Sunday, May 26, 2013

LTL Model Checking - The Automata Approach

Let $M$ be a Kripke model, and $\psi$ be an LTL formula. The model checking problem is whether $$M \models \psi$$

It is rephrased in the manner of Büchi automaton for automatic reasoning. We express both the model and the formula in Büchi automata ($A_M$, $A_\psi$), then the model checking problem is to check whether the language of $A_M$ is contained by the language of $A_\psi$, that is, $\mathcal{L}(A_M) \subseteq \mathcal{L}(A_{\psi})$. In other words, whatever $A_M$ expresses is well captured in $A_\psi$. Further, if we negate $\psi$, then the containment becomes emptiness checking. i.e. $$\mathcal{L}(A_M) \cap \mathcal{L}(A_{\neg\psi}) = \varnothing$$

Büchi Automata

Unlike NFA/DFAs, Büchi automata have infinite words (aka. $\omega$-words). The "final" states are a set of accepting states, where a loop exists. A run on automata is an infinite execution of automaton, e.g., say the alphabet is $\Sigma = \{a,b\}$, $F=\{b\}$, a legal run can be $\rho = abbbbbb\cdots$.

Like NFA, Non-deterministic Büchi automata (NBA) have transition relations $\delta : Q \rightarrow Q $ as partial ($Q$ is the set of states), while the deterministic one total. But the subset construction from NFA to DFA doesn't apply here.

Compute $A_M$

Given a Kripke model $M$, we add an initial state, and move labels from states to incoming edges, every state becomes an accepting state. The fair version is to change the accepting states only to fair states.

Labelled Generalized Büchi Automata

We need to move the labels of Büchi Automata into states. LGBA features a set of fair conditions $FT = \{F_1, ..., F_k \}$, an accepting run must concord with all fair conditions. Formally, $$\forall i . \mathsf{inf}(\rho) \cap F_i \neq \varnothing$$ where $\mathsf{inf}$ calculates the accepting states of the run $\rho$, $F_i \subseteq Q$. Further, an LGBA has a set of initial states rather than only one in BA.

Translate LTL formulas into LGBA

This part is relatively big and it will be introduced in another post.

Synchronous Product of NBAs

Compared to synchronous product of NFAs, NBAs' product employs a tag $(1,2)$ specifying on which NBA it is running. The synchronous product is used to calculate the language intersection, $$\mathcal{L}(A_1 \times A_2) = \mathcal{L} (A_1) \cap \mathcal{L} (A_2)$$

Initial state of the product, $I = I_1 \times I_2 \times \{ 1 \}$, accepting states $F = F_1 \times Q_2 \times \{ 1 \}$, transition relations are defined such that a run on track 1 ends at one of its accepting states $F_1$, then moves on to track 2 until meeting some state in $F_2$, then it switches back. The product has such initial states and finite states to ensure that an infinite run of the product automaton must infinitely run on both $A_1$ and $A_2$.

Complement Büchi automata

The complementation involves conversion to Rabin automaton. This is to construct $A_{\neg\phi}$.

Emptiness Checking - Double nested DFS algorithm

The problem can be addressed as searching an accepting cycle reachable from an initial state. Double nested DFS algorithm employs two Hash tables, two stacks and two nested DFS routines. The following is routine 1,

DFS1(NBA A) {
  stack S1=I; stack S2=∅;
  Hashtable T1=I; Hashtable T2=∅;
  while (S1!=∅) {
    v=top(S1);
    if ∃w s.t. w∈ δ(v) && T1(w)==0 {
      hash(w,T1);
      push(w,S1);
    } else {
      pop(S1);
      if v∈F DFS2(v,S2,T2,A);
    }
  }
  return EMPTY;
}

The following is routine 2,

DFS2(state f, stack S, Hashtable T, NBA A) {
  hash(f,T);
  push(f,S);
  while (S!=∅) {
    v=top(S);
    if f∈ δ(v) return NOT_EMPTY;
    if ∃w s.t. w∈ δ(v) && T(w)==0 {
      hash(w);
      push(w);
    } else pop(S);
  }
}

DFS1 starts with the initial state, hashes each state on the path when visiting it for the first time. It invokes DFS2 when no more moves are possible and the top of stack is an accepting state. DFS2 tries to search a loop starting from this accepting state and going back to itself. When such a loop is found, it means $A$ is not empty, and the path is a combination of stack 1 and stack 2.

References

  1. R. Sebastiani, Automata-theoretic LTL Model Checking, slides on Formal Methods, 2012

Appendix

The following is a copy of original copyright notice of slides which this article is quoting.

Copyright notice: some material (text, figures) displayed in these slides is courtesy of M. Benerecetti, A. Cimatti, P. Pandya, M. Pistore, M. Roveri, and S.Tonetta, who detain its copyright. Some exampes displayed in these slides are taken from [Clarke, Grunberg & Peled, “Model Checking”, MIT Press], and their copyright is detained by the authors. All the other material is copyrighted by Roberto Sebastiani. Every commercial use of this material is strictly forbidden by the copyright laws without the authorization of the authors. No copy of these slides can be displayed in public without containing this copyright notice.

No comments:

Post a Comment