Model Checking
Lecture 3
Specification Automata
Syntax, given a set A of atomic observations:
S finite set of states
S0 S set of initial states
S S transition relation
: S PL(A) where the formulas of PL are
::= a | |
for a A
Specification Omega Automata
Syntax as for finite automata, in addition the following acceptance condition:
Buchi: BA S
Language L(M) of specification omega-automaton
M = (S, S0, , , BA ) :
infinite trace t0, t1, ... L(M)
iff
there exists an infinite run s0 s1 ... of M
such that
1. s0 s1 ... satisfies BA
2. for all i 0, ti |= (si)
Let Inf(s) = { p | p = si for infinitely many i }.
The infinite run s satisfies the acceptance condition BA
iff
Inf(s) BA
(K,q) |=L M iff L(K,q) L(M)
Linear semantics of specification omega automata:
omega-language containment
infinite traces
Response specification automaton:
(a b) assuming (a b) = false
[Figure: automaton with states s0, s1, s2, s3 and transition labels a, b]
Buchi condition { s0, s3 }
Response monitor automaton:
(a b) assuming (a b) = false
[Figure: automaton with states s0, s1, s2 and labels a, b, true]
Buchi condition { s2 }
Outline
1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness
2 Graph algorithms for model checking
3 Symbolic algorithms for model checking
4 Pushdown systems
Model-Checking Algorithms = Graph Algorithms
1 Safety:
-solve: finite monitors ( emptiness)
-algorithm: reachability (linear)
2 Liveness:
-solve: Buchi monitors ( emptiness)
-algorithm: strongly connected components (linear)
We will talk about STL and CTL model checking later.
From specification automata to monitor automata:
determinization (exponential) + complementation (easy)
From LTL to monitor automata:
complementation (easy) + tableau construction (exponential)
Algorithms
1 Reachability
2 Strongly connected components
3 Tableau construction
Finite Emptiness
Given: finite automaton (S, S0, , , FA)
Find: is there a path from a state in S0 to a state in FA ?
Fix a set A of atomic observations
State-transition graph K
Q set of states
Q Q transition relation
[ ]: Q 2A observation function
Monitor automaton M
S finite set of states
S0 S set of initial states
S S transition relation
E S set of final states
: S PL(A) where the formulas of PL are
::= a | | for a A
(K,q) |=C M iff L(K,q) L(M) =
We construct another monitor automaton M’ such that L(M’) = L(K,q) L(M)
S’ = {(q,s) Q S | [q] |= (s)} finite set of states
({q} S0) S’ set of initial states
(q,s) (q’,s’) transition relation
iff q q’ and s s’
(Q E) S’ set of final states
’: S’ PL(A) labeling function
’(q,s) = conjunction of atomic observations in [q] and negated atomic observations not in [q]
languages over finite traces
Finite Emptiness
Given: monitor automaton (S, S0, , , E)
Find: is there a path from a state in S0 to a state in E ?
Solution: depth-first or breadth-first search
dfs(s) {
  if (s ∈ E) then report error
  add s to dfsTable
  for each successor t of s
    if (t ∉ dfsTable) then dfs(t)
}
Buchi Emptiness
Given: Buchi automaton (S, S0, , , BA)
Find: is there an infinite path from a state in S0 that visits some state in BA infinitely often ?
Monitor Buchi automaton M
S finite set of states
S0 S set of initial states
S S transition relation
BA S acceptance condition
: S PL(A) where the formulas of PL are
::= a | | for a A
(K,q) |=C M iff L(K,q) L(M) =
We construct another monitor Buchi automaton M’ such that L(M’) = L(K,q) L(M)
S’ = {(q,s) Q S | [q] |= (s)} finite set of states
({q} S0) S’ set of initial states
(q,s) (q’,s’) transition relation
iff q q’ and s s’
(Q BA) S’ acceptance condition
’: S’ PL(A) labeling function
’(q,s) = conjunction of atomic observations in [q] and negated atomic observations not in [q]
languages over infinite traces
Buchi Emptiness
Given: Buchi automaton (S, S0, , , BA)
Find: is there an infinite path from a state in S0 that visits some state in BA infinitely often ?
Solution: 1. Compute SCC graph by depth-first search
2. Mark SCC C as fair iff C BA
3. Check if some fair SCC is reachable from S0
Complexity
n number of states
m number of transitions
Reachability: O(n+m)
SCC: O(n+m)
Buchi emptiness
• Two algorithms for SCC computation
  – forward and backward DFS
  – forward HI-LO algorithm
• Storing SCCs requires a lot of memory
• Nested DFS
  – checks Buchi emptiness without explicitly computing SCCs
dfs(s) {
  add s to dfsTable
  for each successor t of s
    if (t ∉ dfsTable) then dfs(t)
  if (s ∈ BA) then { seed := s; ndfs(s) }
}
ndfs(s) {
  add s to ndfsTable
  for each successor t of s
    if (t ∉ ndfsTable) then ndfs(t)
    else if (t = seed) then report error
}
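The product construction M’ from the monitor Buchi slide and the nested DFS above, carried out in Python as an added example that is not part of the lecture. The state-transition graph K (with a deliberate q2 → q2 loop that can leave a request a unanswered), the (positive atoms, negated atoms) encoding of labels, and the monitor M mirroring the shape of the slide's response monitor are all constructed for this example.

```python
# Added example, not the lecture's code.  Constructed K: a request/response system in
# which the q2 -> q2 loop is a bug (a request a may never be answered by b).  M mirrors
# the slide's response monitor <>(a & []!b): s0 = true (loop), s1 = a, s2 = !b (loop),
# Buchi set {s2}.  Labels are conjunctions of literals: (positive atoms, negated atoms).
K_OBS = {"q0": set(), "q1": {"a"}, "q2": set(), "q3": {"b"}}
K_EDGES = {"q0": ["q1"], "q1": ["q2"], "q2": ["q3", "q2"], "q3": ["q0"]}
M_LABEL = {"s0": (set(), set()), "s1": ({"a"}, set()), "s2": (set(), {"b"})}
M_EDGES = {"s0": ["s0", "s1"], "s1": ["s2"], "s2": ["s2"]}
M_INIT, M_BUCHI = {"s0"}, {"s2"}

def satisfies(obs, label):
    """[q] |= lambda(s): all positive literals hold and no negated literal does."""
    pos, neg = label
    return pos <= obs and not (neg & obs)

def build_product(q_init, k_obs, k_edges, m_label, m_edges, m_init, m_buchi):
    """Slide's M': S' = {(q,s) | [q] |= lambda(s)}, componentwise edges, BA' = (Q x BA) & S'."""
    states = {(q, s) for q in k_obs for s in m_label if satisfies(k_obs[q], m_label[s])}
    init = {(q_init, s) for s in m_init} & states
    edges = {(q, s): [(q2, s2) for q2 in k_edges[q] for s2 in m_edges[s] if (q2, s2) in states]
             for (q, s) in states}
    return init, edges, {(q, s) for (q, s) in states if s in m_buchi}

def nested_dfs(init, edges, accept):
    """Slide's dfs/ndfs: an accepting state on a reachable cycle, or None if L(M') is empty."""
    dfs_table, ndfs_table = set(), set()  # ndfsTable is shared across seeds, as on the slide
    def ndfs(s, seed):
        ndfs_table.add(s)
        for t in edges[s]:
            if t not in ndfs_table:
                if ndfs(t, seed):
                    return True
            elif t == seed:
                return True  # closed a cycle through the accepting seed
        return False
    def dfs(s):
        dfs_table.add(s)
        for t in edges[s]:
            if t not in dfs_table:
                found = dfs(t)
                if found:
                    return found
        return s if s in accept and ndfs(s, s) else None  # seeds taken in post-order
    for s0 in init:
        found = None if s0 in dfs_table else dfs(s0)
        if found:
            return found
    return None
```

With the q2 → q2 loop present the check reports the accepting product state (q2, s2), i.e. a counterexample to the response property; with that edge removed it returns None, so (K,q0) |=C M.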
Multi-Buchi Emptiness
Given: Multi-Buchi automaton (S, S0, , , BA1, …, BAn)
Find: is there an infinite path from a state in S0 that infinitely often visits some state in BAi for all i
such that 1 i n ?
Solution: 1. Compute SCC graph by depth-first search
2. Mark SCC C as fair iff C BAi for all i such that 1 i n.
3. Check if some fair SCC is reachable from S0
Tableau Construction
Given: LTL formula
Find: Multi-Buchi automaton M such that L(M) = L()
[Fischer & Ladner 1975; Manna & Wolper 1982]
monitors subformulas of
, ::= a | a | | | | U | W
( ) = ( ) = () = ()( U ) = ( W )( W ) = ( U )
Negation normal form
Fischer-Ladner Closure of a Formula
Sub (a) = { a, a }
Sub (a) = { a, a }
Sub () = { } Sub () Sub ()
Sub () = { } Sub () Sub ()
Sub () = { } Sub ()
Sub (U) = { U, (U) } Sub () Sub ()
Sub (W) = { W, (W) } Sub () Sub ()
| Sub () | = O(||)
s Sub () is consistent
iff
-for all atomic propositions a
(a) s iff a s
-if () Sub () then () s iff s and s
-if () Sub () then () s iff either s or s
-if (U) Sub () then (U) s iff either s or s and (U) s
-if (W) Sub () then (W) s iff either s or s and (W) s
Fischer-Ladner Closure of a Formula
…
…
Sub () = {, } Sub ()
Sub () = {, } Sub ()
s Sub () is consistent
iff
…
-if () Sub () then () s iff either s or s
-if () Sub () then () s iff s and s
Tableau M = (S, S0, , , BA1,…,BAn)
S ... set of consistent subsets of Sub ()
s S0 iff s
s t iff for all () Sub (), if () s then t
(s) ... conjunction of atomic observations in s and negated atomic observations not in s
There is an acceptance condition
- for each (U) Sub () given by { s | s or (U) s }
- for each () Sub () given by { s | s or () s }
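The closure, consistency and tableau definitions from the slides above carried out in code, as an added example that is not the lecture's own; the nested-tuple encoding of negation-normal-form formulas is an assumption of this example. For the formula a U b it enumerates the consistent subsets of Sub, the initial states, the transition relation via the next-obligations, the labeling, and one Buchi set per until-formula.

```python
from itertools import combinations

# Added example, not the lecture's code.  Formulas are in negation normal form and
# encoded here as nested tuples (an assumption of this example): ("atom", a),
# ("neg", a), ("and", f, g), ("or", f, g), ("next", f), ("until", f, g), ("wuntil", f, g).

def closure(f):
    """Fischer-Ladner closure Sub(f), following the recursive definition on the slide."""
    op = f[0]
    if op in ("atom", "neg"):
        return {("atom", f[1]), ("neg", f[1])}
    if op in ("and", "or"):
        return {f} | closure(f[1]) | closure(f[2])
    if op == "next":
        return {f} | closure(f[1])
    return {f, ("next", f)} | closure(f[1]) | closure(f[2])  # until / weak until

def consistent(s, sub):
    """The slide's consistency conditions for a subset s of Sub(f)."""
    for g in sub:
        op = g[0]
        if op == "neg" and (g in s) != (("atom", g[1]) not in s):
            return False
        if op == "and" and (g in s) != (g[1] in s and g[2] in s):
            return False
        if op == "or" and (g in s) != (g[1] in s or g[2] in s):
            return False
        if op in ("until", "wuntil") and (g in s) != (g[2] in s or (g[1] in s and ("next", g) in s)):
            return False
    return True

def tableau(f):
    """Tableau M = (S, S0, ->, lambda, BA_1..BA_n): S = consistent subsets of Sub(f),
    S0 = states containing f, s -> t iff every next-obligation in s is met in t,
    lambda(s) = atoms in s, and one Buchi set per until-formula in Sub(f)."""
    sub = sorted(closure(f), key=repr)
    states = [frozenset(c) for k in range(len(sub) + 1) for c in combinations(sub, k)
              if consistent(frozenset(c), sub)]
    init = [s for s in states if f in s]
    nexts = [g for g in sub if g[0] == "next"]
    edges = {s: [t for t in states if all(g not in s or g[1] in t for g in nexts)] for s in states}
    label = {s: {g[1] for g in s if g[0] == "atom"} for s in states}
    buchi = [{s for s in states if g[2] in s or g not in s} for g in sub if g[0] == "until"]
    return states, init, edges, label, buchi
```

For a U b the closure has 6 formulas, so 64 candidate subsets are tested and 8 survive as consistent states; the single non-accepting state is the one that holds a, not b, and still owes the until, which is exactly the state a Buchi run must leave infinitely often.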
Size of M is O(2||).
LTL model checking: PSPACE-complete