3 COMP 1 5 9 3 Algorithmic Verification LTL Model Checking and - - PowerPoint PPT Presentation

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

COMP 3 9 1 5 3 Algorithmic Verification

LTL Model Checking and B¨ uchi Automata

• Dr. Liam O’Connor

CSE, UNSW (for now) Term 1 2020

1

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

LTL Model Checking

M | = ϕ

Kripke Structure ??? LTL Formula

2

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

LTL Model Checking

M | = ϕ

Kripke Structure ??? LTL Formula

↓ ↓ MA ϕA

B¨ uchi Automaton B¨ uchi Automaton

3

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

LTL Model Checking

M | = ϕ

Kripke Structure ??? LTL Formula

↓ ↓ L(MA) ⊆ L(ϕA)

B¨ uchi Automaton B¨ uchi Automaton

4

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

LTL Model Checking

M | = ϕ

Kripke Structure ??? LTL Formula

↓ ↓ L(MA) ⊆ L(ϕA)

B¨ uchi Automaton B¨ uchi Automaton B¨ uchi Automata B¨ uchi Automata are like finite automata, but their languages are

• f infinite-length strings, so they work well for behaviours ∈ (2P)ω.

5

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

B¨ uchi Automata

Definition A (generalized) B¨ uchi automaton is a 5-tuple (Q, I, Σ, δ, F) where Q is a set of states. I ⊆ Q is a set of initial states. Σ is our alphabet of actions. δ : (Q × Σ) → 2Q is our transition relation. F ⊆ Q is a set of final states.

6

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

B¨ uchi Automata

Definition A (generalized) B¨ uchi automaton is a 5-tuple (Q, I, Σ, δ, F) where Q is a set of states. I ⊆ Q is a set of initial states. Σ is our alphabet of actions. δ : (Q × Σ) → 2Q is our transition relation. F ⊆ Q is a set of final states. Language We consider σ ∈ L(A) for a B¨ uchi automaton A iff it visits a particular final state infinitely often. More formally, define inf(ρ) = { q | q appears infinitely often in ρ }, then we say trace(ρ) ∈ L(A) ⇔ inf(ρ) ∩ F = ∅

7

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

q0 q1 q2 a c b b a

• acaaaaaaa. . .

8

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

q0 q1 q2 a c b b a

• acaaaaaaa. . .

Accepted

• acbcbcbcb. . .

9

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

q0 q1 q2 a c b b a

• acaaaaaaa. . .

Accepted

• acbcbcbcb. . .

Accepted

• acbbbbbbb. . .

10

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

q0 q1 q2 a c b b a

• acaaaaaaa. . .

Accepted

• acbcbcbcb. . .

Accepted

• acbbbbbbb. . .

Rejected

11

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Exercise

Let Σ = {0, 1}. Define B¨ uchi automata for the following languages. L1 = {v ∈ Σω | 0 occurs in v exactly once }

12

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Exercise

Let Σ = {0, 1}. Define B¨ uchi automata for the following languages. L1 = {v ∈ Σω | 0 occurs in v exactly once } L2 = {v ∈ Σω | every 0 is followed at least one 1}

13

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Exercise

Let Σ = {0, 1}. Define B¨ uchi automata for the following languages. L1 = {v ∈ Σω | 0 occurs in v exactly once } L2 = {v ∈ Σω | every 0 is followed at least one 1} L3 = {v ∈ Σω | v contains infinitely many 1s}

14

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Exercise

Let Σ = {0, 1}. Define B¨ uchi automata for the following languages. L1 = {v ∈ Σω | 0 occurs in v exactly once } L2 = {v ∈ Σω | every 0 is followed at least one 1} L3 = {v ∈ Σω | v contains infinitely many 1s} L4 = (01)∗Σω

15

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Closure Properties

B¨ uchi Automata are closed under: Union (same as NFAs)

16

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Closure Properties

B¨ uchi Automata are closed under: Union (same as NFAs) Intersection (as we will show)

17

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Closure Properties

B¨ uchi Automata are closed under: Union (same as NFAs) Intersection (as we will show) Complement (as we will refer to textbooks — it’s hard)

18

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Closure Properties

B¨ uchi Automata are closed under: Union (same as NFAs) Intersection (as we will show) Complement (as we will refer to textbooks — it’s hard)

19

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Intersection of GBAs

p0 p1 a a q0 q1 a a

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Intersection of GBAs

p0 p1 a a q0 q1 a a (p0, q0) (p0, q1) (p1, q0) (p1, q1)

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Intersection of GBAs

p0 p1 a a q0 q1 a a (p0, q0) (p0, q1) (p1, q0) (p1, q1) a a

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Intersection of GBAs

p0 p1 a a q0 q1 a a (p0, q0) (p0, q1) (p1, q0) (p1, q1) a a NFA product doesn’t work!

23

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Triple Product

An accepting cycle of a product of B¨ uchi automata P × Q must cycle through accepting states of both P and Q infinitely often. Arbitrarily, we shall say it must alternate by visiting a final state of Q then P then Q and so on. This doesn’t affect expressivity because we are only concerned with infinite strings.

24

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Triple Product

An accepting cycle of a product of B¨ uchi automata P × Q must cycle through accepting states of both P and Q infinitely often. Arbitrarily, we shall say it must alternate by visiting a final state of Q then P then Q and so on. This doesn’t affect expressivity because we are only concerned with infinite strings. Key idea Make three copies of the product: P × Q × {0, 1, 2}. Copy ’0’ is marked with initial states IP × IQ. Copy ’2’ is entirely marked as final states. Transition relation like normal product, but:

We move from copy 0 to copy 1 when moving to a state ∈ FQ. We move from copy 1 to copy 2 when moving to a state ∈ FP. All transitions from copy 2 move back to copy 0.

25

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

p0 p1 a a q0 q1 a a

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

p0 p1 a a q0 q1 a a

p0q0 p0q1 p1q0 p1q1

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

p0 p1 a a q0 q1 a a

p0q0 p0q1 p1q0 p1q1 p0q0 p0q1 p1q0 p1q1

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

p0 p1 a a q0 q1 a a

p0q0 p0q1 p1q0 p1q1 p0q0 p0q1 p1q0 p1q1 p0q0 p0q1 p1q0 p1q1

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

p0 p1 a a q0 q1 a a

p0q0 p0q1 p1q0 p1q1 p0q0 p0q1 p1q0 p1q1 p0q0 p0q1 p1q0 p1q1

a

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

p0 p1 a a q0 q1 a a

p0q0 p0q1 p1q0 p1q1 p0q0 p0q1 p1q0 p1q1 p0q0 p0q1 p1q0 p1q1

a a

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

p0 p1 a a q0 q1 a a

p0q0 p0q1 p1q0 p1q1 p0q0 p0q1 p1q0 p1q1 p0q0 p0q1 p1q0 p1q1

a a

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

p0 p1 a a q0 q1 a a

p0q0 p0q1 p1q0 p1q1 p0q0 p0q1 p1q0 p1q1 p0q0 p0q1 p1q0 p1q1

a a a

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

p0 p1 a a q0 q1 a a

p0q0 p0q1 p1q0 p1q1 p0q0 p0q1 p1q0 p1q1 p0q0 p0q1 p1q0 p1q1

a a a a

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

p0 p1 a a q0 q1 a a

p0q0 p0q1 p1q0 p1q1 p0q0 p0q1 p1q0 p1q1 p0q0 p0q1 p1q0 p1q1

a a a a

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

p0 p1 a a q0 q1 a a

p0q0 p0q1 p1q0 p1q1 p0q0 p0q1 p1q0 p1q1 p0q0 p0q1 p1q0 p1q1

a a a a a

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

p0 p1 a a q0 q1 a a

p0q0 p1q1 p0q0 p1q1

a a a a

37

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

B¨ uchi Product

Let A1 = (Q1, I1, Σ1, δ1, F1) and A2 = (Q2, I2, Σ2, δ2, F2). Definition Define A∩ with Q = Q1 × Q2 × {0, 1, 2}, and I = I1 × I2 × {0}, Σ = Σ1 ∩ Σ2 and F = Q1 × Q2 × {3}. We define δ as follows:

((q1, q2, 0), a, (q′

1, q′ 2, 0)) ∈ δ

iff (qi, a, q′

i) ∈ δi (i = 1, 2) ∧ q′ 1 /

∈ F1 ((q1, q2, 0), a, (q′

1, q′ 2, 1)) ∈ δ

iff (qi, a, q′

i) ∈ δi (i = 1, 2) ∧ q′ 1 ∈ F1

((q1, q2, 1), a, (q′

1, q′ 2, 1)) ∈ δ

iff (qi, a, q′

i) ∈ δi (i = 1, 2) ∧ q′ 1 /

∈ F2 ((q1, q2, 1), a, (q′

1, q′ 2, 2)) ∈ δ

iff (qi, a, q′

i) ∈ δi (i = 1, 2) ∧ q′ 1 ∈ F2

((q1, q2, 2), a, (q′

1, q′ 2, 0)) ∈ δ

iff (qi, a, q′

i) ∈ δi (i = 1, 2)

38

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

LTL Model Checking L(AM) ⊆ L(AΦ)

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

LTL Model Checking L(AM) ⊆ L(AΦ) ≡ L(AM) ∩ L(AΦ)C = ∅

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

LTL Model Checking L(AM) ⊆ L(AΦ) ≡ L(AM) ∩ L(AΦ)C = ∅ ≡ L(AM) ∩ L(A¬Φ) = ∅

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

LTL Model Checking L(AM) ⊆ L(AΦ) ≡ L(AM) ∩ L(AΦ)C = ∅ ≡ L(AM) ∩ L(A¬Φ) = ∅ ≡ L(AM × A¬Φ) = ∅

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

LTL Model Checking L(AM) ⊆ L(AΦ) ≡ L(AM) ∩ L(AΦ)C = ∅ ≡ L(AM) ∩ L(A¬Φ) = ∅ ≡ L(AM × A¬Φ) = ∅

We still need to know how to: Determine if L(A) = ∅ for a B¨ uchi automaton A. Convert a Kripke structure M to a B¨ uchi automaton AM Convert a LTL formula Φ to a B¨ uchi automaton AΦ.

43

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

B¨ uchi from Kripke

p, q q, s p, r

44

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

B¨ uchi from Kripke

p, q q, s p, r How to convert We add a new initial state, move labels on the states to all incoming edges, and make all states final.

45

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

B¨ uchi from Kripke

p, q q, s p, r How to convert We add a new initial state, move labels on the states to all incoming edges, and make all states final.

{p, q} {q, s} {p, q} {p, r} {p, q}

46

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

B¨ uchi Automata Emptiness

Theorem (B¨ uchi pumping) Given a B¨ uchi Automaton A = (Q, I, Σ, δ, F) then L(A) = ∅ iff there exists v, w ∈ Σ∗ with lengths ≤ |Q| such that vwω ∈ L(A).

47

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

B¨ uchi Automata Emptiness

Theorem (B¨ uchi pumping) Given a B¨ uchi Automaton A = (Q, I, Σ, δ, F) then L(A) = ∅ iff there exists v, w ∈ Σ∗ with lengths ≤ |Q| such that vwω ∈ L(A). We need to find a final state that is: Reachable from an initial state. Reachable from itself — a cycle.

48

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

B¨ uchi Automata Emptiness

Theorem (B¨ uchi pumping) Given a B¨ uchi Automaton A = (Q, I, Σ, δ, F) then L(A) = ∅ iff there exists v, w ∈ Σ∗ with lengths ≤ |Q| such that vwω ∈ L(A). We need to find a final state that is: Reachable from an initial state. Reachable from itself — a cycle. How to detect cycles?

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

B¨ uchi Automata Emptiness

Theorem (B¨ uchi pumping) Given a B¨ uchi Automaton A = (Q, I, Σ, δ, F) then L(A) = ∅ iff there exists v, w ∈ Σ∗ with lengths ≤ |Q| such that vwω ∈ L(A). We need to find a final state that is: Reachable from an initial state. Reachable from itself — a cycle. How to detect cycles? We use Strongly Connected Components!. Many algorithms exist (see online).

50

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

How to convert from LTL formulae to B¨ uchi Automata? For atomic formulae, it’s straightforward: p ∧ q

51

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

How to convert from LTL formulae to B¨ uchi Automata? For atomic formulae, it’s straightforward: p ∧ q {p, q} Σ p ⇒ q

52

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

How to convert from LTL formulae to B¨ uchi Automata? For atomic formulae, it’s straightforward: p ∧ q {p, q} Σ p ⇒ q {p, q} ¬p Σ We can manually construct them for temporal formulae, but how to do so systematically?

53

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Methods of LTL to B¨ uchi

Many exist. All are complicated. Tableau Methods (Kersten, Manna, McGuire, Pnueli or Geth, Peled, Vardi, Wolper) Automata Theoretic (Vardi) Local and Eventuality Automata (Vardi, Wolper) Local and Eventuality Automata

1

Reduce number of operators to just UNTIL and X.

54

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Methods of LTL to B¨ uchi

Many exist. All are complicated. Tableau Methods (Kersten, Manna, McGuire, Pnueli or Geth, Peled, Vardi, Wolper) Automata Theoretic (Vardi) Local and Eventuality Automata (Vardi, Wolper) Local and Eventuality Automata

1

Reduce number of operators to just UNTIL and X.

2

Construct a local automaton for Φ — describes behaviours that satisfy the safety component of Φ.

55

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Methods of LTL to B¨ uchi

Many exist. All are complicated. Tableau Methods (Kersten, Manna, McGuire, Pnueli or Geth, Peled, Vardi, Wolper) Automata Theoretic (Vardi) Local and Eventuality Automata (Vardi, Wolper) Local and Eventuality Automata

1

Reduce number of operators to just UNTIL and X.

2

Construct a local automaton for Φ — describes behaviours that satisfy the safety component of Φ.

3

Construct a eventuality automaton for Φ — ensures “termination”, the liveness aspect of Φ.

56

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Methods of LTL to B¨ uchi

Many exist. All are complicated. Tableau Methods (Kersten, Manna, McGuire, Pnueli or Geth, Peled, Vardi, Wolper) Automata Theoretic (Vardi) Local and Eventuality Automata (Vardi, Wolper) Local and Eventuality Automata

1

Reduce number of operators to just UNTIL and X.

2

Construct a local automaton for Φ — describes behaviours that satisfy the safety component of Φ.

3

Construct a eventuality automaton for Φ — ensures “termination”, the liveness aspect of Φ.

4

Intersect the two automata, then reduce the alphabet to just atomic propositions.

57

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Closure and Maximal Subsets

Closure The closure Cl(Φ) of an LTL formula Φ is the set of all subformulae of Φ and their negation.

58

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Closure and Maximal Subsets

Closure The closure Cl(Φ) of an LTL formula Φ is the set of all subformulae of Φ and their negation. What is the closure of • U • ?

59

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Closure and Maximal Subsets

Closure The closure Cl(Φ) of an LTL formula Φ is the set of all subformulae of Φ and their negation. What is the closure of • U • ? Maximal Subsets Define Sub(Φ) of an LTL formula Φ as the set of all maximal subsets of Cl(Φ) that are locally consistent (not contradictory).

60

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Local Automaton

Definition The local automaton for AL

Φ for a formula Φ is defined as

(Q, I, Σ, δ, F) where: Q = Sub(Φ)

61

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Local Automaton

Definition The local automaton for AL

Φ for a formula Φ is defined as

(Q, I, Σ, δ, F) where: Q = Sub(Φ) I = { S ∈ Sub(Φ) | Φ ∈ S }

62

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Local Automaton

Definition The local automaton for AL

Φ for a formula Φ is defined as

(Q, I, Σ, δ, F) where: Q = Sub(Φ) I = { S ∈ Sub(Φ) | Φ ∈ S } Σ = 2Cl(Φ)

63

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Local Automaton

Definition The local automaton for AL

Φ for a formula Φ is defined as

(Q, I, Σ, δ, F) where: Q = Sub(Φ) I = { S ∈ Sub(Φ) | Φ ∈ S } Σ = 2Cl(Φ) F = I

64

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Local Automaton

Definition The local automaton for AL

Φ for a formula Φ is defined as

(Q, I, Σ, δ, F) where: Q = Sub(Φ) I = { S ∈ Sub(Φ) | Φ ∈ S } Σ = 2Cl(Φ) F = I q ∈ δ(p, a) if a = p and

65

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Local Automaton

Definition The local automaton for AL

Φ for a formula Φ is defined as

(Q, I, Σ, δ, F) where: Q = Sub(Φ) I = { S ∈ Sub(Φ) | Φ ∈ S } Σ = 2Cl(Φ) F = I q ∈ δ(p, a) if a = p and

• Xϕ ∈ p

if ϕ ∈ q

• ϕ U ψ ∈ p

if ψ ∈ p

• r

ϕ ∈ p ∧ (ϕ U ψ) ∈ q Whats the local automaton for X• ?

66

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

Whats the local automaton for • U • ?

(the edge actions are always just the origin state, so they’re omitted) { • U • , • , • } { • U • , ¬• , • } { • U • , • , ¬• } { ¬(• U • ), • , ¬• } { ¬(• U • ), ¬• , ¬• }

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

Whats the local automaton for • U • ?

(the edge actions are always just the origin state, so they’re omitted) { • U • , • , • } { • U • , ¬• , • } { • U • , • , ¬• } { ¬(• U • ), • , ¬• } { ¬(• U • ), ¬• , ¬• } { • U • , • , • }

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

Whats the local automaton for • U • ?

(the edge actions are always just the origin state, so they’re omitted) { • U • , • , • } { • U • , ¬• , • } { • U • , • , ¬• } { ¬(• U • ), • , ¬• } { ¬(• U • ), ¬• , ¬• } { • U • , • , • }

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

Whats the local automaton for • U • ?

(the edge actions are always just the origin state, so they’re omitted) { • U • , • , • } { • U • , ¬• , • } { • U • , • , ¬• } { ¬(• U • ), • , ¬• } { ¬(• U • ), ¬• , ¬• } { • U • , • , • } { • U • , ¬• , • }

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

Whats the local automaton for • U • ?

(the edge actions are always just the origin state, so they’re omitted) { • U • , • , • } { • U • , ¬• , • } { • U • , • , ¬• } { ¬(• U • ), • , ¬• } { ¬(• U • ), ¬• , ¬• } { • U • , • , • } { • U • , ¬• , • }

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

Whats the local automaton for • U • ?

(the edge actions are always just the origin state, so they’re omitted) { • U • , • , • } { • U • , ¬• , • } { • U • , • , ¬• } { ¬(• U • ), • , ¬• } { ¬(• U • ), ¬• , ¬• } { • U • , • , • } { • U • , ¬• , • } { • U • , • , ¬• }

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

Whats the local automaton for • U • ?

(the edge actions are always just the origin state, so they’re omitted) { • U • , • , • } { • U • , ¬• , • } { • U • , • , ¬• } { ¬(• U • ), • , ¬• } { ¬(• U • ), ¬• , ¬• } { • U • , • , • } { • U • , ¬• , • } { • U • , • , ¬• }

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

Whats the local automaton for • U • ?

(the edge actions are always just the origin state, so they’re omitted) { • U • , • , • } { • U • , ¬• , • } { • U • , • , ¬• } { ¬(• U • ), • , ¬• } { ¬(• U • ), ¬• , ¬• } { • U • , • , • } { • U • , ¬• , • } { • U • , • , ¬• } { ¬(• U • ), • , ¬• }

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

Whats the local automaton for • U • ?

(the edge actions are always just the origin state, so they’re omitted) { • U • , • , • } { • U • , ¬• , • } { • U • , • , ¬• } { ¬(• U • ), • , ¬• } { ¬(• U • ), ¬• , ¬• } { • U • , • , • } { • U • , ¬• , • } { • U • , • , ¬• } { ¬(• U • ), • , ¬• }

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

Whats the local automaton for • U • ?

(the edge actions are always just the origin state, so they’re omitted) { • U • , • , • } { • U • , ¬• , • } { • U • , • , ¬• } { ¬(• U • ), • , ¬• } { ¬(• U • ), ¬• , ¬• } { • U • , • , • } { • U • , ¬• , • } { • U • , • , ¬• } { ¬(• U • ), • , ¬• } { ¬(• U • ), ¬• , ¬• }

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

Whats the local automaton for • U • ?

(the edge actions are always just the origin state, so they’re omitted) { • U • , • , • } { • U • , ¬• , • } { • U • , • , ¬• } { ¬(• U • ), • , ¬• } { ¬(• U • ), ¬• , ¬• } { • U • , • , • } { • U • , ¬• , • } { • U • , • , ¬• } { ¬(• U • ), • , ¬• } { ¬(• U • ), ¬• , ¬• }

77

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Eventuality Automaton

The local automaton accepts just the safety part of our formula. So, our example on the previous slide would accept an infinite sequence of • .

78

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Eventuality Automaton

The local automaton accepts just the safety part of our formula. So, our example on the previous slide would accept an infinite sequence of • . To ensure that the second part of UNTIL actually happens, we use an eventuality automaton.

79

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Eventuality Automaton

The local automaton accepts just the safety part of our formula. So, our example on the previous slide would accept an infinite sequence of • . To ensure that the second part of UNTIL actually happens, we use an eventuality automaton. Eventuality Automaton The eventuality automaton AE

Φ for a formula Φ is defined as

(Q, I, Σ, δ, F) where the states Q are all sets of UNTIL formulae in Cl(Φ), the initial and final state is ∅, the actions Σ are the same as the local automaton Sub(Φ), and δ is defined as follows: q ∈ δ(p, a) iff a is consistent with p and

80

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Eventuality Automaton

The local automaton accepts just the safety part of our formula. So, our example on the previous slide would accept an infinite sequence of • . To ensure that the second part of UNTIL actually happens, we use an eventuality automaton. Eventuality Automaton The eventuality automaton AE

Φ for a formula Φ is defined as

(Q, I, Σ, δ, F) where the states Q are all sets of UNTIL formulae in Cl(Φ), the initial and final state is ∅, the actions Σ are the same as the local automaton Sub(Φ), and δ is defined as follows: q ∈ δ(p, a) iff a is consistent with p and When p = ∅ : For all (ϕ U ψ) ∈ a one has (ϕ U ψ) ∈ q iff ψ / ∈ a When p = ∅ : For all (ϕ U ψ) ∈ p one has (ϕ U ψ) ∈ q iff ψ / ∈ a

81

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

The current state of the eventuality automaton reflects the set of UNTIL formulae we are waiting on. Example for • U • : ∅

• U •

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

The current state of the eventuality automaton reflects the set of UNTIL formulae we are waiting on. Example for • U • : ∅

• U •

{ • U • , • , ¬• }

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

The current state of the eventuality automaton reflects the set of UNTIL formulae we are waiting on. Example for • U • : ∅

• U •

{ • U • , • , ¬• } { • U • , • , • } { • U • , ¬• , • } { ¬(• U •), • , ¬• } { ¬(• U •), ¬• , ¬• }

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

The current state of the eventuality automaton reflects the set of UNTIL formulae we are waiting on. Example for • U • : ∅

• U •

{ • U • , • , ¬• } { • U • , • , • } { • U • , ¬• , • } { ¬(• U •), • , ¬• } { ¬(• U •), ¬• , ¬• } { • U • , ¬• , • } { • U • , • , • }

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

The current state of the eventuality automaton reflects the set of UNTIL formulae we are waiting on. Example for • U • : ∅

• U •

{ • U • , • , ¬• } { • U • , • , • } { • U • , ¬• , • } { ¬(• U •), • , ¬• } { ¬(• U •), ¬• , ¬• } { • U • , ¬• , • } { • U • , • , • } { • U • , • , ¬• }

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Example

The current state of the eventuality automaton reflects the set of UNTIL formulae we are waiting on. Example for • U • : ∅

• U •

{ • U • , • , ¬• } { • U • , • , • } { • U • , ¬• , • } { ¬(• U •), • , ¬• } { ¬(• U •), ¬• , ¬• } { • U • , ¬• , • } { • U • , • , • } { • U • , • , ¬• } No other consistent edges!

87

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Alphabet Reduction

Our model automata AM has just atomic propositions for actions, but our formula automaton AL

Φ × AE Φ includes temporal

propositions in the actions.

88

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Alphabet Reduction

Our model automata AM has just atomic propositions for actions, but our formula automaton AL

Φ × AE Φ includes temporal

propositions in the actions. Solution After computing the product of local and eventuality automata, however, we can simply remove all negations and temporal propositions from the actions, leaving only atomic propositions behind. Then we can compute the final product of our model with our negated formula as normal.

89

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Complexity

Each node in a local automaton contains each subformula,

90

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Complexity

Each node in a local automaton contains each subformula, |Q| exponential in size of formula. Eventuality automata has each combination of UNTILs,

91

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Complexity

Each node in a local automaton contains each subformula, |Q| exponential in size of formula. Eventuality automata has each combination of UNTILs, |Q| exponential in number of UNTILs. Then product, reduction to reachable states, alphabet reduction, and final product.

92

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Complexity

Each node in a local automaton contains each subformula, |Q| exponential in size of formula. Eventuality automata has each combination of UNTILs, |Q| exponential in number of UNTILs. Then product, reduction to reachable states, alphabet reduction, and final product. Then SCCs to find cycles, check emptiness.

93

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Complexity

Each node in a local automaton contains each subformula, |Q| exponential in size of formula. Eventuality automata has each combination of UNTILs, |Q| exponential in number of UNTILs. Then product, reduction to reachable states, alphabet reduction, and final product. Then SCCs to find cycles, check emptiness. Tons of overhead. Other methods are smarter (but even more complicated).

94

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

SPIN

Liam: Whirlwind tour of SPIN, preview of next lecture 95

B¨ uchi Automata LTL Model Checking LTL to B¨ uchi Automata

Bibliography

Baier/Katoen: Principles of Model Checking, Section 5.2

96