Model Checking Lecture 3

Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition relation : S PL(A) where the formulas of PL are ::= a | | for a A

Specification Omega Automata Syntax as for finite automata, in addition the following acceptance condition: Buchi:BA S

Language L(M) of specification omega-automaton M = (S, S 0,,, BA ) : infinite trace t 0, t 1,... L(M) iff there exists an infinite run s 0 s 1... of M such that 1. s 0 s 1... satisfies BA 2. for all i 0, t i |= (s i )

Let Inf(s) = { p | p = s i for infinitely many i }. The infinite run s satisfies the acceptance condition BA iff Inf(s) BA

(K,q) |= L M iff L(K,q) L(M) Linear semantics of specification omega automata: omega-language containment infinite traces

Response specification automaton : (a b) assuming (a b) = false a b b a s1s1 s2s2 s3s3 s0s0 Buchi condition { s 0, s 3 }

Response monitor automaton : (a b) assuming (a b) = false a b s1s1 s2s2 Buchi condition { s 2 } s0s0 true

Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking 3Symbolic algorithms for model checking 4Pushdown systems

Model-Checking Algorithms = Graph Algorithms

1Safety: -solve: finite monitors ( emptiness) -algorithm: reachability (linear) 2Liveness: -solve: Buchi monitors ( emptiness) -algorithm: strongly connected components (linear) We will talk about STL and CTL model checking later.

From specification automata to monitor automata: determinization (exponential) + complementation (easy) From LTL to monitor automata: complementation (easy) + tableau construction (exponential)

Algorithms 1Reachability 2Strongly connected components 3Tableau construction

Finite Emptiness Given: finite automaton (S, S 0,,, FA) Find: is there a path from a state in S 0 to a state in FA ?

Fix a set A of atomic observations

State-transition graph K Q set of states Q Q transition relation [ ]: Q 2 A observation function

Monitor automaton M Sfinite set of states S 0 Sset of initial states S S transition relation E Sset of final states : S PL(A) where the formulas of PL are ::= a | | for a A

(K,q) |= C M iff L(K,q) L(M) = We construct another monitor automaton M such that L(M) = L(K,q) L(M) S = {(q,s) Q S | [q] |= (s)} finite set of states ({q} S 0 ) S set of initial states (q,s) (q,s) transition relation iff q q and s s (Q E) Sset of final states : S PL(A)labeling function (q,s) = conjunction of atomic observations in [q] and negated atomic observations not in [q] languages over finite traces

Finite Emptiness Given: monitor automaton (S, S 0,,, E) Find: is there a path from a state in S 0 to a state in E ? Solution: depth-first or breadth-first search

dfs(s) { if (s E) then report error add s to dfsTable for each successor t of s if (t dfsTable) then dfs(t) }

Buchi Emptiness Given: Buchi automaton (S, S 0,,, BA) Find: is there an infinite path from a state in S 0 that visits some state in BA infinitely often ?

Monitor Buchi automaton M Sfinite set of states S 0 Sset of initial states S S transition relation BA Sacceptance condition : S PL(A) where the formulas of PL are ::= a | | for a A

(K,q) |= C M iff L(K,q) L(M) = We construct another monitor Buchi automaton M such that L(M) = L(K,q) L(M) S = {(q,s) Q S | [q] |= (s)} finite set of states ({q} S 0 ) S set of initial states (q,s) (q,s) transition relation iff q q and s s (Q BA) Sacceptance condition : S PL(A)labeling function (q,s) = conjunction of atomic observations in [q] and negated atomic observations not in [q] languages over infinite traces

Buchi Emptiness Given: Buchi automaton (S, S 0,,, BA) Find: is there an infinite path from a state in S 0 that visits some state in BA infinitely often ? Solution: 1. Compute SCC graph by depth-first search 2. Mark SCC C as fair iff C BA 3. Check if some fair SCC is reachable from S 0

Complexity n number of states m number of transitions Reachability:O(n+m) SCC:O(n+m)

Buchi emptiness Two algorithms for SCC computation –forward and backward DFS –forward HI-LO algorithm Storing SCCs requires lot of memory Nested DFS –checks Buchi emptiness without explicitly computing SCCs

dfs(s) { add s to dfsTable for each successor t of s if (t dfsTable) then dfs(t) if (s BA) then { seed := s; ndfs(s) } } ndfs(s) { add s to ndfsTable for each successor t of s if (t ndfsTable) then ndfs(t) else if (t = seed) then report error }

Multi-Buchi Emptiness Given: Multi-Buchi automaton (S, S 0,,, BA 1, …, BA n ) Find: is there an infinite path from a state in S 0 that infinitely often visits some state in BA i for all i such that 1 i n ? Solution: 1. Compute SCC graph by depth-first search 2. Mark SCC C as fair iff C BA i for all i such that 1 i n. 3. Check if some fair SCC is reachable from S 0

Tableau Construction Given:LTL formula Find: Multi-Buchi automaton M such that L(M ) = L( ) [Fischer & Ladner 1975; Manna & Wolper 1982] monitors subformulas of

, ::= a | a | | | | U | W ( ) = ( ) = ( ) ( U ) = ( W ) ( W )=( U ) Negation normal form

Fischer-Ladner Closure of a Formula Sub (a)= { a, a } Sub ( )={ } Sub ( ) Sub ( ) Sub ( )={ } Sub ( ) Sub ( U )={ U, ( U ) } Sub ( ) Sub ( ) Sub ( W )={ W, ( W ) } Sub ( ) Sub ( ) | Sub ( ) | = O(| |)

s Sub ( ) is consistent iff -for all atomic propositions a ( a) s iff a s -if ( ) Sub ( ) then ( ) s iff s and s -if ( ) Sub ( ) then ( ) s iff either s or s -if ( U ) Sub ( ) then ( U ) s iff either s or s and ( U ) s -if ( W ) Sub ( ) then ( W ) s iff either s or s and ( W ) s

Fischer-Ladner Closure of a Formula … Sub ( )={, } Sub ( )

s Sub ( ) is consistent iff … -if ( ) Sub ( ) then ( ) s iff either s or s -if ( ) Sub ( ) then ( ) s iff s and s

Tableau M = (S, S 0,,, BA 1,…,BA n ) S...set of consistent subsets of Sub ( ) s S 0 iff s s t iff for all ( ) Sub ( ), if ( ) s then t (s)... conjunction of atomic observations in s and negated atomic observations not in s There is an acceptance condition - for each ( U ) Sub ( ) given by { s | s or ( U ) s } - for each ( ) Sub ( ) given by { s | s or ( ) s }

Size of M is O(2 | | ). LTL model checking:PSPACE-complete