Logic without formulas:

automata as a computational

notation

Pierre Wolper

Universite de Liege

1

The basic idea

• Consider the domain of strings (words), or a domain that can be

encoded by strings (anything countable).

• Finite automata can then represent sets of elements or predicates (not

all).

• Finite automata are closed under boolean operations and projection

(existential quantification).

• One can thus build an automaton for any set definable in first-order

logic from predicates that are representable by automata.

Limitations: unary interpreted predicates that can be represented by finite

automata.

These limitations can be lifted by improving the encoding into strings.

2

How it got started

Julius-Richard Buchi (1924–1984) and WS1S

• individual variables x, y, . . . ranging over the naturals,

• set variables X,Y, . . . ranging over finite sets of naturals

• terms t : x, t+ 1

• formulas: t1 < t2, t ∈ X, ∧,∨,¬, ∃, ∀

3

An Encoding for WS1S

• Encode a natural number n by 0n10∗,

• Encode a set by a word in Σ = {0,1}n,

• Deal simultaneously with several numbers/sets by using the alphabetΣn.

Consequently:

• Sets are represented by words, and thus unary uninterpreted predicatescan be handled;

• By using the alphabet Σn, n-ary interpreted predicates can berepresented by automata.

Can be used in practice: MONA system , Klarlund et al 1995

4

Moving to S1S

• Infinite sets need to be represented,

• Thus use ω-words in Σω,

• The automata become Buchi automata,

• The rest stays the same, but complementation is harder.

5

The link to verification: temporal logic

A. Synthesis

• Build a program (transition system) from a temporal logicspecification.

• Temporal logic (and more) can be directly translated to S1S and thusto an automaton (transition system).

• The tame syntax of temporal logic allows an exponential (at the veryworst) translation to automata.

B. Model checking

• Linear-time Model-checking aims at comparing the sequencesgenerated by a program (transition system) to a temporal logicspecification.

• Using the translation from temporal logic to automata makes thecomparison algorithmically simple.

• One could also directly use automata as specifications (harder forliveness properties).

6

A different encoding of numbers

• Encode numbers using the usual binary (base r). positional encoding.

• One can no longer encode unary predicates by strings, but addition

can be represented by an automaton.

• One can thus handle Presburger arithmetic 〈R,Z,+,≤〉.

Mojzesz Presburger (1904 - 1943?)

7

More on automata for arithmetic

Principles :

• Binary representation,

• Unbounded numbers,

• Most significant bit first.

• 2’s complement for negative numbers (at least p bits for a number x

such that −2p−1 ≤ x < 2p−1).

Examples :

4 : 0100, 00100, 000100, . . .−4 : 100, 1100, 11100, . . .

Vectors are represented by using same length encodings of the

components and reading them bit by bit.

8

Representing sets of integers by automata:

Building Automata for Linear Equations

Consider an equation ~a.~x = b with ~a ∈ Zn and b ∈ Z.

The problem is to build an automaton A = (S,2n, δ, s0, F ) accepting the

encodings of all ~x ∈ Zn satisfying the equation.

• Each state s of the automaton (except the initial state s0) is uniquely

labeled by an integer β(s). The final state is the one labeled by b. The

initial state is a special state labeled by 0.

• The idea of the construction is that the label of a state represents the

value of ~a.~x for the bits that have been read so far.

9

• Therefore, for states s and s′ other than s0 to be linked by a transition

labeled ~d, the number β(s) associated with the state s′ has to be given

by

β(s′) = ~a.~x′ = 2.~a.~x+ ~a.~d = 2.β(s) + ~a.~d.

where ~(x) and ~(x′) respectively represent the vectors read when

respectively reaching s and s′.

Note that the state s′ is unique.

• For the initial state, the associated value is 0 , but one has to take

into consideration that the first bit is a sign bit: in the function given

the next state, a 1 bit is interpreted as −1.

10

Example:

x− y = 2

−2

−1

1

2

−6

−5

−4

4

5

6

3

−3

000/11

01

10

10

00/11

01

01

1000/11

00/11

00/11

00/11

00/11

10

10

10

01

01

1000/11

01

01

−7

7

01

10

11

A useful approach?

• Very simple, leads to a direct implementation of a decision procedure

for Presburger arithmetic.

• Each projection and determinization can in theory lead to an

exponential blowup, but they do not.

• Results by F. Klaedtke (U. Freiburg, now ETH-Zurich) prove that the

minimal deterministic automaton corresponding to a Presburger

formula is at most of length three exponentials in the size of the

formula.

• A tool (LASH) has been developed for this, Boigelot et al.

12

Arithmetic automata: Expressiveness

Theorem: A set S ⊆ Zn is representable by an automaton in a base r > 1

iff it can be defined in the first-order theory 〈Z,+,≤, Vr〉, where Vr(z) is

the greatest power of r that divides z.

Theorem: A set S ⊆ Zn is representable by an automaton in in two

multiplicatively independent bases iff it can be defined in the first-order

theory 〈Z,+,≤〉 (i.e., Presburger arithmetic).

Automata-based representations of sets thus provide a simple algorithm

for deciding Presburger arithmetic.

Cobham1969, Semenov 1977

13

From Integers to Reals

Idea: Real numbers can be encoded as infinite words over an alphabet

composed of

• r digits: 0, 1, . . . , r − 1, and

• a separator ? between the integer and the fractional parts.

Examples:

Enc2(3.5) = 0+11 ? 1(0)ω ∪ 0+11 ? 0(1)ω

Enc2(−4) = 1+00 ? (0)ω ∪ 1+011 ? (1)ω.

One can thus handle the reals (and the integers) by using Buchi automata!

14

Reals and automata: implementation issues

Problem: Complementing Buchi automata requires elaborate algorithms.

Solution: It is sufficient to use only weak deterministic Buchi automata.

• In practical applications, weak deterministic Buchi automata are as

easy to handle as finite word automata;

• There exists a canonical form for weak deterministic automata.

The automata build for arithmetic formulas are naturally weak

deterministic, except when applying existential quantification, but in this

case they can always be transformed back into weak deterministic

automata.

15

Arithmetic automata on the reals: Expressiveness

Theorem: A set S ⊆ Rn is representable by an weak deterministic

automaton in two multiplicatively independent bases iff it can be defined

in the first-order theory 〈R,Z,+,≤〉.

Theorem: A set S ⊆ Rn is representable by a Buchi automaton in two

bases with different sets of prime factors iff it can be defined in the

first-order theory 〈R,Z,+,≤〉.

Boigelot, Brusten, Bruyere, 2008

Boigelot, Brusten, Leroux 2009,

16

The link to verification: infinite-state systems

The idea

• Compute with sets of states represented by finite automata.

• Can be applied to various domains: strings (queues, stacks, parametric

systems), integers and reals (real-time and hybrid systems).

The catch

• The most useful computation is that of the set of reachable states.

• This requires computing the transitive closure of an automaton

represented transition relation.

• But this is, in general, not computable.

The solution

• Use partial solutions that are domain specific or automata generic.

17

Computing the reachable states:A domain specific case, pushdown systems

A pushdown system is defined by a sextuple A = (C, c0,M,m0,Op,∆)

where

• C is a finite set of control locations,

• M = Σ∗ is the set of possible queue contents,

• Op = {a+, a−} for every a ∈ Σ. a+(w) = wa and a−(wa) = w for every

w ∈ Σ∗ (the value of a−(w) is not defined if w does not end with the

symbol a),

• ∆ ⊆ C ×Op× C is a finite set of transitions,

• c0 is an initial control location, and m0 is an initial memory content.

The reachable states of a pushdown system can be computed as the

reachability automaton of A.

18

It is the finite-state automaton Ar = (Qr,Σr,∆r, q0r , Fr) such that

• The set of states Qr is identical to C;

• The input alphabet Σr is identical to Σ;

• The transition relation ∆r ⊆ Qr × (Σr ∪ {ε})×Qr is the smallestrelation that satisfies the following conditions, where ∆∗r denotes thereflexive and transitive closure of ∆r, and ε denotes the empty word:

– If (q, a+, q′) ∈∆, then (q, a, q′) ∈∆r, and

– If (q, a−, q′) ∈∆ and (q′′, a, q) ∈∆∗r, then (q′′, ε, q′) ∈∆r;

• The initial state q0r is c0;

• All the states are accepting, i.e., we have Fr = Qr.

Ar characterizes the reachable states. A system state (q, w) is reachableiff q is reachable in Ar through the word w.

This is the basis of a tool (Moped, Esparza et al.) that checks recursiveboolean programs.

19

Computing reachable states: an automata-based approach

• Let R be a relation defined over the set of finite words constructed

from an alphabet Σ, that is regular and length preserving (i.e. if

(w,w′) ∈ R, then |w| = |w′|).

• R can thus be defined by a finite automaton T over the alphabet

Σ×Σ.

• If R represents the reachability relation of a system, the problem is to

compute R∗ (or R∗(I)).

• The idea used is to extrapolate a prefix of the series of powers of R.

20

Arithmetic transducers: an example

Transducer for (x, x+ 1) ∪ (x, x):

01

1,1

0,0

21,0

0,0

1,1

0,11,0

21

Computing the iteration: an example

T2:

3

1

1,0

2

0,0

1,1

00,0

1,1

1,0

0,10,0

1,1

T8:

4

3

1,0

5

0,0

1,1

0

1

0,0

1,0

1,12

0,1

0,0

1,1

6

1,0 0,0

0,1

1,0

1,1

1,1

0,0

0,1

1,0

0,10,0

1,1

T4:

4

2

1,0

3

0,0

1,1

0

1

0,0

1,0

1,1

0,1

0,0

1,1

1,0

0,10,0

1,1

T16:

5

4

1,0

6

0,0

1,1

0

1

0,0

1,0

1,1

2

0,1

0,0

1,1

7

1,0

0,0

0,1

1,0

1,1

3

1,1

0,0

0,1

8

1,0

0,0

0,1

1,0

1,1

0,0

1,1

0,1

1,0

0,10,0

1,1

22

Detecting increments and closing

• Common parts between Tsi0 and T

si+10 can be identified,

• These common parts are linked by an “increment”,

• Compute the iteration of the relation by allowing arbitrary repetitions

of this increment.

23

How about real application?

Intel provides a problem

• Most verification tools assume the memory model to be sequential

consistency (memory operations are interleaved.

• Recent multicore processors do not implement this memory model.

• Relaxed memory are in fact implemented: the order in which

operations are viewed at the memory is not necessary an interleaving

of the orders in which the operations are executed by the processes:

e.g. stores can be delayed.

24

The SC memory model

25

The TSO memory model

26

Verifying under TSO

• Buffer contents can be represented by words.

• Buffers are assumed to be unbounded.

• Sets of buffer contents are represented by automata.

• Operations on buffers translate to simple automata operations.

• The state-space exploration is done step by step, but acceleration

techniques are used for cycles.

• The restricted way in which the buffers are used makes the problem

simpler.

27

Conclusions

• When they can be used, automata are an excellent computationally

oriented representation of sets of values.

• Their expressiveness can be equivalent to that of logic and they enjoy

powerful properties such as normal forms.

• We have focused on (infinite)-word automata, but there are other

variants: trees, graphs, ...

• Issues are encoding the data and algorithms for computing with

automata.

• Most automata one works with in practice have a special structural

properties that it would be important to discover and exploit.

28