Tree Automata, Approximations, and Constraints for Verification - - PowerPoint PPT Presentation

Tree Automata, Approximations, and Constraints for Verification

Ph.D. thesis defence for Vincent Hugot, Supervised by O. Kouchnarenko and P.-C. Héam

{pheam,vhugot,okouchna}@femto-st.fr

University of Franche-Comté DGA & Inria/CASSIS & FEMTO-ST (DISC)

August 1, 2014

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Model-Checking

Introduced in [Clarke and Emerson, 1981, Queille and Sifakis, 1982]

Check M, s0 | = ϕ: “do all executions of M starting in s0 follow ϕ?” M finite states/transitions model s0 initial state ϕ the specification, in temporal logic Limited by state explosion. Prevented by parametrisation.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 1/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Regular Model-Checking

Introduced in [Kesten et al., 1997]

regular model-checking. states → finite words sets of states → finite-state automata transitions → finite-state transducers, semi-Thue systems q0 q1 q2 a b a ↔ { aa, aba, abba, . . . } Automata provide finite, tractable symbolic representations

• f infinite sets of states.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 2/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Regular Model-Checking

Introduced in [Kesten et al., 1997]

tree regular model-checking. states → finite trees sets of states → tree automata transitions → tree transducers, term rewriting systems q0 q1 q2 a b a ↔ { aa, aba, abba, . . . } Automata provide finite, tractable symbolic representations

• f infinite sets of states.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 2/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Reachability Analysis (in TRMC)

e.g. [Feuillade et al., 2004, Bouajjani and Touili, 2002]

S0 initial language tree automaton B set of “bad” states tree automaton R the transitions rewrite system or transducer R∗(S0) bbad B

?

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 3/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Reachability Analysis (in TRMC)

e.g. [Feuillade et al., 2004, Bouajjani and Touili, 2002]

S0 initial language tree automaton B set of “bad” states tree automaton R the transitions rewrite system or transducer R∗(S0) bbad B

?

Regularity-preserving classes, context-free step,. . .

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 3/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Reachability Analysis (in TRMC)

e.g. [Feuillade et al., 2004, Bouajjani and Touili, 2002]

S0 initial language tree automaton B set of “bad” states tree automaton R the transitions rewrite system or transducer R∗(S0) Approx bbad B

?

Regularity-preserving classes, context-free step,. . . Regular over- or under-approximations.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 3/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Variations on Reachability Analysis

With Rewriting: e.g. [Meseguer, 1992, Boyer and Genet, 2009, Courbis et al., 2009]

S0 B

Reachability analysis = ¬B.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 4/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Variations on Reachability Analysis

With Rewriting: e.g. [Meseguer, 1992, Boyer and Genet, 2009, Courbis et al., 2009]

S0 X X X Y

Reachability analysis = ¬B. More general: e.g. (X ⇒ ◦Y).

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 4/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Variations on Reachability Analysis

With Rewriting: e.g. [Meseguer, 1992, Boyer and Genet, 2009, Courbis et al., 2009]

S0

Reachability analysis = ¬B. More general: e.g. (X ⇒ ◦Y). Same on transitions: (♠ ⇒ ◦♠).

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 4/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

1

Model-Checking LTL on Rewrite Sequences Statement of the Central Problem Our Approach: An Overview

2

TAGE With a Bounded Number of Constraints Global Equality Constraints Overview of the Results

3

Other Works and Some Perspectives Results on SAT & Tree-Walking Automata Perspectives and Questions

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 4/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

1

Model-Checking LTL on Rewrite Sequences Statement of the Central Problem Our Approach: An Overview

2

TAGE With a Bounded Number of Constraints Global Equality Constraints Overview of the Results

3

Other Works and Some Perspectives Results on SAT & Tree-Walking Automata Perspectives and Questions

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 4/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Model-Checking Rewrite Sequences

[Meseguer, 1992]

Order of application of rewrite rules. Check R, Π | = ϕ, with R a term rewriting system (TRS) Π the initial (regular) tree language ϕ a linear temporal logic (LTL) formula Example: ϕ = (X ⇒ •Y) X, Y ⊆ R are sets of rules

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 5/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Model-Checking Rewrite Sequences

[Meseguer, 1992]

t0 ∈ Π ti tj . . . tn ui uj . . . un vi vj . . . vn X X X X R∗ R∗ R∗ R∗ ri ∈ X rj ∈ X rk ∈ X rn ∈ X r′

i ∈ Y

r′

j ∈ Y

r′

k ∈ Y

r′

n ∈ Y

ϕ = (X ⇒ •Y)

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 5/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Model-Checking Rewrite Sequences

[Meseguer, 1992]

Order of application of rewrite rules. Check R, Π | = ϕ, with R a term rewriting system (TRS) Π the initial (regular) tree language ϕ a linear temporal logic (LTL) formula Example: ϕ = (X ⇒ •Y) X, Y ⊆ R are sets of rules X = “ask PIN code” = { ask } Y = “authenticate or cancel” = { auth1, auth2, can }

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 5/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Model-Checking Rewrite Sequences

Overview of the Model-Checking Process

Whether R, Π | = ϕ is undecidable. R Π ϕ To Rew. Prop. To Approx. R, Π | = ϕ ? π δ1, . . . , δn Two-step positive approximated decision [Courbis et al., 2009]: π a rewrite proposition – language equation δk TAGE-based approximated procedures TAGE tree automata with constraints: more precision

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 6/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Model-Checking Rewrite Sequences

Prior work [Courbis et al., 2009]

“The system R satisfies the property”. . . R, Π | = (X ⇒ •Y) . . . is equivalent to the rewrite proposition. . . [R \ Y](X(R∗(Π))) = ∅ ∧ X(R∗(Π)) ⊆ Y−1(T)

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 7/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Model-Checking Rewrite Sequences

Prior work [Courbis et al., 2009]

“The system R satisfies the property”. . . R, Π | = (X ⇒ •Y) . . . is equivalent to the rewrite proposition. . . [R \ Y](X(R∗(Π))) = ∅ ∧ X(R∗(Π)) ⊆ Y−1(T) . . . approximated with TAGE by, assuming Y is left-linear,

IsEmpty(OneStep(R \ Y, Approx(A, R)), X) and Subset(OneStep(X, Approx(A, R)), Backward(Y)),

where L(A) = Π, L(Approx(A, R)) ⊇ R∗(L(A))

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 7/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Model-Checking Rewrite Sequences

Prior work [Courbis et al., 2009], and New Goals

1 R, Π |

= (X ⇒ •Y) [R \ Y](X(R∗(Π))) = ∅ ∧ X(R∗(Π)) ⊆ Y−1(T)

2 R, Π |

= ¬Y ∧ (•Y ⇒ X) Y(Π) = ∅ ∧ Y([R \ X](R∗(Π))) = ∅

3 R, Π |

= (X ⇒ ◦ ¬Y) Y(R∗(X(R∗(Π)))) = ∅

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 8/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Model-Checking Rewrite Sequences

Prior work [Courbis et al., 2009], and New Goals

Main goal: from manual to automatic translations. R Π ϕ To Rew. Prop. To Approx. R, Π | = ϕ ? π δ1, . . . , δn Sub-goal: efficient procedures = ⇒ TAGE complexity study.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 8/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

1

Model-Checking LTL on Rewrite Sequences Statement of the Central Problem Our Approach: An Overview

2

TAGE With a Bounded Number of Constraints Global Equality Constraints Overview of the Results

3

Other Works and Some Perspectives Results on SAT & Tree-Walking Automata Perspectives and Questions

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 8/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

1 R, Π |

= ¬X: “The first transition, if it occurs, is not by X” π1 ≡ X(Π) = ∅

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 9/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

1 ¬X:

“The first transition, if it occurs, is not by X” π1 ≡ X(Π) = ∅

2 X:

“There is a first transition, and it is by X” π2 ≡ [R \ X](Π) = ∅ ?

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 9/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

1 ¬X:

“The first transition, if it occurs, is not by X” π1 ≡ X(Π) = ∅

2 X:

“There is a first transition, and it is by X” π2 ≡ [R \ X](Π) = ∅ ∧ Π ⊆ X−1(T)

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 9/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

1 ¬X:

“The first transition, if it occurs, is not by X” π1 ≡ X(Π) = ∅

2 X:

“There is a first transition, and it is by X” π2 ≡ [R \ X](Π) = ∅ ∧ Π ⊆ X−1(T)

3 ¬X:

“No transition that occurs is by X” π3 ≡ X(R∗(Π)) = ∅

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 9/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

1 ¬X:

π1 ≡ X(Π) = ∅

2 X:

π2 ≡ [R \ X](Π) = ∅ ∧ Π ⊆ X−1(T)

3 ¬X:

“No transition that occurs is by X” π3 ≡ X(R∗(Π)) = ∅ ≡ π1[R∗(Π)/Π]

4 X:

“All transitions that occur are by X”

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 9/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

1 ¬X:

π1 ≡ X(Π) = ∅

2 X:

π2 ≡ [R \ X](Π) = ∅ ∧ Π ⊆ X−1(T)

3 ¬X:

“No transition that occurs is by X” π3 ≡ X(R∗(Π)) = ∅ ≡ π1[R∗(Π)/Π]

4 X:

“All transitions that occur are by X” π4 ≡ π2[R∗(Π)/Π] ≡ [R \ X](R∗(Π)) = ∅ ∧ R∗(Π) ⊆ X−1(T) ?

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 9/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

1 ¬X:

π1 ≡ X(Π) = ∅

2 X:

π2 ≡ [R \ X](Π) = ∅ ∧ Π ⊆ X−1(T)

3 ¬X:

“No transition that occurs is by X” π3 ≡ X(R∗(Π)) = ∅ ≡ π1[R∗(Π)/Π]

4 X:

“All transitions that occur are by X” π4 ≡ π2[R∗(Π)/Π] ≡ [R \ X](R∗(Π)) = ∅ ∧ R∗(Π) ⊆ X−1(T) ? ω-language! Too strong

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 9/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

1 ¬X:

π1 ≡ X(Π) = ∅

2 X:

π2 ≡ [R \ X](Π) = ∅ ∧ Π ⊆ X−1(T)

3 ¬X:

“No transition that occurs is by X” π3 ≡ X(R∗(Π)) = ∅ ≡ π1[R∗(Π)/Π]

4 X:

“All transitions that occur are by X” π4 ≡ [R \ X](R∗(Π)) = ∅

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 9/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

1 ¬X:

π1 ≡ X(Π) = ∅

2 X:

π2 ≡ [R \ X](Π) = ∅ ∧ Π ⊆ X−1(T)

3 ¬X:

π3 ≡ X(R∗(Π)) = ∅ ≡ π1[R∗(Π)/Π]

4 X:

π4 ≡ [R \ X](R∗(Π)) = ∅

5 Conjunction: if ϕ : π5 and ψ : π′

5 then ϕ ∧ ψ : π5 ∧ π′ 5.

ϕ : π = “R, Π | = ϕ is translated by π” “for all executions, ϕ is satisfied” ∀x.P(x) ∧ ∀x.Q(x) ⇐ ⇒ ∀x.(P(x) ∧ Q(x))

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 9/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

1 ¬X:

π1 ≡ X(Π) = ∅

2 X:

π2 ≡ [R \ X](Π) = ∅ ∧ Π ⊆ X−1(T)

3 ¬X:

π3 ≡ X(R∗(Π)) = ∅ ≡ π1[R∗(Π)/Π]

4 X:

π4 ≡ [R \ X](R∗(Π)) = ∅

5 Conjunction: if ϕ : π5 and ψ : π′

5 then ϕ ∧ ψ : π5 ∧ π′ 5.

∀x.P(x) ∧ ∀x.Q(x) ⇐ ⇒ ∀x.(P(x) ∧ Q(x))

6 Disjunction: π6 ∨ π′

6 =

⇒ R, Π | = ϕ ∨ ψ ∀x.P(x) ∨ ∀x.Q(x) = ⇒ ∀x.(P(x) ∨ Q(x))

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 9/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

1 ¬X:

π1 ≡ X(Π) = ∅

2 X:

π2 ≡ [R \ X](Π) = ∅ ∧ Π ⊆ X−1(T)

3 ¬X:

π3 ≡ X(R∗(Π)) = ∅ ≡ π1[R∗(Π)/Π]

4 X:

π4 ≡ [R \ X](R∗(Π)) = ∅

5 Conjunction: if ϕ : π5 and ψ : π′

5 then ϕ ∧ ψ : π5 ∧ π′ 5.

∀x.P(x) ∧ ∀x.Q(x) ⇐ ⇒ ∀x.(P(x) ∧ Q(x))

6 Disjunction: π6 ∨ π′

6 =

⇒ R, Π | = ϕ ∨ ψ ∀x.P(x) ∨ ∀x.Q(x) = ⇒ ∀x.(P(x) ∨ Q(x))

7 Negation: R, Π |

= / ϕ = R, Π | = ¬ϕ : “NNF” required ∀x.¬P(x) = ¬∀x.P(x)

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 9/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

1 ¬X:

π1 ≡ X(Π) = ∅

2 X:

π2 ≡ [R \ X](Π) = ∅ ∧ Π ⊆ X−1(T)

3 ¬X:

π3 ≡ X(R∗(Π)) = ∅ ≡ π1[R∗(Π)/Π]

4 X:

π4 ≡ [R \ X](R∗(Π)) = ∅

5 Conjunction: if ϕ : π5 and ψ : π′

5 then ϕ ∧ ψ : π5 ∧ π′ 5.

6 Disjunction: π6 ∨ π′

6 =

⇒ R, Π | = ϕ ∨ ψ

7 Negation: R, Π |

= / ϕ = R, Π | = ¬ϕ : “NNF” required

8 Implication: X ⇒ •Y: Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 9/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

1 ¬X:

π1 ≡ X(Π) = ∅

2 X:

π2 ≡ [R \ X](Π) = ∅ ∧ Π ⊆ X−1(T)

3 ¬X:

π3 ≡ X(R∗(Π)) = ∅ ≡ π1[R∗(Π)/Π]

4 X:

π4 ≡ [R \ X](R∗(Π)) = ∅

5 Conjunction: if ϕ : π5 and ψ : π′

5 then ϕ ∧ ψ : π5 ∧ π′ 5.

6 Disjunction: π6 ∨ π′

6 =

⇒ R, Π | = ϕ ∨ ψ

7 Negation: R, Π |

= / ϕ = R, Π | = ¬ϕ : “NNF” required

8 Implication: X ⇒ •Y:

π7 ≡ [R \ Y](X(Π)) = ∅ ∧ X(Π) ⊆ Y−1(T)

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 9/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

1 ¬X:

π1 ≡ X(Π) = ∅

2 X:

π2 ≡ [R \ X](Π) = ∅ ∧ Π ⊆ X−1(T)

3 ¬X:

π3 ≡ X(R∗(Π)) = ∅ ≡ π1[R∗(Π)/Π]

4 X:

π4 ≡ [R \ X](R∗(Π)) = ∅

5 Conjunction: if ϕ : π5 and ψ : π′

5 then ϕ ∧ ψ : π5 ∧ π′ 5.

6 Disjunction: π6 ∨ π′

6 =

⇒ R, Π | = ϕ ∨ ψ

7 Negation: R, Π |

= / ϕ = R, Π | = ¬ϕ : “NNF” required

8 Implication: X ⇒ •Y:

π7 ≡ [R \ Y](X(Π)) = ∅ ∧ X(Π) ⊆ Y−1(T) X : π2, Y : π′

2 ≡ π2[Y/X], π7 ≡ π′ 2[X(Π)/Π]

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 9/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

1 ¬X:

π1 ≡ X(Π) = ∅

2 X:

π2 ≡ [R \ X](Π) = ∅ ∧ Π ⊆ X−1(T)

3 ¬X:

π3 ≡ X(R∗(Π)) = ∅ ≡ π1[R∗(Π)/Π]

4 X:

π4 ≡ [R \ X](R∗(Π)) = ∅

5 Conjunction: if ϕ : π5 and ψ : π′

5 then ϕ ∧ ψ : π5 ∧ π′ 5.

6 Disjunction: π6 ∨ π′

6 =

⇒ R, Π | = ϕ ∨ ψ

7 Negation: R, Π |

= / ϕ = R, Π | = ¬ϕ : “NNF” required

8 Implication: X ⇒ •Y:

π7 ≡ [R \ Y](X(Π)) = ∅ ∧ X(Π) ⊆ Y−1(T) X : π2, Y : π′

2 ≡ π2[Y/X], π7 ≡ π′ 2[X(Π)/Π]

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 9/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

1 ¬X:

π1 ≡ X(Π) = ∅

2 X:

π2 ≡ [R \ X](Π) = ∅ ∧ Π ⊆ X−1(T)

3 ¬X:

π3 ≡ X(R∗(Π)) = ∅ ≡ π1[R∗(Π)/Π]

4 X:

π4 ≡ [R \ X](R∗(Π)) = ∅

5 Conjunction: if ϕ : π5 and ψ : π′

5 then ϕ ∧ ψ : π5 ∧ π′ 5.

6 Disjunction: π6 ∨ π′

6 =

⇒ R, Π | = ϕ ∨ ψ

7 Negation: R, Π |

= / ϕ = R, Π | = ¬ϕ : “NNF” required

8 Implication: X ⇒ •Y:

π7 ≡ [R \ Y](X(Π)) = ∅ ∧ X(Π) ⊆ Y−1(T) X : π2, Y : π′

2 ≡ π2[Y/X], π7 ≡ π′ 2[X(Π)/Π]

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 9/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

1 ¬X:

π1 ≡ X(Π) = ∅

2 X:

π2 ≡ [R \ X](Π) = ∅ ∧ Π ⊆ X−1(T)

3 ¬X:

π3 ≡ X(R∗(Π)) = ∅ ≡ π1[R∗(Π)/Π]

4 X:

π4 ≡ [R \ X](R∗(Π)) = ∅

5 Conjunction: if ϕ : π5 and ψ : π′

5 then ϕ ∧ ψ : π5 ∧ π′ 5.

6 Disjunction: π6 ∨ π′

6 =

⇒ R, Π | = ϕ ∨ ψ

7 Negation: R, Π |

= / ϕ = R, Π | = ¬ϕ : “NNF” required

8 Implication: X ⇒ •Y:

π7 ≡ [R \ Y](X(Π)) = ∅ ∧ X(Π) ⊆ Y−1(T) X : π2, Y : π′

2 ≡ π2[Y/X], π7 ≡ π′ 2[X(Π)/Π]

(X ⇒ •Y) : π0 ≡ π7[R∗(Π)/Π]

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 9/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

1 ¬X:

π1 ≡ X(Π) = ∅

2 X:

π2 ≡ [R \ X](Π) = ∅ ∧ Π ⊆ X−1(T)

3 ¬X:

π3 ≡ X(R∗(Π)) = ∅ ≡ π1[R∗(Π)/Π]

4 X:

π4 ≡ [R \ X](R∗(Π)) = ∅

5 Conjunction: if ϕ : π5 and ψ : π′

5 then ϕ ∧ ψ : π5 ∧ π′ 5.

6 Disjunction: π6 ∨ π′

6 =

⇒ R, Π | = ϕ ∨ ψ

7 Negation: R, Π |

= / ϕ = R, Π | = ¬ϕ : “NNF” required

8 Implication: X ⇒ •Y:

π7 ≡ [R \ Y](X(Π)) = ∅ ∧ X(Π) ⊆ Y−1(T) X : π2, Y : π′

2 ≡ π2[Y/X], π7 ≡ π′ 2[X(Π)/Π]

(X ⇒ •Y) : π0 ≡ π7[R∗(Π)/Π] What about •Y ⇒ X ?

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 9/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

1 ¬X:

π1 ≡ X(Π) = ∅

2 X:

π2 ≡ [R \ X](Π) = ∅ ∧ Π ⊆ X−1(T)

3 ¬X:

π3 ≡ X(R∗(Π)) = ∅ ≡ π1[R∗(Π)/Π]

4 X:

π4 ≡ [R \ X](R∗(Π)) = ∅

5 Conjunction: if ϕ : π5 and ψ : π′

5 then ϕ ∧ ψ : π5 ∧ π′ 5.

6 Disjunction: π6 ∨ π′

6 =

⇒ R, Π | = ϕ ∨ ψ

7 Negation: R, Π |

= / ϕ = R, Π | = ¬ϕ : “NNF” required

8 Implication: X ⇒ •Y:

π7 ≡ [R \ Y](X(Π)) = ∅ ∧ X(Π) ⊆ Y−1(T) X : π2, Y : π′

2 ≡ π2[Y/X], π7 ≡ π′ 2[X(Π)/Π]

(X ⇒ •Y) : π0 ≡ π7[R∗(Π)/Π] What about •Y ⇒ X ? Other techniques (signatures,. . . )

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 9/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Translation Rules, by Examples

A dozen rules, e.g. conjunction:

• Π σ ϕ ∧ ψ

Π σ ϕ ∧ Π σ ψ always (simplest case):

• Π ε ϕ

R∗(Π) ⋆ε ϕ positive literal: Π σ X (σ \ X) ⊳ h(σ \ X) = ε Π

• h(σ\X)

σ\X

= ∅ ∧

• h(σ\X)−1
• k∈∇

σ,k=0

Πk

σ\X ⊆ R−1(T)

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 10/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

LTL → Rewrite Proposition

Derivation Tree

Derivation tree: automatic translation and proof Π ε (X ⇒ •Y) R∗(Π) ⋆ε X ⇒ •Y R∗(Π) X R | N1 •Y R∗(Π) X R | N1 ◦Y X(R∗(Π)) ⋆ε Y [R \ Y](X(R∗(Π))) = ∅ ∧ X(R∗(Π)) ⊆ R−1(T) . Optional global optimisation phase: R−1(T) → Y−1(T).

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 11/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Translatable Fragment

Exactly rewrite-translatable fragment: X ∈ ℘(R), m ∈ N ϕ := ⊤ | ⊥ | X | ¬X | ϕ ∧ ϕ | ψ ⇒ ϕ | •ϕ | ◦ϕ | ϕ ψ := ⊤ | ⊥ | X | ¬X | ψ ∨ ψ | ψ ∧ ψ | •ψ | ◦ψ | Φ Φ := at least ε-stabilisable ϕ Practical pre-experimental evaluation: good partial support of [Dwyer et al., 1999] patterns.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 12/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

LTL on Rewrite Sequences

Perspectives (Translation Into Rewrite Proposition)

R Π ϕ To Rew. Prop. To Approx. R, Π | = ϕ ? π δ1, . . . , δn [Héam et al., 2012a] Int. Conf. IJCAR’12, Manchester Extensions: Past-Time and Existential LTL Dealing with eventuality by studying “exhaustion”: e.g. ♦ ¬{f(x) → x} holds with bounded f-height & no intro

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 13/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

LTL on Rewrite Sequences

Perspectives (Approximated Decision Procedures)

R Π ϕ To Rew. Prop. To Approx. R, Π | = ϕ ? π δ1, . . . , δn Coping with more non-linearity – e.g. protocols, rewrite steps e.g. f(x, x) → g(x), f(x) → g(x, x),. . . Tractable algorithmic toolbox for TAGE Last points ⇒ closer study of TAGE complexity

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 14/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

1

Model-Checking LTL on Rewrite Sequences Statement of the Central Problem Our Approach: An Overview

2

TAGE With a Bounded Number of Constraints Global Equality Constraints Overview of the Results

3

Other Works and Some Perspectives Results on SAT & Tree-Walking Automata Perspectives and Questions

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 14/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Tree Automata

With Global Equality Constraints [Filiot et al., 2008]

TAGE, TA=, Positive TAGED, A = A, Q, F, ∆, ≅ : A, Q, F, ∆ vanilla tree automaton ta(A) ≅ equality constraints, ≅ ⊆ Q2 Constraint p ≅ q : run ρ of A on t: run of ta(A) on t satisfying ≅: ∀α, β ∈ P(t); ρ(α) ≅ ρ(β) ⇒ t|α = t|β accepting run: accepting for ta(A)

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 15/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Tree Automata

With Global Equality Constraints [Filiot et al., 2008]

A = { a/0, f/2 }, Q = { q, ^

q, qf }, F = { qf }, ^ q ≅ ^ q, and ∆ = { f(^ q, ^ q) → qf, f(q, q) → q, f(q, q) → ^ q, a → q, a → ^ q } u = f f a a f a a and v = f a f a a

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 16/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Tree Automata

With Global Equality Constraints [Filiot et al., 2008]

A = { a/0, f/2 }, Q = { q, ^

q, qf }, F = { qf }, ^ q ≅ ^ q, and ∆ = { f(^ q, ^ q) → qf, f(q, q) → q, f(q, q) → ^ q, a → q, a → ^ q } u, ρu = f qf f ^ q a q a q f ^ q a q a q and v = f a f a a

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 16/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Tree Automata

With Global Equality Constraints [Filiot et al., 2008]

A = { a/0, f/2 }, Q = { q, ^

q, qf }, F = { qf }, ^ q ≅ ^ q, and ∆ = { f(^ q, ^ q) → qf, f(q, q) → q, f(q, q) → ^ q, a → q, a → ^ q } u = f f a a f a a and v, ρv = f qf a ^ q f ^ q a q a q

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 16/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

1

Model-Checking LTL on Rewrite Sequences Statement of the Central Problem Our Approach: An Overview

2

TAGE With a Bounded Number of Constraints Global Equality Constraints Overview of the Results

3

Other Works and Some Perspectives Results on SAT & Tree-Walking Automata Perspectives and Questions

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 16/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

TA= versus TA=

k

Restriction on the kind of constraints: Rigid Automata (RTA) Same expressive power as TA= Less compact representations Linear emptiness / finiteness tests, vs. ExpTime-complete Applications: [Jacquemard et al., 2009, Vacher, 2010] What of the number of constraints? TA=

k A = Σ, Q, F, ∆, ≅ :

Σ, Q, F, ∆, ≅ TA= A ≅ such that Card(≅) k

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 17/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Summary of Results

[Héam et al., 2012c] Int. Conf. CIAA’12, Porto Strict hierarchy of powers: L(TA=

k) ⊂ L(TA= k+1)

Emptiness linear for TA=

1 , ExpTime-complete TA= 2

Finiteness polynomial for TA=

1 , ExpTime-complete for TA= 2

NP-complete membership becomes polynomial if k fixed.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 18/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Summary of Results

[Héam et al., 2012c] Int. Conf. CIAA’12, Porto Strict hierarchy of powers: L(TA=

k) ⊂ L(TA= k+1)

σ σ σ ⊥ , u1 u1 uk−1 uk−1 uk uk ui ∈ T(Ai) ∀i Emptiness linear for TA=

1 , ExpTime-complete TA= 2

Finiteness polynomial for TA=

1 , ExpTime-complete for TA= 2

NP-complete membership becomes polynomial if k fixed.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 18/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Summary of Results

[Héam et al., 2012c] Int. Conf. CIAA’12, Porto Strict hierarchy of powers: L(TA=

k) ⊂ L(TA= k+1)

Emptiness linear for TA=

1 , ExpTime-complete TA= 2

σ σ u1 σ u2 σ u3 . . . σ un−1 un σ u σ u σ u . . . σ u u Finiteness polynomial for TA=

1 , ExpTime-complete for TA= 2

NP-complete membership becomes polynomial if k fixed.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 18/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Summary of Results

[Héam et al., 2012c] Int. Conf. CIAA’12, Porto Strict hierarchy of powers: L(TA=

k) ⊂ L(TA= k+1)

Emptiness linear for TA=

1 , ExpTime-complete TA= 2

Finiteness polynomial for TA=

1 , ExpTime-complete for TA= 2

Reduction of emptiness to finiteness. NP-complete membership becomes polynomial if k fixed.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 18/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Summary of Results

NP-complete membership becomes polynomial if k fixed.

GP St

← − h ∈ Ht

P −

→ G1 = { p, q } G2 = { r, s, t } G3 = {qx} Gn . . . CG1 CG2 CG1 CGn

• CG3
• • • •
• • • •

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 18/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

1

Model-Checking LTL on Rewrite Sequences Statement of the Central Problem Our Approach: An Overview

2

TAGE With a Bounded Number of Constraints Global Equality Constraints Overview of the Results

3

Other Works and Some Perspectives Results on SAT & Tree-Walking Automata Perspectives and Questions

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 18/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

TAGE SAT & Tree-Walking Overloops

[Héam et al., 2010] Int. Workshop CSTVA’10, Paris [Héam et al., 2011] Int. Conf. CIAA’11, Blois [Héam et al., 2012b] Int. Journal Theo. Comp. Sci. SAT Encoding for TAGE membership & optimisations. Formal treatment of tree-walking loops for transformation into bottom-up TA; revealed missing factor in space Σ × T × 2Q2. Introduced tree-walking overloops: restores T × 2Q2, smaller automata in practice in extensive random tests. Shown overloops upper-bound is |T| · 2|Q| log2(|Q|+1) in the deterministic case. Note that exponential is unavoidable. Polynomial overloops-based approximation to TWA emptiness, vs. ExpTime-c. Very precise in random tests.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 19/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Polynomial Approximation for Emptiness

Random tests

1 Ad-hoc scheme: ≈ 20 000 TWA, 2 |Q| 20, |∆| ≈ 3 × |Q|,

75% of empty languages, only two Unknown instead of Empty.

2 Uniform scheme [Héam et al., 2009], REGAL back-end for FSA

generation [Bassino et al., 2007]. 2 000 deterministic and complete TWA uniformly generated for each 2 |Q| 25.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 20/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Polynomial Approximation for Emptiness

Random tests

5 10 15 20 25 30 35 40 45 50 55 2 4 6 8 10 12 14 16 18 20 22 24 ∅% |Q|

Approximation – 2000 samples Approximation – 200 samples Exact – 200 samples Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 20/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Size Comparison: Loops vs. Overloops

One Example & Uniform Generation Scheme

For X: loops Bl = 1986; overloops Bo = 95; deterministic minimal Bm = 56; smallest known non-deterministic Bs = 34. Loops 60 times worse than manual optimal; overloops 3 times. Orthogonal to post-processing cleanup:

• B′

l

• = 1617, B′
• = 78.

Bl Bo ≈ 20.9 and

• B′

l

• B′
• ≈ 20.7

and Bl

• B′

l

• ≈ Bo

B′

• ≈ 1.2 .

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 21/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Size Comparison: Loops vs. Overloops

One Example & Uniform Generation Scheme

1 2 3 2 3 4 5 6 7 B 105 |QA|

Bl B′

l (clean)

Bo B′

• (clean)

2 3 4 5 6 70 2 4 6 8 10 12 14 16 18 Ratio |QA|

Bl/Bo B′

l/B′

• Bl/B′

l

Bo/B′

• Tree (Not Quite) Regular Model-Checking

Vincent HUGOT Ph.D. Defence 21/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

1

Model-Checking LTL on Rewrite Sequences Statement of the Central Problem Our Approach: An Overview

2

TAGE With a Bounded Number of Constraints Global Equality Constraints Overview of the Results

3

Other Works and Some Perspectives Results on SAT & Tree-Walking Automata Perspectives and Questions

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 21/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Conclusion / Summary

Generalisation of the translation R Π ϕ To Rew. Prop. To Approx. R, Π | = ϕ ? π δ1, . . . , δn Study of complexity of bounded global constraints Improved loops-based methods for tree-walking automata

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 22/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Perspectives

Full TAGE may not be required for X(Π); flat constraints ensure polynomial emptiness decision; are they enough? Implemented algorithmic toolbox for these automata. Rewrite propositions go beyond LTL (e.g. ∃-LTL). What is their full expressive power? Intermix state and transition-based properties.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 23/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Questions ?

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 24/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Supported Fragment, In Practice

Partially Supported Patterns From [Dwyer et al., 1999]

Scope Pattern Global Before After Between Until Support Absence 41 5 12 18 9 48% Universality 110 1 5 2 1 96% Existence 12 1 4 8 1 0% Bound Exist. 1 0% Response 241 1 3 99% Precedence 25 1 96%

• Resp. Chain

8 0%

• Prec. Chain

1 0% Support 95% 0% 32% 0% 0% 83%

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 25/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Formal Tools for Verification

Reliable Software

Software failure is undesirable. . . Ariane 5, Therac-25, Mariner I, Phobos I, XA/21 USA & Canada Northeast 2003 blackout, MIM-104 Patriot anti-missile, Mars Climate Orbiter, Mars Polar Lander, Mars Global Surveyor space probes,. . . . . . hence the need for formal verification methods. E.G. With Hoare logic, correctness is a mathematical theorem. Precondition, code, post-condition: { ⊤ } x := y { x = y }. Manual proofs require mathematical ingenuity. Automation?

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 26/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Model-Checking Rewrite Sequences

Coding the Behaviour of the System: (X ⇒ •Y)

t0 ∈ Π ti tj . . . tn ui uj . . . un vi vj . . . vn X X X X R∗ R∗ R∗ R∗ ri ∈ X rj ∈ X rk ∈ X rn ∈ X r′

i ∈ Y

r′

j ∈ Y

r′

k ∈ Y

r′

n ∈ Y

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 27/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Maximal Rewrite Words

Coding the Behaviour of the System

t0 ∈ Π ti tj . . . tn ui uj . . . un vi vj . . . vn X X X X R∗ R∗ R∗ R∗ ri ∈ X rj ∈ X rk ∈ X rn ∈ X r′

i ∈ Y

r′

j ∈ Y

r′

k ∈ Y

r′

n ∈ Y

Executions may or may not terminate: finite and infinite words.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 28/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Maximal Rewrite Words

Coding the Behaviour of the System

Finite or infinite words on R:

N = N ∪ {+∞}

W =

• n∈N
• 1, n → R
• Notation: length #w ∈ N : #w = Card(dom w).

Maximal rewrite words of R, originating in Π: Π is the set of words w ∈ W such that ∃u0 ∈ Π : ∃u1, . . . , u#w ∈ T : ∀k ∈ dom w, uk−1

w(k)

− − − → uk ∧ #w ∈ N ⇒ R({u#w}) = ∅

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 28/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Syntax and Semantics for LTL

Close to Finite-LTL [Manna and Pnueli, 1995]

ϕ := X | ¬ϕ | ϕ ∧ ϕ | •mϕ | ◦mϕ | ϕ U ϕ X ∈ ℘(R) ⊤ | ⊥ | ϕ ∨ ϕ | ϕ ⇒ ϕ | ♦ ϕ | ϕ m ∈ N . (w, i) | = X ⇔ i ∈ dom w and w(i) ∈ X (w, i) | = ¬ϕ ⇔ (w, i) | = / ϕ (w, i) | = (ϕ ∧ ψ) ⇔ (w, i) | = ϕ and (w, i) | = ψ (w, i) | = •mϕ ⇔ i + m ∈ dom w and (w, i + m) | = ϕ (w, i) | = ◦mϕ ⇔ i + m / ∈ dom w or (w, i + m) | = ϕ (w, i) | = ϕ U ψ ⇔ ∃j ∈ dom w : j i ∧ (w, j) | = ψ ∧ ∀k ∈ i, j − 1, (w, k) | = ϕ For any w ∈ W, i ∈ N1, m ∈ N and X ∈ ℘(R).

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 29/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Syntax and Semantics for LTL

Close to Finite-LTL [Manna and Pnueli, 1995]

ϕ := X | ¬ϕ | ϕ ∧ ϕ | •mϕ | ◦mϕ | ϕ U ϕ X ∈ ℘(R) ⊤ | ⊥ | ϕ ∨ ϕ | ϕ ⇒ ϕ | ♦ ϕ | ϕ m ∈ N . (w, i) | = X ⇔ i ∈ dom w and w(i) ∈ X (w, i) | = ¬ϕ ⇔ (w, i) | = / ϕ (w, i) | = (ϕ ∧ ψ) ⇔ (w, i) | = ϕ and (w, i) | = ψ (w, i) | = •mϕ ⇔ i + m ∈ dom w and (w, i + m) | = ϕ (w, i) | = ◦mϕ ⇔ i + m / ∈ dom w or (w, i + m) | = ϕ (w, i) | = ϕ ⇔ ∀j ∈ dom w, j i ⇒ (w, j) | = ϕ For any w ∈ W, i ∈ N1, m ∈ N and X ∈ ℘(R).

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 29/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Syntax and Semantics for LTL

Close to Finite-LTL [Manna and Pnueli, 1995]

(w, i) | = X ⇔ i ∈ dom w and w(i) ∈ X (w, i) | = ¬ϕ ⇔ (w, i) | = / ϕ (w, i) | = (ϕ ∧ ψ) ⇔ (w, i) | = ϕ and (w, i) | = ψ (w, i) | = •mϕ ⇔ i + m ∈ dom w and (w, i + m) | = ϕ (w, i) | = ◦mϕ ⇔ i + m / ∈ dom w or (w, i + m) | = ϕ (w, i) | = ϕ ⇔ ∀j ∈ dom w, j i ⇒ (w, j) | = ϕ For any w ∈ W, i ∈ N1, m ∈ N and X ∈ ℘(R). Satisfaction: w | = ϕ ⇐ ⇒ (w, 1) | = ϕ R, Π | = ϕ ⇐ ⇒ ∀w ∈ Π, w | = ϕ

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 29/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Rewrite Propositions

Problem Statement: First Translation Step

Rewrite proposition π on R, from Π; has a trivial truth value π := γ | γ ∧ γ | γ ∨ γ γ := ℓ = ∅ | ℓ ⊆ ℓ X ∈ ℘(R) ℓ := Π | T | X(ℓ) | X−1(ℓ) | X∗(ℓ) Problem statement: translations into RP Input: R, ϕ ∈ LTL, Π ⊆ T Output: RP π such that: R, Π | = ϕ ⇐ ⇒ π (exact translation) R, Π | = ϕ ⇐ = π (under-approximated translation) R, Π | = ϕ = ⇒ π (over-approximated translation)

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 30/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Intuitions for the Translation

Boundaries of the Translatable Fragment

R∗(Π) hides traces: ♦ X probably untranslatable. So are { ♦, U, W, R, . . . } . Formulæ in sanitised form: negation on literals. Not exactly NNF. (A ∨ B) ⇒ C (A ⇒ C) ∧ (B ⇒ C) (¬A ∧ ¬B) ∨ C Preprocessing to fit translatable “antecedent/consequent” form.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 31/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Signatures

Implication: Girdling the Future

Idea: ϕ ⇒ ψ ? ϕ as an assumption, i.e. a model of ϕ: ξ(ϕ) Σ =

• n∈N
• 1, n ∪ {ω}
• → ℘(R)
• × ℘(N) .

Notations: σ ∈ Σ compactly as σ = f | S = ∂σ | ∇ σ,

• r in extenso as f(1), f(2), . . . , f(#σ) f(ω) | S.

Example: ξ

• X ∧ ◦1Y ∧ ◦2 Z
• = X, Y Z | N1

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 32/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Signatures

Implication: Girdling the Future

Σ =

• n∈N
• 1, n ∪ {ω}
• → ℘(R)
• × ℘(N) .

Notations: σ ∈ Σ compactly as σ = f | S = ∂σ | ∇ σ,

• r in extenso as f(1), f(2), . . . , f(#σ) f(ω) | S.

Example: ξ

• X ∧ ◦1Y ∧ ◦2 Z
• = X, Y Z | N1

Constrained Words: Π σ = {w ∈ Π | #w ∈ ∇ σ ∧ ∀k ∈ dom w, w(k) ∈ σ[k]} ∀ Π ⊆ T, ϕ ∈ A-LTL, Π ξ(ϕ) = { w ∈ Π | w | = ϕ }

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 32/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Signatures: the Transformation ξ(·)

Modelling the Antecedent to Girdle the Future

ξ(⊤) = R | N = ε ξ(⊥) = ∅ | ∅ ξ(X) = X R | N1 ξ(¬X) = R \ X R | N ξ(•mϕ) = ξ(ϕ) ◮ m ξ(◦mϕ) = ξ(ϕ) ⊲ m ξ(ϕ ∧ ψ) = ξ(ϕ) ξ(ψ) ξ( ϕ) =

∞

• m=0
• ξ(ϕ) ⊲ m
• Tree (Not Quite) Regular Model-Checking

Vincent HUGOT Ph.D. Defence 33/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Signatures: the Transformation ξ(·)

Modelling the Antecedent to Girdle the Future

ξ(⊤) = R | N = ε ξ(⊥) = ∅ | ∅ ξ(X) = X R | N1 ξ(¬X) = R \ X R | N ξ(•mϕ) = ξ(ϕ) ◮ m ξ(◦mϕ) = ξ(ϕ) ⊲ m ξ(ϕ ∧ ψ) = ξ(ϕ) ξ(ψ) ξ( ϕ) =

∞

• m=0
• ξ(ϕ) ⊲ m
• σ ◮ m = Strong Shift Right =

R1, . . . , Rm, ∂σ(1), . . . , ∂σ(#σ) ∂σ(ω) | (∇ σ \ {0}) + m σ ⊲ m = Weak Shift Right = R1, . . . , Rm, ∂σ(1), . . . , ∂σ(#σ)∂σ(ω) | 0, m∪(∇ σ+m)

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 33/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Signatures: the Transformation ξ(·)

Modelling the Antecedent to Girdle the Future

ξ(⊤) = R | N = ε ξ(⊥) = ∅ | ∅ ξ(X) = X R | N1 ξ(¬X) = R \ X R | N ξ(•mϕ) = ξ(ϕ) ◮ m ξ(◦mϕ) = ξ(ϕ) ⊲ m ξ(ϕ ∧ ψ) = ξ(ϕ) ξ(ψ) ξ( ϕ) =

∞

• m=0
• ξ(ϕ) ⊲ m
• Product Property: Π σ σ′ = Π σ ∩ Π σ′

Example: σ = X, Y Z | N2 ρ = X′ Z′ | N3 σ ρ = X ∩ X′, Y ∩ Z′ Z ∩ Z′ | N3

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 33/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Signatures: the Transformation ξ(·)

Modelling the Antecedent to Girdle the Future

ξ(⊤) = R | N = ε ξ(⊥) = ∅ | ∅ ξ(X) = X R | N1 ξ(¬X) = R \ X R | N ξ(•mϕ) = ξ(ϕ) ◮ m ξ(◦mϕ) = ξ(ϕ) ⊲ m ξ(ϕ ∧ ψ) = ξ(ϕ) ξ(ψ) ξ( ϕ) =

∞

• m=0
• ξ(ϕ) ⊲ m
• ϕ ⇔

∞

• m=0
• mϕ

Π

∞

• n=0

σn =

∞

• n=0

Π σn

∞

• n=0
• σ ◮ n
• and

∞

• n=0
• σ ⊲ n
• converge ∀σ ∈ Σ

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 33/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Rewrite Proposition → Procedure

automatic kind inference and generation rules

Kind inference: expressiveness required & assumptions α : TA ⊢ X(α) : TA= ⊳ α : TA, X : reg-pres ⊢ X(α) : TA ⊢ X−1(T) : TA= ⊳ X : left-lin ⊢ X−1(T) : TA α : TA ⊢ ♮α : TA α : TA= ⊢ ♮α : TA, ♮α : + + + Procedure Generation: from languages to automata Γ X−1(T) ⇒ Γ, X : left-lin X−1(T) Γ [ℓ ֌ ∆, α] ∆ ⊢∗ α : TA X(ℓ) ⇒ Γ, ∆, X : reg-pres X(α) Γ [ℓ ֌ ∆, α] ∆ ⊢∗ α : TA= X(ℓ) ⇒ Γ, ∆, X : reg-pres X(♮α)

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 34/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Supported Fragment, In Practice

Partially Supported Patterns From [Dwyer et al., 1999]

Scope Pattern Global Before After Between Until Support Absence 41 5 12 18 9 48% Universality 110 1 5 2 1 96% Existence 12 1 4 8 1 0% Bound Exist. 1 0% Response 241 1 3 99% Precedence 25 1 96%

• Resp. Chain

8 0%

• Prec. Chain

1 0% Support 95% 0% 32% 0% 0% 83%

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 35/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Tree Automata

[Comon et al., 2008]

Introduced in the fifties; regular tree languages: model-checking: programs, protocols,. . . automated theorem-proving XML schema and (esp. variants) query languages . . . and so much more Doesn’t deal with comparisons and non-linearity: { f(u, u) | u ∈ T(Σ) } e.g. password verification { f(u, v) | u, v ∈ T(Σ), u = v } e.g. primary keys R(ℓ), ℓ regular, R a TRS e.g. { g(x) → f(x, x) }(T(A))

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 36/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Tree Automata

Bottom-Up, Non-Deterministic, Finite

Tree Automaton A = A, Q, F, ∆ :

A

finite ranked alphabet Q finite set of states F final states, F ⊆ Q ∆ finite set of transitions Transition r ∈ ∆ : σ(q1, . . . , qn) → q σ ∈ An q1, . . . , qn, q ∈ Q

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 37/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Tree Automata

Bottom-Up, Non-Deterministic, Finite

A = { ∧, ∨/2, ¬/1, ⊤, ⊥/0 }, Q = { q0, q1 }, F = {q1}, ∆ =

⊤ → q1, ⊥ → q0, ¬(qb) → q¬b ∧(qb, qb′) → qb∧b′, ∨(qb, qb′) → qb∨b′

• b, b′ ∈ { 0, 1 }
• t =

∧ ∨ ¬ ⊥ ⊥ ¬ ∧ ⊤ ⊥

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 38/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Tree Automata

Bottom-Up, Non-Deterministic, Finite

∧ ∨ ¬ ⊥ ⊥ ¬ ∧ ⊤ ⊥ →∗

∆

∧ ∨ ¬ q0 q0 ¬ ∧ q1 q0 →∗

∆

∧ ∨ q1 q0 ¬ q0 →∗

∆

∧ q1 q1 →∆ q1

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 38/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Tree Automata

Runs and Languages

The reduction t →∗

∆ q1 is captured by the run:

q1 q1 q1 q0 q0 q1 q0 q1 q0 decorated:

ε ∧ q1 2 ∨ q1 22 ¬ q1 221 ⊥ q0 21 ⊥ q0 1 ¬ q1 11 ∧ q0 112 ⊤ q1 111 ⊥ q0

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 39/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Tree Automata

With Global Equality Constraints [Filiot et al., 2008]

TAGE, TA=, Positive TAGED, A = A, Q, F, ∆, ≅ : A, Q, F, ∆ vanilla tree automaton ta(A) ≅ equality constraints, ≅ ⊆ Q2 Constraint p ≅ q : run ρ of A on t: run of ta(A) on t satisfying ≅: ∀α, β ∈ P(t); ρ(α) ≅ ρ(β) ⇒ t|α = t|β accepting run: accepting for ta(A)

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 40/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Tree Automata

With Global Equality Constraints [Filiot et al., 2008]

A = { a/0, f/2 }, Q = { q, ^

q, qf }, F = { qf }, ^ q ≅ ^ q, and ∆ = { f(^ q, ^ q) → qf, f(q, q) → q, f(q, q) → ^ q, a → q, a → ^ q } u = f f a a f a a and v = f a f a a

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 41/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Tree Automata

With Global Equality Constraints [Filiot et al., 2008]

A = { a/0, f/2 }, Q = { q, ^

q, qf }, F = { qf }, ^ q ≅ ^ q, and ∆ = { f(^ q, ^ q) → qf, f(q, q) → q, f(q, q) → ^ q, a → q, a → ^ q } u, ρu = f qf f ^ q a q a q f ^ q a q a q and v = f a f a a

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 41/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Tree Automata

With Global Equality Constraints [Filiot et al., 2008]

A = { a/0, f/2 }, Q = { q, ^

q, qf }, F = { qf }, ^ q ≅ ^ q, and ∆ = { f(^ q, ^ q) → qf, f(q, q) → q, f(q, q) → ^ q, a → q, a → ^ q } u = f f a a f a a and v, ρv = f qf a ^ q f ^ q a q a q

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 41/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Tree Automata

With Global Equality Constraints [Filiot et al., 2008]

A = { ∧, ∨/2, ¬/1, ⊤, ⊥/0 } ⊎ X, Q = { q0, q1 } ⊎ { vx | x ∈ X } and

F = {q1}, new rules ⊤ → vx, ⊥ → vx, x(q0, vx) → q1, x(vx, q1) → q0 for each x ∈ X, vx ≅ vx. (x ∧ y) ∨ ¬x ≡ ∨ ¬ x ⊤ ⊥ ∧ y ⊤ ⊥ x ⊤ ⊥

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 42/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Tree Automata

With Global Equality Constraints [Filiot et al., 2008]

A = { ∧, ∨/2, ¬/1, ⊤, ⊥/0 } ⊎ X, Q = { q0, q1 } ⊎ { vx | x ∈ X } and

F = {q1}, new rules ⊤ → vx, ⊥ → vx, x(q0, vx) → q1, x(vx, q1) → q0 for each x ∈ X, vx ≅ vx. (x ∧ y) ∨ ¬x ≡ ∨ q1 ¬ q1 x q0 ⊤ q1 ⊥ vx ∧ q0 y q1 ⊤ vy ⊥ q0 x q0 ⊤ q1 ⊥ vx

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 42/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

TA versus RTA versus TA=

Closure, Complexity and Decidability

TA RTA (p ≅ p) TA= ∪ PTime PTime PTime ∩ PTime ExpTime ExpTime ¬ ExpTime ∅ ∅ t ∈ L(A) ? PTime NP-c NP-c (a) L(A) = ∅ ? linear-time linear-time ExpTime-c |L(A)| ∈ N ? PTime PTime ExpTime-c L(A) = T(Σ) ? ExpTime-c undecidable undecidable L(A) ⊆ L(B) ? ExpTime-c undecidable undecidable L(

i Ai) = ∅ ?

ExpTime-c ExpTime-c ExpTime-c

(a)SAT solver approach: [Héam et al., 2010]. Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 43/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

TA versus RTA versus TA=

Closure, Complexity and Decidability

TA RTA (p ≅ p) TA= ∪ PTime PTime PTime ∩ PTime ExpTime ExpTime ¬ ExpTime ∅ ∅ t ∈ L(A) ? PTime NP-c NP-c (a) L(A) = ∅ ? linear-time linear-time ExpTime-c |L(A)| ∈ N ? PTime PTime ExpTime-c L(A) = T(Σ) ? ExpTime-c undecidable undecidable L(A) ⊆ L(B) ? ExpTime-c undecidable undecidable L(

i Ai) = ∅ ?

ExpTime-c ExpTime-c ExpTime-c

(a)SAT solver approach: [Héam et al., 2010]. Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 43/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

TA= versus TA=

k

Restriction on the kind of constraints: Rigid Automata (RTA) Same expressive power as TA= Less compact representations Linear emptiness / finiteness tests, vs. ExpTime-complete Applications: [Jacquemard et al., 2009, Vacher, 2010] What of the number of constraints? TA=

k A = Σ, Q, F, ∆, ≅ :

Σ, Q, F, ∆, ≅ TA= A ≅ such that Card(≅) k

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 44/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Expressive Power

The Separation Languages L = (ℓk)k∈N [Hugot, 2013]

k

• i=1

Ai ⊎ { σ/3, ⊥/0 } Ai = { ai, bi/0, fi, gi/2 }

ℓ0 = {⊥} ∀k 1, ℓk = { σ(u, u, tk−1) | u ∈ T(Ak), tk−1 ∈ ℓk−1 } σ σ σ ⊥ , u1 u1 uk−1 uk−1 uk uk ui ∈ T(Ai) ∀i

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 45/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Expressive Power

The Separation Languages L = (ℓk)k∈N [Hugot, 2013]

σ σ σ ⊥ , u1 u1 uk−1 uk−1 uk uk ui ∈ T(Ai) ∀i ℓ1 ∈ L(TA=

1 ) \ L(TA)

≈ ground instances of f(x, x). ℓk ∈ L(TA=

k) \ L(TA= k−1),

∀k 1.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 45/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Expressive Power

Show ℓk ∈ L(TA=

k) \ L(TA= k−1) [Hugot, 2013]

Show ℓk ∈ L(TA=

k): Ak ∈ TA= k such that L(Ak) = ℓk

Ui ∈ TA universal, Ui :F =

• qu

i

• , for all i. Ak is

Q = {qv

0} ⊎ k

• i=1

Ui :Q ⊎ {qv

i}

F = {qv

1}

qu

i ≅ qu i, ∀i ∈ 1, k

∆ =

• σ(qu

i, qu i, qv i−1) → qv i

• i ∈ 1, k
• ∪ { ⊥ → qv

0 } .

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 46/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Expressive Power

Show ℓk ∈ L(TA=

k) \ L(TA= k−1) [Hugot, 2013]

Show ℓk / ∈ L(TA=

k−1):

active constrained states: acs ρ = { ρ(α) | α ∈ P(ρ), ∃β ∈ P(ρ) \ {α} : ρ(α) ≅ ρ(β) }

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 46/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Expressive Power

Show ℓk ∈ L(TA=

k) \ L(TA= k−1) [Hugot, 2013]

Show ℓk / ∈ L(TA=

k−1):

Assume ℓk ∈ L(TA=

k−1) i.e. ∃A ∈ TA= k−1 : L(A) = ℓk

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 46/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Expressive Power

Show ℓk ∈ L(TA=

k) \ L(TA= k−1) [Hugot, 2013]

Show ℓk / ∈ L(TA=

k−1):

Assume ℓk ∈ L(TA=

k−1) i.e. ∃A ∈ TA= k−1 : L(A) = ℓk

∀ρ, ∄α, β : α = β, α ∈ 3∗, ρ(α) ≅ ρ(β)

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 46/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Expressive Power

Show ℓk ∈ L(TA=

k) \ L(TA= k−1) [Hugot, 2013]

Show ℓk / ∈ L(TA=

k−1):

Assume ℓk ∈ L(TA=

k−1) i.e. ∃A ∈ TA= k−1 : L(A) = ℓk

∀ρ, ∄α, β : α = β, α ∈ 3∗, ρ(α) ≅ ρ(β) Pick t ∈ ℓk such that

• t|α
• > |Q|, for all α ∈ 3∗(1 + 2)

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 46/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Expressive Power

Show ℓk ∈ L(TA=

k) \ L(TA= k−1) [Hugot, 2013]

Show ℓk / ∈ L(TA=

k−1):

Assume ℓk ∈ L(TA=

k−1) i.e. ∃A ∈ TA= k−1 : L(A) = ℓk

∀ρ, ∄α, β : α = β, α ∈ 3∗, ρ(α) ≅ ρ(β) Pick t ∈ ℓk such that

• t|α
• > |Q|, for all α ∈ 3∗(1 + 2)

Suppose ∃α ∈ 3∗(1 + 2) such that ran ρ|α ∩ acs ρ = ∅. A acts as BUTA wrt. t|α; pump ρ|α, get t′ / ∈ ℓk, but t′ ∈ L(A).

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 46/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Expressive Power

Show ℓk ∈ L(TA=

k) \ L(TA= k−1) [Hugot, 2013]

Show ℓk / ∈ L(TA=

k−1):

Assume ℓk ∈ L(TA=

k−1) i.e. ∃A ∈ TA= k−1 : L(A) = ℓk

∀ρ, ∄α, β : α = β, α ∈ 3∗, ρ(α) ≅ ρ(β) Pick t ∈ ℓk such that

• t|α
• > |Q|, for all α ∈ 3∗(1 + 2)

∀α ∈ 3∗(1 + 2), ran ρ|α ∩ acs ρ = ∅

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 46/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Expressive Power

Show ℓk ∈ L(TA=

k) \ L(TA= k−1) [Hugot, 2013]

Show ℓk / ∈ L(TA=

k−1):

Assume ℓk ∈ L(TA=

k−1) i.e. ∃A ∈ TA= k−1 : L(A) = ℓk

∀ρ, ∄α, β : α = β, α ∈ 3∗, ρ(α) ≅ ρ(β) Pick t ∈ ℓk such that

• t|α
• > |Q|, for all α ∈ 3∗(1 + 2)

∀α ∈ 3∗(1 + 2), ran ρ|α ∩ acs ρ = ∅ i = j, pi acs for ui, pj for uj. ∃ acs qi, qj : pi ≅ qi, pj ≅ qj. Suppose qi in subrun of uj. Then ∃si ui, sj uj, si = sj. But ui ∈ T(Ai) and uj ∈ T(Aj), thus si ∈ T(Ai) and sj ∈ T(Aj). T(Ai) ∩ T(Aj) = ∅, thus si = sj ∈ ∅.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 46/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Expressive Power

Show ℓk ∈ L(TA=

k) \ L(TA= k−1) [Hugot, 2013]

Show ℓk / ∈ L(TA=

k−1):

Assume ℓk ∈ L(TA=

k−1) i.e. ∃A ∈ TA= k−1 : L(A) = ℓk

∀ρ, ∄α, β : α = β, α ∈ 3∗, ρ(α) ≅ ρ(β) Pick t ∈ ℓk such that

• t|α
• > |Q|, for all α ∈ 3∗(1 + 2)

∀α ∈ 3∗(1 + 2), ran ρ|α ∩ acs ρ = ∅ Each pair of ui needs its own fresh state(s) pi ≅ qi

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 46/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Expressive Power

Show ℓk ∈ L(TA=

k) \ L(TA= k−1) [Hugot, 2013]

Show ℓk / ∈ L(TA=

k−1):

Assume ℓk ∈ L(TA=

k−1) i.e. ∃A ∈ TA= k−1 : L(A) = ℓk

∀ρ, ∄α, β : α = β, α ∈ 3∗, ρ(α) ≅ ρ(β) Pick t ∈ ℓk such that

• t|α
• > |Q|, for all α ∈ 3∗(1 + 2)

∀α ∈ 3∗(1 + 2), ran ρ|α ∩ acs ρ = ∅ Each pair of ui needs its own fresh state(s) pi ≅ qi A does not exist, contradiction.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 46/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

The Membership Problem

General Idea & Strategy

Membership complexity : t ∈ L(A) ? NP-complete for TA= PTime for TA=

k, ∀k ∈ N

Proof Strategy : Choose each P ⊆ dom ≅ = { p | ∃q : p ≅ q or q ≅ p } Given P, turn ≅ into an equivalence relation ≍P Try all possible “housings” of the ≅-classes into t For each housing, try to build an accepting run

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 47/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

≅ is Not an Equivalence

(but we can pretend it is)

Example: Given p ≅ r and r ≅ q, what of p ≅ q ? Does r actually appear in the run ? yes : p ≅ q implied no : p ≅ r and r ≅ q are moot. Fix P ⊆ dom ≅. Any run ρ such that (ran ρ) ∩ (dom ≅) = P is accepting for A iff it is so for AP = A | ≅ :=

• ≅ ∩P2≡ ,

symmetric, transitive, reflexive closure under dom(≅ ∩P2).

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 48/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Groups & Similarity Classes

Groups GP : set of ≅-equivalence classes (given P)

GP = dom(≅ ∩P2)

(≅ ∩P2)≡ = dom(≅ ∩P2) ≍P Similarity Classes St of t : ∀α, β ∈ P(t); α ∼ β ⇐ ⇒ t|α = t|β classes St = P(t)/∼

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 49/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Housings

And Their Compatibility with the Constraints

Characterisation of Satisfaction of ≅ : ∀G ∈ GP; ∃CG ∈ St : ρ−1(G) ⊆ CG Housings Ht

P of P within t :

The map G → CG is a P-housing of ρ in t, compatible with ρ

Ht

P = GP → St

is the set of all possible P-housings on t.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 50/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

GP St

← − h ∈ Ht

P −

→ G1 = { p, q } G2 = { r, s, t } G3 = {qx} Gn . . . CG1 CG2 CG1 CGn

• CG3
• • • •
• • • •

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 51/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Proof Outline

For TA=

k

Operations Needed : Choose P: 22k possible P ⊆ dom ≅ Choose housing:

• StGP

= |St||GP| t2k P-housings on t ⇒ 4k · t2k tests in total polynomial compatibility test = variant of reachability Is a final state reachable if states q ∈ P can only go in h([q]≍P)?

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 52/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Compatibility Test

In Polynomial Time

Simple variant of reachability algorithm: Given P and h ∈ Ht

P, there exists a compatible run iff

ΦP,h

t

(ε) ∩ F = ∅ , where ΦP,h

t

(α) =        q ∈ Q

• t(α)(p1, . . . , pn) → q ∈ ∆

∀i ∈ 1, n, pi ∈ ΦP,h

t

(α.i) q ∈

GP =

⇒ α ∈ h([q]≍P) q / ∈ dom(≅) \ P        .

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 53/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Compatibility Test

In Polynomial Time

Simple variant of reachability algorithm: Given P and h ∈ Ht

P, there exists a compatible run iff

ΦP,h

t

(ε) ∩ F = ∅ , where ΦP,h

t

(α) =        q ∈ Q

• t(α)(p1, . . . , pn) → q ∈ ∆

∀i ∈ 1, n, pi ∈ ΦP,h

t

(α.i) q ∈

GP =

⇒ α ∈ h([q]≍P) q / ∈ dom(≅) \ P        .

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 53/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Compatibility Test

In Polynomial Time

Simple variant of reachability algorithm: Given P and h ∈ Ht

P, there exists a compatible run iff

ΦP,h

t

(ε) ∩ F = ∅ , where ΦP,h

t

(α) =        q ∈ Q

• t(α)(p1, . . . , pn) → q ∈ ∆

∀i ∈ 1, n, pi ∈ ΦP,h

t

(α.i) q ∈

GP =

⇒ α ∈ h([q]≍P) q / ∈ dom(≅) \ P        .

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 53/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Compatibility Test

In Polynomial Time

Simple variant of reachability algorithm: Given P and h ∈ Ht

P, there exists a compatible run iff

ΦP,h

t

(ε) ∩ F = ∅ , where ΦP,h

t

(α) =        q ∈ Q

• t(α)(p1, . . . , pn) → q ∈ ∆

∀i ∈ 1, n, pi ∈ ΦP,h

t

(α.i) q ∈

GP =

⇒ α ∈ h([q]≍P) q / ∈ dom(≅) \ P        .

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 53/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Compatibility Test

In Polynomial Time

Simple variant of reachability algorithm: Given P and h ∈ Ht

P, there exists a compatible run iff

ΦP,h

t

(ε) ∩ F = ∅ , where ΦP,h

t

(α) =        q ∈ Q

• t(α)(p1, . . . , pn) → q ∈ ∆

∀i ∈ 1, n, pi ∈ ΦP,h

t

(α.i) q ∈

GP =

⇒ α ∈ h([q]≍P) q / ∈ dom(≅) \ P        .

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 53/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Rigidification

Problem : Given TA= A, build equivalent RTA B.

General Result [Filiot, 2008, Lem. 5.3.5] Exponential construction: B O(2A2) In the case of TA=

1 :

Polynomial construction: B O(A2) Idea : Simulate a constraint p ≅ q, p = q by a TA intersection

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 54/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Rigidification: Construction

B = B¬

p ⊎ B¬ q ⊎ A | Q′, ∆′, qf ≅ qf

B¬

p = A | Q \ {p}

B¬

q = A | Q \ {q}

Q′ = (Q \ {p, q}) ⊎ (Bpq :Q) ∆′ = ∆qf

pq ⊎ (Bpq :∆)

Bpq = Bp Bq qf = (p, q) Bp = B¬

q | F := {p}, ∆ := ∆p

Bq = B¬

p | F := {q}, ∆ := ∆q

∆p = B¬

q :∆ \ { . . . p . . . → . . . }

∆q = B¬

p :∆ \ { . . . q . . . → . . . }

∆qf

pq is A:∆ from which all left-hand side occurrences of p or q

have been replaced by qf.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 55/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Emptiness

Outline of the Result and Proof

Complexity of Emptiness : L(A) = ∅ ? PTime (quadratic) for TA=

1

ExpTime-complete for TA=

k, k 2

TA=

1 : immediate by rigidification. Emptiness for RTA: linear time

TA=

2 : Reduction of intersection-emptiness of n TA A1, . . . , An.

Generalisation of the usual argument [Filiot et al., 2008, Thm. 1] from “unlimited constraints” to “two constraints”

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 56/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

L = ∅ ⇐ ⇒

n

• i=1

L(Ai) = ∅ σ σ u1 σ u2 σ u3 . . . σ un−1 un σ u σ u σ u . . . σ u u

Figure : Reduction of intersection-emptiness: the language.

where ∀i, xi ∈ L(Ai) and x = xi

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 57/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Finiteness

Outline of the Result and Proof

Complexity of Finiteness : |L(A)| ∈ N ? PTime for TA=

1

ExpTime-complete for TA=

k, k 2

TA=

1 : immediate by rigidification. Finiteness for RTA is PTime

TA=

2 : Reduction of Emptiness for TA= 2 .

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 58/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Finiteness

Outline of the Result and Proof

A′ = A | Q ⊎ {p}, F := {p}, Σ ⊎ {σ/1}, ∆′ where ∆′ = ∆ ∪ { σ(qf) → p | qf ∈ F } ∪ { σ(p) → p } if L(A) = ∅ then L(A′) = ∅ if t ∈ L(A) then σ+(t) ⊆ L(A′) L(A′) is finite ⇐ ⇒ L(A) is empty

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 59/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Summary

and Perspectives

Refined complexity and expressiveness results: Expressiveness: TA=

k form a strict hierarchy

Membership: NP-c for TA=, but PTime for TA=

k, ∀k

Emptiness: quadratic for TA=

1 , ExpTime-complete for TA= 2

Finiteness: PTime for TA=

1 , ExpTime-complete for TA= 2

Left to do: Effects of ≅, flat constraints, efficient heuristics, etcetera.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 60/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Tree Walking Automata

in a Few Words

Not a new formalism [Aho and Ullman, 1969] Sequential model, as opposed to branching tree automata Less extensively studied model until ≈ 2000

[Bojańczyk and Colcombet, 2005, Bojańczyk and Colcombet, 2006]

Recent surge in interest, due mostly to connection to XML:

Caterpillar expressions [Brüggemann-Klein and Wood, 2000] Streaming XML documents [Segoufin and Vianu, 2002] type-checking XML-QL, XSLT,. . . [Milo et al., 2003]

Rich variants: pebbles, marbles,. . .

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 61/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Tree Walking Automata

in a Few Words

Existing research focused on fundamental problems: expressive power, determinisability,. . . We study practical, efficient algorithms In particular: the transformation from TWA to BUTA

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 61/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Preliminaries

Definition of Tree Walking Automata

A Tree-Walking Automaton is a tuple A = Σ, Q, I, F, ∆ ∆ ⊆ Σ × Q × { ⋆, 0, 1 }

• T : types

× { ↑, , ւ, ց }

• M : moves

×Q “f, p, τ → µ, q” written for the tuple (f, p, τ, µ, q) ∈ ∆. Σ2, p, T → , q = { (σ, p, τ, , q) | σ ∈ Σ2, τ ∈ T } Remarks Ranked (binary) vs. unranked alphabet Σ0, Q, T → { ւ, ց }, Q ∪ Σ, Q, ⋆ → ↑, Q invalid

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 62/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Preliminaries

Example Tree Walking Automaton

A very simple example TWA: X = Σ, Q, I, F, ∆ Σ0 = { a, b, c } and Σ2 = { f, g, h } Q = { qℓ, qu }, I = {qℓ}, F = {qu} ∆ = a, qℓ, { ⋆, 0 } → , qu ∪ Σ, qu, 0 → ↑, qu ∪ Σ2, qℓ, { ⋆, 0 } → ւ, qℓ X accepts exactly all trees whose left-most leaf is labelled by a — and the tree a itself.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 63/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Preliminaries

Example Tree Walking Automaton

Q = { qℓ, qu }, I = {qℓ}, F = {qu} ∆ = a, qℓ, { ⋆, 0 } → , qu ∪ Σ, qu, 0 → ↑, qu ∪ Σ2, qℓ, { ⋆, 0 } → ւ, qℓ f h a b a

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 64/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Preliminaries

Example Tree Walking Automaton

Q = { qℓ, qu }, I = {qℓ}, F = {qu} ∆ = a, qℓ, { ⋆, 0 } → , qu ∪ Σ, qu, 0 → ↑, qu ∪ Σ2, qℓ, { ⋆, 0 } → ւ, qℓ f[qℓ] h a b a

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 64/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Preliminaries

Example Tree Walking Automaton

Q = { qℓ, qu }, I = {qℓ}, F = {qu} ∆ = a, qℓ, { ⋆, 0 } → , qu ∪ Σ, qu, 0 → ↑, qu ∪ Σ2, qℓ, { ⋆, 0 } → ւ, qℓ f h[qℓ] a b a

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 64/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Preliminaries

Example Tree Walking Automaton

Q = { qℓ, qu }, I = {qℓ}, F = {qu} ∆ = a, qℓ, { ⋆, 0 } → , qu ∪ Σ, qu, 0 → ↑, qu ∪ Σ2, qℓ, { ⋆, 0 } → ւ, qℓ f h a[qℓ] b a

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 64/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Preliminaries

Example Tree Walking Automaton

Q = { qℓ, qu }, I = {qℓ}, F = {qu} ∆ = a, qℓ, { ⋆, 0 } → , qu ∪ Σ, qu, 0 → ↑, qu ∪ Σ2, qℓ, { ⋆, 0 } → ւ, qℓ f h a[qu] b a

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 64/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Preliminaries

Example Tree Walking Automaton

Q = { qℓ, qu }, I = {qℓ}, F = {qu} ∆ = a, qℓ, { ⋆, 0 } → , qu ∪ Σ, qu, 0 → ↑, qu ∪ Σ2, qℓ, { ⋆, 0 } → ւ, qℓ f h[qu] a b a

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 64/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Preliminaries

Example Tree Walking Automaton

Q = { qℓ, qu }, I = {qℓ}, F = {qu} ∆ = a, qℓ, { ⋆, 0 } → , qu ∪ Σ, qu, 0 → ↑, qu ∪ Σ2, qℓ, { ⋆, 0 } → ւ, qℓ f[qu] h a b a

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 64/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

TWA to BUTA Transformation

Given a TWA A, build an equivalent BUTA B

Solution outlined in [Bojańczyk, 2008] and [Samuelides, 2007] Based on the idea of tree loops Claims resulting states for B: T × 2Q2 — or det. (2Q2)T Only proof sketches. No explicit algorithm is given. We argue that things are slightly less straightforward:

Needed states space: Σ × T × 2Q2 — or det. Σ × (2Q2)T Existing implementations: almost correct [dtwa-tools]

We introduce tree overloops

This time we really have T × 2Q2 — or det. (2Q2)T Nicer upper bound if A is deterministic: |T| · 2|Q| log2(|Q|+1)

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 65/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

The Idea of Tree Loops

With Pretty Pictures

(pin, pout) ∈ Q2 is a loop of A on t|α if there exists a run which starts in pin, ends in pout — at the local root α, and always stays in the subtree pin · pout · · .

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 66/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

The Idea of Tree Loops

With Pretty Pictures

(pin, pout) ∈ Q2 is a loop of A on t|α if there exists a run which starts in pin, ends in pout — at the local root α, and always stays in the subtree · pin · pout · .

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 66/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

The Idea of Tree Loops

By Example

Recall that X visits the left-most leaf and goes back up if it is a. f h a b a Loops of X on. . . t: {} t|0: {} t|0.0: {} t|0.1: {} t|1: {}

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 67/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

The Idea of Tree Loops

By Example

Recall that X visits the left-most leaf and goes back up if it is a. f[qℓ] h a b a Loops of X on. . . t: {(qℓ, ?), (qℓ,qℓ)} t|0: {} t|0.0: {} t|0.1: {} t|1: {}

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 67/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

The Idea of Tree Loops

By Example

Recall that X visits the left-most leaf and goes back up if it is a. f h[qℓ] a b a Loops of X on. . . t: {(qℓ, ?), (qℓ, qℓ)} t|0: {(qℓ, ?), (qℓ,qℓ)} t|0.0: {} t|0.1: {} t|1: {}

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 67/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

The Idea of Tree Loops

By Example

Recall that X visits the left-most leaf and goes back up if it is a. f h a[qℓ] b a Loops of X on. . . t: {(qℓ, ?), (qℓ, qℓ)} t|0: {(qℓ, ?), (qℓ, qℓ)} t|0.0: {(qℓ, ?), (qℓ,qℓ)} t|0.1: {} t|1: {}

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 67/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

The Idea of Tree Loops

By Example

Recall that X visits the left-most leaf and goes back up if it is a. f h a[qu] b a Loops of X on. . . t: {(qℓ, ?), (qℓ, qℓ)} t|0: {(qℓ, ?), (qℓ, qℓ)} t|0.0: {(qℓ, qu), (qℓ, qℓ), (qu,qu)} t|0.1: {} t|1: {}

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 67/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

The Idea of Tree Loops

By Example

Recall that X visits the left-most leaf and goes back up if it is a. f h[qu] a b a Loops of X on. . . t: {(qℓ, ?), (qℓ, qℓ)} t|0: {(qℓ, qu), (qℓ, qℓ), (qu,qu)} t|0.0: {(qℓ, qu), (qℓ, qℓ), (qu, qu)} t|0.1: {} t|1: {}

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 67/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

The Idea of Tree Loops

By Example

Recall that X visits the left-most leaf and goes back up if it is a. f[qu] h a b a Loops of X on. . . t: {(qℓ, qu), (qℓ, qℓ), (qu,qu)} t|0: {(qℓ, qu), (qℓ, qℓ), (qu, qu)} t|0.0: {(qℓ, qu), (qℓ, qℓ), (qu, qu)} t|0.1: {} t|1: {}

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 67/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

The Idea of Tree Loops

By Example

Recall that X visits the left-most leaf and goes back up if it is a. f h a b a Loops of X on. . . t: {(qℓ, qu), (qℓ, qℓ), (qu, qu)} t|0: {(qℓ, qu), (qℓ, qℓ), (qu, qu)} t|0.0: {(qℓ, qu), (qℓ, qℓ), (qu, qu)} t|0.1: {(qℓ, qℓ), (qu, qu)} t|1: {(qℓ, qℓ), (qu, qu)}

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 67/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Computing Tree Loops

Loops Decomposition

A loop is a simple loop on t|α if there is a run which forms it and reaches α exactly twice — i.e. simple looping run Proposition: loops decomposition If S ⊆ Q2 is the set of all simple loops of A on a given subtree u = t|α, then S∗ is the set of all loops of A on u. So to compute all loops, it suffices to compute simple loops.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 68/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Computing Tree Loops

℧τ(u) = set of loops of A on a subtree u of type τ

On leaves u = a ∈ Σ0 Simple looping run = (α, p) ։ (α, q) only. Hτ

σ = { (p, q) | σ, p, τ → , q ∈ ∆ }

℧τ(a) = (Hτ

a)∗

On inner nodes u = f(u0, u1) : by first move ↑ — impossible: leaves the subtree u — all computed in Hτ

f

ւ — (ε, p), (0, p0), (β1, s1), . . . , (βn, sn), (0, q0), (ε, q), with all βk 0. So (p0, q0) ∈ ℧0(u0) ց —(ε, p), (1, p1), (β1, s1), . . . , (βn, sn), (1, q1), (ε, q), with all βk 1. So (p1, q1) ∈ ℧1(u1)

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 69/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Computing Tree Loops

℧τ(u) = set of loops of A on a subtree u of type τ

On leaves u = a ∈ Σ0 Simple looping run = (α, p) ։ (α, q) only. Hτ

σ = { (p, q) | σ, p, τ → , q ∈ ∆ }

℧τ(a) = (Hτ

a)∗

On inner nodes u = f(u0, u1)

1 choose a side: θ ∈ S = { 0, 1 } 2 find an existing loop on that side: (pθ, qθ) ∈ ℧θ(uθ) 3 such that one can connect beginning and end 1

f, p, τ → χ(θ), pθ ∈ ∆a and

2

uθ(ε), qθ, θ → ↑, q ∈ ∆

aχ(·) : S → { ւ, ց } such that χ(0) =ւ and χ(1) =ց Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 69/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Computing Tree Loops

℧τ(u) = set of loops of A on a subtree u of type τ

On leaves u = a ∈ Σ0 Simple looping run = (α, p) ։ (α, q) only. Hτ

σ = { (p, q) | σ, p, τ → , q ∈ ∆ }

℧τ(a) = (Hτ

a)∗

On inner nodes u = f(u0, u1)

• Hτ

f ∪

• (p, q)
• ∃θ ∈ S :

∃(pθ, qθ) ∈ ℧θ(uθ):f, p, τ → χ(θ), pθ ∈ ∆ uθ(ε), qθ, θ → ↑, q ∈ ∆ ∗

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 69/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Loops-Based Transformation Into BUTA

0 Input: A TWA A = Σ, Q, I, F, ∆ 1 Initialise States and Rules to ∅ 2 for each a ∈ Σ0, τ ∈ T do

let P = (a, τ, Hτ

a ∗)

add a → P to Rules and P to States

3 repeat until Rules remain unchanged

for each f ∈ Σ2, τ ∈ T do

add every f(P0, P1) → P to Rules and P to States where P0, P1 ∈ States such that P0 = (σ0, 0, S0) and P1 = (σ1, 1, S1) and P = (f, τ, (Hτ

f ∪ S)∗),

with S the set of simple loops built on the sons.

4 Output: A BUTA B equivalent to A:

B = Σ, States, { (σ, ⋆, L) ∈ States | L ∩ (I × F) = ∅ }, Rules

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 70/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Loops-Based Transformation Into BUTA

0 Input: A TWA A = Σ, Q, I, F, ∆ 1 Initialise States and Rules to ∅ 2 for each a ∈ Σ0, τ ∈ T do

let P = (a, τ, Hτ

a ∗)

add a → P to Rules and P to States

3 repeat until Rules remain unchanged

for each f ∈ Σ2, τ ∈ T do

add every f(P0, P1) → P to Rules and P to States where P0, P1 ∈ States such that P0 = (σ0, 0, S0) and P1 = (σ1, 1, S1) and P = (f, τ, (Hτ

f ∪ S)∗),

with S the set of simple loops built on the sons.

4 Output: A BUTA B equivalent to A:

B = Σ, States, { (σ, ⋆, L) ∈ States | L ∩ (I × F) = ∅ }, Rules

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 70/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Loops-Based Transformation Into BUTA

add every f(P0, P1) → P to Rules and P to States where P0, P1 ∈ States such that P0 = (σ0, 0, S0) and P1 = (σ1, 1, S1) and P = (f, τ, (Hτ

f ∪ S)∗),

with S the set of simple loops built on the sons. S =

• (p, q)
• ∃θ ∈ S :

∃(pθ, qθ) ∈ Sθ : f, p, τ → χ(θ), pθ ∈ ∆ σθ, qθ, θ → ↑, q ∈ ∆

• Tree (Not Quite) Regular Model-Checking

Vincent HUGOT Ph.D. Defence 70/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Loops-Based Transformation Into BUTA

add every f(P0, P1) → P to Rules and P to States where P0, P1 ∈ States such that P0 = (σ0, 0, S0) and P1 = (σ1, 1, S1) and P = (f, τ, (Hτ

f ∪ S)∗),

with S the set of simple loops built on the sons. S =

• (p, q)
• ∃θ ∈ S :

∃(pθ, qθ) ∈ Sθ : f, p, τ → χ(θ), pθ ∈ ∆ σθ, qθ, θ → ↑, q ∈ ∆

• The son’s symbol is needed to close the end of the loop!

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 70/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Loops-Based Transformation Into BUTA

The Real States Space

Sets of loops cannot be considered independently from the symbol in which they are rooted. Consider { a, b }, p, τ → , q and b, q, τ → ↑, s′ ∈ ∆. Then ℧θ(a) = ℧θ(b) = {(p, q)}∗, but ℧τ(f(a, a)) = ℧τ(f(b, b)). Needs states in Σ × T × 2Q2 instead of just T × 2Q2. Alphabet potentially large. How to get rid of it ?

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 71/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

From Tree Loops to Tree Overloops

Tree overloops: slight alteration of loops, with advantages. Fixes states space: T × 2Q2 instead of Σ × T × 2Q2. Deterministic case: |T| · 2|Q| log2(|Q|+1) better upper bound 2 to 100 times smaller BUTA in average in random tests. pout pin · q ·

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 72/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

From Tree Loops to Tree Overloops

Tree overloops: slight alteration of loops, with advantages. Fixes states space: T × 2Q2 instead of Σ × T × 2Q2. Deterministic case: |T| · 2|Q| log2(|Q|+1) better upper bound 2 to 100 times smaller BUTA in average in random tests. (p, q) ∈ Q2 is an overloop of A on t|α if there exists a run which starts in p, ends in q at the parent of the root α, and always stays in the subtree, except for the last configuration. Parent of ε is ε. A TWA A must be escaped into A′ =

• Σ, Q ⊎ {}, I, F, ∆ ⊎ Σ, F, ⋆ → ↑,
• .

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 72/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Overloops and Determinism

A TWA A = Σ, Q, I, F, ∆ is deterministic if for all σ ∈ Σ, p ∈ Q, τ ∈ T, |σ, p, τ → M, Q ∩ ∆| 1. In general, the overloops-based BUTA has up to |T| × 2|Q|2 states. However, it has at most |T| · 2|Q| log2(|Q|+1) states if A is a DTWA. If A is deterministic, overloop sets are functional. Not like loops. Partial functions versus relations. At most |Q + 1||Q| overloop sets, versus 2|Q|2.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 73/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Polynomial Approximation for Emptiness

Emptiness is ExpTime-complete XML Queries / Caterpillar accessibility Satisfiability of some XPath fragments But also TWA model-checking. . . Standard: TWA → BUTA (explosion) → linear test. Alternative: An over-approximation; may detect emptiness Polynomial time and space Very – surprisingly – accurate in our random tests

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 74/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Polynomial Approximation for Emptiness

0 Input: An escaped TWA A = Σ, Q, I, F, ∆ 1 Initialise L0, L1, L⋆ to ∅ 2 for each a ∈ Σ0, τ ∈ T do

Lτ ← Lτ ∪ Uτ

a[Hτ a ∗]

3 repeat until L0, L1, L⋆ remain unchanged

for each f ∈ Σ2, τ ∈ T do

Lτ ← Lτ ∪ Uτ

f[(Hτ f ∪ S)∗]

with S the set of simple loops built on L0 and L1.

4 Output: Empty if L⋆ ∩ (I × {}) = ∅, else Unknown Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 75/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Polynomial Approximation for Emptiness

0 Input: An escaped TWA A = Σ, Q, I, F, ∆ 1 Initialise L0, L1, L⋆ to ∅ 2 for each a ∈ Σ0, τ ∈ T do

Lτ ← Lτ ∪ Uτ

a[Hτ a ∗]

3 repeat until L0, L1, L⋆ remain unchanged

for each f ∈ Σ2, τ ∈ T do

Lτ ← Lτ ∪ Uτ

f[(Hτ f ∪ S)∗]

with S the set of simple loops built on L0 and L1.

4 Output: Empty if L⋆ ∩ (I × {}) = ∅, else Unknown

coarsest with one bucket L; finest as full transformation (exp)

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 75/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Polynomial Approximation for Emptiness

Random tests

1 Ad-hoc scheme: ≈ 20 000 TWA, 2 |Q| 20, |∆| ≈ 3 × |Q|,

75% of empty languages, only two Unknown instead of Empty.

2 Uniform scheme [Héam et al., 2009], REGAL back-end for FSA

generation [Bassino et al., 2007]. 2 000 deterministic and complete TWA uniformly generated for each 2 |Q| 25.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 76/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Polynomial Approximation for Emptiness

Random tests

5 10 15 20 25 30 35 40 45 50 55 2 4 6 8 10 12 14 16 18 20 22 24 ∅% |Q|

Approximation – 2000 samples Approximation – 200 samples Exact – 200 samples Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 76/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Size Comparison: Loops vs. Overloops

One Example & Uniform Generation Scheme

For X: loops Bl = 1986; overloops Bo = 95; deterministic minimal Bm = 56; smallest known non-deterministic Bs = 34. Loops 60 times worse than manual optimal; overloops 3 times. Orthogonal to post-processing cleanup:

• B′

l

• = 1617, B′
• = 78.

Bl Bo ≈ 20.9 and

• B′

l

• B′
• ≈ 20.7

and Bl

• B′

l

• ≈ Bo

B′

• ≈ 1.2 .

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 77/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

Size Comparison: Loops vs. Overloops

One Example & Uniform Generation Scheme

1 2 3 2 3 4 5 6 7 B 105 |QA|

Bl B′

l (clean)

Bo B′

• (clean)

2 3 4 5 6 70 2 4 6 8 10 12 14 16 18 Ratio |QA|

Bl/Bo B′

l/B′

• Bl/B′

l

Bo/B′

• Tree (Not Quite) Regular Model-Checking

Vincent HUGOT Ph.D. Defence 77/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

References I

Aho, A. and Ullman, J. (1969). Translations on a context free grammar. Information and Control, 19(5):439–475. Bassino, F., David, J., and Nicaud, C. (2007).

REGAL : A library to randomly and exhaustively generate

automata. In CIAA, LNCS 4783, pages 303–305. Bojańczyk, M. (2008). Tree-Walking Automata. LATA’08 (tutorial), LNCS, 5196. Bojańczyk, M. and Colcombet, T. (2005). Tree-walking automata do not recognize all regular languages. STOC ’05, pages 234–243. ACM.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 78/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

References II

Bojańczyk, M. and Colcombet, T. (2006). Tree-walking automata cannot be determinized. Theoretical Computer Science, 350(2-3):164–173. Bouajjani, A. and Touili, T. (2002). Extrapolating tree transformations. In Brinksma, E. and Larsen, K. G., editors, Computer Aided Verification, CAV’02, volume 2404 of Lecture Notes in Computer Science, pages 539–554. Springer-Verlag. Boyer, B. and Genet, T. (2009). Verifying Temporal Regular Properties of Abstractions of Term Rewriting Systems. In RULE, volume 21 of EPTCS, pages 99–108.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 79/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

References III

Brüggemann-Klein, A. and Wood, D. (2000). Caterpillars: A context specification technique. Markup Languages, 2(1):81–106. Clarke, E. M. and Emerson, E. A. (1981). Design and synthesis of synchronization skeletons using branching-time temporal logic. In Kozen, D., editor, Logic of Programs, volume 131 of Lecture Notes in Computer Science, pages 52–71. Springer. Comon, H., Dauchet, M., Gilleron, R., Löding, C., Jacquemard, F., Lugiez, D., Tison, S., and Tommasi, M. (2008). Tree Automata Techniques and Applications. release November 18, 2008.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 80/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

References IV

Courbis, R., Héam, P.-C., and Kouchnarenko, O. (2009). TAGED Approximations for Temporal Properties Model-Checking. In [Maneth, 2009], pages 135–144. Dwyer, M., Avrunin, G., and Corbett, J. (1999). Patterns in property specifications for finite-state verification. In ICSE’99, pages 411–420. IEEE. Feuillade, G., Genet, T., and Tong, V. V. T. (2004). Reachability analysis over term rewriting systems.

• J. Autom. Reasoning, 33(3-4):341–383.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 81/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

References V

Filiot, E. (2008). Logics for n-ary queries in trees. PhD thesis, Université des Sciences et Technologie de Lille - Lille I. Filiot, E., Talbot, J.-M., and Tison, S. (2008). Tree automata with global constraints. In Developments in Language Theory, volume 5257 of Lecture Notes in Computer Science, pages 314–326. Springer. Héam, P., Hugot, V., and Kouchnarenko, O. (2010). SAT Solvers for Queries over Tree Automata with Constraints. In Third International Conference on Software Testing, Verification, and Validation Workshops, pages 343–348. IEEE.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 82/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

References VI

Héam, P.-C., Hugot, V., and Kouchnarenko, O. (2011). Loops and overloops for tree walking automata. In CIAA’11, LNCS 6807, pages 166–177. Héam, P.-C., Hugot, V., and Kouchnarenko, O. (2012a). From linear temporal logic properties to rewrite propositions. In Gramlich, B., Miller, D., and Sattler, U., editors, IJCAR’12, volume 7364 of Lecture Notes in Computer Science, pages 316–331. Springer. Héam, P.-C., Hugot, V., and Kouchnarenko, O. (2012b). Loops and overloops for tree-walking automata. Theoretical Computer Science, 450:43–53.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 83/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

References VII

Héam, P.-C., Hugot, V., and Kouchnarenko, O. (2012c). On positive TAGED with a bounded number of constraints. In Moreira, N. and Reis, R., editors, CIAA, volume 7381 of Lecture Notes in Computer Science, pages 329–336. Springer. Héam, P.-C., Nicaud, C., and Schmitz, S. (2009). Random generation of deterministic tree (walking) automata. In [Maneth, 2009], pages 115–124. Hugot, V. (2013). Tree Automata, Approximations, and Constraints for Verification – Tree (Not Quite) Regular Model-Checking. Ph.D. thesis (to be defended), Université de Franche-Comté.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 84/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

References VIII

Jacquemard, F., Klay, F., and Vacher, C. (2009). Rigid tree automata. In Horia Dediu, A., Mihai Ionescu, A., and Martín-Vide, C., editors, Proceedings of the 3rd International Conference on Language and Automata Theory and Applications (LATA’09), volume 5457 of Lecture Notes in Computer Science, pages 446–457, Tarragona, Spain. Springer. Kesten, Y., Maler, O., Marcus, M., Pnueli, A., and Shahar, E. (1997). Symbolic model checking with rich assertional languages. In Grumberg, O., editor, CAV, volume 1254 of Lecture Notes in Computer Science, pages 424–435. Springer.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 85/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

References IX

Maneth, S., editor (2009). Implementation and Application of Automata, 14th International Conference, CIAA 2009, Sydney, Australia, July 14-17, 2009. Proceedings, volume 5642 of Lecture Notes in Computer Science. Springer. Manna, Z. and Pnueli, A. (1995). Temporal Verification of Reactive Systems - Safety. Springer. Meseguer, J. (1992). Conditioned rewriting logic as a unified model of concurrency. Theoretical Computer Science, 96(1):73–155.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 86/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

References X

Milo, T., Suciu, D., and Vianu, V. (2003). Typechecking for XML transformers.

• J. Comput. Syst. Sci., 66(1):66–97.

Queille, J.-P. and Sifakis, J. (1982). Specification and verification of concurrent systems in CESAR. In Dezani-Ciancaglini, M. and Montanari, U., editors, Symposium on Programming, volume 137 of Lecture Notes in Computer Science, pages 337–351. Springer. Samuelides, M. (2007). Automates d’arbres à jetons. PhD thesis, Université Paris-Diderot - Paris VII.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 87/24

Preliminaries LTL Checking Bounded TAGE Other Works Appendices References

References XI

Segoufin, L. and Vianu, V. (2002). Validating Streaming XML Documents. In PODS, pages 53–64. ACM. Vacher, C. (2010). Tree automata with global constraints for the verification of security properties. Ph.D. thesis, ENS Cachan.

Tree (Not Quite) Regular Model-Checking Vincent HUGOT Ph.D. Defence 88/24