Course Runtime Verification - PDF Free Download

Course Martin Leucker (ISP) Volker Stolz (Høgskolen i Bergen, NO) INF5140 / V17

Chapters of the Course Chapter 1 Recall in More Depth Chapter 2 Specification Languages on Words Chapter 3 LTL on Finite Words Chapter 4 Impartial Chapter 5 Anticipatory LTL Semantics Chapter 6 Alternating Büchi Automata Chapter 7 Monitor Construction for Anticipatory Chapter 8 LTL with a Predictive Semantics Chapter 9 Summary

Chapter 1 Recall in More Depth Course INF5140 / V17

Chapter 1 Learning Targets of Chapter Recall in More Depth. 1. Recall the underlying principle of runtime verification. 2. Get to know to applications of runtime verification. 3. See different frameworks for runtime verification.

Chapter 1 Outline of Chapter Recall in More Depth. Recall Word Problem Good Monitors? Applications Reflection When to Use RV? RV Frameworks

Section Recall Word Problem Good Monitors? Chapter 1 Recall in More Depth Course INF5140 / V17

(Recall) technique that allow for checking whether a run of a system under scrutiny satisfies or violates a given correctness property. Recall Word Problem Good Monitors? Applications Reflection When to Use RV? RV Frameworks 1-5

Run and Execution (Recall) Run Run: possibly infinite sequence of the system s states. Run formally: possibly infinite word or trace. Recall Word Problem Good Monitors? Applications Reflection When to Use RV? RV Frameworks 1-6

Run and Execution (Recall) Execution Run Run: possibly infinite sequence of the system s states. Run formally: possibly infinite word or trace. Execution: finite prefix of a run. Execution formally: finite word or trace. RV is primarly used on executions. Recall Word Problem Good Monitors? Applications Reflection When to Use RV? RV Frameworks 1-6

Adding Monitors to a System (Recall) A monitor checks whether an execution meets a correctness property. A monitor is a device that reads a finite trace and yields a certain verdict. Recall Word Problem Good Monitors? C 1 C 3 Applications Reflection When to Use RV? RV Frameworks C 2 C 4 1-7

Adding Monitors to a System (Recall) A monitor checks whether an execution meets a correctness property. A monitor is a device that reads a finite trace and yields a certain verdict. M Recall Word Problem Good Monitors? C 1 C 3 Applications Reflection When to Use RV? RV Frameworks C 2 C 4 1-7

Monitors can Check Relations of Values (Recall) A monitor can use more than one input value. A monitor can check the relations of multiple values. M C Recall Word Problem Good Monitors? Applications Reflection When to Use RV? RV Frameworks 1-8

RV and the Word Problem A simple monitor outputs yes if the execution satisfies the correctness property, no if not. Let ϕ denote the set of valid executions given by property ϕ. Then runtime verification answers the word problem w ϕ. The word problem can be decided with lower complexity compared to the subset problem. Recall Word Problem Good Monitors? Applications Reflection When to Use RV? RV Frameworks 1-9

How Does a Good Monitor Look? Impartiality and Anticipation (Impartiality) Impartiality requires that a finite trace is not evaluated to true or, respectively false, if there still exists a (possibly infinite) continuation leading to another verdict. (Anticipation) Anticipation requires that once every (possibly infinite) continuation of a finite trace leads to the same verdict, then the finite trace evaluates to this very same verdict. Recall Word Problem Good Monitors? Applications Reflection When to Use RV? RV Frameworks A monitor for RV should adhere to both maxims! 1-10

Section Applications Reflection When to Use RV? RV Frameworks Chapter 1 Recall in More Depth Course INF5140 / V17

Reflection reflection (RR) is an architecture pattern for the development of reliable systems. A monitoring layer is enriched with a diagnosis layer and a subsequent mitigation layer. Application Mitigation Diagnosis Monitoring Logging Reflection Recall Word Problem Good Monitors? Applications Reflection When to Use RV? RV Frameworks 1-12

Reflection Logging Recording of System Events The logging layer observes system events and provides them for the monitoring layer. Realization Add code annotations within the system to build or use separated stand-alone loggers. Recall Word Problem Good Monitors? Applications Reflection When to Use RV? RV Frameworks 1-13

Reflection Monitoring Fault Detection The monitoring layer is implemented using runtime verification techniques, consists of a number of monitors, detects the presence of faults in the system and raises an alarm for the diagnosis layer in case of faults. Recall Word Problem Good Monitors? Applications Reflection When to Use RV? RV Frameworks 1-14

Reflection Diagnosis Failure Identification The diagnosis layer collects the verdicts of the monitors and deduces an explanation for the current system state solely based upon the results of the monitors and general information on the system. Recall Word Problem Good Monitors? Applications Reflection When to Use RV? RV Frameworks 1-15

Reflection Mitigation Reconfiguration The reconfiguration layer mitigates the failure, if possible, or else may store detailed diagnosis information for off-line treatment. Recall Word Problem Good Monitors? Applications Reflection When to Use RV? RV Frameworks 1-16

When to Use RV? The verification verdict is often referring to a model of the real system. verification may then be used to easily check the actual execution of the system. Thus, runtime verification may act as a partner to theorem proving and model checking. Often, some information is available only at runtime. In such cases, runtime verification is an alternative to theorem proving and model checking. The behavior of an application may depend heavily on the environment of the target system. In this scenario, runtime verification adds on formal correctness proofs by model checking and theorem proving. In the case of systems where security is important, it is useful also to monitor behavior or properties that have been statically proved or tested. Recall Word Problem Good Monitors? Applications Reflection When to Use RV? RV Frameworks 1-17

Taxonomy information collection finite performance evaluation finite noncompleted trace infinite inline security application area integration outline Recall Word Problem event sequence safety checking monitoring runtime verification stage online Good Monitors? Applications Reflection When to Use RV? RV Frameworks offline state sequence input/ output behavior steering interference invasive passive active noninvasive 1-18

Monitoring Systems/Logging: Overview dedicated tracing/- monitoring hardware source code Recall trace tools monitoring systems /logging instrumentation byte code Word Problem Good Monitors? Applications Reflection When to Use RV? RV Frameworks binary code logging APIs 1-19

Monitoring Systems/Logging: Overview junit Eagle RV TraceMatches J-LO TraceContract Larva Recall Temporal Rover RV frameworks LogScope Word Problem Good Monitors? Applications Reflection When to Use RV? RV Frameworks RulerR LoLa MOP MAC 1-20

1. verification deals with verification techniques that allow checking whether an execution of a system under scrutiny satisfies or violates a given correctness property. 2. A Monitor checks whether an execution meets a correctness property. 3. One of its main technical challenges is the synthesis of efficient monitors from logical specifications. Recall Word Problem Good Monitors? Applications Reflection When to Use RV? RV Frameworks 1-21

Chapter 2 Specification Languages on Words Course INF5140 / V17

Chapter 2 Learning Targets of Chapter Specification Languages on Words. 1. Understand that RV specifies shape of words. 2. Recall the idea of regular expressions and understand their limitations for practical specifications. 3. Get an idea about temporal logics. 4. Understand the difference of regular expressions and temporal logics. 5. Understand how to specify properties in LTL.

Chapter 2 Outline of Chapter Specification Languages on Words. Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic

Section Runs Are Words States of the System Executions Are Words Chapter 2 Specification Languages on Words Course INF5140 / V17

Recap We want to monitor the execution of a system. We have already seen that A run of a system is a possibly infinite sequence of the system s states. An execution of a system is a finite prefix of a run. Observations We describe the execution of a system in a discrete way. The system is in exactly one state at a time. In the next step the system is in the next state. Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-5

Atomic Propositions An atomic proposition is an indivisible bit. We consider a fixed set of finitely many such bits. In every state every atomic proposition is either true or false. In other words: In every state of the execution some atomic propositions hold. Example Variable count is greater than 5. Memory for a variable data is allocated. Memory for data is free. The file handle logfile points to an opened file. Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-6

States Let AP be a fixed finite non empty set of atomic propositions. Σ = 2 AP is the power set of these. A state can be seen as an element a Σ. Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-7

Executions Are Like Linear Paths Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-8

Languages over Alphabets Let Σ be an alphabet and n N. We then use the following notation: Notation Σ Σ n Σ n Σ n Σ + Σ ω Σ Meaning set of all finite words over Σ all words in Σ of length n all words in Σ of length at most n all words in Σ of length at least n = Σ 1 set of all infinite words over Σ = Σ Σ ω Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-9

Executions Are Words A state can be seen as an element a Σ. Now a run is an infinite word w Σ ω and an execution a finite prefix w Σ. verification is about checking if an execution is correct, so we need to specify the set of correct executions as a language L Σ. Therefore a correctness property is a language L. Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-10

Section Regular Expressions The Idea Syntax and Semantics Limitations Chapter 2 Specification Languages on Words Course INF5140 / V17

Regular Expressions: The Idea Use a bottom up construction to construct a complex language by combining simpler languages together. Start with languages containing only one word of length 1. Use the common operations on languages to combine these into complexer languages. Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-12

Operations on Languages Let L 1 Σ and L 2 Σ be two languages. We than have intersection L 1 L 2 = {w Σ w L 1 w L 2 } union L 1 L 2 = {w Σ w L 1 w L 2 } complement L = {w Σ w L} concatenation L 1 L 2 = {uv Σ u L 1 v L 2 } Kleene star L = {u 1 u 2... u n Σ i : u i L} Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-13

Regular Expressions Regular expressions use only the operations union, concatenation and Kleene star. These are enough to build all regular languages. Every symbol a Σ is a regular expression. The empty word ε describes the empty word. Concatenation is expressed by concatenating regular expressions. Union is expressed by the operator combining two regular expressions. Kleene star is expressed by the * operator at the end of a regular expression. Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-14

Examples Examples Let Σ = {0, 1} be the finite alphabet. (0 1)* specifies all words w Σ. 1*0* specifies all words w Σ that do not contain the string 01. ((0 1)1)* specifies all words w Σ of even length where every second letter is 1. ((0 1)1)*(0 1 ε) specifies all words w Σ where every second letter is 1. Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-15

Syntax of Regular Expressions (Syntax of regular expressions) Let x Σ be a symbol from a given alphabet. The syntax of regular expressions is inductively defined by the following grammar: ϕ ::= ε x ϕϕ (ϕ ϕ) (ϕ)* Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-16

Semantics of Regular Expression (Semantics of Regular Expressions) Let w, u i Σ be words over the given alphabet, x Σ be an element of the alphabet and R, R regular expressions. Then the semantics of a regular expression is inductively defined as relation = of a non empty word and a regular expression as follows. ε = ε x = x w = RR iff u 1, u 2 : w = u 1 u 2 and u 1 = R and u 2 = R w = (R R ) iff w = R or w = R w = (R)* iff u 1,..., u n : w = u 1... u n and i {1,..., n} : u i = R. Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-17

Expressiveness of Regular Expressions Regular expressions describe regular languages: Every language described by a regular expression is a regular language. Proof: Structural induction on the syntax of regular expressions. Every regular language can be described using a regular expression. Proof: Standard translation of deterministic finite automata into regular expressions. Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-18

Limitations Regular expressions sometimes look more like a swear word in a comic book than a specification of anything. Crash! ^[^\)]+$ Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-19

Specifying Correctness Properties Specifications must be easy to understand: Specification must be correct otherwise verification makes no sense at all. We need kind of negation: It is often easier to specify the behaviour we do not want. Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-20

Section Linear Temporal Logic (LTL) Propositional Logic Temporal Logic Chapter 2 Specification Languages on Words Course INF5140 / V17

Another Idea A state of a system is a set of atomic propositions that hold in this state. An execution of a system is a finite sequence of such states. Let s use operators of propositional logic to describe properties of one state. temporal logic to describe the relationship of states. propositional logic to combine this. Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-22

A Simple Analogy A state is like a day. The initial state is like today. The next state is like tomorrow. s 0 s 1 s 2... s 21 Runs Are Words States of the System Executions Are Words today tomorrow the day after tomorrow... in 21 days Regular Expressions The Idea Syntax and Semantics Limitations Remember A day is a state in the execution. A day is a letter in the word over Σ = 2 AP. Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-23

Propositional Logic Using propositional logic without temporal operators we describe only the first state (today). Example Consider AP = {p, q, r, s} and an initial state s 0 of an execution w in which p and r holds. We then have s 0 s 1 s 2... s 21 {p, r} w = true w = p w = false w = p r q w = q s w = q. Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-24

Formula: ϕ The formula ϕ holds for an execution if ϕ holds in the first state s 0 of that execution. s 0 s 1 s 2... s 21 ϕ Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-25

Next: X ϕ The formula X ϕ holds in state s i if ϕ holds in state s i+1. If there is no state s i+1 then X ϕ never holds. s 0 s 1 s 2... s 21 ϕ Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-26

Weak Next: X ϕ The formula X ϕ holds in state s i if ϕ holds in state s i+1. If there is no state s i+1 then X ϕ always holds. s 0 s 1 s 2... s 21 ϕ Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-27

Globally: G ϕ The formula G ϕ holds in state s i if ϕ holds in all states s j for j i. s 0 s 1 s 2... s 21 ϕ ϕ ϕ ϕ ϕ Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-28

Finally: F ϕ The formula F ϕ holds in state s i if there is a state s j for j i in which ϕ holds. s 0 s 1... s 20 s 21 ϕ Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-29

Until: ϕ U ψ The formula ϕ U ψ holds in state s i if there is a state s j for j i in which ψ holds and ϕ holds in all states s k for i k < j. s 0 s 1... s 20 s 21 ϕ ϕ ϕ ψ Notice that a state in which ϕ holds is not required in all cases! Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-30

Release: ϕ R ψ The formula ϕ R ψ holds in state s i if there is a state s j for j i in which ϕ holds and ψ holds in all states s k for i k j. If there is no such state s j then the ϕ R ψ holds if ψ holds in all states s k for k i. s 0 s 1... s 20 s 21 ψ ψ ψ ψ ϕ s 0 s 1 or... s 20 s 21 ψ ψ ψ ψ ψ Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-31

1. The execution of a system is a word over the alphabet Σ = 2 AP where AP is the set of atomic propositions. 2. A correctness property is a language describing a set of executions. 3. Regular expressions describe regular languages and could be used to describe regular correctness properties. 4. Linear Temporal Logic (LTL) describes a subset of regular languages but is much better suited to describe correctness properties for runtime verification: Negation and Conjunction of LTL allows often to express correctness properties in a simple manner. Runs Are Words States of the System Executions Are Words Regular Expressions The Idea Syntax and Semantics Limitations Linear Temporal Logic (LTL) Propositional Logic Temporal Logic 2-32

Chapter 3 LTL on Finite Words Course INF5140 / V17

Chapter 3 Learning Targets of Chapter LTL on Finite Words. 1. Learn about LTL. 2. Understand the LTL syntax. 3. Understand the LTL semantics on finite words: FLTL. 4. See how RV can be implemented using FLTL and learn about monitors for finite, terminated traces.

Chapter 3 Outline of Chapter LTL on Finite Words. LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea

Section LTL Syntax LTL SALT Chapter 3 LTL on Finite Words Course INF5140 / V17

Recall: Specify Correctness Properties Observing Executions LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-5

Recall: Specify Correctness Properties Observing Executions Idea Specify correctness properties in Linear Temporal Logic (LTL). LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-5

Recall: Specify Correctness Properties Observing Executions Idea Specify correctness properties in Linear Temporal Logic (LTL). Commercial Specify correctness properties in Regular Linear Temporal Logic (RLTL). LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-5

Syntax of LTL Formulae (Syntax of LTL Formulae) Let p AP be an atomic proposition from a finite set of atomic propositions AP. The set of LTL formulae is inductively defined by the following grammar: ϕ ::= true p ϕ ϕ X ϕ ϕ U ϕ F ϕ false p ϕ ϕ X ϕ ϕ R ϕ G ϕ ϕ LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-6

Order of Operations The operator precedence is needed to determine an unambiguous derivation of an LTL formula if braces are left out in nested expressions. The higher the rank of an operator is the later it is derivated. Braces only need to be added if an operator of lower or same rank should be derivated later than the current one. Example (operator precedence of arithmetic) 1. exponential operator: 2. multiplicative operators:, / 3. additive operators: +, LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-7

Order of Operations (operator precedence of LTL) 1. negation operator: 2. unary temporal operators: X, X, G, F 3. binary temporal logic operators: U, R 4. conjunction operator: 5. disjunction operator: LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Example G x x U G y z ( ( ) ) G ( x) ( x) U (G y) z Monitor Function for FLTL The Idea 3-8

LTL for the Working Engineer? Simple? LTL is for theoreticians but for practitioners? LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-9

LTL for the Working Engineer? Simple? LTL is for theoreticians but for practitioners? SALT Structured Assertion Language for Temporal Logic Syntactic Sugar for LTL LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-9

www.isp.uni-luebeck.de/salt LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-10

Section FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Chapter 3 LTL on Finite Words Course INF5140 / V17

Parts of Words In the formal definition of LTL semantics we denote parts of a word as follows: Let w = a 1 a 2... a n Σ n be a finite word over the alphabet Σ = 2 AP and let i N with 1 i n be a position in this word. Then w := n is the length of the word, w i = a i is the i-th letter of the word and w i = a i a i+1... a n is the subword starting with letter i. LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-12

FLTL Semantics (FLTL Semantics) Let ϕ, ψ be LTL formulae and let w Σ + be a finite word. Then the semantics of ϕ with respect to w is inductively defined as follows: w = true w = p iff p w 1 w = p iff p w 1 w = ϕ iff w = ϕ w = ϕ ψ w = ϕ ψ iff w = ϕ or w = ψ iff w = ϕ and w = ψ LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-13

FLTL Semantics (FLTL Semantics) Let ϕ, ψ be LTL formulae and let w Σ + be a finite word. Then the semantics of ϕ with respect to w is inductively defined as follows: w = X ϕ iff w > 1 w = X ϕ iff w = 1 and, for w > 1, w 2 = ϕ or, for w > 1, w 2 = ϕ LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-13

FLTL Semantics (FLTL Semantics) Let ϕ, ψ be LTL formulae and let w Σ + be a finite word. Then the semantics of ϕ with respect to w is inductively defined as follows: w = ϕ U ψ w = ϕ R ψ iff i, 1 i w : (w i = ψ and k, 1 k < i : w k = ϕ) iff i, 1 i w : (w i = ϕ and k, 1 k i : w k = ψ) or i, 1 i w : w i = ψ LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-13

FLTL Semantics (FLTL Semantics) Let ϕ, ψ be LTL formulae and let w Σ + be a finite word. Then the semantics of ϕ with respect to w is inductively defined as follows: w = F ϕ w = G ϕ iff i, 1 i w : w i = ϕ iff i, 1 i w : w i = ϕ LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-13

Finally and Globally Examples Examples (Finally and Globally) Consider words over the alphabet Σ = 2 AP with AP = {p, q}. {p} {q} = F q. LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-14

Finally and Globally Examples Examples (Finally and Globally) Consider words over the alphabet Σ = 2 AP with AP = {p, q}. {p} {q} = F q. {q}{q}{p, q}{q}{q} = G q. LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-14

Finally and Globally Examples Examples (Finally and Globally) Consider words over the alphabet Σ = 2 AP with AP = {p, q}. {p} {q} = F q. {q}{q}{p, q}{q}{q} = G q. {p}{p, q} {q} {q} = G F q. {p} {q}{p}{p, q}{p, q}{q} = F G q. LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-14

Finally and Globally Examples Examples (Finally and Globally) Consider words over the alphabet Σ = 2 AP with AP = {p, q}. {p} {q} = F q. {q}{q}{p, q}{q}{q} = G q. {p}{p, q} {q} {q} = G F q. {p} {q}{p}{p, q}{p, q}{q} = F G q. G F ϕ can be read as: For every state (globally) there will be a state in the future (finally) in that ϕ holds. F G ϕ can be read as: There will be a state in the future (finally) that ϕ holds in every state (globally). LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-14

Practical Examples In the following examples we consider these scopes: everytime: all states before ψ: all states before the first state in which ψ holds (if there is such a state) after ψ: all states after and including the first state in which ψ holds (if there is such a state) Example (Absence) The formula ϕ does not hold everytime: G ϕ before ψ: (F ψ) ( ϕ U ψ) after ψ: G(ψ (G ϕ)) LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-15

Practical Examples In the following examples we consider these scopes: everytime: all states before ψ: all states before the first state in which ψ holds (if there is such a state) after ψ: all states after and including the first state in which ψ holds (if there is such a state) Example (Existence) The formula ϕ holds in the future everytime: F ϕ before ψ: G ψ ψ U(ϕ ψ) after ψ: G ψ F(ψ F ϕ) LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-15

Practical Examples In the following examples we consider these scopes: everytime: all states before ψ: all states before the first state in which ψ holds (if there is such a state) after ψ: all states after and including the first state in which ψ holds (if there is such a state) Example (Universality) The formula ϕ holds everytime: G ϕ before ψ: (F ψ) (ϕ U ψ) after ψ: G(ψ G ϕ) LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-15

Equivalences (Equivalence of Formulae) Let Σ = 2 AP and ϕ and ψ be LTL formulae over AP. ϕ and ψ are equivalent, denoted by ϕ ψ, iff w Σ + : w = ϕ w = ψ. Globally and finally can easily be expressed using until and release: F ϕ true U ϕ G ϕ false R ϕ LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-16

De Morgan Rules The negation can always be moved in front of the atomic propositions using the dual operators: De Morgan Rules of Propositional Logic (ϕ ψ) ϕ ψ (ϕ ψ) ϕ ψ LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-17

De Morgan Rules The negation can always be moved in front of the atomic propositions using the dual operators: De Morgan Rules of Temporal Logic (ϕ U ψ) ϕ R ψ (ϕ R ψ) ϕ U ψ (G ϕ) F ϕ (F ϕ) G ϕ (X ϕ) X ϕ (X ϕ) X ϕ LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-17

Fixed Point Equations The following fixed point equations can be used to step-wise unwind until and release: ϕ U ψ ψ (ϕ X(ϕ U ψ)) ϕ R ψ ψ (ϕ X(ϕ R ψ)) Consequently such fix point equations for globally and finally are special cases of the above ones: G ϕ ϕ X(G ϕ) F ϕ ϕ X(F ϕ) LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-18

Negation Normal Form (NNF) (Negation Normal Form (NNF)) An LTL formula ϕ is in Negation Normal Form (NNF) iff only occurs in front of atomic propositions p AP. LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-19

Negation Normal Form (NNF) (Negation Normal Form (NNF)) An LTL formula ϕ is in Negation Normal Form (NNF) iff only occurs in front of atomic propositions p AP. Lemma For every LTL formula there exists an equivalent formula in NNF. Proof. Recursively apply De Morgan rules of propositional logic and De Morgan rules of temporal logic. LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-19

Section Monitor Function for FLTL The Idea Chapter 3 LTL on Finite Words Course INF5140 / V17

The Idea Build up a function that takes an LTL formula ϕ in NNF and a word w Σ +, performs recursion on the structure of ϕ returns true iff w = ϕ. LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-21

First Ideas Let p AP be an atomic proposition and w Σ + a word. We then can evaluate true and false. ϕ ψ by evaluating ϕ, evaluating ψ and computing ϕ ψ. p by checking if p w 1. p by checking if p w 1. LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-22

Further Ideas What about next? We can check if w = X ϕ holds by omitting the first letter of w and the next operator and checking if w 2 = ϕ holds. LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-23

Further Ideas What about next? We can check if w = X ϕ holds by omitting the first letter of w and the next operator and checking if w 2 = ϕ holds. What about until and release? Use the already presented fixpoint equations and the above ideas to evaluate conjunction, disjunction and next. ϕ U ψ ψ (ϕ X(ϕ U ψ)) ϕ R ψ ψ (ϕ X(ϕ R ψ)) LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-23

evlfltl Let Σ = 2 AP be the finite alphabet, p AP an atomic proposition, w Σ + a finite non-empty word, ϕ and ψ LTL formulae and B 2 = {, }. We then define the function evlfltl : Σ + LTL B 2 inductively as follows: evlfltl(w, true) = evlfltl(w, false) = evlfltl(w, ϕ ψ) = evlfltl(w, ϕ) evlfltl(w, ψ) evlfltl(w, ϕ ψ) = evlfltl(w, ϕ) evlfltl(w, ψ) evlfltl(w, p) = (p w 1 ) evlfltl(w, p) = (p w 1 ) LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-24

evlfltl Let Σ = 2 AP be the finite alphabet, p AP an atomic proposition, w Σ + a finite non-empty word, ϕ and ψ LTL formulae and B 2 = {, }. We then define the function evlfltl : Σ + LTL B 2 inductively as follows: evlfltl(w, ϕ U ψ) = evlfltl(w, ψ (ϕ X(ϕ U ψ))) evlfltl(w, ϕ R ψ) = evlfltl(w, ψ (ϕ X(ϕ R ψ))) evlfltl(w, F ϕ) = evlfltl(w, ϕ X F ϕ) evlfltl(w, G ϕ) = evlfltl(w, ϕ X G ϕ) evlfltl(w, X ϕ) = ( w > 1) evlfltl(w 2, ϕ) evlfltl(w, X ϕ) = ( w = 1) evlfltl(w 2, ϕ) LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-24

1. The LTL operations negation, disjunction, until and next are enough to gain the full expressiveness of LTL. 2. If you add the dual operators every LTL formula has a negation normal form (NNF). 3. The fix point equations can be used to step-wise unwind until and release using next and weak next. 4. evlfltl is as inductively defined function that answers the question if a given finite non-empty word models a correctness property given as an LTL formula in NNF and can easily be implemented recursively. LTL Syntax LTL SALT FLTL Semantics Semantics Examples and Equivalences Negation Normal Form Monitor Function for FLTL The Idea 3-25

Chapter 4 Impartial Course INF5140 / V17

Chapter 4 Learning Targets of Chapter Impartial. 1. Understand the idea of impartiality and why we want to use impartial evaluation of LTL formulae. 2. Learn the basics of truth domains and lattices. 3. Understand the four-valued LTL semantics on finite words: FLTL 4. 4. See how impartial RV can be implemented using FLTL 4 and learn about automata based monitors for finite, non-completed traces.

Chapter 4 Outline of Chapter Impartial. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV

Section Truth Domains Motivation Chapter 4 Impartial Course INF5140 / V17

Words Aren t Terminated They Are Growing In the last chapters we considered finite terminated words. A monitor for RV does not get a formula and a finite terminated word. A monitor for RV gets a formula and one letter after another. With every new system state the monitor gets one more letter. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-5

Examples of Evaluating Growing Words Consider the alphabet Σ = 2 AP where AP = {p, q}, the properties ϕ = G p and ϕ = F p and words w and w growing with every new state. Lets watch monitors for RV at work: w = {p, q} w = ϕ Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-6

Examples of Evaluating Growing Words Consider the alphabet Σ = 2 AP where AP = {p, q}, the properties ϕ = G p and ϕ = F p and words w and w growing with every new state. Lets watch monitors for RV at work: w = {p, q} {p} w = ϕ w = ϕ Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-6

Examples of Evaluating Growing Words Consider the alphabet Σ = 2 AP where AP = {p, q}, the properties ϕ = G p and ϕ = F p and words w and w growing with every new state. Lets watch monitors for RV at work: w = {p, q} {p} {q} w = ϕ w = ϕ w = ϕ Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-6

Examples of Evaluating Growing Words Consider the alphabet Σ = 2 AP where AP = {p, q}, the properties ϕ = G p and ϕ = F p and words w and w growing with every new state. Lets watch monitors for RV at work: w = {p, q} {p} {q} {p} w = ϕ w = ϕ w = ϕ w = ϕ Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-6

Examples of Evaluating Growing Words Consider the alphabet Σ = 2 AP where AP = {p, q}, the properties ϕ = G p and ϕ = F p and words w and w growing with every new state. Lets watch monitors for RV at work: w = {p, q} {p} {q} {p} w = {q} Truth Domains Motivation w = ϕ w = ϕ w = ϕ w = ϕ w = ϕ Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-6

Examples of Evaluating Growing Words Consider the alphabet Σ = 2 AP where AP = {p, q}, the properties ϕ = G p and ϕ = F p and words w and w growing with every new state. Lets watch monitors for RV at work: w = {p, q} {p} {q} {p} w = {q} {q} Truth Domains Motivation w = ϕ w = ϕ w = ϕ w = ϕ w = ϕ w = ϕ Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-6

Examples of Evaluating Growing Words Consider the alphabet Σ = 2 AP where AP = {p, q}, the properties ϕ = G p and ϕ = F p and words w and w growing with every new state. Lets watch monitors for RV at work: w = {p, q} {p} {q} {p} w = {q} {q} {p, q} Truth Domains Motivation w = ϕ w = ϕ w = ϕ w = ϕ w = ϕ w = ϕ w = ϕ Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-6

Examples of Evaluating Growing Words Consider the alphabet Σ = 2 AP where AP = {p, q}, the properties ϕ = G p and ϕ = F p and words w and w growing with every new state. Lets watch monitors for RV at work: w = {p, q} {p} {q} {p} w = {q} {q} {p, q} {p} Truth Domains Motivation w = ϕ w = ϕ w = ϕ w = ϕ w = ϕ w = ϕ w = ϕ w = ϕ Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-6

Impartiality Be Impartial! go for a final verdict ( or ) only if you really know be a rational being: stick to your word Truth Domains Motivation (Impartiality) Impartiality requires that a finite trace is not evaluated to true or, respectively false, if there still exists an (possibly infinite) continuation leading to another verdict. Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-7

Semantic Function (Semantic Function) The semantic function sem k : Σ + LTL B k maps a word w Σ + and a an LTL formula ϕ to a logic value b B k. We use w = ϕ k = b instead of sem k (w, ϕ) = b. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-8

Semantic Function for FLTL We defined the FLTL semantics as relation w = ϕ between a word w Σ + and an LTL formula ϕ. This can be interpreted as semantic function sem 2 : Σ + LTL B 2, { if w = ϕ sem 2 (w, ϕ) = w = ϕ 2 := else. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-9

Impartiality (Impartial Semantics) Let Σ = 2 AP be an alphabet, w Σ + a word and ϕ an LTL formula. A semantic function is called impartial iff for all u Σ w = ϕ = implies wu = ϕ = w = ϕ = implies wu = ϕ =. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Target Create monitors which only answer or if the result keeps stable for a growing word. Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-10

We Need Multiple Values FLTL semantics are not impartial: w = {a}, ϕ = G a and wu = {a}{b} is a counterexample for w = ϕ = implies wu = ϕ =. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-11

We Need Multiple Values FLTL semantics are not impartial: w = {a}, ϕ = G a and wu = {a}{b} is a counterexample for w = ϕ = implies wu = ϕ =. Truth Domains Motivation Impartiality implies multiple values Every two-valued logic is not impartial. Impartiality forbids switching from to and vice versa. Therefore we need more logic values than and. Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-11

Lattice (Lattice) A lattice is a partially ordered set (L, ) where for each x, y L, there exists 1. a unique greatest lower bound (glb), which is called the meet of x and y, and is denoted with x y, and 2. a unique least upper bound (lub), which is called the join of x and y, and is denoted with x y. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines If the ordering relation is obvious we denote the lattice with the set L. Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-12

Finite Lattice (Finite Lattice) A lattice (L, ) is called finite iff L is finite. Truth Domains Motivation Every non-empty finite lattice has two well-defined unique elements: A least element, called bottom, denoted with and a greatest element, called top, denoted with. Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-13

Hasse diagram Hasse diagrams are used to represent a finite partially ordered set. Each element of the set is represented as a vertex in the plane. For all x, y L where x y but no z L exists where x z y a line that goes upward from x to y is drawn. Example Hasse diagram for B 2 = {, } with : Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-14

Example Lattices B 2 : B 2 2 : (, ) (, ) Truth Domains Motivation B 2 2 2 : Four-Valued LTL Semantics: FLTL 4 (,, ) (,, ) (,, ) (,, ) (,, ) (,, ) Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-15

Example Lattices II B 2 : B 3 : B 4 :? p Truth Domains Motivation p Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-16

Distributive Lattices (Distributive Lattices) A lattice (L, ) is called a distributive lattice iff we have for all elements x, y, z L x (y z) = (x y) (x z) and x (y z) = (x y) (x z). Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-17

De Morgan Lattice (De Morgan Lattice) A distributive lattice (L, ) is called a De Morgan lattice iff every element x L has a unique dual element x, such that x = x and x y implies y x. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-18

Boolean Lattice (Boolean Lattice) A De Morgan lattice is called Boolean lattice iff for every element x and its dual element x we have x x = and x x =. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Every Boolean lattice has 2 n elements for some n N. Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-19

Truth Domain (Truth Domain) A Truth Domain is a finite De Morgan Lattice. Examples (Truth Domains) The following lattices are all Truth Domains: B 2 = {, } with and = and =. B 3 = {,?, } with? and =,? =? and =. B 4 = {, p, p, } with p p and =, p = p, p = p and =. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-20

Section Four-Valued LTL Semantics: FLTL 4 Monitor Function Chapter 4 Impartial Course INF5140 / V17

Examples of Impartial LTL Semantics We want to create impartial four-valued semantics for LTL on finite, non-completed words using the truth domain (B 4, ). Examples (FLTL vs. FLTL 4 ) The indices 2 and 4 denote FLTL resp. FLTL 4. Truth Domains Motivation = X a 2 = = X a 2 = {a} = X a 2 = = X a 2 = = X a 2 = {a} = X a 2 = = X a 4 = p = X a 4 = {a} = X a 4 = = X a 4 = p = X a 4 = {a} = X a 4 = Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-22

How To Create Impartial LTL Semantics? At the end of the word X evaluates to p instead of and X evaluates to p instead of. Idea of p : Semantics if the word ends here. Fulfilling the introduced equivalences and fix point equations we get at the end of the word: U evaluates to p instead of, R evaluates to p instead of, F evaluates to p instead of and G evaluates to p instead of. Idea of p : Semantics if the word ends here or goes on like this forever. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-23

Properties of (B 4, ) (B 4, ) is no Boolean Lattice. Some equivalences in FLTL do not hold in FLTL 4. For any LTL formula ϕ using FLTL semantics we have ϕ ϕ 2 true and ϕ ϕ 2 false. Truth Domains Motivation Examples (FLTL vs. FLTL 4 ) For any w Σ + and a Σ we have w = G a G a 2 = w = G a G a 4 = p w = F a F a 2 = w = F a F a 4 = p Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-24

FLTL 4 Semantics (FLTL 4 Semantics) Let ϕ, ψ be LTL formulae and let w Σ + be a finite word. Then the semantics of ϕ with respect to w is inductively defined as follows: w = true 4 = w = false 4 = { if p w1 w = p 4 = if p w 1 { if p w1 w = p 4 = if p w 1 Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-25

FLTL 4 Semantics (FLTL 4 Semantics) Let ϕ, ψ be LTL formulae and let w Σ + be a finite word. Then the semantics of ϕ with respect to w is inductively defined as follows: w = ϕ 4 = w = ϕ 4 w = ϕ ψ 4 = w = ϕ 4 w = ψ 4 w = ϕ ψ 4 = w = ϕ 4 w = ψ 4 Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-25

FLTL 4 Semantics (FLTL 4 Semantics) Let ϕ, ψ be LTL formulae and let w Σ + be a finite word. Then the semantics of ϕ with respect to w is inductively defined as follows: { w 2 = ϕ 4 if w > 1 w = X ϕ 4 = p else { w 2 = ϕ 4 if w > 1 w = X ϕ 4 = p else Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-25

FLTL 4 Semantics (FLTL 4 Semantics) Let ϕ, ψ be LTL formulae and let w Σ + be a finite word. Then the semantics of ϕ with respect to w is inductively defined as follows: w = ϕ U ψ 4 = 1 i w w i = ψ 4 1 j<i p w j = ϕ 4 1 i w w i = ϕ 4 Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-25

FLTL 4 Semantics (FLTL 4 Semantics) Let ϕ, ψ be LTL formulae and let w Σ + be a finite word. Then the semantics of ϕ with respect to w is inductively defined as follows: w = ϕ R ψ 4 = 1 i w w i = ϕ 4 1 j i p w j = ψ 4 1 i w w i = ψ 4 Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-25

FLTL 4 Semantics (FLTL 4 Semantics) Let ϕ, ψ be LTL formulae and let w Σ + be a finite word. Then the semantics of ϕ with respect to w is inductively defined as follows: w = F ϕ 4 = p w i = ϕ 4 w = G ϕ 4 = p 1 i w 1 i w w i = ϕ 4 Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-25

Equivalences (Equivalence of Formulae) Let Σ = 2 AP and ϕ and ψ be LTL formulae over AP. ϕ and ψ are equivalent, denoted by ϕ ψ, iff w Σ + : w = ϕ = w = ψ. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 The equivalences desribed in the previous chapter are still valid using the semantic function of FLTL 4. Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-26

Monitor Function Left-to-right! Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-27

The Idea Build up a monitor function for evaluating each subsequent letter of non-completed words. Such a function takes an LTL formula ϕ in NNF and a letter a Σ, performs (not recursive) formula rewriting (progression) and returns a = ϕ 4 and a new LTL formula ϕ that the next letter has to fulfill. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-28

The Idea of Progression Compute only the semantics of the first letter and let someone else do the rest. Rewrite the LTL formula to keep track of what is done and what still needs to be checked. Thanks to the impartial semantics we don t need to know the whole word to compute a valid semantics. Truth Domains Motivation Examples Let w Σ + be a word and a Σ a letter. We can compute w = X a 4 by doing nothing and letting someone else check w 2 = a 4. We can compute w = a 4 by checking a w 1. Then the LTL formula is over. This is denoted by true or false as new formula. Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-29

Further Ideas We know how to evaluate atomic propositions, positive operators of propositional logic (, ) and next-formulas. Truth Domains Motivation That s it thanks to equivalences for G and F, De Morgan rules of propositional and temporal logic for negation ( ) and and fixed point equations for U and R. Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-30

evlfltl 4 Let Σ = 2 AP be the finite alphabet, p AP an atomic proposition, a Σ a letter, and ϕ and ψ LTL formulae. We then define the function evlfltl 4 : Σ LTL B 4 LTL inductively as follows: evlfltl 4 (a, true) = (, true) evlfltl 4 (a, false) = (, false) { (, true) if p a evlfltl 4 (a, p) = (, false) else { (, false) if p a evlfltl 4 (a, p) = (, true) else Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-31

evlfltl 4 Let Σ = 2 AP be the finite alphabet, p AP an atomic proposition, a Σ a letter, and ϕ and ψ LTL formulae. We then define the function evlfltl 4 : Σ LTL B 4 LTL inductively as follows: evlfltl 4 (a, ϕ ψ) = (v ϕ v ψ, ϕ ψ ), where (v ϕ, ϕ ) = evlfltl 4 (a, ϕ) and (v ψ, ψ ) = evlfltl 4 (a, ψ) evlfltl 4 (a, ϕ ψ) = (v ϕ v ψ, ϕ ψ ), where (v ϕ, ϕ ) = evlfltl 4 (a, ϕ) and (v ψ, ψ ) = evlfltl 4 (a, ψ) Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-31

evlfltl 4 Let Σ = 2 AP be the finite alphabet, p AP an atomic proposition, a Σ a letter, and ϕ and ψ LTL formulae. We then define the function evlfltl 4 : Σ LTL B 4 LTL inductively as follows: evlfltl 4 (a, X ϕ) = ( p, ϕ) evlfltl 4 (a, X ϕ) = ( p, ϕ) evlfltl 4 (a, ϕ U ψ) = evlfltl 4 (a, ψ (ϕ X(ϕ U ψ))) evlfltl 4 (a, ϕ R ψ) = evlfltl 4 (a, ψ (ϕ X(ϕ R ψ))) evlfltl 4 (a, F ϕ) = evlfltl 4 (a, ϕ X F ϕ) evlfltl 4 (a, G ϕ) = evlfltl 4 (a, ϕ X G ϕ) Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-31

Examples Example (Impartial Evaluation of Globally) Consider w = {a}{a}. First letter: evlfltl 4 ({a}, G a) = evlfltl 4 ({a}, a X G a) = (v 1 v 2, ϕ 1 ϕ 2 ) = ( p, true G a) = ( p, G a) where (v 1, ϕ 1 ) = evlfltl 4 ({a}, a) = (, true) (v 2, ϕ 2 ) = evlfltl 4 ({a}, X G a) = ( p, G a). Next letters: evlfltl 4 ({a}, G a) = ( p, G a) evlfltl 4 (, G a) = (, false) Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-32

Examples Example (Impartial Evaluation of Finally) Consider w = {a}. First letter: evlfltl 4 (, F a) = evlfltl 4 (, a X F a) = (v 1 v 2, ϕ 1 ϕ 2 ) = ( p, false F a) = ( p, F a) where (v 1, ϕ 1 ) = evlfltl 4 (, a) = (, false) (v 2, ϕ 2 ) = evlfltl 4 (, X F a) = ( p, F a). Next letters: evlfltl 4 (, F a) = ( p, F a) evlfltl 4 ({a}, F a) = (, true) Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-32

Section Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV Chapter 4 Impartial Course INF5140 / V17

Monitoring LTL on finite but expanding words Automata-theoretic approach Synthesize automaton Monitoring = stepping through automaton Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-34

Finite-state Machines With Output Moore Machines and Mealy Machines consists of states and transitions. read input and write output. change current state depending on input. Truth Domains Motivation Moore Machines output depends only on current state. generate first output in initial state. Mealy Machines output depends on current state and input. generate no output without input. Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-35

Moore Machine q 1 {p} q 0 p {q}, {p, q} q 2, {p}, {q}, {p, q}, {p}, {q}, {p, q} Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-36

Moore Machine Input q 1 {p} q 0 p {q}, {p, q} q 2, {p}, {q}, {p, q}, {p}, {q}, {p, q} Output p Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-36

Moore Machine Input {p} q 1 {p} q 0 p {q}, {p, q} q 2, {p}, {q}, {p, q}, {p}, {q}, {p, q} Output p p Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-36

Moore Machine Input {p}{p, q} q 1 {p} q 0 p {q}, {p, q} q 2, {p}, {q}, {p, q}, {p}, {q}, {p, q} Output p p Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-36

Mealy Machine {p}/ p q 0 / {q}, {p, q}/ Truth Domains Motivation q 1 q 2 Four-Valued LTL Semantics: FLTL 4, {p}, {q}, {p, q}/, {p}, {q}, {p, q}/ Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-37

Mealy Machine {p}/ p q 0 / {q}, {p, q}/ Truth Domains Motivation q 1 q 2 Four-Valued LTL Semantics: FLTL 4, {p}, {q}, {p, q}/, {p}, {q}, {p, q}/ Monitor Function Mealy Machines Input Output Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-37

Mealy Machine {p}/ p q 0 / {q}, {p, q}/ Truth Domains Motivation q 1 q 2 Four-Valued LTL Semantics: FLTL 4, {p}, {q}, {p, q}/, {p}, {q}, {p, q}/ Monitor Function Mealy Machines Input {p} Output p Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-37

Mealy Machine {p}/ p q 0 / {q}, {p, q}/ Truth Domains Motivation q 1 q 2 Four-Valued LTL Semantics: FLTL 4, {p}, {q}, {p, q}/, {p}, {q}, {p, q}/ Monitor Function Mealy Machines Input {p}{p, q} Output p Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-37

Translation Translating Moore into Mealy Machine Keep states. Label transitions with output of target state. Truth Domains Motivation Translating Mealy into Moore Machine Four-Valued LTL Semantics: FLTL 4 Add some extra states for those with multiple incoming transitions labeled with different output. Label state with output from its incoming transitions. Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-38

From evlfltl 4 To Mealy Machine evlfltl 4 gets a letter and a formula and outputs a logic value and a new formula. Use formula as state of the Mealy Machine. Use letter as input and logic value as output. Next state (new formula) depends on state (formula) and input (letter). Output depends on state (formula) and input (letter). Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-39

Determinstic Mealy Machine (Deterministic Mealy Machine) A (deterministic) Mealy machine is a tupel M = (Σ, Q, q 0, Γ, δ) where Σ is the input alphabet, Q is a finite set of states, q 0 Q is the initial state, Γ is the output alphabet and δ : Q Σ Γ Q is the transition function Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-40

Run of a Deterministic Mealy Machine (Run of a Deterministic Mealy Machine) A run of a (deterministic) Mealy machine M = (Σ, Q, q 0, Γ, δ) on a finite word w Σ n with outputs o i Γ is a sequence such that (w 1,o 1 ) (w 2,o 2 ) t 0 t 1... (w n 1,o n 1 ) (w n,o n) t n 1 t n t 0 = q 0 and (t i, o i ) = δ(t i 1, w i ) The output of the run is o n. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-41

Machine Types Deterministic in one state at a time transition function provides one state Nondeterministic in one state at a time transition function provides set of states Universal in many states simultaneously transition function provides set of states Alternating in many states simultaneously transition function provides positive Boolean combination of states FLTL 4 Monitoring Needs Alternating Mealy Machines We need all positive Boolean combinations of subformulae with finitely many states. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-42

Alternating Mealy Machine, {q}/ p {p}, {p, q}/ p q 0 Truth Domains Motivation false, {p}/ q 1 Four-Valued LTL Semantics: FLTL 4 Monitor Function {q}, {p, q}/ p Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-43

Positive Boolean Combination (PBC) (Positive Boolean Combination (PBC)) Given a set Q we define the set of all positive Boolean combinations (PBC) over Q, denoted by B + (Q), inductively as follows: {true, false} B + (Q), Q B + (Q) and α, β B + (Q) : α β, α β B + (Q). Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Examples Consider AP = {a, b, c} a B + (AP), {a} B + (AP), a b a c B + (AP), true B + (AP) and false B + (AP). Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-44

Alternating Mealy Machine (AMM) (Alternating Mealy Machine (AMM)) A alternating Mealy machine (AMM) is a tupel M = (Σ, Q, q 0, Γ, δ) where Σ is the input alphabet, Q is a finite set of states, q 0 Q is the initial state and Γ is a finite, distributive lattice, the output lattice, δ : Q Σ B + (Γ Q) is the transition function Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-45

Alternating Mealy Machine (AMM) (Alternating Mealy Machine (AMM)) A alternating Mealy machine (AMM) is a tupel M = (Σ, Q, q 0, Γ, δ) where Σ is the input alphabet, Q is a finite set of states, q 0 Q is the initial state and Γ is a finite, distributive lattice, the output lattice, δ : Q Σ B + (Γ Q) is the transition function Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Convention Understand δ : Q Σ B + (Γ Q) as a function δ : Q Σ Γ B + (Q) Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-45

Extended Transition Function (Extended Transition Function) Let δ : Q Σ Γ B + (Q) be the transition function of an alternating mealy machine. Then the extended transition function ˆδ : B + (Q) Σ Γ B + (Q) is inductively defined as follows ˆδ(q, a) = δ(q, a), ˆδ(true, a) = (, true), ˆδ(q1 q 2, a) = (o 1 o 2, q 1 q 2 ) and ˆδ(false, a) = (, false), ˆδ(q1 q 2, a) = (o 1 o 2, q 1 q 2 ), where (o 1, q 1 ) = ˆδ(q 1, a) and (o 2, q 2 ) = ˆδ(q 2, a). Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-46

Run of an Alternating Mealy Machine (Run of an Alternating Mealy Machine) A run of an alternating Mealy machine M = (Σ, Q, q 0, Γ, δ) on a finite word w Σ n with outputs o i Γ is a sequence such that (w 1,o 1 ) (w 2,o 2 ) t 0 t 1... (w n 1,o n 1 ) (w n,o n) t n 1 t n t 0 = q 0 and (t i, o i ) = ˆδ(t i 1, w i ), where ˆδ is the extended transition function of M. The output of the run is o n. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-47

Equivalence of PBCs (Model Relation for PBCs) Let Q be a set. A subset S Q is a model of a positive Boolean combination α B + (Q), denoted by S = α, iff α evaluates to true in propositional logic interpreting all p S as true and all p Q\S as false. Truth Domains Motivation (Equivalence of PBCs) Let Q be a set and α B + (Q) and β B + (Q) be positive Boolean combinations over Q. α and β are equivalent, denoted by α β, iff S Q : S = α S = β. Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-48

Equivalence Classes of PBCs (Equivalence Classes of PBCs) Let Q be a set. The equivalence class [α] of a positive Boolean combination α B + (Q) over Q is defined as follows [α] = {β B + (Q) α β}. The set of all equivalence classes of positive Boolean combinations over Q is denoted by the following quotient set B + (Q)/ = {[α] α B + (Q)}. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-49

Translating AMM to MM Use B + (Q) instead of Q as states. The extended transition function ˆδ then can be used as transition function of a MM. Problem: B + (Q) is infinite. There are infinitely many positive Boolean combinations over any set with at least two elements. Solution: Use B + (Q)/ instead of B + (Q). Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-50

Equivalence of Output and Next State Lemma Let ˆδ be the extended transition function of an AMM M = (Σ, Q, q 0, Γ, δ), a Σ, o, p Γ and α, β, α, β B + (Q) such that α β, (o, α ) = ˆδ(α, a) and Truth Domains Motivation Then (p, β ) = ˆδ(β, a). o = p and ( ) α β. Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV The proof of ( ) requires the output lattice to be distributive. 4-51

Representatives of [q] We can now use B + (Q)/ instead of Q as states. We still need a well defined representative for [α] for α B + (Q). In other words: Given α Q, howto find [α]? Solution: Use disjunctive normal form of α. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-52

Disjunctive Normal Form (DNF) (Disjunctive Normal Form (DNF)) A positive Boolean combination α B + (Q) over a set Q is in disjunctive normal form (DNF) iff n m α = q i,j i=1 j=1 for q i,j Q. A disjunctive normal form α B + (Q) is called minimal if there is no disjunctive normal form β B + (Q) s. t. α β and β contains less operators. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-53

Disjunctive Normal Form (DNF) (Disjunctive Normal Form (DNF)) A positive Boolean combination α B + (Q) over a set Q is in disjunctive normal form (DNF) iff n m α = q i,j i=1 j=1 for q i,j Q. A disjunctive normal form α B + (Q) is called minimal if there is no disjunctive normal form β B + (Q) s. t. α β and β contains less operators. Lemma For every positive Boolean combination α B + (Q) there exists a positive Boolean combination β such that α β and β is in minimal DNF. Proof uses distributivity of propositional logic. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-53

B + (Q)/ is finite Let Q be the set of states of an AMM. Then Q is finite. Then there are at most 2 Q many different α for n α = q i and n different q i Q. i=1 Then there are at most 2 2 Q many different β for n m β = q i,j minimal and q i,j Q. i=1 j=1 Then there are at most 2 2 Q many different [β] for β B + (Q). Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-54

Example: Alternating Mealy Machine, {q}/ p {p}, {p, q}/ p q 0 Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 false, {p}/ q 1 Monitor Function Mealy Machines {q}, {p, q}/ p Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-55

Example: Translated Mealy Machine, {q}/ p {q}/ p q 0 {p}, {p, q}/ p q 0 q 1, {p}/ q false, {p}, {q}, {p, q}/ {p, q}/ p Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-56

Translating AMM to Non-Deterministic or Universal MM Analogous we can use sets of (not equivalent) disjunctions or conjunctions of Q as states instead of B + (Q)/. alternating non-deterministic: translate t B + (Q) into equivalent minimal disjunctive normal form and use monomials as new states. alternating universal: translate t B + (Q) into equivalent minimal conjunctive normal form and use clauses as new states. alternating deterministic: translate t B + (Q) into equivalent minimal conjunctive or disjunctive normal form and use normal forms as new states. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-57

Automata Based RV We monitor an LTL formula ϕ by evaluating its current subformula ψ w.r.t. the current letter a. The monitor function evlfltl 4, which takes an LTL formula ψ in NNF and a letter a Σ and returns a = ψ 4 and a new LTL formula ψ, Truth Domains Motivation can be interpreted as transition function of an AMM where the states are subformulae of ϕ, the initial state is ϕ, the current state is ψ, we read the letter a, we output a = ψ 4 and Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV the next state is the new formula ψ. 4-58

Transition function of an AMM Let Σ = 2 AP be the finite alphabet, p AP an atomic proposition, a Σ a letter, ϕ, ψ 1, ψ 2 LTL formulae in NNF and Q the set of all subformulae of ϕ. We then define the transition function δ4 a : Q Σ B+ (B 4 Q) of the monitor AMM M ϕ = (Σ, Q, ϕ, B 4, δ4 a ) inductively as follows: δ a 4(true, a) = (, true) δ4(false, a a) = (, false) { (, true) if p a δ4(p, a a) = (, false) else { (, true) if p a δ4( a p, a) = (, false) else Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-59

Transition function of an AMM Let Σ = 2 AP be the finite alphabet, p AP an atomic proposition, a Σ a letter, ϕ, ψ 1, ψ 2 LTL formulae in NNF and Q the set of all subformulae of ϕ. We then define the transition function δ4 a : Q Σ B+ (B 4 Q) of the monitor AMM M ϕ = (Σ, Q, ϕ, B 4, δ4 a ) inductively as follows: δ a 4(ψ 1 ψ 2, a) = δ a 4(ψ 1, a) δ a 4(ψ 2, a) δ a 4(ψ 1 ψ 2, a) = δ a 4(ψ 1, a) δ a 4(ψ 2, a) δ a 4(X ψ 1, a) = ( p, ψ 1 ) δ a 4(X ψ 1, a) = ( p, ψ 1 ) Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-59

Transition function of an AMM Let Σ = 2 AP be the finite alphabet, p AP an atomic proposition, a Σ a letter, ϕ, ψ 1, ψ 2 LTL formulae in NNF and Q the set of all subformulae of ϕ. We then define the transition function δ4 a : Q Σ B+ (B 4 Q) of the monitor AMM M ϕ = (Σ, Q, ϕ, B 4, δ4 a ) inductively as follows: δ a 4(ψ 1 U ψ 2, a) = δ a 4(ψ 2 (ψ 1 X(ψ 1 U ψ 2 )), a) δ a 4(ψ 1 R ψ 2, a) = δ a 4(ψ 2 (ψ 1 X(ψ 1 R ψ 2 )), a) δ a 4(F ψ 1, a) = δ a 4(ψ 1 (X(F ψ 1 )), a) δ a 4(G ψ 1, a) = δ a 4(ψ 1 (X(G ψ 1 )), a) Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-59

Example Graph of the monitor M ϕ of the formula ϕ = G(p X G q):, {q}/ p {p}, {p, q}/ p G( p X G q) Truth Domains Motivation false, {p}/ G q {q}, {p, q}/ p Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-60

Generating Deterministic Monitors In practical implementations one may omit the AMM and generate the MM directly out of the LTL formula. Define a function smplfy : LTL LTL that transforms LTL formulae into a unique normal form. Use all simplified positive Boolean combinations of subformulae of ϕ as states for M ϕ. Define δ 4 : Q Σ B 4 Q inductively as follows: δ 4 (ψ 1 ψ 2, a) = (v ψ1 v ψ2, smplfy(ψ 1 ψ 2)), where (v ψ1, ψ 1) = δ 4 (ψ 1, a) and (v ψ2, ψ 2) = δ 4 (ψ 2, a) δ 4 (ψ 1 ψ 2, a) = (v ψ1 v ψ2, smplfy(ψ 1 ψ 2)), where (v ψ1, ψ 1) = δ 4 (ψ 1, a) and (v ψ2, ψ 2) = δ 4 (ψ 2, a) δ 4 (ψ 1, a) = δ a 4(ψ 1, a) for any other formula ψ 1. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-61

Automata-theoretic Approach Further Topics Alternating vs. non-deterministic vs. deterministic machines. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-62

Automata-theoretic Approach Further Topics Alternating vs. non-deterministic vs. deterministic machines. Complexity of the translations. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-62

Automata-theoretic Approach Further Topics Alternating vs. non-deterministic vs. deterministic machines. Complexity of the translations. Size vs. power. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-62

Automata-theoretic Approach Further Topics Alternating vs. non-deterministic vs. deterministic machines. Complexity of the translations. Size vs. power. State sequence for an input word. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-62

1. Every two-valued logic is not impartial. Impartiality implies multiple values. 2. We use the distributive De Morgan lattice B 4 = {, p, p, } in the impartial FLTL 4 semantics. 3. At the end of the word X evaluates to p and X evaluates to p. 4. evlfltl 4 performs formula rewriting (progression) for an LTL formula and one letter. 5. evlfltl 4 can be used to describe the transition function of an alternating mealy machine using the subformulae as states. 6. Such an alternating mealy machine can be translated into a deterministic mealy machine using the fact that equivalent positive combinations of states leads to the same next states and output. Truth Domains Motivation Four-Valued LTL Semantics: FLTL 4 Monitor Function Mealy Machines Determinstic Mealy Machines Alternating Mealy Machines Automata Based RV 4-63

Chapter 5 Anticipatory LTL Semantics Course INF5140 / V17

Chapter 5 Learning Targets of Chapter Anticipatory LTL Semantics. 1. Understand that LTL semantics can be defined over infinite words as well. 2. Understand the difference of LTL over finite and infinite words. 3. Recall anticipation and understand why impartiality is not enough to build good monitors. 4. Get used to the three-valued sematics for LTL. 5. Understand the concept of safety and co-safety properties and get an idea of monitorable properties.

Chapter 5 Outline of Chapter Anticipatory LTL Semantics. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability

Section LTL on Infinite Words Semantics Equivalences and Examples Chapter 5 Anticipatory LTL Semantics Course INF5140 / V17

Need of LTL on Infinite Words in RV? Impartiality Say or only if you are sure. Anticipation Say or once you can be sure. We want do define impartial LTL semantics: Say if every infinite continuation evaluates to. Say if every infinite continuation evaluates to. Otherwise say?. We Need LTL on Infinite Words Impartial LTL semantics will be based on infinite continuations. Properties of infinite continuations cannot be expressed using LTL on finite words. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-5

Infinite Words An infinite word w is an infinite sequence over the alphabet Σ = 2 AP. w can be interpreted as function w : N\{0} Σ. w can be interpreted as concatenation of many finite and one infinite words. Examples (Infinite Words) Consider the alphabet Σ = 2 AP with AP = {p, q}. {p} ω denotes the infinite word where every letter is {p} and can be interpreted as w(i) = {p} for all i 1. ({q}{p}) ω can be interpreted as if i = 1 w(i) = {q} if i 0 mod 2 {p} else LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-6

Finally and Globally Examples Examples (Finally and Globally) Consider infinite words over the alphabet Σ = 2 AP with AP = {p, q}. {p} {q} ω = F q. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-7

Finally and Globally Examples Examples (Finally and Globally) Consider infinite words over the alphabet Σ = 2 AP with AP = {p, q}. {p} {q} ω = F q. {q}{q}({p, q}{q}) ω = G q. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-7

Finally and Globally Examples Examples (Finally and Globally) Consider infinite words over the alphabet Σ = 2 AP with AP = {p, q}. {p} {q} ω = F q. {q}{q}({p, q}{q}) ω = G q. ( {p}{p, q} ) ω = G F q. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-7

Finally and Globally Examples Examples (Finally and Globally) Consider infinite words over the alphabet Σ = 2 AP with AP = {p, q}. {p} {q} ω = F q. {q}{q}({p, q}{q}) ω = G q. ( {p}{p, q} ) ω = G F q. {p} {q}{p}({p, q}{q}) ω = F G q. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-7

Parts of Infinite Words In the formal definition of LTL semantics we denote parts of a word as follows: Let w = a 1 a 2 a 3... Σ ω be an infinite word over the alphabet Σ = 2 AP and let i N with i 1 be a position in this word. Then w i = a i is the i-th letter of the word, w (i) = a 1 a 2... a i is the prefix of w of length i and w i is the subword of w s. t. w = w (i 1) w i. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-8

LTL Semantics on Infinite Words (LTL Semantics on Infinite Words) Let ϕ, ψ be LTL formulae and let w Σ ω be an infinite word. Then the semantics of ϕ with respect to w is inductively defined as follows: w = true w = p iff p w 1 w = p iff p w 1 w = ϕ iff w = ϕ w = ϕ ψ w = ϕ ψ iff w = ϕ or w = ψ iff w = ϕ and w = ψ LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-9

LTL Semantics on Infinite Words (LTL Semantics on Infinite Words) Let ϕ, ψ be LTL formulae and let w Σ ω be an infinite word. Then the semantics of ϕ with respect to w is inductively defined as follows: w = X ϕ w = X ϕ iff w 2 = ϕ iff w 2 = ϕ LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-9

LTL Semantics on Infinite Words (LTL Semantics on Infinite Words) Let ϕ, ψ be LTL formulae and let w Σ ω be an infinite word. Then the semantics of ϕ with respect to w is inductively defined as follows: w = ϕ U ψ w = ϕ R ψ iff i 1 : (w i = ψ and k, 1 k < i : w k = ϕ) iff i 1 : (w i = ϕ and k, 1 k i : w k = ψ) or i 1 : w i = ψ LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-9

LTL Semantics on Infinite Words (LTL Semantics on Infinite Words) Let ϕ, ψ be LTL formulae and let w Σ ω be an infinite word. Then the semantics of ϕ with respect to w is inductively defined as follows: w = F ϕ w = G ϕ iff i 1 : w i = ϕ iff i 1 : w i = ϕ LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-9

Semantic Function for LTL on Infinite Words We defined the LTL semantics on infinite words as relation w = ϕ between a word w Σ ω and a LTL formula ϕ. This can be interpreted as semantic function sem ω : Σ ω LTL B 2, { if w = ϕ sem ω (w, ϕ) = w = ϕ ω := else. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-10

Languages Defined by LTL Formulae The set of models of an LTL formula ϕ defines a language L(ϕ) Σ ω of infinite words over Σ = 2 AP as follows: L(ϕ) = {w Σ ω w = ϕ ω = }. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-11

Equivalences Weak Next Let w Σ ω be an infinite word. w has no last character. For every position i 1 the word w i Σ ω is infinite. X and X have the same semantics. The De Morgan rules, equivalences for G and F and the fixed point equations for U and R are still valid. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-12

Finite and Infinite Semantics Examples (Globally and Finally) We know {p}({p}{q}) ω = F q ω = from {p}{p}{q} = F q 4 =. We know {p}({p}{q}) ω = G p ω = from {p}{p}{q} = G p 4 =. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-13

Finite and Infinite Semantics Examples (Until) We know {p}({p}{q}) ω = p U q ω = from {p}{p}{q} = p U q 4 =. We know {p} {q} ω = p U q ω = from {p} = p U q 4 =. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-13

Section Anticipatory LTL Semantics: LTL 3 Anticipation Examples Chapter 5 Anticipatory LTL Semantics Course INF5140 / V17

Anticipation Be Anticipatory go for a final verdict ( or ) once you really know do not delay the decision (Anticipation) Anticipation requires that once every (possibly infinite) continuation of a finite trace leads to the same verdict, then the finite trace evaluates to this very same verdict. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-15

FLTL 4 is Not Anticipatory Example (Next Operator) We have {p} = X X false 4 = p {p}{p} = X X false 4 = {p} = X false 4 = p {p}{p}{p} = X X false 4 = {p}{p} = X false 4 = {p} = false 4 =, but it would be anticipatory to have {p} = X X false 3 =. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-16

FLTL 4 is Not Anticipatory Example (Globally and Finally Operator) We have w = G true 4 = w = false R true 4 = p and w = F false 4 = w = true U false 4 = p but it would be anticipatory to have w = G true 3 = and w = F false 3 =. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-16

Impartial Anticipation Define LTL semantics for finite, non-terminated words. The set of all infinite continuations of a finite word contains only infinite words. Define semantics for finite words based on semantics of these infinite continuations. If the semantic function yields the same verdict for all infinite continuations use that verdict. Combine p and p to a common? for the other cases. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-17

Anticipatory Three-Valued LTL Semantics (LTL 3 Semantics) Let ϕ be an LTL formula and let u Σ be a finite word. Then the semantics of ϕ with respect to u is defined as follows: if w Σ ω : uw = ϕ ω = u = ϕ 3 = if w Σ ω : uw = ϕ ω =? else. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-18

Example Consider ϕ = G(p F false) and {q}{p} Σ for Σ = 2 AP and AP = {p, q}. We then have = ϕ 3 =? {q} = ϕ 3 =? {q}{p} = ϕ 3 = {q}{p} = ϕ 3 = LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-19

Example Consider ϕ = G(p F false) and {q}{p} Σ for Σ = 2 AP and AP = {p, q}. We then have = ϕ 3 =? {q} = ϕ 3 =? {q}{p} = ϕ 3 = {q}{p} = ϕ 3 = {q}{p}u = ϕ 3 = for all u Σ LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-19

Possible Verdicts of LTL Formulae Consider a word w Σ for Σ = 2 AP and propositions p, q AP. We then have w = p U q 3 {,?, } w = p R q 3 {,?, } LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-20

Possible Verdicts of LTL Formulae Consider a word w Σ for Σ = 2 AP and propositions p, q AP. We then have w = p U q 3 {,?, } w = p R q 3 {,?, } w = F p 3 {,?} w = G p 3 {?, } LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-20

Possible Verdicts of LTL Formulae Consider a word w Σ for Σ = 2 AP and propositions p, q AP. We then have w = p U q 3 {,?, } w = p R q 3 {,?, } w = F p 3 {,?} w = G p 3 {?, } w = G F p 3 =? w = F G p 3 =? LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-20

Section Monitorable Properties (Co-)Safety Examples Monitorability Chapter 5 Anticipatory LTL Semantics Course INF5140 / V17

Monitorability When Does Anticipation Help? LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-22

The Good, The Bad and The Ugly (Good, Bad and Ugly Prefixes) Given a language L Σ ω of infinite words over Σ we call a finite word u Σ a good prefix for L if w Σ ω : uw L, a bad prefix for L if w Σ ω : uw L and an ugly prefix for L if v Σ : uv is neither a good prefix nor a bad prefix. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-23

Examples for Good, Bad and Ugly Examples (The Good, The Bad and The Ugly) {p}{q} is a good prefix for L(F q). {p}{q}{p} is a good prefix for L(F q). {p}{q} is a bad prefix for L(G p). every w Σ is an ugly prefix for L(G F p). {p} is an ugly prefix for L(p G F p). LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-24

LTL 3 indentifies good/bad prefixes Given an LTL formula ϕ and a finite word u Σ, then if u is a good prefix for L(ϕ) u = ϕ 3 = if u is a bad prefix for L(ϕ)? otherwise LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-25

The Idea of Saftey and Co-Safety Safety Properties assert that nothing bad happens. Such a property is violated iff something bad happens after finitely many steps. ( A bad prefix exists.) Co-Safety Properties assert that something good happens. Such a property is fulfilled iff something good happens after finitely many steps. ( A good prefix exists.) LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-26

(Co-)Safety Languages and Properties ((Co-)Safety Languages) A language L Σ ω is called a safety language if for all w L there is a prefix u Σ of w which is a bad prefix for L. a co-safety language if for all w L there is a prefix u Σ of w which is a good prefix for L. ((Co-)Safety Properties) An LTL formula ϕ is called a safety property if its set of models L(ϕ) is a safety language. a co-safety property if its set of models L(ϕ) is a co-safety language. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-27

Examples Consider propositions p, q AP. Formula Safety Co-Safety G p F p X p G F p F G p X p G F p p U q p R q LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-28

Details on The Examples p U q is not a safety property, because {p} ω = p U q, but there is no bad prefix. p U q is a co-safety property, because every infinite word w Σ ω with w = p U q must contain the releasing q in a finite prefix. p R q is not a co-safety property, because {q} ω = p R q, but there is no good prefix. p R q is a safety property, because every infinite word w Σ ω with w = p R q must contain the violating absence of q in a finite prefix. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-29

Monitorability (Monitorable Languages) A language L Σ ω is called monitorable iff L has no ugly prefix. (Monitorable Properties) An LTL formula ϕ is called monitorable iff its set of models L(ϕ) is monitorable. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-30

Monitorable Properties Safety Properties LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-31

Monitorable Properties Safety Properties Co-Safety Properties LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-31

Monitorable Properties Safety Properties Co-Safety Properties Remark Safety and Co-Safety Properties are monitorable. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-31

Safety- and Co-Safety-Properties Theorem The class of monitorable properties comprises safety- and co-safety properties, but is strictly larger than their union. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-32

Safety- and Co-Safety-Properties Proof. Consider AP = {p, q, r} and ϕ = ((p q) U r) G p. {p} ω = ϕ without good prefix, therefore ϕ is not a co-safety property. {q} ω = ϕ without bad prefix, therefore ϕ is not a safety property. Every finite word u Σ that is not a bad prefix can become a good prefix by appending {r}. Every finite word u Σ that is not a good prefix can become a bad prefix by appending. No ugly prefix exists as every prefix is either good, bad or can become good or bad by appending {r} or. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-32

Safety- and Co-Safety-Properties Proof by Another Counterexample. Consider AP = {p, q} and ϕ = F p G q. {q} ω = ϕ without good prefix, therefore ϕ is not a co-safety property. ω = ϕ without bad prefix, therefore ϕ is not a safety property. Every finite word u Σ that is not a bad prefix can become a good prefix by appending {p}. No ugly prefix exists as every prefix is either bad or can become good by appending {p}. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-32

1. In the semantics for LTL on infinite words there is no difference between X and X. 2. The semantics LTL 3 for finite, non-terminated words is defined based on the LTL semantics for infinite words on the lattice B 3 = {,?, }. 3. FLTL 4 is not anticipatory, LTL 3 is. 4. w = ϕ 3 is for all good prefixes of L(ϕ), for all bad prefixes of L(ϕ) and? for all ugly prefixes of L(ϕ). 5. The class of monitorable properties comprises safetyand co-safety properties, but is strictly larger than their union. LTL on Infinite Words Semantics Equivalences and Examples Anticipatory LTL Semantics: LTL 3 Anticipation Examples Monitorable Properties (Co-)Safety Examples Monitorability 5-33

Chapter 6 Alternating Büchi Automata Course INF5140 / V17

Chapter 6 Learning Targets of Chapter Alternating Büchi Automata. 1. Recall the definition of DFA and NFA. 2. Understand the acceptance condition of Büchi automata (BA) on infinite words. 3. Learn about alternating Büchi automata (ABA). 4. Know how ABA can be translated into BA.

Chapter 6 Outline of Chapter Alternating Büchi Automata. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA

Section Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Chapter 6 Alternating Büchi Automata Course INF5140 / V17

Recall Finite Automata Finite Automata consist of finitely many states and transitions. read a word over an alphabet letter by letter. change current state depending on the current letter. accept or reject a word depending after reading it. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-5

Deterministic Finite Automata, {p} q 0 q 1, {p} {q}, {p, q} {q}, {p, q} q 2 {q}, {p, q}, {p} Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-6

Deterministic Finite Automata, {p} q 0 q 1, {p} {q}, {p, q} {q}, {p, q} q 2 {q}, {p, q}, {p} Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Word Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-6

Deterministic Finite Automata, {p} q 0 q 1, {p} {q}, {p, q} {q}, {p, q} q 2 {q}, {p, q}, {p} Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Word {q} Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-6

Deterministic Finite Automata, {p} q 0 q 1, {p} {q}, {p, q} {q}, {p, q} Word {q}{p} q 2 {q}, {p, q}, {p} Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-6

Deterministic Finite Automata, {p} q 0 q 1, {p} {q}, {p, q} {q}, {p, q} Word {q}{p}{q} q 2 {q}, {p, q}, {p} Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-6

Deterministic Finite Automata, {p} q 0 q 1, {p} {q}, {p, q} {q}, {p, q} Word {q}{p}{q}{p, q} q 2 {q}, {p, q}, {p} Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-6

Deterministic Finite Automata (DFA) (Deterministic Finite Automata (DFA)) A deterministic finite automata (DFA) is a tuple A = (Σ, Q, q 0, δ, F ) such that Σ is the input alphabet, Q is a finite non-empty set of states, q 0 Q is the initial state, δ : Q Σ Q is the transition function and F Q is the set of accepting states. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-7

Run of a DFA (Run of a DFA) A Run of a DFA A = (Σ, Q, q 0, δ, F ) on a finite word w Σ is a function ρ : {0,..., w } Q such that ρ(0) = q 0 and i {1,..., w } : ρ(i) = δ(ρ(i 1), w i ). A run is called accepting iff ρ( w ) F. A accepts w if the run ρ of A on w is accepting. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-8

Non-determinstic Finite Automata, {p}, {q}, {p, q}, {p}, {q}, {p, q} q 0 q 2 {p}, {p, q} {p}, {p, q} q 1 Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-9

Non-determinstic Finite Automata, {p}, {q}, {p, q}, {p}, {q}, {p, q} q 0 q 2 {p}, {p, q} {p}, {p, q} q 1 Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Word Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-9

Non-determinstic Finite Automata, {p}, {q}, {p, q}, {p}, {q}, {p, q} q 0 q 2 {p}, {p, q} {p}, {p, q} q 1 Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Word {p} Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-9

Non-determinstic Finite Automata, {p}, {q}, {p, q}, {p}, {q}, {p, q} q 0 q 2 {p}, {p, q} {p}, {p, q} q 1 Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Word {p}{q} Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-9

Non-determinstic Finite Automata, {p}, {q}, {p, q}, {p}, {q}, {p, q} q 0 q 2 {p}, {p, q} {p}, {p, q} q 1 Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Word {p}{q}{p} Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-9

Non-determinstic Finite Automata, {p}, {q}, {p, q}, {p}, {q}, {p, q} q 0 q 2 {p}, {p, q} {p}, {p, q} q 1 Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Word {p}{q}{p}{p, q} Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-9

Non-deterministic Finite Automata (NFA) (Non-deterministic Finite Automata (NFA)) A non-deterministic finite automata (NFA) is a tuple A = (Σ, Q, Q 0,, F ) such that Σ is the input alphabet, Q is a finite non-empty set of states, Q 0 Q is the set of initial states, Q Σ Q is the transition relation and F Q is the set of accepting states. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-10

Run of an NFA (Run of an NFA) A Run of an NFA A = (Σ, Q, Q 0,, F ) on a finite word w Σ is a function ρ : {0,..., w } Q such that ρ(0) Q 0 and i {1,..., w } : (ρ(i 1), w i, ρ(i)). A run is called accepting iff ρ( w ) F. A accepts w if there is an accepting run ρ of A on w. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-11

Language of Automata (Language of Automata) The language L(A) Σ of an automaton A with the alphabet Σ is defined as follows: L(A) = {w Σ A accepts w}. We say that A accepts a language L iff L(A) = L. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-12

Power of Finite Automata Every NFA can be translated into an equivalent DFA using the power set construction. DFAs can accept all regular languages. (Proof: Construct a DFA from a regular grammar using its nonterminals as states.) For every regular language one can construct a DFA. (Proof: See regular expressions.) Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-13

Section Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Chapter 6 Alternating Büchi Automata Course INF5140 / V17

ω-regular Languages (ω-regular Languages) A language L Σ ω over an alphabet Σ is called ω-regular iff there are regular languages U i, V i Σ for i {1,..., m} such that L = m i=1 U i V ω i. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-15

ω-regular Languages (ω-regular Languages) A language L Σ ω over an alphabet Σ is called ω-regular iff there are regular languages U i, V i Σ for i {1,..., m} such that L = m i=1 Example (ω-regular Languages) U i V ω i. Consider an alphabet Σ = 2 AP for AP = {p, q}. L(G p) = {{p}, {p, q}} ω L(F p) = Σ {{p}, {p, q}} Σ ω Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-15

Finite Automata on Infinite Words Finite automata can be used on infinite words as well. of run ρ can be reused. Problem: There is no last state ρ( w ). Solution: New acceptance condition. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-16

Acceptance Condition of Büchi Automata Büchi automata can accept all ω-regular languages. An accepting run of a Büchi automaton visits at least one accepting state infinitely often. Automata on Finite Words ω-regular Languages union concatenation regular language U i regular language V ω i Büchi Automata non-determinism simple transition like an NFA new acceptance condition Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-17

Non-deterministic Büchi Automata, {p}, {q}, {p, q} {p}, {p, q} q 0 q 1 {p}, {p, q}, {p}, {q}, {p, q} q 2 Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-18

Non-deterministic Büchi Automata, {p}, {q}, {p, q} {p}, {p, q} q 0 q 1 {p}, {p, q}, {p}, {q}, {p, q} Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Word q 2 Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-18

Non-deterministic Büchi Automata, {p}, {q}, {p, q} {p}, {p, q} q 0 q 1 {p}, {p, q}, {p}, {q}, {p, q} Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Word {p} q 2 Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-18

Non-deterministic Büchi Automata, {p}, {q}, {p, q} {p}, {p, q} q 0 q 1 {p}, {p, q}, {p}, {q}, {p, q} Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Word {p}{p, q} q 2 Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-18

Non-deterministic Büchi Automata, {p}, {q}, {p, q} {p}, {p, q} q 0 q 1 {p}, {p, q}, {p}, {q}, {p, q} Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Word {p}{p, q} {q} q 2 Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-18

Non-deterministic Büchi Automata, {p}, {q}, {p, q} {p}, {p, q} q 0 q 1 {p}, {p, q}, {p}, {q}, {p, q} q 2 Word {p}{p, q} {q}{p} Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-18

Non-deterministic Büchi Automata, {p}, {q}, {p, q} {p}, {p, q} q 0 q 1 {p}, {p, q}, {p}, {q}, {p, q} q 2 Word {p}{p, q}({q}{p}) ω Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-18

Non-deterministic Büchi Automata (BA) (Non-deterministic Büchi Automata (BA)) A (non-deterministic) Büchi automaton is a tuple A = (Σ, Q, Q 0,, F ) such that Σ is the input alphabet, Q is the finite non-empty set of states, Q 0 Q is the set of initial states, Q Σ Q is the transition relation and F Q is the set of accepting states. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-19

Run of a BA (Run of a BA) A run of a BA A = (Σ, Q, Q 0,, F ) on an infinite word w Σ ω is a function ρ : N Q such that ρ(0) Q 0 and i N\{0} : (ρ(i 1), w i, ρ(i)). Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-20

Accepting Runs of a BA (Accepting Runs of a BA) A run ρ of a BA A = (Σ, Q, Q 0,, F ) is called accepting iff Inf(ρ) F, where Inf(ρ) denotes the set of states visited infinitely often given by { } Inf(ρ) = q Q {k N ρ(k) = q} =. A accepts w if there is an accepting run ρ of A on w. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-21

Accepting Runs of a BA (Accepting Runs of a BA) A run ρ of a BA A = (Σ, Q, Q 0,, F ) is called accepting iff Inf(ρ) F, where Inf(ρ) denotes the set of states visited infinitely often given by { } Inf(ρ) = q Q {k N ρ(k) = q} =. A accepts w if there is an accepting run ρ of A on w. Again the language L(A) Σ ω of an automata A with the alphabet Σ is defined as follows: L(A) = {w Σ ω A accepts w}. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-21

Deterministic Büchi Automata (Deterministic Büchi Automata) A BA A = (Σ, Q, Q 0,, F ) is called determistic iff for every q Q and a Σ there is exactly one q Q such that (q, a, q ). The successor state is determined by the current state and the action. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-22

Deterministic Büchi Automata (Deterministic Büchi Automata) A BA A = (Σ, Q, Q 0,, F ) is called determistic iff for every q Q and a Σ there is exactly one q Q such that (q, a, q ). The successor state is determined by the current state and the action. Non-deterministic BA are strictly more expressive than deterministic BA. The language {p, q} {q} ω cannot be accepted by a deterministic BA. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-22

BA for {p, q} {q} ω p, q q q 0 q 1 Impossible to handle with determistic transition function. There are infinitely many possible finite prefixes in {p, q}. You don t know when to stop scanning the finite prefix and start scanning the infinite loop. q Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-23

Section Alternating Büchi Automata (ABA) The Idea Translating ABA into BA Chapter 6 Alternating Büchi Automata Course INF5140 / V17

Alternating Automata Extend non-deterministic automata by universal choices. Non-deterministic transition relations denote a set of possible next states. Alternating transition functions denote a positive Boolean combination of next states. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-25

Alternating Büchi Automaton, {p}, {q}, {p, q}, {q} q 0 q 1 Automata on Finite Words {p}, {p, q} true Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-26

Alternating Büchi Automaton, {p}, {q}, {p, q}, {q} q 0 q 1 Automata on Finite Words {p}, {p, q} true Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Word Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-26

Alternating Büchi Automaton, {p}, {q}, {p, q}, {q} q 0 q 1 Automata on Finite Words {p}, {p, q} true Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Word {p} Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-26

Alternating Büchi Automaton, {p}, {q}, {p, q}, {q} q 0 q 1 Automata on Finite Words {p}, {p, q} true Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Word {p}{q} Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-26

Alternating Büchi Automaton, {p}, {q}, {p, q}, {q} q 0 q 1 Automata on Finite Words {p}, {p, q} true Word {p}{q}{p, q} Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-26

Alternating Büchi Automaton, {p}, {q}, {p, q}, {q} q 0 q 1 Automata on Finite Words {p}, {p, q} true Word {p}{q}{p, q}{p} Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-26

Alternating Büchi Automaton, {p}, {q}, {p, q}, {q} q 0 q 1 Automata on Finite Words {p}, {p, q} true Word {p}{q}{p, q}{p} ω Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-26

Recall: Positive Boolean Combination The set B + (Q) of all positive boolean combinations (PBC) over Q contains true, false and all elements of Q and all conjunctions and disjunctions of its elements. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) A subset S Q is a model of α B + (Q), denoted by S = α, iff α evaluates to true in propositional logic interpreting all p S as true and all p Q\S as false. Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-27

Alternating Büchi Automata (ABA) (Alternating Büchi Automata (ABA)) A alternating Büchi automaton is a tuple A = (Σ, Q, Q 0, δ, F ) such that Σ is the input alphabet, Q is the finite non-empty set of states, Q 0 B + (Q) is the PBC of initial states, δ : Q Σ B + (Q) is the transition function and F Q is the set of accepting states. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-28

Minimal Models of a PBC (Minimal Models of a PBC) A model S = α of a PBC α B + (Q) is called minimal, denoted by S α, if none of its proper subsets S S is a model S = α. Examples Consider α = (q 1 q 2 ) (q 1 q 3 ) B + ({q 0, q 1, q 2, q 3 }) {q 1, q 2 } α {q 1, q 3 } α {q 1, q 2, q 3 } = α but {q 1, q 2, q 3 } α Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-29

Minimal Models of a PBC (Minimal Models of a PBC) A model S = α of a PBC α B + (Q) is called minimal, denoted by S α, if none of its proper subsets S S is a model S = α. Examples true S Q : S S true S Q : S = false Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-29

Run of an ABA (Run of an ABA) A run of an ABA A = (Σ, Q, Q 0, δ, F ) on an infinite word w Σ ω is a Q-labeled directed acyclic graph (V, E) such that there exist labelings l : V Q and h : V N which satisfy the following properties: {l(v) v h 1 (0)} Q 0. E i N (h 1 (i) h 1 (i + 1)). v V : h(v ) 1 {v V (v, v ) E}. v, v V : v v l(v) = l(v ) h(v) h(v ). v V : {l(v ) (v, v ) E} δ(l(v), w h(v)+1 ). Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-30

Run of an ABA, {p}, {q}, {p, q}, {q} q 0 q 1 Automata on Finite Words {p}, {p, q} true Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-31

Run of an ABA, {p}, {q}, {p, q}, {q} q 0 q 0 q 1 Automata on Finite Words {p}, {p, q} true Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Word Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-31

Run of an ABA, {p}, {q}, {p, q}, {q} q 0 {p} q 1 q 0 q 0 q 1 Automata on Finite Words {p}, {p, q} true Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Word {p} Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-31

Run of an ABA, {p}, {q}, {p, q}, {q} q 0 {p} q 1 q 0 q 0 q 1 {q} Automata on Finite Words Deterministic Finite {p}, {p, q} true q 1 q 0 Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Word {p}{q} Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-31

Run of an ABA, {p}, {q}, {p, q}, {q} q 0 {p} q 1 q 0 q 0 q 1 {p}, {p, q} true Word {p}{q}{p, q} {q} q 1 q 0 {p, q} q 1 q 0 Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-31

Run of an ABA, {p}, {q}, {p, q}, {q} q 0 {p} q 1 q 0 q 0 q 1 {q} Automata on Finite Words Deterministic Finite {p}, {p, q} true q 1 q 0 {p, q} Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Word {p}{q}{p, q}{p} ω q 1 q 0 {p} ω Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-31

Run of an ABA, {p}, {q}, {p, q}, {q} 0 q 0 {p} 1 q 1 q 0 q 0 q 1 {q} Automata on Finite Words Deterministic Finite {p}, {p, q} true 2 q 1 q 0 {p, q} Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Word {p}{q}{p, q}{p} ω 3 q 1 q 0 {p} ω Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-31

Accepting Run of an ABA A run of a BA is accepting, if infinitely many accepting states are visited. Think of the run of an ABA as runs of several copies of BAs at the same time. Every copy has to visit infinitely many accepting states. Automata on Finite Words Deterministic Finite Automata (DFA) (Accepting Run of an ABA) A run (V, E) on w Σ ω is accepting if every maximal infinite path, with respect to the labeling l, visits at least one accepting state infinitely often. Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Note that every maximal finite path ends in a node v V with δ(l(v), w h(v)+1 ) = true. Translating ABA into BA 6-32

Translating ABA into BA Theorem For every alternating Büchi automaton A, there is a Büchi automaton A with L(A) = L(A ). The size of A is exponential in the size of A. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-33

The Idea Transition function of ABA points to PBCs. Use minimal models X Q of these PBCs as states of the BA. 0 1 2 q 0 q 1 q 2 q 3 q 4 Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Problem: What are the new accepting states? 3 q 1 q 2 Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Accepting only if every state of X is accepting is not enough. 4 q 3 q 4 Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-34

The Idea: The new accepting states Idea: Keep track of the paths on which we already visited an accepting state. Split states into two components. Shift successor states of the current states into the second component if they are accepting. An empty first component indicates that accepting states have been seen on all paths. Such states are accepting and all not accpeting successors are shifted back to the first component. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-35

The Idea: The New Accepting States 0 q 0 ({q 0 }, ) 1 q 1 q 2 ({q 1 }, {q 2 }) Automata on Finite Words 2 q 3 q 4 (, {q 3, q 4 }) Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) 3 q 1 q 2 ({q 1 }, {q 2 }) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? 4 q 3 q 4 (, {q 3, q 4 }) Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-36

Translating ABA into BA Proof. Let A = (Σ, Q, Q 0, δ, F ) be an ABA. We then define the BA A = (Σ, Q, Q 0,, F ) such that L(A) = L(A ), where Q = 2 Q 2 Q, Q Σ Q as defined next, Q 0 = {(X, ) X Q, X Q 0} and F = 2 Q. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-37

Translating ABA into BA Proof. A pair (U, V ) Q, an action a Σ and a pair (U, V ) Q are element of the transition relation iff case U : there are X, Y Q satisfying X δ(q, a) and Y δ(q, a) q U q V and U = X\F and V = (X F ) (Y \U ). case U = : there is Y Q satisfying Y δ(q, a) q V and U = Y \F and V = Y F. Note that we identify an empty conjunction with true, so that e. g. ((, ), a, (, )). Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-37

Translating ABA into BA Proof. By Q = 2 Q 2 Q we get Q = 2 Q 2 Q = 2 2 Q, but since the components U and V of a state (U, V ) have an empty intersection U V = we get an upper bound for the number of needed states of Q ( ) ( Q k ( )) k k l k=0 l=0 Q ( ) Q = 2 k k k=0 = 3 Q = 2 Q log 2 3 Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-37

Example: ABA, {p}, {q}, {p, q}, {q} Automata on Finite Words q 0 q 1 Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) {p}, {p, q} true Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-38

Example: Matching BA ({q 0 }, ), {p}, {q}, {p, q} ({q 1 }, {q 0 }), {q}, {p}, {q}, {p, q} {p}, {p, q} (, {q 0, q 1 }) Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-39

1. DFA and NFA are finite automata on finite words and accept a word depending on the last state of a run on it. 2. Büchi automata (BA) are finite automata on infintite words and accept a word depending on the set of states visited infinitely often in a run on it. 3. Non-deterministic BA can accept all ω-regular languages, deterministic BA cannot. 4. Alternating Büchi Automata (ABA) use transition functions mapping to positive Boolean combinations (PBCs) of states. 5. Every ABA can be translated into an BA accepting the same language using minimal models of the PBCs as states and keeping track of the paths on which accepting states were already visited. Automata on Finite Words Deterministic Finite Automata (DFA) Non-determinstic Finite Automata (NFA) Büchi Automata (BA) Non-deterministic Büchi Automata (BA) Deterministic Büchi Automata? Alternating Büchi Automata (ABA) The Idea Translating ABA into BA 6-40

Chapter 7 Monitor Construction for Anticipatory Course INF5140 / V17

Chapter 7 Learning Targets of Chapter Monitor Construction for Anticipatory. 1. Understand the translation from LTL to alternating Büchi automata. 2. Understand the monitor construction for LTL 3. 3. Know the single steps of this construction, especially how a satisfiability check is implemented in the emptiness per state function. 4. Learn about its complexity and its relation to monitorable properties.

Chapter 7 Outline of Chapter Monitor Construction for Anticipatory. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties

Section The Idea Impartial Anticipation The Construction Chapter 7 Monitor Construction for Anticipatory Course INF5140 / V17

Impartial Anticipation Impartiality Go for a final verdict ( or ) only if you really know. Be a rational being: Stick to your word. Every two-valued logic is not impartial. We therefore use B 3 = {,?, }. Anticipation Go for a final verdict ( or ) once you really know. Don t be a cunctator: Don t delay the decision. Implementing anticipation is dificult you need to identify all shortest bad resp. good prefixes. Consider for example X X X false or F false. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-5

The Semantics Let ϕ be an LTL formula and let u Σ be a finite word. Then the semantics of ϕ with respect to u is given as follows: if w Σ ω : uw = ϕ ω = u = ϕ 3 = if w Σ ω : uw = ϕ ω =? else. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-6

Target Construct a Moore machine M ϕ for an LTL formula ϕ that reads a word letter by letter outputs in every state the value of w = ϕ 3 where w is the word read so far. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-7

First Idea Remember the evlfltl 4 function: It reads a word letter by letter and outputs the subformula that has to be satisfied next for every letter it gets. First idea: Perform a satisfiability check on the returned formula of such a function. Return? if the formula is satisfiable. Return if the formula is a tautology. Return if the formula is a contradiction. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-8

Satisfiability Checking for LTL Satisfiability checking for LTL is a difficult task. The problem of deciding if there exists a word w Σ ω for an LTL formula ϕ such that w = ϕ is pspace-complete. We will use a translation of LTL formulae to Büchi automata to perform this task. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-9

Monitor construction Construct a BA of the LTL formula and identify: For example consider AP = {p, q} and Σ = 2 AP : {p}, {p, q} q 0 q 1, {q} {p}, {p, q}, {q} q 2 {p}, {p, q} q 3 q 4, {q}, {p}, {q}, {p, q} The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-10

Monitor construction Construct a BA of the LTL formula and identify: good states BA will accept on every continuation. For example consider AP = {p, q} and Σ = 2 AP : {p}, {p, q} q 0 q 1, {q} {p}, {p, q}, {q} q 2 {p}, {p, q} q 3 q 4, {q}, {p}, {q}, {p, q} The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-10

Monitor construction Construct a BA of the LTL formula and identify: good states BA will accept on every continuation. bad states BA will reject on every continuation. For example consider AP = {p, q} and Σ = 2 AP : {p}, {p, q} q 0 q 1, {q} {p}, {p, q}, {q} q 2 {p}, {p, q} q 3 q 4, {q}, {p}, {q}, {p, q} The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-10

Monitor construction Construct a BA of the LTL formula and identify: good states BA will accept on every continuation. bad states BA will reject on every continuation. other states? We don t know (yet). For example consider AP = {p, q} and Σ = 2 AP :? {p}, {p, q} q 0 q 1, {q} {p}, {p, q}, {q} q 2 {p}, {p, q} q 3 q 4, {q}, {p}, {q}, {p, q} The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-10

Analysis of the Construction It s an LTL 3 Monitor! One can construct an ABA from LTL. We can translate an ABA into a BA. The monitor performs the desired satisfiability check. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-11

Analysis of the Construction It s an LTL 3 Monitor! One can construct an ABA from LTL. We can translate an ABA into a BA. The monitor performs the desired satisfiability check. How to detect regions? The bad regions ( ) are subautomata S without accepting states and without edges leaving S. They can be identified using linear-time nested depth-first search algorithms. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-11

Analysis of the Construction It s an LTL 3 Monitor! One can construct an ABA from LTL. We can translate an ABA into a BA. The monitor performs the desired satisfiability check. How to detect regions? The bad regions ( ) are subautomata S without accepting states and without edges leaving S. They can be identified using linear-time nested depth-first search algorithms. The good regions ( ) are universal subautomata accepting every possible word. Universality check for BA is pspace-complete. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-11

Identifying The Good States {p}, {p, q} {p}, {p, q} q 0 q 1 q 2, {q}, {q} {p}, {p, q} q 3 q 4, {q}, {p}, {q}, {p, q} The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-12

Identifying The Good States Only identify bad states ( ) and {p}, {p, q} {p}, {p, q} q 0 q 1 q 2, {q}, {q} {p}, {p, q} q 3 q 4, {q}, {p}, {q}, {p, q} The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-12

Identifying The Good States Only identify bad states ( ) and label everything else as not bad ( ). {p}, {p, q} {p}, {p, q} q 0 q 1 q 2, {q}, {p}, {q}, {p, q} The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis, {q} {p}, {p, q} Complexity Monitorable Properties q 3 q 4, {q} 7-12

Identifying The Good States Only identify bad states ( ) and label everything else as not bad ( ). Perform this for the LTL formulae ϕ and ϕ. Good states for ϕ are bad states for ϕ. {p}, {p, q} {p}, {p, q} q 0 q 1 q 2, {q}, {p}, {q}, {p, q} The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis, {q} {p}, {p, q} Complexity Monitorable Properties q 3 q 4, {q} 7-12

Identifying The Good States Only identify bad states ( ) and label everything else as not bad ( ). Perform this for the LTL formulae ϕ and ϕ. Good states for ϕ are bad states for ϕ. Remark An LTL formula can be complemented by adding. Computing the NNF can be done in linear time. Complementing a BA potentially needs exponential time. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-12

The Complete Construction 1. Translate ϕ and ϕ into ABA. 2. Translate ABAs into BAs. 3. Create NFAs based on bad states in BAs. 4. Determinize NFAs to DFAs. 5. Compute Moore machine out of both DFAs. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-13

Section The Construction From LTL to ABA Emptiness per State The Monitor Chapter 7 Monitor Construction for Anticipatory Course INF5140 / V17

Recall the Idea of the AMM for FLTL 4 We monitor an LTL formula ϕ by evaluating its current subformula ψ w.r.t. the current letter a. Progression provides the LTL formula ψ that has to be fulfilled next. The set of states consists of all subformulae of ϕ. The initial state is ϕ. The current state is ψ. It reads the letter a and sets ψ as new state. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-15

Recall the Idea of the AMM for FLTL 4 We monitor an LTL formula ϕ by evaluating its current subformula ψ w.r.t. the current letter a. Progression provides the LTL formula ψ that has to be fulfilled next. The set of states consists of all subformulae of ϕ. The initial state is ϕ. The current state is ψ. It reads the letter a and sets ψ as new state. But when to accept? ABA accepts if all paths are finite (ending in true). Only Release R and Globally G allow for infinite loops. Make these states accepting. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-15

LTL to ABA Let Σ = 2 AP be the finite alphabet, p AP an atomic proposition, a Σ a letter, ϕ, ψ 1, ψ 2 LTL formulae in NNF and Q the set of all subformulae of ϕ. We then define ABA ϕ = (Σ, Q, ϕ, δ, F ) with F = {ψ 1 R ψ 2, G ψ 1 ψ 1, ψ 2 Q}. and its transition function δ : Q Σ B + (Q) inductively given as follows: δ(true, a) = true δ(false, a) = false { true if p a δ(p, a) = false else { true if p a δ( p, a) = false else The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-16

LTL to ABA Let Σ = 2 AP be the finite alphabet, p AP an atomic proposition, a Σ a letter, ϕ, ψ 1, ψ 2 LTL formulae in NNF and Q the set of all subformulae of ϕ. We then define ABA ϕ = (Σ, Q, ϕ, δ, F ) with F = {ψ 1 R ψ 2, G ψ 1 ψ 1, ψ 2 Q}. and its transition function δ : Q Σ B + (Q) inductively given as follows: δ(ψ 1 ψ 2, a) = δ(ψ 1, a) δ(ψ 2, a) δ(ψ 1 ψ 2, a) = δ(ψ 1, a) δ(ψ 2, a) δ(x ψ 1, a) = ψ 1 δ(x ψ 1, a) = ψ 1 The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-16

LTL to ABA Let Σ = 2 AP be the finite alphabet, p AP an atomic proposition, a Σ a letter, ϕ, ψ 1, ψ 2 LTL formulae in NNF and Q the set of all subformulae of ϕ. We then define ABA ϕ = (Σ, Q, ϕ, δ, F ) with F = {ψ 1 R ψ 2, G ψ 1 ψ 1, ψ 2 Q}. and its transition function δ : Q Σ B + (Q) inductively given as follows: δ(ψ 1 U ψ 2, a) = δ(ψ 2 (ψ 1 X(ψ 1 U ψ 2 )), a) δ(ψ 1 R ψ 2, a) = δ(ψ 2 (ψ 1 X(ψ 1 R ψ 2 )), a) δ(f ψ 1, a) = δ(ψ 1 (X(F ψ 1 )), a) δ(g ψ 1, a) = δ(ψ 1 (X(G ψ 1 )), a) The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-16

Example Consider AP = {p, q}, Σ = 2 AP and ϕ = G(p U q). δ(g(p U q), a) = G(p U q) δ(p U q, a) a Σ δ(p U q, ) = δ(q, ) (δ(p, ) (p U q)) = false (false (p U q)) = false δ(p U q, {p}) = δ(q, {p}) (δ(p, {p}) (p U q)) = false (true (p U q)) = p U q δ(p U q, {q}) = δ(q, {q}) (δ(p, {q}) (p U q)) = true (false (p U q)) = true δ(p U q, {p, q}) = δ(q, {p, q}) (δ(p, {p, q}) (p U q)) = true (true (p U q)) = true The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-17

Example Consider AP = {p, q}, Σ = 2 AP and ϕ = G(p U q). true {q}, {p, q} {p} {q}, {p, q} G(p U q) p U q {p} false false The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-17

The Monitor Construction For a given LTL formula ϕ over an alphabet Σ we construct a Moore machine M ϕ that reads finite words w Σ and outputs w = ϕ 3 B 3. For the next steps let A ϕ = (Σ, Q ϕ, Q ϕ 0, δϕ, F ϕ ) denote the BA accepting all models of ϕ and A ϕ = (Σ, Q ϕ, Q ϕ 0, δ ϕ, F ϕ ) The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties denote the BA accepting all words falsifying ϕ. 7-18

Emptiness per State (BA With Adjusted Initial State) For an BA A, we denote by A(q) the BA that coincides with A except for the set of initial states Q 0, which is redefined in A(q) as Q 0 = {q}. (Emptiness per State) We then define a function F ϕ : Q ϕ B 2 (with B 2 = {, }) where we set F ϕ (q) = iff L(A ϕ (q)). Using F ϕ, we define the NFA Âϕ = (Σ, Q ϕ, Q ϕ 0, δϕ, ˆF ϕ ) with ˆF ϕ = {q Q ϕ F ϕ (q) = }. Analogously, we set Â ϕ = (Σ, Q ϕ, Q ϕ 0, δ ϕ, ˆF ϕ ) with ˆF ϕ = {q Q ϕ F ϕ (q) = }. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-19

LTL 3 Evaluation Lemma (LTL 3 Evaluation) With the notation as before, we have if w / L(Â ϕ ) w = ϕ 3 = if w / L(Âϕ )? if w L(Âϕ L(Â ϕ )) The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-20

LTL 3 Evaluation Proof. w = ϕ 3 = if w / L(Â ϕ ) Feeding a finite prefix w Σ to the BA A ϕ, we reach the set δ ϕ (Q ϕ 0, w) Q ϕ of states. If q δ ϕ (Q ϕ 0, w) : L(A ϕ (q)) then we can choose σ L(A ϕ (q)) such that wσ L(A ϕ ). Such a state q exists by definition iff w L(Â ϕ ). If w / L(Â ϕ ) then every possible continuation wσ of w will be rejected by A ϕ, i.e. wσ = ϕ ω = for all σ Σ ω. Therefore we have w = ϕ 3 =. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties w = ϕ 3 = if w / L(Âϕ ) can be seen by substituting ϕ for ϕ. 7-20

LTL 3 Evaluation Proof. w = ϕ 3 =? if w L(Â ϕ ) L(Âϕ ) If q δ ϕ (Q ϕ 0, w) : L(A ϕ (q)) and q δ ϕ (Q ϕ 0, w) : L(Aϕ (q )) then we can choose σ L(A ϕ (q)) and σ L(A ϕ (q )) such that wσ = ϕ 2 = and wσ = ϕ 2 =. Hence we have w = ϕ 3 =?. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-20

Deterministic Moore Machine (FSM), {p}, {q}, {p, q}, {p}, {q}, {p, q} q 1 q 0 {q}, {p, q}? q 2 The Idea Impartial Anticipation The Construction {p} The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-21

Determinstic Moore Machine (FSM) (Deterministic Moore Machine (FSM)) A (deterministic) Moore machine is a tupel M = (Σ, Q, q 0, Γ, δ, λ) where Σ is the input alphabet, Q is a finite set of states, q 0 Q is the initial state, Γ is the output alphabet, δ : Q Σ Q is the transition function and λ : Q Γ is the output function. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-22

Run of a Deterministic Moore Machine (Run of a Deterministic Moore Machine) A run of a (deterministic) Moore machine M = (Σ, Q, q 0, Γ, δ, λ) on a finite word w Σ n with outputs o i Γ is a sequence such that t 0 = q 0, t i = δ(t i 1, w i ) and o i = λ(t i ). w t 1 w 0 2 w n 1 w t1... t n n 1 tn The output of the run is o n = λ(t n ). The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-23

Monitor M ϕ for an LTL Formula ϕ Let Ãϕ = (Σ, Q ϕ, q ϕ 0, δ ϕ, F ϕ ) and Ã ϕ = (Σ, Q ϕ, q ϕ 0, δ ϕ, F ϕ ) be the equivalent DFAs of the NFAs Âϕ and Â ϕ. (Monitor M ϕ for an LTL formula ϕ) We define the product automaton A ϕ = Ãϕ Ã ϕ as the Moore machine (Σ, Q, q 0, B 3, δ, λ), where Q = Q ϕ Q ϕ, q 0 = ( q ϕ 0, q ϕ 0 ), δ((q, q ), a) = ( δ ϕ (q, a), δ ϕ (q, a)) and λ : Q B 3 with if q / F ϕ λ((q, q )) = if q / F ϕ? if q F ϕ and q F ϕ. The monitor M ϕ of ϕ is obtained by minimizing A ϕ. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-24

The Complete Construction The Construction LTL BA Emptiness per State NFA ϕ A ϕ F ϕ Â ϕ The Idea Impartial Anticipation The Construction LTL 3 Evaluation u = ϕ 3 = if u / L(NFA ϕ )? The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-25

The Complete Construction The Construction LTL BA Emptiness per State NFA ϕ ϕ A ϕ F ϕ Â ϕ The Idea Impartial Anticipation The Construction LTL 3 Evaluation u = ϕ 3 = if u / L(NFA ϕ )? The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-25

The Complete Construction The Construction LTL BA Emptiness per State NFA ϕ ϕ A ϕ A ϕ F ϕ F ϕ Âϕ Â ϕ The Idea Impartial Anticipation The Construction LTL 3 Evaluation if u / L(NFA ϕ ) u = ϕ 3 = if u / L(NFA ϕ )? else The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-25

The Complete Construction The Construction LTL BA Emptiness per State NFA ϕ ϕ ϕ A ϕ A ϕ F ϕ F ϕ Âϕ Â ϕ The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-25

The Complete Construction The Construction LTL BA Emptiness per State NFA DFA ϕ ϕ ϕ A ϕ A ϕ F ϕ F ϕ Âϕ Â ϕ Ã ϕ Ã ϕ The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-25

The Complete Construction The Construction LTL BA Emptiness per State NFA DFA FSM ϕ ϕ ϕ A ϕ A ϕ F ϕ F ϕ Âϕ Â ϕ Ã ϕ Ã ϕ M ϕ The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-25

Example LTL p U q (p U q) The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-26

Example LTL p U q (p U q) BA {p} {q}, {p, q} Σ {p} Σ The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-26

Example LTL p U q (p U q) BA {p} {q}, {p, q} Σ {p} Σ DFA {p} {q}, {p, q} Σ Σ {p} {q}, {p, q} Σ Σ The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-26

Section Analysis Complexity Monitorable Properties Chapter 7 Monitor Construction for Anticipatory Course INF5140 / V17

Complexity The Construction LTL ϕ ϕ ϕ BA A ϕ A ϕ Emptiness per State F ϕ F ϕ NFA Âϕ Â ϕ DFA Ã ϕ Ã ϕ FSM M ϕ The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-28

Complexity The Construction LTL ϕ ϕ ϕ BA A ϕ A ϕ Emptiness per State F ϕ F ϕ NFA Âϕ Â ϕ DFA Ã ϕ Ã ϕ FSM M ϕ The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Complexity M 2 2O( ϕ ) Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-28

On-the-fly Construction The Construction LTL ϕ ϕ ϕ BA A ϕ A ϕ Emptiness per State F ϕ F ϕ NFA Âϕ Â ϕ DFA Ã ϕ Ã ϕ FSM M ϕ The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-29

Evaluation on Dwyer s Specification Patterns I Number of States 45 40 35 Both NBAs together Resulting monitor Formula size The Idea Impartial Anticipation Total number of states 30 25 20 15 10 5 The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 0 0 10 20 30 40 50 The 53 monitorable LTL specification patterns 7-30

Evaluation on Dwyer s Specification Patterns II Total Size 1000 Both NBAs together Resulting monitor Formula size Total number of states and transitions 800 600 400 200 The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 0 0 10 20 30 40 50 The 53 monitorable LTL specification patterns 7-31

Monitorability When Does Anticipation Help? The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-32

Recall The Good, The Bad and The Ugly Given a language L Σ ω of infinite words over Σ we call a finite word u Σ a good prefix for L if w Σ ω : uw L, a bad prefix for L if w Σ ω : uw L and an ugly prefix for L if v Σ : uv is neither a good prefix nor a bad prefix. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-33

Recall The Good, The Bad and The Ugly Given a language L Σ ω of infinite words over Σ we call a finite word u Σ a good prefix for L if w Σ ω : uw L, a bad prefix for L if w Σ ω : uw L and an ugly prefix for L if v Σ : uv is neither a good prefix nor a bad prefix. LTL 3 indentifies good/bad prefixes: if u is a good prefix for L(ϕ) u = ϕ 3 = if u is a bad prefix for L(ϕ)? otherwise. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-33

Monitors Revisited Structure of Monitors? The Idea Impartial Anticipation The Construction bad ugly? good Σ Σ Σ The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-34

Monitorable Non-Monitorable ϕ is non-monitorable after u, if u cannot be extended to a bad oder good prefix. Monitorable ϕ is monitorable if there is no such u. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-35

Monitorable Non-Monitorable ϕ is non-monitorable after u, if u cannot be extended to a bad oder good prefix. Monitorable ϕ is monitorable if there is no such u. Ugly occurs Consider G F p bad ugly?? good Σ Σ Σ The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-35

1. LTL formulae on infinite words can be translated into alternating Büchi automata. 2. The emptiness per state function computes the satisfiability of an LTL formla and can be used to generate an NFA accepting in the not bad states of the BA of the LTL formula. 3. The impartial anticipatory LTL monitor is based on such an NFA for the LTL formula and one for its complement and identifies good, bad and ugly prefixes. 4. Universalitiy testing for Büchi automata can be avoided by complementing the LTL formula instead of the Büchi automaton. 5. The size of the generated monitor is double-exponential in the size of the LTL formula. The Idea Impartial Anticipation The Construction The Construction From LTL to ABA Emptiness per State The Monitor Analysis Complexity Monitorable Properties 7-36

Chapter 8 LTL with a Predictive Semantics Course INF5140 / V17

Chapter 8 Learning Targets of Chapter LTL with a Predictive Semantics. 1. Understand how the underlying program to monitor could be taken into account. 2. Understand how to build a corresponding monitor synthesis procedure.

Chapter 8 Outline of Chapter LTL with a Predictive Semantics. Predictive Semantics Motivation Monitoring LTL P 4

Section Predictive Semantics Motivation Chapter 8 LTL with a Predictive Semantics Course INF5140 / V17

Fusing model checking and runtime verification LTL with a predictive semantics Predictive Semantics Motivation Monitoring LTL P 4 8-5

Recall anticipatory LTL semantics The truth value of a LTL 3 formula ϕ with respect to u, denoted by u = ϕ, is an element of B 3 defined by if σ Σ ω : uσ = ϕ u = ϕ = if σ Σ ω : uσ = ϕ? otherwise. Predictive Semantics Motivation Monitoring LTL P 4 8-6

Applied to the Empty Word Empty word ε ε = ϕ P = iff σ Σ ω with εσ P : εσ = ϕ iff L(P) = ϕ RV more difficult than MC? Then runtime verification implicitly answers model checking Predictive Semantics Motivation Monitoring LTL P 4 8-7

Abstraction An over-abstraction or and over-approximation of a program P is a program ˆP such that L(P) L( ˆP) Σ ω. Predictive Semantics Motivation Monitoring LTL P 4 8-8

Predictive Semantics (Predictive Semantics of LTL) Let P be a program and let ˆP be an over-approximation of P. Let u Σ denote a finite trace. The truth value of u and an LTL formula ϕ with respect to ˆP, denoted by u = ϕ ˆP B 4 = {,,?, }, and defined as follows: if u ω L( ˆP) w Σ ω : uw L( ˆP) uw = ϕ ω = if u ω L( ˆP) w Σ ω : u = ϕ ˆP = uw L( ˆP) uw = ϕ ω =? if w, w Σ ω : uw, uw L( ˆP) uw = ϕ ω = uw = ϕ ω = if u / ω L( ˆP) Predictive Semantics Motivation Monitoring LTL P 4 We use LTL P 4 to indicate LTL with predictive semantics. 8-9

Properties of Predictive Semantics Remark Let ˆP be an over-approximation of a program P over Σ, u Σ, and ϕ LTL. Model checking is more precise than RV with the predictive semantics: P = ϕ implies u = ϕ ˆP {,?} RV has no false negatives: u = ϕ ˆP = implies P = ϕ The predictive semantics of an LTL formula is more precise than LTL 3 : u = ϕ 3 = implies u = ϕ ˆP = u = ϕ 3 = implies u = ϕ ˆP = Predictive Semantics Motivation Monitoring LTL P 4 The reverse directions are in general not true. 8-10

Section Monitoring LTL P 4 Chapter 8 LTL with a Predictive Semantics Course INF5140 / V17

Predictive Semantics Motivation Monitoring LTL P 4 8-12

1. LTL P 4 only considers extensions of the current word leading to executions of an over-abstraction ˆP of the underlying program P. 2. We introduced the new value of the output alphabet indicating that the current execution has left the over-abstraction. 3. The use of an over-abstraction is the tradeoff between model checking and runtime verification as the use of the program P itself would implicitly solve the model checking problem. Predictive Semantics Motivation Monitoring LTL P 4 8-13

Chapter 9 Summary Course INF5140 / V17

Chapter 9 Learning Targets of Chapter Summary. 1. Understand that FLTL, FLTL 4 and LTL on infinite words share a very similar semantics. 2. Understand that LTL 3 and LTL P 4 are defined with respect to existing semantics. 3. Understand the difference of propositions and events.

Chapter 9 Outline of Chapter Summary. Impartial RV Common LTL Semantics RV on Finite, Terminated Executions Impartial RV on Finite, Non-Terminated Words Anticipatory RV LTL on Infinite Words Anticipatory RV on Finite, Non-Terminated Words Other LTL Semantics Events vs. Propositions Further Topics

Section Impartial RV Common LTL Semantics RV on Finite, Terminated Executions Impartial RV on Finite, Non-Terminated Words Chapter 9 Summary Course INF5140 / V17

LTL Semantics We know the following LTL semantics FLTL LTL on finite, completed words FLTL 4 impartial LTL on finite, non-completed words LTL LTL on infinite words LTL 3 anticipatory LTL on finite, non-completed words LTL P 4 anticipatory LTL on finite, non-completed words with respect to an over-abstraction of a program P FLTL, FLTL 4 and LTL have very similar semantics with a big common part LTL 3 and LTL P 4 are defined based on LTL Impartial RV Common LTL Semantics RV on Finite, Terminated Executions Impartial RV on Finite, Non-Terminated Words Anticipatory RV LTL on Infinite Words Anticipatory RV on Finite, Non-Terminated Words Other LTL Semantics Events vs. Propositions Further Topics 9-5

The Common Parts of LTL Semantics Let AP be a finite set of atomic propositions, Σ = 2 AP, p AP, ϕ, ψ LTL formulae, and w Σ a (finite or infinite) word. The the common part of the LTL semantics FLTL, FLTL 4 and LTL (indicated by L) of an LTL formula with respect to w is inductively defined as follows: Boolean Constants w = true L = w = false L = Impartial RV Common LTL Semantics RV on Finite, Terminated Executions Impartial RV on Finite, Non-Terminated Words Anticipatory RV LTL on Infinite Words Boolean Combinations Anticipatory RV on Finite, Non-Terminated Words Other LTL Semantics w = ϕ L = w = ϕ L w = ϕ ψ L = w = ϕ L w = ψ L Further Topics Events vs. Propositions w = ϕ ψ L = w = ϕ L w = ψ L 9-6

The Common Parts of LTL Semantics Let AP be a finite set of atomic propositions, Σ = 2 AP, p AP, ϕ, ψ LTL formulae, and w Σ a (finite or infinite) word. The the common part of the LTL semantics FLTL, FLTL 4 and LTL (indicated by L) of an LTL formula with respect to w is inductively defined as follows: Atomic Propositions w = p L = { if p w1 if p / w 1 Impartial RV Common LTL Semantics RV on Finite, Terminated Executions Impartial RV on Finite, Non-Terminated Words Anticipatory RV LTL on Infinite Words Local Temporal Operators w = X ϕ L = defined dependent of L later w = X ϕ L = defined dependent of L later Anticipatory RV on Finite, Non-Terminated Words Other LTL Semantics Events vs. Propositions Further Topics 9-6

The Common Parts of LTL Semantics Let AP be a finite set of atomic propositions, Σ = 2 AP, p AP, ϕ, ψ LTL formulae, and w Σ a (finite or infinite) word. The the common part of the LTL semantics FLTL, FLTL 4 and LTL (indicated by L) of an LTL formula with respect to w is inductively defined as follows: Fixed Point Operators if i, 1 i w : ( w i = ψ L = w = ϕ U ψ L = and k, 1 k < i : w k = ϕ L = ) defined dependent of L later else w = ϕ R ψ L = w = ϕ U ψ L w = F ϕ L = w = true U ϕ L Impartial RV Common LTL Semantics RV on Finite, Terminated Executions Impartial RV on Finite, Non-Terminated Words Anticipatory RV LTL on Infinite Words Anticipatory RV on Finite, Non-Terminated Words Other LTL Semantics Events vs. Propositions Further Topics w = G ϕ L = w = false R ϕ L 9-6

LTL on Finite, Terminated Words Impartial RV Common LTL Semantics RV on Finite, Terminated Executions Impartial RV on Finite, Non-Terminated Words Anticipatory RV LTL on Infinite Words Anticipatory RV on Finite, Non-Terminated Words Other LTL Semantics Events vs. Propositions Further Topics 9-7