a.a. 2003-2004, cdls in informatica introduction to formal methods … › ~artale › fm ›...
TRANSCRIPT
![Page 1: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/1.jpg)
1. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
A.A. 2003-2004, CDLS in Informatica
Introduction to Formal
Methods for SW and HW
Development
08: Automata-Theoretic LTL ModelChecking
Roberto Sebastiani – [email protected]
Some material (text, figures) displayed in these slides is courtesy of M. Benerecetti, A. Cimatti, F. Giunchiglia, P. Pandya, M. Pistore, M. Roveri.
CDLS in Informatica
![Page 2: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/2.jpg)
2. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Content� � THE PROBLEM . . . . . . . . . . . . . . . . . 2
� AUTOMATA ON FINITE WORDS . . . . . . . . 7
� AUTOMATA ON INFINITE WORDS . . . . . . . 25
� FROM KRIPKE STRUCTURES TO BUCHI AUT. 41
� FROM LTL FORMULAS TO BUCHI AUTOMATA . 45
� AUTOMATA-THEORETIC LTL MODEL CHECKING 60
CDLS in Informatica
![Page 3: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/3.jpg)
3. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
The problem
� Given a Kripke structure M and an LTL specification ψ, does Msatisfy ψ?:
M ��� ψ
� Equivalent to the CTL � M.C. problem:
M � � Aψ
� Dual CTL � M.C. problem:
M � � E� ψ
CDLS in Informatica
![Page 4: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/4.jpg)
4. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Automata-Theoretic LTL Model Checking
� M � � Aψ (CTL � )
� � M � � ψ (LTL)
� � L � M ��� L � ψ �
� � L � M ��� L � ψ � � ��
� � L � AM ��� L � A ψ � � ��
� � L � AM A ψ � � ��
� AM is a Buchi Automaton equivalent to M (which represents all
and only the executions of M)
� A ψ is a Buchi Automaton which represents all and only the
paths that satisfy� ψ (do not satisfy ψ)
� � AM A ψ represents all and only the paths appearing in Mand not in ψ.
CDLS in Informatica
![Page 5: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/5.jpg)
5. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Automata-Theoretic LTL M.C. (dual version)
� M � � Eϕ
� � M �� � A� ϕ
� � ...
� � L � AM Aϕ � �� � �
� AM is a Buchi Automaton equivalent to M (which represents all
and only the executions of M)
� Aϕ is a Buchi Automaton which represents all and only the
paths that satisfy ϕ
� � AM Aϕ represents all and only the paths appearing in both
AM and Aϕ.
CDLS in Informatica
![Page 6: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/6.jpg)
6. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Automata-Theoretic LTL Model Checking
Four steps:
1. Compute AM
2. Compute Aϕ
3. Compute the product AM Aϕ
4. Check the emptiness of L � AM Aϕ �
CDLS in Informatica
![Page 7: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/7.jpg)
7. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Content� THE PROBLEM . . . . . . . . . . . . . . . . . 2
� � AUTOMATA ON FINITE WORDS . . . . . . . . 7
� AUTOMATA ON INFINITE WORDS . . . . . . . 25
� FROM KRIPKE STRUCTURES TO BUCHI AUT. 41
� FROM LTL FORMULAS TO BUCHI AUTOMATA . 45
� AUTOMATA-THEORETIC LTL MODEL CHECKING 60
CDLS in Informatica
![Page 8: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/8.jpg)
8. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Finite Word Languages
� An Alphabet Σ is a collection of symbols (letters).
E.g. Σ � � a�
b� .
� A finite word is a finite sequence of letters. (E.g. aabb.)
The set of all finite words is denoted by Σ � .
� A language U is a set of words, i.e. U � Σ � .
Example: Words over Σ � � a�
b� with equal number of a’s and
b’s. (E.g. aabb or abba.)
Language recognition problem:
determine whether a word belongs to a language.
Automata are computational devices able to solve language
recognition problems.
CDLS in Informatica
![Page 9: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/9.jpg)
9. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Finite State Automata
Basic model of computational systems with finite memory.
Widely applicable
� Embedded System Controllers.
Languages: Ester-el, Lustre, Verilog.
� Synchronous Circuits.
� Regular Expression Pattern Matching
Grep, Lex, Emacs.
� Protocols
Network Protocols
Architecture: Bus, Cache Coherence, Telephony,...
CDLS in Informatica
![Page 10: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/10.jpg)
10. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Notation
a
�
b � Σ finite alphabet.
u
�
v
�
w � Σ � finite words.
λ empty word.
u� v catenation.
ui � u� u� � u repeated i-times.
U
�
V� Σ � Finite word languages.
CDLS in Informatica
![Page 11: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/11.jpg)
11. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
FSA Definition
Nondeterministic Finite State Automaton (NFA):
NFA is � Q �
Σ�
δ�
I�
F �Q Finite set of states.
I� Q set of initial states.
F� Q set of final states.
� � Q Σ Q transition relation (edges).
We use qa� � q� to denote � q �
a
�
q� � � δ.
Deterministic Finite State Automaton (DFA):
DFA has δ : Q Σ � Q, a total function.
Single initial state I � � q0� .
CDLS in Informatica
![Page 12: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/12.jpg)
12. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Regular Languages
� A run of NFA A on u � a0 �
a1 �
� � ��
an� 1 is a finite sequence of
states q0 �
q1 �
� � ��
qn s.t. q0 � I and qiai� � qi � 1 for 0 � i � n.
� An accepting run is one where the last state qn � F .
� The language accepted by AL � A � � � u � Σ � � A has an accepting run on u�
� The languages accepted by a NFA are called regular
languages.
CDLS in Informatica
![Page 13: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/13.jpg)
13. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Finite State Automata
Example: DFA A1 over Σ � � a
�
b� .
Recognizes words which do not end in b.
s1 s2
a b b
a
NFA A2. Recognizes words which end in b.
s1 s2
ba,b
b
CDLS in Informatica
![Page 14: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/14.jpg)
14. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Determinisation
Theorem (determinisation) Given a NFA A we can construct a
DFA A� s.t. L � A � � L � A� � . Size �A� � � 2O
� �
A
�� .
CDLS in Informatica
![Page 15: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/15.jpg)
15. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Determinisation [cont.]
NFA A2: Words which end in b.
s1 s2
ba,b
b
A2 can be determinised into the automaton DA2 below.
States = 2Q.
s1
a b b
a
s1,s2
Study Topic There are NFA’s of size n for which the size of the
minimum sized DFA must have size O � 2n � .
CDLS in Informatica
![Page 16: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/16.jpg)
16. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Closure Properties
Theorem (boolean closure) Given NFA A1 �
A2 over Σ we can
construct NFA A over Σ s.t.
� L � A � � L � A1 � (Complement). � A � � 2O
� �
A1 �� .
� L � A � � L � A1 � � L � A2 � (union). � A � � � A1 ��� � A2 � .
� L � A � � L � A1 � � L � A2 � (intersection). � A � � � A1 ��� � A2 � .
CDLS in Informatica
![Page 17: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/17.jpg)
17. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Complementation of a NFA
A NFA A � � Q �
Σ
�
δ
�
I
�
F � is complemented by:
� determinizing it into a DFA A� � � Q��
��
�
I��
F� �
� complementing it: A� � � Q��
��
�
I��
F� �
� � A� � � � A� � � 2O
� �
A1 ��
CDLS in Informatica
![Page 18: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/18.jpg)
18. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Union of two NFA’s
Two NFA’s A1 � � Q1 �
Σ1 �
δ1 �
I1 �
F1 � , A2 � � Q2 �
Σ2 �
δ2 �
I2 �
F2 � ,A � A1 � A2 � � Q �
Σ
�
δ
�
I
�
F � is defined as follows
� Q : � Q1 � Q2, I : � I1 � I2, F : � F1 � F2
� R � s �
s� � : �
R1 � s �
s� � i f s � Q1
R2 � s �
s� � i f s � Q2
� � A is an automaton which just runs nondeterministically either
A1 or A2
� L � A � � L � A1 � � L � A2 �
� � A � � � A1 �� � A2 �
CDLS in Informatica
![Page 19: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/19.jpg)
19. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Synchronous Product Construction
Let A1 � � Q1 �
Σ
�
δ1 �
I1 �
F1 � and A2 � � Q2 �
Σ
�
δ2 �
I2 �
F2 � . Then,
A1 A2 � � Q �
Σ�
δ�
I
�
F � where
� Q � Q1 Q2. I � I1 I2.
F � F1 F2.
� � p
�
q �
a� � � p��
q� � iff pa� � p� and q
a� � q� .
Theorem L � A1 A2 � � L � A1 � � L � A2 � .
CDLS in Informatica
![Page 20: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/20.jpg)
20. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Example
a
a
b b bb
aa a
b
s0
t12t
t0
s1
� A1 recognizes words with an even number of b.
� A2 recognizes words with a number of a mod 3 � 0.
� The Product Automaton A1 A2 with F � � s0 �
t0� .
2tt1
t0
t12ts0s0
s1
s1s1
t0s0
aa a
aa a
b
b
b
b b
b
CDLS in Informatica
![Page 21: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/21.jpg)
21. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Synchronized Product Construction
Let A1 � � Q1 �
Σ1 �
δ1 �
I1 �
F1 � and A2 � � Q2 �
Σ2 �
δ2 �
I2 �
F2 � .Then,
A1 �
A2 � � Q �
Σ
�
δ�
I�
F � , where
� Q � Q1 Q2. Σ � Σ1 � Σ2.
I � I1 I2. F � F1 F2.
� � p
�
q �
a� � � p��
q� � if a � Σ1� Σ2 and pa� � p� and q
a� � q� .
� � p
�
q �
a� � � p��
q � if a � Σ1, a �� Σ2 and pa� � p� .
� � p
�
q �
a� � � p
�
q� � if a �� Σ1, a � Σ2 and qa� � q� .
CDLS in Informatica
![Page 22: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/22.jpg)
22. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Asynchronous Product Construction
Let A1 � � Q1 �
Σ1 �
δ1 �
I1 �
F1 � and A2 � � Q2 �
Σ2 �
δ2 �
I2 �
F2 � .Then,
A1 � A A2 � � Q �
Σ�
δ�
I�
F � , where
� Q � Q1 Q2. Σ � Σ1 � Σ2.
I � I1 I2. F � F1 F2.
� � p
�
q �
a� � � p��
q � if a � Σ1 and pa� � p� .
� � p
�
q �
a� � � p
�
q� � if a � Σ2 and qa� � q� .
CDLS in Informatica
![Page 23: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/23.jpg)
23. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Decision Problems
Theorem (Emptiness) Given a NFA A we can decide whether
L � A � � /0.
Method Forward/Backward Reachability of acceptance states in
Automaton graph. Complexity is O � � Q �� � δ � � .
Theorem (Language Containment) Given NFA A1 and A2 we
can decide whether L � A1 ��� L � A2 � .
Method: L � A1 � � L � A2 � iff L � A1 � � L � A2 � � /0. Complexity is
O � � A1 ��� 2 �
A2 � � .N.B. Model Checking:
Typically, L � A1 A2 � � � An � � L � Aprop � .
CDLS in Informatica
![Page 24: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/24.jpg)
24. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Regular Expressions
Syntax: /0 � ε � a � reg1� reg2 � reg1� reg2 � reg � .
Every regular expression reg denotes a language L � reg � .Example: � a �� � b� bb �� a � . The words with either 1 b or 2
consecutive b’s.
Theorem: For every regular expression reg we can construct a
language equivalent NFA of size O � � reg � � .
Theorem: For every DFA A we can construct a language
equivalent regular expression reg � A � .
CDLS in Informatica
![Page 25: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/25.jpg)
25. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Content� THE PROBLEM . . . . . . . . . . . . . . . . . 2
� AUTOMATA ON FINITE WORDS . . . . . . . . 7
� � AUTOMATA ON INFINITE WORDS . . . . . . . 25
� FROM KRIPKE STRUCTURES TO BUCHI AUT. 41
� FROM LTL FORMULAS TO BUCHI AUTOMATA . 45
� AUTOMATA-THEORETIC LTL MODEL CHECKING 60
CDLS in Informatica
![Page 26: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/26.jpg)
26. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Infinite Word Languages
Modeling infinite computations of reactive systems.
� An ω-word α over Σ is infinite sequence
a0 �
a1 �
a2� � � .
Formally, α : � � Σ.
The set of all infinite words is denoted by Σω.
� A ω-language L is collection of ω-words, i.e. L� Σω.
Example All words over � a
�
b� with infinitely many a’s.
Notation
omega words α
�
β
�
γ � Σω.
omega-languages L
�
L1� Σω
For u � Σ � , let uω � u� u� u� � �
CDLS in Informatica
![Page 27: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/27.jpg)
27. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Omega-Automata
We consider automaton runs over infinite words.
s1 s2
ba,b
b
Let α � aabbbb� � � . There are several possible runs.
Run ρ1 � s1 �
s1 �
s1 �
s1 �
s2 �
s2� � �
Run ρ2 � s1 �
s1 �
s1 �
s1 �
s1 �
s1� � �
Acceptance Conditions Buchi, (Muller, Rabin, Street).
Acceptance is based on states occurring infinitely often
Notation Let ρ � Qω. Then,
In f � ρ � � � s � Q ��� ∞i � � � ρ � i � � s� .
CDLS in Informatica
![Page 28: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/28.jpg)
28. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Buchi Automata
Nondeterministic Buchi Automaton
A � � Q �
Σ
�
δ�
I�
F � , where F� Q is the set of accepting states.
� A run ρ of A on omega word α is an infinite sequence
ρ � qo �
q1 �
q2 �
� � � s.t. q0 � I and qiai� � qi � 1 for 0 � i.
� The run ρ is accepting if
In f � ρ � � F �� /0.
� The language accepted by AL � A � � � α � Σω � A has an accepting run on α�
CDLS in Informatica
![Page 29: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/29.jpg)
29. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Buchi Automaton: Example
Let Σ � � a�
b� .
Let a Deterministic Buchi Automaton (DBA) A1 be
s1 s2
a b b
a
� With F � � s1� the automaton recognizes words with infinitely
many a’s.
� With F � � s2� the automaton recognizes words with infinitely
many b’s.
CDLS in Informatica
![Page 30: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/30.jpg)
30. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Buchi Automaton: Example (2)
Let a Nondeterministic Buchi Automaton (NBA) A2 be
s1 s2
ba,b
b
With F � � s2� , automaton A2 recognizes words with finitely
many a.Thus, L � A2 � � L � A1 � .
CDLS in Informatica
![Page 31: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/31.jpg)
31. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Deterministic vs. Nondeterministic Buchi Automata
Theorem DBA’s are strictly less powerful than NBA’s.
CDLS in Informatica
![Page 32: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/32.jpg)
32. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Closure Properties
Theorem (union, intersection)
For the NBA’s A1 �
A2 we can construct
– the NBA A s.t. L � A � � L � A1 � � L � A2 � . � A � � � A1 �� � A2 �
– the NBA A s.t. L � A � � L � A1 � � L � A2 � . � A � � � A1 ��� � A2 ��� 2.
CDLS in Informatica
![Page 33: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/33.jpg)
33. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Union of two NBA’s
Two NBA’s A1 � � Q1 �
Σ1 �
δ1 �
I1 �
F1 � , A2 � � Q2 �
Σ2 �
δ2 �
I2 �
F2 � ,A � A1 � A2 � � Q �
Σ
�
δ
�
I
�
F � is defined as follows
� Q : � Q1 � Q2, I : � I1 � I2, F : � F1 � F2
� R � s �
s� � : �
R1 � s �
s� � i f s � Q1
R2 � s �
s� � i f s � Q2
� � A is an automaton which just runs nondeterministically either
A1 or A2
� L � A � � L � A1 � � L � A2 �
� � A � � � A1 �� � A2 �
� (same construction as with ordinary automata)
CDLS in Informatica
![Page 34: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/34.jpg)
34. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Synchronous Product of NBA’s
Let A1 � � Q1 �
Σ
�
δ1 �
I1 �
F1 � and A2 � � Q2 �
Σ
�
δ2 �
I2 �
F2 � .Then, A1 A2 � � Q �
Σ
�
δ
�
I
�
F � , where
Q � Q1 Q2 � 1
�
2� .
I � I1 I2 � 1� .
F � F1 Q2 � 1� .
� p
�
q
�
1 �
a� � � p��
q��
1 � iff pa� � p� and q
a� � q� and p �� F1.
� p
�
q
�
1 �
a� � � p��
q��
2 � iff pa� � p� and q
a� � q� and p � F1.
� p
�
q
�
2 �
a� � � p��
q��
2 � iff pa� � p� and q
a� � q� and q �� F2.
� p
�
q
�
2 �
a� � � p��
q��
1 � iff pa� � p� and q
a� � q� and q � F2.
Theorem L � A1 A2 � � L � A1 � � L � A2 � .
CDLS in Informatica
![Page 35: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/35.jpg)
35. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Product of NBA’s: Intuition
� The automaton remembers two tracks, one for each source
NBA, and it points to one of the two tracks
� As soon as it goes through an accepting state of the current
track, it switches to the other track
� � to visit infinitely often a state in F (i.e., F1), it must visit
infinitely often some state also in F2
� Important subcase: If F2 � Q2, then
Q � Q1 Q2.
I � I1 I2.
F � F1 Q2.
CDLS in Informatica
![Page 36: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/36.jpg)
36. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Product of NBA’s: Example
a
a
b b bb
aa a
b
s0
t12t
t0
s1
2tt1
t0
t12ts0s0
s1
s1s1
t0s0
2tt1
t0
t12ts0s0
s1
s1s1
t0s0
aa a
b
b
aa
aa
b
b b
b
b
b
a
a
b
a
aa
b TRACK 1
TRACK 2
1 to 22 to 1
1
1 1
1
1 1
2
2 2 2
2
2
b
b
CDLS in Informatica
![Page 37: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/37.jpg)
37. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Closure Properties (2)
Theorem (complementation)
For the NBA A1 we can construct an NBA A2 such that
L � A2 � � L � A1 � .
� A2 � � O � 2 �
A1 ��� log
� �
A1 �� � .
Method: (hint)
(1) convert a Buchi automaton into a Non-Deterministic Rabin
automaton.
(2) Determinize and Complement the Rabin automaton
(3) convert the Rabin automaton into a Buchi automaton
CDLS in Informatica
![Page 38: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/38.jpg)
38. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Generalized Buchi Automaton
A Generalized Buchi Automaton is A : � � Q �
Σ
�
δ
�
I
�
FT � where
FT � � F1 �
F2 �
� � ��
Fk � with Fi� Q.
A run ρ of A is accepting if In f � ρ ��� Fi �� /0 for each 1 � i � k.
Theorem For every Generalized Buchi Automaton � A �
FT � we
can construct a language equivalent Buchi Automaton � A��
G� � .
Construction (Hint) Let Q� � Q � 1�
� � ��
k� .
Automaton remains in i phase till it visits a state in Fi. Then, it
moves to i� 1 mode. After phase k it moves to phase 1.
Size: � A� � � � A ��� k.
CDLS in Informatica
![Page 39: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/39.jpg)
39. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Omega Regular Expressions
A language is called ω-regular if it has the form � ni � 1 Ui� � Vi � ω
where Ui �
Vi are regular languages.
Theorem A language L is ω-regular iff it is NBA-recognizable.
CDLS in Informatica
![Page 40: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/40.jpg)
40. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Decision Problem
Emptiness For a NBA A, it is decidable whether L � A � � /0.
Method
� Find the maximal strongly connected components (MSCC) in
the graph of A (disregarding the edge labels).
� A MSCC C is called non-trivial if C� F �� /0 and C has at least
one edge.
� Find all nodes from which there is a path to a non-trivial SCC.
Call the set of these nodes as N.
� L � A � � /0 iff N� I � /0.
Time Complexity: O � � Q �� � δ � � .
CDLS in Informatica
![Page 41: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/41.jpg)
41. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Content� THE PROBLEM . . . . . . . . . . . . . . . . . 2
� AUTOMATA ON FINITE WORDS . . . . . . . . 7
� AUTOMATA ON INFINITE WORDS . . . . . . . 25
� � FROM KRIPKE STRUCTURES TO BUCHI AUT. 41
� FROM LTL FORMULAS TO BUCHI AUTOMATA . 45
� AUTOMATA-THEORETIC LTL MODEL CHECKING 60
CDLS in Informatica
![Page 42: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/42.jpg)
42. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Computing a NBA AM from a Kripke Structure M
� Transforming a K.S. M ��
S
�
S0 �
R
�
L
�
AP
�
into an NBA
AM ��
Q
�
Σ�
δ�
I�
F
�
s.t.:
� States: Q : � S � � init� , init being a new initial state
� Alphabet: Σ : � 2AP
� Initial State: I : � � init�
� Accepting States: F : � Q � S � � init�
� Transitions:
δ : qa� � q� iff � q �
q� � � R and L � q� � � a
inita� � q iff q � S0 and L � q� � � a
� L � AM � � L � M �
� � AM � � � M �� 1
CDLS in Informatica
![Page 43: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/43.jpg)
43. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Computing a NBA AM from a Kripke Structure M: Example
� � Substantially, add one initial state, move labels from states
to incoming edges, set all states as accepting states
CDLS in Informatica
![Page 44: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/44.jpg)
44. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Computing a NBA AM from a Fair Kripke Structure M
� Transforming a fair K.S. M ��
S
�
S0 �
R
�
L
�
AP
�
FT
�
,
FT � � F1 �
� � ��
Fn� , into an NBA AM ��
Q
�
Σ
�
δ
�
I
�
F
�
s.t.:
� States: Q : � S � � init� , init being a new initial state
� Alphabet: Σ : � 2AP
� Initial State: I : � � init�
� Accepting States: F : � FT
� Transitions:
δ : qa� � q� iff � a �
a� � � R and L � q� � � a
inita� � q iff q � S0 and L � q� � � a
� L � AM � � L � M �
� � AM � � � M �� 1
CDLS in Informatica
![Page 45: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/45.jpg)
45. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Content� THE PROBLEM . . . . . . . . . . . . . . . . . 2
� AUTOMATA ON FINITE WORDS . . . . . . . . 7
� AUTOMATA ON INFINITE WORDS . . . . . . . 25
� FROM KRIPKE STRUCTURES TO BUCHI AUT. 41
� � FROM LTL FORMULAS TO BUCHI AUTOMATA . 45
� AUTOMATA-THEORETIC LTL MODEL CHECKING 60
CDLS in Informatica
![Page 46: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/46.jpg)
46. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Paths as ω-words
Let ϕ be an LTL formula.
� Var � ϕ � denotes the set of free variables of ϕ.
E.g. Var � p � �� q U q � � � � p
�
q� .
� Let Σ : � 2Var
�
ϕ
� .
� � a model for ϕ is an ω-word α � a0 �
a1 �
� � � in Σω.
� We can define α
�
i � � ϕ. Also, α ��� ϕ iff α
�
0 � � ϕ.
Example A model of p � �� q U q � is the ω-word
� p� � �� � � q� � � p
�
q� ω.
� N.B.: correspondence between ω-words and paths in Kripke
structures:
α
�
i ��� ϕ � � π
�
si � � ϕ, α
�
0 � � ϕ � � π
�
s0 � � ϕ
CDLS in Informatica
![Page 47: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/47.jpg)
47. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Automata for LTL model checking
Let Mod � ϕ � denote the set of models of ϕ.
Theorem For any LTL formula ϕ, the set Mod � ϕ � is
omega-regular.
� � Technique: Construct a (Generalized) NBA Aϕ such that
Mod � ϕ � � L � Aϕ � .
CDLS in Informatica
![Page 48: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/48.jpg)
48. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Closures
Closure Given ϕ � LT L, let CL� � ϕ � be the smallest set s.t.
� ϕ � CL� � ϕ � .
� If� ϕ1 � CL� � ϕ � then ϕ1 � CL� � ϕ � .
� If ϕ1� ϕ2 � CL� � ϕ � then ϕ1 �
ϕ2 � CL� � ϕ � .
� If Xϕ1 � CL� � ϕ � then ϕ1 � CL� � ϕ � .
� If � ϕ1Uϕ2 � � CL� � ϕ � then ϕ1 �
ϕ2 � CL� � ϕ � and
X � ϕ1Uϕ2 � � CL� � ϕ �
CL � ϕ � : � � ϕ1 �
� ϕ1 � ϕ1 � CL� � ϕ �� (we identify� � ϕ1 with ϕ1.)
N.B.: �CL � ϕ � � � O � � ϕ � � .
CDLS in Informatica
![Page 49: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/49.jpg)
49. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Atoms
An Atom is a maximal consistent subset of CL � ϕ � .
� Definition A set A� CL � ϕ � is called an atom if
� For all ϕ1 � CL � ϕ � , we have ϕ1 � A iff� ϕ1 �� A.
� For all ϕ1� ϕ2 � CL � ϕ � , we have ϕ1� ϕ2 � A iff ϕ1 � A or
ϕ2 � A (or both).
� For all � ϕ1Uϕ2 � � CL � ϕ � , we have � ϕ1Uϕ2 � � A iff ϕ2 � A or
(ϕ1 � A and X � ϕ1Uϕ2 � � A).
� In practice, an atom is a consistent truth assignment to the
elementary subformulas of ϕ� , ϕ� being the result of applying
the tableau expansion rules to ϕ
� We call Atoms � ϕ � the set of all atoms of ϕ.
CDLS in Informatica
![Page 50: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/50.jpg)
50. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Definition of Aϕ
For an LTL formula ϕ, we construct a Generalized NBA
Aϕ � � Q �
Σ�
δ�
Q0 �
FT � as follows:
� Σ � 2vars
�
ϕ
�
� Q � Atoms � ϕ � , the set of atoms.
� δ is s.t., for q
�
q� � Atoms � ϕ � and a � Σ, qa� � q� holds in δ iff
� q� � Var � ϕ � � a,
� for all Xϕ1 � CL � ϕ � , we have Xϕ1 � q iff ϕ1 � q� .
� Q0 � � q � Atoms � ϕ � � ϕ � q� .
� FT � � F1 �
F2 �
� � ��
Fk � where, for all � ψiUϕi � occurring
positively in ϕ,
Fi � � q � Atoms � ϕ � � � ψiUϕi � �� q or ϕi � q� .
CDLS in Informatica
![Page 51: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/51.jpg)
51. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Definition of Aϕ [cont.]
Theorem Let α � a0 �
a1 �
� � � � Σω. Then,
α � � ϕ iff α � L � Aϕ � .Size: � Aϕ � � O � 2 �
ϕ� � .
CDLS in Informatica
![Page 52: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/52.jpg)
52. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
LTL Negative Normal Form (NNF)
� Every LTL formula ϕ can be written as equivalent formula ϕ�
using only the operators� ,� X and U.
� We can further push negations down to literal level:
� � ϕ1� ϕ2 � � � �� ϕ1 � � ϕ2 �
� � ϕ1 � ϕ2 � � � �� ϕ1� � ϕ2 �
� Xϕ1 � � X� ϕ1
� � ϕ1Uϕ2 � � � �� ϕ1R� ϕ2 �
� � the resulting formula is expressed in terms of� , � , X , U, Rand literals (Negative Normal Form, NNF).
� In the construction of Aϕ we now assume that ϕ is in NNF.
CDLS in Informatica
![Page 53: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/53.jpg)
53. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Construction of Aϕ (Schema)
Apply recursively the following steps:
Step 1: Apply the tableau expansion rules to ϕψ1Uψ2 � � ψ2� � ψ1 � X � ψ1Uψ2 � �
ψ1Rψ2 � � ψ2 � � ψ1� X � ψ1Rψ2 � �
until we get a boolean combination of elementary subformulas
of ϕ
CDLS in Informatica
![Page 54: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/54.jpg)
54. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Construction of Aϕ (Schema) [cont.]
Step 2: Convert all formulas into Disjunctive Normal Form:
i
�j
li j �
k
Xψik �
� Each disjunct �
labels
�� � �
j
li j �
next part
� � � �
k
Xψik � represents a state:
� the conjunction of literals j li j represents a set of labels in Σ(e.g., if Vars � ϕ � � � p
�
q
�
r� , p � � q represents the two labels
� p
�
� q
�
r� and � p
�
� q
�
� r� )
� k Xψik represents the next part of the state (obbligations
for the successors)
� N.B., if no next part occurs, X � is implicitly assumed
CDLS in Informatica
![Page 55: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/55.jpg)
55. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Construction of Aϕ (Schema) [cont.]
Step 3: For every state represented by � j li j � k Xψik �
� draw an edge to all states which satisfy k ψik
� label the incoming edges with j li j
N.B., if no next part occurs, X � is implicitly assumed, so that an
edge to a “true” node is drawn
CDLS in Informatica
![Page 56: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/56.jpg)
56. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Construction of Aϕ (Schema) [cont.]
Step 4: For every ψiUϕi, for every state q j, mark q j with Fi iff
� ψiUϕi � �� q j or ϕi � q j
CDLS in Informatica
![Page 57: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/57.jpg)
57. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Example: pUq
ϕ � pUq
� q� � p � X � pUq � �
� � q � X � �� � p � X � pUq � �q
p
[ X(pUq) ]
pq
[ XT ] [ XT ]
N.B.: e.g.,
“� � �
p� � � � � ” here equivalent to� � � � �
p
�
q
� � �
p
� q
� �� � � � � ,
“� � � � � � � � ” here equivalent to� � � � �
p
�
q
� � �
p
� q
� � �
p
�
q
� � �
p� q
� �� � � � �
CDLS in Informatica
![Page 58: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/58.jpg)
58. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Example: FGp
ϕ � FGp
� � U � � Rp �
� � Rp� Xϕ
� � p � X � � Rp � �� � � �
� Rp
� Xϕ
p
p
p
[ XGp ] [ XFGp ]
CDLS in Informatica
![Page 59: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/59.jpg)
59. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Example: GF p
ϕ � GFp
� � R � � Up �
� � Up � Xϕ
� � p� X � Fp � � � Xϕ
� � p � Xϕ �� � Xϕ � XFp �
� � p � Xϕ �� X � ϕ � Fp �
� � p � Xϕ �� Xϕ N.B.: � ϕ � Fp � � ϕ
[ XGFp ] [ XGFp ]
pp
p
CDLS in Informatica
![Page 60: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/60.jpg)
60. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Content� THE PROBLEM . . . . . . . . . . . . . . . . . 2
� AUTOMATA ON FINITE WORDS . . . . . . . . 7
� AUTOMATA ON INFINITE WORDS . . . . . . . 25
� FROM KRIPKE STRUCTURES TO BUCHI AUT. 41
� FROM LTL FORMULAS TO BUCHI AUTOMATA . 45
� � AUTOMATA-THEORETIC LTL MODEL CHECKING 60
CDLS in Informatica
![Page 61: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/61.jpg)
61. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Automata-Theoretic LTL Model Checking
Four steps:
1. Compute AM
2. Compute Aϕ
3. Compute the product AM Aϕ
4. Check the emptiness of L � AM Aϕ �
CDLS in Informatica
![Page 62: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/62.jpg)
62. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Automata-Theoretic LTL Model Checking: complexity
Four steps:
1. Compute AM: � AM � � O � � M � �
2. Compute Aϕ
3. Compute the product AM Aϕ
4. Check the emptiness of L � AM Aϕ �
CDLS in Informatica
![Page 63: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/63.jpg)
63. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Automata-Theoretic LTL Model Checking: complexity [cont.]
Four steps:
1. Compute AM: � AM � � O � � M � �
2. Compute Aϕ: � Aϕ � � O � 2 �
ϕ
� �3. Compute the product AM Aϕ
4. Check the emptiness of L � AM Aϕ �
CDLS in Informatica
![Page 64: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/64.jpg)
64. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Automata-Theoretic LTL Model Checking: complexity [cont.]
Four steps:
1. Compute AM: � AM � � O � � M � �
2. Compute Aϕ: � Aϕ � � O � 2 �
ϕ
� �3. Compute the product AM Aϕ:
� AM Aϕ � � � AM ��� � Aϕ � � O � � M ��� 2 �
ϕ
� �
4. Check the emptiness of L � AM Aϕ �
CDLS in Informatica
![Page 65: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/65.jpg)
65. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Automata-Theoretic LTL Model Checking: complexity [cont.]
Four steps:
1. Compute AM: � AM � � O � � M � �
2. Compute Aϕ: � Aϕ � � O � 2 �
ϕ
� �3. Compute the product AM Aϕ:
� AM Aϕ � � � AM ��� � Aϕ � � O � � M ��� 2 �
ϕ
� �
4. Check the emptiness of L � AM Aϕ � :O � � AM Aϕ � � � O � �M ��� 2 �
ϕ
� �
� � the complexity of LTL M.C. grows linearly wrt. the size of
the model M and exponentially wrt. the size of the property ϕ
CDLS in Informatica
![Page 66: A.A. 2003-2004, CDLS in Informatica Introduction to Formal Methods … › ~artale › FM › 08_ltl_automata_mc.pdf · 2011-05-01 · 24. Introduction to Formal Methods for SW and](https://reader035.vdocuments.site/reader035/viewer/2022081406/5f181c1f2b811355fd25f752/html5/thumbnails/66.jpg)
66. Introduction to Formal Methods for SW and HW development, A.A. 2003-2004 c� Roberto Sebastiani, 2003
Final Remarks
� Buchi automata are in general more expressive than LTL!
� � Some tools (e.g., Spin, ObjectGEODE) allow specifications to
be expressed directly as NBA’s
� � complementation of NBA important!
� for every LTL formula, there are many possible equivalent NBA’s
� � lots of research for finding “the best” conversion algorithm
� performing the product and checking emptiness very relevant
� � lots of techniques developed (e.g., partial order reduction)
� � lots on ongoing research
CDLS in Informatica