Lecture 2 Automata Theory

Size: px

Start display at page:

Download "Lecture 2 Automata Theory"

Emmeline Anabel Foster
5 years ago
Views:

1 Lecture 2 Automata Theory Ufuk Topcu Nok Wongpiromsarn Richard M. Murray Outline: Transition systems Linear-time properties Regular propereties EECI, 14 May 2012

2 This short-course is on this picture applied to a particular class of systems/problems. requirements (on the system behavior) assumptions (on the unknowns, e.g., environment behavior) complete system or some of its components verification synthesis satisfied (+certificate) violated (+counterexample) controller that render the system to satisfy the spec s no such controller exists 2

3 This short-course is on this picture applied to a particular class of systems/problems. requirements (on the system behavior) assumptions (on the unknowns, e.g., environment behavior) complete system or some of its components formal specifications system model verification synthesis satisfied (+certificate) violated (+counterexample) controller that render the system to satisfy the spec s no such controller exists 2

4 This short-course is on this picture applied to a particular class of systems/problems. requirements (on the system behavior) assumptions (on the unknowns, e.g., environment behavior) complete system or some of its components formal specifications system model This lecture is an intro to these. verification synthesis satisfied (+certificate) violated (+counterexample) controller that render the system to satisfy the spec s no such controller exists 2

5 Finite transition system A finite transition system is a mathematical description of the behavior of systems, plants, controllers or environments with finite (discrete) inputs, outputs, and internal states and transitions between the states. 3

6 Finite transition system A finite transition system is a mathematical description of the behavior of systems, plants, controllers or environments with finite (discrete) inputs, outputs, and internal states and transitions between the states. front pad rear pad door q 0 q 1 {door is open} {door is not open} 3

7 Finite transition system A finite transition system is a mathematical description of the behavior of systems, plants, controllers or environments with finite (discrete) inputs, outputs, and internal states and transitions between the states. front pad rear pad door front q 0 q 1 {door is open} {door is not open} 3

8 Finite transition system A finite transition system is a mathematical description of the behavior of systems, plants, controllers or environments with finite (discrete) inputs, outputs, and internal states and transitions between the states. front pad rear pad door front q 0 q 1 {door is open} {door is not open} neither 3

outputs, and internal states and transitions between the states.

9 Finite transition system A finite transition system is a mathematical description of the behavior of systems, plants, controllers or environments with finite (discrete) inputs, outputs, and internal states and transitions between the states. front pad rear pad door rear, both, neither front front, rear, both q 0 q 1 {door is open} {door is not open} neither 3

P = passing, no reversing. PR = passing, reversing allowed.

10 Finite transition system Example: Traffic logic planner in Alice. Partial nomenclature: DR = drive. STO = stop. NP = no passing, no reversing. P = passing, no reversing. PR = passing, reversing allowed. S = safe clearance with obstacle. A = aggressive clearance with obstacle. B = no clearance with obstacle. 4

11 Finite transition system Example: Traffic lights. q 1 s 1 traffic light 2 q 2 {g 1 } traffic light 1 c 2 s 2 {g 2 } traffic light 2 traffic light 1 c 1 e 1 γ 2 γ 1 γ 2 γ1 c 3 e 2 environment controller 5

12 Preliminaries A proposition is a statement that can be either true or false, but not both. Examples: Traffic light is green is a proposition. The front pad is occupied is a proposition. Is the front pad? is not a proposition. 6

13 Preliminaries A proposition is a statement that can be either true or false, but not both. Examples: Traffic light is green is a proposition. The front pad is occupied is a proposition. Is the front pad? is not a proposition. An atomic proposition is one whose truth or falsity does not depend on the truth or falsity of any other proposition. Examples: All propositions above are atomic propositions. If traffic light is green, the car can drive is not an atomic proposition. 6

14 Preliminaries A proposition is a statement that can be either true or false, but not both. Examples: Traffic light is green is a proposition. The front pad is occupied is a proposition. Is the front pad? is not a proposition. An atomic proposition is one whose truth or falsity does not depend on the truth or falsity of any other proposition. Examples: All propositions above are atomic propositions. If traffic light is green, the car can drive is not an atomic proposition. For notational brevity, use propositional variables to abbreviate propositions. For example, p Traffic light is green q Front pad is occupied 6

15 Finite transition system A transition system TS is a tuple TS =(S, Act,, I, AP, L), where S is a set of states, Act is a set of actions, S Act S is a transition relation, I S is a set of initial states, AP is a set of atomic propositions, L : S 2 AP is a labeling function, and TS is called finite if S, Act, and AP are finite. rear, both, neither front, rear, both front q 0 q 1 {door is not open} neither {door is open} example S = {q 0,q 1 } Act = {rear, front, both, neither} = {(q 0, front, q 1 ), (q 1, neither, q 0 ), (q 1, rear, q 1 ),...} I = {q 0 } L(q 0 )={door is not open} L(q 1 )={door is open} 7

16 Finite transition system A transition system TS is a tuple TS =(S, Act,, I, AP, L), where S is a set of states, Act is a set of actions, S Act S is a transition relation, I S is a set of initial states, AP is a set of atomic propositions, L : S 2 AP is a labeling function, and TS is called finite if S, Act, and AP are finite. AP depends on the characteristics of the system of interest. For state s, L(s) is the set of atomic propositions that are satisfied at s. Labels model outputs or observables. Actions model inputs or communication. rear, both, neither front, rear, both front q 0 q 1 {door is not open} neither {door is open} example S = {q 0,q 1 } Act = {rear, front, both, neither} = {(q 0, front, q 1 ), (q 1, neither, q 0 ), (q 1, rear, q 1 ),...} I = {q 0 } L(q 0 )={door is not open} L(q 1 )={door is open} 7

17 Propositional logic Given finite set AP of atomic propositions, the set of propositional logic formulas is inductively defined by: - true is a formula; - any a AP is a formula; - if φ 1, φ 2, and φ are formulas, so are φ and φ 1 φ 2 ; and - nothing else is a formula. From Specifying Systems by L. Lamport: Propositional logic is the math of the Boolean values, true and false, and the operators,,, 8

18 Propositional logic Given finite set AP of atomic propositions, the set of propositional logic formulas is inductively defined by: - true is a formula; - any a AP is a formula; - if φ 1, φ 2, and φ are formulas, so are φ and φ 1 φ 2 ; and - nothing else is a formula. From Specifying Systems by L. Lamport: Propositional logic is the math of the Boolean values, true and false, and the operators,,, Notation Connectives: (negation), (and) (or), (implies) 1 for true and 0 for false. Example propositional logic formulas obtained by applying the above four rules: φ 1 φ 2 := ( φ 1 φ 2 ) φ 1 φ 2 := φ 1 φ 2 8

19 Propositional logic Given finite set AP of atomic propositions, the set of propositional logic formulas is inductively defined by: - true is a formula; - any a AP is a formula; - if φ 1, φ 2, and φ are formulas, so are φ and φ 1 φ 2 ; and - nothing else is a formula. From Specifying Systems by L. Lamport: Propositional logic is the math of the Boolean values, true and false, and the operators,,, Notation Connectives: (negation), (and) (or), (implies) 1 for true and 0 for false. Example propositional logic formulas obtained by applying the above four rules: φ 1 φ 2 := ( φ 1 φ 2 ) The evaluation function µ : AP {0, 1} assigns a truth value to each a AP. The truth value µ(φ) of a formula Φ is determined by substituting the values for the atomic propositions specified by µ. Given: AP = {a, b, c}, µ(a) = 0 and µ(b) =µ(c) =1. Φ 1 =(a b) c, µ(φ 1 )=1 Φ 2 =(a b) c, µ(φ 2 )=0 φ 1 φ 2 := φ 1 φ 2 8

20 Logical dynamical system as a finite transition system x 1 [k + 1] = x 2 [k] u[k], x 1 [0] = 0, x 2 [k + 1] = x 1 [k] u[k], x 2 [0] = 1, y[k] =x 1 [k] x 2 [k] φ 1 φ 2 := ( φ 1 φ 2 ) (φ 1 φ 2 ) XOR (exclusive or) gives true only if exactly one of the operands is true. S = {0, 1]} 2 Act = {0, 1} I = {(0, 1)} AP = {y} L(x 1,x 2 )= {y} (indicating 1) if x1 x 2 =0 1 (indicating 0) otherwise 9

21 Concurrent systems Systems in which multiple tasks can be executed at the same time potentially with inter-task communication and resource sharing. 10

Example: multi-threaded control Separate code into independent threads Switch between threads, allowing each to run

22 Concurrent systems Systems in which multiple tasks can be executed at the same time potentially with inter-task communication and resource sharing. Example: multi-threaded control Separate code into independent threads Switch between threads, allowing each to run simultaneously Potential problems: deadlocks, race conditions Thread Usage in Alice (DGC05) Modes of communication between the subsystems: hand-shaking (leads to synchrony) changing the values of shared variables (leads to asynchrony) 10

23 Composition of transition systems (by handshaking) Let TS 1 =(S 1, Act 1, 1,I 1, AP 1,L 1 ) and TS 2 =(S 2, Act 2, 2,I 2, AP 2,L 2 ) be transition systems. Their parallel composition, TS 1 TS 2 is the transition system defined by TS 1 TS 2 =(S 1 S 2, Act 1 Act 2,,I 1 I 2, AP 1 AP 2,L) where L(s 1,s 2 )=L 1 (s 1 ) L 2 (s 2 ) and is defined by the following rules: If Act 1 Act 2, s 1 1 s 1, and s 2 2 s 2,thens 1,s 2 s 1,s 2. If Act 1 \ Act 2 and s 1 1 s 1,thens 1,s 2 s 1,s 2. If Act 2 \ Act 1 and s 2 2 s 2,thens 1,s 2 s 1,s 2. q 1 s 1 q 1,s 1 q 1,s 2 {g 2 } q 2 s 2 q 2,s 1 q 2,s 2 {g 1 } traffic light 1 {g 2 } traffic light 2 {g 1 } {g 1,g 2 } 11

24 Composition of transition systems (by handshaking) Let TS 1 =(S 1, Act 1, 1,I 1, AP 1,L 1 ) and TS 2 =(S 2, Act 2, 2,I 2, AP 2,L 2 ) be transition systems. Their parallel composition, TS 1 TS 2 is the transition system defined by TS 1 TS 2 =(S 1 S 2, Act 1 Act 2,,I 1 I 2, AP 1 AP 2,L) where L(s 1,s 2 )=L 1 (s 1 ) L 2 (s 2 ) and is defined by the following rules: If Act 1 Act 2, s 1 1 s 1, and s 2 2 s 2,thens 1,s 2 s 1,s 2. If Act 1 \ Act 2 and s 1 1 s 1,thens 1,s 2 s 1,s 2. If Act 2 \ Act 1 and s 2 2 s 2,thens 1,s 2 s 1,s 2. q 1 s 1 q 1,s 1 q 1,s 2 {g 2 } q 2 s 2 q 2,s 1 q 2,s 2 {g 1 } traffic light 1 {g 2 } traffic light 2 {g 1 } {g 1,g 2 } 11

25 Composition of transition systems (by handshaking) Let TS 1 =(S 1, Act 1, 1,I 1, AP 1,L 1 ) and TS 2 =(S 2, Act 2, 2,I 2, AP 2,L 2 ) be transition systems. Their parallel composition, TS 1 TS 2 is the transition system defined by TS 1 TS 2 =(S 1 S 2, Act 1 Act 2,,I 1 I 2, AP 1 AP 2,L) where L(s 1,s 2 )=L 1 (s 1 ) L 2 (s 2 ) and is defined by the following rules: If Act 1 Act 2, s 1 1 s 1, and s 2 2 s 2,thens 1,s 2 s 1,s 2. If Act 1 \ Act 2 and s 1 1 s 1,thens 1,s 2 s 1,s 2. If Act 2 \ Act 1 and s 2 2 s 2,thens 1,s 2 s 1,s 2. q 1 q 2 {g 1 } traffic light 1 s 1 s 2 {g 2 } traffic light 2 q 1,s 1 q 2,s 1 {g 2 } q 1,s 2 q 2,s 2 {g 1 } {g 1,g 2 } c 2 c 1 c 3 controller {g 1 } q 2,s 1,c 2 q 1,s 1,c 1 q 1,s 2,c 3 {g 2 } + Unreachable states 11

26 Paths of a finite transition system Given a transition system TS =(S, Act,, I, AP, L). For s S, P ost(s) := s S : a Act s.t. s a s Example: Post((0,0)) = {(0,0),(1,0)}. A state s is terminal iff Post(s) is empty. 12

27 Paths of a finite transition system Given a transition system TS =(S, Act,, I, AP, L). For s S, P ost(s) := s S : a Act s.t. s a s Example: Post((0,0)) = {(0,0),(1,0)}. q A state s is terminal iff Post(s) is empty. 12

28 Paths of a finite transition system Given a transition system TS =(S, Act,, I, AP, L). For s S, P ost(s) := s S : a Act s.t. s a s Example: Post((0,0)) = {(0,0),(1,0)}. A state s is terminal iff Post(s) is empty. A sequence of states, either finite π = s 0 s 1 s 2...s n or infinite π = s 0 s 1 s 2..., is a path fragment if s i+1 P ost(s i ), i 0. (0, 1) 0,1 (1, 0) 1 (1, 1) 1 (1, 1) 0 (1, 0) 0 (0, 0) 0 (0, 0) 1 (1, 0) 0 (0, 1) 0,1 (1, 0) 1 (1, 1). 12

29 Paths of a finite transition system Given a transition system TS =(S, Act,, I, AP, L). For s S, P ost(s) := s S : a Act s.t. s a s Example: Post((0,0)) = {(0,0),(1,0)}. A state s is terminal iff Post(s) is empty. A sequence of states, either finite π = s 0 s 1 s 2...s n or infinite π = s 0 s 1 s 2..., is a path fragment if s i+1 P ost(s i ), i 0. A path is a path fragment s.t. and it is either finite with terminal or infinite. Denote the set of paths in TS by P ath(ts). s 0 I s n a path: (0, 1) 0,1 (1, 0) 1 (1, 1) 1 (1, 1) 0 not a path: (1, 0) 0 (0, 0) 0 (0, 0) 1 (1, 0) 0 not a path: (0, 1) 0,1 (1, 0) 1 (1, 1). 12

30 Traces of a finite transition system Equivalent FSMs w/ and w/o terminal state Consider a finite transition system TS =(S, Act,, I, AP, L) with no terminal states (wlog). The trace of an infinite path fragment The set, π = s 0 s 1 s 2... trace(π) =L(s 0 )L(s 1 )L(s 2 )..., of traces of TS is defined by. T races(ts)={trace(π) :π P aths(ts)} T races(ts) is defined by sequence of sets of atomic propositions that are valid in the states along the path 13

31 Traces of a finite transition system Equivalent FSMs w/ and w/o terminal state Consider a finite transition system TS =(S, Act,, I, AP, L) with no terminal states (wlog). The trace of an infinite path fragment The set, π = s 0 s 1 s 2... trace(π) =L(s 0 )L(s 1 )L(s 2 )..., of traces of TS is defined by. T races(ts)={trace(π) :π P aths(ts)} T races(ts) is defined by sequence of sets of atomic propositions that are valid in the states along the path rear, both, neither front, rear, both front q 0 q 1 {door is not open} {door is open} neither Actions: f, f, n, b, f, f, b,... Path: q 0 q 1 q 1 q 0 q 0 q 1 q 1 q 1... Trace: o, o, o, o, o, o, o, o,... (with some abuse of notation) 13

32 Linear-time properties A linear-time (LT) property P over atomic propositions in AP is a set of infinite sequences over 2 AP. Let P be an LT property over AP and TS =(S, Act,, I, AP, L) bea transition system. TS satisfies P, denoted as TS = P, iff T races(ts) P. 14

33 Linear-time properties A linear-time (LT) property P over atomic propositions in AP is a set of infinite sequences over 2 AP. Let P be an LT property over AP and TS =(S, Act,, I, AP, L) bea transition system. TS satisfies P, denoted as TS = P, iff T races(ts) P. traces of TS admissible, desired, undesired, etc. behavior 14

34 Linear-time properties A linear-time (LT) property P over atomic propositions in AP is a set of infinite sequences over 2 AP. Let P be an LT property over AP and TS =(S, Act,, I, AP, L) bea transition system. TS satisfies P, denoted as TS = P, iff T races(ts) P. traces of TS admissible, desired, undesired, etc. behavior Example: AP = {red1, green1, red2, green2} P1 = The first light is infinitely often green. [A 0 A 1 A 2... with green1 A i 2 AP holds for infinitely many i] {r1,g2}{g1,r2}{r1,g2}{g1,r2}... {g1} {g1} {g1}... {g1,g2}{g1,g2}{g1,g2}... {r1,g2}{r1g1}... P2 = The lights are never both green simultaneously. [A 0 A 1 A 2... with green1 / A i or green2 / A i, for all i 0] 14

35 Linear-time properties A linear-time (LT) property P over atomic propositions in AP is a set of infinite sequences over 2 AP. Let P be an LT property over AP and TS =(S, Act,, I, AP, L) bea transition system. TS satisfies P, denoted as TS = P, iff T races(ts) P. traces of TS {g 2 } admissible, desired, undesired, etc. behavior q 1,s 1 q 1,s 2 Example: AP = {red1, green1, red2, green2} P1 = The first light is infinitely often green. [A 0 A 1 A 2... with q 2,s green1 1 A i q 2,s 2 AP 2 holds for infinitely many i] {g 1 } {g 1,g 2 } {r1,g2}{g1,r2}{r1,g2}{g1,r2}... {g1} {g1} {g1}... {g1,g2}{g1,g2}{g1,g2}... {r1,g2}{r1g1}... P2 = The lights are never both green simultaneously. [A 0 A 1 A 2... with green1 / A i or green2 / A i, for all i 0] c 2 c 1 c 3 {g 1 } q 2,s 1,c 2 q 1,s 1,c 1 q 1,s 2,c 3 {g 2 } + Unreachable states 14

36 Linear-time properties A linear-time (LT) property P over atomic propositions in AP is a set of infinite sequences over 2 AP. Let P be an LT property over AP and TS =(S, Act,, I, AP, L) bea transition system. TS satisfies P, denoted as TS = P, iff T races(ts) P. traces of TS {g 2 } admissible, desired, undesired, etc. behavior q 1,s 1 q 1,s 2 Example: AP = {red1, green1, red2, green2} P1 = The first light is infinitely often green. [A 0 A 1 A 2... with q 2,s green1 1 A i q 2,s 2 AP 2 holds for infinitely many i] {g 1 } {g 1,g 2 } {r1,g2}{g1,r2}{r1,g2}{g1,r2}... {g1} {g1} {g1}... {g1,g2}{g1,g2}{g1,g2}... {r1,g2}{r1g1}... P2 = The lights are never both green simultaneously. [A 0 A 1 A 2... with green1 / A i or green2 / A i, for all i 0] c 2 c 1 c 3 {g 1 } q 2,s 1,c 2 q 1,s 1,c 1 q 1,s 2,c 3 {g 2 } + Unreachable states The transition system satisfies P2, but it does not satisfy P1. 14

37 Invariants An LT property P Φ over AP is an invariant with respect to a propositional logic formula Φ over AP if P Φ = {A 0 A 1 A 2... (2 AP ) ω : A j = Φ j 0}. 15

38 Invariants An LT property P Φ over AP is an invariant with respect to a propositional logic formula Φ over AP if P Φ = {A 0 A 1 A 2... (2 AP ) ω : A j = Φ j 0}. Notation: repeat infinitely many times For A AP, let the evaluation µ A be the characteristic function of A. A = Φ iff µ A (Φ) =1 15

39 Invariants An LT property P Φ over AP is an invariant with respect to a propositional logic formula Φ over AP if P Φ = {A 0 A 1 A 2... (2 AP ) ω : A j = Φ j 0}. Notation: repeat infinitely many times For A AP, let the evaluation µ A be the characteristic function of A. A = Φ iff µ A (Φ) =1 Example: The LT property the lights are never both green simultaneously is an invariant with respect to Φ = green1 green2. 15

40 Invariants An LT property P Φ over AP is an invariant with respect to a propositional logic formula Φ over AP if P Φ = {A 0 A 1 A 2... (2 AP ) ω : A j = Φ j 0}. Notation: repeat infinitely many times For A AP, let the evaluation µ A be the characteristic function of A. A = Φ iff µ A (Φ) =1 Example: The LT property the lights are never both green simultaneously is an invariant with respect to Φ = green1 green2. Given TS, Φ, and P Φ, TS = P Φ? The following four statements are equivalent TS = P Φ trace(π) P Φ, π P ath(ts) L(s) = Φ, s S on a path of TS L(s) = Φ, s Reach(TS) A state s is reachable if there exists an execution fragment s.t. s 0 I and Reach(TS) a s 1 a 0 2 a s1 n s n = s : set of reachable states in TS Invariants are state properties. That is, for verification, find the reachable states and check Φ. 15

41 Safety properties An LT property P safe is a safety property if for all words σ (2 AP ) ω \P safe there exists a finite prefix ˆσ of σ s.t. P safe {σ (2 AP ) ω :ˆσ is a finite prefix of σ } =. Bad things have happened in the bad prefix starts with satisfies. ˆσ P safe ˆσ. Hence, no infinite word that 16

42 Safety properties An LT property P safe is a safety property if for all words σ (2 AP ) ω \P safe there exists a finite prefix ˆσ of σ s.t. P safe {σ (2 AP ) ω :ˆσ is a finite prefix of σ } =. Bad things have happened in the bad prefix starts with satisfies. ˆσ P safe ˆσ. Hence, no infinite word that Example: AP = {red, green, yellow} At least one of the lights is always on is a safety property. {σ = A 0 A 1... : A j AP A j = } Bad prefixes: finite words that contain. Two lights are never on at the same time is a safety property. {σ = A 0 A 1... : A j AP card(a j ) 1} Bad prefixes: finite words that contain {red,green}, {red,yellow}, and so on. 16

43 Safety properties An LT property P safe is a safety property if for all words σ (2 AP ) ω \P safe there exists a finite prefix ˆσ of σ s.t. P safe {σ (2 AP ) ω :ˆσ is a finite prefix of σ } =. Bad things have happened in the bad prefix starts with satisfies. ˆσ P safe ˆσ. Hence, no infinite word that Example: AP = {red, green, yellow} At least one of the lights is always on is a safety property. {σ = A 0 A 1... : A j AP A j = } Bad prefixes: finite words that contain. Two lights are never on at the same time is a safety property. {σ = A 0 A 1... : A j AP card(a j ) 1} Any invariant is a safety property. There are safety properties that are not invariant. Example: AP = {red, yellow} Each red is immediately preceded by a yellow is a safety property, but not invariant (because it is not a state property). Sample bad prefixes: Bad prefixes: finite words that contain {r} {y}{y}{r}{r} {r} {red,green}, {red,yellow}, and so on. 16

44 Liveness properties An LT property P is a liveness property if and only if for each finite word w of 2 AP there exists an infinite word σ (2 AP ) ω satisfying wσ P. Example: Two traffic lights with First light will eventually turn green First light will turn green infinitely often AP = {red1, green1, red2, green2} 17

45 Liveness properties An LT property P is a liveness property if and only if for each finite word w of 2 AP there exists an infinite word σ (2 AP ) ω satisfying wσ P. Example: Two traffic lights with First light will eventually turn green First light will turn green infinitely often AP = {red1, green1, red2, green2} Use of liveness properties: specify the absence of (undesired) infinite loops or progress toward a goal. rule out executions that cannot realistically occur (fairness), e.g., in an asynchronous execution, every process is activate infinitely often. 17

46 Liveness properties An LT property P is a liveness property if and only if for each finite word w of 2 AP there exists an infinite word σ (2 AP ) ω satisfying wσ P. Example: Two traffic lights with First light will eventually turn green First light will turn green infinitely often AP = {red1, green1, red2, green2} Use of liveness properties: specify the absence of (undesired) infinite loops or progress toward a goal. rule out executions that cannot realistically occur (fairness), e.g., in an asynchronous execution, every process is activate infinitely often. Example: Is the following a safety or liveness property? the first light is eventually green after it is initially red three time instances in a row 17

47 Liveness properties An LT property P is a liveness property if and only if for each finite word w of 2 AP there exists an infinite word σ (2 AP ) ω satisfying wσ P. Example: Two traffic lights with First light will eventually turn green First light will turn green infinitely often AP = {red1, green1, red2, green2} Use of liveness properties: specify the absence of (undesired) infinite loops or progress toward a goal. rule out executions that cannot realistically occur (fairness), e.g., in an asynchronous execution, every process is activate infinitely often. safety liveness Example: Is the following a safety or liveness property? the first light is eventually green after it is initially red three time instances in a row r 1 r 1 r 1 (2 AP ) ω (2 AP ) g 1 (2 AP ) ω Answer: It is a combination of a safety and a liveness property. Liveness: any finite word can be extended by an infinite word A 0 A 1 A 2... with green1 A j for some j 0. Safety: any finite word A 0 A 1 A 2 with red1 / A i for any i {0, 1, 2} is a bad prefix. 17

48 Invariant Safety Liveness state condition something bad never happens something good will happen eventually violated at individual states any infinite run violating the property has a finite prefix violated only by infinite runs verification: find the reachable states and check the invariant condition verification: verification:?? 18

49 Nondeterministic finite automaton (NFA) A nondeterministic finite automaton A =(Q, Σ, δ,q 0,F) is a tuple with - A is a set of states, - Σ is an alphabet, - δ : Q Σ 2 Q is a transition function, - Q 0 Q is a set of initial states, and - F Q is a set of accept (or: final) states. Q = {q0,q1,q2}, Σ = {A, B} Q 0 = {q0}, F = {q2} δ(q0,a)={q0}, δ(q1,a)={q2}, δ(q2,a)=, δ(q0,b)={q0,q1} δ(q1,b)={q2} δ(q0,b)= 19

50 Nondeterministic finite automaton (NFA) A nondeterministic finite automaton A =(Q, Σ, δ,q 0,F) is a tuple with - A is a set of states, - Σ is an alphabet, - δ : Q Σ 2 Q is a transition function, - Q 0 Q is a set of initial states, and - F Q is a set of accept (or: final) states. set of finite words Let w = A 1...A n Σ be a finite word. A run for w in A is a finite sequence of states q 0 q 1...q n s.t. - q 0 Q 0 Q = {q0,q1,q2}, Σ = {A, B} Q 0 = {q0}, F = {q2} δ(q0,a)={q0}, δ(q1,a)={q2}, δ(q2,a)=, δ(q0,b)={q0,q1} δ(q1,b)={q2} δ(q0,b)= A i+1 - q i q i+1 for all 0 i<n. word run empty word B ABA BBA BA BBA q0 q0q1 q0q0q0q0 q0q0q0q0 q0q1q2 q0q0q1q2 19

51 Nondeterministic finite automaton (NFA) A nondeterministic finite automaton A =(Q, Σ, δ,q 0,F) is a tuple with - A is a set of states, - Σ is an alphabet, - δ : Q Σ 2 Q is a transition function, - Q 0 Q is a set of initial states, and - F Q is a set of accept (or: final) states. set of finite words Let w = A 1...A n Σ be a finite word. A run for w in A is a finite sequence of states q 0 q 1...q n s.t. - q 0 Q 0 Q = {q0,q1,q2}, Σ = {A, B} Q 0 = {q0}, F = {q2} δ(q0,a)={q0}, δ(q1,a)={q2}, δ(q2,a)=, δ(q0,b)={q0,q1} δ(q1,b)={q2} δ(q0,b)= A i+1 - q i q i+1 for all 0 i<n. word run A run q 0 q 1...q n is called accepting if q n F. A finite word in accepted if it leads to an accepting run. The accepted language L(A) of A is the set of finite words in Σ accepted by A. accepted empty word B ABA BBA BA BBA q0 q0q1 q0q0q0q0 q0q0q0q0 q0q1q2 q0q0q1q2 19

52 Regular safety properties A set L Σ of finite strings is called a regular language if there is a nondeterministic finite automaton A s.t. L = L(A). NFA: A =(Q, Σ, δ,q 0,F) language (set of finite words) accepted by the NFA 20

53 Regular safety properties A set L Σ of finite strings is called a regular language if there is a nondeterministic finite automaton A s.t. L = L(A). A safety property P safe over AP is called regular if its set of bad prefixes constitutes a regular language over 2 AP. That is: NFA A s.t. L(A) = bad prefixes of P safe NFA: A =(Q, Σ, δ,q 0,F) language (set of finite words) accepted by the NFA 20

54 Regular safety properties A set L Σ of finite strings is called a regular language if there is a nondeterministic finite automaton A s.t. L = L(A). A safety property P safe over AP is called regular if its set of bad prefixes constitutes a regular language over 2 AP. That is: NFA A s.t. L(A) = bad prefixes of P safe NFA: A =(Q, Σ, δ,q 0,F) language (set of finite words) accepted by the NFA Example: AP = {red, green, yellow} Each red must be preceded immediately by a yellow is a regular safety property. Sample bad prefixes: {}{}{red} {}{red} {yellow}{yellow}{green}{red} A 0 A 1...A n s.t. n>0, red A n, and yellow / A n 1 general form of minimal bad prefixes yellow q1 q0 q2 red yellow red yellow red yellow 20

55 Verifying regular safety properties Given a transition system TS and a regular safety property P safe, both over the atomic propositions AP. Let A be an NFA s.t. L(A) =BadP ref(p safe ). 21

56 Verifying regular safety properties Given a transition system TS and a regular safety property P safe, both over the atomic propositions AP. Let A be an NFA s.t. L(A) =BadP ref(p safe ). T races(ts) P safe 21

57 Verifying regular safety properties Given a transition system TS and a regular safety property P safe, both over the atomic propositions AP. Let A be an NFA s.t. L(A) =BadP ref(p safe ). TS = P safe iff T races(ts) P safe iff T races(ts) ((2 AP ) ω \P safe )= iff T races(ts) BadP ref(p safe ).(2 AP ) ω = iff pref(t races(ts)) BadP ref(p safe )= iff pref(t races(t S)) L(A) = finite prefixes T races(ts) P safe For words w and σ, w.σ denotes their concatenation. 21

58 Verifying regular safety properties Given a transition system TS and a regular safety property P safe, both over the atomic propositions AP. Let A be an NFA s.t. L(A) =BadP ref(p safe ). TS = P safe iff T races(ts) P safe iff T races(ts) ((2 AP ) ω \P safe )= iff T races(ts) BadP ref(p safe ).(2 AP ) ω = iff pref(t races(ts)) BadP ref(p safe )= iff pref(t races(t S)) L(A) = finite prefixes (2 AP ) ω (2 AP ) ω \P safe T races(ts) P safe For words w and σ, w.σ denotes their concatenation. 21

59 Invariant Safety Liveness state condition something bad never happens something good will happen eventually violated at individual states any infinite run violating the property has a finite prefix violated only by infinite runs verification: find the reachable states and check the invariant condition verification: based on nondeterministic finite automaton which accepts finite runs verification:? 22

60 Nondeterministic Buchi automaton (NBA) A nondeterministic Buchi automaton is same as an NFA with its runs interpreted differently. A =(Q, Σ, δ,q 0,F) Let w = A 1 A 2... Σ ω be an infinite string. A run for w in A is an infinite sequence q 0 q 1... of states s.t. - q 0 Q 0 and A - q 1 A 0 2 A q1 3 q

61 Nondeterministic Buchi automaton (NBA) A nondeterministic Buchi automaton is same as an NFA with its runs interpreted differently. A =(Q, Σ, δ,q 0,F) Let w = A 1 A 2... Σ ω be an infinite string. A run for w in A is an infinite sequence q 0 q 1... of states s.t. - q 0 Q 0 and A - q 1 A 0 2 A q1 3 q2... AP = {red, green} A run is accepting if q j F for infinitely many j. A string w is accepted by A if there is an accepting run of w in A. L ω (A): set of infinite strings accepted by A. input word: {green}{}{green}{}{green}{}... run: q 0 q 1 q 0 q 1 q 0 q 1... input word: ({green, red}{}{green}{red}) ω run: q 0 q 1 q 0 q 1 q 0 q

62 Nondeterministic Buchi automaton (NBA) A nondeterministic Buchi automaton is same as an NFA with its runs interpreted differently. A =(Q, Σ, δ,q 0,F) Let w = A 1 A 2... Σ ω be an infinite string. A run for w in A is an infinite sequence q 0 q 1... of states s.t. - q 0 Q 0 and A - q 1 A 0 2 A q1 3 q2... AP = {red, green} A run is accepting if q j F for infinitely many j. A string w is accepted by A if there is an accepting run of w in A. L ω (A): set of infinite strings accepted by A. A set of infinite string L ω Σ ω is called an ω-regular language if there is an NBA A s.t. L ω = L ω (A). The NBA on the right accepts the infinite words satisfying the LT property: infinitely often green. input word: {green}{}{green}{}{green}{}... run: q 0 q 1 q 0 q 1 q 0 q 1... input word: ({green, red}{}{green}{red}) ω run: q 0 q 1 q 0 q 1 q 0 q

63 ω -Regular Properties NBA: A =(Q, Σ, δ,q 0,F) An LT property P over AP is called ω-regular if P is an ω-regular language over 2 AP. Invariant, regular safety, and various liveness properties are ω-regular. Let P be an ω-regular property and A be an NBA that represents the bad traces for P. Basic idea behind model checking ω-regular properties: TS = P if and only if Traces(TS) P if and only if Traces(TS) (2 AP ) ω \ P = if and only if if and only if Traces(TS) P = Traces(TS) L ω (A) = 24

64 Invariant Safety Liveness state condition something bad never happens something good will happen eventually violated at individual states any infinite run violating the property has a finite prefix violated only by infinite runs verification: find the reachable states and check the invariant condition verification: based on nondeterministic finite automaton which accepts finite runs verification: based on nondeterministic Buchi automaton which accepts infinite runs 25

Lecture 2 Automata Theory

Lecture 2 Automata Theory Ufuk Topcu Nok Wongpiromsarn Richard M. Murray EECI, 18 March 2013 Outline Modeling (discrete) concurrent systems: transition systems, concurrency and interleaving Linear-time