Deterministic ω-automata for LTL: A safraless, compositional, and mechanically verified construction

Similar documents
Limit-Deterministic Büchi Automata for Linear Temporal Logic

Comparison of LTL to Deterministic Rabin Automata Translators

Effective Translation of LTL to Deterministic Rabin Automata: Beyond the (F,G)-Fragment

One Theorem to Rule Them All: A Unified Translation of LTL into ω-automata

Automata on Infinite words and LTL Model Checking

The theory of regular cost functions.

Optimal Translation of LTL to Limit Deterministic Automata

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

Büchi Automata and Linear Temporal Logic

ω-automata Automata that accept (or reject) words of infinite length. Languages of infinite words appear:

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Impartial Anticipation in Runtime-Verification

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Fast LTL to Büchi Automata Translation

Comparing LTL Semantics for Runtime Verification

Chapter 3: Linear temporal logic

Automata-based Verification - III

Almost Linear Büchi Automata

Deciding the weak definability of Büchi definable tree languages

An On-the-fly Tableau Construction for a Real-Time Temporal Logic

Reasoning about Time and Reliability

A Symbolic Approach to Safety LTL Synthesis

Decision Procedures for CTL

Automata, Logic and Games: Theory and Application

Automata-based Verification - III

Logic Model Checking

Computer-Aided Program Design

Automata and Reactive Systems

Automata-Theoretic Verification

Theoretical Foundations of the UML

PSL Model Checking and Run-time Verification via Testers

From Liveness to Promptness

Automaten und Formale Sprachen Automata and Formal Languages

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Automata, Logic and Games. C.-H. L. Ong

Linear-Time Logic. Hao Zheng

Modal and Temporal Logics

Languages, logics and automata

Lecture Notes on Emptiness Checking, LTL Büchi Automata

Linear Temporal Logic and Büchi Automata

Efficient Model Checking of Safety Properties

Minimising Deterministic Büchi Automata Precisely using SAT Solving

Infinite Games. Sumit Nain. 28 January Slides Credit: Barbara Jobstmann (CNRS/Verimag) Department of Computer Science Rice University

Controller synthesis for MDPs and Frequency LTL \GU

Timo Latvala. March 7, 2004

Efficient Model Checking of Safety Properties

Alan Bundy. Automated Reasoning LTL Model Checking

Homework 2: Temporal logic

Visibly Linear Dynamic Logic

A Hierarchy for Accellera s Property Specification Language

LTL with Arithmetic and its Applications in Reasoning about Hierarchical Systems

Decision Procedures for CTL

Bounded Synthesis. Sven Schewe and Bernd Finkbeiner. Universität des Saarlandes, Saarbrücken, Germany

Łukasz Kaiser Joint work with Diana Fischer and Erich Grädel

Büchi Automata and Their Determinization

Strategy Synthesis for Markov Decision Processes and Branching-Time Logics

Linear-time Temporal Logic

Generating Deterministic ω-automata for most LTL Formulas by the Breakpoint Construction

Automata, Logic and Games. C.-H. L. Ong

Subsumption of concepts in FL 0 for (cyclic) terminologies with respect to descriptive semantics is PSPACE-complete.

Overview. overview / 357

Systems Verification. Alessandro Abate. Day 1 January 25, 2016

Optimal Bounds in Parametric LTL Games

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Tecniche di Specifica e di Verifica. Automata-based LTL Model-Checking

Modal and Temporal Logics

From Monadic Second-Order Definable String Transformations to Transducers

CHURCH SYNTHESIS PROBLEM and GAMES

Applied Automata Theory

Automata, Logic and Games: Theory and Application

Quasi-Weak Cost Automata

Lecture Notes on Classical Modal Logic

A Logical Characterization for Weighted Event-Recording Automata

Advanced Automata Theory 7 Automatic Functions

Model Checking LTL with Regular Valuations for Pushdown Systems 1

Propositional Calculus - Semantics (3/3) Moonzoo Kim CS Dept. KAIST

On the Succinctness of Nondeterminizm

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

On Model Checking Techniques for Randomized Distributed Systems. Christel Baier Technische Universität Dresden

Transformation Between Regular Expressions and ω-automata

Course Runtime Verification

LTL and CTL. Lecture Notes by Dhananjay Raju

Quantitative Verification

On the coinductive nature of centralizers

Relational Interfaces and Refinement Calculus for Compositional System Reasoning

Tree Automata and Rewriting

Lecture 9 Synthesis of Reactive Control Protocols

Logic in Automatic Verification

LOGIC PROPOSITIONAL REASONING

The State Explosion Problem

Chapter 5: Linear Temporal Logic

arxiv: v1 [cs.lo] 17 Jun 2014

arxiv: v2 [cs.lo] 22 Jul 2017

Inducing syntactic cut-elimination for indexed nested sequents

Chapter 4: Computation tree logic

T Reactive Systems: Temporal Logic LTL

Löwenheim-Skolem Theorems, Countable Approximations, and L ω. David W. Kueker (Lecture Notes, Fall 2007)

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications

Description Logics. Deduction in Propositional Logic. franconi. Enrico Franconi

Temporal logics and model checking for fairly correct systems

Transcription:

Deterministic ω-automata for LTL: A safraless, compositional, and mechanically verified construction Javier Esparza 1 Jan Křetínský 2 Salomon Sickert 1 1 Fakultät für Informatik, Technische Universität München, Germany 2 IST Austria May 11, 2015 Salomon Sickert (TU München) 1 / 16

Deterministic ω-automata for LTL: A safraless, compositional, and mechanically verified construction Salomon Sickert (TU München) 2 / 16

Deterministic ω-automata for LTL: A safraless, compositional, and mechanically verified construction Salomon Sickert (TU München) 3 / 16

Deterministic ω-automata for LTL: A safraless, compositional, and mechanically verified construction System with stochasticity and non-determinism expressed as a Markov decision process M Linear time property expressed as an LTL formula ϕ Non-deterministic Büchi automaton B Product M R to be analysed Deterministic Rabin automaton R Salomon Sickert (TU München) 3 / 16

Deterministic ω-automata for LTL: A safraless, compositional, and mechanically verified construction System with stochasticity and non-determinism expressed as a Markov decision process M Linear time property expressed as an LTL formula ϕ Non-deterministic Büchi automaton B Safra Product M R to be analysed Deterministic Rabin automaton R Salomon Sickert (TU München) 3 / 16

Deterministic ω-automata for LTL: A safraless, compositional, and mechanically verified construction System with stochasticity and non-determinism expressed as a Markov decision process M Linear time property expressed as an LTL formula ϕ Product M R to be analysed Deterministic (transition-based) Generalised Rabin automaton R Salomon Sickert (TU München) 4 / 16

Deterministic ω-automata for LTL: A safraless, compositional, and mechanically verified construction Salomon Sickert (TU München) 5 / 16

Deterministic ω-automata for LTL: A safraless, compositional, and mechanically verified construction Directly yields a deterministic system Salomon Sickert (TU München) 5 / 16

Deterministic ω-automata for LTL: A safraless, compositional, and mechanically verified construction Directly yields a deterministic system Product of several automata Salomon Sickert (TU München) 5 / 16

Deterministic ω-automata for LTL: A safraless, compositional, and mechanically verified construction Directly yields a deterministic system Product of several automata Logical structure of the input formula is preserved e.g.: Which G-subformulae are eventually true? Salomon Sickert (TU München) 5 / 16

Deterministic ω-automata for LTL: A safraless, compositional, and mechanically verified construction Directly yields a deterministic system Product of several automata Logical structure of the input formula is preserved e.g.: Which G-subformulae are eventually true? Smaller Systems 1 1 In most cases according to our experimental data; compared to the standard approach Salomon Sickert (TU München) 5 / 16

Deterministic ω-automata for LTL: A safraless, compositional, and mechanically verified construction Directly yields a deterministic system Product of several automata Logical structure of the input formula is preserved e.g.: Which G-subformulae are eventually true? Smaller Systems 1 Bonus: Construction and correctness theorem verified in Isabelle/HOL 1 In most cases according to our experimental data; compared to the standard approach Salomon Sickert (TU München) 5 / 16

Deterministic ω-automata for LTL: A safraless, compositional, and mechanically verified construction Directly yields a deterministic system Product of several automata Logical structure of the input formula is preserved e.g.: Which G-subformulae are eventually true? Smaller Systems 1 Bonus: Construction and correctness theorem verified in Isabelle/HOL with code extraction 50% done 1 In most cases according to our experimental data; compared to the standard approach Salomon Sickert (TU München) 5 / 16

Experimental Data i {1,...,n} GFa i GFb i NBA DRA DTGRA LTL2BA ltl2dstar Rabinizer 3 n = 1 4 n = 2 14 n = 3 40 Salomon Sickert (TU München) 6 / 16

Experimental Data i {1,...,n} GFa i GFb i NBA DRA DTGRA LTL2BA ltl2dstar Rabinizer 3 n = 1 4 4 n = 2 14 > 10 4 n = 3 40 > 10 6 Salomon Sickert (TU München) 6 / 16

Experimental Data i {1,...,n} GFa i GFb i NBA DRA DTGRA LTL2BA ltl2dstar Rabinizer 3 n = 1 4 4 1 n = 2 14 > 10 4 1 n = 3 40 > 10 6 1 Salomon Sickert (TU München) 6 / 16

ω-words and LTL An ω-word is an infinite sequence: w = a 0 a 1 a 2 a 3.... Salomon Sickert (TU München) 7 / 16

ω-words and LTL An ω-word is an infinite sequence: w = a 0 a 1 a 2 a 3.... Definition (LTL Semantics, Negation-Normal-Form) :: α set word α ltl B w tt = True w ff = False w a = a w 0 w a = a w 0 w ϕ ψ = w ϕ w ψ w ϕ ψ = w ϕ w ψ Salomon Sickert (TU München) 7 / 16

ω-words and LTL An ω-word is an infinite sequence: w = a 0 a 1 a 2 a 3.... Definition (LTL Semantics, Negation-Normal-Form) :: α set word α ltl B w tt = True w ff = False w a = a w 0 w a = a w 0 w ϕ ψ = w ϕ w ψ w ϕ ψ = w ϕ w ψ w Fϕ = k. w k ϕ w Gϕ = k. w k ϕ w ψuϕ = k. w k ϕ j < k. w j ψ w Xϕ = w 1 ϕ Salomon Sickert (TU München) 7 / 16

ω-words and LTL An ω-word is an infinite sequence: w = a 0 a 1 a 2 a 3.... Definition (LTL Semantics, Negation-Normal-Form) :: α set word α ltl B w tt = True w ff = False w a = a w 0 w a = a w 0 w ϕ ψ = w ϕ w ψ w ϕ ψ = w ϕ w ψ w Fϕ = k. w k ϕ w Gϕ = k. w k ϕ w ψuϕ = k. w k ϕ j < k. w j ψ w Xϕ = w 1 ϕ Salomon Sickert (TU München) 7 / 16

ω-words and LTL An ω-word is an infinite sequence: w = a 0 a 1 a 2 a 3.... Definition (LTL Semantics, Negation-Normal-Form) :: α set word α ltl B w tt = True w ff = False w a = a w 0 w a = a w 0 w ϕ ψ = w ϕ w ψ w ϕ ψ = w ϕ w ψ w Fϕ = k. w k ϕ w Gϕ = k. w k ϕ w ψuϕ = k. w k ϕ j < k. w j ψ w Xϕ = w 1 ϕ Salomon Sickert (TU München) 7 / 16

Unfolding Modal Operators Fϕ XFϕ ϕ Gϕ XGϕ ϕ ψuϕ ϕ (ψ X(ψUϕ)) Salomon Sickert (TU München) 8 / 16

Co-Büchi Automata for G-free ϕ ϕ = a (b U c) Salomon Sickert (TU München) 9 / 16

Co-Büchi Automata for G-free ϕ ϕ ϕ = a (b U c) Salomon Sickert (TU München) 9 / 16

Co-Büchi Automata for G-free ϕ ϕ = a (b U c) ϕ a c (b X(bUc)) Salomon Sickert (TU München) 9 / 16

Co-Büchi Automata for G-free ϕ ϕ = a (b U c) ϕ a c (b X(bUc)) āb c buc Salomon Sickert (TU München) 9 / 16

Co-Büchi Automata for G-free ϕ ϕ = a (b U c) ϕ a c (b X(bUc)) āb c buc q 1 : a (b U c) āb c a + āc q 2 : b U c c b c b c ā b c true q 3 : tt q 4 : ff true Salomon Sickert (TU München) 9 / 16

Tackling the G-Operator Relaxed case: FGϕ w = FGϕ iff w i = ϕ for almost all i Reason: G-subformulae may be nested inside X, F, U. Salomon Sickert (TU München) 10 / 16

Automata for FGϕ where ϕ is G-free w =... a + āc āb c ā b c c q 2 b c b c q 3 q 4 Salomon Sickert (TU München) 11 / 16

Automata for FGϕ where ϕ is G-free w = abc... q 1 a + āc āb c q 2 c b c b c ā b c q 4 Salomon Sickert (TU München) 11 / 16

Automata for FGϕ where ϕ is G-free w = abc... q 1 a + āc āb c ā b c a + āc āb c ā b c c q 2 b c b c c q 2 b c b c q 4 q 3 q 4 Salomon Sickert (TU München) 11 / 16

Automata for FGϕ where ϕ is G-free w = abc āb c... q 1 q 1 a + āc āb c ā b c a + āc q 2 b c c b c āb c c b c b c ā b c a + āc āb c ā b c q 2 b c c b c q 4 q 3 q 4 q 3 q 4 Salomon Sickert (TU München) 11 / 16

Automata for FGϕ where ϕ is G-free w = abc āb c āb c... q 1 q 1 q 1 a + āc āb c ā b c a + āc q 2 b c c b c āb c c b c ā b c a + āc b c āb c c b c b c ā b c a + āc āb c ā b c q 2 b c c b c q 4 q 3 q 4 q 3 q 4 q 3 q 4 Salomon Sickert (TU München) 11 / 16

Automata for FGϕ where ϕ is G-free w = abc āb c āb c... q 1 q 1 q 1 a + āc āb c ā b c a + āc q 2 b c c b c āb c c b c ā b c a + āc b c āb c c b c b c ā b c a + āc āb c ā b c q 2 b c c b c q 4 q 3 q 4 q 3 q 4 q 3 q 4 3 a + āc 0 āb c 1, 2 c b c ā b c b c Salomon Sickert (TU München) 11 / 16

Mojmir Automata 3 α 2 α 1 α 3 1, 2 β 2 β 3 β 1 Σ 0 Σ Salomon Sickert (TU München) 12 / 16

Mojmir Automata 3 α 2 α 1 α 3 1, 2 β 2 β 3 β 1 Σ 0 Σ In every step a new token is placed in the initial state and all other tokens are moved according to the transition function. Salomon Sickert (TU München) 12 / 16

Mojmir Automata 3 α 2 α 1 α 3 1, 2 β 2 β 3 β 1 Σ 0 Σ In every step a new token is placed in the initial state and all other tokens are moved according to the transition function. Deterministic Salomon Sickert (TU München) 12 / 16

Mojmir Automata 3 α 2 α 1 α 3 1, 2 β 2 β 3 β 1 Σ 0 Σ In every step a new token is placed in the initial state and all other tokens are moved according to the transition function. Deterministic Accepts an ω-word w iff almost all tokens reach the final states Salomon Sickert (TU München) 12 / 16

Mojmir Automata 3 α 2 α 1 α 3 1, 2 β 2 β 3 β 1 Σ 0 Σ In every step a new token is placed in the initial state and all other tokens are moved according to the transition function. Deterministic Accepts an ω-word w iff almost all tokens reach the final states Mojmir automata are blind to events that only happen finitely often Salomon Sickert (TU München) 12 / 16

Mojmir Automata 3 α 2 α 1 α 3 1, 2 β 2 β 3 β 1 Σ 0 Σ In every step a new token is placed in the initial state and all other tokens are moved according to the transition function. Deterministic Accepts an ω-word w iff almost all tokens reach the final states Mojmir automata are blind to events that only happen finitely often Salomon Sickert (TU München) 12 / 16

Going Further From Mojmir to Rabin Automata Salomon Sickert (TU München) 13 / 16

Going Further From Mojmir to Rabin Automata Unbounded number of tokens? Salomon Sickert (TU München) 13 / 16

Going Further From Mojmir to Rabin Automata Unbounded number of tokens? Abstraction with ranking functions for states and tokens Salomon Sickert (TU München) 13 / 16

Going Further From Mojmir to Rabin Automata Unbounded number of tokens? Abstraction with ranking functions for states and tokens Mojmir acceptance ( ) vs. Rabin acceptance (finite, )? Salomon Sickert (TU München) 13 / 16

Going Further From Mojmir to Rabin Automata Unbounded number of tokens? Abstraction with ranking functions for states and tokens Mojmir acceptance ( ) vs. Rabin acceptance (finite, )? Alternative definition for Mojmir acceptance Salomon Sickert (TU München) 13 / 16

Going Further From Mojmir to Rabin Automata Unbounded number of tokens? Abstraction with ranking functions for states and tokens Mojmir acceptance ( ) vs. Rabin acceptance (finite, )? Alternative definition for Mojmir acceptance Mojmir Automata for FGϕ for arbitrary ϕ Salomon Sickert (TU München) 13 / 16

Going Further From Mojmir to Rabin Automata Unbounded number of tokens? Abstraction with ranking functions for states and tokens Mojmir acceptance ( ) vs. Rabin acceptance (finite, )? Alternative definition for Mojmir acceptance Mojmir Automata for FGϕ for arbitrary ϕ Divide-and-conquer approach Construct for every G-subformula a separate automaton Instead of expanding G s rely on the other automata Intersection and Union of several Mojmir Automata Salomon Sickert (TU München) 13 / 16

Overview of the Construction Master-Transition-System LTL G-subformulae Product Generalised Rabin Mojmir Rabin Salomon Sickert (TU München) 14 / 16

Overview of the Construction Master-Transition-System LTL G-subformulae Product Generalised Rabin Mojmir Rabin The Master-Transition-System tracks a finite prefix of the ω-word. Salomon Sickert (TU München) 14 / 16

Overview of the Construction Master-Transition-System LTL G-subformulae Product Generalised Rabin Mojmir Rabin The Master-Transition-System tracks a finite prefix of the ω-word. Acceptance: 1 Guess the set of eventually true G-subformulae 2 Verify this guess using the Mojmir automata 3 Accept iff almost all the time this guess entails the current state of the master-transition-system Salomon Sickert (TU München) 14 / 16

Conclusion and Future Work The presented translation... preservers the logical structure of the formula is compositional Aggressive optimization can lead to huge space savings Some optimizations are already verified yields small deterministic ω-automata Salomon Sickert (TU München) 15 / 16

Conclusion and Future Work The presented translation... preservers the logical structure of the formula is compositional Aggressive optimization can lead to huge space savings Some optimizations are already verified yields small deterministic ω-automata Open Problems: Explore and formalize further optimizations Adapt construction to support: Alternation-free linear-time µ-calculus (contains LTL) Parity automata Salomon Sickert (TU München) 15 / 16

Getting More Information Javier Esparza, Jan Kretínský: From LTL to Deterministic Automata: A Safraless Compositional Approach. CAV 2014: pages 192 208 From LTL to Deterministic Automata: A Safraless Compositional Approach Javier Esparza and Jan Křetínský p 2014 Institut für Informatik, Technische Universität München, Germany IST Austria Salomon Sickert (TU München) 16 / 16 Abstract. We present a new algorithm to construct a (generalized) deterministic Rabin automaton for an LTL formula ϕ. The automaton is

Getting More Information Javier Esparza, Jan Kretínský: From LTL to Deterministic Automata: A Safraless Compositional Approach. CAV 2014: pages 192 208 Isabelle/HOL Formalisation To be submitted to the Archive of Formal Proofs - afp.sourceforge.net Available on request: sickert@in.tum.de From LTL to Deterministic Automata: A Safraless Compositional Approach Javier Esparza and Jan Křetínský p 2014 Institut für Informatik, Technische Universität München, Germany IST Austria Salomon Sickert (TU München) 16 / 16 Abstract. We present a new algorithm to construct a (generalized) deterministic Rabin automaton for an LTL formula ϕ. The automaton is

Getting More Information Javier Esparza, Jan Kretínský: From LTL to Deterministic Automata: A Safraless Compositional Approach. CAV 2014: pages 192 208 Isabelle/HOL Formalisation To be submitted to the Archive of Formal Proofs - afp.sourceforge.net Available on request: sickert@in.tum.de Thank you for your attention! From LTL to Deterministic Automata: A Safraless Compositional Approach Javier Esparza and Jan Křetínský p 2014 Institut für Informatik, Technische Universität München, Germany IST Austria Salomon Sickert (TU München) 16 / 16 Abstract. We present a new algorithm to construct a (generalized) deterministic Rabin automaton for an LTL formula ϕ. The automaton is

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback