automata for formal methods: little steps towards perfection


František Blahoudek
PhD thesis, corrected version (September 25, 2018)
Faculty of Informatics, Masaryk University, Brno, March 2018

Acknowledgements

I will always remember my postgraduate years as an intensive period of my life, full of both amazing and tough experiences. It was a period of joy and constant personal growth. I could never finish my thesis without inspiration and support of many people around me. In the following paragraphs, I would like to express my gratitude to at least some of them.

First of all, I would like to thank my supervisor Jan Strejček. He is the one who showed me the beauty of automata more than ten years ago and who gave me the opportunity to spread the beauty among my students as a teacher. I especially value his trust and patience, and I am more than grateful for his method of supervising through careful, inspiring, and close collaboration. I like the way he writes, and I hope I learnt at least some bits from him. I enjoyed sharing my passions for chocolate, good drinks, running, and colorful automata with this great teacher and mentor. And what I appreciate the most is that I can call Jan my friend with whom I can discuss science, life, love, and jokes. I will never forget that we were able to experience good laughs even at 4 in the morning before deadlines. And I also have to mention the unforgettable travel experiences from our business trips; it was a pure pleasure to watch Jan falling to the river Okavango after he attempted to drive a Mokoro boat.

I was also honoured to have Mojmír Křetínský as a supervisor for a year. I am thankful to him for his attitude to me, his willingness to help, and for his support and care in difficult days.

Alexandre Duret-Lutz is our exceptional collaborator. He disclosed me how much can scientists profit from mutual collaboration and he also encouraged me to learn and explore new technologies and to develop own useful tools. My research would be much harder and less enjoyable without him and his work on Spot. The integration of Spot with Jupyter had an enormous impact on my performance and saved me a lot of precious time.

As an attendee of the MOVEP summer school, I had the unique opportunity to share a good time with Sven Schewe. I enjoyed our talks about automata and life, and I appreciate his notorious good mood and the willingness to share ideas.

I have shared my office with three inspiring colleagues and friends. Petr Novotný, starting his PhD two years before me, was always a good source of inspiration and good advice; he taught me to appreciate good rum and to enjoy preparing my presentations properly. Luboš Korenčiak is an infinite source of jokes and good mood and a great companion to travels; he taught me to procrastinate and to be open to people. Martin Jonáš never hesitates to share his opinion and good taste; he taught me to drink up to four cups of coffee a day and to be concerned with typography.

Our office is part of the Formela lab, a place where I have been meeting many wonderful colleagues and friends. I especially enjoyed meeting Tomáš Babiak, Tom Brázdil, Marek Chalupa, Jakub Gajarský, Mirek Klimoš, Jéňa Krčál, Honza Křetínský, Kája Malá, Mikuláš Klokočka, Honza Obdržálek, Vojta Rujbr, Vojta Řehák, Mima Sasaráková, Marek Trtík, Dominik Velan, Martina Vitovská, and Táňa Zbončáková. I wish to meet them on many occasions in the future. I also hope to meet the friends from the ParaDiSe lab, who contributed to the positive environment in the school.

Teaching has been an enjoyable part of my studies and it often served as a source of energy for me. I am thankful to my students that brought fun and good mood into my lessons. I am also grateful to all people that helped me to bring TeachingLab into life. I especially enjoyed the cooperation with Ondráš Přibyl, who brought many new insights and views into my life. A great deal of my gratitude goes to Martin Ukrop who continues in my effort to improve the quality of the student's teaching at our university.

It would be hardly possible to survive the PhD studies without the support of friends. I would especially like to thank Dědek, Vojta Duba, Roman Klein, Michal Klivický, Tom Kocmi, Honza Kudr, Saša Kuckir, Lukáš Straka, and Michal Zeman for their help and the wonderful time we spent together. I would also like to thank Věrka Slezáková, who supported me in my difficult times and who taught me much about life. I feel exceptional gratitude to my friends from Instruktoři Brno for many memorable experiences,¹ personal growth, and fun they have brought into my life. But most of all I value the close friendships I found there, notably with Ďáblice, Entiro, Finn, Glum, Jitka, Lenka, Mýca, and Rissie.

I feel the deepest gratitude to my parents, Marie and František. They have always offered me a warm place to return to, unconditional support, empathy, and love. They have encouraged me to pursue my goals and they have always been curious about my various adventures not only from business trips. Beyond all of this, I thank them for teaching me not to forget about fun in my life. I have the great luck to have a broad, supportive family whose members have kind words for me when needed and they also never miss an opportunity to make fun of me. I would like to especially mention my brother Petr and my aunts Anča and Petra and thank them for being close to me. I have always enjoyed the company and smiles of other members of my family, namely Anduja, Eva, Fanda, Honza, Marie, Miluška, Petra, Táňa, Vašek, and Zuzka.

¹ They made my group carry a boat for more than five km through a forest at night, for example.

Fanda Blahoudek
Brno, March 2018


Abstract

As ω-automata are a convenient representation of languages of infinite words, they are widespread in the area of formal methods; many algorithms that analyze systems with infinite behaviours rely on ω-automata. The efficient algorithms for the intersection, union, and emptiness checking for various classes of ω-automata made them appealing for model checking of properties expressed as ω-regular languages or as formulae in (not only) Linear Temporal Logic (LTL). On the contrary, determinization and complementation of ω-automata are notoriously difficult problems. This fact complicates usage of the automata-based methods that need deterministic automata² or inherently employ language difference or complementation of ω-automata.³

This dissertation approaches ω-automata and formal methods from various directions and presents several contributions towards perfect automata for formal methods. The presentation of the contributions is divided into three parts.

The first part is tightly connected to the model checker Spin and nondeterministic Büchi automata. We investigate how different automata for one language can influence the performance of Spin and we bring several interesting observations and recommendations for LTL translators. Moreover, we introduce a method that enables the creation of automata that are suited for a particular verification task. The automata convey knowledge about the system to be verified; this knowledge sometimes helps to make the automata significantly smaller and to speed up the model checking.

The second part of the thesis is dedicated to the translation of LTL into deterministic automata. We present an efficient translation of a fragment of LTL into automata with generalized Rabin acceptance condition. We also discuss other approaches to the translation and offer an extensive experimental comparison of available tools.

The last part discusses semi-deterministic automata, which are automata that are deterministic in the limit. We develop an algorithm (and a tool) for semi-determinization of Büchi automata, and an efficient algorithm for complementation of these automata.

² like model checking of probabilistic systems or synthesis of reactive systems
³ like termination analysis in the tool Ultimate Automizer

Contents

List of Figures 10
List of Tables 12
1 Introduction 15
1.1 Outline and contribution of the thesis 18
1.2 Author's publications and his contribution 19
2 Preliminaries 23
2.1 ω-automata 23
2.2 Linear Temporal Logic (LTL) 26
I How Büchi automata influence model checking 27
3 Is There a Best Büchi Automaton for Spin? 29
3.1 Motivation by empirical data: how much can automata influence Spin 32
3.2 Standard approach to optimization: helping the product 34
3.3 Another view to optimization: helping the emptiness check 36
3.4 Summary of the chapter 40
4 Specifications meet systems 43
4.1 Specification refinement and constraints 44
4.2 Formula refinement 45
4.3 Automaton refinement 46
4.4 Experimental evaluation 47
4.5 Label simplification 53
4.6 When refinement harms and found bugs 55
4.7 Final remarks 57
II LTL to deterministic automata 61
5 Translation of LTL Fragments into Generalized Rabin Automata 63
5.1 Alternating automata and their subclasses 63
5.2 Translation of LTL(Fs, Gs) to MMAA 66
5.3 Translation of MMAA to LTL(Fs, Gs) 67
5.4 Translation of MMAA to deterministic automata 68
5.5 MMAA in the limit and LTL\G(U,X) 72
5.6 Degeneralization for Rabin automata 72
5.7 Implementation and translation improvements 74
6 LTL to Deterministic Automata Translators: Experimental Evaluation 77
6.1 Evaluated tools 79
6.2 Benchmark formulae 83
6.3 Hardware, benchmark settings, and errors 85
6.4 Results: non-parametric benchmarks 86
6.5 Results: the parametric benchmarks 98
6.6 Final words 101
III Semi-deterministic automata 103
7 Semi-Determinization of TGBA 105
7.1 Semi-determinism and cut-determinism 105
7.2 Cut-determinism check & state space partition 106
7.3 Subset construction 107
7.4 Semi-determinization of Büchi automata 107
7.5 Cut-determinization of Büchi automata 112
7.6 Semi-determinization of generalized Büchi automata 113
7.7 Cut-determinization of TGBA 116
7.8 Implementation 116
7.9 Experimental evaluation 118
8 Complementation of Semi-Deterministic Büchi Automata 125
8.1 Complementation of NBA 125
8.2 Complementation of SDBA 126
8.3 Ranks and correctness 129
8.4 On-the-fly approach 133
8.5 Implementation 133
8.6 Experimental evaluation 134
Bibliography 137

List of Figures

Figure 1.1 Büchi automaton for G(request → F print). 16
Figure 1.2 Powerset construction. 16
Figure 1.3 Various automata for GFa ∧ GFb. 18
Figure 2.1 NSBA, NTGBA, and DTGRA for FGa (GFb GF b). 24
Figure 3.1 Automata-theoretic approach to model checking. 29
Figure 3.2 Impact of the Büchi automata on model checking. 33
Figure 3.3 Two BA for GFa and a state space. 34
Figure 3.4 Two BA for G(a X(ā X(ā Xa))). 36
Figure 3.5 Various automata for GFa ∧ GFb. 36
Figure 3.6 Two TGBA for GFa ∧ GFb. 37
Figure 3.7 Automata for ¬(GFa ∧ GFb). 39
Figure 4.1 Promela code of a process from bakery protocol. 43
Figure 4.2 Incompatible propositions in action. 43
Figure 4.3 Specification refinement applied on an automaton. 45
Figure 4.4 Performance of formula refinement. 50
Figure 4.5 Distribution of the improvement ratios of formula refinement. 50
Figure 4.6 Performance of automata refinement. 52
Figure 4.7 Distribution of the improvement ratios of automata refinement. 52
Figure 4.8 Formula vs. automaton refinement. 54
Figure 4.9 Formula vs. automata refinement distributions. 54
Figure 4.10 C code generated by Spin for a transition. 54
Figure 4.11 A_{rκ(ϕ)} much smaller than A_ϕ. 55
Figure 5.1 An example linear alternating automaton A. 64
Figure 5.2 A run of the LAA A. 65
Figure 5.3 State styles of May/must AA. 65
Figure 5.4 The MMAA A_ϕ for ϕ = G(Fs a Fs b) Gb. 67
Figure 5.5 The semiautomaton for A_ϕ. 69
Figure 5.6 The DTGRA for A_ϕ. 70
Figure 6.1 LTL to deterministic automata: evaluated tool chains. 79
Figure 6.2 LTL to deterministic automata: workflow of Spot. 80
Figure 6.3 LTL formulae from literature and their classification. 82
Figure 6.4 Minimal automata by approaches. 88
Figure 6.5 Unique minimal automata by approaches. 88
Figure 6.6 Minimal automata by tools (literature). 89
Figure 6.7 Minimal automata by tools (random). 90
Figure 6.8 Quantile plot for selected tool chains with Spot. 93
Figure 6.9 Scatter plots comparing ltl2dstar and Spot. 96
Figure 6.10 Scatter plots comparing Rabinizer 4 and Spot. 97
Figure 6.11 Scatter plot comparing Rabinizer 4 against Spot combined with LTL3TELA. 98
Figure 7.1 Structure of semi-deterministic automata. 105
Figure 7.2 Marks pushed to transitions. 107
Figure 7.3 Semi-determinization. 108
Figure 7.4 SCC-aware semi-determinization. 111
Figure 7.5 Cut-determinization. 112
Figure 7.6 Degeneralization of GBA. 113
Figure 7.7 Two-step semi-determinization of GBA. 113
Figure 7.8 One-step semi-determinization of GBA. 115
Figure 7.9 Formulae from literature and their classification. 119
Figure 7.10 Comparison of Seminator and ltl2ldba. 122
Figure 7.11 Comparison of Seminator and nba2ldba. 122
Figure 7.12 Comparison of Seminator and Seminator 2-step. 123
Figure 8.1 NCSB construction: an example. 128
Figure 8.2 Comparison of the NCSB construction and other complementations. 136

List of Tables

Table 3.1 LTL-to-BA translators. 32
Table 3.2 Benchmark based on automata and product sizes. 35
Table 3.3 Benchmark based on automata sizes and Spin's runs (bakery.7.pm). 37
Table 3.4 Benchmark based on automata sizes and Spin's runs (peterson.4.pm). 39
Table 4.1 LTL-to-BA translators. 47
Table 4.2 Solved verification tasks (formula refinement). 48
Table 4.3 Effect on property automata (formula refinement). 49
Table 4.4 Improvement ratios distributions (formula refinement). 51
Table 4.5 How transitions affect run time of Spin. 51
Table 4.6 Solved verification tasks (automaton refinement). 52
Table 4.7 Effect on property automata (automaton refinement). 53
Table 4.8 Improvement ratios distributions (automaton refinement). 53
Table 4.9 Solved verification tasks (automaton vs. formula refinement). 53
Table 4.10 Effect on property automata (formula vs. automaton refinement). 53
Table 4.11 Improvement ratios distributions (formula vs. automaton refinement). 53
Table 4.12 More data on refinement impact (formula refinement). 58
Table 4.13 More data on refinement impact (formula refinement) II. 59
Table 6.1 Tool references. 81
Table 6.2 Tool chains and their ltlcross commands. 81
Table 6.3 Concrete formulae benchmarks. 83
Table 6.4 Errors summary (literature). 85
Table 6.5 Errors summary (random). 85
Table 6.6 The cumulative numbers for the literature benchmarks. 91
Table 6.7 The cumulative numbers for the random benchmarks. 91
Table 6.8 Cross-comparison (direct translations). 92
Table 6.9 Cross-comparison (ltl2dstar). 94
Table 6.10 Cross-comparison (Spot). 95
Table 6.11 Cross-comparison (Rabinizer 4, Spot, and ltl2dpa). 97
Table 6.12 Parametric formulae benchmark (gh I). 99
Table 6.13 Parametric formulae benchmark (gh II). 99
Table 6.14 Parametric formulae benchmark (ms and go). 100
Table 6.15 Parametric formulae benchmark (kr and other). 100
Table 7.1 Tool references. 118
Table 7.2 Tool configurations (semi-deterministic). 119
Table 7.3 Tool configurations (cut-deterministic). 119
Table 7.4 Evaluation of tools producing semi-deterministic automata. 120
Table 7.5 Evaluation of tools producing semi-deterministic automata. 120
Table 8.1 Complementation constructions and their GOAL commands. 135
Table 8.2 Complementation benchmark without simplifications. 135
Table 8.3 Complementation benchmark without and with simplifications. 136

1 Introduction

Automata play an essential role in the history of computer science. In the 1960s and 1970s automata over finite words were seen as abstract machines that process inputs and accept or reject them. This kind of view was mainly driven by their application at that time: automata were used to build lexicographic analysers, parsers and compilers. Their primary purpose was to check syntax. With the development in formal methods, automata became a popular formalism used to describe behaviours and specification¹ of software and hardware systems; they became a data structure for representing sets of behaviours. Their popularity stems from the fact that automata allow efficient implementation of operations like union, intersection, and complement. Another appealing aspect of automata over words is their intuitive graphical representation.

Automata over infinite words (ω-words), also known as ω-automata, were introduced by Büchi in 1962 as a tool to prove the decidability of the monadic second-order logic with Presburger arithmetic.² An infinite word cannot be read to its end by an automaton and thus Büchi had to innovate the acceptance mechanism of automata. His solution was the following: an ω-automaton A accepts an ω-word w if A can visit some accepting state infinitely often while reading w. Automata with this kind of acceptance condition are nowadays named after Büchi and they are the most widely used type of ω-automata to these days. However, as we will discuss later, their acceptance mechanism is not powerful enough for some applications, and thus more acceptance conditions like Muller, Rabin, Streett, parity, and others were introduced.

Vardi and Wolper started amazing scientific progress in the area of ω-automata in 1986³ when they realized that ω-automata are a natural choice as a data structure for methods that analyze systems with infinite behaviour.⁴ ω-automata lie at the heart of many solutions of interesting problems from the area of formal methods ranging from system monitoring through system analysis and verification to system synthesis. Solutions to these problems are typically computationally hard and the computation time and memory consumption often hugely depend on automata used on the way. While ω-automata inherit the decidability properties of automata over finite words, some operations like determinization, complementation, etc. are substantially harder for ω-automata. The needs of efficient construction of practical ω-automata and efficient manipulation of ω-automata have driven the scientific progress to these days. This thesis confirms the previous statement and presents a part of my contribution to the fascinating world of automata theory, mostly motivated by practical needs of verification methods. In the next few paragraphs, we will discuss areas of automata theory touched by this thesis.

¹ specification in the form of a set of intended or erroneous behaviours
² Büchi (1962), On a Decision Method in Restricted Second Order Arithmetic, [1].
³ Vardi and Wolper (1986), An Automata-Theoretic Approach to Automatic Program Verification (Preliminary Report), [2].
⁴ A print server or a controller of a power plant, for example. A notable example of an ω-automata-based verification method is the automata-theoretic approach to model checking discussed in Chapter 3.

LTL translations. The inputs of a verification task are typically a system to be verified and its formal specification. The specification is often given as a formula of some modal logic. Linear Temporal Logic (LTL) is often the logic of choice as it allows to reason about the evolution of the system in time and thus can express many useful properties. For example, the natural expectation from a print server that every print request is eventually processed can be written as an LTL formula ϕ = G(request → F print). A standard step in verification is a translation of this formula into an ω-automaton that represents all behaviours that satisfy ϕ; see Figure 1.1 for a Büchi automaton for ϕ. As many chapters of the thesis are somehow related to the construction of ω-automata for LTL formulae, we will discuss LTL translations in more detail.

Every LTL formula ϕ can be translated to a nondeterministic Büchi automaton (NBA) A_ϕ with the number of states exponentially dependent on the size of ϕ. The translation of LTL into NBA is a well-studied problem. Scientists have already suggested many approaches to the translation. Evaluations show that no approach is superior to the others on its own, without further optimizations. Therefore, rewriting of the input formulae and reductions of the automata at different stages of the translation became the most powerful weapons in the battle for the best LTL-to-BA translator. The rapid development brought to the community translators like Spot and LTL3BA that are very efficient in practice, and they often avoid the exponential blow-up. Many experts, including authors of the mentioned tools, believe that there is not much hope for smaller NBA here. However, this is not the end of the story of LTL translations as we show in the next three paragraphs.

Some applications cannot be solved using NBA directly. For example, controller synthesis for reactive systems⁵ is addressed by reduction to the problem of finding a winning strategy in a two-player game. The game is usually constructed from an ω-automaton for the specification, and we need a deterministic ω-automaton for this task.⁶ Further, problems from the family of model checking of probabilistic systems are typically solved using deterministic ω-automata. How can we efficiently construct them? A natural choice is to take efficient translators of LTL to NBA and determinize the NBA we get for our formula. Let us discuss this option in more detail.

Determinization of ω-automata is substantially harder than the one of automata over finite words. For finite words, we have an efficient procedure known as the powerset construction that takes a nondeterministic automaton with n states and constructs an equivalent deterministic automaton with at most 2^n states.⁷ This method is known to be tight and is well understood. In the world of Büchi automata, the powerset construction is not correct anymore; see Figure 1.2. The increase in complexity of a correct determinization is two-fold. First, deterministic Büchi automata are less expressive than their nondeterministic counterparts and thus we have to use some more complex acceptance condition. Second, for a Büchi automaton with n states we can build, using the tight upper bound on determinization,⁸ a Rabin automaton with at most (1.65n)^n states and 2^(n+1) accepting sets. If we aim for parity acceptance which is more suitable for solving games (and thus controller synthesis), we can have automata with at most O(n!²) states and 2n priorities.

Figure 1.1: Büchi automaton A_ϕ for ϕ = G(request → F print). [figure: automaton with edges labelled by request and print]

Figure 1.2: The automata A and P demonstrate that the powerset construction is not correct for ω-automata. The automaton P is the result of the powerset construction applied on A. While A accepts all ω-words with only a finite number of a's, P accepts all ω-words that have infinitely many b's (and possibly also infinitely many a's). [figure: A with states 1 and 2; P with states {1} and {1, 2}]

⁵ The problem of controller synthesis for reactive systems takes as input a specification ϕ, a set of available actions of an environment, and a set of available actions of a controller. While the actions of the environment are out of our control, we can control the actions of the controller. A solution to this problem is to automatically generate a controller that will react to the actions of the environment in a way that guarantees satisfaction of ϕ no matter what actions the environment performs.
⁶ Alternatively, so-called good-for-games Rabin or parity automata do not need to be fully deterministic and still can be reduced effectively to a two-player game.
⁷ Rabin and Scott (1959), Finite Automata and Their Decision Problems, [3].
⁸ Schewe (2009), Tighter Bounds for the Determinisation of Büchi Automata, [4]; Colcombet and Zdanowski (2009), A Tight Lower Bound for Determinization of Transition Labeled Büchi Automata, [5].

I would like to mention two approaches that researchers pursue to overcome the high complexity of ω-automata determinization. The first approach is a direct translation of LTL into various deterministic ω-automata. The second approach investigates new methods of solving model checking of probabilistic systems using ω-automata that are not fully deterministic, for example unambiguous or semi-deterministic⁹ ω-automata. These methods brought us a new challenge of efficient translation of LTL into semi-deterministic automata, either directly or via nondeterministic automata with subsequent efficient semi-determinization.

Complementation. Complementation is another operation that is substantially harder for ω-automata than for automata over finite words. It took over half a century of research to find matching upper¹⁰ and lower¹¹ bounds Θ((0.76n)^n) for complementing Büchi automata. Despite the high complexity, complementation of Büchi automata is a valuable tool for verification, language inclusion, or language subtraction. With the growing understanding of the worst-case complexity, the practical cost of complementing Büchi automata has become a second line of research as the worst case can often be avoided. Our motivation to tackle complementation of Büchi automata comes from the program termination analysis of Ultimate Büchi Automizer.¹² The aim of program termination analysis is to decide whether a given program terminates on all inputs. In other words, it tries to establish or disprove that all infinite execution paths in the program flowgraph are infeasible. The Ultimate Büchi Automizer uses Büchi automata to represent infinite paths that are already known to be infeasible and it subtracts these paths (using complement and product) from the program flowgraph to identify the set of infinite execution paths whose infeasibility still needs to be proven.

Suitability of automata for model checking. The set of languages that can be recognized by automata over finite words are exactly the regular languages, and the ω-regular languages for (most types of) ω-automata. While there is a unique minimal deterministic automaton for each regular language, the situation is more complicated for ω-automata: there is no equivalent to the minimization algorithm that we know for automata over finite words. Moreover, size is not the only relevant property of ω-automata that influences the process of model checking. Small size, the degree of determinism, and the simplicity of the acceptance condition can positively influence the performance of verification tools, but they are often contradictory requirements from the perspective of LTL translators at the same time.¹³ Furthermore, other aspects of particular ω-automata may influence model checking even more dramatically, for example, the location of accepting or initial states. With the variety of available tools for LTL to ω-automata translation, we have many ω-automata to consider to use for verification. Figure 1.3 shows six automata for the formula GFa ∧ GFb. Which one is the most suitable for a given verification task? We cannot answer this question entirely, but we offer at least some deeper insight for tasks solved by the model checker Spin.

⁹ An unambiguous automaton has at most one accepting run for each word. In a semi-deterministic automaton, each accepting run avoids nondeterministic states from some point on. Semi-deterministic automata are also known as limit-deterministic or deterministic-in-the-limit.
¹⁰ Schewe (2009), Büchi Complementation Made Tight, [6].
¹¹ Yan (2008), Lower Bounds for Complementation of Omega-Automata Via the Full Automata Technique, [7].
¹² Heizmann, Hoenicke, and Podelski (2014), Termination Analysis by Learning Terminating Programs, [8].
¹³ For example, we can have a one-state deterministic Rabin automaton for the formula ϕ = FGa while no deterministic Büchi can express ϕ. Moreover, no Büchi automaton with less than two states exists for ϕ.

Figure 1.3: Automata for $\mathrm{GF}a \wedge \mathrm{GF}b$ generated by different tools and options: (C1) Spin, (C2) LTL2BA & LTL3BA, (C3) MoDeLLa, (C4) LTL3BA (det), (C5) Spot & Spot (det), (C6) Spot (no jump).

1.1 Outline and contribution of the thesis

Chapter 2 provides preliminaries and most definitions used throughout the thesis. In particular, it introduces ω-automata and LTL. The rest of the thesis is divided into three parts; each part is devoted to ω-automata with a different degree of determinism. The first part focuses on nondeterministic automata. It is followed by a part that deals with deterministic automata. Finally, the last part of the thesis discusses algorithms for semi-deterministic automata. The thesis contributes to automata theory in the following areas.

Nondeterministic Büchi automata for explicit model checking. We study the connection between Büchi automata and concrete verification tasks performed by the successful explicit model checker Spin. In particular, we focus on two aspects. In Chapter 3 we search for properties of Büchi automata that really influence the performance of the central algorithm of Spin, Nested Depth First Search. We do so by manual analysis of several automata and by experiments with common LTL-to-BA translators and realistic verification tasks. As a result of these experiments, we gain a better insight into the characteristics of automata that work well with Spin. In Chapter 4 we provide methods that take a particular system to be verified, analyze the meaning of atomic propositions that are present in the system, and use this analysis to improve Büchi automata built from LTL specifications. As a result, we get smaller automata with shorter edge labels that are easier to understand. Thanks to these ω-automata we can improve the run time of Spin.

Translation of LTL into deterministic ω-automata. In Chapter 5 we define May/Must alternating automata (MMAA), show (constructively) their expressive equivalence to $\mathrm{LTL}(\mathrm{F}_s, \mathrm{G}_s)$, and provide a procedure that converts MMAA into deterministic transition-based generalized Rabin automata. These steps connect into an efficient translation of $\mathrm{LTL}(\mathrm{F}_s, \mathrm{G}_s)$ into deterministic ω-automata. We have implemented this method in the tool LTL3DRA, which is publicly available. $\mathrm{LTL}(\mathrm{F}_s, \mathrm{G}_s)$ is the fragment of LTL which uses only the temporal operators strict eventually and strict always. Chapter 6 offers an exhaustive experimental evaluation and comparison of various methods that transform formulae of LTL (and its fragments) into deterministic ω-automata.

Semi-deterministic Büchi automata construction and complementation. In Chapter 7 we first describe a transition-based adaptation of the standard semi-determinization procedure for Büchi automata by Courcoubetis and Yannakakis¹⁴ and we extend the algorithm with an SCC-aware¹⁵ optimization. We also show how to tweak the construction to produce cut-deterministic automata (a stronger form of semi-determinism). We further present an algorithm for semi-determinization of generalized Büchi automata that is similar to the one presented by Hahn et al. in 2015.¹⁶ All procedures were implemented in an open source tool called Seminator. We also evaluate and compare Seminator to other relevant tools.

¹⁴ Courcoubetis and Yannakakis (1988), Verifying Temporal Properties of Finite-State Probabilistic Programs, [9].
¹⁵ based on knowledge about strongly connected components
¹⁶ Hahn et al. (2015), Lazy Probabilistic Model Checking without Determinisation, [10].

In Chapter 8 we present a specialized algorithm for complementation of semi-deterministic Büchi automata. For a semi-deterministic Büchi automaton with $n$ states our algorithm creates an unambiguous Büchi automaton with at most $4^n$ states that recognizes the complement of the language of the input automaton. Besides the theoretical result, this algorithm was successfully used to speed up termination analysis in the Ultimate Büchi Automizer.

1.2 Author's publications and his contribution

1.2.1 Core of the Thesis

Each of Chapters 3–8 is based on a conference publication co-authored by me. I list the publications and discuss my contribution, respecting the order of the chapters.

SPIN 2014 František Blahoudek, Alexandre Duret-Lutz, Mojmír Křetínský, and Jan Strejček. Is there a Best Büchi Automaton for Explicit Model Checking? [11].
My contribution: Participated in discussions, performed all experiments, participated in writing of the main body. 30%

SPIN 2015 František Blahoudek, Alexandre Duret-Lutz, Vojtěch Rujbar, and Jan Strejček. On Refinement of Büchi Automata for Explicit Model Checking [12].
My contribution: Participated in discussions, on experiments, and on writing of the main body. 25%

ATVA 2013 Tomáš Babiak, František Blahoudek, Mojmír Křetínský, and Jan Strejček. Effective Translation of LTL to Deterministic Rabin Automata: Beyond the (F, G)-Fragment [13].
My contribution: Participated in discussions, formulated the main algorithms and devised and wrote most of the proofs. Marginally collaborated on implementation and performed all experiments. Participated in writing of the main body. 50%

LPAR 2013 František Blahoudek, Mojmír Křetínský, and Jan Strejček. Comparison of LTL to Deterministic Rabin Automata Translators [14].
My contribution: Participated in discussions, performed all experiments, participated in writing of the main body. 55%

LPAR 2017 František Blahoudek, Alexandre Duret-Lutz, Mikuláš Klokočka, Mojmír Křetínský, and Jan Strejček. Seminator: A Tool for Semi-Determinization of Omega-Automata [15].
My contribution: Participated in discussions and in formulation of algorithms, participated in writing the paper. Marginally participated in implementation and performed all experiments. 30%

TACAS 2016 František Blahoudek, Matthias Heizmann, Sven Schewe, Jan Strejček, and Ming-Hsien Tsai. Complementing Semi-deterministic Büchi Automata [16].
My contribution: Participated in discussions and together with Sven Schewe formulated the algorithm. Substantially participated in writing the paper, performed the data analysis and prepared the final version of the experimental evaluation. 25%

The thesis is based on these conference papers. However, some of the material was completely rewritten and some parts were substantially extended. In particular, the thesis uses a definition of ω-automata that relies on acceptance marks and an Emerson-Lei acceptance condition in formal constructions. In comparison to ATVA 2013 [13], the proofs in Chapter 5 have been reformulated using new terminology and the concept of escaping multitransitions. The degeneralization of Rabin automata was completely rewritten. The comparison of tools from LPAR 2013 [14] has been fully rewritten and revised. New tools have been included (determinization methods of Spot, Rabinizer 3, Rabinizer 4, LTL3TELA) and those that did not perform well in LPAR 2013 [14] have been omitted. The presentation of material from LPAR 2017 [15] has been completely rewritten, enhanced with formal descriptions of more algorithms, with illustrations and with proofs. Moreover, the SCC-aware optimization has been described and implemented. New versions of Seminator and of other tools have been used in the experimental evaluation.

Tools. The research done for this thesis has impact on several tools from the community. LTL3DRA¹⁷ is an implementation of the translation of LTL to deterministic ω-automata presented in ATVA 2014 [13]. Seminator¹⁸ implements all algorithms described in Chapter 7 and it was presented in LPAR 2017 [15]. The methods developed for SPIN 2015 [12] were added to Spot.¹⁹ The complementation algorithm described in TACAS 2016 [16] is implemented in GOAL²⁰ and Ultimate Büchi Automizer.²¹

¹⁷ https://github.com/xblahoud/ltl3dra
¹⁸ https://github.com/mklokocka/seminator/
¹⁹ https://spot.lrde.epita.fr/
²⁰ http://goal.im.ntu.edu.tw/
²¹ http://ultimate.informatik.uni-freiburg.de/

1.2.2 Other Publications and Projects

Hanoi Omega-Automata (HOA) Format. The HOA format²² is a flexible textual exchange format for ω-automata. It enables one to express deterministic, nondeterministic, or alternating automata in a uniform, human-readable, and succinct way. The HOA format supports various structural variants such as labels on states or transitions and state-based or transition-based acceptance. Every ω-automaton is equipped with an Emerson-Lei acceptance condition (a Boolean formula over the acceptance primitives infinitely often and finitely often) which can express all acceptance conditions mentioned so far and more. The format was presented at the conference CAV 2015:

²² The full specification of the format, including some examples, can be found at https://adl.github.io/hoaf/

CAV 2015 Tomáš Babiak, František Blahoudek, Alexandre Duret-Lutz, Joachim Klein, Jan Křetínský, David Müller, David Parker, and Jan Strejček. The Hanoi Omega-Automata Format [17].

Translation of LTL into Transition-based Emerson-Lei Automata (TELA). We have created LTL3TELA,²³ which is a translator of LTL to (possibly nondeterministic) TELA. Similarly to LTL3BA and LTL3DRA, the translation uses alternating automata as an intermediate step. This experimental approach to LTL translation addresses the trade-off between the complexity of the acceptance condition and the size of ω-automata: in comparison to Spot or LTL3BA it can produce smaller ω-automata with acceptance conditions that are usually harder to check.

²³ https://github.com/jurajmajor/ltl3tela

2 Preliminaries

This chapter introduces ω-automata and Linear Temporal Logic (LTL).

Alphabets. An alphabet is a finite set of letters. We use two types of alphabets. In classical alphabets, letters are symbols, like in $\Sigma = \{a, b, c\}$. Letters in propositional alphabets are subsets of a finite set of atomic propositions; if $AP = \{a, b\}$ is a set of atomic propositions, $\Sigma = 2^{AP} = \{\emptyset, \{a\}, \{b\}, \{a, b\}\}$ is a propositional alphabet over $AP$. We usually use the symbol α to reference the letters of an alphabet.

Infinite words. An infinite word (or simply word) over Σ is an infinite sequence of letters $u = u_0 u_1 u_2 \ldots \in \Sigma^\omega$. By $u_{i..}$ we denote the $i$th suffix $u_{i..} = u_i u_{i+1} \ldots$ of $u$.

2.1 ω-automata

ω-automata are finite automata over infinite words. The thesis does not cover automata over finite words and thus we also use the term automata to reference ω-automata. An ω-automaton is always equipped with some acceptance condition, typically Büchi, Rabin, Streett, or parity. Even though the acceptance conditions of all automata used throughout the thesis could be classified as more or less standard, for clarity reasons our definition follows the approach of the Hanoi Omega-Automata (HOA) format¹ and uses acceptance marks and acceptance formulae to describe the acceptance mechanism of automata. To clearly distinguish between the automaton structure and its acceptance mechanism, we start with the definition of a semiautomaton.

¹ Babiak et al. (2015), The Hanoi Omega-Automata Format, [17], see also https://adl.github.io/hoaf/.

Semiautomata. A semiautomaton is a tuple $T = (S, \Sigma, \delta, s_I)$, where $S$ is a finite set of states, Σ is an alphabet, $\delta \subseteq S \times \Sigma \times S$ is a transition relation, and $s_I \in S$ is the initial state. A triple $t = (s, \alpha, s') \in \delta$ is a transition of $s$ leading to $s'$ under α, and we also say that α is the label of $t$. A state $s'$ is reachable from $s$ in $T$, denoted by $s \rightsquigarrow_T s'$, iff there exists a sequence of transitions $(s_0, \alpha_0, s_1) \ldots (s_{k-1}, \alpha_{k-1}, s_k)$ such that $s_0 = s$ and $s_k = s'$. We use $s \leftrightsquigarrow_T s'$ to denote the fact that $s$ and $s'$ are mutually reachable. We write $s \rightsquigarrow s'$ and $s \leftrightsquigarrow s'$ instead of $s \rightsquigarrow_T s'$ and $s \leftrightsquigarrow_T s'$ when $T$ is clear from context.

SCC. A strongly connected component (SCC) $C \subseteq S$ is a set of states that are all mutually reachable. An SCC $C$ is maximal if no state outside $C$ is mutually reachable with states from $C$. For each automaton there is a unique decomposition of the states into maximal strongly connected components.

Determinism. A state $s \in S$ is deterministic in δ if it has at most one transition under α in δ for each $\alpha \in \Sigma$. An SCC is deterministic if it consists of deterministic states only, and finally, a semiautomaton $T$ and the transition relation δ are deterministic if all states from $S$ are deterministic in δ.

Runs. A run of a semiautomaton $T$ over a word $u = u_0 u_1 \ldots \in \Sigma^\omega$ is an infinite sequence $\sigma = (s_0, u_0, s_1)(s_1, u_1, s_2) \ldots \in \delta^\omega$ of transitions such that $s_0 = s_I$. A deterministic semiautomaton has at most one run for each word $u \in \Sigma^\omega$.

ω-automata. An ω-automaton is a semiautomaton with marks on states or transitions and with an acceptance formula; the marks together with the acceptance formula say which runs of the semiautomaton are accepting. Formally, an ω-automaton is a tuple $\mathcal{A} = (S, \Sigma, \delta, s_I, M, \mu, \Phi)$ where $(S, \Sigma, \delta, s_I)$ is a semiautomaton, $M$ is a finite set of marks, $\mu\colon M \to 2^{S \cup \delta}$ is a function that places marks on states and transitions, and finally Φ is an acceptance formula. We say that a transition or a state has a mark $m \in M$ if it is a member of $\mu(m)$. The acceptance formula is a positive Boolean combination of terms $\mathrm{Inf}\,m$ and $\mathrm{Fin}\,m$ where $m$ ranges over the set of marks $M$. The intuitive meaning of $\mathrm{Inf}\,m$ is to visit $m$ infinitely often and that of $\mathrm{Fin}\,m$ is to visit $m$ only finitely often. For example, a generalized Büchi condition with two marks is expressed as $\mathrm{Inf}\,1 \wedge \mathrm{Inf}\,2$.

Semantics. The semiautomaton defines the runs of $\mathcal{A}$, and the acceptance marks and formula give semantics to these runs. Let σ be a run of $\mathcal{A}$. $\mathrm{Rec}(\sigma)$ is the set of states and transitions that appear infinitely often (recurrently) in the run. The marks of σ are the marks placed on states and transitions from $\mathrm{Rec}(\sigma)$; more precisely, $\mathrm{marks}(\sigma) = \{\, m \mid \mu(m) \cap \mathrm{Rec}(\sigma) \neq \emptyset \,\}$. The run σ satisfies $\mathrm{Inf}\,m$ if $m \in \mathrm{marks}(\sigma)$ and it satisfies $\mathrm{Fin}\,m$ if $m \notin \mathrm{marks}(\sigma)$.² The run is accepting if it satisfies Φ. The language of $\mathcal{A}$ is the set $L(\mathcal{A})$ of all words $u \in \Sigma^\omega$ such that $\mathcal{A}$ has an accepting run over $u$.

² In this thesis we use a unique mark for each term of Φ and by convention we use circles for marks that appear in Inf-terms and squares for those in Fin-terms.

Visualisation. We draw automata as in Figure 2.1. States are represented by nodes; the initial state has an incoming edge from empty space, the acceptance formula is in the yellow box below the automaton itself, and transitions are depicted as edges. If the automaton has a propositional alphabet, transitions between two states that have identical marks but different labels are merged into one edge. The edge is labelled by a Boolean formula over atomic propositions in condensed notation; the label is satisfied by exactly the labels of the merged transitions. For example, the label $\bar{a}b$ in the right automaton with $\Sigma = 2^{\{a, b\}}$ stands for $\neg a \wedge b$ and represents the unique transition under $\{b\}$, and any edge of the left automaton with label $\bar{b}$ represents transitions under $\{a\}$ and $\emptyset$. Sometimes a green box provides the corresponding LTL formula, as in the case of the right automaton. Names of automata are typeset using a calligraphic alphabet and are enclosed in parentheses in figures. The condensed notation omits conjunctions and uses $\bar{a}$ for $\neg a$. Tools that manipulate or generate automata usually also merge transitions into edges (both internally and for input/output). An edge is then a triple $(s, l, s')$ where $l$ is the edge-label.

Figure 2.1: Three automata for the LTL formula $\mathrm{FG}a \vee (\mathrm{GF}b \wedge \mathrm{GF}\bar{b})$. From left to right: Büchi with marks on states (acceptance formula $\mathrm{Inf}\,\bigcirc$), generalized Büchi with marks on transitions (acceptance formula $\mathrm{Inf}\,0 \wedge \mathrm{Inf}\,1$), and deterministic generalized Rabin with marks on transitions (acceptance formula $\mathrm{Fin}\,0 \vee (\mathrm{Inf}\,1 \wedge \mathrm{Inf}\,2)$).

Standard acceptance conditions. We can express all standard acceptance conditions in our setting; some examples can be seen above in Figure 2.1. We do not distinguish explicitly between state-based and transition-based acceptance³ (we even allow mixing them). For Büchi and co-Büchi automata we need only one mark and the corresponding acceptance formulae are $\mathrm{Inf}\,\bigcirc$ and $\mathrm{Fin}\,\square$, respectively; for generalized Büchi with $k$ acceptance sets we need $k$ marks and the formula is $\bigwedge_{i=0}^{k-1} \mathrm{Inf}\,\bigcirc_i$. For a Rabin automaton with $h$ Rabin pairs we need $2h$ marks and the formula is $\bigvee_{k=0}^{h-1} (\mathrm{Fin}\,\square_k \wedge \mathrm{Inf}\,\bigcirc_k)$. A Rabin pair is a conjunction of a co-Büchi and a Büchi condition; in a generalized Rabin pair the Büchi part is replaced by generalized Büchi, and thus the acceptance formula for generalized Rabin automata is $\bigvee_{k \in K} (\mathrm{Fin}\,\square_k \wedge \bigwedge_{j \in J_k} \mathrm{Inf}\,\bigcirc_j)$.

³ State-based automata have marks only on states while transition-based automata have marks on transitions.

Abbreviations. We often need to refer to automata that have certain properties. As their description can be rather long, we use abbreviations for automata types. The type of an automaton is determined by the following three properties.

- determinism: Deterministic [D], Nondeterministic [N], semi-deterministic [sd], cut-deterministic [cd]
- the placement of marks: transitions [T], states [S]
- acceptance condition: Büchi [B], generalized Büchi [GB], Rabin [R], generalized Rabin [GR]

In abbreviations, we use the same order as in the list and add an A which stands for automaton (or automata, depending on the context). We leave out those properties that are not of interest. For example, the abbreviation BA denotes Büchi automata and DTGRA denotes deterministic generalized Rabin automata with marks on transitions.

Expressibility remark. The definition of an automaton used in this thesis allows, for each label $\alpha \in \Sigma$, at most one transition between two states. In the HOA format you can also describe automata that have more such transitions which differ in the marks they carry. Such automata are not expressible by our definition. That is on purpose, as it simplifies the presentation of most of the material, and we also do not lose anything. Indeed, more transitions between two states are only useful for automata with some Fin-terms in the acceptance formula and marks on transitions. We use such automata only in Part II, where all these automata are deterministic. Finally, no choice between transitions is permitted anyway in deterministic automata.
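The definitions of this section carried out in code, as an added example that is not code from the thesis or from any tool it mentions: a deterministic ω-automaton with marks on states or transitions and an Inf/Fin acceptance formula, with Rec(σ), marks(σ) and acceptance evaluated on the unique run over an ultimately periodic word. The two automata, their state and mark names, and the tuple encoding of Φ are constructed for this example; the one-state DTGRA recognizes the language of Figure 2.1, $\mathrm{FG}a \vee (\mathrm{GF}b \wedge \mathrm{GF}\bar{b})$.

```python
from dataclasses import dataclass
from itertools import product
# An omega-automaton as defined above: a semiautomaton (S, Sigma, delta, s_I), a function
# mu placing marks on states and transitions, and an acceptance formula Phi over Inf/Fin
# terms. Runs are handled as lassos (prefix + repeated cycle of transitions), enough to
# compute Rec(sigma) and marks(sigma). The automata below are constructed for this example.

@dataclass
class OmegaAutomaton:
    states: set
    alphabet: set   # letters are frozensets of atomic propositions
    delta: set      # transitions (s, alpha, s')
    init: str
    mu: dict        # mark -> set of states and/or transitions carrying it
    acc: tuple      # Phi: ("Inf", m), ("Fin", m), ("and", f, g, ...), ("or", f, g, ...)

def propositional_alphabet(ap):
    """Sigma = 2^AP as a set of frozensets."""
    return {frozenset(p for p, on in zip(ap, bits) if on)
            for bits in product((False, True), repeat=len(ap))}

def is_deterministic(aut):
    """Every state has at most one transition under each letter."""
    keys = [(s, alpha) for s, alpha, _ in aut.delta]
    return len(keys) == len(set(keys))

def satisfies(phi, marks):
    """Does a run with mark set `marks` satisfy the acceptance formula phi?"""
    op = phi[0]
    if op == "Inf":
        return phi[1] in marks        # visited infinitely often
    if op == "Fin":
        return phi[1] not in marks    # visited only finitely often
    if op in ("and", "or"):
        return (all if op == "and" else any)(satisfies(f, marks) for f in phi[1:])
    raise ValueError(f"unknown operator {op!r}")

def lasso_run(aut, prefix, cycle):
    """The unique run of a deterministic automaton over prefix . cycle^omega as a pair
    (run_prefix, run_cycle) of transition lists, or None if the run gets stuck."""
    assert is_deterministic(aut), "runs of nondeterministic automata are not unique"
    step = {(s, alpha): (s, alpha, t) for s, alpha, t in aut.delta}
    trans, state, boundary, letters = [], aut.init, {}, list(prefix)
    while True:
        for alpha in letters:
            if (state, alpha) not in step:
                return None
            trans.append(step[state, alpha])
            state = trans[-1][2]
        # After the prefix, feed the cycle until the state at a cycle boundary repeats
        # (at most |S| rounds); the transitions between its two visits form the run's cycle.
        if state in boundary:
            start = boundary[state]
            return trans[:start], trans[start:]
        boundary[state] = len(trans)
        letters = list(cycle)

def marks_of(aut, run_cycle):
    """marks(sigma) = { m | mu(m) ∩ Rec(sigma) ≠ ∅ }, with Rec(sigma) the states and
    transitions occurring infinitely often, i.e. those on the cycle of the run."""
    recurrent = set(run_cycle) | {s for s, _, _ in run_cycle}
    return {m for m, placed in aut.mu.items() if placed & recurrent}

def accepts(aut, prefix, cycle):
    """Is prefix . cycle^omega in L(A)? (deterministic A only)"""
    run = lasso_run(aut, prefix, cycle)
    return run is not None and satisfies(aut.acc, marks_of(aut, run[1]))

SIGMA = propositional_alphabet(("a", "b"))
LOOPS = {("q", alpha, "q") for alpha in SIGMA}

# Constructed one-state DTGRA for FGa ∨ (GFb ∧ GF¬b): mark 0 on self-loops without a,
# mark 1 on those with b, mark 2 on those without b; Phi = Fin 0 ∨ (Inf 1 ∧ Inf 2).
DTGRA = OmegaAutomaton(
    states={"q"}, alphabet=SIGMA, delta=LOOPS, init="q",
    mu={0: {t for t in LOOPS if "a" not in t[1]},
        1: {t for t in LOOPS if "b" in t[1]},
        2: {t for t in LOOPS if "b" not in t[1]}},
    acc=("or", ("Fin", 0), ("and", ("Inf", 1), ("Inf", 2))))

# Constructed two-state DBA with a mark on state p1 for GFa: a letter containing a
# leads to p1, any other letter to p0; Phi = Inf dot.
DBA = OmegaAutomaton(
    states={"p0", "p1"}, alphabet=SIGMA, init="p0",
    delta={(s, alpha, "p1" if "a" in alpha else "p0") for s in ("p0", "p1") for alpha in SIGMA},
    mu={"dot": {"p1"}}, acc=("Inf", "dot"))
EMPTY, A, B = frozenset(), frozenset("a"), frozenset("b")

if __name__ == "__main__":
    print(accepts(DTGRA, [EMPTY], [A]))   # True: FGa holds
    print(accepts(DTGRA, [], [B, A]))     # True: GFb and GF¬b hold
    print(accepts(DTGRA, [], [B]))        # False
    print(accepts(DBA, [B, B], [A]))      # True: GFa holds
    print(accepts(DBA, [A], [EMPTY, B]))  # False: a occurs only once
```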

2.2 Linear temporal logic (LTL)

The syntax of LTL is defined by
$$\phi ::= \top \mid a \mid \neg\phi \mid \phi \vee \phi \mid \phi \wedge \phi \mid \mathrm{X}\phi \mid \phi \mathrel{\mathrm{U}} \phi,$$
where ⊤ stands for true, $a$ ranges over a countable set $\mathcal{AP}$ of atomic propositions, and X and U are temporal operators called next and until, respectively. LTL formulae are interpreted over infinite words over the propositional alphabet $\Sigma = 2^{AP}$, where $AP$ is a finite subset of $\mathcal{AP}$. We inductively define when a word $u$ satisfies a formula ϕ, written $u \models \phi$, as follows. We also use standard Boolean connectives (like → and ↔) in their usual meaning as shorthands.

$u \models \top$
$u \models a$ iff $a \in u_0$
$u \models \neg\phi$ iff $u \not\models \phi$
$u \models \phi_1 \vee \phi_2$ iff $u \models \phi_1$ or $u \models \phi_2$
$u \models \phi_1 \wedge \phi_2$ iff $u \models \phi_1$ and $u \models \phi_2$
$u \models \mathrm{X}\phi$ iff $u_{1..} \models \phi$
$u \models \phi_1 \mathrel{\mathrm{U}} \phi_2$ iff $\exists i \geq 0.\ (u_{i..} \models \phi_2 \text{ and } \forall 0 \leq j < i.\ u_{j..} \models \phi_1)$

Given an alphabet Σ, a formula ϕ defines the language $L_\Sigma(\phi) = \{\, u \in \Sigma^\omega \mid u \models \phi \,\}$. We write $L(\phi)$ instead of $L_{2^{AP(\phi)}}(\phi)$, where $AP(\phi)$ denotes the set of atomic propositions occurring in the formula ϕ. We define the derived unary temporal operators eventually (F), always (G), strict eventually ($\mathrm{F}_s$), strict always ($\mathrm{G}_s$), and the binary operator releases (R) by the following equivalences:

$\mathrm{F}\phi \equiv \top \mathrel{\mathrm{U}} \phi$
$\mathrm{G}\phi \equiv \neg\mathrm{F}\neg\phi$
$\mathrm{F}_s\phi \equiv \mathrm{X}\mathrm{F}\phi$
$\mathrm{G}_s\phi \equiv \mathrm{X}\mathrm{G}\phi$
$\phi_1 \mathrel{\mathrm{R}} \phi_2 \equiv \neg(\neg\phi_1 \mathrel{\mathrm{U}} \neg\phi_2)$

An LTL formula is in positive normal form if no operator occurs in the scope of any negation. Each LTL formula can be transformed to this form using De Morgan's laws for ∧ and ∨ and the following equivalences:

$\neg\mathrm{F}\psi \equiv \mathrm{G}\neg\psi$
$\neg\mathrm{G}\psi \equiv \mathrm{F}\neg\psi$
$\neg\mathrm{F}_s\psi \equiv \mathrm{G}_s\neg\psi$
$\neg\mathrm{G}_s\psi \equiv \mathrm{F}_s\neg\psi$
$\neg(\phi_1 \mathrel{\mathrm{R}} \phi_2) \equiv \neg\phi_1 \mathrel{\mathrm{U}} \neg\phi_2$
$\neg(\phi_1 \mathrel{\mathrm{U}} \phi_2) \equiv \neg\phi_1 \mathrel{\mathrm{R}} \neg\phi_2$
$\neg\mathrm{X}\phi \equiv \mathrm{X}\neg\phi$

We say that a formula is temporal if its topmost operator is neither a conjunction nor a disjunction; note that $a$ and $\neg a$ are also temporal formulae.
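The semantics of ⊨, the derived operators and the positive-normal-form rewriting above, implemented as an added example (not code from the thesis or from any of its tools) over ultimately periodic words, on which every suffix can be inspected in finite time. The tuple encoding of formulas, the class LassoWord and the sample words are constructed for this example.

```python
# LTL on ultimately periodic words u = prefix . cycle^omega, following the inductive
# definition of |= above; the derived operators F, G, Fs, Gs, R are expanded with the
# equivalences given there and to_pnf applies the positive-normal-form rewriting. Formulas
# are nested tuples such as ("U", ("ap", "a"), ("X", ("ap", "b"))), letters are frozensets
# of atomic propositions. Added example; not code from the thesis or its tools.

TRUE = ("true",)

def desugar(phi):
    """F phi = true U phi, G phi = not F not phi, Fs phi = X F phi, Gs phi = X G phi,
    phi1 R phi2 = not (not phi1 U not phi2); the result uses only the core syntax."""
    op = phi[0]
    if op in ("true", "ap"):
        return phi
    args = [desugar(f) for f in phi[1:]]
    if op == "F":
        return ("U", TRUE, args[0])
    if op == "G":
        return ("not", ("U", TRUE, ("not", args[0])))
    if op in ("Fs", "Gs"):
        return ("X", desugar((op[0], args[0])))
    if op == "R":
        return ("not", ("U", ("not", args[0]), ("not", args[1])))
    return (op, *args)

class LassoWord:
    def __init__(self, prefix, cycle):
        assert cycle, "the repeated part must not be empty"
        self.prefix, self.cycle = list(prefix), list(cycle)

    def norm(self, i):
        """Smallest position j with u_j.. = u_i.. (suffixes repeat along the cycle)."""
        p, c = len(self.prefix), len(self.cycle)
        return i if i < p else p + (i - p) % c

    def letter(self, i):
        i, p = self.norm(i), len(self.prefix)
        return self.prefix[i] if i < p else self.cycle[i - p]

    def holds(self, phi, i=0):
        """u_i.. |= phi"""
        return self._holds(desugar(phi), self.norm(i))

    def _holds(self, phi, i):
        op = phi[0]
        if op == "true":
            return True
        if op == "ap":
            return phi[1] in self.letter(i)
        if op == "not":
            return not self._holds(phi[1], i)
        if op in ("or", "and"):
            left, right = self._holds(phi[1], i), self._holds(phi[2], i)
            return (left or right) if op == "or" else (left and right)
        if op == "X":
            return self._holds(phi[1], self.norm(i + 1))
        if op == "U":
            # All suffixes u_k.. with k >= i occur before max(i, |prefix|) + |cycle|, so the
            # witness k of "exists k >= i" is searched in that window; phi1 must hold before it.
            for k in range(i, max(i, len(self.prefix)) + len(self.cycle)):
                if self._holds(phi[2], self.norm(k)):
                    return True
                if not self._holds(phi[1], self.norm(k)):
                    return False
            return False
        raise ValueError(f"unknown operator {op!r}")

DUAL = {"or": "and", "and": "or", "F": "G", "G": "F", "Fs": "Gs", "Gs": "Fs",
        "U": "R", "R": "U", "X": "X"}

def to_pnf(phi):
    """Positive normal form: negations are pushed to atomic propositions with De Morgan's
    laws and not F = G not, not G = F not, not Fs = Gs not, not Gs = Fs not, not X = X not,
    not (phi1 U phi2) = not phi1 R not phi2, not (phi1 R phi2) = not phi1 U not phi2."""
    if phi[0] != "not":
        return phi if phi[0] in ("true", "ap") else (phi[0], *map(to_pnf, phi[1:]))
    inner = phi[1]
    if inner[0] in ("true", "ap"):
        return phi
    if inner[0] == "not":
        return to_pnf(inner[1])
    return (DUAL[inner[0]], *(to_pnf(("not", f)) for f in inner[1:]))

# Constructed inputs: the formula of Figure 2.1, FGa ∨ (GFb ∧ GF¬b), and three words.
A, B = ("ap", "a"), ("ap", "b")
PHI = ("or", ("F", ("G", A)), ("and", ("G", ("F", B)), ("G", ("F", ("not", B)))))
W1 = LassoWord([frozenset()], [frozenset("a")])        # {} {a}^omega     : FGa holds
W2 = LassoWord([], [frozenset("b"), frozenset("a")])    # ({b}{a})^omega   : GFb and GF¬b hold
W3 = LassoWord([], [frozenset("b")])                    # {b}^omega        : neither holds

if __name__ == "__main__":
    print([w.holds(PHI) for w in (W1, W2, W3)])                     # [True, True, False]
    print([w.holds(to_pnf(("not", PHI))) for w in (W1, W2, W3)])    # [False, False, True]
    print(W1.holds(("Gs", A)), W1.holds(("G", A)))                   # True False
```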

Part I
HOW BÜCHI AUTOMATA INFLUENCE EXPLICIT MODEL CHECKING

3 Is There a Best Büchi Automaton for Spin?

Model Checking

In the traditional view, the model checking¹ problem decides whether a given system is a model of a given formula, that is, whether all behaviours of the system satisfy the formula. We see model checking as a tool that decides whether or not the system has an erroneous behaviour: we start with a formula ϕ that describes the erroneous behaviour² and we consider the system correct if no behaviour of the system satisfies ϕ. Model checking of LTL expects that ϕ is an LTL formula. The automata-theoretic approach³ to model checking relies on automata to internally represent both the specification and the system; it usually proceeds in the following four steps, as illustrated by Figure 3.1.

¹ Baier and Katoen (2008), Principles of Model Checking, [18].
² We can simply negate the input formula to switch between the two views.
³ Vardi (1995), An Automata-Theoretic Approach to Linear Temporal Logic, [19].

1. Build the state space $\mathcal{S}$; the state space represents all possible executions of the system to be verified,
2. translate the LTL formula ϕ into a Büchi automaton⁴ $\mathcal{A}_\phi$ that accepts all faulty behaviours,
3. build the synchronous product $\mathcal{S} \otimes \mathcal{A}_\phi$ of the system and the automaton; the product represents all behaviours of $\mathcal{S}$ that conform to $\mathcal{A}_\phi$ and ϕ and thus are erroneous, and finally
4. check this product for emptiness.

⁴ also called property automaton

Figure 3.1: Automata-theoretic approach to model checking. An implicit description of the considered system yields the state space $\mathcal{S}$; the specification of erroneous behaviours as an LTL formula ϕ yields the automaton $\mathcal{A}_\phi$; the model checker builds $\mathcal{S} \otimes \mathcal{A}_\phi$ and decides whether $L(\mathcal{S} \otimes \mathcal{A}_\phi) = \emptyset$: YES means verified, NO comes with a counterexample.

Although we anticipate here a specification as an LTL formula, we may generalize many results of this part to applications where the erroneous behaviours are given directly as Büchi automata or in another formalism that can be converted into automata.

The automata approach effectively reduces the problem of model checking to the problem of language emptiness for Büchi automata; indeed, the main work of a model checker consists of building the product and checking its language for emptiness. If $L(\mathcal{S} \otimes \mathcal{A}_\phi)$ is empty, then we can consider $\mathcal{S}$ to be safe with respect to ϕ. On the other hand, if the product $\mathcal{S} \otimes \mathcal{A}_\phi$ accepts a word $w$, then we have a concrete example of the erroneous behaviour of $\mathcal{S}$; in the traditional view of model checking, $w$ is known as a counterexample.

Spin⁵ is a successful explicit model checker that relies on the automata approach. The word explicit emphasises the fact that it explicitly enumerates all the states of $\mathcal{S}$ and of the product $\mathcal{S} \otimes \mathcal{A}_\phi$ and stores them in memory. The explicit approach often suffers from the so-called state space explosion problem: the product is simply too large to be stored in memory or takes too long to analyze. Many model checkers (including Spin) perform steps 3 and 4 simultaneously; they build the product on-the-fly according to the needs of the emptiness check. In this way, the model checkers build and store only the relevant part of the product. To fight the state space explosion problem, developers of model checkers implemented many other methods to handle the given product more effectively.⁶

⁵ Holzmann (1997), The Model Checker SPIN, [20]; Holzmann (2003), The SPIN Model Checker: Primer and Reference Manual, [21].
⁶ See Pelánek (2008), Fighting State Space Explosion: Review and Evaluation, [22], for a nice review.

When you want to make the product smaller, you have to focus on the property automaton $\mathcal{A}_\phi$; the system is given. This is where the LTL-to-BA translators come into play. There are many algorithms and tools for translating LTL formulae into Büchi automata, and they produce various language-equivalent automata. For instance, Figure 3.5 on page 36 shows several Büchi automata for the LTL formula $\mathrm{GF}a \wedge \mathrm{GF}b$.⁷ This chapter addresses the following question: should one be preferred over the others? To pick the best automaton for a given formula is more than difficult; it is even impossible if we do not know what $\mathcal{S}$ looks like.

⁷ This and the following chapter deal mainly with Büchi automata with marks on states. Therefore, we use the classic convention for their visualization: the accepting states are marked with a double circle and we omit the acceptance formula.

The intuition that a smaller $\mathcal{A}_\phi$ produces a smaller synchronous product $\mathcal{S} \otimes \mathcal{A}_\phi$ is not always correct.⁸ We discuss various approaches to product reductions considered previously by authors of LTL-to-BA translators or of automata reductions in Section 3.2. The property automaton influences not only the number of states or transitions in the product. The automaton can also heavily influence the emptiness check (step 4). Before we discuss how the emptiness check depends on the property automaton, we have to understand how the emptiness check of Spin works. From the variety of possible emptiness check algorithms, Spin chooses Nested Depth-First Search (NDFS).⁹

⁸ See Figure 3.3 on page 34 for an example.
⁹ Holzmann, Peled, and Yannakakis (1996), On Nested Depth First Search, [23].

Nested Depth-First Search (NDFS)

To check the language emptiness of the product $\mathcal{S} \otimes \mathcal{A}_\phi$, Spin has to search for a cycle that is reachable from the initial state and that contains at least one accepting state. By default, Spin uses an algorithm that is based on two nested depth-first searches: blue and red. The blue DFS plays the leading role. It explores the product and every time it would backtrack from an accepting state $s$,¹⁰ it starts a red DFS from $s$. If the red DFS reaches any state on the blue DFS search stack, then a reachable accepting cycle is found¹¹ and the algorithm reports it as a counterexample. Otherwise, the red DFS terminates and the blue DFS can continue. The two DFSs always ignore states that have been completely explored by an instance of the red DFS, so a state is never visited more than twice. Spin utilizes an extra optimization: if the blue DFS hits its own search stack by following a transition that is either going to or coming from an accepting state, Spin reports an accepting cycle without even starting any red DFS.¹²

¹⁰ We backtrack from $s$ after all successors of $s$ have been explored by the blue DFS.
¹¹ Since $s$ is reachable from all states on the blue DFS search stack.
¹² Gastin, Moro, and Zeitoun (2004), Minimization of Counterexamples in SPIN, [24]; Schwoon and Esparza (2005), A Note on On-the-Fly Verification Algorithms, [25].

Now we are ready to see that the number of states or transitions is not always relevant: ultimately, only the part of the product that is explored by the emptiness check matters. Some authors of automata optimizations or LTL-to-BA translation improvements also provide run times of a selected emptiness check executed on the product of the obtained automata and either random state spaces or a few realistic systems.¹³ Etessami and Holzmann even complained that the relation between the size of $\mathcal{A}_\phi$ and the run time of the model checking procedure was difficult to predict, especially in the presence of a counterexample. When a counterexample exists in the product, the emptiness check may report it more or less rapidly depending on the order in which the NDFS explores the transitions of the product. With any luck, the first transition selected at each step of the DFS will lead to an accepting cycle. Conversely, the first transitions followed might lead to a huge component of the product that just turns out to be a dead end, and from which the emptiness check has to backtrack before finding the counterexample. The selected transition order in $\mathcal{S} \otimes \mathcal{A}_\phi$ depends on the order of the transitions in the property automaton $\mathcal{A}_\phi$. Previous attempts to explore reordering of the transitions of $\mathcal{A}_\phi$ to help the emptiness check have been inconclusive.¹⁴ Furthermore, the swarming techniques¹⁵ used nowadays make this topic even less attractive: in these approaches, several threads compete to find a counterexample in $\mathcal{S} \otimes \mathcal{A}_\phi$ using different, random transition orders for $\mathcal{A}_\phi$. Therefore, we do not address the question of the transition order.

¹³ Etessami and Holzmann (2000), Optimizing Büchi Automata, [26]; Dax, Eisinger, and Klaedtke (2007), Mechanizing the Powerset Construction for Restricted Classes of ω-Automata, [27], for example.
¹⁴ Geldenhuys and Valmari (2005), More Efficient On-the-Fly LTL Verification with Tarjan's Algorithm, [28].
¹⁵ Holzmann, Joshi, and Groce (2011), Swarm Verification Techniques, [29].

As the previous two paragraphs and Figure 3.3 document, methods that aim mainly at the size and determinism of the automata cannot be universal, and we cannot hope for a best automaton for all verification tasks with the same specification. Therefore we focus on other aspects that are helpful for Nested Depth First Search (NDFS), the emptiness check of Spin. To gain a better insight into the characteristics of automata that work well with Spin, we look at concrete examples of how formulae are translated into automata differently by existing tools and how these automata influence NDFS.
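The blue/red search described above, as an added example that is not Spin's code: an NDFS over an explicitly given graph that reports a reachable accepting lasso (or None), counts the states each search enters, and includes Spin's shortcut; the two constructed products show that the transition order changes the explored part of the product and that some accepting cycles are found only by the red DFS. The graphs, state names and the `is_accepting_lasso` check are constructed for this example.

```python
# Nested depth-first search as described above: the blue DFS leads, starts a red DFS each
# time it is about to backtrack from an accepting state, and the red DFS reports a cycle as
# soon as it reaches a state on the blue search stack; Spin's shortcut reports a cycle
# without any red DFS when the blue DFS hits its own stack via a transition that leaves or
# enters an accepting state. The products are constructed for this example and the code is
# not Spin's; the transition order is the order of the successor lists.

def ndfs(succ, init, accepting):
    """Emptiness check of a Büchi automaton (here: a product) given as an explicit graph.

    succ maps a state to the list of its successors, followed in that order; accepting is
    the set of accepting states. Returns (counterexample, stats): the counterexample is
    (prefix, cycle) of a reachable accepting lasso or None, stats counts the states entered
    by each of the two searches (no state is entered more than once per search)."""
    blue_seen, red_seen = set(), set()   # entered by the blue DFS / explored by a red DFS
    stack, on_stack = [], set()          # the blue DFS search stack
    stats = {"blue": 0, "red": 0}

    def lasso(t, tail):
        # The stack is a path init .. t .. s; closing it at t through `tail` yields a lasso.
        i = stack.index(t)
        return stack[:i], stack[i:] + tail

    def red(s, tail):
        stats["red"] += 1
        red_seen.add(s)
        for t in succ.get(s, ()):
            if t in on_stack:                 # t reaches the accepting seed (top of the
                return lasso(t, tail)         # stack), which reaches s, which reaches t
            if t not in red_seen:
                found = red(t, tail + [t])
                if found:
                    return found
        return None

    def blue(s):
        stats["blue"] += 1
        blue_seen.add(s)
        stack.append(s)
        on_stack.add(s)
        for t in succ.get(s, ()):
            if t in on_stack and (s in accepting or t in accepting):
                return lasso(t, [])           # Spin's shortcut: no red DFS needed
            if t not in blue_seen and t not in red_seen:
                found = blue(t)
                if found:
                    return found
        found = red(s, []) if s in accepting else None   # about to backtrack from s
        stack.pop()
        on_stack.discard(s)
        return found

    return blue(init), stats

def is_accepting_lasso(succ, init, accepting, prefix, cycle):
    """Independent check of a reported counterexample: prefix.cycle is a path from init,
    the last state of the cycle has an edge back to its first state, and the cycle
    contains an accepting state."""
    path = prefix + cycle
    edges_ok = all(b in succ.get(a, ()) for a, b in zip(path, path[1:]))
    return bool(cycle) and path[0] == init and edges_ok \
        and cycle[0] in succ.get(cycle[-1], ()) and any(s in accepting for s in cycle)

# Constructed product 1: the first successor of s0 leads into the dead-end component
# {s1, s2} without accepting states, the second one into the accepting cycle {s3, s4}.
PRODUCT_1 = {"s0": ["s1", "s3"], "s1": ["s2"], "s2": ["s1"], "s3": ["s4"], "s4": ["s3"]}
ACC_1 = {"s4"}
# The same product with the two transitions of s0 swapped: only the order differs.
PRODUCT_1_SWAPPED = dict(PRODUCT_1, s0=["s3", "s1"])

# Constructed product 2: the accepting cycle z -> a -> y -> z is closed by the transition
# y -> z between two non-accepting states while z is on the stack, so the shortcut does
# not fire and only the red DFS started when backtracking from a finds the cycle.
PRODUCT_2 = {"s0": ["z"], "z": ["a", "y"], "a": ["y"], "y": ["z"]}
ACC_2 = {"a"}

if __name__ == "__main__":
    for name, graph, acc in (("product 1", PRODUCT_1, ACC_1),
                             ("product 1, swapped", PRODUCT_1_SWAPPED, ACC_1),
                             ("product 2", PRODUCT_2, ACC_2)):
        found, stats = ndfs(graph, "s0", acc)
        assert found is None or is_accepting_lasso(graph, "s0", acc, *found)
        print(f"{name}: counterexample={found} states entered={stats}")
```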