emptiness of büchi automata - university of...
Post on 20-Jul-2018
223 Views
Preview:
TRANSCRIPT
Automata-Theoretic LTL ModelChecking
Graph Algorithms for Software Model Checking
(based on Arie Gurfinkel’s csc2108 project)
Automata-Theoretic LTL Model Checking – p.1
Emptiness of Büchi Automata
ab c
d
e
f
An automation is non-empty iffthere exists a path to an accepting state,such that there exists a cycle containing it
Is this automaton empty?No – it accepts
Automata-Theoretic LTL Model Checking – p.2
Emptiness of Büchi Automata
ab c
d
e
f
An automation is non-empty iffthere exists a path to an accepting state,such that there exists a cycle containing it
Is this automaton empty?
No – it accepts
Automata-Theoretic LTL Model Checking – p.2
Emptiness of Büchi Automata
ab c
d
e
f
An automation is non-empty iffthere exists a path to an accepting state,such that there exists a cycle containing it
Is this automaton empty?No – it accepts � � � � � �
�
Automata-Theoretic LTL Model Checking – p.2
Emptiness of Büchi Automata
ab c
d
e
f
a
An automation is non-empty iffthere exists a path to an accepting state,such that there exists a cycle containing it
Is this automaton empty?No – it accepts � � � � � �
�
Automata-Theoretic LTL Model Checking – p.2
Emptiness of Büchi Automata
ab c
d
e
f
ab
An automation is non-empty iffthere exists a path to an accepting state,such that there exists a cycle containing it
Is this automaton empty?No – it accepts � � � � � �
�
Automata-Theoretic LTL Model Checking – p.2
Emptiness of Büchi Automata
ab c
d
e
f
ab
e
An automation is non-empty iffthere exists a path to an accepting state,such that there exists a cycle containing it
Is this automaton empty?No – it accepts � � � � � �
�
Automata-Theoretic LTL Model Checking – p.2
Emptiness of Büchi Automata
ab c
d
e
f
ab
e
f
An automation is non-empty iffthere exists a path to an accepting state,such that there exists a cycle containing it
Is this automaton empty?No – it accepts � � � � � �
�
Automata-Theoretic LTL Model Checking – p.2
LTL Model-Checking
LTL Model-Checking = Emptiness of Büchi automataa tiny bit of automata theory +trivial graph-theoretic problem
typical solution – use depth-first search (DFS)
Problem: state-explosion
the graph is HUGEThe result
LTL model-checking is just a very elaborate DFS
Automata-Theoretic LTL Model Checking – p.3
Depth-First Search – Refresher
depth-first tree
Automata-Theoretic LTL Model Checking – p.4
Depth-First Search – Refresher
1
depth-first tree
Automata-Theoretic LTL Model Checking – p.4
Depth-First Search – Refresher
1
2
depth-first tree
Automata-Theoretic LTL Model Checking – p.4
Depth-First Search – Refresher
1
2
3
depth-first tree
Automata-Theoretic LTL Model Checking – p.4
Depth-First Search – Refresher
1
2
3 4
depth-first tree
Automata-Theoretic LTL Model Checking – p.4
Depth-First Search – Refresher
1
2
3 4
5
depth-first tree
Automata-Theoretic LTL Model Checking – p.4
Depth-First Search – Refresher
1
2
3 4
5
6
depth-first tree
Automata-Theoretic LTL Model Checking – p.4
Depth-First Search – Refresher
1
2
3 4
5
67
depth-first tree
Automata-Theoretic LTL Model Checking – p.4
Depth-First Search – Refresher
1
2
3 4
5
67
depth-first tree
1 2 3
7
4 5 6
Automata-Theoretic LTL Model Checking – p.4
DFS – The Algorithm
1: proc � � � � � �
2: add � to � � � � � � �
3: � � � � � � �
4: � � � � � � � � � �
5: for all � � � � � � � � � do6: if � �� � � � � � � � then7: � � � � � �
8: end if9: end for
10: � � � � � � �
11: � � � � � � � � � �
12: end proc
Automata-Theoretic LTL Model Checking – p.5
DFS – Data Structures
implicit STACKstores the current path through the graph
Visited tablestores visited nodesused to avoid cycles
for each nodediscovery time – array �
finishing time – array �
Automata-Theoretic LTL Model Checking – p.6
What we want
Running timeat most linear — anything else is not feasible
Memory requirementssequentially accessed – like STACK
disk storage is good enoughassume unlimited supply – so can ignore
randomly accessed – like hash tablesmust use RAMlimited resource – minimizewhy cannot use virtual memory?
Automata-Theoretic LTL Model Checking – p.7
What else we want
Counterexamplesan automaton is non-empty iff exists an acceptingrunthis is the counterexample – we want it
Approximate solutionspartial result is better than nothing!
Automata-Theoretic LTL Model Checking – p.8
DFS – Complexity
Running timeeach node is visited oncelinear in the size of the graph
Memorythe STACK
accessed sequentiallycan store on disk – ignore
Visited tablerandomly accessed – important
� Visited � � � � �� – number of nodes in the graph
� – number of bits needed to represent each node
Automata-Theoretic LTL Model Checking – p.9
Take 1 – Tarjan’s SCC algorithm
1
2
3
7 4
5
6
1
2
3 4
5
67
Idea: find all maximal SCCs: SCC � , SCC � , etc.an automaton is non-empty iff exists SCC �
containing an accepting state
Fact: each SCC is a sub-tree of DFS-treeneed to find roots of these sub-trees
Automata-Theoretic LTL Model Checking – p.10
Take 1 – Tarjan’s SCC algorithm
1
2
3
7 4
5
6
1
2
3 4
5
67
Idea: find all maximal SCCs: SCC � , SCC � , etc.an automaton is non-empty iff exists SCC �
containing an accepting state
Fact: each SCC is a sub-tree of DFS-treeneed to find roots of these sub-trees
Automata-Theoretic LTL Model Checking – p.10
Take 1 – Tarjan’s SCC algorithm
1
2
3
7 4
5
6
1
2
3 4
5
67
Idea: find all maximal SCCs: SCC � , SCC � , etc.an automaton is non-empty iff exists SCC �
containing an accepting state
Fact: each SCC is a sub-tree of DFS-treeneed to find roots of these sub-trees
Automata-Theoretic LTL Model Checking – p.10
Finding a Root of an SCC
For each node �, compute � � � � � � � �
� � � � � � � � is the minimum ofdiscovery time of �
discovery time of �, where
� belongs to the same SCC as �
the length of a path from � to � is at least 1
Fact: � is a root of an SCC iff
� � � � � � � � � � �
Automata-Theoretic LTL Model Checking – p.11
Finally: the algorithm
1: proc � � �_ � � � � � � �
2: add to � � � � �
3: � � � � � � � �
4: � � � � � � � � � �
5: � � � � � � � � � � � � �
6: push on � � � � �
7: for all � � ! " " � do8: if � # � � � � � then9: � � �_ � � � � � � � �
10: � � � � � � � � � � $ % & � � � � � � � � ' � � � � � � � � � �
11: else if � � � � ( � � � and � is on � � � � � then12: � � � � � � � � � � $ % & � � � � ' � � � � � � � � �
13: end if14: end for15: if � � � � � � � � � � � � then16: repeat17: pop ) from top of � � � � �
18: if ) * then19: terminate with “Yes”20: end if21: until ) �
22: end if23: end proc
1
2
3 4
5
67
Automata-Theoretic LTL Model Checking – p.12
Finally: the algorithm
1: proc � � �_ � � � � � � �
2: add to � � � � �
3: � � � � � � � �
4: � � � � � � � � � �
5: � � � � � � � � � � � � �
6: push on � � � � �
7: for all � � ! " " � do8: if � # � � � � � then9: � � �_ � � � � � � � �
10: � � � � � � � � � � $ % & � � � � � � � � ' � � � � � � � � � �
11: else if � � � � ( � � � and � is on � � � � � then12: � � � � � � � � � � $ % & � � � � ' � � � � � � � � �
13: end if14: end for15: if � � � � � � � � � � � � then16: repeat17: pop ) from top of � � � � �
18: if ) * then19: terminate with “Yes”20: end if21: until ) �
22: end if23: end proc
1
2
3 4
5
67
Automata-Theoretic LTL Model Checking – p.12
Tarjan’s SCC algorithm – Analysis
Running timelinear in the size of the graph
MemorySTACK – sequential, ignore
� � � � � � � – � � � � � �� � � � � � � – � � � � � � (wasted space?)
� is not known a prioriassume � is at least � � � �
Counterexamplescan be extracted from the STACKeven more – get multiple counterexamples
If we sacrifice some of generality, can we do better?
Automata-Theoretic LTL Model Checking – p.13
Take 2 – Two Sweeps
1 2 3 4 5
Don’t look for maximal SCCs
Find a reachable accepting state that is on a cycle
Idea: use two sweepssweep one: find all accepting statessweep two: look for cycles from accepting states
Problem?no longer a linear algorithm (revisit the statesmultiple times)
Automata-Theoretic LTL Model Checking – p.14
Take 2 – Two Sweeps
1 2 3 4 5
Don’t look for maximal SCCs
Find a reachable accepting state that is on a cycle
Idea: use two sweepssweep one: find all accepting statessweep two: look for cycles from accepting states
Problem?no longer a linear algorithm (revisit the statesmultiple times)
Automata-Theoretic LTL Model Checking – p.14
Take 2 – Two Sweeps
1 2 3 4 5
Don’t look for maximal SCCs
Find a reachable accepting state that is on a cycle
Idea: use two sweepssweep one: find all accepting statessweep two: look for cycles from accepting states
Problem?no longer a linear algorithm (revisit the statesmultiple times)
Automata-Theoretic LTL Model Checking – p.14
Fixing non-linearity: Graph Theoretic Result
Fact: let � and � be two nodes, such that
� � � � � � is not on a cycle
then, no cycle containing � contains nodesreachable from �
Automata-Theoretic LTL Model Checking – p.15
Fixing non-linearity: Graph Theoretic Result
Fact: let � and � be two nodes, such that
� � � � � � is not on a cycle
then, no cycle containing � contains nodesreachable from �
Automata-Theoretic LTL Model Checking – p.15
Fixing non-linearity: Graph Theoretic Result
Fact: let � and � be two nodes, such that
� � � � � � is not on a cycle
then, no cycle containing � contains nodesreachable from �
Automata-Theoretic LTL Model Checking – p.15
Take 3 – Double DFS
1: proc � * � � �
2: add to � � � � �
3: for all � � ! " " � do4: if � # � � � � � then5: � * � � � �
6: end if7: end for8: if * then9: add to �
10: end if11: end proc
1: proc � � � � � � � �
2: while � # � � � do3: � � � � � � ! � ! � � �
4: � * � � � ' � �
5: end while6: terminate with “No”7: end proc
1: proc � * � � ' � �
2: add to � � � � �
3: for all � � ! " " � do4: if � � then5: terminate with “Yes”6: else if � # � � � � � then7: � * � � � ' � �
8: end if9: end for10: end proc
1: proc � � * � �
2: � � �
3: � � � � � � �
4: � * � � �
5: � � � � � � �
6: � � � � � � � �
7: end proc
Automata-Theoretic LTL Model Checking – p.16
Double DFS – Analysis
Running timelinear! (single � � � � � � � table for different final states,so no state is processed twice)
Memory requirements
� � � � � �
Problemwhere is the counterexample?!
Automata-Theoretic LTL Model Checking – p.17
Take 4 – Nested DFS
Ideawhen an accepting state is finished
stop first sweepstart second sweep
if cycle is found, we are doneotherwise, restart the first sweep
As good as double DFS, butdoes not need to always explore the full graphcounterexample is readily available
a path to an accepting state is on the stack of thefirst sweepa cycle is on the stack of the second
Automata-Theoretic LTL Model Checking – p.18
A Few More Tweaks
No need for two Visited hashtablesempty hashtable wastes spacemerge into one by adding one more bit to each node
� � � � � � � � � � � � � iff � was seen by the first sweep
� � � � � � � � � � � � � iff � was seen by the second sweep
Early termination conditionnested DFS can be terminated as soon as it finds anode that is on the stack of the first DFS
Automata-Theoretic LTL Model Checking – p.19
On-the-fly Model-Checking
Typical problem consists ofdescription of several process � � � � � � � � �
property � in LTL
Before applying DFS algorithmconstruct graph for � � � �
� � �� �
construct Büchi automaton � � for �
construct Büchi automaton for � � � �
But,all constructions can be done in DFS ordercombine everything with the searchresult: on-the-fly algorithm, only the necessary partof the graph is built
Automata-Theoretic LTL Model Checking – p.20
On-the-fly Model-Checking
Typical problem consists ofdescription of several process � � � � � � � � �
property � in LTL
Before applying DFS algorithmconstruct graph for � � � �
� � �� �
construct Büchi automaton � � for �
construct Büchi automaton for � � � �
But,all constructions can be done in DFS ordercombine everything with the searchresult: on-the-fly algorithm, only the necessary partof the graph is built
Automata-Theoretic LTL Model Checking – p.20
State Explosion Problem
the size of the graph to explore is huge
on real programsDFS dies after examining just 1% of the state space
What can be done?abstraction
false negativespartial order reduction. (to be covered)
exact – but not applicable to full LTLpartial exploration – explore as much as possible
false positives
In practice – combine all 3
Automata-Theoretic LTL Model Checking – p.21
Partial exploration techniques
Explore as much of the graph as possible
The requirementsmust be compatible with
on-the-fly model-checkingnested depth-first search
size of the graph not known a priorimust perform as good as full exploration whenenough memory is available
must degrade gracefully
We will look at two techniquesbitstate hashinghashcompact – a type of state compression
Automata-Theoretic LTL Model Checking – p.22
Bitstate Hashing
a hashtable isan array � of � entriesa hash function � � � � � States � � � � � � �
a collision resolution protocol
to insert � into a hashtablecompute � � � � � � �
if � � � � � � � � is empty, � � � � � � � � � �
otherwise, apply collision resolution
to lookup �
if � � � � � � � � is empty, � is not in the tableelse if � � � � � � � � � �, � is in the tableotherwise, apply collision resolution
Automata-Theoretic LTL Model Checking – p.23
Bitstate Hashing
if there are no collisions, don’t need to store � at all!instead, just store one bit – empty or not
even better, use two hash functionsto insert �, set � � � � � � � � � � � and � � � � � � � � � � �
sound with respect to false answersif a counterexample is found, it is found!
in practice, up to � � � coverage
collisions increase gradually when not enough memory
coverage decreases at the rate collisions increase
Automata-Theoretic LTL Model Checking – p.24
Why does this work?
If nested DFS stops when a successor to � in � � � � ison the stack of � � � � , how is soundness guaranteed,i.e., why is the counterexample returned bymodel-checker real?
Answer: States are stored on the stack without hashing,since stack space does not need to be saved.
Automata-Theoretic LTL Model Checking – p.25
Hashcompact
Assume a large virtual hashtable, say � � � entries
For each node �,instead of using �,use � � � � � � � , its hash value in the large table
Store � � � � � � � in a normal hashtable,or even the one with bitstate hashing
When there is enough memory
probability of missing a node is � � �� �
Degradationexpected coverage decreases rapidly, when notenough memory
Automata-Theoretic LTL Model Checking – p.26
Symbolic LTL Model-Checking
LTL Model-Checking = Finding a reachable cycle
Represent the graph symbolicallyand use symbolic techniques to search
There exists an infinite path from �, iff � � � � true � � � � �
the graph is finiteinfinite � cyclic!
exists a cycle containing an accepting state � iff �
occurs infinitely oftenuse fairness to capture accepting states
LTL Model-Checking = � � true under fairness!
Automata-Theoretic LTL Model Checking – p.27
food for slide eater
Automata-Theoretic LTL Model Checking – p.28
top related