Formal Methods: Module I: Automated Reasoning Ch. 05: Automata-Theoretic LTL Reasoning

(1)

Formal Methods:

Module I: Automated Reasoning

Ch. 05: Automata-Theoretic LTL Reasoning

Roberto Sebastiani and Stefano Tonetta

DISI, Università di Trento, Italy – roberto.sebastiani@unitn.it URL: http://disi.unitn.it/rseba/DIDATTICA/fm2021/

Teaching assistant:Giuseppe Spallitta– giuseppe.spallitta@unitn.it

M.S. in Computer Science, Mathematics, & Artificial Intelligence Systems Academic year 2020-2021

last update: Tuesday 20^thApril, 2021, 12:49

Copyright notice: some material (text, figures) displayed in these slides is courtesy of R. Alur, M. Benerecetti, A. Cimatti, M. Di Natale, P. Pandya, M. Pistore, M. Roveri, C. Tinelli, and S.Tonetta, who detain its copyright. Some exampes displayed in these slides are taken from [Clarke, Grunberg & Peled, “Model Checking”, MIT Press], and their copyright is

detained by the authors. All the other material is copyrighted by Roberto Sebastiani. Every commercial use of this material is strictly forbidden by the copyright laws without the authorization of the authors. No copy of these slides can be

displayed in public without containing this copyright notice.

1 / 69

(2)

Outline

1

Büchi Automata

2

The Automata-Theoretic Approach to LTL Reasoning General Ideas

Language-Emptiness Checking of Büchi Automata From Kripke Models to Büchi Automata

From LTL Formulas to Büchi Automata Complexity

3

Exercises

(3)

Outline

1

Büchi Automata

2

The Automata-Theoretic Approach to LTL Reasoning General Ideas

Language-Emptiness Checking of Büchi Automata From Kripke Models to Büchi Automata

From LTL Formulas to Büchi Automata Complexity

3

Exercises

3 / 69

(4)

Infinite Word Languages

Modeling infinite computations of reactive systems Given an Alphabet Σ (e.g. Σ

^def

= {a, b})

An ω-word α over Σ is an infinite sequence a

₀

, a

₁

, a

₂

. . ..

Formally, α : N → Σ.

The set of all infinite words is denoted by Σ

^ω

.

A ω-language L is collection of ω-words, i.e. L ⊆ Σ

^ω

. Example: All words over {a, b} with infinitely many a’s.

Notation:

omega words α, β, γ ∈ Σ

^ω

.

omega-languages L, L

₁

⊆ Σ

^ω

For u ∈ Σ

⁺

, let u

^ω

= u.u.u . . .

(5)

Omega-Automata

We consider automaton running over infinite words.

Let α = aabbbb . . ..

There are several (infinite) possible runs.

Run ρ

₁

= s

₁

, s

₁

, s

₁

, s

₁

, s

₂

, s

₂

. . . Run ρ

₂

= s

₁

, s

₁

, s

₁

, s

₁

, s

₁

, s

₁

. . .

Acceptance Conditions: Büchi (Muller, Rabin, Street):

Acceptance is based on states occurring infinitely often Notation Let ρ ∈ Q

^ω

. Then,

Inf (ρ) = {s ∈ Q | ∃

^∞

i ∈ N. ρ(i) = s}.

(The set of states occurring infinitely many times in ρ.)

5 / 69

(6)

Büchi Automata

Nondeterministic Büchi Automaton

A Nondeterministic Büchi Automaton (NBA) is (Q, Σ, δ, I, F ) s.t.

Q Finite set of states.

Σis a finite alphabet I ⊆ Q set of initial states.

F ⊆ Q set of accepting states.

δ ⊆Q × Σ × Q transition relation (edges).

A Deterministic Büchi Automaton (DBA) is an NBA s.t. the transition relation is functional: δ : Q × Σ 7−→ Q

Runs and Language of NBAs

A run ρ of A on ω-word α = a

₀

, a

₁

, a

₂

, ... is an infinite sequence ρ = q

o

, q

₁

, q

₂

, . . . s.t. q

₀

∈ I and q

_i

−→ q

^aⁱ _i+1

for 0 ≤ i.

The run ρ is accepting if Inf (ρ) ∩ F 6= ∅.

The language accepted by A

L(A) = {α ∈ Σ

^ω

| A has an accepting run on α}

(7)

Büchi Automaton: Example

Let Σ = {a, b}.

Let a Deterministic Büchi Automaton (DBA) A

₁

be

With F = {s

₁

} the automaton recognizes words with infinitely many a’s.

With F = {s

₂

} the automaton recognizes words with infinitely many b’s.

7 / 69

(8)

Büchi Automaton: Example (2)

Let a Nondeterministic Büchi Automaton (NBA) A

₂

be

With F = {s

₂

}, the automaton A

₂

recognizes words with finitely

many a. Thus, L(A

₂

) = L(A

₁

).

(9)

Deterministic vs. Nondeterministic Büchi Automata

Theorem

DBAs are strictly less powerful than NBAs.

The subset construction does not work!

Let DA

₂

be

DA

₂

is not equivalent to A

₂

(e.g., it recognizes (b.a)

^ω

)

There is no DBA equivalent to A

₂

9 / 69

(10)

Closure Properties

Theorem (union, intersection)

For the NBAs A

₁

, A

₂

we can construct

the NBA A s.t. L(A) = L(A

₁

) ∪ L(A

₂

). |A| = |A

1

| + |A

2

|

the NBA A s.t. L(A) = L(A

₁

) ∩ L(A

₂

). |A| ≤ |A

1

| · |A

2

| · 2.

(11)

Union of two NBAs

Definition: union of NBAs

Let A

₁

= (Q

₁

, Σ

₁

, δ

₁

, I

₁

, F

₁

), A

₂

= (Q

₂

, Σ

₂

, δ

₂

, I

₂

, F

₂

).

Then A = A

₁

∪ A

₂

= (Q, Σ, δ, I, F ) is defined as follows Q := Q

₁

∪ Q

2

, I := I

₁

∪ I

2

, F := F

₁

∪ F

2

R(s, s

⁰

) :=

R

₁

(s, s

⁰

) if s ∈ Q

₁

R

₂

(s, s

⁰

) if s ∈ Q

₂

Theorem

L(A) = L(A

1

) ∪ L(A

₂

)

|A |= |A

1

| + |A

2

|

Note

A is an automaton which just runs nondeterministically either A

₁

or A

₂

(same construction as with ordinary automata)

11 / 69

(12)

Synchronous Product of NBAs

Definition: synchronous product of NBAs

Let A

₁

= (Q

₁

, Σ, δ

₁

, I

₁

, F

₁

) and A

₂

= (Q

₂

, Σ, δ

₂

, I

₂

, F

₂

).

Then, A

₁

× A

2

= (Q, Σ, δ, I, F ), where Q = Q

₁

× Q

₂

× {1, 2}.

I = I

₁

× I

₂

× {1}.

F = F

₁

× Q

2

× {1}.

hp, q, 1i −→ hp

^a ⁰

, q

⁰

, 1i iff p −→ p

^a ⁰

and q −→ q

^a ⁰

and p 6∈ F

₁

. hp, q, 1i −→ hp

^a ⁰

, q

⁰

, 2i iff p −→ p

^a ⁰

and q −→ q

^a ⁰

and p ∈ F

₁

. hp, q, 2i −→ hp

^a ⁰

, q

⁰

, 2i iff p −→ p

^a ⁰

and q −→ q

^a ⁰

and q 6∈ F

₂

. hp, q, 2i −→ hp

^a ⁰

, q

⁰

, 1i iff p −→ p

^a ⁰

and q −→ q

^a ⁰

and q ∈ F

₂

.

Theorem

L(A

₁

× A

₂

) = L(A

₁

) ∩ L(A

₂

).

|A

1

× A

2

| ≤ 2 · |A

1

| · |A

2

|.

(13)

Synchronous Product of NBAs: Intuition

The automaton remembers two tracks, one for each source NBA, and it points to one of the two tracks

As soon as it goes through an accepting state of the current track, it switches to the other track

=⇒ in order to visit infinitely often a state in F (i.e., F

₁

), it must visit infinitely often some state also in F

₂

Important subcase: If F

₂

= Q

₂

, then Q = Q

₁

× Q

₂

.

I = I

₁

× I

₂

. F = F

₁

× Q

2

.

13 / 69

(14)

Synchronous Product of NBAs: Example

(15)

Closure Properties (2)

Theorem (complementation) [Safra, MacNaughten]

For the NBA A

₁

we can construct an NBA A

₂

such that L(A

2

) = L(A

₁

).

|A

₂

| = O(2

^|A¹^|·log(|A¹^|)

).

Method: (hint)

(i) convert a Büchi automaton into a Non-Deterministic Rabin automaton

(ii) determinize and Complement the Rabin automaton (iii) convert the Rabin automaton into a Büchi automaton.

15 / 69

(16)

Generalized Büchi Automaton

Definition

A Generalized Büchi Automaton is a tuple A := (Q, Σ, δ, I, FT ) where FT = hF

₁

, F

₂

, . . . , F

_k

i with F

_i

⊆ Q.

A run ρ of A is accepting if Inf (ρ) ∩ F

_i

6= ∅ for each 1 ≤ i ≤ k .

Theorem

For every Generalized Büchi Automaton we can construct a language equivalent plain Büchi Automaton.

Intuition

Let Q

⁰

= Q × {1, . . . , K }.

The automaton remains in phase i till it visits a state in F

_i

. Then, it

moves to (i mod K ) + 1 mode.

(17)

De-generalization of a generalized NBA

Definition: De-generalization of a generalized NBA

Let A

^def

= (Q, Σ, δ, I, FT ) a generalized BA s.f. FT

^def

= {F

₁

, ..., F

_K

}.

Then a language-equivalent BA A

⁰^def

= (Q

⁰

, Σ, δ

⁰

, I

⁰

, F

⁰

) is built as follows

Q

⁰

= Q

₁

× {1, ..., K }.

I

⁰

= I × {1}.

F

⁰

= F

₁

× {1}.

δ

⁰

is s.t., for every i ∈ [1, ..., K ]:

hp, ii −→ hq, ii

^a

iff p −→ q ∈ δ and p 6∈ F

^a _i

. hp, ii −→ hq, (i mod K ) + 1i iff p

^a

−→ q ∈ δ and p ∈ F

^a _i

.

Theorem

L(A

⁰

) = L(A).

|A

⁰

| ≤ K · |A|.

17 / 69

(18)

Degeneralizing a Büchi automaton: Example

(19)

Omega-regular Expressions

Definition

A language is called ω-regular if it has the form ∪

ⁿ_i=1

U

_i

.(V

_i

)

^ω

where U

_i

, V

_i

are regular languages.

Theorem

A language L is ω-regular iff it is NBA-recognizable.

19 / 69

(20)

Outline

1

Büchi Automata

2

The Automata-Theoretic Approach to LTL Reasoning General Ideas

Language-Emptiness Checking of Büchi Automata From Kripke Models to Büchi Automata

From LTL Formulas to Büchi Automata Complexity

3

Exercises

(21)

Outline

1

Büchi Automata

2

The Automata-Theoretic Approach to LTL Reasoning General Ideas

Language-Emptiness Checking of Büchi Automata From Kripke Models to Büchi Automata

From LTL Formulas to Büchi Automata Complexity

3

Exercises

21 / 69

(22)

Automata-Theoretic LTL Satisfiability and Entailment

LTL Validity/Satisfiability Let ψ be an LTL formula

|= ψ (LTL)

⇐⇒ ¬ψ unsat

⇐⇒ L(A_¬ψ) = ∅

A

¬ψ

is a Büchi Automaton which represents all and only the paths that satisfy ¬ψ (do not satisfy ψ)

LTL Entailment

Let ϕ, ψ be an LTL formula

ϕ |= ψ (LTL)

|= ϕ → ψ (LTL)

⇐⇒ ϕ ∧ ¬ψunsat

⇐⇒ L(Aϕ∧¬ψ) = ∅

A

_ϕ∧¬ψ

is a Büchi Automaton which represents all and only the

paths that satisfy ϕ ∧ ¬ψ (satisfy ϕ and do not satisfy ψ)

(23)

Automata-Theoretic LTL Model Checking

LTL Model Checking

Let M be a Kripke model and ψ be an LTL formula

M |= ψ (LTL)

⇐⇒ L(M) ⊆ L(ψ)

⇐⇒ L(M) ∩ L(ψ) = ∅

⇐⇒ L(M) ∩ L(¬ψ) = ∅

⇐⇒ L(A_M) ∩ L(A¬ψ) = ∅

⇐⇒ L(A_M× A¬ψ) = ∅

A

_M

is a Büchi Automaton equivalent to M (which represents all and only the executions of M)

A

_¬ψ

is a Büchi Automaton which represents all and only the paths that satisfy ¬ψ (do not satisfy ψ)

=⇒ A

_M

× A

¬ψ

represents all and only the paths appearing in M and not in ψ.

23 / 69

(24)

Automata-Theoretic LTL Model Checking

Four steps Let ϕ

^def

= ¬ψ:

(i) Compute A

_M

(ii) Compute A

ϕ

(iii) Compute the product A

_M

× A

ϕ

(iv) Check the emptiness of L(A

_M

× A

_ϕ

)

(25)

Outline

1

Büchi Automata

2

The Automata-Theoretic Approach to LTL Reasoning General Ideas

Language-Emptiness Checking of Büchi Automata From Kripke Models to Büchi Automata

From LTL Formulas to Büchi Automata Complexity

3

Exercises

25 / 69

(26)

NBA emptiness checking

Find an accepting cycle reachable from an initial state.

A naive algorithm:

(i) a DFS finds the final states f reachable from an initial state;

(ii) for each f , a second DFS finds if it can reach f (i.e., if there exists a loop)

Complexity: O(n

²

) SCC-based algorithm:

(i) Tarjan’s algorithm uses a DFS to find the SCCs in linear time;

(ii) drop all SCCs which do not have at least one arc, and which do not contain at least one accepting state f

(iii) another DFS finds if the union of non-trivial SCCs is reachable from an initial state.

Complexity: O(n)

Drawbacks: it stores too much information and does not find

directly a counterexample.

(27)

Double Nested DFS algorithm

Double Nested DFS Two nested DFSs

DFS1finds the final states f reachable from an initial state for each f, DFS2 finds if it can reach f (i.e., if there exists a loop)

Two Hash tables:

T1: reachable states

T2: states reachable from a reachable final state

Two stacks:

S1: current branch of states reachable

S2: current branch of states reachable from final state f

It stops as soon as it finds a counterexample.

The counterexample is given by

the stack of DFS2 (an accepting, preceded by cycle) the stack of DFS1 (a path from an initial state to the cycle)

DFS1 invokes DFS2 on each f

_i

only after popping it (postorder) T2 passed by reference, is not reset at each call of DFS2 !

27 / 69

(28)

Double Nested DFS - First DFS

// returns True if empty language, false otherwise Bool DFS1(NBA A) {

stack S1=I; stack S2=∅;

Hashtable T1=I; Hashtable T2=∅;

while S1!=∅ { v=top(S1);

if ∃w s.t. w∈ δ(v) && T1(w)==0 { hash(w,T1);

push(w,S1);

} else { pop(S1);

if (v∈F && !DFS2(v,S2,T2,A)) return False;

} }

return True;

}

(29)

Double Nested DFS - Second DFS

Bool DFS2(state f, stack & S, Hashtable & T, NBA A) { hash(f,T);

S = {f}

while S!=∅ { v=top(S);

if f∈ δ(v) return False;

if ∃w s.t. w∈ δ(v) && T(w)==0 { hash(w);

push(w);

} else pop(S);

}

return True;

}

Remark: T passed by reference, is not reset at each call of DFS2 !

29 / 69

(30)

Double nested DFS: intuition

DFS1 invokes DFS2 on each f

₁

, ..., f

_n

only after popping it (postorder):

suppose DFS2 is invoked on f

_j

before than on f

_i

=⇒ f

_i

not reachable from (any state s which is reachable from) f

_j

If during DFS2(f

_i

, ...) it is encountered a state S which has already been explored by DFS2(f

_j

, ...) for some f

_j

,

can we reach f_i from S?

No, because f_i is not reachable from f_j!

=⇒ it is safe to backtrack.

(31)

Double nested DFS: intuition

DFS1 invokes DFS2 on each f

₁

, ..., f

_n

only after popping it (postorder):

suppose DFS2 is invoked on f

_j

before than on f

_i

=⇒ f

_i

not reachable from (any state s which is reachable from) f

_j

If during DFS2(f

_i

, ...) it is encountered a state S which has already been explored by DFS2(f

_j

, ...) for some f

_j

,

=⇒ it is safe to backtrack. f

_j

f

_i

S

30 / 69

(32)

Double nested DFS: intuition

DFS1 invokes DFS2 on each f

₁

, ..., f

_n

only after popping it (postorder):

suppose DFS2 is invoked on f

_j

before than on f

_i

=⇒ f

_i

not reachable from (any state s which is reachable from) f

_j

If during DFS2(f

_i

, ...) it is encountered a state S which has already been explored by DFS2(f

_j

, ...) for some f

_j

,

=⇒ it is safe to backtrack. f

_j

f

_i

S

(33)

Double nested DFS: intuition

DFS1 invokes DFS2 on each f

₁

, ..., f

_n

only after popping it (postorder):

suppose DFS2 is invoked on f

_j

before than on f

_i

=⇒ f

_i

not reachable from (any state s which is reachable from) f

_j

If during DFS2(f

_i

, ...) it is encountered a state S which has already been explored by DFS2(f

_j

, ...) for some f

_j

,

=⇒ it is safe to backtrack. f

_j

f

_i

S

30 / 69

(34)

Double nested DFS: intuition

DFS1 invokes DFS2 on each f

₁

, ..., f

_n

only after popping it (postorder):

suppose DFS2 is invoked on f

_j

before than on f

_i

=⇒ f

_i

not reachable from (any state s which is reachable from) f

_j

If during DFS2(f

_i

, ...) it is encountered a state S which has already been explored by DFS2(f

_j

, ...) for some f

_j

,

=⇒ it is safe to backtrack. f

_j

f

_i

S

???

(35)

Double nested DFS: intuition

DFS1 invokes DFS2 on each f

₁

, ..., f

_n

only after popping it (postorder):

suppose DFS2 is invoked on f

_j

before than on f

_i

=⇒ f

_i

not reachable from (any state s which is reachable from) f

_j

If during DFS2(f

_i

, ...) it is encountered a state S which has already been explored by DFS2(f

_j

, ...) for some f

_j

,

=⇒ it is safe to backtrack. f

_j

f

_i

S

30 / 69

(36)

Double nested DFS: intuition

DFS1 invokes DFS2 on each f

₁

, ..., f

_n

only after popping it (postorder):

suppose DFS2 is invoked on f

_j

before than on f

_i

=⇒ f

_i

not reachable from (any state s which is reachable from) f

_j

If during DFS2(f

_i

, ...) it is encountered a state S which has already been explored by DFS2(f

_j

, ...) for some f

_j

,

=⇒ it is safe to backtrack. f

_j

f

_i

S

(37)

Double Nested DFS: example

T1

S2 S1

3 4 2

1 6

5 T2

31 / 69

(38)

Double Nested DFS: example

1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

(39)

Double Nested DFS: example

2

0 1

2 1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

31 / 69

(40)

Double Nested DFS: example

3

00 11

3 2

0 1

2 1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

(41)

Double Nested DFS: example

4

0 1

4 3

00 11

3 2

0 1

2 1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

31 / 69

(42)

Double Nested DFS: example

0 1

4 3

00 11

3 2

0 1

2 1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

(43)

Double Nested DFS: example

0 1

4

00 11

3 2

0 1

2 1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

31 / 69

(44)

Double Nested DFS: example

3

0 1

3

0 1

4

00 11

3 2

0 1

2 1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

(45)

Double Nested DFS: example

4

0 1

4 3

0 1

3

0 1

4

00 11

3 2

0 1

2 1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

31 / 69

(46)

Double Nested DFS: example

0 1

4 3

0 1

3

0 1

4

00 11

3 2

0 1

2 1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

(47)

Double Nested DFS: example

0 1

4

0 1

3

0 1

4

00 11

3 2

0 1

2 1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

31 / 69

(48)

Double Nested DFS: example

0 1

4

0 1

3

0 1

4

00 11

3

0 1

2 1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

(49)

Double Nested DFS: example

5

00 11

5

0 1

4

0 1

3

0 1

4

00 11

3

0 1

2 1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

31 / 69

(50)

Double Nested DFS: example

6

00 11

6 5

00 11

5

0 1

4

0 1

3

0 1

4

00 11

3

0 1

2 1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

(51)

Double Nested DFS: example

00 11

6 5

00 11

5

0 1

4

0 1

3

0 1

4

00 11

3

0 1

2 1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

31 / 69

(52)

Double Nested DFS: example

00 11

6

00 11

5

0 1

4

0 1

3

0 1

4

00 11

3

0 1

2 1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

(53)

Double Nested DFS: example

5

0 1

5

00 11

6

00 11

5

0 1

4

0 1

3

0 1

4

00 11

3

0 1

2 1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

31 / 69

(54)

Double Nested DFS: example

2

0 1

2 5

0 1

5

00 11

6

00 11

5

0 1

4

0 1

3

0 1

4

00 11

3

0 1

2 1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

(55)

Double Nested DFS: example

0 1

2 5

0 1

5

00 11

6

00 11

5

0 1

4

0 1

3

0 1

4

00 11

3

0 1

2 1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

31 / 69

(56)

Double Nested DFS: example

6

0 1

6

0 1

2 5

0 1

5

00 11

6

00 11

5

0 1

4

0 1

3

0 1

4

00 11

3

0 1

2 1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

(57)

Double Nested DFS: example

1

0 1

1 6

0 1

6

0 1

2 5

0 1

5

00 11

6

00 11

5

0 1

4

0 1

3

0 1

4

00 11

3

0 1

2 1

0 1

1 T1

S2 S1

3 4 2

1 6

5 T2

31 / 69

(58)

Outline

1

Büchi Automata

2

The Automata-Theoretic Approach to LTL Reasoning General Ideas

Language-Emptiness Checking of Büchi Automata From Kripke Models to Büchi Automata

From LTL Formulas to Büchi Automata Complexity

3

Exercises

(59)

Computing an NBA A

_M

from a Kripke Structure M

Transform a Kripke model M = hS, S

₀

, R, L, APi into an NBA A

_M

= hQ, Σ, δ, I, F i s.t.:

States:Q := S ∪ {init}, init being a new initial state Alphabet:Σ :=2^AP

Initial State:I := {init}

Accepting States:F := Q = S ∪ {init}

Transitions:

δ : q−→ q^a ⁰iff (q, q⁰) ∈R and L(q⁰) =a init−→ q iff q ∈ S^a ₀and L(q) = a

L(A

_M

) = L(M)

|A

_M

| = |M| + 1

33 / 69

(60)

Computing a NBA A

_M

from a Kripke Structure M:

Example

{p,q}

Kripke Structure Buechi Automaton

{p,q} {p}

{q}

{p,−q}

{−p,q}

=⇒ Substantially, add one initial state, move labels from states to

incoming edges, set all states as accepting states

(61)

Labels on Kripke Structures and BA’s - Remark

Note that the labels of a Büchi Automaton are different from the labels of a Kripke Structure. Also graphically, they are interpreted differently:

p

in a Kripke Structure, it means that p is true and all other propositions are false;

in a Büchi Automaton, it means that p is true and all other propositions are irrelevant (“don’t care”), i.e. they can be either true or false.

35 / 69

(62)

Outline

1

Büchi Automata

2

The Automata-Theoretic Approach to LTL Reasoning General Ideas

Language-Emptiness Checking of Büchi Automata From Kripke Models to Büchi Automata

From LTL Formulas to Büchi Automata Complexity

3

Exercises

(63)

Translation problem

Problem

Given an LTL formula φ, find a Büchi Automaton that accepts the same language of φ.

It is a fundamental problem in LTL model checking (in other words, every model checking algorithm that verifies the correctness of an LTL formula translates it in some sort of finite-state machine).

We will translate an LTL formula into a Generalized Büchi Automata (GBA).

37 / 69

(64)

LTL Negative Normal Form (NNF)

Every LTL formula ϕ can be written into an equivalent formula ϕ

⁰

using only the operators ∧, ∨, X, U, R on propositional literals.

Done by pushing negations down to literal level:

¬(ϕ

₁

∨ ϕ

₂

) =⇒ (¬ϕ

1

∧ ¬ϕ

₂

)

¬(ϕ

₁

∧ ϕ

₂

) =⇒ (¬ϕ

₁

∨ ¬ϕ

₂

)

¬Xϕ

₁

=⇒ X¬ϕ

₁

¬(ϕ

₁

Uϕ

₂

) =⇒ (¬ϕ

1

R¬ϕ

₂

)

¬(φ

₁

Rφ

₂

) =⇒ (¬φ

₁

U¬φ

₂

)

=⇒ the resulting formula is expressed in terms of ∨, ∧, X , U, R and literals (Negative Normal Form, NNF).

encoding linear if a DAG representation is used

In the construction of A

_ϕ

we now assume that ϕ is in NNF.

For convenience, we still use F’s and G’s as shortcuts:

Fϕ for >Uϕ and Gϕ for ⊥Rϕ

(65)

On-the-fly Construction of A

ϕ

(Intuition)

Apply recursively the following steps:

Step 1: Apply the tableau expansion rules to ϕ

ψ

₁

Uψ

₂

=⇒ ψ

₂

∨ (ψ

₁

∧ X(ψ

₁

Uψ

₂

)) [and Fψ =⇒ ψ ∨ XFψ]

ψ

1

Rψ

₂

=⇒ ψ

2

∧ (ψ

₁

∨ X(ψ

1

Rψ

₂

)) [and Gψ =⇒ ψ ∧ XGψ]

until we get a Boolean combination of elementary subformulas of ϕ (An elementary formula is a proposition or a X-formula.)

39 / 69

(66)

Tableaux Rules: a Quote

“After all... tomorrow is another day."

[Scarlett O’Hara, “Gone with the Wind”]

(67)

On-the-fly Construction of A

ϕ

(Intuition) [cont.]

Step 2: Convert all formulas into Disjunctive Normal Form, and then push the conjunctions inside the next:

ϕ =⇒ _

i

( ^

j

l

_ij

∧ ^

k

Xψ

_ik

) =⇒ _

i

( ^

j

l

_ij

∧ X ^

k

ψ

_ik

).

Each disjunct (

labels

z }| {

^

j

l

_ij

∧

next part

z }| {

X ^

k

ψ

_ik

) represents a state:

the conjunction of literalsV

jl_ij representsa set of labels in Σ (e.g., if Vars(ϕ) = {p, q, r }, p ∧ ¬q represents the two labels {p, ¬q, r } and {p, ¬q, ¬r } )

XV

kψ_ikrepresents thenext partof the state (obbligations for the successors)

N.B., if no next part occurs, X> is implicitly assumed

41 / 69

(68)

On-the-fly Construction of A

ϕ

(Intuition) [cont.]

Step 3: For every state S

_i

represented by ( V

j

l

_ij

∧ X

ϕi

z }| {

^

k

ψ

_ik

) label the incoming edges of S

_i

with V

j

l

_ij

mark that the state S

_i

satisfies ϕ

apply recursively steps 1-2-3 to ϕ

_i ^def

= V

k

ψ

_ik

,

rewrite ϕi intoW

i⁰(V

jl_i⁰0j∧ XV

kψ_i⁰0k) from each disjunct(V

jl_i⁰0j ∧ XV

kψ_i⁰0k)generate a new state Sii⁰ (if not already present) and label it as satisfying ϕ_i ^def=V

kψ_ik

draw an edge from S

_i

to all states S

_ii⁰

which satisfy V

k

ψ

ik

(if no next part occurs, X> is implicitly assumed, so that an edge

to a “true” node is drawn)

(69)

On-the-fly Construction of A

ϕ

(Intuition) [cont.]

ϕ??

43 / 69

(70)

On-the-fly Construction of A

ϕ

(Intuition) [cont.]

W

i(V

jlij∧ XV

kψik)!

(71)

On-the-fly Construction of A

ϕ

(Intuition) [cont.]

(V

jl1j∧ XV

kψ1k)

(V

jl_2j∧ XV

kψ2k)

(V

jlij∧ XV

kψik)

...

W

i(V

jlij∧ XV

kψik)!

43 / 69

(72)

On-the-fly Construction of A

ϕ

(Intuition) [cont.]

V

jl1j [V

kψ1k]

[V

kψ2k] V

jl2j

[V

kψik] V

jlij

(V

jl1j∧ XV

kψ1k)

(V

jl_2j∧ XV

kψ2k)

(V

jlij∧ XV

kψik)

...

W

i(V

jlij∧ XV

kψik)!

(73)

On-the-fly Construction of A

ϕ

(Intuition) [cont.]

...

V

kψik ?

43 / 69

(74)

On-the-fly Construction of A

ϕ

(Intuition) [cont.]

...

W

i(V

jlij∧ XV

kψik)!

V

jl₁⁰0j

V

jl₂⁰0j

V

jl_i⁰0j [V

kψ⁰_ik] [V

kψ⁰_2k] [V

kψ⁰_1k] W

i⁰ (V

jl_i⁰0j∧ XV

kψ⁰_i0k)

....

(75)

On-the-fly Construction of A

ϕ

(Intuition) [cont.]

V

jl1j

V

jl2j

V

jlij

...

W

i(V

jlij∧ XV

kψik)!

V

jl₁⁰0j

V

jl₂⁰0j

V

jl_i⁰0j [V

kψ⁰_ik] [V

kψ⁰_2k] [V

kψ⁰_1k]

....

43 / 69

(76)

On-the-fly Construction of A

ϕ

(Intuition) [cont.]

When the recursive applications of steps 1-3 has terminated and the automata graph has been built, then apply the following:

Step 4: For every ψ

_i

Uϕ

_i

, for every state q

_j

, mark q

_j

with F

_i

iff (ψ

_i

Uϕ

_i

) / ∈ q

_j

or ϕ

_i

∈ q

_j

(If there is no U-subformulas, then mark all states with F

₁

—i.e., FT

^def

= {Q}).

Remark

The fact that we initially converted the formula into NNF guarantees

that only positive U/F-subformulas and negative R-/G-subformulas

are considered here

(77)

Dealing with U-subformulas: Intuition

Tableaux rules: ϕ

1

Uϕ

₂

⇐⇒ (ϕ

₂

∨ (ϕ

₁

∧ Xϕ

1

Uϕ

₂

)) are a property, not a definition of U:

=⇒ they implicitly admit a “weaker” semantics of ϕ

₁

Uϕ

₂

, in which ϕ

₁

Uϕ

₂

always holds and ϕ

₂

never holds

It cannot happen that we get into a state s

⁰

from which we can enter a path π

⁰

in which ϕ

₁

Uϕ

₂

holds forever and ϕ

₂

never holds.

ϕ1Uϕ2 ϕ1Uϕ2

−ϕ2

ϕ1Uϕ2 ϕ1Uϕ2

−ϕ2 . . . .

−ϕ2 −ϕ2

=⇒ every legal path must touch infinitely often a state where

¬(ϕ

₁

Uϕ

₂

) ∨ ϕ

2

) holds

In LTL: GF(¬(ϕ

₁

Uϕ

₂

) ∨ ϕ

₂

) (“avoid bad loop”)

45 / 69

(78)

On-the-fly Construction of A

φ

- State

Henceforth, a state is represented by a tuple s := hλ, χ, σi where:

λis the set of labels

χis the next part, i.e. the set of X -formulas satisfied by s σis the set of the subformulas of φ satisfied by s (necessary for the fairness definition)

Given a set of LTL formulas Ψ

^def

= {ψ

₁

, ..., ψ

_k

}, we define

Cover (Ψ)

^def

= Expand (Ψ, h∅, ∅, ∅i) to be the set of initial states of the Buchi automaton representing V

j

ψ

j

.

Combines steps 1. and 2. of previous slides Expand() defined recursively as follows

(79)

On-the-fly Construction of A

φ

- Expand

Given a set of formulas Φ to expand and a state s, we define the set of states Expand (Φ, s) recursively as follows:

if Φ = ∅, Expand (Φ, s) = {s}

if ⊥ ∈ Φ, Expand (Φ, s) = ∅ if > ∈ Φ and s = hλ, χ, σi,

Expand (Φ, s) = Expand (Φ\{>}, hλ, χ, σ ∪ {>}i) if l ∈ Φ and s = hλ, χ, σi, l propositional literal Expand (Φ, s) = Expand (Φ\{l}, hλ ∪ {l}, χ, σ ∪ {l}i) (add l to the labels of s and to set of satisfied formulas) if Xψ ∈ Φ and s = hλ, χ, σi,

Expand (Φ, s) = Expand (Φ\{X ψ}, hλ, χ ∪ {ψ}, σ ∪ {Xψ}i) (add ψ to the next part of s and Xψ to set of satisfied formulas) if ψ

₁

∧ ψ

₂

∈ Φ and s = hλ, χ, σi,

Expand (Φ, s) =

Expand (Φ ∪ {ψ

₁

, ψ

₂

}\{ψ

₁

∧ ψ

₂

}, hλ, χ, σ ∪ {ψ

₁

∧ ψ

₂

}i) (process both ψ

₁

and ψ

₂

and add ψ

₁

∧ ψ

₂

to σ)

...

47 / 69

(80)

On-the-fly Construction of A

φ

- Expand

if ψ

₁

∨ ψ

₂

∈ Φ and s = hλ, χ, σi,

Expand (Φ, s) =Expand (Φ ∪ {ψ

₁

}\{ψ

₁

∨ ψ

₂

}, hλ, χ, σ ∪ {ψ

₁

∨ ψ

₂

}i)

∪Expand (Φ ∪ {ψ

2

}\{ψ

₁

∨ ψ

₂

}, hλ, χ, σ ∪ {ψ

₁

∨ ψ

₂

}i) (split s in two copies, process ψ

₂

on the first, ψ

₁

on the second, add ψ

₁

∨ ψ

₂

to σ)

if ψ

₁

Uψ

₂

∈ Φ and s = hλ, χ, σi,

Expand (Φ, s) =Expand (Φ ∪ {ψ₁}\{ψ₁Uψ₂}, hλ, χ ∪ {ψ₁Uψ₂}, σ ∪ {ψ₁Uψ₂}i)

∪Expand (Φ ∪ {ψ₂}\{ψ₁Uψ₂}, hλ, χ, σ ∪ {ψ₁Uψ₂}i)

(split s in two copies and process ψ

₁

on the first, ψ

₂

on the second, add ψ

₁

Uψ

₂

to σ)

if ψ

₁

Rψ

₂

∈ Φ and s = hλ, χ, σi,

Expand (Φ, s) =Expand (Φ ∪ {ψ₂}\{ψ₁Rψ₂}, hλ, χ ∪ {ψ₁Rψ₂}, σ ∪ {ψ₁Rψ₂}i)

∪Expand (Φ ∪ {ψ₁, ψ₂}\{ψ₁Rψ₂}, hλ, χ, σ ∪ {ψ₁Rψ₂}i)

(split s in two copies and process ψ

₁

on the first, ψ

₂

on the

second, add ψ

₁

Rψ

₂

to σ)

(81)

On-the-fly Construction of A

φ

- Expand

Two relevant subcases: Fψ

^def

= >Uψ and Gψ

^def

= ⊥Rψ if Fψ ∈ Φ and s = hλ, χ, σi,

Expand (Φ, s) =Expand (Φ\{Fψ}, hλ, χ ∪ {Fψ}, σ ∪ {Fψ}i)

∪Expand (Φ ∪ {ψ}\{Fψ}, hλ, χ, σ ∪ {Fψ}i)

if Gψ ∈ Φ and s = hλ, χ, σi,

Expand (Φ, s) =Expand (Φ ∪ {ψ}\{Gψ}, hλ, χ ∪ {Gψ}, σ ∪ {Gψ}i) Note: Expand (Φ ∪ {⊥, ψ}\{Gψ}, ...) = ∅

49 / 69

(82)

Definition of A

φ

Given a set of LTL formulas Ψ, we define Cover (Ψ)

^def

= Expand (Ψ, h∅, ∅, ∅i).

For an LTL formula φ, we construct a Generalized NBA A

_φ

= (Q, Σ, δ, I, FT ) as follows:

Σ = 3

^vars(φ)

(v ∈ {>, ⊥, ∗}) Q is the smallest set such that

Cover ({φ}) ⊆ Q

ifhλ, χ, σi ∈ Q, thenCover (χ) ∈ Q

Q

₀

= Cover ({φ}).

s

^λ

0

−→ s

⁰

∈ δ iff, s = hλ, χ, σi, s

⁰

= hλ

⁰

, χ

⁰

, σ

⁰

i and s

⁰

∈ Cover (χ) FT = hF

₁

, F

₂

, ..., F

_k

i where, for all (ψ

_i

Uφ

_i

) occurring positively in φ, F

_i

= {hλ, χ, σi ∈ Q | (ψ

_i

Uφ

_i

) / ∈ σ or φ

_i

∈ σ}.

(If there is no U-subformulas, then FT

^def

= {Q}).

(83)

Example: φ = FGp

Cover ({FGp})

= Expand ({FGp}, h∅, ∅, ∅i)

= Expand (∅, h∅, {FGp}, {FGp}i) ∪ Expand ({Gp}, h∅, ∅, {FGp}i)

= {h∅, {FGp}, {FGp}i} ∪ Expand ({p}, h∅, {Gp}, {FGp, Gp}i)

= {h∅, {FGp}, {FGp}i} ∪ Expand (∅, h{p}, {Gp}, {FGp, Gp, p}i)

= {h∅, {FGp}, {FGp}i, h{p}, {Gp}, {FGp, Gp, p}i}

Cover ({Gp}) = Expand ({Gp}, h∅, ∅, ∅i)

= Expand ({p}, h∅, {Gp}, {Gp}i)

= Expand (∅, h{p}, {Gp}, {Gp, p}i)

= {h{p}, {Gp}, {Gp, p}i}

Optimization:

merge h{p}, {Gp}, {FGp, Gp, p}i and h{p}, {Gp}, {Gp, p}i

51 / 69

(84)

Example: φ = FGp

Call s

₁

= h∅, {FGp}, {FGp}i, s

₂

= h{p}, {Gp}, {FGp, Gp, p}i Q = {s

₁

, s

₂

}

Q

₀

= {s

₁

, s

₂

}.

T : s

₁

→ {s

1

, s

₂

}, s

₂

→ {s

₂

}

FT = hF

₁

i where F

₁

= {s

₂

}.

[ XGp ]

p

[ XFGp ]

p

(85)

Example: φ = pUq

Cover ({pUq})

= Expand ({pUq}, h∅, ∅, ∅i)

= Expand ({p}, h∅, {pUq}, {pUq}i) ∪ Expand ({q}, h∅, ∅, {pUq}i)

= Expand (∅, h{p}, {pUq}, {pUq, p}i) ∪ Expand (∅, h{q}, ∅, {pUq, q}i)

= {h{p}, {pUq}, {pUq, p}i} ∪ {h{q}, {>}, {pUq, q}i}

Cover ({>}) = {h∅, {>}, {>}i}

53 / 69

(86)

Example: φ = pUq

Let s

₁

=

_def

h{p}, {pUq}, {pUq, p}i, s

₂

=

_def

h{q}, {>}, {pUq, q}i, s

₃

=

_def

h∅, {>}, {>}i.

Q = {s

₁

, s

₂

, s

₃

}, Q

₀

= {s

₁

, s

₂

},

T : s

₁

→ {s

₁

, s

₂

}, s

₂

→ {s

₃

} s

₃

→ {s

3

}

FT = hF

₁

i where F

₁

= {s

₂

, s

₃

}.

[ XT ]

q

q p

p

(87)

Example: φ = GFp

Cover ({GFp})

= E ({GFp}, h∅, ∅, ∅i)

= E ({Fp}, h∅, {GFp}, {GFp}i)

= E ({}, h∅, {GFp, Fp}, {GFp, Fp}i) ∪ E ({p}, h{}, {GFp}, {GFp, Fp}i)

= E ({}, h∅, {GFp, Fp}, {GFp, Fp}i) ∪ E ({}, h{p}, {GFp}, {GFp, Fp, p}i)

= {h∅, {GFp, Fp}, {GFp, Fp}i} ∪ {h{p}, {GFp}, {GFp, Fp, p}i}

Note: GFp ∧ Fp ⇐⇒ GFp, s.t. Cover (GFp ∧ Fp) = Cover (GFp)

55 / 69

(88)

Example: GFp

Let s

₁

=

_def

h{p}, {GFp}, {GFp, Fp, p}i, s

₂

=

_def

h∅, {GFp, Fp}, {GFp, Fp}i, Q = {s

₁

, s

₂

},

Q

₀

= {s

₁

, s

₂

}, T : s

₁

→ {s

₁

, s

₂

},

s

₂

→ {s

1

, s

₂

}

FT = hF

₁

i where F

₁

= {s

₁

}.

[ XGFp ] [ XGFp ]

p

(89)

NBAs of disjunctions of formulas

Remark

If ϕ

^def

= (ϕ

₁

∨ ϕ

₂

) and A

_ϕ₁

, A

_ϕ₂

are NBAs encoding ϕ

₁

and ϕ

₂

resp., then L(ϕ) = L(ϕ

₁

) ∪ L(ϕ

₂

), so that A

_ϕ ^def

= A

_ϕ₁

∪ A

_ϕ₂

is an NBA encoding ϕ

A

_ϕ

non necessarily the smallest/best NBA encoding ϕ Example

Let ϕ

^def

= (GFp → GFq), i.e., ϕ ≡ (FG¬p ∨ GFq).

Then A

_FG¬p

∪ A

_GFq

encodes ϕ:

¬p

¬p q

q q

¬p

57 / 69

(90)

Suggested Exercises:

Find an NBA encoding:

p

(p ∧ q) ∨ (¬p ∧ ¬q) Fp

Gp pRq

(GFp ∧ GFq) → Gr

(91)

Outline

1

Büchi Automata

2

The Automata-Theoretic Approach to LTL Reasoning General Ideas

Language-Emptiness Checking of Büchi Automata From Kripke Models to Büchi Automata

From LTL Formulas to Büchi Automata Complexity

3

Exercises

59 / 69

(92)

Automata-Theoretic LTL Model Checking: Complexity

Four steps:

(i) Compute A

_M

:

|A

_M

| = O(|M|) (ii) Compute A

ϕ

:

|A

_ϕ

| = O(2

^|ϕ|

)

(iii) Compute the product A

_M

× A

ϕ

:

|A

_M

× A

_ϕ

| = |A

_M

| · |A

_ϕ

| = O(|M| · 2

^|ϕ|

) (iv) Check the emptiness of L(A

_M

× A

ϕ

):

O(|A

_M

× A

_ϕ

|) = O(|M| · 2

^|ϕ|

)

=⇒ The complexity of LTL M.C. grows linearly wrt. the size of the

model M and exponentially wrt. the size of the property ϕ

(93)

Final Remarks

Büchi automata are in general more expressive than LTL!

=⇒ some tools (e.g., Spin) allow specifications to be expressed directly as NBAs

=⇒ complementation of NBA important!

For every LTL formula, there are many possible equivalent NBAs

=⇒ lots of research for finding “the best” conversion algorithm Performing the product and checking emptiness very relevant

=⇒ lots of techniques developed (e.g., partial order reduction)

=⇒ lots on ongoing research

61 / 69