CS 267: Automated Verification. Lecture 8: Automata Theoretic Model Checking. Instructor: Tevfik Bultan

Similar documents
Lecture 9: LTL and Büchi Automata

Software Engineering using Formal Methods

Formal Methods in Software Engineering

Design and Analysis of Distributed Interacting Systems

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Nondeterminism and Nodeterministic Automata

Automata Theory 101. Introduction. Outline. Introduction Finite Automata Regular Expressions ω-automata. Ralf Huuck.

Minimal DFA. minimal DFA for L starting from any other

Java II Finite Automata I

NFA DFA Example 3 CMSC 330: Organization of Programming Languages. Equivalence of DFAs and NFAs. Equivalence of DFAs and NFAs (cont.

Chapter 2 Finite Automata

From LTL to Symbolically Represented Deterministic Automata

Converting Regular Expressions to Discrete Finite Automata: A Tutorial

1 Nondeterministic Finite Automata

AUTOMATA AND LANGUAGES. Definition 1.5: Finite Automaton

Types of Finite Automata. CMSC 330: Organization of Programming Languages. Comparing DFAs and NFAs. Comparing DFAs and NFAs (cont.) Finite Automata 2

CMSC 330: Organization of Programming Languages

Grammar. Languages. Content 5/10/16. Automata and Languages. Regular Languages. Regular Languages

Chapter Five: Nondeterministic Finite Automata. Formal Language, chapter 5, slide 1

Types of Finite Automata. CMSC 330: Organization of Programming Languages. Comparing DFAs and NFAs. NFA for (a b)*abb.

CS 301. Lecture 04 Regular Expressions. Stephen Checkoway. January 29, 2018

Good-for-Games Automata versus Deterministic Automata.

Designing finite automata II

On Determinisation of History-Deterministic Automata.

Theory of Computation Regular Languages. (NTU EE) Regular Languages Fall / 38

CS103B Handout 18 Winter 2007 February 28, 2007 Finite Automata

Let's start with an example:

Strong Bisimulation. Overview. References. Actions Labeled transition system Transition semantics Simulation Bisimulation

Theory of Computation Regular Languages

CMPSCI 250: Introduction to Computation. Lecture #31: What DFA s Can and Can t Do David Mix Barrington 9 April 2014

Non-Deterministic Finite Automata. Fall 2018 Costas Busch - RPI 1

Convert the NFA into DFA

Lecture 08: Feb. 08, 2019

80 CHAPTER 2. DFA S, NFA S, REGULAR LANGUAGES. 2.6 Finite State Automata With Output: Transducers

NFAs continued, Closure Properties of Regular Languages

Lexical Analysis Part III

Lexical Analysis Finite Automate

Section: Other Models of Turing Machines. Definition: Two automata are equivalent if they accept the same language.

CS415 Compilers. Lexical Analysis and. These slides are based on slides copyrighted by Keith Cooper, Ken Kennedy & Linda Torczon at Rice University

Non-Deterministic Finite Automata

Speech Recognition Lecture 2: Finite Automata and Finite-State Transducers. Mehryar Mohri Courant Institute and Google Research

LTL Translation Improvements in Spot

Regular Expressions (RE) Regular Expressions (RE) Regular Expressions (RE) Regular Expressions (RE) Kleene-*

Coalgebra, Lecture 15: Equations for Deterministic Automata

FABER Formal Languages, Automata and Models of Computation

GNFA GNFA GNFA GNFA GNFA

Assignment 1 Automata, Languages, and Computability. 1 Finite State Automata and Regular Languages

The size of subsequence automaton

Formal Languages and Automata

4 Deterministic Büchi Automata

12.1 Nondeterminism Nondeterministic Finite Automata. a a b ε. CS125 Lecture 12 Fall 2016

Introduction to ω-autamata

1. For each of the following theorems, give a two or three sentence sketch of how the proof goes or why it is not true.

CSCI 340: Computational Models. Kleene s Theorem. Department of Computer Science

Speech Recognition Lecture 2: Finite Automata and Finite-State Transducers

Normal Forms for Context-free Grammars

Finite-State Automata: Recap

Homework 3 Solutions

Harvard University Computer Science 121 Midterm October 23, 2012

Worked out examples Finite Automata

Formal Language and Automata Theory (CS21004)

Model Reduction of Finite State Machines by Contraction

Anatomy of a Deterministic Finite Automaton. Deterministic Finite Automata. A machine so simple that you can understand it in less than one minute

5.1 Definitions and Examples 5.2 Deterministic Pushdown Automata

Non Deterministic Automata. Formal Languages and Automata - Yonsei CS 1

CHAPTER 1 Regular Languages. Contents. definitions, examples, designing, regular operations. Non-deterministic Finite Automata (NFA)

Finite Automata. Informatics 2A: Lecture 3. John Longley. 22 September School of Informatics University of Edinburgh

Deterministic Finite Automata

CS:4330 Theory of Computation Spring Regular Languages. Equivalences between Finite automata and REs. Haniel Barbosa

CHAPTER 1 Regular Languages. Contents

Formal languages, automata, and theory of computation

Compiler Design. Fall Lexical Analysis. Sample Exercises and Solutions. Prof. Pedro C. Diniz

Regular expressions, Finite Automata, transition graphs are all the same!!

NFAs continued, Closure Properties of Regular Languages

Finite Automata Theory and Formal Languages TMV027/DIT321 LP4 2018

12.1 Nondeterminism Nondeterministic Finite Automata. a a b ε. CS125 Lecture 12 Fall 2014

5. (±±) Λ = fw j w is string of even lengthg [ 00 = f11,00g 7. (11 [ 00)± Λ = fw j w egins with either 11 or 00g 8. (0 [ ffl)1 Λ = 01 Λ [ 1 Λ 9.

Closure Properties of Regular Languages

a,b a 1 a 2 a 3 a,b 1 a,b a,b 2 3 a,b a,b a 2 a,b CS Determinisitic Finite Automata 1

Finite state automata

More on automata. Michael George. March 24 April 7, 2014

1.4 Nonregular Languages

More general families of infinite graphs

The University of Nottingham SCHOOL OF COMPUTER SCIENCE A LEVEL 2 MODULE, SPRING SEMESTER LANGUAGES AND COMPUTATION ANSWERS

Foundations of XML Types: Tree Automata

CISC 4090 Theory of Computation

Scanner. Specifying patterns. Specifying patterns. Operations on languages. A scanner must recognize the units of syntax Some parts are easy:

CS 275 Automata and Formal Language Theory

Chapter 1, Part 1. Regular Languages. CSC527, Chapter 1, Part 1 c 2012 Mitsunori Ogihara 1

Fundamentals of Computer Science

input tape head moves current state

CS 330 Formal Methods and Models

First Midterm Examination

Lecture 09: Myhill-Nerode Theorem

Finite Automata-cont d

11.1 Finite Automata. CS125 Lecture 11 Fall Motivation: TMs without a tape: maybe we can at least fully understand such a simple model?

Exercises Chapter 1. Exercise 1.1. Let Σ be an alphabet. Prove wv = w + v for all strings w and v.

CMSC 330: Organization of Programming Languages. DFAs, and NFAs, and Regexps (Oh my!)

Finite Automata. Informatics 2A: Lecture 3. Mary Cryan. 21 September School of Informatics University of Edinburgh

On the Relative Succinctness of Nondeterministic Büchi and co-büchi Word Automata

Transcription:

CS 267: Automted Verifiction Lecture 8: Automt Theoretic Model Checking Instructor: Tevfik Bultn

LTL Properties Büchi utomt [Vrdi nd Wolper LICS 86] Büchi utomt: Finite stte utomt tht ccept infinite strings The etter known vrint of finite stte utomt ccept finite strings (used in lexicl nlysis for exmple) A Büchi utomton ccepts string when the corresponding run visits n ccepting stte infinitely often Note tht n infinite run never ends, so we cnnot sy tht n ccepting run ends t n ccepting stte LTL properties cn e trnslted to Büchi utomt The utomton ccepts pth if nd only if the pth stisfies the corresponding LTL property

LTL Properties Büchi utomt G p p p true F p p p true G (F p) p p p p The size of the property utomton cn e exponentil in the size of the LTL formul (recll the complexity of LTL model checking)

Büchi Automt: Lnguge Emptiness Check Given Buchi utomton, one interesting question is: Is the lnguge ccepted y the utomton empty? i.e., does it ccept ny string? A Büchi utomton ccepts string when the corresponding run visits n ccepting stte infinitely often To check emptiness: Look for cycle which contins n ccepting stte nd is rechle from the initil stte Find strongly connected component tht contins n ccepting stte, nd is rechle from the initil stte If no such cycle cn e found the lnguge ccepted y the utomton is empty

LTL Model Checking Generte the property utomton from the negted LTL property Generte the product of the property utomton nd the trnsition system Show tht there is no ccepting cycle in the product utomton (check lnguge emptiness) i.e., show tht the intersection of the pths generted y the trnsition system nd the pths ccepted y the (negted) property utomton is empty If there is cycle, it corresponds to counterexmple ehvior tht demonstrtes the ug

LTL Model Checking Exmple Exmple trnsition system Property to e verified G q p,q 1 Negtion of the property G q F q q 2 Ech stte is leled with the propositions tht hold in tht stte 3 p Property utomton for the negted property q q Equivlently {q},, {p} 1 2 true,{p},{q},

Trnsition System to Buchi Automton Trnsltion Exmple trnsition system Corresponding Buchi utomton p,q 1 i 1 q 2 Ech stte is leled with the propositions tht hold in tht stte 3 p {q} {q} 2 3 {p}

Buchi utomton for the trnsition system (every stte is ccepting) Product utomton 1,1 1 2 {q} 2,1 {q} {q}, {q} 3 4 {p} Property Automton, {p} 1 2,{p},{q}, {p} 3,1 4,2 {q} {p} 3,2 Accepting cycle: (1,1), (2,1), (3,1), ((4,2), (3,2)) ω Corresponds to counter-exmple pth for the property G q

SPIN [Holzmnn 91, TSE 97] Explicit stte model checker Finite stte Temporl logic: LTL Input lnguge: PROMELA Asynchronous processes Shred vriles Messge pssing through (ounded) communiction chnnels Vriles: oolen, chr, integer (ounded), rrys (fixed size) Structured dt types

SPIN Verifiction in SPIN Uses the LTL model checking pproch Constructs the product utomton on-the-fly It is possile to find n ccepting cycle (i.e. counterexmple) without constructing the whole stte spce Uses nested depth-first serch lgorithm to look for n ccepting cycle Uses vrious heuristics to improve the efficiency of the nested depth first serch: prtil order reduction stte compression

Exmple Mutul Exclusion Protocol Two concurrently executing processes re trying to enter criticl section without violting mutul exclusion Process 1: while (true) { out: := true; turn := true; wit: wit ( = flse or turn = flse); cs: := flse; } Process 2: while (true) { out: := true; turn := flse; } wit: wit ( = flse or turn); cs: := flse;

Exmple Mutul Exclusion Protocol in Promel #define cs1 process1@cs #define cs2 process2@cs #define wit1 process1@wit #define wit2 process2@wit #define true 1 #define flse 0 ool ; ool ; ool turn; proctype process1() { out: = true; turn = true; wit: ( == flse turn == flse); cs: = flse; goto out; } proctype process2() { out: = true; turn = flse; wit: ( == flse turn == true); cs: = flse; goto out; } init { run process1(); run process2() }

Property utomton genertion % spin -f "! [] (! (cs1 && cs2)) never { /*! [] (! (cs1 && cs2)) */ T0_init: if :: ((cs1) && (cs2)) -> goto ccept_ll :: (1) -> goto T0_init fi; ccept_ll: skip } % spin -f "!([](wit1 -> <>(cs1))) Input formul [] mens G <> mens F spin f option genertes Buchi utomton for the input LTL formul never { /*!([](wit1 -> <>(cs1))) */ T0_init: if :: (!((cs1)) && (wit1) ) -> goto ccept_s4 :: (1) -> goto T0_init fi; ccept_s4: if :: (! ((cs1))) -> goto ccept_s4 fi; } Conctnte the generted never clims to the end of the specifiction file

SPIN spin mutex.spin genertes C progrm pn.c from the specifiction file This C progrm implements the on-the-fly nested-depth first serch lgorithm You compile pn.c nd run it to the model checking Spin genertes counter-exmple trce if it finds out tht property is violted

%mutex - wrning: for p.o. reduction to e vlid the never clim must e stutter-invrint (never clims generted from LTL formule re stutter-invrint) (Spin Version 4.2.6 -- 27 Octoer 2005) + Prtil Order Reduction Full sttespce serch for: never clim + ssertion violtions + (if within scope of clim) cceptnce cycles + (firness disled) invlid end sttes - (disled y never clim) Stte-vector 28 yte, depth reched 33, errors: 0 22 sttes, stored 15 sttes, mtched 37 trnsitions (= stored+mtched) 0 tomic steps hsh conflicts: 0 (resolved) 2.622 memory usge (Myte) unreched in proctype process1 line 18, stte 6, "-end-" (1 of 6 sttes) unreched in proctype process2 line 27, stte 6, "-end-" (1 of 6 sttes) unreched in proctype :init: (0 of 3 sttes)

Automt Theoretic LTL Model Checking Input: A trnsition system T nd n LTL property f Trnslte the trnsition system T to Buchi utomton A T Negte the LTL property nd trnslte the negted property f to Buchi utomton A f Check if the intersection of the lnguges ccepted y A T nd A f is empty Is L(A T ) L(A f ) =? If L(A T ) L(A f ), then the trnsition system T violtes the property f

Automt Theoretic LTL Model Checking Note tht L(A T ) L(A f ) = if nd only if L(A T ) L(A f ) By negting the property f we re converting lnguge susumption check to lnguge intersection followed y lnguge emptiness check Given the Buchi utomt A T nd A f we will construct product utomton A T A f such tht L(A T A f ) = L(A T ) L(A f ) So ll we hve to do is to check if the lnguge ccepted y the Buchi utomton A T A f is empty

Buchi Automt A Buchi utomton is tuple A = (Σ, Q, Δ, Q 0, F) where Σ is finite lphet Q is finite set of sttes Δ Q Σ Q is the trnsition reltion Q 0 Q is the set of initil sttes F Q is the set of ccepting sttes A Buchi utomton A recognizes lnguge which consists of infinite words over the lphet Σ L(A) Σ ω Σ ω denotes the set of infinite words over the lphet Σ

Buchi Automton Given n infinite word w Σ ω where w = 0, 1, 2, run r of the utomton A over w is n infinite sequence of utomton sttes r = q 0, q 1, q 2, where q 0 Q 0 nd for ll i 0, (q i, i,q i+1 ) Δ Given run r, let inf(r) Q e the set of utomt sttes tht pper in r infinitely mny times A run r is n ccepting run if nd only if inf(r) F i.e., run is n ccepting run if some ccepting sttes pper in r infinitely mny times

Trnsition System to Buchi Automton Trnsltion Given trnsition system T = (S, I, R) set of tomic propositions AP nd leling function L : S AP {true, flse} the corresponding Buchi utomton A T = (Σ T, Q T, Δ T, Q 0T, F T ) Σ T = 2 AP n lphet symol corresponds to set of tomic propositions Q T = S {i} i is new stte which is not in S Q ot = {i} i is the only initil stte F T = S {i} ll sttes of A T re ccepting sttes Δ T is defined s follows: (s,,s ) Δ iff either (s,s ) R nd p iff L(s,p) = true or s=i nd s I nd p iff L(s,p) = true

Trnsition System to Buchi Automton Trnsltion Exmple trnsition system Corresponding Buchi utomton p,q 1 i 1 q 2 Ech stte is leled with the propositions tht hold in tht stte 3 p {q} {q} 2 3 {p}

Generlized Buchi Automton A generlized Buchi utomton is tuple A = (Σ, Q, Δ, Q 0, F) where Σ is finite lphet Q is finite set of sttes Δ Q Σ Q is the trnsition reltion Q 0 Q is the set of initil sttes F 2 Q is sets of ccepting sttes i.e., F = {F 1, F 2,, F k } where F i Q for 1 i k This is different thn the stndrd definition Given generlized Buchi utomton A, run r is n ccepting run if nd only if for ll 1 i k, inf(r) F i

Buchi Automt Product Given A 1 = (Σ, Q 1, Δ 1, Q 01, F 1 ) nd A 2 = (Σ, Q 2, Δ 2, Q 02, F 2 ) the product utomton A 1 A 2 = (Σ, Q, Δ, Q 0, F) is defined s: Q = Q 1 Q 2 Q 0 = Q 01 Q 02 F = {F 1 Q 2, Q 1 F 2 } ( generlized Buchi utomton) Δ is defined s follows: ((q 1,q 2 ),,(q 1,q 2 )) Δ iff (q 1,,q 1 ) Δ 1 nd (q 2,,q 2 ) Δ 2 Bsed on the ove construction, we get L(A 1 A 2 ) = L(A 1 ) L(A 2 )

Exmple from the Lst Lecture is Specil Cse Buchi utomton 1 {q} 1 2 {q} {p} 3 4 Since ll the sttes in the utomton 1 is ccepting, only the ccepting sttes of utomton 2 decide the ccepting sttes of the product utomton Product utomton 1,1 2,1 {q} 3,1 Buchi utomton 2 {p} {q} {q},, {p} 1 2,{p},{q}, 4,2 {p} 3,2

Buchi Automt Product Exmple Automton R Automton Q r1 r2 q1 q2 L(R) = ( * ) ω L(Q) = ( * ) ω Automton R Q L(R Q) = L(R) L(Q) r1,q1 r2,q1 r1,q2 r2,q2 F = { {(r1,q1), (r1,q2)}, {(r1,q1), (r2,q1)} }

Generlized to Stndrd Buchi Automt Conversion Given generlized Buchi utomton A = (Σ, Q, Δ, Q 0, F) where F = {F 1, F 2,, F k } it is equivlent to stndrd Buchi utomton A = (Σ, Q, Δ, Q 0, F ) where Q = Q {1, 2,, k} Q 0 = Q 0 {1} F = F 1 {1} Δ is defined s follows: ((q 1, i),, (q 2, j)) Δ iff (q 1,,q 2 ) Δ nd j=i j=(i mod k) + 1 Keep counter. When the counter is i look only for the ccepting sttes in F i. When you see stte from F i, increment the counter (mod k). When the counter mkes one round, you hve seen n ccepting stte from ll F i s. if q 1 F i if q 1 F i Bsed on the ove construction we hve L(A ) = L(A)

Exmple (Cont d) A generlized Buchi utomton G A stndrd Buchi utomton S where L(S) = L(G) q1 q2 q1,1 q1,2 q3 q4 q2,1 q3,1 q2,2 q3,2 F = { {q1, q3}, {q1, q2} } q4,1 q4,2 F = { (q1,1), (q3,1)}

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback