Model Checking and Automata Theory

About This Presentation

Title:

Model Checking and Automata Theory

Description:

Goal: Present basic facts from automata theory and demonstrate how model ... Eg if AP= {p,q,r}, an edge labelled with p ^ -q signifies all transitions (i.e., set ... – PowerPoint PPT presentation

Number of Views:44

Avg rating:3.0/5.0

Slides: 37

Provided by: Technology9

Category:

more less

Transcript and Presenter's Notes

Title: Model Checking and Automata Theory

1
Model Checking and Automata Theory
2

Goal Present basic facts from automata theory
and demonstrate how model checking (for LTL) can
be done in this framework
Bonus on the fly model checking the checked
property guides the construction of the state
graph for the modelled system may avoid
constructing large parts of the state graph

3
Outline

Basics of Automata Theory
Buchi Automata
Model Checking Using Automata
Nondeterministic Buchi Automata
Generalized Buchi Automata
Checking Emptiness and the double DFS
Translating LTL into Automata
On the Fly Model Checking
Checking Language Containment Symbolically

4
Basics of Automata Theory

A finite automaton is a mathematical model of a
device (computer) that has a constant amount of
memory independent of its input
A finite automaton A is a five tuple (?, Q,D, Q0,
F), such that

5
(No Transcript)
6

Terminology
Graph representation with initial and final
states
Let v be a word (string) v of ?? of length v .
A run over A is a mapping ? 0,1,...,v) -gt Q
such that
The first state is an initial state (?(0) ? Q0 )
(?(i), v(i), ?(i1)) ? ?
A run ? on A corresponds to a path in the
automaton graph from an initial state ?(0) to a
state ?(v) where the edges are labelled
according to the letters of v say v is input to
A or A reads v.
A run ? on A is accepting if ?(v) ? F. A
accepts v iff there is an accepting run of A on
v.

Language of A, L(A) consists of all the words
accepted by A
Notation
operator denotes any finite number of
repetitions (including zero repetitions)
denotes choice
the empty word ?
Regular expressions over alphabet S
the empty word ? is regular
Elements of S are regular
If e and f are regular so are (e f) and e
Regular language a subset of S generated by a
regular expression
The language of a finite automaton is regular
(i.e., corresponds to a regular expression) and
to every regular expression E there is a finite
automaton A
A(E) AE and L(A) EA then A(L(A)) A and
L(A(E)) E

8
Buchi Automata

Model computations by infinite sequences of
states so have words of infinite length (ie
words over ??)
Concurrent systems are designed not to halt
during normal executions
Simplest automata over infinite words are Buchi
automata
Same components as finite automata, except F is
called the set of accepting states
Infinite word v has v ?
Let inf (?) be the set of states that appear
infinitely often in a run. A run of a Buchi
automaton A over an infinite word is accepting if
and only if inf (?) n F ? ?

Fig 9.1 can be interpreted as a Buchi automaton
-- example one word it is accepts (ab)?
Language it accepts is the set of words with
infinitely many as written as ? -regular
expression (ba)?

10
Model Checking using Automata

Finite Automata can model concurrent and
interactive systems either the state or the
alphabet can represent the states of the modeled
system
Main advantage both modeled system and
specification are represented the same way
A Kripke structure M corresponds to an ? -
regular automaton A where all the states are
accepting
Behaviours of M is the language L(A)

Kripke structure M (S, R, S0, L) can be
transformed to automaton A (?, S U t, ?, t,
S U t where ? 2AP.
(s,a,s) ? ? iff (s,s) ? R and a L(s)
(t,a,s) ? ? iff s ? S0 and a L(s)

12
(No Transcript)
13

The specification can also be given as an
automaton
In these Examples edges are labelled with boolean
expressions (representing sets of atomic
propositions)
Each edge may represent a several transitions Eg
if AP p,q,r, an edge labelled with p -q
signifies all transitions (i.e., set of
propositions) that must include p and must not
include q and may include r so transitions
labelled with p,r and p

14
(No Transcript)
15

In fig 9.3 the automaton specifies the property
that the two critical processes cannot enter
their critical section at the same time use LTL
path formula G (CR0 CR1)
In fig 9.4 the automaton specifies that the
process will eventually enter its critical
section - use LTL formula
F CR0
A system A satisfies specification S when L(A)
L(S)
Equivalently when L(A) n L(S)c ?
If intersection is nonempty, any behaviour in it
is a counterexample ie a run on A that violates
the specification
We see (later) that an infinite word in the
intersection can be represented in a finitary way
(as uv?, u,v, finite words)

Buchi automata are closed under intersection and
complement Do intersection - automaton that
accepts intersection of the 2 languages

Remark Clarke et al. text seems to have mistake
in the definition as it does not agree with
their example!see rather the following
http//www.cs.uu.nl/docs/vakken/pv/resources/LTL_b
uchi_slides1.pdf

18
(No Transcript)
19

Remark The third component is responsible for
guaranteeing that accepting states from both B1
and B2 appear infinitely often (so setting F F1
x F2 does not work)
third component is initially 0
it changes from 0 to 1 when an accepting state of
B1 is seen
it changes from 1 to 2 when an accepting state of
B2 is seen
and in the next state returns back to 0
Remark a simpler intersection is obtained when
all of the states of one of the automata are
accepting. If all states of B1 are accepting and
accepting states of B2 are F2 then B1 n B2 ( ?,
Q1 x Q2, ?, Q10 x Q20, Q1 x F2) where ((r,q),
a, (r,q)) ? ? iff (r,a,r) ? ?1 and (q,a,q) ?
?2
Remark General algorithm is useful in verifying
systems with fairness

The system A satisfies the specification S when
L(A) L(S)
Model Checking Method (specification S wrt system
M)
Construct the automaton A that models the system
M
Construct automaton Sc that recognizes the
language L(S)c
Construct the automaton that accepts the
intersection of the languages L(A) and L(S)c
If intersection is empty, announce that
specification S holds for system A else we
provide a counterexample -- see later

21
Nondeterministic Buchi Automata

For regular and Buchi automata, transition
relation ? can be nondeterministic - transitions
(q,a,l) and (q,a,l), l ? l).
Nondet FA on finite words can be translated to
det FA accepting same language using subset
construction .
Nondet M (?, Q, ?, Q0, F) -gt det M (?, 2Q,
?, Q0, F)
? 2Q x ? x 2Q, contains (Q1, a, Q2) where
Q2 U (q (q,a,q) ? ?)
q ? Q1
the set F is defined as Q Q Q and Q n F
? ?
Because M is det, ? can be rep as function 2Q x
? -gt 2Q
State of M corresponds to the set of states M
can reach after reading some input

Complementing a nondet automaton over finite
words is easy (1) construct its deterministic
equivalent by subset construction and then (2)
interchange accepting and nonaccepting states
For BA theres a problem not every BA is
equivalent to det BA. A language recognized by a
det BA satisfies the following condition, for
each word v ? ??
If there are infinitely many finite prefixes
of v whose finite runs reach an accepting
state then v is in the language.

Justification If the automaton is deterministic
there is a unique run for each finite prefix of a
word.
Suppose there are infinitely many finite prefixes
of v whose finite runs reach accepting states.
These runs are prefixes of the unique run of the
automaton on v. By definition this run must be
accepting.
Conversely if v is in the language it corresponds
to a run p which is accepting there are
infinitely many i such that p(i) is an accepting
state for each i we have a finite prefix of v
whose finite run reaches an accepting state.

24
(No Transcript)
25

A nondeterministic automaton whose language is
the set of words that have only a finite number
of as.
Why? Recall that if a word is recognized it
corresponds to a run over the automaton which
corresponds to a function from the natural
numbers to Q (with some conditions). If a word is
accepted the state q1 must occur infinitely many
times in the run. Let i be the first time it
occurs then the word has at most i-1 as.
There is no det BA that recognizes this language
Suppose there were a det BA that recognizes this
language then it would have to reach some
accepting state after a finite string bn1 some n1
gt 0 else b ? would not be in the language.
Continuing it must reach an accepting state after
bn1abn2, else bn1ab? would not be in the language
and again after bn1abn2abn3 etc. Eventually we
conclude that
bn1abn2abn3 with infinitely many as must
be in the language which is a contradiction.

26
Generalized BA

Sometimes convenient to work with so called
generalized Buchi Automaton which has
acceptance component of the form of F a subset of
2Q (ie, an element Pi of F is a set of states
(this doesnt extend set of languages expressible
by BA). A run p is accepting iff for each Pi ? F,
inf (p) n Pi? Ø
Use of multiple fairness constraints with Kripke
structures corresponds with acceptance in
generalized BA
Translation from generalized BA to BA (see next
slide) expands the size of automaton by a factor
of n 1, when F P1,,Pn
Exercise for next assignment show the two
automata accept the same language.

27
(No Transcript)
28
Checking Emptiness and the double DFS

Claim Checking nonemptiness of L(B) is
equivalent to finding a strongly connected
component that is reachable from the initial
state and contains an accepting state.
Proof Let L(B) be nonempty let p be an
accepting run of B (?, Q, ?, Q0, F). Then inf
(p) n F ? Ø so p contains infinitely many states
from F. Since Q is finite, there is some suffix
p of p such that every state on it appears
infinitely many times (assume not --- then for
every suffix p there is a state on it that
appears only a finite number of times end up
with a suffix of p of infinite length and no
states). At least one of the states on it must be
from F since at least one of them appears
infinitely many times. Each state on p is
reachable from any other state on p hence the
states in p are included in a strongly connected
component containing an accepting state. This
component is reachable from the initial state.
Conversely, any strongly connected component
that is reachable from an initial state and
contains an accepting state generates an
accepting run of the automaton, so L(B) is
nonempty.

Conclude L(B) is nonempty iff there is a
reachable accepting state with a cycle back to
itself hence the nodes of the cycle are in a
SCC. Conversely, given a SCC with an accepting
state, it is possible to find a cycle thru the
accepting state
Significance if L(B) is nonempty, there is a run
in L(B) which can be represented in a finitary
manner it is constructed from a finite prefix
and a periodic sequence of states. (In text they
say counterexample where I say run in L(B) this
run is the counterexample discussed below also
is counterexample to emptiness)
If B is the intersection of the automaton
that represents the checked system and an
automaton that represents the complement of the
specification, this run in L(B) is a
counterexample to the desired specification, and
shows specification does not hold (in general)

30
(No Transcript)
31

Using Dfs1 on B, add states to hash table until
you find an accepting state q invoke Dfs2 on q
to inspect successors q of q to determine
if a successor q is on Dfs1 stack which gives
an accepting cycle and terminates, and returns
True
OR
If else performs Dfs2 on q
When the algorithm terminates with True, a cycle
thru a reachable state is reported as a
counterexample. Let q1 be the accepting state
that started the Dfs2 the Dfs1 stack contains a
path from an initial state to q1 --- this path is
the finite prefix of the counterexample. Let q2
be the state that terminates Dfs2. The periodic
part consists of a path from q1 to q1 and is
constructed as follows the Dfs2 stack contains a
path from q1 to q2 q2 appears on the search
stack of Dfs1 states that were inserted on Dfs1
stack after q2 was inserted complete a cycle back
to q1.
Theorem (Correctness) The double FDFS algorithms
returns a counterexample for the emptiness of the
checked automaton if and only if the language
L(B) is not empty.
Proof see text

Algorithm to translate a LTL formula to
generalized BA is found in text
Remark the negation of the specification formula
f is translated translating f and then finding
the complement automaton may result in an
automaton whose size is doubly exponential in the
size of f while at worst translating f results
in an automaton which size is exponential in the
size of f.
(The languages of the resulting automata are the
same)

33
On the fly model checking

Model checking efficiently instead of
constructing both the system model automaton (the
BA) A and the property (specification) automaton
S, and then the intersection automaton,
construct S and use it to guide the construction
of A while computing intersection
Frequently find a counter example when only a
small portion of state space for the
intersection is generated
Suppose double Dfs is used to check emptiness of
intersection of A and S. Recall states of
intersection are pairs of states from A and S
the states of A are all accepting so a state of
the automaton for the intersection is accepting
iff its S component is accepting
In on the fly model checking, the states of the
automaton for the intersection are computed as
they are needed by the double DFS algorithm as
follows

Assume S and the part of A used in the search so
far have been constructed. Let s (r,q) be the
current state of the double Dfs, r ? A and q ? S.
To continue, compute the successors of s one at a
time. All successors qi of q have been
constructed let r be successor of r that is
calculated next. Then a successor si (r, qi)
exists exactly if the labelings of the transition
from r to r and q to qi with propositions from
AP are the same Two ways of reducing the state
space result
Labeling of r doesnt agree with any of the
successors of q - search algorithm doesnt
explore successors of r
A cycle is detected before the algorithm
backtracks to s search terminates before
additional successors of s which may involves
other successors of r are explored.

35
Interesting application of MC

Theorem Let A and A be Buchi automata there
is a Kripke structure M(A,A) over AP p,p
such that
L(A) L(A) iff M(A,A) A (GF q
gt GF q)
So we can use MC to determine language
containment!
Remark construction of M(A,A) is in the text