1 / 36

Model Checking Lecture 3

Model Checking Lecture 3. Specification Automata. Syntax, given a set A of atomic observations:. S finite set of states S 0  S set of initial states  S  S transition relation : S  PL(A) where the formulas of PL are  ::= a |    |   for a  A.

sonyaj
Download Presentation

Model Checking Lecture 3

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Model Checking Lecture 3

  2. Specification Automata Syntax, given a set A of atomic observations: • S finite set of states • S0 S set of initial states •  S  S transition relation • : S  PL(A) where the formulas of PL are  ::= a |    |   for a  A

  3. Specification Omega Automata Syntax as for finite automata, in addition the following acceptance condition: Buchi: BA  S

  4. Language L(M) of specification omega-automaton M = (S, S0, , , BA ) : infinite trace t0, t1, ...  L(M) iff there exists an infinite run s0  s1  ... of M such that 1. s0  s1  ... satisfies BA 2. for all i  0, ti |= (si)

  5. Let Inf(s) = { p | p = si for infinitely many i }. The infinite run s satisfies the acceptance condition BA iff Inf(s)  BA  

  6. Linear semantics of specification omega automata: omega-language containment (K,q) |=L M iff L(K,q)  L(M) infinite traces

  7. Response specification automaton :  (a  b) assuming (a  b) = false s1 a b s2 s0 b a s3 Buchi condition { s0, s3 }

  8. Response monitor automaton :  (a  b) assuming (a  b) = false true a b s0 s1 s2 Buchi condition { s2 }

  9. Outline • 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness • 2 Graph algorithms for model checking • Symbolic algorithms for model checking • Pushdown systems

  10. Model-Checking Algorithms = Graph Algorithms

  11. Safety: • -solve: finite monitors ( emptiness) • -algorithm: reachability (linear) • Liveness: • -solve: Buchi monitors ( emptiness) • -algorithm: strongly connected components (linear) We will talk about STL and CTL model checking later.

  12. From specification automata to monitor automata: determinization (exponential) + complementation (easy) From LTL to monitor automata: complementation (easy) + tableau construction (exponential)

  13. Algorithms • Reachability • Strongly connected components • Tableau construction

  14. Finite Emptiness Given: finite automaton (S, S0, , , FA) Find: is there a path from a state in S0 to a state in FA ?

  15. Fix a set A of atomic observations

  16. State-transition graph K • Q set of states •  Q  Q transition relation [ ]: Q  2A observation function

  17. Monitor automaton M • S finite set of states • S0 S set of initial states •  S  S transition relation E  S set of final states • : S  PL(A) where the formulas of PL are  ::= a |    |   for a  A

  18. languages over finite traces (K,q) |=C M iff L(K,q)  L(M) =  We construct another monitor automaton M’ such that L(M’) =L(K,q)  L(M) S’ = {(q,s)  Q  S | [q] |= (s)} finite set of states ({q}  S0)  S’ set of initial states (q,s)  (q’,s’) transition relation iff q  q’ and s  s’ (Q  E) S’ set of final states ’: S’  PL(A) labeling function ’(q,s) = conjunction of atomic observations in [q] and negated atomic observations not in [q]

  19. Finite Emptiness Given: monitor automaton (S, S0, , , E) Find: is there a path from a state in S0 to a state in E ? Solution: depth-first or breadth-first search

  20. dfs(s) { if (s  E) then report error add s to dfsTable for each successor t of s if (t  dfsTable) then dfs(t) }

  21. Buchi Emptiness Given: Buchi automaton (S, S0, , , BA) Find: is there an infinite path from a state in S0 that visits some state in BA infinitely often ?

  22. Monitor Buchi automaton M • S finite set of states • S0 S set of initial states •  S  S transition relation BA  S acceptance condition • : S  PL(A) where the formulas of PL are  ::= a |    |   for a  A

  23. languages over infinite traces (K,q) |=C M iff L(K,q)  L(M) =  We construct another monitor Buchi automaton M’ such that L(M’) =L(K,q)  L(M) S’ = {(q,s)  Q  S | [q] |= (s)} finite set of states ({q}  S0)  S’ set of initial states (q,s)  (q’,s’) transition relation iff q  q’ and s  s’ (Q  BA) S’ acceptance condition ’: S’  PL(A) labeling function ’(q,s) = conjunction of atomic observations in [q] and negated atomic observations not in [q]

  24. Buchi Emptiness Given: Buchi automaton (S, S0, , , BA) Find: is there an infinite path from a state in S0 that visits some state in BA infinitely often ? Solution: 1. Compute SCC graph by depth-first search 2. Mark SCC C as fair iff C  BA   3. Check if some fair SCC is reachable from S0

  25. Complexity n number of states m number of transitions Reachability: O(n+m) SCC: O(n+m)

  26. Buchi emptiness • Two algorithms for SCC computation • forward and backward DFS • forward HI-LO algorithm • Storing SCCs requires lot of memory • Nested DFS • checks Buchi emptiness without explicitly computing SCCs

  27. dfs(s) { add s to dfsTable for each successor t of s if (t  dfsTable) then dfs(t) if (s  BA) then { seed := s; ndfs(s) } } ndfs(s) { add s to ndfsTable for each successor t of s if (t  ndfsTable) then ndfs(t) else if (t = seed) then report error }

  28. Multi-Buchi Emptiness Given: Multi-Buchi automaton (S, S0, , , BA1, …, BAn) Find: is there an infinite path from a state in S0 that infinitely often visits some state in BAi for all i such that 1  i  n ? Solution: 1. Compute SCC graph by depth-first search 2. Mark SCC C as fair iff C  BAi   for all i such that 1  i  n. 3. Check if some fair SCC is reachable from S0

  29. Tableau Construction Given: LTL formula  Find: Multi-Buchi automaton M such that L(M) = L() monitors subformulas of  [Fischer & Ladner 1975; Manna & Wolper 1982]

  30. Negation normal form (  ) =    (  ) =    () = () ( U ) = ( W   ) ( W ) = ( U   ) ,  ::= a | a |    |    |  |  U  |  W 

  31. Fischer-Ladner Closure of a Formula Sub (a) = { a, a } Sub (a) = { a, a } Sub () = {  }  Sub ()  Sub () Sub () = {  }  Sub ()  Sub () Sub () = {  }  Sub () Sub (U) = { U, (U) }  Sub ()  Sub () Sub (W) = { W, (W) }  Sub ()  Sub () | Sub () | = O(||)

  32. s  Sub () is consistent iff -for all atomic propositions a (a)  s iff a  s -if ()  Sub () then ()  s iff   s and   s -if ()  Sub () then ()  s iff either   s or   s -if (U)  Sub () then (U)  s iff either   s or   s and (U)  s -if (W)  Sub () then (W)  s iff either   s or   s and (W)  s

  33. Fischer-Ladner Closure of a Formula … … Sub () = {,  }  Sub () Sub () = {,  }  Sub ()

  34. s  Sub () is consistent iff … -if ()  Sub () then ()  s iff either   s or   s -if ()  Sub () then ()  s iff   s and   s

  35. Tableau M = (S, S0, , , BA1,…,BAn) S ... set of consistent subsets of Sub () s  S0 iff   s s  t iff for all ()  Sub (), if ()  s then   t (s) ... conjunction of atomic observations in s and negated atomic observations not in s There is an acceptance condition - for each (U)  Sub () given by { s |   s or (U)  s } - for each ()  Sub () given by { s |   s or ()  s }

  36. Size of M is O(2||). LTL model checking: PSPACE-complete

More Related