Thursday, May 30, 2013

CTL Model Checking

Fixed-point Theory

Complete Lattice

Complete lattice is a partially-ordered set which has join ($\cup$) and meet ($\cap$) operators. The former generates the least lower bound and the latter the greatest upper bound. The state space of a Kripke model forms a complete lattice under containment, i.e. $(2^S, \subseteq)$ is a complete lattice.

Monotonic Function

$F$ is monotonic if $\forall a < b$, $F(a) < F(b)$.

Tarski's Theorem

A monotonic function over a complete lattice has the least and the greatest fixed point.

Kleene's Theorem

The mentioned fixed points can be calculated this way. Assume $F$ is a monotonic function and $\cup$-continuous (increments), the least fixed point must be reached (this chain converges): $$\emptyset \subseteq F(\emptyset) \subseteq F(F(\emptyset)) \subseteq \ldots$$

Instead, if $F$ is $\cap$-continuous (decrements), the greatest fixed point is obtained by, $$S \supseteq F(S) \supseteq F(F(S)) \supseteq \ldots$$

Formula Rewriting

All CTL formulae can be rewritten in terms of $\neg, \wedge, \mathbf{EX}, \mathbf{EU}, \mathbf{EG}$ only.

  • $\mathbf{AG}\phi = \neg \mathbf{EF} \neg \phi$
  • $\mathbf{EF}\phi = \mathbf{E}(\top \mathbf{U} \phi)$
  • $\mathbf{A}(\phi_1 \mathbf{U} \phi_2 ) = \neg \mathbf{E}(\neg \phi_2 \mathbf{U} (\neg \phi_1 \wedge \neg \phi_2 )) \wedge \neg \mathbf{EG}\neg \phi_2$
  • $\mathbf{AX} \phi = \neg \mathbf{EX} \neg \phi$

Although irrelevant at this context, but it is worthy to note that $\mathbf{EG}\phi = \mathbf{E}(\bot \mathbf{R} \phi)$, this is to say $\phi$ is never released (has to be true forever).

Tableaux Rules

  • $\mathbf{EF}\phi = \phi \vee \mathbf{EXEF}\phi$
  • $\mathbf{EG}\phi = \phi \wedge \mathbf{EXEG}\phi$
  • $\mathbf{E}(\phi \mathbf{U} \psi) = \psi \vee (\phi \wedge \mathbf{EXE}(\phi \mathbf{U} \psi))$

Pre-Image

In CTL model checking, the calculating unit is a set of states that satisfy some formula $\phi$, noted as denotation $[\phi]$. Pre-Image maps the image (in the range) back to the domain (its pre-image). It is thus defined, $$\mathsf{PreImage}([\phi]) = \{s | \exists (s, s') \in R \wedge s' \in [\phi]\}$$

$\mathsf{PreImage}$ is a monotonic function over the complete lattice $(2^S, \subseteq)$, thus Kleene's theorem applies. Pre-Image matches the idea of $\mathbf{EX}$, i.e. $[\mathbf{EX}\phi]$ is the pre-image of $[\phi]$.

Fixed points for CTL Model Checking

According to tableaux rules, $\mathbf{EG}$, $\mathbf{EF}$, $\mathbf{EU}$s are written in the form of fixed points ($\nu$: greatest, $\mu$: least.).

  • $[\mathbf{EG}\phi] = \nu Z. ([\phi] \cap [\mathbf{EX}Z])$
  • $[\mathbf{EF}\phi] = \mu Z. ([\phi] \cup [\mathbf{EX}Z])$
  • $[\mathbf{E}(\phi \mathbf{U} \psi)] = \mu Z. ([\psi] \cup ([\phi] \cap [\mathbf{EX}Z]))$

So given a CTL formula $\phi$, after rewriting, we apply the set operations for negations (complement the set) and disjunctions (union), and fixed points for temporal formulas. We say $M \models \phi$ iff $I \subseteq [\phi]$.

Tuesday, May 28, 2013

On-the-fly Construct Büchi Automata for LTL formulae

The previous post introduced the declarative construction, which is exponential. For instance, the LGBA for $p \mathbf{U} q$ has 8 states. However, on-the-fly construction can build Büchi automata for linear size. Surely, distinct automata can express the same language (further, the LTL formula).

Negative Normal Form

First we write LTL formulas into their NNF equivalence, which is composed by $\vee, \wedge, \mathbf{X}, \mathbf{U}, \mathbf{R}$ only. Negations are pushed down to literals. Here we quote some rules,

  • $\neg \mathbf{X} \phi \Rightarrow \mathbf{X} \neg \phi$
  • $\neg ( \phi \mathbf{U} \psi ) \Rightarrow (\neg \phi \mathbf{R} \neg \psi) $
  • $\neg ( \phi \mathbf{R} \psi ) \Rightarrow (\neg \phi \mathbf{U} \neg \psi) $

Tableaux Expansion

  • $\phi \mathbf{U} \psi \Rightarrow \psi \vee (\phi \wedge \mathbf{X}(\phi \mathbf{U} \psi)) $
  • $\phi \mathbf{R} \psi \Rightarrow \psi \wedge (\phi \vee \mathbf{X}(\phi \mathbf{R} \psi)) $

Disjunctive Normal Form

With all formulas converted to the following form, each disjunct is a state.

$$\bigvee_i \bigg( \bigwedge_j I_{ij} \wedge \bigwedge_k \mathbf{X}\psi_{ik} \bigg)$$

Note $\bigwedge_j I_{ij}$ represents the labels, and $\bigwedge_k \mathbf{X}\psi_{ik}$ shows the transition. When the $\mathbf{X}$-formula is not present, we write $\mathbf{X} \top$.

Cover

A cover of a set of LTL formulas $\Psi= \{ \psi_1, \ldots, \psi_k \}$ calculates the set of initial states of Büchi automaton that represents $\bigwedge_i \psi_i$. A state is denoted as $\langle \lambda, \chi, \sigma \rangle$, which are the set of labels, the next formula, the set of subformulas of satisfied in $s$.

$$\mathsf{Cover}(\Psi) := \mathsf{Expand}(\Psi, \langle \emptyset, \emptyset, \emptyset \rangle)$$

Expand

We quote its definition. Assume $s=\langle \lambda, \chi, \sigma \rangle$, $l$ is a propositional literal, $\mathsf{Expand}(\Psi, s)=$

\begin{align*} \begin{cases} s & \Psi = \emptyset \\ \emptyset & \bot \in \Psi \\ \mathsf{Expand}(\Psi \backslash \top , s) & \top \in \Psi \\ \mathsf{Expand}(\Psi \backslash \{l\}, \langle \lambda \cup \{l\}, \chi, \sigma \cup \{l\} \rangle) & l \in \Psi \\ \mathsf{Expand}(\Psi \backslash \{\mathbf{X}\psi\}, \langle \lambda , \chi \cup \{ \psi \}, \sigma \cup \{\mathbf{X}\psi\} \rangle) & \mathbf{X}\psi \in \Psi \\ \mathsf{Expand}(\Psi \cup \{\psi_1, \psi_2\} \backslash \{\psi_1 \wedge \psi_2\}, \\ \quad \quad \quad \langle \lambda, \chi, \sigma \cup \{\psi_1 \wedge \psi_2\} \rangle) & \psi_1 \wedge \psi_2 \in \Psi \\ \mathsf{Expand}(\Psi \cup \{\psi_1\} \backslash \{\psi_1 \vee \psi_2\}, \\ \quad \quad \quad \langle \lambda, \chi, \sigma \cup \{\psi_1 \vee \psi_2\} \rangle) \cup \\ \mathsf{Expand}(\Psi \cup \{\psi_2\} \backslash \{\psi_1 \vee \psi_2\}, \\ \quad \quad \quad \langle \lambda, \chi, \sigma \cup \{\psi_1 \vee \psi_2\} \rangle) & \psi_1 \vee \psi_2 \in \Psi \\ \mathsf{Expand}(\Psi \cup \{\psi_1\} \backslash \{\psi_1 \mathbf{U} \psi_2\}, \\ \quad \quad \quad \langle \lambda, \chi \cup \{\psi_1 \mathbf{U} \psi_2\}, \sigma \cup \{\psi_1 \mathbf{U} \psi_2\} \rangle) \cup \\ \mathsf{Expand}(\Psi \cup \{\psi_2\} \backslash \{\psi_1 \mathbf{U} \psi_2\}, \\ \quad \quad \quad \langle \lambda, \chi, \sigma \cup \{\psi_1 \mathbf{U} \psi_2\} \rangle) & \psi_1 \mathbf{U} \psi_2 \in \Psi \\ \mathsf{Expand}(\Psi \cup \{\psi_2\} \backslash \{\psi_1 \mathbf{R} \psi_2\}, \\ \quad \quad \quad \langle \lambda, \chi \cup \{\psi_1 \mathbf{R} \psi_2\}, \sigma \cup \{\psi_1 \mathbf{U} \psi_2\} \rangle) \cup \\ \mathsf{Expand}(\Psi \cup \{\psi_1, \psi_2\} \backslash \{\psi_1 \mathbf{R} \psi_2\}, \\ \quad \quad \quad \langle \lambda, \chi, \sigma \cup \{\psi_1 \mathbf{R} \psi_2\} \rangle) & \psi_1 \mathbf{R} \psi_2 \in \Psi \end{cases} \end{align*}

Construct $A_\phi$

With the above operations defined, we construct the Büchi Automaton for an LTL formula. $A_\phi = (Q, Q_0 , \Sigma, L, T , FT)$, with $Q_0 = \mathsf{Cover}(\{\phi\})$, $Q$ is the smallest set such that $Q_0 \subseteq Q$, also if $\langle \lambda, \chi, \sigma \rangle \in Q$, then $\mathsf{Cover}(\{\chi\}) \in Q$, the labeling function $L(s) = \{a \in \Sigma | a \models \lambda \}$, transition relation $T = \{(s,s') | s = \langle \lambda, \chi, \sigma \rangle \wedge s' \in \mathsf{Cover}(\{\chi\}) \}$, the fairness conditions $FT = \{F_1, \ldots, F_n\}$, where $F_i = \{s \in Q | \phi_i \mathbf{U} \psi_i \notin \sigma \vee \psi_i \in \sigma \}$.

Examples

Here we present the Büchi Automata built from the stated method.

Fig 1. NBA of $\mathbf{FG}p$

Fig 2. NBA of $p \mathbf{U} q$

References

  1. R. Sebastiani, Automata-theoretic LTL Model Checking, slides on Formal Methods, 2012
  2. Wikipedia, Linear temporal logic to Buchi Automaton, http://en.wikipedia.org/wiki/Linear_temporal_logic_to_Büchi_automaton

Appendix

The following is a copy of original copyright notice of slides which this article is quoting.

Copyright notice: some material (text, figures) displayed in these slides is courtesy of M. Benerecetti, A. Cimatti, P. Pandya, M. Pistore, M. Roveri, and S.Tonetta, who detain its copyright. Some exampes displayed in these slides are taken from [Clarke, Grunberg & Peled, “Model Checking”, MIT Press], and their copyright is detained by the authors. All the other material is copyrighted by Roberto Sebastiani. Every commercial use of this material is strictly forbidden by the copyright laws without the authorization of the authors. No copy of these slides can be displayed in public without containing this copyright notice.

Monday, May 27, 2013

Translate LTL formulae into Büchi Automata

LTL formulae are translated in Labelled Generalized Büchi Automata (LGBA), where labels are moved into states. See a previous post (link).

$\omega$-automaton, $\omega$-word, $\omega$-language

An $\omega$-automaton is an automaton which accepts infinite inputs. Büchi Automata are a typical example. An $\omega$-word is an accepting run on an $\omega$-automaton, the set of all $\omega$-words accepted (defined) by an $\omega$-automaton is called an $\omega$-language.

The alphabet of a language is denoted as $\Sigma$, the set of all $\omega$-words composed by symbols in $\Sigma$ is denoted as $\Sigma^{\omega}$. A language recognizable (accepted) by an automaton $A$ is written $L(A)$. Usually we only work in automata that have $L(A) \subset \Sigma^{\omega}$.

$\omega$-regular

Recall that regular languages can be recognized by NFAs/DFAs (equivalent). It can also be generated by regular grammar (left linear or right linear, but not mixed).

A language is called $\omega$-regular when it is represented as $$\bigcup_{i=1}^n U_i(V_i)^{\omega}$$

we require that $U_i$, $V_i$ be regular languages. $L$ is $\omega$-regular iff it can be recognized by Nondeterministic Büchi Automata. The $\omega$-regular languages are closed under complementation (useful for constructing $A_{\neg\phi}$).

Closures

The closure of an LTL formula is intended to calculate its components (including their negations). For instance, a closure set of $p\mathbf{U}q$ is $$\{p, q, p\mathbf{U}q, \mathbf{X}(p\mathbf{U}q), \neg p, \neg q, \neg (p\mathbf{U}q), \neg (\mathbf{X}(p\mathbf{U}q))\}$$

Atoms

An atom $A$ is called a maximal consistent subset of the closure set. First we remove negations. In order to be consistent (agree on assignments), we should have $p,q \in A$ when we have $p \wedge q \in A$. Similarly, when we have $p\mathbf{U}q \in A$, we require either $q \in A$ or $\{p \in A, \mathbf{X}(p\mathbf{U}q)\} \subset A$.

LTL to LGBA

$A_{\phi} = (Q, Q_0, \Sigma, L, T, FT)$, respectively, the set of states Q is the the set of all atoms of $\phi$, the set of initial states $Q_0$ are the atoms where $\phi$ is included, $\Sigma$ is the power set of all free variables in $\phi$, namely the alphabet, labeling function $L$ maps a state to the set of free variables appeared in that state, transition relation is built from $\mathbf{X}$-formulas, say $(\mathbf{X}\psi, \psi) \in T$, $FT$ is a set of fair conditions $\{F_1, \ldots, F_n \}$, where $$F_i = \{ s \text{ is an atom} | \psi \mathbf{U} \phi \in s \vee \phi \in s \}$$

The above is on the condition that $\psi \mathbf{U} \phi$ appears positively in $\phi$. (see Polarity)

Example

One can calculate the atoms of $p \mathbf{U} q$ and other parameters by the stated method, thus its Büchi automaton.

Fig 1. $A_{p \mathbf{U} q}$ constructed by definition

On-the-fly Construction

The above construction is called declarative construction, though an alternative is present, considering its volume, it is to be introduced in another post.

References

  1. R. Sebastiani, Automata-theoretic LTL Model Checking, slides on Formal Methods, 2012
  2. Wikipedia, ω-automaton, https://en.wikipedia.org/wiki/Ω-automaton
  3. Wikipedia, Linear temporal logic to Buchi Automaton, http://en.wikipedia.org/wiki/Linear_temporal_logic_to_Büchi_automaton

Appendix

The following is a copy of original copyright notice of slides which this article is quoting.

Copyright notice: some material (text, figures) displayed in these slides is courtesy of M. Benerecetti, A. Cimatti, P. Pandya, M. Pistore, M. Roveri, and S.Tonetta, who detain its copyright. Some exampes displayed in these slides are taken from [Clarke, Grunberg & Peled, “Model Checking”, MIT Press], and their copyright is detained by the authors. All the other material is copyrighted by Roberto Sebastiani. Every commercial use of this material is strictly forbidden by the copyright laws without the authorization of the authors. No copy of these slides can be displayed in public without containing this copyright notice.

Sunday, May 26, 2013

LTL Model Checking - The Automata Approach

Let $M$ be a Kripke model, and $\psi$ be an LTL formula. The model checking problem is whether $$M \models \psi$$

It is rephrased in the manner of Büchi automaton for automatic reasoning. We express both the model and the formula in Büchi automata ($A_M$, $A_\psi$), then the model checking problem is to check whether the language of $A_M$ is contained by the language of $A_\psi$, that is, $\mathcal{L}(A_M) \subseteq \mathcal{L}(A_{\psi})$. In other words, whatever $A_M$ expresses is well captured in $A_\psi$. Further, if we negate $\psi$, then the containment becomes emptiness checking. i.e. $$\mathcal{L}(A_M) \cap \mathcal{L}(A_{\neg\psi}) = \varnothing$$

Büchi Automata

Unlike NFA/DFAs, Büchi automata have infinite words (aka. $\omega$-words). The "final" states are a set of accepting states, where a loop exists. A run on automata is an infinite execution of automaton, e.g., say the alphabet is $\Sigma = \{a,b\}$, $F=\{b\}$, a legal run can be $\rho = abbbbbb\cdots$.

Like NFA, Non-deterministic Büchi automata (NBA) have transition relations $\delta : Q \rightarrow Q $ as partial ($Q$ is the set of states), while the deterministic one total. But the subset construction from NFA to DFA doesn't apply here.

Compute $A_M$

Given a Kripke model $M$, we add an initial state, and move labels from states to incoming edges, every state becomes an accepting state. The fair version is to change the accepting states only to fair states.

Labelled Generalized Büchi Automata

We need to move the labels of Büchi Automata into states. LGBA features a set of fair conditions $FT = \{F_1, ..., F_k \}$, an accepting run must concord with all fair conditions. Formally, $$\forall i . \mathsf{inf}(\rho) \cap F_i \neq \varnothing$$ where $\mathsf{inf}$ calculates the accepting states of the run $\rho$, $F_i \subseteq Q$. Further, an LGBA has a set of initial states rather than only one in BA.

Translate LTL formulas into LGBA

This part is relatively big and it will be introduced in another post.

Synchronous Product of NBAs

Compared to synchronous product of NFAs, NBAs' product employs a tag $(1,2)$ specifying on which NBA it is running. The synchronous product is used to calculate the language intersection, $$\mathcal{L}(A_1 \times A_2) = \mathcal{L} (A_1) \cap \mathcal{L} (A_2)$$

Initial state of the product, $I = I_1 \times I_2 \times \{ 1 \}$, accepting states $F = F_1 \times Q_2 \times \{ 1 \}$, transition relations are defined such that a run on track 1 ends at one of its accepting states $F_1$, then moves on to track 2 until meeting some state in $F_2$, then it switches back. The product has such initial states and finite states to ensure that an infinite run of the product automaton must infinitely run on both $A_1$ and $A_2$.

Complement Büchi automata

The complementation involves conversion to Rabin automaton. This is to construct $A_{\neg\phi}$.

Emptiness Checking - Double nested DFS algorithm

The problem can be addressed as searching an accepting cycle reachable from an initial state. Double nested DFS algorithm employs two Hash tables, two stacks and two nested DFS routines. The following is routine 1,

DFS1(NBA A) {
  stack S1=I; stack S2=∅;
  Hashtable T1=I; Hashtable T2=∅;
  while (S1!=∅) {
    v=top(S1);
    if ∃w s.t. w∈ δ(v) && T1(w)==0 {
      hash(w,T1);
      push(w,S1);
    } else {
      pop(S1);
      if v∈F DFS2(v,S2,T2,A);
    }
  }
  return EMPTY;
}

The following is routine 2,

DFS2(state f, stack S, Hashtable T, NBA A) {
  hash(f,T);
  push(f,S);
  while (S!=∅) {
    v=top(S);
    if f∈ δ(v) return NOT_EMPTY;
    if ∃w s.t. w∈ δ(v) && T(w)==0 {
      hash(w);
      push(w);
    } else pop(S);
  }
}

DFS1 starts with the initial state, hashes each state on the path when visiting it for the first time. It invokes DFS2 when no more moves are possible and the top of stack is an accepting state. DFS2 tries to search a loop starting from this accepting state and going back to itself. When such a loop is found, it means $A$ is not empty, and the path is a combination of stack 1 and stack 2.

References

  1. R. Sebastiani, Automata-theoretic LTL Model Checking, slides on Formal Methods, 2012

Appendix

The following is a copy of original copyright notice of slides which this article is quoting.

Copyright notice: some material (text, figures) displayed in these slides is courtesy of M. Benerecetti, A. Cimatti, P. Pandya, M. Pistore, M. Roveri, and S.Tonetta, who detain its copyright. Some exampes displayed in these slides are taken from [Clarke, Grunberg & Peled, “Model Checking”, MIT Press], and their copyright is detained by the authors. All the other material is copyrighted by Roberto Sebastiani. Every commercial use of this material is strictly forbidden by the copyright laws without the authorization of the authors. No copy of these slides can be displayed in public without containing this copyright notice.

Friday, May 24, 2013

Install terminal and gcc on Android

Always read instructions carefully.

- #1 note on a survival manual, Yann Martel Life of Pi

On Android, everything is an app.

- mzt

Shell for Android is an app too. Install Terminal IDE (210MB) from the app store. Yes, this is not built-in, not default, also with limited use: vi, javac, gcc, git, ssh etc. It runs without root permission. After the installation, switch on its ugly but complete keyboard to get the full function use.

Install gcc

Under Terminal IDE, gcc is paralleled by terminal-gcc, which is not installed by default (due to the volume of gcc). If you go to help file from its main menu, you will see a series of tutorials explaining how to start making the best use of it. Here I just quote the part on gcc. On any of its terminal window (there are 4),

# cat `which install_gcc`
# install_gcc

After installation, use the following command to compile,

# terminal-gcc foo.c -o foo.o

Thursday, May 23, 2013

Bounded Model Checking Encoding

See appendix for credits.

Bounded Model Checking (BMC) is a SAT-based technique, distinguished from symbolic model checking. It converts model checking problem into satisfiability problem. BMC tends to look for counter-examples by progressively increasing an integer bound, which is the number of steps in a path. Yes, once you verified there are no counter-examples within the bound $k$, it doesn't prove $M \models f$ at all. BMC is useful in troubleshooting, to capture the flaws in the model design.

The bridge

Given a Kripke model $M$, a LTL formula $f$ and a bound $k$,

$M \models_k \mathbf{E}f$ iff ⟦$M$,$f$⟧$_k$ is satisfiable.

$\models_k$ means the property is verified in the path of $k$ steps. ⟦$M$,$f$⟧$_k$ is defined as follows,

Fig. 1 The encoding of ⟦$M$,$f$⟧$_k$ in BMC

(1) divides the denotion into the model part (2) and the property part (3). (2) shows the execution of $M$ in $k$ steps, by providing the initial state ($s_0$ is a vector of boolean variables that are assigned in such state) and transition relations of each step. (3) also consists of two portions that disjunct. The first portion says there are no loops at $s_k$ to all former states (negation of transition relation from $s_k$ to $s_{k-1}$,..., $s_0$). The second one is with loops.

Fig. 2 The paths with and without loop

We do need to separate the encodings (i.e. ⟦$f$⟧$^i_k$, $_l$⟦$f$⟧$^i_k$). For instance, only the finite path carrying a loop can verify the properties like $\mathbf{G}p$. We need to describe properties in different manner according to the existence of a loop. Here is the formal chart,

Fig. 3 ⟦$f$⟧$^i_k$ and $_l$⟦$f$⟧$^i_k$ unfolded alongside their LTL correspondence

The above is a recursive definition. The indices $i$, $k$, $l$ say respectively the current state, the integer bound, the loop point (there is an edge from $s_k$ back to $s_l$). The base case $p$, an atom, matches $p_i$ which is the assignment of $p$ at the state $s_i$. The negation is thereby defined. The loop doesn't matter for these two since we only consider an atom in the current state. The disjunction and conjunction are defined recursively. Before going further, we shall see this figure,

Fig. 4 The loop case

$\mathbf{X}g$ parallels a conditional branch definition. In the loop-less case, when $i < k$, the current state is before the bound state, then there is a next state for $s_i$. Otherwise false. Similar in the loop case, but when $i = k$, since there is a loop from $s_k$ to $s_l$, the next state exists. Think there is no $i > k$, when it loops back, $k+1$ becomes $l$, so everything is still within the bound $k$.

$\mathbf{G}g$ is simply false in the loop-less case, always UNSAT. If there is a loop, we need to make sure every state (hence as a big conjunction) with in the loop verifies $g$ and also the relays from the current state $s_i$ to the loop point $s_l$ in case of $i < l$.

$\mathbf{F}g$ is straight-forward, regarding the fact that we'd like at least one $g$ on such path (both loop-less and with loop), so a big disjunction is used.

Recall that $h \mathbf{U} g$ means $h$ remains true till $g$ becomes true. So in the loop-less case, it compares to the disjunction (satisfiable at least one of the components is true) of all possible captures, e.g., $g_i$, $h_ig_{i+1}$, $h_ih_{i+1}g_{i+2}$, ..., etc. Similar for $h \mathbf{R} g$, which says the advent of the truth of $h$ releases $g$ from being always true. That said, $g$ wasn't free (being true always) before $h$ gets its truth.

The situation becomes much more complex in the loop case for these two. If $i < l$, then it gets the part similar to the loop-less one, $$ \bigvee_{j=i}^k \bigg( {}_l\llbracket \; g \; \lrbracket_k^j \wedge \bigwedge_{n=i}^{j-1} {}_l \llbracket \; h \; \lrbracket ^n_k \bigg)$$ It is accompanied by the case that $i > l$, the idea is the property shall be verified from $s_i$ to $s_k$, then from $s_l$ to $s_{i-1}$ since there is loop $(s_k, s_l)$. So we have, $$ \bigvee_{j=l}^{i-1} \bigg( {}_l\llbracket \; g \; \lrbracket_k^j \wedge \bigwedge_{n=i}^{k} {}_l \llbracket \; h \; \lrbracket ^n_k \wedge \bigwedge_{n=l}^{j-1} {}_l\llbracket \; h \; \lrbracket_k^n \bigg)$$

The last one can be accordingly rendered.

References

  • R. Sebastiani, SAT-based Bounded Model Checking, slides on Formal Methods, 2012, link
  • A. Biere et al, Bounded Model Checking, Vol. 58, Advances in Computers, 2003, pdf

Appendix

The following is a copy of original copyright notice of slides where the images here were taken.

Copyright notice: some material (text, figures) displayed in these slides is courtesy of M. Benerecetti, A. Cimatti, P. Pandya, M. Pistore, M. Roveri, and S.Tonetta, who detain its copyright. Some exampes displayed in these slides are taken from [Clarke, Grunberg & Peled, “Model Checking”, MIT Press], and their copyright is detained by the authors. All the other material is copyrighted by Roberto Sebastiani. Every commercial use of this material is strictly forbidden by the copyright laws without the authorization of the authors. No copy of these slides can be displayed in public without containing this copyright notice.

Tuesday, May 21, 2013

Conflict-Driven Backtracking and Clause-Learning

See appendix for credits.

Conflict-Driven backtracking is a huge advancement to the classical chronological backtracking applied to the DPLL algorithm. It solves the Boolean formulas with about $10^7$ variables.

State of the art

The idea was to learn from error. When we see a conflict, we find the cause (building a conflict set), and we go back to the decision point where we could do it differently if we have had known this conflict set. It seems hard to catch for a machine. However, it is operable through the following algorithm. This is the most advanced modern approach in many SAT solvers.

Deciphering the myth

Data structure: stack partitioned into decision levels. Each level comprises of a decision literal and its implied literals (unit-propagated). Every implied literal is tagged with the clause causing its unit propagation (aka. antecedent clause).

One level in the stack can be depicted by an implication graph, where there are nodes and edges. A node without edges means a decision literal , because an edge is are marked with the antecedent clause of the literal. E.g.,

Fig. 1 An Implication Graph (Shown on Right)

Building the conflict set

It has two steps,

1. C := conflicting clause
2. repeat {
      C <- resolve C with the antecedent clause of the last
      unit-propagated literal in C
}
until { C verifies some termination criteria }

Well, we wonder what this "resolve" mean, it is a disjunction but removing $A_i \vee \neg A_i$ since they become true. Resolution is a rule saying two input clauses entails the output clause (aka. resolvent). For a detailed discussion, see Resolution (logic). By performing this, the unit propagation is undone. What about some termination criteria? Here comes the magic.

1st UIP

It means First Unique Implication Point, this is the state-of-the-art strategy. It is the first point where we find only one literal of current decision level in C. For instance (built from the same example above),

Fig. 2 Conflict set construction

Upon this, we build the conflict set: $\{ \neg A_{10} , \neg A_{11} , A_4 \}$, and "learn" (add) a new clause $c_{10} := A_{10} ∨ A_{11} ∨ \neg A_4$. Now that we reached the conflict, also we know these $\neg A_{10}$, $\neg A_{11}$ can not survive with $A_4$, so we backtrack to $\neg A_{11}$, and right there we assign $\neg A_4$. Yes, we cut off all paths to $A_4$ from that point on. We would never fall into this conflict set again (we learned from the error).

Drawbacks and a solution

We saved all these learned clauses, on a larger scale ($10^7+$), we can reach an exhaustion of space. The solution is to keep only the active ones, i.e. the ones showed up (on the edges of implication graph) in the current decision level.

Fig. 3 The breath-taking jump


Appendix

The following is a copy of original copyright notice of slides where the images here were taken.

Copyright notice: some material (text, figures) displayed in these slides is courtesy of M. Benerecetti, A. Cimatti, P. Pandya, M. Pistore, M. Roveri, and S.Tonetta, who detain its copyright. Some exampes displayed in these slides are taken from [Clarke, Grunberg & Peled, “Model Checking”, MIT Press], and their copyright is detained by the authors. All the other material is copyrighted by Roberto Sebastiani. Every commercial use of this material is strictly forbidden by the copyright laws without the authorization of the authors. No copy of these slides can be displayed in public without containing this copyright notice.

Monday, May 20, 2013

Classical Chronological Backtracking

See appendix for credits.

Chronological backtracking is an improvement for the DPLL algorithm backtracking. It can provide multiple jumps back to the assignment tree, while DPLL when there is a conflict, it simply flips the last assigned literal (thus one step).

The idea

There are two types of assignment, one is binary decision, the other is unit propagation, which is implied by the decisions. So when we reach a conflict, we jump back to the binary decision point, omitting all the implied assignment caused by that decision.

Implementation

Assignments are stored in a stack with tags: unit, open, closed. They respectively mean unit-propagation, first try (chances are still there, thus open), second try (no more chances on this literal). When a conflict is met, we pop the stack till the most recent open assignment and toggle it into closed, and continues the search.

Example

The background is a CNF SAT problem. The presented is part of its assignment tree. Red literals are already assigned. We make a binary decision (true) on $A_1$, leading the clauses $c_7$, $c_8$ be satisfied.

Fig. 1

As a consequence, $A_2, A_3, A_4, A_5, A_6$ are unit-propagated in order. But then $c_6$ would be false, reaching a conflict. Hence due to chronological backtracking idea, we remove all these new assignments since $A_1$, and push $\neg A_1$ to the stack.

Fig. 2


Appendix

The following is a copy of original copyright notice of slides where the images here were taken.

Copyright notice: some material (text, figures) displayed in these slides is courtesy of M. Benerecetti, A. Cimatti, P. Pandya, M. Pistore, M. Roveri, and S.Tonetta, who detain its copyright. Some exampes displayed in these slides are taken from [Clarke, Grunberg & Peled, “Model Checking”, MIT Press], and their copyright is detained by the authors. All the other material is copyrighted by Roberto Sebastiani. Every commercial use of this material is strictly forbidden by the copyright laws without the authorization of the authors. No copy of these slides can be displayed in public without containing this copyright notice.

Sunday, May 19, 2013

Tube view on Web Backgrounding

A single color is the simplest choice, but choosing a color is not simple. Pure white background or black might be mediocre. It can't be too bright, because it is subsidiary as the name indicates.

Not So White

If we go to ubuntu.com, press ctrl+shift+I (Chrome), navigate to body tag, here it might be

background: #fff url("/sites/ubuntu/latest/u/img/patterns/body_bg.jpg");

If you examine clearly (tilt your screen), body_bg.jpg is not a pure white image, otherwise it would be here. Yep, it is a seamless background image with patterns on it.

credit: ubuntu.com

Under Ubuntu, one may turn to GIMP for such mission (link). An excerpt is to use Filters > Map > Make Seamless, you can test it under Filters > Map > Tile in a bigger canvas (e.g., double-sized). Remind that the seamless background images come in squares so that they can be easily tiled.

Stripes

credit: ibelieveinadv.com

A 1px stripe is not alluring, but the arrangement of many of them might. See this website for instance (link), it uses

background: #2f2f2f url("http://www.ibelieveinadv.com/commons/stripes.gif");

By default, a background-image is repeated (tiled) both vertically and horizontally.

When backgrounds become content

Indeed, the role of images of large resolution seems blurred, but the effect won't. See worldwildlife.org (link), but the technologies behind should be applied too (Large Images in Rails). A full-size illustration may make your site cuter (link).

More is to come...

Wednesday, May 15, 2013

Anatomy of A Periodic Program

The program body is here,

http://disi.unitn.it/~abeni/RTOS/periodic-1.c

First to mention that a periodic program is that it is activated periodically, i.e. the program wakes up periodically (it is ready for execution). Under Linux kernel, you could trace such wake up events (sched_wake_up) through ftrace. The sample program uses a real-time timer ITIMER_REAL to create periodic interrupts. The timer is set initially 2000000 us (=2s) and thence 5000us (5ms).

start_periodic_timer(2000000, 5000);

In further detail, that is

signal(SIGALRM, sighand);

Notice that sighand is the name of the call-back function. Whenever there a SIGALRM fires within the program, the function sighand is called. Though in the example it is a do-nothing function. The signal function registers sighand as the call-back, but it doesn't execute it.

The following does the job to set periods and the first round offset (this is to ensure the periodicity since we are still initializing the timer before the real periodic part comes). The timer ITIMER_REAL fires the signal SIGALRM when the timer count decreases to zero (expires), as a consequence, signal goes executed.

setitimer(ITIMER_REAL, &t, NULL);

So there are periodic interrupts on which a futile function is run (whence the program wakes up). The following infinite loop does sleeping till the signal is fired (pause()), then an in-genuine job_body() is under way. The job body function is "controlled" within 5ms such that all interrupt signals are captured on-time.

    while(1) {
        wait_next_activation();
        job_body();
    }

Conclusion

An implementation of periodic programs follows this pattern,

void *PeriodicTask(void *arg)
{
    <initialization>;
    <start periodic timer, period = T>;
    while (cond) {
        <read sensors>;
        <update outputs>;
        <update state variables>;
        <wait next activation>;
    }
}

Thursday, May 9, 2013

Region Automata and Zone Automata

As a sequel of a previous article on timed automaton (link), here we introduce its computational models.

1. Region

Why region automata? Timed automata have infinite state space (time be divided into infinite pieces), region automata give a finite partition of timed automata such that the computation becomes possible.

Intuition A region is a set of equivalent states. The partition divides the state space into different equivalent classes (regions).

Temporal constraint given by this grammar $\phi := x > c | x < c | x = c | \phi \wedge \phi$, $c$ must be an integer constant (to ensure non-zenoness)

Equivalent class The set of states which satisfies the same set of temporal constraints.

Region equivalence states are equivalent due to being in the same region, they are either within the integer grid, on the $x=c$ or $y=c$ axes, or above/below the diagonal of the integer grid. (see Figure 1.)

Fig 1. Regions as equivalent classes

Remind that largest constant relevant $c$ is actually the ceiling of $x_i$, i.e. $c = \lceil x_i \rceil$. Figure 2 is an example of partitions (regions) of the state space of a timed automaton. Not only are those shadowed areas regions, but also segments of lines (they usually are a result of clock resetting).

Fig 2. Regions on a 2-clock timed automaton

A further example Figure 3 shows the region representation of a simple timed automaton. Location $F$ is shadowed since it may loop forever, a bad design (livelock).

Fig 3. Timed automaton represented in regions

Time-abstract bisimulation If $w \simeq v$, $w,v \in l$, 1) after action $a$, $w'$ is in the region of location $l'$, so is $v'$; 2) $\forall d \exists d' . w+d \simeq v+d'$. They are respectively the transition on action and the transition on delay.

Region equivalence relation is a time-abstract bisimulation ($\simeq$).

Region reset The clock for all equivalent states is reset, hence the operation projects the whole region onto the clock axis (i.e. a line of shadow).

2. Zone

Why zone automata? Regions are still too many, we can force them collapse into unions of regions, where the unions are convex, i.e. no angles are larger than 180 degrees.

Zone Zones are so-called symbolic state (conjunction of regions). Formally, $Z = (s, \varphi)$, that is to start from a location (state) $s$ in a timed automaton, we make a conjunction of regions specified by temporal constraint $\varphi$.

Zone automaton A transition system for zones. Formally, $Z = (Q, Q^0, \Sigma, R)$, set of zones, initial zone, set of transition labels, transition relation.

Symbolic transition It may involve operations such as intersection (conjuncts), delay (stretches diagonally as x,y propagate in time simultaneously), reset (projects a shadow on the time axis). For a zone $Z = (s, \varphi)$, the transition is denoted as $\mathsf{succ}(\varphi, e)$, where $e$ is the label of switch. When $e$ is executed, $Z$ propagates by time till the time constraint $\varphi$ is met. The action is thus invoked. Proceed with a reset if it is needed.

Fig 4. Transitions on Zone Automaton

Figure 4 showed a symbolic transition from location n to m, i.e. $(n, 1 \leqslant x \leqslant 4, 1 \leqslant y \leqslant 3) \rightarrow (m, x>3,y=0)$

References

  1. R. Sebastiani, Timed and Hybrid Systems: Formal Modeling and Verification, slides of Formal Methods course, 2012, link

Appendix

The most of this post is heavily extracted from the RS's teaching slides, hence I don't claim the copyright. The character of this post is intended to be a note, with marginal and personal remarks. For those who need to respect the source, please refer the link in the references.

Wednesday, May 8, 2013

A Glimpse of Timed Automata

Terms

Timed Automaton Intuitively, an automaton with clocks, the transitions from state to state are constrained by time. Formally, $A = (L, L^0, \Sigma, X, I, E)$, respectively the set of locations (states), the set of initial locations, labels, clocks, invariants, the set of edges (transitions) $$E = \{ (s, a, \varphi, \lambda, s') | s,s' \in L, a \in \Sigma, \varphi \text{:clock constraints}, \lambda \subseteq X \}$$

Clock a stopwatch in this context, i.e. clocks are to measure the elapsed time, it can be reset.

Guard Boolean comparison between the clock and some integer value, serves as a constraint for the switch from one location to another

Action the label of transition, used to synchronize actions among several timed automata

Reset set the clock to time 0 and meanwhile the clock starts ticking again

Invariant a time constraint residing inside the state which must be respected when staying within such state, otherwise, it must move out.

Deadlock cases are, there are no more allowed moves (due to bad design of automata).

Example

We quote an automaton from this slide [1],

Figure 1. An Example Timed Automaton

  • $s_i$'s are state labels
  • two clocks present $x$, $y$
  • after action $a$, it can only stay in $s_1$ for no more than $1$ time unit
  • action $d$ can occur only when clock $y$ reads more than $2$ (due to the guard $y>2$)

References

  1. R. Sebastiani, Timed and Hybrid Systems: Formal Modeling and Verification, slides of Formal Methods course, 2012

Sunday, May 5, 2013

Life of Me

So it comes to this moment that I shall write what a true blogger practices. Not those lifeless pieces of knowledge, not wild copies of diffused computer techniques, or minute excerpts or backup discoveries. After all, after hunting after the ocean of webpages to obtain a very portion of nutrition, one wonders about the behind scenes and how the world bloggers think. Simply, a real person to talk with, on the somewhat crossed paths, or even colleagues of the same kind. You know, the laws of attraction.

The prime purpose of this blog was nothing but put aside some tricks that I came across so that later on I can easily find them. So why this turn? Why didn't I write these lines from the very beginning?

Well, I tried, in my second mother tongue. I was a pride self-assumed writer. I have jotted down many of my own guts, most of them obscure and in an archaic style so that no one except those who know me well could bother reading. My journalist-to-be brother definitely attempted to seek a way to understand me, being elder made him fraternal and faster-matured. We had a geographic segregation since every of us had departed to different universities, his in northwest and mine northeast. The span was the width of China. My mother tongue is a Long dialect. And I quickly mastered Mandarin with the spicy of northeastern accent while I stayed four years in the college. I admit that I have quite a talent of mimicking sounds, but not so much on memory. I was terrified to force myself to remember at grade two. We were asked to recite a short paragraph, only three lines. I had fought so hard but I could not manage. Nonetheless, I grew up, with a rather noteworthy fame at the place. During my university period, I observed and struggled, sought and sighed, alone. We met a few times, each time ended up arguing until both were tired. There was a lack of perception. We are seemingly divided by fate. It lasted until today and I have moved to Europe while he becomes a real news reporter. We haven't talked in depth, only some family greetings. There have not been acknowledgeable comments of my writings. My perplexed groaning was like a grain dropped into a pond. Until one day I was provoked to take off everything from my first blog. The blog host set one post as hidden. I thus wrote a python snippet to scrape out my fruits. My major is Informatics, not to brag. To write a piece of running code you need aches as the same when I construe the very picture in my head and put them into readable words. They do take time more than you could plan. I am still on this steep rising learning curve. I had a plea to terminate the amateur author life. Being in a prestigious European university and studying science you could just accord that writing is too much a luxurious leisure. The reality smashed in my face saying nothing is necessary but survival. Music is just in the background to sooth you in hardship. Parties belong to the drinking dudes. News is all of a manipulation of public thought. Religion, a salvation when you have lost your secular hope and become desperate. Talent for languages in such a multilingual context, a not-so-relevant skill to have for decoding the mystery of mathematics, to mention, Computability and Computational Complexity etc. To speak of truth, right now I am into this far-reaching nearby leisure again. Then why?

To solve this, I need to tell more of my latest deviation from the thesis work. I have taken my liberty to taste the whole of Yann's Life of Pi, so the Ang Lee's film. Shall we put this page down at our feet, and scream we are back?! We will see. I had meant to write a comment of Pi, but what do you see?

Abstraction in Model Checking

Finite Transition System $M = (S, I, R, L)$, respectively the set of states, the set of initial states, the set of transition relations, labels. Simply put, a computational model, similar to Finite State Machine.

Which Computation? Well, model checking. $M \models \varphi$

Why abstraction? Too many states to compute and the abstraction reduces the number of states.

Why abstraction works? The existential-quantified properties (ECTL) are preserved after the abstraction ($M$ simulates $M'$, i.e., $M$ has whatever $M'$ has), that is, $M' \models \varphi \rightarrow M \models \varphi$. (But not vice versa!)

Now let's go to terms.

Abstraction function $h: S \rightarrow S'$

Simulation $M$ simulates $M'$ when each transition of $M'$ has a corresponding one in $M$. The simulation is the set of pairs of states $p \subseteq \{ (s,s') | s \in S, s' \in S' \}$ that records such behavior. It is the set denotation of the abstract function $h$.

Bisimulation The simulation applies on both sides. According to property preservation, $M \models \varphi \rightarrow M' \models \varphi$. As a consequence, $M \not \models \varphi \rightarrow M' \not \models \varphi$, otherwise we reach a contradiction.

$M$ simulates $M'$, plainly put, $M$ is an abstraction (simulation) from $M'$.

What about universal-quantified properties? (in LTL or ACTL) They are preserved when $M'$ simulates $M$. That is, $$M' \models \varphi \rightarrow M \models \varphi$$ Yes, same conclusion but different condition. Still, the reverse doesn't hold.

Exercise

Credit: ~rseba, disi.unitn.it

If we draw a relation $p = \{(S_{ij}, T_i) | \text{for all possible } i,j \}$, we see (with effort) that $p$ is a simulation from $M$ to $M'$ (i.e. $M'$ simulates $M$). Verify it by the rigorous definition, if $(S_{11}, T_1) \in p$, $(S_{11}, S_{12}) \in R_M$, $\exists (T_1, T_1) \in R_{M'}$ s.t. $(S_{12}, T_1) \in p$. So are the rest transition relations of $M$. Hence, the universal-quantified property preservation applies. e.g. if $\varphi$ is pure boolean, $$M' \models \mathbf{AG} \varphi \rightarrow M \models \mathbf{AG} \varphi$$

To note that the reverse doesn't hold. For instance, $(S_{13}, T_1) \in p$, $(T_1, T_1) \in R_{M'}$, $\forall j. \nexists (S_{13},S_{1j}) \in R_{M}$ s.t. $(S_{1j},T_1) \in p$.

Saturday, May 4, 2013

Shell: Copy to Clipboard

With the help of xclip, one can copy the whole text file to the system clipboard

$ sudo apt-get install xclip

The following copys the content of foo file to clipboard (X selection)

$ cat foo | xclip -selection c

Once copied, put it into a file

xclip -o > foo

Friday, May 3, 2013

A Walk-through of A Character Device Driver

This article explains how to compile a sample Linux character device driver and how to read and write from the device.

A Sample Character Device Driver

The sample code is a copy of ldd3's example code sleepy.

/*
 * sleepy.c -- the writers awake the readers
 *
 * Copyright (C) 2001 Alessandro Rubini and Jonathan Corbet
 * Copyright (C) 2001 O'Reilly & Associates
 *
 * The source code in this file can be freely used, adapted,
 * and redistributed in source or binary form, so long as an
 * acknowledgment appears in derived source files.  The citation
 * should list that the code comes from the book "Linux Device
 * Drivers" by Alessandro Rubini and Jonathan Corbet, published
 * by O'Reilly & Associates.   No warranty is attached;
 * we cannot take responsibility for errors or fitness for use.
 *
 * $Id: sleepy.c,v 1.7 2004/09/26 07:02:43 gregkh Exp $
 */

#include <linux/module.h>
#include <linux/init.h>

#include <linux/sched.h>  /* current and everything */
#include <linux/kernel.h> /* printk() */
#include <linux/fs.h>     /* everything... */
#include <linux/types.h>  /* size_t */
#include <linux/wait.h>

MODULE_LICENSE("Dual BSD/GPL");

static int sleepy_major = 0;

static DECLARE_WAIT_QUEUE_HEAD(wq);
static int flag = 0;

ssize_t sleepy_read (struct file *filp, char __user *buf, size_t count, loff_t *pos)
{
 printk(KERN_DEBUG "process %i (%s) going to sleep\n",
   current->pid, current->comm);
 wait_event_interruptible(wq, flag != 0);
 flag = 0;
 printk(KERN_DEBUG "awoken %i (%s)\n", current->pid, current->comm);
 return 0; /* EOF */
}

ssize_t sleepy_write (struct file *filp, const char __user *buf, size_t count,
  loff_t *pos)
{
 printk(KERN_DEBUG "process %i (%s) awakening the readers...\n",
   current->pid, current->comm);
 flag = 1;
 wake_up_interruptible(&wq);
 return count; /* succeed, to avoid retrial */
}


struct file_operations sleepy_fops = {
 .owner = THIS_MODULE,
 .read =  sleepy_read,
 .write = sleepy_write,
};


int sleepy_init(void)
{
 int result;

 /*
  * Register your major, and accept a dynamic number
  */
 result = register_chrdev(sleepy_major, "sleepy", &sleepy_fops);
 if (result < 0)
  return result;
 if (sleepy_major == 0)
  sleepy_major = result; /* dynamic */
 return 0;
}

void sleepy_cleanup(void)
{
 unregister_chrdev(sleepy_major, "sleepy");
}

module_init(sleepy_init);
module_exit(sleepy_cleanup);

Makefile

obj-m = sleepy.o
KVERSION = $(shell uname -r)
PWD = $(shell pwd)
all:
	make -C /lib/modules/$(KVERSION)/build M=$(PWD) modules
clean:
	make -C /lib/modules/$(KVERSION)/build M=$(PWD) clean

Compile The Driver

The ultimate way is to compile it along with a built kernel tree. However, for the time being, installing Linux kernel headers would suffice. It should already be installed by default.

sudo apt-get install linux-headers-$(uname -r)

If installed, type

make

Load and Remove The Driver

You will see some new files are generated, including sleepy.ko, to load this module

sudo insmod sleepy.ko

To unload,

sudo rmmod sleepy

Read from and write to the device

The sleepy is created with a dynamic major, we need to create a device file for it. First get the major number,

$ cat /proc/devices | grep sleepy
250 sleepy

Then create a node under /dev, c is to create a character file, 0 is its minor number.

sudo mknod /dev/sleepy c 250 0

Now we can read and write the device using C library function read, write, or from shell

echo "sleep" > /dev/sleepy
cat /dev/sleepy

Though what sleepy does is that it makes the reader process fall asleep while the writer process wakes all readers up.

#include <fcntl.h>
#include <unistd.h>

int fd;
char buffer[32];

fd = open("/dev/sleepy", O_RDONLY);
read(fd,buffer,10);