Automata, Logics, and Infinite Games S. Pinchinat IRISA, Rennes, - PowerPoint PPT Presentation


  1. Automata, Logics, and Infinite Games S. Pinchinat IRISA, Rennes, France Master2 RI 2007 S. Pinchinat (IRISA) Automata, Logics, and Infinite Games Master2 RI 2007 1 / 79

  2. Section 1, Temporal Logics and Model-checking: Introductory Example; Kripke Structures; Behavioral Properties - The logics LTL and CTL∗; Fundamental Questions
     Section 2, Games: Generalities; Parity Games; Memoryless Determinacy of Parity Games; Solving Parity Games
     Section 3, Automata on Infinite Objects: Generalities; Non-deterministic Parity Tree Automata; Alternating Tree Automata; Decision Problems; Emptiness of Non-deterministic Tree Automaton
     Section 4, The Mu-calculus: Definitions; From the Mu-calculus to Alternating Parity Tree Automata; From Alternating Tree Automata to the Mu-calculus

  3. Temporal Logics and Model-checking / Introductory Example: Model-Checking
     The Model-checking Problem: given a system Sys and a specification Spec, decide whether Sys satisfies Spec.
     Example: Mutual exclusion protocol

     | Process 1: repeat          | Process 2: repeat          |
     |----------------------------|----------------------------|
     | 00: non-critical section 1 | 00: non-critical section 2 |
     | 01: wait unless turn = 0   | 01: wait unless turn = 1   |
     | 10: critical section 1     | 10: critical section 2     |
     | 11: turn := 1              | 11: turn := 0              |

     A state is a bit vector (line no. of process 1, line no. of process 2, value of turn). Start from (00000).
     Spec = “a state (1010b) is never reached”, and “always when a state (01bcd) is reached, then later a state (10b’c’d’) is reached” (and similarly for Process 2, i.e. states (bc01d) and (b’c’10d’)).

  4. Temporal Logics and Model-checking / Introductory Example: The Formal Approach
     Models of systems are Kripke Structures.
     Specification languages are Temporal Logics.

  5. Temporal Logics and Model-checking / Kripke Structures: Kripke Structures
     Assume given $\mathit{Prop} = \{p_1, \ldots, p_n\}$, a set of atomic propositions (properties).
     A Kripke Structure over $\mathit{Prop}$ is $\mathcal{S} = (S, R, \lambda)$
     ◮ $S$ is a set of states (worlds)
     ◮ $R \subseteq S \times S$ is a transition relation
     ◮ $\lambda : S \to 2^{\mathit{Prop}}$ associates those $p_i$ which are assumed true in $s$.
     Write $\lambda(s)$ as a bit vector $(b_1, \ldots, b_n)$ with $b_i = 1$ iff $p_i \in \lambda(s)$.
     A rooted Kripke Structure is a pair $(\mathcal{S}, s)$ where $s$ is a distinguished state, called the initial state.

  6. Temporal Logics and Model-checking / Kripke Structures: Mutual Exclusion Protocol
     Use $p_1, p_2$ for “being in wait instruction before critical section of Process 1, or Process 2 respectively”.
     Use $p_3, p_4$ for “being in critical section of Process 1, or Process 2 respectively”.
     Example of label function: $\lambda(01101) = \{p_1, p_4\}$ (encoded by (1001)).
     The relation $R$ is as defined by the transitions of the protocol.

  7. Temporal Logics and Model-checking / Kripke Structures: A Toy System
     Over two propositions $p_1, p_2$.
     [Figure: a Kripke structure whose states are labeled with two-component bit vectors; the drawing is not recoverable.]

  8. Temporal Logics and Model-checking / Kripke Structures: Paths and Words
     Let $\mathcal{S} = (S, R, \lambda)$ be a Kripke Structure over $\mathit{Prop}$.
     A path through $(\mathcal{S}, s)$ is a sequence $s_0, s_1, s_2, \ldots$ where $s_0 = s$ and $(s_i, s_{i+1}) \in R$ for $i \geq 0$.
     Its corresponding word ($\in (\mathbb{B}^n)^\omega$) is $\lambda(s_0), \lambda(s_1), \lambda(s_2), \ldots$.
     [Figure: an example word $\alpha$ read along a path in the toy system; its letters are not recoverable.]
     If $\alpha = \alpha(0)\alpha(1)\ldots \in (\mathbb{B}^n)^\omega$:
     1. $\alpha^i$ stands for $\alpha(i)\alpha(i+1)\ldots$ So $\alpha = \alpha^0$.
     2. $(\alpha(i))_j$ is the $j$th component of $\alpha(i)$.

  9. Temporal Logics and Model-checking / Behavioral Properties - The logics LTL and CTL∗: Linear Time Logic for Properties of Words [Eme90]
     We use modalities:
     ◮ G denotes “Always”
     ◮ F denotes “Eventually”
     ◮ X denotes “Next”
     ◮ U denotes “Until”
     The syntax of the logic LTL is:
     $\varphi_1, \varphi_2 \ (\ni \mathrm{LTL}) ::= p \mid \varphi_1 \vee \varphi_2 \mid \neg\varphi_1 \mid X\varphi_1 \mid \varphi_1 \, U \, \varphi_2$
     where $p \in \mathit{Prop}$.
     Other Boolean connectives true, false, $\varphi_1 \wedge \varphi_2$, $\varphi_1 \Rightarrow \varphi_2$, and $\varphi_1 \Leftrightarrow \varphi_2$ are defined via the usual abbreviations.

  10. Temporal Logics and Model-checking / Behavioral Properties - The logics LTL and CTL∗: Semantics of LTL
      Define $\alpha^i \models \varphi$ by induction over $\varphi$ (where $\alpha$ is a word):
      ◮ $\alpha^i \models p_j$ iff $(\alpha(i))_j = 1$
      ◮ $\alpha^i \models \varphi_1 \vee \varphi_2$ iff ...
      ◮ $\alpha^i \models \neg\varphi_1$ iff
      ◮ $\alpha^i \models X\varphi_1$ iff $\alpha^{i+1} \models \varphi_1$
      ◮ $\alpha^i \models \varphi_1 \, U \, \varphi_2$ iff for some $j \geq i$, $\alpha^j \models \varphi_2$, and for all $k = i, \ldots, j-1$, $\alpha^k \models \varphi_1$
      $F\varphi \stackrel{\text{def}}{=} \text{true} \, U \, \varphi$, hence $\alpha^i \models F\varphi$ iff $\alpha^j \models \varphi$ for some $j \geq i$.
      Let $G\varphi \stackrel{\text{def}}{=} \neg F \neg\varphi$, hence $\alpha^i \models G\varphi_1$ iff $\alpha^j \models \varphi_1$ for every $j \geq i$.

  11. Temporal Logics and Model-checking / Behavioral Properties - The logics LTL and CTL∗: Examples
      Formulas over $p_1$ and $p_2$:
      1. $\alpha \models GF\,p_1$ iff “in $\alpha$, infinitely often 1 appears in the first component”.
      2. $\alpha \models XX(p_2 \Rightarrow F\,p_1)$ iff “if the second component of $\alpha(2)$ is 1, so will be the first component of $\alpha(j)$ for some $j \geq 2$”.
      3. $\alpha \models F(p_1 \wedge X(\neg p_2 \, U \, p_1))$ iff “$\alpha$ has two letters $\binom{1}{\star}$ such that in between only letters $\binom{\star}{0}$ occur”.

  12. Temporal Logics and Model-checking / Behavioral Properties - The logics LTL and CTL∗: Augmenting LTL: the logic CTL∗
      We want to specify that every word of $(\mathcal{S}, s)$ satisfies an LTL specification $\varphi$, or that there exists a word in the Kripke Structure such that something holds.
      We use CTL∗ [EH83], which extends LTL with quantifications over words:
      $\psi_1, \psi_2 \ (\ni \mathrm{CTL}^*) ::= E\psi \mid p \mid \psi_1 \vee \psi_2 \mid \neg\psi_1 \mid X\psi_1 \mid \psi_1 \, U \, \psi_2$
      Semantics: for a word $\alpha$, a position $i$, and a rooted Kripke Structure $(\mathcal{S}, s)$:
      $\alpha^i \models E\psi$ iff $\alpha'^i \models \psi$ for some $\alpha'$ in $(\mathcal{S}, s)$ s.t. $\alpha[0, \ldots, i] = \alpha'[0, \ldots, i]$
      Let $A\psi \stackrel{\text{def}}{=} \neg E \neg\psi$.
      CTL∗ is more expressive than LTL: $A[G\,\text{life} \Rightarrow GEX\,\text{death}]$

  13. Temporal Logics and Model-checking / Behavioral Properties - The logics LTL and CTL∗: Interpretation over Trees
      We unravel $\mathcal{S} = (S, R, \lambda)$ from $s$ as a tree $t_{(\mathcal{S}, s)}$.
      Paths of $\mathcal{S}$ are retrieved in the tree $t_{(\mathcal{S}, s)}$ as branches.
      [Figure: a Kripke structure $\mathcal{S}$ with states $s_0, s_1, s_2$ beside its unraveling $t_{(\mathcal{S}, s_0)}$, whose nodes are the finite paths $s_0$, $s_0 s_1$, $s_0 s_2$, ...]

  14. Temporal Logics and Model-checking / Behavioral Properties - The logics LTL and CTL∗: Σ-Labeled Full Binary Trees
      For simplicity we assume that states have exactly two successors ⇒ we consider (only) binary trees.
      The full binary tree $T^\omega$ is the set $\{0,1\}^*$ of finite words over a two element alphabet.
      The root is the empty word $\epsilon$.
      A node $w \in \{0,1\}^*$ has left son $w0$ and right son $w1$.
      A Σ-labeled full binary tree is a function $t : \{0,1\}^* \to \Sigma$.
      $\mathit{Trees}(\Sigma)$ is the set of Σ-labeled full binary trees.
      If the formulas are over the set $\mathit{Prop}$ of propositions, then take $\Sigma = 2^{\mathit{Prop}}$ (or equivalently $\mathbb{B}^n$).

  15. Temporal Logics and Model-checking / Behavioral Properties - The logics LTL and CTL∗: Example
      [Figure: the full binary tree $T^\omega$ with nodes $\epsilon$, 0, 1, 00, 01, 10, 11 beside a labeled tree $t$ with labels a and b.]

  16. Temporal Logics and Model-checking / Fundamental Questions: Model-checking and Satisfiability
      The Model-checking Problem: does a tree $t$ satisfy the specification Spec?
      The Satisfiability Problem: is there a tree model of the specification Spec?
      Model-checking = Program Verification
      Satisfiability = Program Synthesis

  17. Temporal Logics and Model-checking / Fundamental Questions: About the content of this course
      Tree Automata: devices which recognize models of formulas:
      $\Phi \rightsquigarrow \mathcal{A}_\Phi$ such that $L(\mathcal{A}_\Phi) = \{ t \in \mathit{Trees}(\Sigma) \mid t \models \Phi \}$
      The Model-checking Problem $\rightsquigarrow$ The Membership Problem
      The Satisfiability Problem $\rightsquigarrow$ The Emptiness Problem
      Games are fundamental to solve those.
      Mu-calculus is a unifying logical formalism.

  18. Games / Generalities: Games
      Two-person games on directed graphs.
      How are they played?
      What is a strategy?
      What does it mean to say that a player wins the game?
      Determinacy, forgetful strategies, memoryless strategies.

  19. Games / Generalities: Arena
      An arena (or a game graph) is $G = (V_0, V_1, E)$
      ◮ $V_0$ Player 0 positions, and $V_1$ Player 1 positions (partition of $V$)
      ◮ $E \subseteq V \times V$ is the edge relation
      ◮ write $\sigma \in \{0, 1\}$ to designate a player, and $\bar{\sigma} = 1 - \sigma$
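For the mutual exclusion protocol of slides 3 and 6, the following added example (not part of the original slides) builds the Kripke structure and checks the safety part of Spec, "a state (1010b) is never reached", by breadth-first reachability. It assumes interleaving semantics (one process moves per step) and models waiting at line 01 as a self-loop; the function names and the `guarded=False` variant, which drops the wait test to show what a counterexample looks like, are constructed for illustration.

```python
from collections import deque

# State = (l1, l2, turn): line numbers of Process 1 and 2 (0..3 for 00..11)
# and the value of turn, i.e. the slides' bit vector (l1 l2 turn).
INIT = (0, 0, 0)

def step(line, turn, me, guarded):
    """One move of process `me` (1 or 2): returns (new_line, new_turn)."""
    if line == 1 and guarded and turn != me - 1:
        return line, turn              # 01: wait unless turn = me - 1
    if line == 3:
        return 0, 2 - me               # 11: turn := 1 (P1) or turn := 0 (P2)
    return line + 1, turn              # 00 -> 01 -> 10 -> 11

def successors(state, guarded=True):
    """Transition relation R (assumption: exactly one process moves per step)."""
    l1, l2, turn = state
    n1, t1 = step(l1, turn, 1, guarded)
    n2, t2 = step(l2, turn, 2, guarded)
    return {(n1, l2, t1), (l1, n2, t2)}

def label(state):
    """lambda(s): p1/p2 = waiting at line 01, p3/p4 = in critical section."""
    l1, l2, _ = state
    props = {"p1": l1 == 1, "p2": l2 == 1, "p3": l1 == 2, "p4": l2 == 2}
    return {p for p, holds in props.items() if holds}

def check_mutex(guarded=True):
    """BFS from INIT. Returns (visited_states, counterexample_path_or_None)
    for the safety property 'a state (1010b) is never reached'."""
    parent = {INIT: None}
    queue = deque([INIT])
    while queue:
        s = queue.popleft()
        if {"p3", "p4"} <= label(s):   # both processes in their critical section
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return set(parent), path[::-1]
        for t in sorted(successors(s, guarded)):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return set(parent), None

if __name__ == "__main__":
    states, cex = check_mutex()
    print(len(states), "reachable states, violation:", cex)
    print("without the wait test:", check_mutex(guarded=False)[1])
```

The liveness part of Spec ("always when (01bcd) is reached, then later (10b'c'd') is reached") is not a reachability question and is not checked here.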
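The LTL semantics of slide 10 can be executed on ultimately periodic words $\alpha = u\,v^\omega$, which have finitely many distinct suffixes $\alpha^i$. The following added example (not part of the original slides) does so and evaluates the three formulas of slide 11; the tuple encoding of formulas, the function names and the two sample words are constructed for illustration, and the clauses for ∨ and ¬ are the standard Boolean ones.

```python
def sat_positions(formula, u, v):
    """Positions i (0 <= i < len(u)+len(v)) of alpha = u v^omega with alpha^i |= formula.
    Formulas are tuples: ("p", j), ("or", f, g), ("not", f), ("X", f), ("U", f, g)."""
    if not v:
        raise ValueError("the periodic part v must be non-empty")
    word = list(u) + list(v)
    n, loop = len(word), len(u)
    nxt = [i + 1 if i + 1 < n else loop for i in range(n)]  # position of alpha^(i+1)

    def sat(f):
        op = f[0]
        if op == "p":                      # alpha^i |= p_j iff (alpha(i))_j = 1
            return {i for i in range(n) if word[i][f[1] - 1] == 1}
        if op == "or":
            return sat(f[1]) | sat(f[2])
        if op == "not":
            return set(range(n)) - sat(f[1])
        if op == "X":                      # alpha^i |= X f iff alpha^(i+1) |= f
            inner = sat(f[1])
            return {i for i in range(n) if nxt[i] in inner}
        if op == "U":                      # least fixed point of g or (f and X(f U g))
            left, result = sat(f[1]), set(sat(f[2]))
            while True:
                new = {i for i in left if nxt[i] in result} - result
                if not new:
                    return result
                result |= new
        raise ValueError(f"unknown operator {op!r}")

    return sat(formula)

def models(formula, u, v):
    """alpha |= formula, i.e. alpha^0 |= formula."""
    return 0 in sat_positions(formula, u, v)

# Abbreviations from the slides: true, F, G, and the derived Boolean connectives.
P1, P2 = ("p", 1), ("p", 2)
TRUE = ("or", P1, ("not", P1))
def F(f): return ("U", TRUE, f)
def G(f): return ("not", F(("not", f)))
def AND(f, g): return ("not", ("or", ("not", f), ("not", g)))
def IMPLIES(f, g): return ("or", ("not", f), g)

EXAMPLES = {                               # the three formulas of slide 11
    "GF p1": G(F(P1)),
    "XX(p2 => F p1)": ("X", ("X", IMPLIES(P2, F(P1)))),
    "F(p1 & X(!p2 U p1))": F(AND(P1, ("X", ("U", ("not", P2), P1)))),
}
# Constructed sample words, as (u, v) with letters (first, second component).
WORD_A = ([(0, 1)], [(1, 0), (0, 0)])      # (0,1) ((1,0)(0,0))^omega
WORD_B = ([(1, 0)], [(0, 1)])              # (1,0) (0,1)^omega
```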
