Tecniche di Specifica e di Verifica Automata-based LTL Model-Checking
Finite state automata A finite state automaton is a tuple A = (S,S,S 0,R,F) S: set of input symbols S: set of states -- S 0 : set of initial states ( S 0 S ) R:S S fi 2 S : the transition relation. F: set of accepting states ( F S ) A run r on w=a 1,,a n is a sequence s 0,,s n such that s 0 S 0 and s i+1 R(s i,a i ) for 0 i n. A run r is accepting if s n F, while a word w is accepted by A if there is an accepting run of A on w. The language L(A) accepted by A is the set of finite words accepted by A. 2
Finite state automata: union Given automata A 1 and A 2, there is an automaton A accepting L(A) = L(A 1 ) L(A 2 ) A = (S,S,S 0,R,F) is an automaton which just runs nondeterministically either A 1 or A 2 on the input word. S = S 1 S 2 F = F 1 F 2 S 0 = S 01 S 02 { R2 R(s,a) = R 1(s,a) if s S 1 (s,a) if s S 2 3
Finite state automata: union b A 1 a 0 b 1 A 2 a 2 b 3 a L(A 1 )=b * (ab) * a L(A 2 )=a(a*ba) * b a 0 1 b A 1 A 2 L(A)=L(A 1 ) L(A 2 ) a 2 3 a b 4
Finite state automata: intersection Given automata A 1 and A 2, there is an automaton A accepting L(A) = L(A 1 ) L(A 2 ) A = (S,S,S 0,R,F) runs simultaneously both automata A 1 and A 2 on the input word. S = S 1 S 2 F = F 1 F 2 S 0 = S 01 S 02 R((s,t),a) = R 1 (s,a) R 2 (t,a) 5
Finite state automata: intersection b A 1 a 0 b 1 A 2 a 2 b 3 a L(A 1 )=b * (ab) * a L(A 2 )=a(a*ba) * b 0,2 a 0,3 a b 1,2 1,3 A 1 A 2 L(A)=L(A 1 ) L(A 2 ) 6
Finite state automata: complementation If the automaton is deterministic, then it just suffices to set F c = S-F. This doesn t work, though, for non-deterministic automata. Solution: 1. Determinize the automaton using the subset construction. 2. Complement the resulting deterministic automaton The complexity of this process is exponential in the size of the original automaton. The number of states of the final automaton is 2 S, in the worst case. 7
Finite state automata: complementation a A a s b L(A)=(a + b) * a t 1 2 b {s} Ø a,b A D a b b a L(A D )= (a + b) * a {s,t} {t} a a a A c b {s} Ø a,b b b a {s,t} {t} L(A c )=L(A) 8
Büchi automata (BA) A Büchi automaton is a tuple A = (S,S,S 0,R,F) S: set of input symbols S: set of states -- S 0 : set of initial states ( S 0 S ) R:S S fi 2 S : the transition relation. F: set of accepting states ( F S ) A run r on w=a 1,a 2, is an infinite sequence s 0,s 1, such that s 0 S 0 and s i+1 R(s i,a i ) for i 0. A run r is accepting if some accepting state in F occurs in r infinitely often. A word w is accepted by A if there is an accepting run of A on w, and the language L w (A) accepted by A is the set of (infinite) w-words accepted by A. 9
Büchi automata (BA) A Büchi automaton is a tuple A = (S,S,S 0,R,F) A run r on w=a 1,a 2, is an infinite sequence s 0,s 1, such that s 0 S 0 and s i+1 R(s i,a i ) for i 0. Let Lim(r) = { s s = s i for infinitely many i } A run r is accepting if Lim(r) F A word w is accepted by A if there is an accepting run of A on w. The language L w (A) accepted by A is the set of (infinite) w-words accepted by A. 10
Büchi automata: union Given Büchi automata A 1 and A 2, there is an Büchi automaton A accepting L w (A) = L w (A 1 ) L w (A 2 ). The construction is the same as for ordinary automata. A = (S,S,S 0,R,F) is an automaton which just runs nondeterministically either A 1 or A 2 on the input word. S = S 1 S 2 F = F 1 F 2 S 0 = S 01 S 02 { R2 R(s,a) = R 1(s,a) if s S 1 (s,a) if s S 2 11
Büchi automata: intersection The intersection construction for automata does not work for Büchi automata. Instead, the intersection for Büchi automata can be defined as follows: A=(S,S,S 0,R,F) intuitively runs simultaneously both automata A 1 =(S,S 1,S 01,R 1,F 1 ) and A 2 =(S,S 2,S 02,R 2,F 2 ) on the input word. S = S 1 S 2 {1,2} F = F 1 S 2 {1} R((s,t,i),a) = S 0 = S 01 S 02 {1} (s,t,2) if s R 1 (s,a), t R 2 (t,a), s F 1 and i=1 { (s,t,1) if s R 1 (s,a), t R 2 (s,a), t F 2 and i=2 (s,t,i) if s R 1 (s,a), t R 2 (t,a) 12
Büchi automata: intersection A = (S,S,S 0,R,F) runs simultaneously both automata A 1 and A 2 on the input word. S = S 1 S 2 {1,2} F = F 1 S 2 {1} S 0 = S 01 S 02 {1} (s,t,2) if s R 1 (s,a), t R 2 (t,a), s F 1 and i=1 R((s,t,i),a) = (s,t,1) if s R 1 (s,a), t R 2 (t,a), t F 2 and i=2 {(s,t,i) if s R 1 (s,a), t R 1 (t,a) The automaton remembers 2 tracks, one for each automaton, and points to one of the tracks. As soon as it goes through an accepting state on the current track, it changes track. The accepting condition and the transition relation ensure that this change of track must happens infinitely often. 13
Büchi automata: intersection A = (S,S,S 0,R,F) runs simultaneously both automata A 1 and A 2 on the input word. S = S 1 S 2 {1,2} F = F 1 S 2 {1} S 0 = S 01 S 02 {1} (s,t,2) if s R 1 (s,a), t R 2 (t,a), s F 1 and i=1 R((s,t,i),a) = (s,t,1) if s R 1 (s,a), t R 2 (t,a), t F 2 and i=2 {(s,t,i) if s R 1 (s,a), t R 1 (t,a) As soon as it visits an accepting state in track 1, it switches to track 2 and then to track 1 again but only after visiting an accepting state in the track 2. Therefore, to visit infinitely often a state in F (F 1 ), the automaton must also visit infinitely often some state of F 2. 14
Büchi automata: complementation It s a complicated construction -- the standard subset construction for determinizing automata doesn t work as non-deterministic automata are more powerful than deterministic ones (e.g. L w =(0+1) * 1 w ) 1,0 Solution (resorts to another kind of automaton): Transform the (non-deterministic) Büchi automaton into a (non-deterministic) Rabin automaton (a more general kind of w-automaton). Determinize and then complement the Rabin automaton. Transform the Rabin automaton into a Büchi automaton. Therefore, also Büchi automata are closed under complementation. 1 1 15
Rabin automata A Rabin automaton is like a Büchi automaton, except that the accepting condition is defined differently. A = (S,S,S 0,R,F), where F=((G 1,B 1 ),,(G m,b m )). and the acceptance condition for a run r = s 0,s 1, is as follows: for some i Lim(r) G i and Lim(r) B i = in other words, there is a pair (G i,b i ) such that the good set (G i ) is visited infinitely often, while the bad set (B i ) is visited only finitely often. 16
Rabin versus Büchi automata 1,0 s 1 t 1 The Büchi automaton fot L w = (0+1) * 1 w 0 s 1 The Rabin automaton 1 t fot L w = (0+1) * 1 w 0 The Rabin automaton has F=(({t},{s})) Note that the Rabin automaton is deterministic. 17
Language emptiness for Büchi automata The emptiness problem for Büchi automata is the problem of deciding whether the language accepted by a Büchi automaton A is empty, i.e. if L(A) =. Theorem: The emptiness problem for Büchi automata is decidable in linear time, i.e. in time O( A ). Fact: L(A) = iff in the Büchi automaton there is no reachable cycle A containing a state in F. 18
Language emptiness for Büchi automata In other words, L(A) iff there is a cycle containing an accepting state, which is also reachable from some initial state of the automaton. We need to find whether there is such a reachable cycle We could simply compute the SCCs of A using the standard DFS algorithm, and check if there exists a reachable (nontrivial) SCC containing a state in F. But this is usually too inefficient in practice. We will therefore use a more efficient nested DFS (more efficient in the average-case). 19
Efficient language emptiness for BA Input: A Initialize: Stack 1 :=, Stack 2 := Table 1 :=, Table 2 := Algorithm Main() foreach s Init if s ˇ Table 1 then DFS1(s); output( empty ); return; Algorithm DFS1(s) push(s,stack 1 ); hash(s,table 1 ); foreach t Succ(s) if t ˇ Table 1 then DFS1(t); if s F then DFS2(s); pop(stack 1 ); Algorithm DFS2(s) push(s,stack 2 ); hash(s,table 2 ) ; foreach t Succ (s) do if t ˇ Table 2 then DFS2(t) else if t is on Stack 1 output( not empty ); output(stack 1,Stack 2,t); return; pop(stack 2 ); Note: upon finding a bad cycle, Stack 1 +Stack 2 +t, determines a counterexample: a bad cycle reached from an init state. 20
Generalized Büchi automata (GBA) Generalized Büchi automaton: A = (S,S,S 0,R,(F 1,...,F m )) A run r on w=a 1,a 2, is an infinite sequence s 0,s 1, such that s 0 S 0 and s i+1 R(s i,a i ) for i 0. Let Lim(r) = { s s = s i for infinitely many i } A run r is accepting if for each 1 i m Lim(r) F i Any Generalized Büchi automaton can be easily transformed into a Büchi automaton as follows: L(S,S,S 0,R,(F 1,...,F m )) = L(S,S,S 0,R,F i ) i {1,,m} This transformation is not very efficient, though. 21
From GBA to BA efficiently Generalized Büchi automaton: A = (S,S,S 0,R,(F 1,...,F m )) A Generalized Büchi automaton can be efficiently transformed into a Büchi automaton as follows: S = S {1,,m} F = F j {i} for some 1 i m S 0 = S 0 {i} for some 1 i m (s, (i mod m)+1) if s R(s,a) and s F i R((s,i),a) ={ (s,i) if s R (s,a) and sˇf i Notice that the transformation above expands the automaton size by a factor of m (compare with Büchi Intersection). 22
LTL-semantics and Büchi automata We can interpret a formula y as expressing a property of w-words, i.e., an w-language L(y) S AP w. For w-word s = s 0, s 1, s 2,.. S w AP, let s i = s i, s i+1, s i+2. be the suffix of s starting at position i. We defined the satisfies relation,, inductively: s p j iff p j s 0 (for any p j P). s y iff not s y. s y 1 y 2 iff s y 1 or s y 2. s Xy iff s 1 y. s y 1 U y 2 iff $ i 0 such that s i y 2, and "j, 0 j< i, s j y 1. We can then define the language L(y) = { s s y }. 23
Relation with Kripke structures We extend our definition of satisfies to transition systems, or Kripke structures, as follows: K AP y iff for all computations (runs) p of K AP, L(p) y, or in other words, iff L(K AP ) L(y). 24
Relation with Kripke structures We could transform any Kripke structure into a Büchi automaton as follows: A K K AP {p,q} init {p} {p,q} s 0 {p} s 1 {q} s 2 {p} s 0 {p,q} s 1 {p,q} s 2 {q} where every state is accepting! 25
LTL Model Checking System Model K LTL property y Model Checker Check that K y by checking that L(K) L(A y ) = Convert y to a Büchi automaton A y, so that L( y) = L(A y ) Yes! No! + counterexample 26
LTL Model Checking: explanation M y L(K AP ) L(y) L(K AP ) (S AP w \ L(y)) = L(K AP ) L( y) = L(K AP ) L(A y ) = L(K AP A y ) = 27
The algorithmic tasks to perform We have reduced LTL model checking to two tasks: 1 Convert an LTL formula j (i.e. y) into a Büchi automaton A j, such that L(j) = L(A j ). Can we do this in general?. Yes!!! 2 Check whether K AP y, by checking whether the intersection of languages L(K AP ) L(A y ) is empty. It is actually unwise to first construct all of K AP, because K AP can be far too big (state explosion). Instead, it is possible perform the check by constructing states of K AP only as needed. 28
LTL to BA translation First, let s put LTL formulas ϕ in normal form where: s have been pushed in, applying only to propositions. the only propositional operators are,,. the only temporal operators are X, U and its dual R. In order to do that we use the following rules: p fi q p q ; p «q ( p q) ( q p) (p q) p q ; (p q) p q ; p p (p U q) ( p) R ( q) ; (p R q) ( p) U ( q) F p T U p ; G p R p ; X p X p 29
LTL to BA translation First, let s put LTL formulas ϕ in normal form s have been pushed in, applying only to propositions. We use the following rules: p fi q p q ; p «q ( p q) ( q p) (p q) p q ; (p q) p q ; p p (p U q) ( p) R ( q) ; (p R q) ( p) U ( q) F p T U p ; G p R p ; X p X p Examples: ((p U q) fi F r) (p U q) F r (p U q) (T U r) ( p R q) (T U r) GF p fi F r ( R (Fp)) fi (T U p) ( R (T U p)) fi (T U r) ( R (T U p)) (T U r) (T U (T U p)) (T U r) (T U ( R p)) (T U r) 30
LTL to BA translation States of A j will be sets of subformulas of j, thus if we have j= p 1 U p 2, a state is given by G {p 1, p 2,p 1 U p 2 }. Consider a word s = s 0, s 1, s 2, S AP w such that s ϕ, where, e.g., j = y 1 Uy 2. Mark each position i with the set of subformulas Γ i of ϕ that hold true there: G 0 G 1 G 2 s 0 s 1 s 2 Clearly, j G 0. But then, by consistency, either: y 1 G 0 and j G 1, or y 2 G 0. The consistency rules dictate our states and transitions. 31
LTL to BA translation Let sub(j) denote the set of subformulas of j. We define A j = (Q, S, R, L, Init, F) as follows. First, the set of states of A j is defined as follows: Q = {G sub(j) s.t. G is locally consistent }. For G to be locally consistent we should, e.g., have: ^ˇ G if y g G, then y G or g G. if y g G, then y G and g G. if p i G then p iˇ G, and if p i G then p iˇ G. if y U g G, then (y G or g G). if y R g G, then g G. 32
LTL to BA translation Now, labeling of the states of A j is defined as: The labeling L:QaS is L(G)={ l l G S }. We want a word s = s 0 s 1 (S AP ) w to be in L(A j ) iff there is a run p = G 0 fi G 1 fi G 2 fi of A j s.t. "i Õ, we have that s i satisfies L(G i ), i.e., s i is a satisfying assignment for L(G i ). This constitutes a slight redefinition of Büchi automata, where labeling is on the states instead of on the edges. This facilitates a much more compact A j. 33
LTL to BA translation Then the transition relation of A j. It is based on the following LTL rules: (y U g) g ( y X (y U g) ) (y R g) g ( y X (y R g) ) ( g y) (g X(y R g)) and on the semantics of the operator X. R Q Q, where (G,G ) R iff: if (y U g) G then g G, or (y G and (y U g) G ). if (y R g) G then g G, and (y G or (y R g) G ). if X y G, then y G. 34
LTL to BA translation The initial states of A j are Init = {G Q j G}. The accepting states of A j are defined as follows: for each (yug) sub(j), there is a set F i F, such that: F i = {G Q (y U g) ˇ G or g G} or equivalently F i = {G Q if (y U g) G, then g G} Notice that if there is no (y U g) sub(j), then the acceptance condition is the trivial acceptance condition: i.e., all states are accepting Lemma: L(j) = L(A j ). But A j is now a generalized Büchi automaton 35
LTL to BA translation: example T U p T U p p p Consider the following formula: F p T U p sub(t U p) ={T U p, p} Init = {G sub(t U p) T U p G} 36
LTL to BA translation: example T U p T U p p p Consider the following formula: T U p (T U p) p X (T U p) 37
LTL to BA translation: example T U p T U p p p Consider the following formula: T U p (T U p) p X (T U p) 38
LTL to BA translation: example T U p T U p p p Consider the following formula: T U p (T U p) p X (T U p) 39
LTL to BA translation: example T U p T U p p p Consider the following formula: T U p (T U p) p X (T U p) 40
LTL to BA translation: example T U p T U p p p Consider the following formula: T U p sub(t U p) ={T U p, p} F = {F T Up } = {G sub(t U p) (T U p) ˇ G or p G} 41
LTL to BA translation: example ^ R p ^ R p p p Consider the following formula: G p ^ R p sub(^ R p) ={^ R p, p} Init = {G sub(^ R p) ^ R p G} 42
LTL to BA translation: example ^ R p ^ R p p p Consider the following formula: G p ^ R p sub(^ R p) ={^ R p, p} (^ R p) p X (^ R p) 43
LTL to BA translation: example ^ R p ^ R p p The trivial acceptance condition p Consider the following formula: G p ^ R p sub(^ R p) ={^ R p, p} There are no eventualities, hence F = { Q } 44
LTL to BA translation: example p U q q p U q p,q p U q p p U q p,q q p Consider the following formula: p U q sub(p U q) ={p U q, p, q} Init = {G sub(p U p) p U q G} 45
LTL to BA translation: example p U q q p U q p,q p U q p p U q p,q q p Consider the following formula: p U q sub(p U q) ={p U q, p, q} Init = {G sub(p U p) p U q G} 46
LTL to BA translation: example p U q q p U q p,q p U q p p U q p,q q p Consider the following formula: p U q sub(p U q) ={p U q, p, q} (p U q) q (p X (p U q)) 47
LTL to BA translation: example p U q q p U q p,q p U q p p U q p,q q p Consider the following formula: p U q sub(p U q) = {p U q, p, q} F = { F puq } = {G sub(p U q) (p U q) ˇ G or q G} 48
On-the-fly translation algorithm There is another more efficient way to build the Büchi automaton corresponding to a LTL formula. The algorithm proposed by Vardi and his colleagues, is based on the idea of refining states only as needed. It only record the necessary information (what must hold) at a state, instead of recording the complete information about each state (both what must hold and what might or might-not hold). In a way what might or might-not hold is treated as don t care information (which can be filled in, but whose value has no relevant effect). 49
Algorithm data structure: node Name: A string identifying the current node. Father: The name of the father node of current node. Incoming: List of fully expanded nodes with edges to the current node. Old: A set of temporal formulae which must hold and in the current node have been processed already. New: A set of temporal formulae which must hold but in the current node have not been processed yet. Next: A set of temporal formulae which should hold in the next node (immediate successor) of the current node. 50
NODE Name: Node1 Father: Node1 Incoming: Init New: {p U q} Next: {} Old: {} Name: Node2 Father: Node1 Incoming: Init New: {p} Next: {p U q} Old: {p U q} Name: Node3 Father: Node1 Incoming: Init New: {q} Next: {} Old: {p U q} 51
function create_graph(f) return(expand([name Father new_name(), Incoming {Init}, New {f}, Old, Next ], ) function expand (Node, Nodes_Set) if New(Node) = then if $ ND Nodes_Set with (Old(ND)=Old(Node) and Next(ND) = Next(Node)) then Incoming(ND) Incoming(ND) Incoming(Node); return(nodes_set); else return(expand([name Father new_name(), Incoming {Name(Node)}, New Next(Node), Old, Next ], Nodes_Set {Node}); else. 52
Nodes_Set Init 4 ^ R p ; p Name: Node8 Father: Node6 Incoming: 4 New: {} Next: {^ R p} Old: {^ R p ; p} 53
Init Nodes_Set 4 p U q ; p Name: Node4 Father: Node3 Incoming: Init New: {} Next: {p U q} Old: {p U q ; p} Name: Node5 Father: Node5 Incoming: 4 New: {p U q} Next: {} Old: {} 54
Init Nodes_Set 4 p U q ; p 9 p U q ; q Name: Node9 Father: Node7 Incoming: 4 New: {} Next: {} Old: {p U q ; q} Name: Node10 Father: Node10 Incoming: 9 New: {} Next: {} Old: {} 55
function expand (Node, Nodes_Set) if New(Node)= then /* see previous block */ else let h New; Contradiction found New(Node) := New(Node) \ {h}; case h of h = p i or p i or T or ^ : if h = ^ or Neg(h) Old(Node) then return(nodes_set) ; /* Discard current node */ else Old(Node) Old(Node) {h}; return(expand(node, Nodes Set)); h = m U y or m R y or m y :. 56
Additional functions The function Neg() is applied only to literals: Neg(p i ) = p i Neg(T) = ^ Neg( p i ) = p i Neg(^) = T The functions New1(), New2() and Next1(), used for splitting nodes, are applied to temporal formulae and defined as follows: h New1(h) Next1(h) New2(h) m U y {m} {m U y} {y} m R y {y} {m R y} {m,y} m y {m} {y} 57
function expand (Node, Nodes_Set) if New(Node)= then /* see previous block */ else let h New; New(Node) := New(Node) \ {h}; case h of h = p i or p i or T or ^: /* see previous block */ h = m U y or m R y or m y : Node1:=[Name new_name(), Father Name(Node), Incoming Incoming(Node), New New(Node) ({New1(h)} \ Old(Node)), splitting Old Old(Node) {h}, Next Next(Node) {Next1(h)}]; Node2:=[Name new_name(), Father Name(Node), Incoming Incoming(Node), New New(Node) ({New2(h)} \ Old(Node)), Old Old(Node) {h}, Next Next(Node)]; return(expand(node2, expand(node1, Nodes_Set))); h = m y :. /* see next block */ 58
Name: Node1 Father: Node1 Incoming: Init New: {p U q} Next: {} Old: {} Name: Node2 split Name: Node3 Father: Node1 Father: Node1 Incoming: Init Incoming: Init New: {p} New: {q} Next: {p U q} Next: {} Old: {p U q} Old: {p U q} 59
function expand (Node, Nodes_Set) if New(Node)= then /* see previous block */ else let h New; New(Node):=New(Node) \ {h}; case h of h = p i or p i or T or ^: /* see previous block */ h = m U y or m R y or m y : /* see previous block */ h = m y : return(expand([name Name(Node), Father Father(Node), Incoming Incoming(Node), New (New(Node) {m,y } \ Old(Node)), Old Old(Node) {h}, Next = Next(Node)], Nodes_Set); h = X y :. /* see next block */ 60
Name: Node1 Father: Node1 Incoming: Init New: {p q, } Next: {...} Old: {...} expand Name: Node2 Father: Node1 Incoming: Init New: {p,q, } Next: {...} Old: {,p q} 61
function expand (Node, Nodes_Set) if New(Node)= then /* see previous block */ else let h New; New(Node):=New(Node) \ {h}; case h of h = p i or p i or T or ^: /* see previous block */ h = m U y or m R y or m y : /* see previous block */ h = m y : /* see previous block */ h = X y : return(expand( [Name Name(Node),Father Father(Node), Incoming Incoming(Node), New New(Node), Old Old(Node) {h}, Next = Next(Node) {y}], Nodes_Set); esac; end expand; 62
Name: Node1 Father: Node1 Incoming: Init New: {X p, } Next: {...} Old: {...} expand Name: Node1 Father: Node1 Incoming: Init New: { } Next: {,p} Old: {, X p} 63
The need for accepting conditions IMPORTANT: Remember that not every maximal path p = s 0 s 1 s 2 in the graph determines a model of the formula: the construction above allows some node which contain muy, while none of its successor nodes contain y. This is solved again by imposing the generalized Büchi acceptance conditions : for each subformula of f of the form m U y, there is a set F f F containing all the nodes s Q such that either m U y ˇ Old(s), or y Old(s). 64
Complexity of the construction THEOREM: For any LTL formula f a Büchi automaton A f can be constructed which accepts all an only the w-sequences (LTL models) satisfying f. THEOREM: Given a LTL formula f, the Büchi automaton for f whose states are O(2 f ) (in the worst-case). [ f is the number of subformulae of f]. THEOREM: Given a LTL formula f and a Kripke structure K sys the, the LTL model checking problem can be solved in time O( K sys 2 f ). [actually it is PSPACE-complete]. 65
LTL to BA: example Consider the following formula: G p where p is an atomic formula. Its negation-normal form is ^ R p 66
LTL to BA: example Init Current node is Node 1 Incoming = [Init] Old = [] New = [^ R p] Next = [] (^ R p) (p ^) (p X(^ R p)) New(node) not empty, removing h = ^ R p, node split into 2, 3, about to expand them 67
LTL to BA: example Init Current node is Node 2 Incoming = [Init] Old = [^ R p] New = [p] Next = [^ R p] New(node) not empty, removing h = p, node replaced by 4 about to expand them 68
LTL to BA: example Init Current node is Node 4 Incoming = [Init] Old = [^ R p ; p] New = [] Next = [^ R p] New(node) empty, no equivalent nodes. About to add, timeshift and expand. 69
LTL to BA: example Init 4 ^ R p ; p Current node is Node 5 Incoming = [4] Old = [] New = [^ R p] Next = [] (^ R p) (p ^) (p X(^ R p)) New(node) not empty, removing h = ^ R p, node split into 6, 7 about to expand them 70
LTL to BA: example Init Current node is Node 6 Incoming = [4] Old = [^ R p] New = [p] Next = [^ R p] 4 ^ R p ; p New(node) not empty, removing h = p, node replaced by 8, about to expand it 71
LTL to BA: example Init Current node is Node 8 Incoming = [4] Old = [^ R p ; p] New = [] Next = [^ R p] 4 ^ R p ; p New(node) empty, found equivalent old node in Node_Set (4). Returning it instead. 72
LTL to BA: example From the split of Node 5 Init Current node is Node 7 Incoming = [4] Old = [^ R p] New = [^ ; p] Next = [] 4 ^ R p ; p New(node) not empty, removing h = ^, inconsistent node deleted - dead end!. 73
LTL to BA: example From the split of Node 1 Init Current node is Node 3 Incoming = [Init] Old = [^ R p] New = [^ ; p] Next = [] 4 ^ R p ; p New(node) not empty, removing h = ^, inconsistent node deleted - dead end!. 74
LTL to BA: example Init 4 ^ R p ; p Final graph for G p ^ R p ^ R p p 75
LTL to BA: example 2 Consider the following formula: p U q where p and q are atomic formulae. 76
LTL to BA: example 2 Init Current node is Node 1 Incoming = [Init] Old = [] New = [p U q] Next = [] (p U q) q (p X(p U q)) New(node) not empty, removing h = p U q node split into 3, 2, about to expand them 77
LTL to BA: example 2 Init Current node is Node 2 Incoming = [Init] Old = [p U q] New = [p] Next = [p U q] New(node) not empty, removing h = p node replaced by 4, about to expand them 78
LTL to BA: example 2 Init Current node is Node 4 Incoming = [Init] Old = [p U q ; p] New = [] Next = [p U q] New(node) empty, no equivalent nodes. Add, timeshift and expand. 79
LTL to BA: example 2 Init 4 p U q ; p Current node is Node 5 Incoming = [4] Old = [] New = [p U q] Next = [] (p U q) q (p X(p U q)) New(node) not empty, removing h = p U q, node split into 6, 7, about to expand. 80
LTL to BA: example 2 Init 4 p U q ; p Current node is Node 6 Incoming = [4] Old = [p U q] New = [p] Next = [p U q] New(node) not empty, removing h = p, node replaced by 8, about to expand it 81
LTL to BA: example 2 Init 4 p U q ; p Current node is Node 8 Incoming = [4] Old = [p U q ; p] New = [] Next = [p U q] New(node) empty. Found equivalent old note (4) in Node_Set. Returning it instead. 82
LTL to BA: example 2 From the split of Node 5 Init 4 p U q ; p Current node is Node 7 Incoming = [4] Old = [p U q] New = [q] Next = [] New(node) not empty, removing h = q, node replaced by 9, about to expand it 83
LTL to BA: example 2 Init 4 p U q ; p Current node is Node 9 Incoming = [4] Old = [p U q ; q] New = [] Next = [] New(node) empty, no equivalent node found. Add timeshift and expand 84
LTL to BA: example 2 Init Current node is Node 10 Incoming = [9] Old = [] New = [] Next = [] 4 p U q ; p 9 p U q ; q New(node) empty, no equivalent node found. Add timeshift and expand 85
LTL to BA: example 2 Init Current node is Node 11 Incoming = [10] Old = [] New = [] Next = [] 4 p U q ; p 9 p U q ; q 10 New(node) empty. Found equivalent old node in Node_Set (10). Returning it instead. 86
LTL to BA: example 2 From the split of Node 1 Init Current node is Node 3 Incoming = [Init] Old = [p U q] New = [q] Next = [] 4 p U q ; p 9 p U q ; q New(node) not empty, node replaced by 12, about to expand. 10 87
LTL to BA: example 2 Init Current node is Node 12 Incoming = [Init] Old = [p U q ; q] New = [] Next = [] 4 p U q ; p 9 p U q ; q 10 New(node) empty. Found equivalent old node (4) in Node_Set. Returning it instead. 88
LTL to BA: example 2 Init 4 p U q ; p 9 p U q ; q 10 Final graph for p U q 89
Comparison of the two algorithms p U q q p U q p,q p U q p p U q p p U q q p,q q p The graphs for p U q obtained from the two algorithms 90
Notes on the algorithm Notice that nodes do not necessarily assign truth value to all atomic propositions (in AP)! Indeed the labeling to be associated to a node can be any element of 2 AP which agrees with the literals (AP or negations of AP) in Old(Node). Let Pos(q) = Old(q) AP Let Neg(q) = {h AP h Old(q)} L(q) = { X AP X Pos(q) (X Neg(q)) = } 91
Notes on the algorithm p U q p L(q) = {{p},{p,q}} p U q q L(q) = {{q},{p,q}} p U q q p U q p,q p U q p L(q) = {{},{p},{q},{p,q}} p,q q p 92
Composing A sys and A f In general what we need to do is to compute the intersection of the languages recognized by the two automata A sys and A f and check it for emptiness. We have already seen (slide 12) how this can be done. When the System needs not satisfy FAIRNESS conditions (or in general A sys have the trivial acceptance condition, i.e. all the states are accepting) there is a more efficient construction... 93
Efficient composition of A sys and A f When A sys have the trivial acceptance condition, i.e. all the states are accepting there is a more efficient construction. In this case we can just compute: A sys A f = < S, S sys S f, R, S 0sys S 0f, S sys F f > where (<s,t>,a,<s,t >) R iff (s,a,s ) R sys and (t,a,t ) R f 94
Efficient composition of A sys and A f Notice that in our case both automata have labels in the states (instead of on the transitions). This can be dealt with by simply restricting the set of states of the intersection automaton to those which agree on the labeling on both automata. Therefore we define A sys A f = < S, S,R, (S 0sys S 0f ) S, (S sys F f ) S > where S = {(s,t) S sys S f L sys (s) APf = L f (t)} and (<s,t>,<s,t >) R iff (s,s ) R sys and (t,t ) R f 95