When Simulation Meets Antichains Yu-Fang Chen Academia Sinica, Taiwan Joint work with Parosh Aziz Abdulla, Lukas Holik, Richard Mayr, and Tomas Vojunar 1 on Checking Language Inclusion of NFA

Outline  Motivation  Previous Approaches Simulation-based Subset Construction-based  Our Approach: Simulation+Antichain  Further Extensions  Experimental Results 2

 NFA A=( Σ, Q, I, F, δ )  An example:  This NFA accepts the word aabab, but rejects the word aabaa  L(A)={w | w is accepted by A} Nondeterministic Finite State Automata 3 a,b a b p s r

 Many problems in verification can be reduced to language inclusion problems.  E.g., Automata-based Model Checking NFA M describes the behaviors of a system and NFA P describes the behaviors allowed by the desired property. L(M) µ L(P) ? Language Inclusion Problem 4 Language Inclusion Problem of NFA

Previous approaches for checking if L(A) µ L(B):  Simulation-based approach [Dill et al. CAV ’91] Check if all the initial states of A are simulated by some initial states of B  Subset Construction-based approaches Check if L(A) Å L(B)= ; Antichain-based approach [De Wulf et al. CAV ’06] Previous Approaches for Inclusion Checking 5

 A simulation on A=( Σ, Q, I, F, δ ) is a relation ¹µ Q £ Q such that p ¹ r (p is simulated by r) implies p 2 F ) r 2 F, and for every transition p ! a p', there exists a transition r ! a r' such that p' ¹ r'  It can be extended to states of two NFA.  There exists efficient polynomial-time algorithms for computing maximal simulation [FOCS’95, LICS’07]. Simulation-based Approach 6 r p ¹ p1p1 a1a1

 A simulation on A=( Σ, Q, I, F, δ ) is a relation ¹µ Q £ Q such that p ¹ r (p is simulated by r) implies p 2 F ) r 2 F, and for every transition p ! a p', there exists a transition r ! a r' such that p' ¹ r'  It can be extended to states of two NFA.  There exists efficient polynomial-time algorithms for computing maximal simulation [FOCS’95, LICS’07]. Simulation-based Approach 7 r p ¹¹ p1p1 r1r1 a1a1 a1a1

 A simulation on A=( Σ, Q, I, F, δ ) is a relation ¹µ Q £ Q such that p ¹ r (p is simulated by r) implies p 2 F ) r 2 F, and for every transition p ! a p', there exists a transition r ! a r' such that p' ¹ r'  It can be extended to states of two NFA.  There exists efficient polynomial-time algorithms for computing maximal simulation [FOCS’95, LICS’07]. Simulation-based Approach 8 r p ¹¹¹ p1p1 p2p2 r1r1 r2r2 a1a1 a1a1 a2a2 a2a2

 A simulation on A=( Σ, Q, I, F, δ ) is a relation ¹µ Q £ Q such that p ¹ r (p is simulated by r) implies p 2 F ) r 2 F, and for every transition p ! a p', there exists a transition r ! a r' such that p' ¹ r'  We have p ¹ r implies L(p) µ L(r).  It can be extended to states of two NFA.  There exists efficient polynomial-time algorithms for computing maximal simulation [FOCS’95, LICS’07]. Simulation-based Approach 9 r p ¹¹¹¹ p1p1 p2p2 pmpm r1r1 r2r2 rmrm …… a1a1 a1a1 a2a2 a2a2 a3a3 amam a3a3 amam

 NFA A=( Σ,Q A,I A,F A, δ A ) and B=( Σ,Q B,I B,F B, δ B ).  We have 8 p 2 I A 9 q 2 I B : p ¹ q implies L(A) µ L(B) L(A) = [ p 2 I a L(p) L(B) = [ q 2 I b L(q) Simulation-based Approach 10 µ

 NFA A=( Σ,Q A,I A,F A, δ A ) and B=( Σ,Q B,I B,F B, δ B ).  However, even if L(A) µ L(B), it is not always true that 8 p 2 I A 9 q 2 I B : p ¹ q  An example: Simulation-based Approach 11 A a,b p B a r’ We have L(A) µ L(B), but both p ¹ r 1 and p ¹ r 2 r1r1 r2r2 b

Problems of Simulation-based Approach Simulation-based approach is fast, but incomplete. No conclusion can be made if there exists no simulation between the initial states of the NFA. 12

Subset Construction-based Approach 13 p a a,b B a p’ A a a,b a r’ r a B p’ p,p’ ; b b a,b b a a p a Determinize & Complement Intersection A Å B r,{p} r, {p’} r', {p’} r,{p,p’} r',{p,p’} a a a a a a a a a b b Is L(A) µ L(B)?

 Is L(A) µ L(B)? Subset Construction-based Approach 14 p a a,b B a p’ A a a,b a r’ r a p’ p,p’ ; b b a,b b a a p a Determinize (subset construction)

 Is L(A) µ L(B)? Subset Construction-based Approach 15 p a a,b B a p’ A a a,b a r’ r a B p’ p,p’ ; b b a,b b a a p a Determinize & Complement

Subset Construction-based Approach 16 p a a,b B a p’ A a a,b a r’ r a B p’ p,p’ ; b b a,b b a a p a Determinize & Complement Intersection A Å B r,{p} r, {p’} r', {p’} r,{p,p’} r',{p,p’} a a a a a a a a a a b b Note: a product state is accepting if r is accepting and all states in R are rejecting r,R Is L(A) µ L(B)?

 Is L(A) µ L(B)? Subset Construction-based Approach 17 p a a,b B a p’ A a a,b a r’ r a r,{p} r, {p’} r', {p’} r,{p,p’} r',{p,p’} a a a a a a a a a a b b r, {p}

 Is L(A) µ L(B)? Subset Construction-based Approach 18 p a a,b B a p’ A a a,b a r’ r a r,{p} r, {p’} r', {p’} r,{p,p’} r',{p,p’} a a a a a a a a a a b b r, {p} r, {p’}r', {p’} a a

 Is L(A) µ L(B)? Subset Construction-based Approach 19 p a a,b B a p’ A a a,b a r’ r a r,{p} r, {p’} r', {p’} r,{p,p’} r',{p,p’} a a a a a a a a a a b b r, {p} r, {p’}r', {p’} a a r,{p} b

 Is L(A) µ L(B)? Subset Construction-based Approach 20 p a a,b B a p’ A a a,b a r’ r a r,{p} r, {p’} r', {p’} r,{p,p’} r',{p,p’} a a a a a a a a a a b b r, {p} r, {p’}r', {p’} a a r,{p} b

 Is L(A) µ L(B)? Subset Construction-based Approach 21 p a a,b B a p’ A a a,b a r’ r a r,{p} r, {p’} r', {p’} r,{p,p’} r',{p,p’} a a a a a a a a a a b b r, {p} r, {p’}r', {p’} a a r,{p}r',{p,p’}r,{p,p’} a a b

 Is L(A) µ L(B)? Subset Construction-based Approach 22 p a a,b B a p’ A a a,b a r’ r a r,{p} r, {p’} r', {p’} r,{p,p’} r',{p,p’} a a a a a a a a a a b b r, {p} r, {p’}r', {p’} a a r,{p,p’} r',{p,p’}r,{p}r',{p,p’}r,{p,p’} a a a a b

 Is L(A) µ L(B)? Subset Construction-based Approach 23 p a a,b B a p’ A a a,b a r’ r a r,{p} r, {p’} r', {p’} r,{p,p’} r',{p,p’} a a a a a a a a a a b b r, {p} r, {p’}r', {p’} a a r,{p,p’} r',{p,p’}r,{p}r',{p,p’}r,{p,p’} a a a a b

 Is L(A) µ L(B)? Subset Construction-based Approach 24 p a a,b B a p’ A a a,b a r’ r a r,{p} r, {p’} r', {p’} r,{p,p’} r',{p,p’} a a a a a a a a a a b b r, {p} r, {p’}r', {p’} a a r,{p,p’} r',{p,p’}r,{p}r',{p,p’}r,{p,p’} a a a a b r, {p}r', {p,p’}r, {p,p’}r', {p,p’}r, {p,p’} b a a a a

 Is L(A) µ L(B)?  Observe that if the product state already in the processed set, we do not need to continue the search from the state.  Intuition: any word that is accepted from will also be accepted from. Antichain-based Approach (CAV 2006) 25 p a a,b B a p’ A a a,b a r’ r a r,{p,p’} r, {p} r,{p,p’} Note: a product state is accepting if r is accepting and all states in R are rejecting r,R r‘, P [ P’ r‘, P w w 

 Is L(A) µ L(B)?  Define the order w between product states as follows: w iff (1) r = q and (2) R ¶ Q  Keep only minimal elements (wrt. w ) in the processed set Antichain-based Approach (CAV 2006) 26 p a a,b B a p’ A a a,b a r’ r a r, R An antichain is a subset of a partially ordered set such that any two elements in the subset are incomparable q, Q r, {p} r, {p’}r', {p’} a a r,{p,p’} r',{p,p’}r,{p}r',{p,p’}r,{p,p’} a a a a b r, {p}r', {p,p’}r, {p,p’}r', {p,p’}r, {p,p’} b a a a a

 Is L(A) µ L(B)? Antichain-based Approach (CAV 2006) 27 p a a,b B a p’ A a a,b a r’ r a r, {p} r, {p’}r', {p’} a a r,{p,p’} r',{p,p’}r,{p}r',{p,p’}r,{p,p’} a a a a b r, {p}r', {p,p’}r, {p,p’}r', {p,p’}r, {p,p’} b a a a a An antichain is a subset of a partially ordered set such that any two elements in the subset are incomparable

Problems of Antichain-based Approach Antichain-based approach is complete, but slow. In many cases, the determinization will cause a very fast growth in the number of states. 28

 Here we propose a new approach that can be viewed as a generalization of both simulation-based and antichain-based approaches.  It has the advantages of both approaches: fast and complete.  NFA A=( Σ,Q A,I A,F A, δ A ), B=( Σ,Q B,I B,F B, δ B ), a relation ¹ over states of A and B that implies language inclusion, i.e., p ¹ q implies L(p) µ L(q).  We want to know if L(A) µ L(B)? Generalize Both Approaches 29

 Optimization 1: an extended order between product states Previous: w iff (1) r = q and (2) R ¶ Q New: w 89 iff (1) r ¹ q and (2) 8 q i 9 r j : q i ¹ r j Generalize the Antichain-based Approach 30 r, Rq, Q r, { r 1, r 2,…, r n } q, { q 1, q 2,…, q m } q‘, Q 1 [ Q 2 [ … [ Q m r‘, R 1 [ R 2 [ … [ R n w w  Note: a product state is accepting if p is accepting and all states in P are rejecting p,P

 Optimization 1: an extended order between product states Previous: w iff (1) r = q and (2) R ¶ Q New: w 89 iff (1) r ¹ q and (2) 8 q i 9 r j : q i ¹ r j Generalize the Antichain-based Approach 31 r, Rq, Q r, { r 1, r 2,…, r n } q, { q 1, q 2,…, q m } q‘, Q 1 [ Q 2 [ … [ Q m r‘, R 1 [ R 2 [ … [ R n w w  Note: a product state is accepting if p is accepting and all states in P are rejecting p,P

 Optimization 1: an extended order between product states Previous: w iff (1) r = q and (2) R ¶ Q New: w 89 iff (1) r ¹ q and (2) 8 q i 9 r j : q i ¹ r j Generalize the Antichain-based Approach 32 r, Rq, Q r, { r 1, r 2,…, r n } q, { q 1, q 2,…, q m } q‘, Q 1 [ Q 2 [ … [ Q m r‘, R 1 [ R 2 [ … [ R n w w  Note: a product state is accepting if p is accepting and all states in P are rejecting p,P

 Optimization 1: an extended order between product states Previous: w iff (1) r = q and (2) R ¶ Q New: w 89 iff (1) r ¹ q and (2) 8 q i 9 r j : q i ¹ r j Generalize the Antichain-based Approach 33 r, Rq, Q r, { r 1, r 2,…, r n } q, { q 1, q 2,…, q m } q‘, Q 1 [ Q 2 [ … [ Q m r‘, R 1 [ R 2 [ … [ R n w w  Note: a product state is accepting if p is accepting and all states in P are rejecting p,P It can an be viewed as our special case when ¹ is the identity.

 Optimization 1: If ¹ is the maximal simulation, we have p ¹ p’, hence w 89 and we don’t need to continue from. Our Approach 34 p a a,b B a p’ A a a,b a r’ r a r, {p} r, {p’}r', {p’} a a r,{p,p’} r',{p,p’}r,{p}r',{p,p’}r,{p,p’} a a a a b r, {p}r', {p,p’}r, {p,p’}r', {p,p’}r, {p,p’} b a a a a r, {p}r, {p’} Note1: w 89 iff (1) r ¹ q and (2) 8 q’ 2 Q. 9 r’ 2 R: q’ ¹ r’ r, Rq, Q Note2: we have r’=p’ > r =p wrt. the maximal simulation

 Optimization 2: an generalized simulation-based approach We can stop the search if a product state s.t. 9 q i :q ¹ q i is encountered Any word w accepted from q are also accepted from q i. Hence, all successors of are not final states. Our algorithm begins with the following set of product states: { | i A 2 I A }  For cases that simulation is sufficient to prove language inclusion, our approach terminates immediately after all initial states are processed.  For cases that simulation is not sufficient to prove language inclusion, the time used for computing simulation is not wasted. Generalize Simulation-based Approaches 35 q, { q 1, q 2,…, q m } i A, I B

 Optimization 2:  If ¹ is the maximal simulation, we have r ¹ p, hence we can stop immediately from the product state and conclude that L(A) µ L(B) Our Approach 36 p a a,b B a p’ A a a,b a r’ r a r, {p} r, {p’}r', {p’} a a r,{p,p’} r',{p,p’}r,{p}r',{p,p’}r,{p,p’} a a a a b r, {p}r', {p,p’}r, {p,p’}r', {p,p’}r, {p,p’} b a a a a r, {p} Note: we have r’=p’ > r =p wrt. the maximal simulation

There Are More in the Paper….  Other optimizations  Correctness proof  … But it should be sufficient for you to understand how our approach subsumes both the antichain-based approach and the simulation-based approach. 37

Further Extensions and Applications  Further extensions: Tree Automata (done, TACAS 2010) Buchi Automata  Ramsey-based (antichain-based, TACAS 2010)  Safra-based  Rank-based (antichain-based, TACAS 2007, 2008)  Applications: Automata-based Model Checking Regular Model Checking (useful in verifying parameterized system). 38

Experimental Results Source: 1069 pairs of NFA generated from the intermediate steps of a regular model checker while verifying the correctness of the bakery algorithm, a producer-consumer system, the bubble sort algorithm, an algorithm that reverses a circular list, and a Petri net model of the readers/writers protocol. 39

Experimental Results Source: NFA generated from random regular expressions. Our approach is more stable. All the test cases are finished within 10 secs. 40

Experimental Results Source: We generate two NFA A and B from regular expressions and then check if L(A) µ L(A [ B). 41