Automata-based Verification - III

Size: px

Start display at page:

Download "Automata-based Verification - III"

Dorcas Moody
6 years ago
Views:

1 COMP30172: Advanced Algorithms Automata-based Verification - III Howard Barringer Room KB2.20: howard.barringer@manchester.ac.uk March 2009

2 Third Topic Infinite Word Automata Motivation Büchi Automata BA Operations Infinite Word Model Checking Where next

3 Outline Infinite Word Automata Motivation Büchi Automata BA Operations Infinite Word Model Checking Where next

4 Motivation We defined a Kripke structure as representing infinite runs of a given concurrent program Temporal logic formulas may also relate to infinite sequences We must extend the finite word model checking to handle infinite words We use infinite word automata, usually a generalised form of Büchi automaton

5 Outline Infinite Word Automata Motivation Büchi Automata BA Operations Infinite Word Model Checking Where next

6 About Infinite Word Automata An infinite word automaton has similar structure to a finite word automaton There is still a finite set of states A different method is required to determine acceptable (infinite) runs Hence, we change the notion of final state set to be a set of accepting states

7 More formally... A Büchi automaton is a structure BA = (S, Σ, T, S 0, A) where S is a set of states Σ is an alphabet T is a labelled transition relation, (S Σ S) S 0 is a distinguished set of initial states, S A is a distinguished set of accepting states, S

8 The language of a Büchi Automaton A infinite word w over an alphabet Σ is a infinite sequence of symbols of Σ, i.e. w Σ ω.

9 The language of a Büchi Automaton A infinite word w over an alphabet Σ is a infinite sequence of symbols of Σ, i.e. w Σ ω. A run r of a Büchi automaton BA = (S, Σ, T, S 0, A) on infinite word w is a sequence of states r = s 0 s 1 s 2... such that (s i, w i, s i+1 ) T for all i N}.

10 The language of a Büchi Automaton A infinite word w over an alphabet Σ is a infinite sequence of symbols of Σ, i.e. w Σ ω. A run r of a Büchi automaton BA = (S, Σ, T, S 0, A) on infinite word w is a sequence of states r = s 0 s 1 s 2... such that (s i, w i, s i+1 ) T for all i N}. Let inf (r) denote the subset of states S that occur infinitely in r.

11 The language of a Büchi Automaton A infinite word w over an alphabet Σ is a infinite sequence of symbols of Σ, i.e. w Σ ω. A run r of a Büchi automaton BA = (S, Σ, T, S 0, A) on infinite word w is a sequence of states r = s 0 s 1 s 2... such that (s i, w i, s i+1 ) T for all i N}. Let inf (r) denote the subset of states S that occur infinitely in r. An infinite word w is accepted by a Büchi automaton BA if there is a run r on w and s 0 S 0 and inf (r) A {}.

12 The language of a Büchi Automaton A infinite word w over an alphabet Σ is a infinite sequence of symbols of Σ, i.e. w Σ ω. A run r of a Büchi automaton BA = (S, Σ, T, S 0, A) on infinite word w is a sequence of states r = s 0 s 1 s 2... such that (s i, w i, s i+1 ) T for all i N}. Let inf (r) denote the subset of states S that occur infinitely in r. An infinite word w is accepted by a Büchi automaton BA if there is a run r on w and s 0 S 0 and inf (r) A {}. The language L of an Büchi automaton BA = (S, Σ, T, S 0, A) is the subset of infinite words w over Σ accepted by BA.

13 Examples Consider the Büchi automaton over alphabet Σ = {p, q}, with S = {s 0, s 1 }, S 0 = {s 0 } and A = {s 1 }.

14 Examples Consider the Büchi automaton over alphabet Σ = {p, q}, with S = {s 0, s 1 }, S 0 = {s 0 } and A = {s 1 }. Give some examples of (infinite) words that it accepts.

15 Examples Consider the Büchi automaton over alphabet Σ = {p, q}, with S = {s 0, s 1 }, S 0 = {s 0 } and A = {s 1 }. Give some examples of (infinite) words that it accepts. Give some examples of words that it does not accept.

16 More examples Assume Σ is 2 AP, i.e. elements of Σ are subsets of propositions. The set of transitions is: (s 0, {}, s 0), (s 0, {in 1}, s 0), (s 0, {in 2}, s 0), (s 0, {in 1, in 2}, s 1), (s 1, {}, s 1), (s 1, {in 1}, s 1), (s 1, {in 2}, s 1), (s 1, {in 1, in 2}, s 1) More conveniently, we can use propositional formulas as labels: (s 0, (in 1 in 2), s 0), (s 0, in 1 in 2, s 1), (s 1, true, s 1) This BA represents precisely the set of (infinite) paths for: Always (in 1 in 2 )

17 A Liveness Property Consider a Büchi automaton corresponding to the linear temporal logic formula Always Sometime p over the proposition alphabet AP = {p, q} Draw a suitable automaton structure.

18 Outline Infinite Word Automata Motivation Büchi Automata BA Operations Infinite Word Model Checking Where next

19 Set-theoretic operations on BA Büchi automata define the class of ω-regular languages, e.g. those representable as ω-regular expressions αβ ω where α and β denote regular expressions. Büchi automata are closed under intersection and complement. In particular, given languages L M say representing the execution paths of a program or model, and L S representing the allowable, i.e. specified, paths, we will want to determine whether L M L S, i.e. whether L M L S = {}

20 Set-theoretic operations on BA Büchi automata define the class of ω-regular languages, e.g. those representable as ω-regular expressions αβ ω where α and β denote regular expressions. Büchi automata are closed under intersection and complement. In particular, given languages L M say representing the execution paths of a program or model, and L S representing the allowable, i.e. specified, paths, we will want to determine whether L M L S, i.e. whether L M L S = {} What are the corresponding operations on Büchi automata?

21 Checking for emptiness A Büchi automaton BA = (S, Σ, T, S 0, A) accepts the empty language if there is no word w Σ ω accepted by BA. Must determine that there is NO infinite path from an initial state that visits an accepting state infinitely?

22 About Infinite Paths in Graphs An infinite path through a graph will eventually be trapped in a strongly connected component of the graph.

23 About Infinite Paths in Graphs An infinite path through a graph will eventually be trapped in a strongly connected component of the graph. There is one terminal strongly connected component.

24 About Infinite Paths in Graphs An infinite path through a graph will eventually be trapped in a strongly connected component of the graph. There is one terminal strongly connected component. There are two maximal strongly connected components.

25 The emptiness check on Büchi automata Given a Büchi automaton BA = (S, Σ, T, S 0, A), compute its set of reachable strongly connected components, SCCs. For each strongly connected component C of SCCs, check if the intersection of the states of C with A is empty. If there is no strong component containing an accepting state, the Büchi is empty. The reachable SCCs can be computed in time of order S + T using Tarjan s Depth First Search algorithm (see DER notes).

26 Or tailor a double DFS search Use two depth first searches. When an accepting state is reached and its successors visited, start a new dfs search from the accepting state to determine whether it is in a cycle, i.e. it is reachable from itself.

27 Or tailor a double DFS search Use two depth first searches. When an accepting state is reached and its successors visited, start a new dfs search from the accepting state to determine whether it is in a cycle, i.e. it is reachable from itself.

28 Or tailor a double DFS search Use two depth first searches. When an accepting state is reached and its successors visited, start a new dfs search from the accepting state to determine whether it is in a cycle, i.e. it is reachable from itself.

29 Or tailor a double DFS search Use two depth first searches. When an accepting state is reached and its successors visited, start a new dfs search from the accepting state to determine whether it is in a cycle, i.e. it is reachable from itself.

30 Or tailor a double DFS search Use two depth first searches. When an accepting state is reached and its successors visited, start a new dfs search from the accepting state to determine whether it is in a cycle, i.e. it is reachable from itself.

31 Or tailor a double DFS search Use two depth first searches. When an accepting state is reached and its successors visited, start a new dfs search from the accepting state to determine whether it is in a cycle, i.e. it is reachable from itself.

32 Or tailor a double DFS search Use two depth first searches. When an accepting state is reached and its successors visited, start a new dfs search from the accepting state to determine whether it is in a cycle, i.e. it is reachable from itself.

33 Or tailor a double DFS search Use two depth first searches. When an accepting state is reached and its successors visited, start a new dfs search from the accepting state to determine whether it is in a cycle, i.e. it is reachable from itself.

34 Or tailor a double DFS search Use two depth first searches. When an accepting state is reached and its successors visited, start a new dfs search from the accepting state to determine whether it is in a cycle, i.e. it is reachable from itself.

35 Or tailor a double DFS search Use two depth first searches. When an accepting state is reached and its successors visited, start a new dfs search from the accepting state to determine whether it is in a cycle, i.e. it is reachable from itself.

36 Or tailor a double DFS search Use two depth first searches. When an accepting state is reached and its successors visited, start a new dfs search from the accepting state to determine whether it is in a cycle, i.e. it is reachable from itself.

37 Or tailor a double DFS search Use two depth first searches. When an accepting state is reached and its successors visited, start a new dfs search from the accepting state to determine whether it is in a cycle, i.e. it is reachable from itself.

38 Or tailor a double DFS search Use two depth first searches. When an accepting state is reached and its successors visited, start a new dfs search from the accepting state to determine whether it is in a cycle, i.e. it is reachable from itself.

39 Or tailor a double DFS search Use two depth first searches. When an accepting state is reached and its successors visited, start a new dfs search from the accepting state to determine whether it is in a cycle, i.e. it is reachable from itself.

40 Or tailor a double DFS search Use two depth first searches. When an accepting state is reached and its successors visited, start a new dfs search from the accepting state to determine whether it is in a cycle, i.e. it is reachable from itself.

41 Double Depth First Search outline void isempty() { forall initial states s { firstdfs(s) } terminate with false; } void firstdfs(state s) { add s to visited store and mark on 1st search; forall successors s of s if (s not visited) firstdfs(s ); if (s is an accepting state) seconddfs(s); mark s as not on 1st search; } void seconddfs(state s) { mark s as visited on 2nd search; forall successors s of s if (s on stack of 1st search) terminate with true; else if (s not on path of 2nd search) seconddfs(s ); remove 2nd search mark for s; }

42 Building a Product of Büchi automata Given BA 1 = (S 1, Σ, T 1, S 01, A 1 ) and BA 2 = (S 2, Σ, T 2, S 02, A 2 ) How do we construct BA 3 such that L(BA 3 ) = L(BA 1 ) L(BA 2 )? Build a product automaton BA 3 where: S 3 = S 1 S 2 {0, 1, 2} Σ 3 = Σ T 3 = {((s 1, s 2, x), α, (t 1, t 2, y)) (s 1, α, t 1 ) T 1 and (s 2, α, t 2 ) T 2 and condition} S 03 = S 01 S 02 {0} A 3 = S 1 S 2 {2} where condition is if t 1 A 1 x == 0 then y == 1 if t 2 A 2 x == 1 then y == 2 if x = 2 then y == 0 otherwise x == y

43 Product some explanation The product definition is more complex than before because of the different acceptance condition. The product of the two acceptance sets is no longer sufficient the individual component acceptance states may be visited at different time. The state markers, 0, 1, and 2, keep track of the individual component acceptance. 1. marker 0 indicates that no accepting state has been visited 2. marker 1 means that an accepting state of the first component has been visited 3. marker 2 means that accepting states from both components have been visited

44 Product Example Consider the product of the two Büchi automata below. The first defines (p q) ω, the second is (p q) ω. There are 6 possible states in the product BA: (s, t 0, 0) (s, t 0, 1) (s, t 0, 2) (s, t 1, 0) (s, t 1, 1) (s, t 1, 2) The initial state set is {(s, t 0, 0)} The acceptance state set is {(s, t 0, 2), (s, t 1, 2)} The transitions...

45 And the composition is...

46 Complementation of Büchi Automata Büchi automata are closed under complementation

47 Complementation of Büchi Automata Büchi automata are closed under complementation The complement construction is difficult and of high complexity

48 Complementation of Büchi Automata Büchi automata are closed under complementation The complement construction is difficult and of high complexity Most well-known solution is Safra s construction but this is beyond what we can consider here

49 Complementation of Büchi Automata Büchi automata are closed under complementation The complement construction is difficult and of high complexity Most well-known solution is Safra s construction but this is beyond what we can consider here And it is far far better to avoid it, how?

50 Complementation of Büchi Automata Büchi automata are closed under complementation The complement construction is difficult and of high complexity Most well-known solution is Safra s construction but this is beyond what we can consider here And it is far far better to avoid it, how? As we most often build a Büchi automaton from a temporal formula, we can complement the formula very easily before constructing the automaton.

51 Outline Infinite Word Automata Motivation Büchi Automata BA Operations Infinite Word Model Checking Where next

52 From Kripke Structures to BA To apply the above automata methods to model checking, must construct a BA corresponding to a Kripke structure K such that: {w σ paths(k). i {0.. σ 1}.I (σ i ) = w i } = L(FA)

53 From Kripke Structures to BA To apply the above automata methods to model checking, must construct a BA corresponding to a Kripke structure K such that: {w σ paths(k). i {0.. σ 1}.I (σ i ) = w i } = L(FA) The alphabet Σ is taken as 2 AP where AP are the atomic propositions of the Kripke structure.

54 From Kripke Structures to BA To apply the above automata methods to model checking, must construct a BA corresponding to a Kripke structure K such that: {w σ paths(k). i {0.. σ 1}.I (σ i ) = w i } = L(FA) The alphabet Σ is taken as 2 AP where AP are the atomic propositions of the Kripke structure. The state-transition structure of the automaton is obtained by prefixing that of the Kripke structure with a new (single) initial state, which is connected to all previous initial states.

55 From Kripke Structures to BA To apply the above automata methods to model checking, must construct a BA corresponding to a Kripke structure K such that: {w σ paths(k). i {0.. σ 1}.I (σ i ) = w i } = L(FA) The alphabet Σ is taken as 2 AP where AP are the atomic propositions of the Kripke structure. The state-transition structure of the automaton is obtained by prefixing that of the Kripke structure with a new (single) initial state, which is connected to all previous initial states. The labelling of each state s is then attached to each of s s incoming transitions.

56 From Kripke Structures to BA To apply the above automata methods to model checking, must construct a BA corresponding to a Kripke structure K such that: {w σ paths(k). i {0.. σ 1}.I (σ i ) = w i } = L(FA) The alphabet Σ is taken as 2 AP where AP are the atomic propositions of the Kripke structure. The state-transition structure of the automaton is obtained by prefixing that of the Kripke structure with a new (single) initial state, which is connected to all previous initial states. The labelling of each state s is then attached to each of s s incoming transitions. We make all states of the automaton accepting ones.

57 As an example... For example:

58 Model Checking linear temporal logic properties And now you have the ingredients to model check (linear) temporal logic properties of concurrent programs! 1. build a Kripke structure corresponding to the concurrent program

59 Model Checking linear temporal logic properties And now you have the ingredients to model check (linear) temporal logic properties of concurrent programs! 1. build a Kripke structure corresponding to the concurrent program 2. and convert to an infinite word automaton the program automaton

60 Model Checking linear temporal logic properties And now you have the ingredients to model check (linear) temporal logic properties of concurrent programs! 1. build a Kripke structure corresponding to the concurrent program 2. and convert to an infinite word automaton the program automaton 3. construct a Büchi automaton corresponding to the negation of the desired property

61 Model Checking linear temporal logic properties And now you have the ingredients to model check (linear) temporal logic properties of concurrent programs! 1. build a Kripke structure corresponding to the concurrent program 2. and convert to an infinite word automaton the program automaton 3. construct a Büchi automaton corresponding to the negation of the desired property 4. build the product of the program automaton with the complemented property automaton

62 Model Checking linear temporal logic properties And now you have the ingredients to model check (linear) temporal logic properties of concurrent programs! 1. build a Kripke structure corresponding to the concurrent program 2. and convert to an infinite word automaton the program automaton 3. construct a Büchi automaton corresponding to the negation of the desired property 4. build the product of the program automaton with the complemented property automaton 5. if the product is empty, property holds for all program behaviours

63 Model Checking linear temporal logic properties And now you have the ingredients to model check (linear) temporal logic properties of concurrent programs! 1. build a Kripke structure corresponding to the concurrent program 2. and convert to an infinite word automaton the program automaton 3. construct a Büchi automaton corresponding to the negation of the desired property 4. build the product of the program automaton with the complemented property automaton 5. if the product is empty, property holds for all program behaviours 6. if the product is non-empty, it provides a counterexample

64 Outline Infinite Word Automata Motivation Büchi Automata BA Operations Infinite Word Model Checking Where next

65 Summary... We have given a little insight into a SERIOUS application of graph algorithms Model checking technology has truly proved itself over the past 15 years Major advances on the basic automata-theoretic approaches have been made These include: extension to tree-automata for branching time logics development of symbolic encodings, e.g. Ordered Binary Decision Diagrams, to represent transition systems and automata various attacks to attack the combinatorial state space explosion

Automata-based Verification - III

CS3172: Advanced Algorithms Automata-based Verification - III Howard Barringer Room KB2.20/22: email: howard.barringer@manchester.ac.uk March 2005 Third Topic Infinite Word Automata Motivation Büchi Automata