Timo Latvala. March 7, 2004

Similar documents
Efficient Model Checking of Safety Properties

Automata-based Verification - III

ω-automata Automata that accept (or reject) words of infinite length. Languages of infinite words appear:

Timo Latvala. February 4, 2004

Logic Model Checking

Chapter 3: Linear temporal logic

Automata-based Verification - III

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

Compositional Reasoning

Alan Bundy. Automated Reasoning LTL Model Checking

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

PSL Model Checking and Run-time Verification via Testers

The State Explosion Problem

CDS 270 (Fall 09) - Lecture Notes for Assignment 8.

T Reactive Systems: Temporal Logic LTL

Model Checking of Safety Properties

Automatic Synthesis of Distributed Protocols

Course Runtime Verification

Efficient Model Checking of Safety Properties

Automata on Infinite words and LTL Model Checking

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 95

Computer-Aided Program Design

Lecture 2 Automata Theory

LTL Model Checking. Wishnu Prasetya.

Sanjit A. Seshia EECS, UC Berkeley

Lecture 2 Automata Theory

From Liveness to Promptness

Classes and conversions

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications

LTL is Closed Under Topological Closure

Büchi Automata and Linear Temporal Logic

On the Succinctness of Nondeterminizm

Chapter 5: Linear Temporal Logic

A Symbolic Approach to Safety LTL Synthesis

Automata-Theoretic LTL Model-Checking

Introduction. Büchi Automata and Model Checking. Outline. Büchi Automata. The simplest computation model for infinite behaviors is the

Linear Temporal Logic and Büchi Automata

Linear-time Temporal Logic

Revisiting Synthesis of GR(1) Specifications

Specifying and Verifying Systems of Communicating Agents in a Temporal Action Logic

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

SETH FOGARTY AND MOSHE Y. VARDI

A Hierarchy for Accellera s Property Specification Language

Lecture 4 Model Checking and Logic Synthesis

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

2. Elements of the Theory of Computation, Lewis and Papadimitrou,

LTL Model Checking for Modular Petri Nets

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Runtime Verification of Safety-Progress Properties

MPRI 1-22 Introduction to Verification January 4, TD 6: Petri Nets

Lecture Notes on Emptiness Checking, LTL Büchi Automata

Theoretical Foundations of the UML

Chapter 5: Linear Temporal Logic

Robust Linear Temporal Logic

Chapter 4: Computation tree logic

Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication

COM364 Automata Theory Lecture Note 2 - Nondeterminism

Scenario Graphs and Attack Graphs

The Safety Simple Subset

Nondeterministic finite automata

Decision, Computation and Language

Reactive Synthesis. Swen Jacobs VTSA 2013 Nancy, France u

Temporal logics and model checking for fairly correct systems

Reachability Analysis of Conditional Pushdown Systems with Patterns

Finite Automata. BİL405 - Automata Theory and Formal Languages 1

Lecture Notes on Inductive Definitions

Büchi Automata and their closure properties. - Ajith S and Ankit Kumar

Takeaway Notes: Finite State Automata

Abstractions and Decision Procedures for Effective Software Model Checking

On Safety Properties and Their Monitoring

Runtime Verification. Grigore Roşu. University of Illinois at Urbana-Champaign

Automata-Theoretic Model Checking of Reactive Systems

Representing Arithmetic Constraints with Finite Automata: An Overview

Temporal Logic Model Checking

Lecture 3: Nondeterministic Finite Automata

Finite-State Model Checking

Further discussion of Turing machines

Automata-Theoretic Verification

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

Response property checking via distributed state space exploration

Recognizing Safety and Liveness by Alpern and Schneider

Lecture Notes on Inductive Definitions

Weak Alternating Automata Are Not That Weak

Advanced Automata Theory 7 Automatic Functions

Synthesis weakness of standard approach. Rational Synthesis

Generating Deterministic ω-automata for most LTL Formulas by the Breakpoint Construction

Tecniche di Specifica e di Verifica. Automata-based LTL Model-Checking

A Framework for Automated Competitive Analysis of On-line Scheduling of Firm-Deadline Tasks

Succinctness of the Complement and Intersection of Regular Expressions

Learning Regular ω-languages

Introduction to Formal Verification Methods Exercise 4

Automata Theory and Model Checking

Automata, Logic and Games: Theory and Application

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization

UNIT-II. NONDETERMINISTIC FINITE AUTOMATA WITH ε TRANSITIONS: SIGNIFICANCE. Use of ε-transitions. s t a r t. ε r. e g u l a r

Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication 1

FAIRNESS FOR INFINITE STATE SYSTEMS

Transcription:

Reactive Systems: Safety, Liveness, and Fairness Timo Latvala March 7, 2004

Reactive Systems: Safety, Liveness, and Fairness 14-1 Safety Safety properties are a very useful subclass of specifications. Basically safety properties are those properties, where a violation of the property can always be detected after only a finite execution of the system. Thus model checking of safety properties requires only reasoning about finite executions (basically the history of the system execution so far). This makes algorithmics for model checking easier, as emptiness checking reduces basically to the reachability of a final state. Violations of safety properties can also be detected with traditional testing and simulation methods. Violations of safety properties can also often be monitored during implementation runtime. This is often called runtime verification.

Reactive Systems: Safety, Liveness, and Fairness 14-2 Bad Prefixes Let s now formalize this notion of safety. Consider a language L consisting a set of of infinite words over alphabet Σ, i.e., L Σ ω. A finite word x Σ is a bad prefix for L iff for all infinite words y Σ ω it holds that the concatenation x y is not in L. In other words, no matter how x is extended, we will always get words not in L. You can think of the bad prefix x as a finite counterexample showing that the safety property is violated.

Reactive Systems: Safety, Liveness, and Fairness 14-3 Safety Languages A language L Σ ω is a safety language (also called a safety property) iff every infinite word not in L has a finite bad prefix. I.e., L is a safety language iff w Σ ω \ L there is x Σ such that: (i) w = x z for some z Σ ω, and (ii) for all y Σ ω it holds that x y L.

Reactive Systems: Safety, Liveness, and Fairness 14-4 Safety and LTL There is a subset of LTL properties, which is called syntactic LTL safety formulas. Basically this subset contains all the formulas built using the following syntax: Given the set AP, an syntactic safety LTL formula is: true, false, p for p AP, or p for p AP, f 1 f 2, f 1 f 2, X f 1, f 1, or f 1 R f 2, where f 1 and f 2 are syntactic safety LTL formulas Note that negation can only be applied to atomic propositions, thus until properties can not be expressed in the subset.

Reactive Systems: Safety, Liveness, and Fairness 14-5 Automata for Syntactic LTL Safety Formulas For syntactic safety formulas we have the following theorem: Theorem 1 Given a syntactic safety LTL formula f, there is a nondeterministic finite automaton A f (on finite words), which has at most 2 O( f ) states, accepts only bad prefixes for L( f ), and for each word w L( f ), the automaton accepts some finite word x, such that w = x z for some infinite word z. The procedure to obtain that automaton is similar in spirit to LTL to Büchi conversion, but the details differ! If you need this automaton, take a look at the scheck tool by T. Latvala (http://www. tcs.hut.fi/~timo/scheck).

Reactive Systems: Safety, Liveness, and Fairness 14-6 Automata for General LTL Safety Formulas Note that there are a lot of other LTL formulas which are safety, but are not in the syntactic safety subset. For example any formula which is equivalent to false is a safety formula! Example: p p. If we get outside syntactic safety subset, things get a quite bit more messy: Theorem 2 Given a safety LTL formula f, there is a deterministic finite automaton A f (on finite words), which has at most 2 2O( f ) states, accepts only bad prefixes for L( f ), and for each word w L( f ), the automaton accepts the shortest finite word x, such that w = x z for some infinite word z. There is also a 2 2Ω( f ) lower bound. Because of the blow-up, handling non-syntactic safety formulas can actually be made more efficiently by using Büchi automata instead!

Reactive Systems: Safety, Liveness, and Fairness 14-7 Liveness There are several different definitions of liveness in the literature. We define liveness as follows: A language L Σ ω is a liveness language (also called a liveness property) iff L is not a safety language. To detect violations of liveness properties thus need to consider (at least some) infinite executions of the system.

Reactive Systems: Safety, Liveness, and Fairness 14-8 Fairness Sometimes we want to use fairness assumptions on the environment out system works in. For example, we might want to assume that a scheduler never ignores some process forever. It could be that a system can only guarantee progress if such a scheduler is present. However, optimally we would like our program to work even if the scheduler is very unfair. To model the worst possible scheduler, we might add fairness conditions implying that each process is scheduled infinitely often. Another example of fairness assumptions is that of a lossy message channel, which will for each message m i guarantee the following: If message m i is sent infinitely often, then the same message m i is also received infinitely often. Note that fairness assumptions are only needed to prove liveness properties! Any safety property can be verified without assuming fairness.

Reactive Systems: Safety, Liveness, and Fairness 14-9 Model Checking Under Fairness In model checking under fairness, some fairness assumption is assumed from a system, such as that the used scheduler will schedule all processes infinitely often. This can often be captured by an LTL formula of the form (fairness) (property). One should be careful when specifying the formula for fairness, because it is easy to make a mistake and to specify a fairness assumption, which is equivalent to false.

Reactive Systems: Safety, Liveness, and Fairness 14-10 Two very commonly used forms of fairness are weak fairness and strong fairness. Weak fairness can be captured by using the LTL formula which is actually equivalent to 1 i n ( p i q i ), ( ( p 1 q i )). 1 i n This formula can be translated into a one state (generalized) Büchi automaton, provided that the automaton class used has acceptance sets on arcs instead being on the states (as in the standard definition used in this course).

Reactive Systems: Safety, Liveness, and Fairness 14-11 Most LTL to Büchi translators will (unfortunately) generate an exponential Büchi automaton when confronted with a weak fairness formula. Thus it is advisable to see whether the LTL model checker you use handles weak fairness constraints in an efficient manner. Sometimes using an a better LTL to Büchi conversion tool can significantly improve the performance of model checking LTL under weak fairness.

Reactive Systems: Safety, Liveness, and Fairness 14-12 The strong fairness is characterized by the LTL formula 1 i n ( p i q i ). Unfortunately, this cannot be translated into a one state Büchi automaton, and the exponential blowup is unavoidable. It can, however, be translated into one state automaton of a class called a Streett automaton (again provided that the acceptance conditions are on edges).

Reactive Systems: Safety, Liveness, and Fairness 14-13 The acceptance component of a (state acceptance set based) Streett automaton is Ω = {(L 1,U 1 ),(L 2,U 2 ),...,(L n,u n )}. A run r of the Streett automaton A is accepting iff n (inf (r) L i = /0 inf (r) U i /0). i=1 It is easy to see that the acceptance component is basically a strong fairness formula. Generalized Büchi automata can be emulated by Streett automata by setting L i = S, and U i = F i for all i. However, the other direction involves an exponential blowup.

Reactive Systems: Safety, Liveness, and Fairness 14-14 Upgrading your LTL to Büchi translator to a decent one might help some when dealing with model checking under strong fairness, but the resulting Büchi automata will always be exponential in the number of fairness constraints. The emptiness checking algorithms for Streett automata are more complex than those of Büchi automata. They are, however, still polynomial. Thus if you need to model check under many strong fairness constraints, using a model checker employing Streett automata is advisable. (Use e.g., the Petri net model checker of the Maria tool, due to T. Latvala and K. Heljanko.)

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback