{}} highlighted]
A counterexample to M ⊨ C(v) must be out of v↑.
23
Finding the next path π / multiple elements in V
Let L be a set of literals. For s ⊆ L let φ_s = φ[l ← false | l ∈ s]. For v ∈ V(L) let C(v) = ⋀_{s ∈ v} φ_s.
For V ⊆ V(L) let C(V) = ⋁_{v ∈ V} C(v).
Example: φ = G(a ∨ b ∨ c)
v1 = {{a},{c}}, v2 = {{a,b}}
C(V) = (G(b ∨ c) ∧ G(a ∨ b)) ∨ (G(c))
[Figure: the lattice V({a,b,c}) with the elements {{a},{c}}, {{a,b}} and {{}} highlighted]
A counterexample to M ⊨ C(V) must be out of V↑.
24
Finding the vacuity value of a path
Given π and φ, compute vac(π, φ). Several options:
1. Traverse the vacuity lattice (2-exp in lit(φ)): in BFS order on V(φ) − V↑ from the top, if π ⊨ C(v) return v.
2. An approach based on the subset lattice (1-exp in lit(φ), for each π).
3. An approach based on a lattice automaton (between 1-exp and 2-exp in lit(φ), but only once).
25
2. Computing vac(π) with the subset lattice
Let S = ⟨2^lit(φ), ⊇⟩
vac(π) = ∅
For each s ∈ S:   // BFS from the top
    if π ⊨ φ_s
        vac(π) = vac(π) ∪ {s}; remove s from S
[Figure: the subset lattice for {a,b,c}: {a,b,c} at the top, then {a,b}, {a,c}, {b,c}, then {a}, {b}, {c}, then {} at the bottom]
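The subset-lattice procedure above, the vacuity values of the slide "The vacuity value", the Vmin / C(v) / Φmin construction of the preceding slides, and the observation on the backup slide about (p ∨ q) U r, carried out in Python as an added example (not code from the deck or the paper): an LTL evaluator over lasso-shaped paths, a top-down search of the subset lattice for vac(π, φ) that keeps only maximal sets, the lattice order on maximal representatives, Vmin, C(v), the disjuncts of Φmin, and the "l affects φ in M" test from the first slide. The tuple encoding of formulas, the (prefix, loop) representation of paths and all helper names are this example's own assumptions; the sample structures are constructed to match the deck's pictures.

```python
"""Vacuity values, Vmin and Phi_min on lasso-shaped paths.  Formulas are
NNF tuples: ('lit', 'p') / ('lit', '!p'), ('true',), ('false',),
('and', f, g), ('or', f, g), ('U', f, g), ('G', f), ('F', f); each literal
occurs once (the deck's renaming).  A path is a lasso (prefix, loop), two
lists of sets of true atoms.  Encoding and names are this example's own."""
from itertools import combinations

def holds(path, f, i=0):
    """Does the lasso path satisfy f at position i?  Positions past the prefix
    are folded into the loop, so the recursion stays bounded."""
    prefix, loop = path
    n, L = len(prefix), len(loop)
    i = i if i < n else n + (i - n) % L
    state, op = (prefix[i] if i < n else loop[i - n]), f[0]
    later = range(i, i + n + L)  # reaches every distinct position from i on
    if op in ('true', 'false'):
        return op == 'true'
    if op == 'lit':
        return (f[1].lstrip('!') in state) != f[1].startswith('!')
    if op in ('and', 'or'):
        a, b = holds(path, f[1], i), holds(path, f[2], i)
        return (a and b) if op == 'and' else (a or b)
    if op in ('G', 'F'):
        return (all if op == 'G' else any)(holds(path, f[1], j) for j in later)
    for j in later:  # op == 'U': f[1] must hold until f[2] does
        if holds(path, f[2], j):
            return True
        if not holds(path, f[1], j):
            return False
    return False

def literals(f):
    return {f[1]} if f[0] == 'lit' else set().union(*(literals(g) for g in f[1:]))

def subst(f, s):
    """f_s = f[l <- false | l in s]."""
    if f[0] == 'lit':
        return ('false',) if f[1] in s else f
    return (f[0],) + tuple(subst(g, s) for g in f[1:])

def simplify(f):
    """Fold the constant false away so that C(v) reads like the deck's formulas."""
    if f[0] in ('lit', 'true', 'false'):
        return f
    op, args, false = f[0], tuple(simplify(g) for g in f[1:]), ('false',)
    if op == 'or' and false in args:
        return args[1] if args[0] == false else args[0]
    if (op == 'and' and false in args) or (op == 'U' and args[1] == false):
        return false
    if op in ('G', 'F', 'U') and args[0] == false:
        return args[1] if op == 'U' else false  # false U g == g; G/F false == false
    return (op,) + args

def vac(path, f):
    """vac(pi, f): maximal sets of literals replaceable with false without falsifying
    f on pi, by BFS from the top of the subset lattice.  A path that violates f
    gets the empty family, the lattice bottom {}."""
    lits, maximal = sorted(literals(f)), []
    for k in range(len(lits), -1, -1):
        for s in map(frozenset, combinations(lits, k)):
            if any(s <= m for m in maximal):
                continue  # f_s is monotone in s: subsets of a hit are hits too
            if holds(path, subst(f, s)):
                maximal.append(s)
    return frozenset(maximal)

def leq(v, w):
    """Lattice order on maximal representatives: downset(v) is a subset of downset(w)."""
    return all(any(s <= t for t in w) for s in v)

def vmin(paths, f):
    """Vmin(M, f): the minimal elements among the paths' vacuity values."""
    values = {vac(p, f) for p in paths}
    return {v for v in values if not any(w != v and leq(w, v) for w in values)}

def conj(v, f):
    """C(v), the conjunction of f_s over s in v (the maximal sets suffice)."""
    parts = [simplify(subst(f, s)) for s in sorted(v, key=sorted)]
    out = parts[0] if parts else ('true',)
    for g in parts[1:]:
        out = ('and', out, g)
    return out

def phi_min(paths, f):
    """The disjuncts of Phi_min(M, f): one C(v) for each v in Vmin(M, f)."""
    return {conj(v, f) for v in vmin(paths, f)}

def affects(paths, f, lit):
    """Literal lit affects f in M iff M does not satisfy f[lit <- false]."""
    return not all(holds(p, subst(f, {lit})) for p in paths)

# Constructed inputs: the deck's M (paths pi1, pi2, pi3) with phi = (p | q) U (r U v),
# and the backup slide's M (rho1, rho2) with psi = (p | q) U r.
PHI = ('U', ('or', ('lit', 'p'), ('lit', 'q')), ('U', ('lit', 'r'), ('lit', 'v')))
PI1, PI2, PI3 = ([{'p', 'q'}], [{'v'}]), ([{'r'}], [{'v'}]), ([], [{'v'}])
PSI = ('U', ('or', ('lit', 'p'), ('lit', 'q')), ('lit', 'r'))
RHO1, RHO2 = ([{'p', 'q'}], [{'r'}]), ([{'q'}], [{'r'}])
```

Running `vac(PI1, PHI)`, `vac(PI2, PHI)` and `vac(PI3, PHI)` reproduces the three values on the slide (maximal elements only), `vmin([PI1, PI2, PI3], PHI)` drops the value of π3 because {{p,q}} lies below {{p,q,r}}, and `phi_min` then yields the two disjuncts (r U v) and (q U v) ∧ (p U v). On the backup example `vmin([RHO1, RHO2], PSI)` is {{{p}}}, not {{}}, and accordingly `affects([RHO1, RHO2], PSI, 'p')` is False: M ⊨ ψ[p ← false]. Conjoining only the maximal sets in C(v) is sound because φ_s implies φ_t whenever t ⊆ s.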
26
3. Computing vac(π) with a vacuity automaton
A vacuity automaton is a lattice automaton [Kupferman-Lustig 07] over the vacuity lattice. A lattice automaton maps an input word to a value on the lattice.
The vacuity automaton A_φ maps each path π to the vacuity value of φ on π.
So we: compute A_φ (once); simulate π on A_φ to get vac(π).
...details in [CGS08]
27
Some observations about V(φ) and V(M,φ)
If the minimal element of V(φ) is not {{}}, then φ is satisfied vacuously in all structures – called inherently vacuous [FKSV08].
Example: F(a ∨ b)
[Figure: the lattice V({a,b})]
28
Some observations about V(φ) and V(M,φ)
If {{}} is the minimal element of V(M,φ), then M has an interesting witness for φ.
[Figure: the lattice V({a,b})]
29
Some observations about V(φ) and V(M,φ)
If … then φ is vacuous in M.
[Figure: the lattice V({a,b,c}) with the elements {{a},{c}}, {{a,b}} and {{}} highlighted]
30
Summary
Defined the formulas Φ(M,φ) and Φmin(M,φ)
Proved that they are the strongest
Showed how to compute them
31
Backup slides
32
The complexity is … hideous! (in theory)
O(|V(M,φ)| · |M| · 2^(|φ| · 2^|φ|))
The annotations on the slide: |V(M,φ)| is the number of elements in V(M,φ); |M| · 2^(…) is the cost of model checking; |φ| · 2^|φ| is the size of a formula that corresponds to a lattice element; 2^|φ| is the number of sets of literals.
33
How to find π and compute its vacuity value:
We define the notion of vacuity automata. A vacuity automaton is a lattice automaton [KL07] over the vacuity lattice. A lattice automaton maps an input word to a value on the lattice.
The vacuity automaton A_φ maps each path π to the vacuity value of φ on π:
L(A_φ)(π) = vac(π, φ)
Actually, we first translate φ to a Latticed LTL formula …details are in the paper
34
Lattice Automata [KL07]
Lattice automata are an extension of finite automata: we allow transitions to be labeled with values from the lattice.
For an automaton A and a word w, the value of a run r of A on w is the meet of all intermediate lattice values obtained during r.
The value of A on w is the join of all values of accepting runs of A on w (in case A is non-deterministic).
The acceptance condition of lattice Büchi automata is the same as for standard Büchi.
Example: G(a ∨ b)
[Figure: a Büchi automaton for G(a ∨ b), an accepting state with a self-loop on the letters {a}, {b}, {a,b}]
35
Lattice Automata [KL07]
Example: G(a ∨ b)
[Figure: the vacuity lattice automaton for G(a ∨ b), states s0 and s1; each transition is labelled ⟨letter, lattice value⟩: ⟨{a},{{b}}⟩, ⟨{b},{{a}}⟩, ⟨{a,b},{{a},{b}}⟩, and two further transitions on any letter (*)]
36
Example: G(a ∨ b)
[Figure: the vacuity lattice automaton for G(a ∨ b), states s0 and s1; transitions labelled ⟨letter, lattice value⟩: ⟨{a},{{b}}⟩, ⟨{b},{{a}}⟩, ⟨{a,b},{{a},{b}}⟩, and two further transitions on any letter (*)]
We'll consider three words of the accepting run through s0:
word w                      lattice value = vac(w,φ)    indeed…
a · a · a · a · …           {{b}}                       w ⊨ G(a)
b · b · b · b · …           {{a}}                       w ⊨ G(b)
(ab) · (ab) · (ab) · …      {{a},{b}}                   w ⊨ G(a) ∧ G(b)
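The run of this automaton on the three words above, simulated in Python as an added example (not code from the deck or the paper): lattice elements are kept as downward-closed families, the value of a run is the meet (intersection) of the transition values, Büchi acceptance is decided on the recurring part of a lasso word, and a rejected word gets the bottom element, so a word like a·b·a·b·… (neither literal replaceable) comes out as {{}} and a word that violates G(a ∨ b) as {}. The s0 self-loop follows the picture; treating s1 as a rejecting sink entered on a letter where neither a nor b holds, and the names DELTA, run_value and downset, are this example's own assumptions.

```python
"""A vacuity lattice automaton for G(a | b), simulated on lasso words.  Lattice
elements are downward-closed families of literal sets (frozenset of frozensets):
meet = intersection, join = union, TOP = all subsets of {a, b}, BOTTOM = the
empty family, which marks a word that is not a witness at all."""
from itertools import combinations


def downset(*maximal):
    """The lattice element with the given maximal representatives."""
    return frozenset(frozenset(c) for m in maximal
                     for k in range(len(m) + 1) for c in combinations(sorted(m), k))


TOP, BOTTOM = downset({'a', 'b'}), frozenset()
EMPTY = downset(())  # {{}}: nothing is replaceable, a non-vacuous witness
LETTERS = [frozenset(s) for s in ((), ('a',), ('b',), ('a', 'b'))]

# Transition table (state, letter) -> (next state, lattice value).  The s0
# self-loop follows the deck's picture; the assumption of this example is that
# s1 is a rejecting sink, entered on a letter where neither a nor b holds.
DELTA = {
    ('s0', LETTERS[1]): ('s0', downset({'b'})),         # a holds: b is replaceable
    ('s0', LETTERS[2]): ('s0', downset({'a'})),         # b holds: a is replaceable
    ('s0', LETTERS[3]): ('s0', downset({'a'}, {'b'})),  # either one, but not both
    ('s0', LETTERS[0]): ('s1', TOP),                    # G(a | b) violated
}
DELTA.update({('s1', letter): ('s1', TOP) for letter in LETTERS})
ACCEPTING = {'s0'}  # Büchi condition: visit s0 infinitely often


def run_value(word):
    """Value of the automaton on a lasso word (prefix, loop): the meet of the
    transition values along the run, or BOTTOM if the run is not accepting.
    DELTA is deterministic, so the join over accepting runs is this one run."""
    prefix, loop = word
    state, value = 's0', TOP
    for letter in prefix:
        state, v = DELTA[(state, letter)]
        value &= v
    rounds = {}  # loop-boundary state -> (state after one round, states visited)
    while state not in rounds:  # the boundary state repeats within |Q| rounds
        start, visited = state, set()
        for letter in loop:
            state, v = DELTA[(state, letter)]
            value &= v
            visited.add(state)
        rounds[start] = (state, visited)
    cycle, inf_often = set(), set()  # states visited on the recurring rounds
    while state not in cycle:
        cycle.add(state)
        state, visited = rounds[state]
        inf_often |= visited
    return value if inf_often & ACCEPTING else BOTTOM


def maximal(element):
    """Maximal representatives of a lattice element, for printing."""
    return sorted(sorted(s) for s in element if not any(s < t for t in element))


if __name__ == '__main__':
    A, B, AB, NONE = LETTERS[1], LETTERS[2], LETTERS[3], LETTERS[0]
    for name, word in (('a a a ...', ([], [A])), ('b b b ...', ([], [B])),
                       ('(ab)(ab)...', ([], [AB])), ('a b a b ...', ([], [A, B])),
                       ('a {} {} ...', ([A], [NONE]))):
        print(f'{name:14} value = {maximal(run_value(word))}')
```

Because the meet is taken over every transition of the run, mixing the letters {a} and {b} collapses the value to {{}}: each letter alone would allow one replacement, but no single literal is replaceable on the whole word, which is exactly vac(w, G(a ∨ b)) for such a word.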
37
Computing Φ(M,φ) and Φmin(M,φ) with the vacuity lattice automata
Observation: the vacuity value vac(M,φ) = the emptiness value of M × A_vac(¬φ)
Recall the algorithm for computing Φ(M,φ):
V = ∅
While M contains a path π such that vac(π, φ) ∉ V,
    add vac(π, φ) to V.
Return V.
Here we use vacuity lattice automata to compute the vacuity values of paths.
Possible improvement: 1. take one path; 2. use its vacuity value to build an intermediate formula; 3. model-check the result; 4. take a counterexample.
38
Some cool observations about V(φ) and V(M,φ)
If {{}} is the minimal element of V(M,φ), then M has an interesting witness for φ (a path that satisfies φ non-vacuously). Otherwise, either φ is vacuous in M …
Example: φ = (p ∨ q) U r; M: two paths, π1 (p and q, then r) and π2 (q, then r)
vac(π1) = {{q},{p}}, vac(π2) = {{p}}, M ⊨ φ[p ← false]