Temporal logics and model checking for fairly correct systems

Similar documents
Temporal logics and model checking for fairly correct systems

Defining Fairness. Paderborn, Germany

Daniele Varacca Imperial College London, UK Hagen Völzer Universität zu Lübeck, Germany. Abstract

Counterexamples in Probabilistic LTL Model Checking for Markov Chains

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Timo Latvala. March 7, 2004

Chapter 3: Linear temporal logic

Alternating nonzero automata

Probabilistic verification and approximation schemes

STOCHASTIC TIMED AUTOMATA

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

Chapter 4: Computation tree logic

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Chapter 5: Linear Temporal Logic

The State Explosion Problem

Refinement-Robust Fairness

LTL is Closed Under Topological Closure

The topology of ultrafilters as subspaces of 2 ω

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

A Survey of Partial-Observation Stochastic Parity Games

Introduction. Itaï Ben-Yaacov C. Ward Henson. September American Institute of Mathematics Workshop. Continuous logic Continuous model theory

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

From Löwenheim to Pnueli, from Pnueli to PSL and SVA

SELF-DUAL UNIFORM MATROIDS ON INFINITE SETS

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

Lecture Notes on Emptiness Checking, LTL Büchi Automata

Information and Computation

Lecture 11 Safety, Liveness, and Regular Expression Logics

A Survey of Stochastic ω-regular Games

Automata-Theoretic LTL Model-Checking

Löwenheim-Skolem Theorems, Countable Approximations, and L ω. David W. Kueker (Lecture Notes, Fall 2007)

From Liveness to Promptness

The Complexity of Transducer Synthesis from Multi-Sequential Specifications

Tame definable topological dynamics

Limiting Behavior of Markov Chains with Eager Attractors

CDS 270 (Fall 09) - Lecture Notes for Assignment 8.

On the Accepting Power of 2-Tape Büchi Automata

Büchi Automata and Linear Temporal Logic

Value Iteration. 1 Introduction. Krishnendu Chatterjee 1 and Thomas A. Henzinger 1,2

Strategy Logic. 1 Introduction. Krishnendu Chatterjee 1, Thomas A. Henzinger 1,2, and Nir Piterman 2

Computer-Aided Program Design

Logic and Games SS 2009

On simulations and bisimulations of general flow systems

CSE 105 THEORY OF COMPUTATION

Strategy Synthesis for Markov Decision Processes and Branching-Time Logics

Visibly Linear Dynamic Logic

Bridging the Gap between Reactive Synthesis and Supervisory Control

Stat 451: Solutions to Assignment #1

Büchi Automata and Their Determinization

4 Choice axioms and Baire category theorem

Safety and Liveness Properties

Efficient Model Checking of Safety Properties

Linear-Time Logic. Hao Zheng

G δ ideals of compact sets

On Randomization versus Synchronization in Distributed Systems

Computation Tree Logic

CHURCH SYNTHESIS PROBLEM and GAMES

ESE601: Hybrid Systems. Introduction to verification

Recent results on Timed Systems

Alan Bundy. Automated Reasoning LTL Model Checking

Classical Theory of Cardinal Characteristics

Automata on Infinite words and LTL Model Checking

On Recognizable Languages of Infinite Pictures

Model Checking with CTL. Presented by Jason Simas

An Introduction to Temporal Logics

Automata-based Verification - III

New Complexity Results for Some Linear Counting Problems Using Minimal Solutions to Linear Diophantine Equations

On the complexity of infinite computations

On Recognizable Languages of Infinite Pictures

Banach-Mazur game played in partially ordered sets

A Countably-Based Domain Representation of a Non-Regular Hausdorff Space

Semi-Automatic Distributed Synthesis

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

CHAPTER 5. The Topology of R. 1. Open and Closed Sets

IDEAL GAMES AND RAMSEY SETS

1 Measure and Category on the Line

Automata, Logic and Games: Theory and Application

Overview. overview / 357

T Reactive Systems: Temporal Logic LTL

On the Expressiveness and Complexity of Randomization in Finite State Monitors

Complexity Bounds for Muller Games 1

Reasoning about Strategies: From module checking to strategy logic

Monodic fragments of first-order temporal logics

Classes of Polish spaces under effective Borel isomorphism

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Complexity of infinite tree languages

Automata-Theoretic Model Checking of Reactive Systems

1.1. MEASURES AND INTEGRALS

On the Total Variation Distance of Labelled Markov Chains

Modal and Temporal Logics

Definably amenable groups in NIP

An Algebra of Hybrid Systems

Synthesis weakness of standard approach. Rational Synthesis

Quasi-Weak Cost Automata

On the coinductive nature of centralizers

Games with Costs and Delays

A Lattice-Theoretic Characterization of Safety and Liveness

Probabilistic Model Checking and Strategy Synthesis for Robot Navigation

Parity Objectives in Countable MDPs

Transcription:

Temporal logics and model checking for fairly correct systems Hagen Völzer 1 joint work with Daniele Varacca 2 1 Lübeck University, Germany 2 Imperial College London, UK LICS 2006

Introduction Five Philosophers L Me R SPEC mutual exclusion and starvation-freedom System is not correct L and R may conspire against Me However, system is almost correct most runs satisfy SPEC

Generic Relaxations of Correctness Let S be the set of all runs of the system. Almost Correct SPEC is probabilistically large i.e. µ(spec) = 1 needs probability measure µ on S Fairly Correct (New!) SPEC is topologically large i.e. SPEC is a co-meager set in the natural topology on S there is a fairness assumption F for S such that S F SPEC

Road Map Fairness and Topological Largeness Fairness: Examples Fairness: Language-theoretic Characterisation Fairness: Topological Characterisation Topological vs Probabilistic Largeness Similarities Separation Coincidence Model Checking for Fairly Correct Systems Linear Time Branching Time Complete Fairness

Strong Fairness a b A B C c d Unwanted: e.g. (ac) ω Assumption: Strong fairness wrt transition t: enabled(t) = taken(t) t t t t t t t t t t

k-fairness (E. Best 84) L Me R Unwanted: Conspiracy Assumption: k-fairness wrt t: enabled(k, t) = taken(t) < k t t < k < k t < k t < k t

-Fairness t t t t t k-fairness wrt t: enabled(k, t) = taken(t) -Fairness wrt t: enabled(, t) = taken(t)

Setting Run: finite or infinite sequence of states: x Σ = Σ + Σ ω (Alternative x Σ ω ) α = {x Σ α is prefix of x} x = {α Σ + α is prefix of x} Temporal property: E Σ System S Σ all runs generated by a given transition system

-Fairness wrt a State s Σ s s s s s enabled S (, s) = taken(s)

-Fairness wrt a Word w Σ + w w w w w enabled S (, w) = taken(w)

(Memoryless) -Fairness wrt Q Σ + Q Q Q Q Q enabled S (, Q) = taken(q)

Memoryful -Fairness wrt Q Σ + Q Q Q Q Q live S (Q) = Q Examples: Q = Σ + w ( -Fairness wrt w) Q = "#a = #b" (truly memoryful)

Defining Fairness Q Q Q Q Q Definition E Σ is a fairness property for S iff it contains a property of the form live S (Q) = Q for some Q Σ +.

Scott Topology on S Basic open set: α for α Σ + S Open set: arbitrary union of basic open sets (guarantee relative to S) Closed set: complement of an open set (safety relative to S)

Dense Set L L intersects every (basic) open set = Liveness relative to S (S, L) is machine-closed

Dense Open Set Finite extension suffices to reach the set = "Observably" dense is a "large" set

Dense G δ Set E E = i N G i G i is dense open E is dense all G i are dense (in Baire spaces) Still a large set Game we play here: Banach-Mazur game

Topological Characterisation of Fairness E is a co-meager set iff it contains a dense G δ set true in Baire spaces co-meager = topologically large co-meager = complement of a meager (small) set Theorem E is a fairness property for S iff E is a co-meager set relative to S.

Properties of Fairness Refines relative liveness (machine-closure) Closed under countable intersection (and superset) Maximal class having these two properties (in a strong sense) For more: V., Varacca, Kindler: Defining Fairness CONCUR 2005

Road Map Fairness and Topological Largeness Fairness: Examples Fairness: Language-theoretic Characterisation Fairness: Topological Characterisation Topological vs Probabilistic Largeness Similarities Separation Coincidence Model Checking for Fairly Correct Systems Linear Time Branching Time Complete Fairness

Borel Measure µ over Scott Topology on S measurable sets are generated by basic open sets α for α Σ + S µ(αs ) = µ(α ) µ(αs α ) µ is determined by giving all p s α := µ(αs α ) for all αs Σ + S positive: α, s : p s α > 0 bounded: ε α, s : p s α > ε Markov: α, β, s, s : p s αs = p s βs

Generic Relaxations of Correctness Fairly Correct SPEC is topologically large i.e. SPEC is a co-meager set in the natural topology on S there is a fairness assumption F for S such that S F SPEC Almost Correct SPEC is probabilistically large i.e. µ(spec) = 1 needs probability measure µ on S One natural topology many associated Borel measures.

Shared Properties of Topological and Probabilistic Largeness Here: E is large = E is dense Large sets form a σ-filter, i.e.: E is large, E F = F is large E i, i N are large = i N E i is large E is large = E is not large not true for dense call E small when E is large E countable = E is small; there exist uncountable E that are small E is large F not small = E F not small

Notions do not coincide! (1/2) 1-p 1-p p p... -1 0 1... p p 1-p 1-p p 1 2 E = 0 µ(e) = 0 but E is co-meager µ(e) = 1 but E is meager System is infinite!

Notions do not coincide! (2/2) 1-p p A 0 B p 1 2 E = (#A = #B) µ(e) = 0 but E is co-meager Property is not ω-regular, hence not expressible in LTL!

Coincidence Main Theorem Theorem If S is finite-state, E is ω-regular, µ a bounded Borel measure on S then E is co-meager in S µ(e) = 1 In particular true when µ is a positive Markov measure.

Some Consequences Any ω-regular fairness property has probability 1 under randomised scheduling Obtain alternative characterisations for probability 1 (language-theoretic, game-theoretic, topological) in the considered case Obtain complexity for model checking fairly correct systems...

LTL Model Checking Theorem Checking whether a finite system is fairly correct wrt an LTL specification is PSPACE-complete. Use algorithm for finite Markov chains by Courcoubetis and Yannakakis 95 Algorithm uses time linear in the system size PSPACE-hardness for checking for probability 1 is due to Vardi

Alternative: Reactivity n φ = ( h i g i ) i=1 where h i and g i are past formulas. We have linear translation of largeness of φ into satisfaction of a CTL+past formula Checking CTL+past is PSPACE-complete LTL can be translated into reactivity (possible exponential blowup) Linear checking when h i and g i are state formulas (above translation yields CTL formula)

Model Checking ω-regular Properties Theorem Checking whether a finite system is fairly correct wrt an ω-regular property given by a Büchi automaton is PSPACE-complete. Use algorithm for finite Markov chains by Vardi 85 Algorithm uses time linear in the system size Completeness due to Vardi 85

Large-CTL* Interpret path quantifier A as "for almost all paths" in either sense Large-CTL* has complete axiomatisations Lehmann and Shelah 82: in probabilistic sense Ben-Eliyahu and Magidor 96: in topological sense Axiomatisations for topological interpretation and for finite probabilistic models are the same! Model Checking is PSPACE-complete

Large-CTL Theorem The model checking problem for Large-CTL can be solved in linear time. Largeness can be translated into CTL satisfaction Size may blow up Blow-up does not affect checking complexity

Question Is there a strongest fairness property F for S, i.e., S is fairly (almost) correct wrt SPEC iff F S SPEC? Advantage: Reduces checking fair correctness to checking satisfaction conditioned on F.

Answer No, not in general. (Fairness is not closed under arbitrary intersection.) Yes, if we are interested in a countable class of properties only (e.g. LTL, ω-regular) Word fairness is complete for LTL and ω-regular w w w w w Word fairness is not ω-regular No ω-regular-property is complete in general There is no generic LTL formula that can be used to check fair correctness of S for all SPEC

Conclusion Generic relaxation of correctness Language-theoretic, topological, game-theoretic, and probabilistic interpretation Checking for fair correctness is better than weakening specification No need to specify any fairness assumption Also in paper: topological interpretation of general path games and the Pistore-Vardi logic

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback