an automata-theoretic approach to ltl
DESCRIPTION
An Automata-Theoretic Approach to LTL. Moshe Y. Vardi. Presented By: Tamar Aizikowitz Spring 2006. Presentation Outline. Finite Automata Büchi Automata Finite Alternating Automata Alternating Büchi Automata From LTL to Büchi Automata Satisfiability Validity Verification. - PowerPoint PPT PresentationTRANSCRIPT
An Automata-Theoretic Approach to LTL
Moshe Y. Vardi
Presented By:Tamar Aizikowitz
Spring 2006
2
Presentation Outline
Finite Automata Büchi Automata Finite Alternating Automata Alternating Büchi Automata From LTL to Büchi Automata Satisfiability Validity Verification
3
Introduction (1)
Program verification: always desirable, but never easy.
Step 1: Define a formal specification Linear Temporal Logic (LTL) Specification describes computation
Step 2: Check whether a given program satisfies the specification A program satisfies a specification iff all
computations satisfy the specification.
4
Introduction (2)
Interesting Questions: Is a specification satisfiable? Does a specific program satisfy a specification?
Suggested solutions: Based on Automata Theory A computation is an infinite sequence of states
we look at automata on infinite words. Given an LTL formula, construct an automaton
which accepts precisely the computations accepted by the formula.
5
Finite State Automata (1)
(Nondeterministic) finite automaton:A = ,S,S0,,F
– finite alphabet S – finite set of states S0 S – initial states F S – accepting states : S 2S – transition function
| S0 | = 1 and |(s,a)| 1 deterministic
automaton Deterministic ~ nondeterministic for FSA.
6
Finite State Automata (2)
A run r of A on a finite word w=a0 an-1 is a sequence s0,,sn such that: s0S0
si+1 (si,ai) for 0 i n-1 A run r is accepting if snF . Nondeterministic many runs on w Deterministic one run on w A word w is accepted by A iff A has an
accepting run on w.
7
Finite and Infinite Words
A finite word is an element of *, i.e. a finite sequence a0an of symbols from .
An infinite word is an element of , i.e. an sequence a0a1 of symbols from .
A finitary language is a set of finite words, i.e. a subset of *.
An infinitary language is a set of infinite words, i.e. a subset of .
8
Büchi Automata (1)
Suppose A = ,S,S0,,F receives an infinite input word w = a0a1
A run r of A on w is a sequence s0,s1,… s.t.: s0S0
si+1 (si,ai) for all 0 i
Infinite run acceptance cannot be defined by type of final state.
Instead we consider the limit behavior…
9
Büchi Automata (2)
Define: lim(r) = {s | s = si for infinitely many i’s} S is finite lim(r) A run r is accepting if lim(r)F . An infinite word w is accepted by A if A has
an accepting run on w. The infinitary language of A, L(A) = all the
infinite words that A accepts. When A is viewed as an automaton on infinite
words, A is called a Büchi automaton.
10
Example 1
L(A) = {0,1}*{1}+
L(A) = {w| w has an infinite number of 1’s}
q0 q1
1
010
11
Example 2
L(A) = {0,1}*{1}+
L(A) = {0,1}*{1}
q0 q11
10,1
12
Closure: Union
Given two finite automata A1, A2 construct A such that L(A) = L(A1)L(A2):
A = , S1S2, S10S2
0, , F1F2 (s1,a) = 1(s1,a) , s1S1
(s2,a) = 2(s2,a) , s2S2
Will the same work for Büchi automata?
Yes!
13
Closure: Intersection
Given two finite automata A1, A2 construct A such that L(A) = L(A1)L(A2):
A = , S1S2, S10 S2
0, , F1 F2 ((s,t),a) = 1(s,a) 2(t,a)
Called the product automaton.
Will the same work for Büchi automata?
No!
14
Example 3
Intersection should be all infinite words with infinitely many 0’s and 1’s.
Accepting states are visited alternately suggested product automaton will yield .
q0 q1
1
010
q0 q1
1
010
A1 A2
15
Büchi Intersection
Proposition: Büchi automata are closed under intersection.
Use labels to remember which type of accepting state we are waiting to see.
A = , S1S2 {1, 2}, S10 S2
0 {1}, , F1 S2 {1} (s’,t’,j)((s,t,i),a) if s’1(s,a) and t’2(t,a) and:
i=1 and sF1 j=2
i=2 and tF2 j=1 else i=j
16
Büchi Intersection Example
w = (001) L(A1)L(A2)
q0 q1
1
010
q0 q1
1
010
0 0 1 0 0 1 . . .A1
A2
12
17
Closure: Determinization
Given a nondeterministic finite automata A, construct Ad such that L(Ad) = L(A):
Ad = , 2S, {S0}, d, Fd Fd = {T | TF } d(T,a) = {t | t(s,a) for some sT }
Called the subset automaton.
Will the same work for Büchi automata? No!
18
Büchi Determinization (1)
Büchi automata are not closed under determinization.
Proof: There is no deterministic Büchi automaton equivalent to the nondeterministic Büchi automaton from example 2 which accepts the language L={0,1}*{1}.
19
Büchi Determinization (2)
Continued proof… Assume by way of contradiction there is such a
deterministic Büchi automaton, Ad.
1L i0 0 s.t. (s0,1i0) = sf0F
1i001L i1 0 s.t. (s0,1i0 0 1i1) = sf1F
… (s0,1i0 0 1i1 0 1i|F |) = sf|F|F
n,m s.t. sfn=sfm 1 1in (0 1im )L(Ad)
L(Ad) L ■
20
Closure: Complementation
Given a deterministic finite automata A, construct AC such that L(AC) = * \ L(A): Simply complement the set of accepting states.
For nondeterministic automaton: existential acceptance state complementation does not work.
Complementation of nondeterministic automaton: (1) determinize, (2) complement.
21
Büchi Complementation
Nondeterministic Büchi not closed to determinization algorithm doesn’t work.
Even for deterministic, a far from trivial task. Nevertheless, it can be shown that Büchi
automata (deterministic and nondeterministic) are closed to complementation.
Complexity: singly exponential with an almost linear exponent.
22
Automata Algorithms
An automaton is interesting if it defines an interesting language, i.e. , *.
A is nonempty if L(A) . A is nonuniversal if L(A) *. The nonemptyness problem: given A
decide whether A is nonempty easy! The nonuniversality problem: given A
decide whether A is nonuniversal hard!
23
Nonemptiness (1)
Finite state automaton: BFS to determine whether there exist sS0
and tF such that there is a path from s to t in the graph representation of A.
linear time
Guess sS0. Guess path from s to some tF.
NLOGSPACE-complete
24
Nonemptiness (2)
Büchi automaton: BFS to determine whether there exist sS0
and tF s.t. there is a path from s to t and from t to t in the graph representation of A.Can also be done using SCCs…
linear time Guess sS0. Guess path from s to some tF,
and then from t to itself. NLOGSPACE-complete
25
Nonuniversality (1)
Finite state automaton: Given A, nonuniversality of A is equivalent to
nonemptyness of AC. Complementation is exponential: exponential time PSPACE-complete
AC constructed “on the fly” Yields NPSPACE algorithm By Savitch: NPSPACE PSPACE
26
Nonuniversality (2)
Büchi automaton: As before, nonuniversality of A is equivalent
to nonemptyness of AC.
Complementation is exponential: exponential time PSPACE-complete
27
Break!
28
Recap
Nondeterministic Büchi automata Union linear Intersection linear Complementation exponential Determinization not always possible Emptyness linear time NLOGSPACE Universality exponential time PSPACE
29
Alternating Automaton (1)
Nondeterminism gives a computing device the power of existential choice.
It’s dual gives the power of universal choice.
Alternating automaton: a computing device which has both!
30
Alternating Automaton (2)
Given a set X, B+(X) is the set of positive boolean formulas over X with the addition of true and false.
Let Y X. Y satisfies a formula B+(X) if assigning true to Y and false to X \ Y satisfies . Denoted: Y
Examples: {s1,s3} (s1 s2) (s3 s4) {s1,s2} (s1 s2) (s3 s4)
31
Alternating Automaton (3)
The transition function of a nondeterministic automaton maps a state and input symbol to a set of possible next states. This set can be viewed as a disjunction of states.
Example: (s,a) = {s1,s3} s1 s3
An arbitrary formula from B+(S) can yield transitions combining existential (disjunction) and universal (conjunction) choice.
32
Alternating Automaton (4)
Example: assume the following transition:
(s,a) = (s1 s2) (s3 s4)
The automaton accepts a word aw from state s if it accepts w from s1 and from s3, or from s1 and s4 etc…
33
Alternating Automaton (5)
Alternating automaton:A = ,S,s0,,F
– finite alphabet S – finite set of states s0S – initial state F S – accepting states : S B+(S) – transition function
Note the unique initial state…
34
Alternating Automaton (6)
Universal choice run is a tree A tree is a (finite or infinite) DAG with a root (), s.t.
each inner node has a unique parent. The level of node x, denoted |x|, is its distance from
the root; || = 0. A branch =x0,x1,… is a maximal sequence s.t.
x0= and xi is the parent of xi+1 for all i>0. A -labeled tree is a pair (, T ) where is a tree and
T maps nodes to , i.e. assigns each node a label.
35
Alternating Automaton (7)
A run of A on a finite word w=a0 an-1 is a finite S-labeled tree r such that: r() = s0
|x| = i < n, r(x) = s and (s,ai) = x has k children x1,…,xk, for some k |S|, and {r(x1),…,r(xk)} .
A run tree is accepting if all nodes at depth n are labeled by states in F a branch in an accepting run must hit true or an accepting state after reading the input word w.
36
Example 4
A = {a,b},{s0,s1},s0,,{s0} (s0,a) = s0 s1
(s0,b ) = s0 s1
(s1,a) = s0
(s1,b ) = true
w1= abba … L(A)
w2= b … L(A)
37
Equivalence to NFSA (1)
Proposition: ANFSA there exists an alternating automaton Aa s.t. L(Aa) = L(A).
Proof: Aa = , S{s0}, s0, a, Fa a(s0,a) = tS0, t’(t,a)t’ a(s,a) = t(s,a)t
Note: Empty disjunctions in the definition of a are
taken to be false. Aa is equivalent in size to A.
38
Equivalence to NFSA (2)
Proposition: A is an alternating automaton there exists AnNFSA s.t. L(An) = L(A).
Proof: An = , 2S, {{s0}}, n, 2F
n(T,a) = {T ’ | T ’ tT (t,a)} Note:
Empty conjunctions in the definition of n are taken to be true.
An is exponential to A unavoidable!
40
Alternating Nonemptyness
We showed: Alternating automata can be converted to NFSA
(exponential). Nonemptyness for NFSA can be solved in linear
time and is NLOGSPACE-complete. Nonemptyness for alternating automata:
can be decided in exponential time is PSPACE-complete
41
Alternating Büchi Automaton
Similarly to FSA, an alternating automaton can also be viewed as an automaton on infinite words alternating Büchi automaton.
A run can now be a possibly infinite tree. An run is accepting if every infinite branch
includes infinitely many labels in F.
42
Equivalence to Büchi (1)
Proposition: A is a nondeterministic Büchi automaton there exists an alternating Büchi automaton Aa s.t. L(Aa) = L(A).
Proof: same as in finite case.
Note: Aa is equivalent in size to A.
43
Equivalence to Büchi (2)
Proposition: A is an alternating Büchi automaton there exists a nondeterministic Büchi automaton An s.t. L(An) = L(A).
Proof: more complex than the finite case. Need to make sure each branch hits an infinite number of accepting states. Distinguish between branches that hit an accepting state recently, and those that haven’t. Accepting state after all branches are in the “recent” group.
Note:An is exponential in size to A unavoidable!
44
Alt. Büchi Nonemptyness
We showed: Alternating Büchi automata can be converted to
nondeterministic Büchi automata (exponential). Nonemptyness for NBA can be solved in linear
time and is NLOGSPACE-complete. Nonemptyness for alternating Büchi
automata: can be decided in exponential time is PSPACE-complete
45
Linear Temporal Logic (LTL)
Base: Set Prop of atomic propositions
Closure: Boolean connectives: , Unary temporal connective: X (next) Binary temporal connective: U (until)
Abbreviations: F true U (eventually) G F (globally)
46
LTL Semantics (1)
LTL formulae are interpreted over infinite computations.
A computation is an infinite sequence 0,1,…
i Prop is the set of atomic propositions that hold in the i’th position of .
Denote the suffix i,i+1,… by i .
47
LTL Semantics (2)
indicates that holds in . The relation is inductively defined:
true and false p for pProp iff p0
iff and
iff X iff 1 1U2 iff k 0 s.t. k2 and i1 for all 0i<k.
48
LTL to Alternating Büchi (1)
Computations can also be view as infinite words over the alphabet 2Prop.
Goal: construct a finite automaton on infinite words such that the set of computations that satisfy the LTL formula is exactly the set of accepting runs.
We show a translation from LTL formulae to alternating Büchi automata.
49
LTL to Alternating Büchi (2)
Given an LTL formula , construct an alternating Büchi automaton as follows:
A = 2Prop,S,s0,,F S – all subformulas of and their negation
O(||) s0 – F – all formulas in S of the form (U)
Before we can define we need to define a new variation of duality…
50
LTL to Alternating Büchi (3)
Define: is obtained from by switching with , switching true with false and negating subformulas in S.
Example:p (q Xq) = p (q Xq)
51
LTL to Alternating Büchi (4)
We define inductively on the structure of : (p,a) = true if pa (p,a) = false if pa (,a) = (,a) (,a) (,a) = (,a) (X,a) = (U,a) = (,a) ((,a) U)
52
LTL to Alternating Büchi (5)
Note: infinite branches are labeled from some point on by either U or (U).
(U) fails from that point on indeed U fails at that point infinite branches labeled by (U) should indeed be valid.
U does not ensure that U holds at that point because there is no guarantee that will indeed hold in the future infinite branches labeled by U should not be valid.
53
Example 5
= (Xp)Uq A=2{p,q},S,,,{}
{p,q} {p} {q} true p true p false p false p Xp p p p pXp p p p p
p false false true true
p true true false false
q true false true false
q false true false true
54
LTL to Nondeterministic Büchi
We have shown: Alternating Büchi automata can be converted to
nondeterministic Büchi automata (exponential). Given an LTL formula , we can construct an
alternating Büchi automaton A s.t. |S| is O(||), and L(A) is the set of computations satisfying .
Given an LTL formula , we can construct a nondeterministic Büchi automaton A s.t. |S| is 2O(||), and L(A) is the set of computations satisfying .
55
Satisfiability
An LTL formula is satisfiable if there is some computation s.t. .
An unsatisfiable formula is an uninteresting specification.
Given : Construct A exponential in size of Check nonemptyness of A exponential time
and PSPACE-complete.
56
Validity
An LTL formula is valid if it is satisfied by every computation.
An valid formula is also an uninteresting specification.
Given : is valid iff is not satisfiable exponential
time and PSPACE-complete as well.
57
Verification (1)
A finite state program over a set of atomic propositions Prop is a structure of the form: P = W,w0,R,V W – a finite set of states w0W – the initial state R W2 is a total accessibility relation V : W 2Prop – truth value assignment for
propositions in each state. A program satisfies a specification iff all
computations satisfy the specification.
58
Verification (2)
A finite state program P can be viewed as a nondeterministic Büchi automaton AP = 2Prop,W,{w0},,W s’(s,a) iff (s,s’)R and a = V(s).
any infinite run is accepting. L(AP) is the set of computations of P.
59
Verification (3)
Given a FSP P and an LTL specification , the verification problem reduces to checking whether L(AP) L(A).
equivalent to L(AP)L(A) = . equivalent to L(AP)L(A) = . complexity of verification is:
NLOGSPACE in |P| PSPACE in | | O(|P| 2O(||)) time.
60
Summary
Nondeterministic Büchi AutomataAlternating AutomataLTL Alternating ND BüchiSatisfiabilityValidityVerification
✔✔
✔✔
✔✔