Model CheckingLecture 3

Specification Automata

Syntax, given a set A of atomic observations:S finite set of statesS0 S set of initial states S S transition relation: S PL(A) where the formulas of PL are

::= a | | for a A

Specification Omega Automata

Syntax as for finite automata, in addition the following acceptance condition:

Buchi: BA S

Language L(M) of specification omega-automaton

M = (S, S0, , , BA ) :

infinite trace t0, t1, ... L(M) iff

there exists an infinite run s0 s1 ... of M

such that 1. s0 s1 ... satisfies BA 2. for all i 0, ti |= (si)

Let Inf(s) = { p | p = si for infinitely many i }.

The infinite run s satisfies the acceptance condition BAiff

Inf(s) BA

(K,q) |=L M iff L(K,q) L(M)

Linear semantics of specification omega automata:

omega-language containment

infinite traces

Response specification automaton : (a b) assuming (a b) = false

a b

ba

s1

s2

s3

s0

Buchi condition { s0, s3 }

Response monitor automaton : (a b) assuming (a b) = false

a bs1 s2

Buchi condition { s2 }

s0

true

Outline

1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness

2 Graph algorithms for model checking3 Symbolic algorithms for model checking 4 Pushdown systems

Model-Checking Algorithms = Graph Algorithms

1 Safety: -solve: finite monitors ( emptiness)-algorithm: reachability (linear)

2 Liveness:-solve: Buchi monitors ( emptiness)-algorithm: strongly connected components (linear)

We will talk about STL and CTL model checking later.

From specification automata to monitor automata:determinization (exponential) + complementation (easy)

From LTL to monitor automata:complementation (easy) + tableau construction (exponential)

Algorithms

1 Reachability2 Strongly connected

components3 Tableau construction

Finite Emptiness

Given: finite automaton (S, S0, , , FA)Find: is there a path from a state in S0 to a state in FA ?

Fix a set A of atomic observations

State-transition graph K

Q set of states Q Q transition relation[ ]: Q 2A observation function

Monitor automaton M

S finite set of statesS0 S set of initial states S S transition relationE S set of final states: S PL(A) where the formulas of PL are

::= a | | for a A

(K,q) |=C M iff L(K,q) L(M) = We construct another monitor automaton M’ such thatL(M’) = L(K,q) L(M)

S’ = {(q,s) Q S | [q] |= (s)} finite set of states({q} S0) S’ set of initial states(q,s) (q’,s’) transition relation iff q q’ and s s’ (Q E) S’ set of final states’: S’ PL(A) labeling function’(q,s) = conjunction of atomic observations in [q] and negated atomic observations not in [q]

languages over finite traces

Finite Emptiness

Given: monitor automaton (S, S0, , , E)Find: is there a path from a state in S0 to a state in E ?

Solution: depth-first or breadth-first search

dfs(s) { if (s E) then report error add s to dfsTable for each successor t of s if (t dfsTable) then dfs(t)}

Buchi Emptiness

Given: Buchi automaton (S, S0, , , BA)Find: is there an infinite path from a state in S0 that

visits some state in BA infinitely often ?

Monitor Buchi automaton M

S finite set of statesS0 S set of initial states S S transition relationBA S acceptance condition: S PL(A) where the formulas of PL are

::= a | | for a A

(K,q) |=C M iff L(K,q) L(M) = We construct another monitor Buchi automaton M’ such that L(M’) = L(K,q) L(M)

S’ = {(q,s) Q S | [q] |= (s)} finite set of states({q} S0) S’ set of initial states(q,s) (q’,s’) transition relation iff q q’ and s s’ (Q BA) S’ acceptance condition’: S’ PL(A) labeling function’(q,s) = conjunction of atomic observations in [q] and negated atomic observations not in [q]

languages over infinite traces

Buchi Emptiness

Given: Buchi automaton (S, S0, , , BA)Find: is there an infinite path from a state in S0 that

visits some state in BA infinitely often ?

Solution: 1. Compute SCC graph by depth-first search

2. Mark SCC C as fair iff C BA 3. Check if some fair SCC is reachable from

S0

Complexity

n number of states m number of transitions

Reachability: O(n+m)SCC: O(n+m)

Buchi emptiness• Two algorithms for SCC computation

– forward and backward DFS– forward HI-LO algorithm

• Storing SCCs requires lot of memory• Nested DFS

– checks Buchi emptiness without explicitly computing SCCs

dfs(s) { add s to dfsTable for each successor t of s if (t dfsTable) then dfs(t) if (s BA) then { seed := s; ndfs(s) }}

ndfs(s) { add s to ndfsTable for each successor t of s if (t ndfsTable) then ndfs(t) else if (t = seed) then report error}

Multi-Buchi Emptiness

Given: Multi-Buchi automaton (S, S0, , , BA1, …, BAn)Find: is there an infinite path from a state in S0 that

infinitely often visits some state in BAi for all i such that 1 i n ?

Solution: 1. Compute SCC graph by depth-first search

2. Mark SCC C as fair iff C BAi for all i such that 1 i n.

3. Check if some fair SCC is reachable from S0

Tableau Construction

Given: LTL formula Find: Multi-Buchi automaton M such that L(M) = L()

[Fischer & Ladner 1975; Manna & Wolper 1982]

monitors subformulas of

, ::= a | a | | | | U | W

( ) = ( ) = () = ()( U ) = ( W )( W ) = ( U )

Negation normal form

Fischer-Ladner Closure of a Formula

Sub (a) = { a, a }Sub (a) = { a, a }Sub () = { } Sub () Sub ()Sub () = { } Sub () Sub ()Sub () = { } Sub ()Sub (U) = { U, (U) } Sub () Sub ()Sub (W) = { W, (W) } Sub () Sub () | Sub () | = O(||)

s Sub () is consistentiff

-for all atomic propositions a(a) s iff a s

-if () Sub () then () s iff s and s

-if () Sub () then () s iff either s or s

-if (U) Sub () then (U) s iff either s

or s and (U) s-if (W) Sub () then

(W) s iff either s or s and (W) s

Fischer-Ladner Closure of a Formula

……Sub () = {, } Sub ()Sub () = {, } Sub ()

s Sub () is consistentiff

…-if () Sub () then

() s iff either s or s-if () Sub () then

() s iff s and s

Tableau M = (S, S0, , , BA1,…,BAn) S ... set of consistent subsets of Sub ()

s S0 iff ss t iff for all () Sub (),

if () s then t(s) ... conjunction of atomic observations in s and negated atomic observations not in sThere is an acceptance condition - for each (U) Sub () given by { s | s or (U) s }- for each () Sub () given by { s | s or () s }

Size of M is O(2||).

LTL model checking: PSPACE-complete