Formal Methods

1. Formal Methods

2. Verification as a Game • Two Players: • Environment - chooses inputs in an attempt to violate specification • System - chooses outputs in an attempt to satisfy specification Design construction:

3. Parity Automata NBA: (Σ, S, I⊆S, T⊆S ×Σ×S, F⊆S) Accepting run on a word σ0σ1 ...∈Σω: =q0 q1 ...∈Sω, s.t.: q0∈I, (qi,σi,qi+1)∈T,inf()F NPA (non deterministic parity automaton) (Σ, S, I⊆S, T⊆S ×Σ×S, c:V→N - coloring function ) Accepting run on a word σ0σ1 ...∈Σω: =q0q1...∈Sω, s.t.: q0∈I, (qi,σi,qi+1)∈T,Even(max{c(q) | q∈inf()}) DBA/DPA (Deterministic Buchi/Parity automaton) - |I |=1 - |{q’S | (q, , q’)T}| ≤1, qS,  Σ

4. LTL to DPA • NBA to DPA • For every NBA there exists an equivalent DPA • The number of states in the DPA is exponential in the number • of states of the NBA. • For every LTL formula  there exists a DPA As.t. L(A)=models() • The number of states in Ais doubly-exponential in the length of . Example: Finitely many ‘rqst’ imply finitely many ‘ack’ LTL: rqst  Ack

5. Infinite Game • A gamegraph is a tuple G = (V0, V1, E, c) where • V0, V1 sets of nodes (positions), • E  (V0×V1 )(V1×V0 ), a set of edges s.t. for every vV=V0+V1 • vE := {wV |(v,w)E} is finite and nonempty.

6. Match & Strategy Match - v0 v1 · · · V, such that i. (vi,vi+1)E. Strategy for player p{0,1} is a function fp : V*Vp  V, such that (vn-1, fp(v0 v1 ··· vn-1 ))E for all prefixes v0v1·· · vn-1 with vn-1Vp. A match =v0v1v2··· conforms to a strategy fp if i. viVp fp(v0 ··· vi )=vi+1 Winning strategy for player p for a match starting at v0 is a strategy fp for player p for a match starting at v0, such that player p wins every match =v0v1v2···, where vj=fp(v0···vj-1) for every vjV1-i. (This means player i wins all matches starting at v0 if he plays according to his winning strategy.)

7. Safety/Reachability Game A pair(G,S) where G is a game graph and SV. Player 0 wins a match v0 v1 · · · if i. viS; o.w. player 1 wins. Example: never ‘Nack’ Example: An ‘Ack’ only in response to ‘Rqst’

8. Buchi Game A pair(G,S) where G is a game graph and SV. Player 0 wins a match  if inf()S; o.w. player 1 wins. Example: Infinitely many ‘Ack’

9. Parity Game A pair(G,c) where G is a game graph and c:VN. Player 0 wins a match  if max{c(v) | vinf()} is even; o.w. player 1 wins. Example: Finitely many ‘rqst’ imply finitely many ‘Ack’

10. Determinacy • A strategy fp is v-winning for player p and position v if all matches • that conform to fp and that start in v are won by player p. • The winning region for player p is the set of positions • Wp = {v∈V | there is a strategy fp s.t. fp is v-winning}. • A game is determined if V = W0∪W1. • A memory-less strategy for player p is a function fp : Vp→V • Which defines a strategy f’p(uv)= fp(v). • A game is memory-less-determined if for every position some • player wins the game with memory-less strategy. Theorem: safety/reachability, Buchi, and parity games are memory-less determined. Proof: by fixpoint construction (separately for each type). Thus W0, W1 are explicitly constructed and form a solution for the game.

11. Game Solution to a Design • Mealy machine A = (, , S, i ,T, ) •  : input alphabet •  : output alphabet • S: finite set of states • iS: initial state • T : S S: transition function •  : S : output function • The winning strategy can be represented as a Mealy machine.

12. Example An ‘Ack’ only in response to ‘Rqst’