An Automata-Theoretic Approach to LTL

Moshe Y. Vardi

Presented by: Tamar Aizikowitz

Spring 2006

Presentation Outline

Finite Automata
Büchi Automata
Finite Alternating Automata
Alternating Büchi Automata
From LTL to Büchi Automata
Satisfiability
Validity
Verification

Introduction (1)

Program verification: always desirable, but never easy.

Step 1: Define a formal specification. Here: Linear Temporal Logic (LTL). A specification describes the allowed computations.

Step 2: Check whether a given program satisfies the specification. A program satisfies a specification iff all of its computations satisfy the specification.

Introduction (2)

Interesting questions: Is a specification satisfiable? Does a specific program satisfy a specification?

Suggested solutions are based on automata theory. A computation is an infinite sequence of states, so we look at automata on infinite words. Given an LTL formula, construct an automaton which accepts precisely the computations that satisfy the formula.

Finite State Automata (1)

(Nondeterministic) finite automaton: A = ⟨Σ, S, S_0, δ, F⟩

Σ – finite alphabet
S – finite set of states
S_0 ⊆ S – initial states
F ⊆ S – accepting states
δ: S × Σ → 2^S – transition function

|S_0| = 1 and |δ(s, a)| ≤ 1 for all s, a ⇒ deterministic automaton.
Deterministic ~ nondeterministic for FSA: both recognise the same class of languages.

Finite State Automata (2)

A run r of A on a finite word w = a_0 ⋯ a_{n-1} is a sequence s_0, …, s_n such that:
s_0 ∈ S_0
s_{i+1} ∈ δ(s_i, a_i) for 0 ≤ i ≤ n-1

A run r is accepting if s_n ∈ F.
Nondeterministic ⇒ possibly many runs on w. Deterministic ⇒ exactly one run on w.
A word w is accepted by A iff A has an accepting run on w.

Finite and Infinite Words

A finite word is an element of Σ*, i.e. a finite sequence a_0 ⋯ a_n of symbols from Σ.

An infinite word is an element of Σ^ω, i.e. an infinite sequence a_0 a_1 ⋯ of symbols from Σ.

A finitary language is a set of finite words, i.e. a subset of Σ*.

An infinitary language is a set of infinite words, i.e. a subset of Σ^ω.

Büchi Automata (1)

Suppose A = ⟨Σ, S, S_0, δ, F⟩ receives an infinite input word w = a_0 a_1 ⋯

A run r of A on w is an infinite sequence s_0, s_1, … s.t.:
s_0 ∈ S_0
s_{i+1} ∈ δ(s_i, a_i) for all i ≥ 0

An infinite run has no final state, so acceptance cannot be defined by the type of the final state. Instead we consider the limit behaviour…

Büchi Automata (2)

Define: lim(r) = {s | s = s_i for infinitely many i}
S is finite ⇒ lim(r) ≠ ∅.
A run r is accepting if lim(r) ∩ F ≠ ∅.
An infinite word w is accepted by A if A has an accepting run on w.
The infinitary language of A, L(A), is the set of all infinite words that A accepts.
When A is viewed as an automaton on infinite words, A is called a Büchi automaton.

Example 1

[Figure: a deterministic automaton over {0,1} with states q0 (initial) and q1 (accepting); q0 --0--> q0, q0 --1--> q1, q1 --1--> q1, q1 --0--> q0.]

As a finite automaton: L(A) = {0,1}*{1}+, the words ending in 1.
As a Büchi automaton: L(A) = {w | w has an infinite number of 1's}.

Example 2

[Figure: a nondeterministic automaton over {0,1} with states q0 (initial) and q1 (accepting); q0 --0,1--> q0, q0 --1--> q1, q1 --1--> q1.]

As a finite automaton: L(A) = {0,1}*{1}+.
As a Büchi automaton: L(A) = {0,1}*{1}^ω, the words with only finitely many 0's.

Closure: Union

Given two finite automata A_1, A_2 (with disjoint state sets), construct A such that L(A) = L(A_1) ∪ L(A_2):

A = ⟨Σ, S_1 ∪ S_2, S^0_1 ∪ S^0_2, δ, F_1 ∪ F_2⟩
δ(s_1, a) = δ_1(s_1, a) for s_1 ∈ S_1
δ(s_2, a) = δ_2(s_2, a) for s_2 ∈ S_2

Will the same work for Büchi automata? Yes!

Closure: Intersection

Given two finite automata A_1, A_2, construct A such that L(A) = L(A_1) ∩ L(A_2):

A = ⟨Σ, S_1 × S_2, S^0_1 × S^0_2, δ, F_1 × F_2⟩
δ((s, t), a) = δ_1(s, a) × δ_2(t, a)

Called the product automaton.

Will the same work for Büchi automata? No!

Example 3

[Figure: two copies of the two-state automaton of Example 1 over {0,1}. A_1 accepts the words with infinitely many 1's; A_2, with the roles of 0 and 1 exchanged, accepts the words with infinitely many 0's.]

The intersection should be all infinite words with infinitely many 0's and infinitely many 1's.

A_1 is in its accepting state exactly after reading a 1 and A_2 exactly after reading a 0, so in the product the two accepting states are visited alternately and never at the same time: the suggested product automaton, accepting at F_1 × F_2, yields ∅.

Büchi Intersection

Proposition: Büchi automata are closed under intersection.

Use a flag to remember which type of accepting state we are waiting to see.

A = ⟨Σ, S_1 × S_2 × {1, 2}, S^0_1 × S^0_2 × {1}, δ, F_1 × S_2 × {1}⟩
(s', t', j) ∈ δ((s, t, i), a) iff s' ∈ δ_1(s, a), t' ∈ δ_2(t, a) and:
  i = 1 and s ∈ F_1 ⇒ j = 2
  i = 2 and t ∈ F_2 ⇒ j = 1
  otherwise j = i

The flag returns to 1 only after A_2 has visited F_2, so a run that passes infinitely often through F_1 × S_2 × {1} also passes infinitely often through F_2; both components accept.

Büchi Intersection Example

w = (001)^ω ∈ L(A_1) ∩ L(A_2)

[Figure: A_1 and A_2 as in Example 3, with the run of the flagged product on 0 0 1 0 0 1 … shown letter by letter; the flag switches from 1 to 2 whenever A_1 is in an accepting state and back from 2 to 1 whenever A_2 is.]

Closure: Determinization

Given a nondeterministic finite automaton A, construct A_d such that L(A_d) = L(A):

A_d = ⟨Σ, 2^S, {S_0}, δ_d, F_d⟩
F_d = {T | T ∩ F ≠ ∅}
δ_d(T, a) = {t | t ∈ δ(s, a) for some s ∈ T}

Called the subset automaton.

Will the same work for Büchi automata? No!

Büchi Determinization (1)

Büchi automata are not closed under determinization: nondeterministic Büchi automata are strictly more expressive than deterministic ones.

Proof: there is no deterministic Büchi automaton equivalent to the nondeterministic Büchi automaton from Example 2, which accepts the language L = {0,1}*{1}^ω.

Büchi Determinization (2)

Continued proof… Assume by way of contradiction that there is such a deterministic Büchi automaton A_d, with initial state s_0 and transition function δ extended to finite words.

1^ω ∈ L ⇒ ∃ i_0 ≥ 0 s.t. δ(s_0, 1^{i_0}) = s_{f_0} ∈ F
1^{i_0} 0 1^ω ∈ L ⇒ ∃ i_1 ≥ 0 s.t. δ(s_0, 1^{i_0} 0 1^{i_1}) = s_{f_1} ∈ F
…
δ(s_0, 1^{i_0} 0 1^{i_1} 0 ⋯ 0 1^{i_{|F|}}) = s_{f_{|F|}} ∈ F

These are |F| + 1 visits to F, so ∃ n < m s.t. s_{f_n} = s_{f_m}. Since A_d is deterministic, the segment 0 1^{i_{n+1}} ⋯ 0 1^{i_m} leads from s_{f_n} back to s_{f_n}, hence
1^{i_0} 0 ⋯ 0 1^{i_n} (0 1^{i_{n+1}} ⋯ 0 1^{i_m})^ω ∈ L(A_d).
This word contains infinitely many 0's, so it is not in L ⇒ L(A_d) ≠ L. ∎

Closure: Complementation

Given a deterministic finite automaton A, construct A^C such that L(A^C) = Σ* \ L(A): simply complement the set of accepting states.

For a nondeterministic automaton acceptance is existential (some run accepts), so complementing the accepting states does not work.

Complementation of a nondeterministic automaton: (1) determinize, (2) complement.

Büchi Complementation

Nondeterministic Büchi automata are not closed under determinization ⇒ the determinize-then-complement algorithm doesn't work.

Even for deterministic Büchi automata, complementation is a far from trivial task. Nevertheless, it can be shown that Büchi automata (deterministic and nondeterministic) are closed under complementation.

Complexity: singly exponential with an almost linear exponent.

Automata Algorithms

An automaton is interesting if it defines an interesting language, i.e. one that is neither ∅ nor Σ* (Σ^ω for Büchi automata).

A is nonempty if L(A) ≠ ∅. A is nonuniversal if L(A) ≠ Σ*.

The nonemptiness problem: given A, decide whether A is nonempty ⇒ easy!
The nonuniversality problem: given A, decide whether A is nonuniversal ⇒ hard!

Nonemptiness (1)

Finite state automaton: BFS to determine whether there exist s ∈ S_0 and t ∈ F such that there is a path from s to t in the graph representation of A.
⇒ linear time.

Alternatively: guess s ∈ S_0, then guess a path from s to some t ∈ F one state at a time.
⇒ NLOGSPACE-complete.

Nonemptiness (2)

Büchi automaton: BFS to determine whether there exist s ∈ S_0 and t ∈ F s.t. there is a path from s to t and a non-trivial path from t back to t in the graph representation of A. Can also be done using SCCs: look for a reachable non-trivial SCC that contains a state of F.
⇒ linear time.

Alternatively: guess s ∈ S_0, guess a path from s to some t ∈ F, and then a path from t back to itself.
⇒ NLOGSPACE-complete.
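The flagged product of the Büchi Intersection slide and the lasso-based nonemptiness check of this slide, in working Python. This is an added example written for this page, not code from the slides or from Vardi's paper. A1 and A2 are the automata of Example 3 (A2 realised here as A1 with q0 accepting, which gives "infinitely many 0's"); the class and function names, and the lasso_automaton helper that turns an ultimately periodic word prefix·loop^ω into a one-word Büchi automaton, are my own. It shows the naive product yielding the empty language, the flagged product being nonempty, and membership of (001)^ω decided by intersecting with the word's own automaton and checking nonemptiness.

```python
from collections import deque
from itertools import product


class Buchi:
    """Nondeterministic Büchi automaton <Σ, S, S0, δ, F>.
    delta maps (state, letter) -> set of successors; a missing key means no successor."""

    def __init__(self, alphabet, states, initial, delta, accepting):
        self.alphabet = frozenset(alphabet)
        self.states = frozenset(states)
        self.initial = frozenset(initial)
        self.delta = delta
        self.accepting = frozenset(accepting)

    def succ(self, s, a):
        return self.delta.get((s, a), frozenset())

    def reachable(self, sources):
        """States reachable from `sources` by a path of length >= 1 (BFS)."""
        seen, todo = set(), deque(sources)
        while todo:
            s = todo.popleft()
            for a in self.alphabet:
                for t in self.succ(s, a):
                    if t not in seen:
                        seen.add(t)
                        todo.append(t)
        return seen

    def is_nonempty(self):
        """L(A) != {} iff some t in F is reachable from S0 and lies on a cycle,
        i.e. there is a lasso s -> ... -> t -> ... -> t (the Nonemptiness (2) slide)."""
        from_init = self.reachable(self.initial) | self.initial
        return any(t in self.reachable({t}) for t in self.accepting & from_init)


def naive_product(a1, a2):
    """Finite-automata product <Σ, S1×S2, S1_0×S2_0, δ, F1×F2>; wrong for Büchi."""
    delta = {((s, t), a): frozenset(product(a1.succ(s, a), a2.succ(t, a)))
             for s in a1.states for t in a2.states for a in a1.alphabet}
    return Buchi(a1.alphabet, product(a1.states, a2.states),
                 product(a1.initial, a2.initial), delta,
                 product(a1.accepting, a2.accepting))


def buchi_intersection(a1, a2):
    """Büchi product with a flag i in {1, 2} remembering whose accepting state we wait
    for: states S1×S2×{1,2}, initial S1_0×S2_0×{1}, accepting F1×S2×{1}."""
    delta = {}
    for s, t, i in product(a1.states, a2.states, (1, 2)):
        if i == 1 and s in a1.accepting:
            j = 2
        elif i == 2 and t in a2.accepting:
            j = 1
        else:
            j = i
        for a in a1.alphabet:
            delta[((s, t, i), a)] = frozenset(
                (s2, t2, j) for s2 in a1.succ(s, a) for t2 in a2.succ(t, a))
    return Buchi(a1.alphabet, product(a1.states, a2.states, (1, 2)),
                 product(a1.initial, a2.initial, (1,)), delta,
                 product(a1.accepting, a2.states, (1,)))


def lasso_automaton(prefix, loop, alphabet):
    """Büchi automaton accepting exactly the one word prefix·loop^ω (loop non-empty)."""
    word = list(prefix) + list(loop)
    delta = {(i, x): frozenset({i + 1 if i + 1 < len(word) else len(prefix)})
             for i, x in enumerate(word)}
    return Buchi(alphabet, range(len(word)), {0}, delta, range(len(word)))


def accepts(aut, prefix, loop):
    """prefix·loop^ω ∈ L(aut), decided by intersecting aut with the lasso automaton."""
    lasso = lasso_automaton(prefix, loop, aut.alphabet)
    return buchi_intersection(aut, lasso).is_nonempty()


# Example 3: A1 accepts words with infinitely many 1's (q1 is entered exactly after
# reading a 1); A2 has the same transitions but accepts at q0, i.e. infinitely many 0's.
TRANS = {('q0', '0'): {'q0'}, ('q0', '1'): {'q1'},
         ('q1', '0'): {'q0'}, ('q1', '1'): {'q1'}}
A1 = Buchi('01', {'q0', 'q1'}, {'q0'}, TRANS, {'q1'})
A2 = Buchi('01', {'q0', 'q1'}, {'q0'}, TRANS, {'q0'})

if __name__ == '__main__':
    both = buchi_intersection(A1, A2)
    print('naive product nonempty:', naive_product(A1, A2).is_nonempty())  # False
    print('Büchi intersection nonempty:', both.is_nonempty())               # True
    print('(001)^ω accepted:', accepts(both, '', '001'))                    # True
    print('0 1^ω accepted:', accepts(both, '0', '1'))                       # False
```

The membership test reuses the intersection construction rather than simulating the run directly: for a nondeterministic automaton the run on a fixed word is not unique, whereas nonemptiness of the product with the one-word automaton is exactly the lasso check of this slide.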

Nonuniversality (1)

Finite state automaton: given A, nonuniversality of A is equivalent to nonemptiness of A^C.
Complementation is exponential ⇒ exponential time; PSPACE-complete.

Constructing A^C "on the fly" (guessing the subset states one at a time instead of building 2^S) yields an NPSPACE algorithm; by Savitch's theorem NPSPACE = PSPACE.

Nonuniversality (2)

Büchi automaton: as before, nonuniversality of A is equivalent to nonemptiness of A^C.
Complementation is exponential ⇒ exponential time; PSPACE-complete.

Break!

Recap

Nondeterministic Büchi automata:
Union – linear
Intersection – linear
Complementation – exponential
Determinization – not always possible
Emptiness – linear time, NLOGSPACE-complete
Universality – exponential time, PSPACE-complete

Alternating Automaton (1)

Nondeterminism gives a computing device the power of existential choice.
Its dual gives the power of universal choice.
Alternating automaton: a computing device which has both!

Alternating Automaton (2)

Given a set X, B+(X) is the set of positive boolean formulas over X (built from the elements of X with ∧ and ∨, without negation) with the addition of true and false.

Let Y ⊆ X. Y satisfies a formula θ ∈ B+(X) if assigning true to the elements of Y and false to those of X \ Y satisfies θ. Denoted: Y ⊨ θ.

Examples: {s1, s3} ⊨ (s1 ∨ s2) ∧ (s3 ∨ s4), but {s1, s2} ⊭ (s1 ∨ s2) ∧ (s3 ∨ s4).

Alternating Automaton (3)

The transition function of a nondeterministic automaton maps a state and input symbol to a set of possible next states. This set can be viewed as a disjunction of states.

Example: δ(s, a) = {s1, s3} corresponds to s1 ∨ s3.

An arbitrary formula from B+(S) can yield transitions combining existential (disjunction) and universal (conjunction) choice.

Alternating Automaton (4)

Example: assume the following transition:
δ(s, a) = (s1 ∨ s2) ∧ (s3 ∨ s4)

The automaton accepts a word a·w from state s if it accepts w from s1 and from s3, or from s1 and from s4, or from s2 and from s3, or from s2 and from s4.

Alternating Automaton (5)

Alternating automaton: A = ⟨Σ, S, s_0, δ, F⟩

Σ – finite alphabet
S – finite set of states
s_0 ∈ S – initial state
F ⊆ S – accepting states
δ: S × Σ → B+(S) – transition function

Note the unique initial state…

Alternating Automaton (6)

Universal choice ⇒ a run is a tree.
A tree is a (finite or infinite) DAG with a root ε, s.t. each node other than the root has a unique parent.
The level of a node x, denoted |x|, is its distance from the root; |ε| = 0.
A branch β = x_0, x_1, … is a maximal sequence s.t. x_0 = ε and x_i is the parent of x_{i+1} for all i ≥ 0.
A Σ-labeled tree is a pair (τ, T) where τ is a tree and T maps nodes to Σ, i.e. assigns each node a label.

Alternating Automaton (7)

A run of A on a finite word w = a_0 ⋯ a_{n-1} is a finite S-labeled tree r such that:
r(ε) = s_0
if |x| = i < n, r(x) = s and δ(s, a_i) = θ, then x has k children x_1, …, x_k, for some k ≤ |S|, and {r(x_1), …, r(x_k)} ⊨ θ.

A run tree is accepting if all nodes at depth n are labeled by states in F. Since θ = true is satisfied by the empty set (k = 0), a branch of an accepting run either hits true (and ends early) or ends, after the whole of w has been read, in an accepting state.

Example 4

A = ⟨{a, b}, {s0, s1}, s0, δ, {s0}⟩
δ(s0, a) = s0 ∧ s1
δ(s0, b) = s0 ∨ s1
δ(s1, a) = s0
δ(s1, b) = true

w1 = abba ∈ L(A). Accepting run: the root s0 reads a and must have both children s0 and s1; at depth 1, under s0 choose the child s1 (δ(s0, b) = s0 ∨ s1) and let s1 hit true; at depth 2 the remaining s1 reads b and hits true. No node is left at depth 3 or 4, so every node at depth 4 is (vacuously) in F.

w2 = b ∈ L(A). Accepting run: the root s0 reads b; choose the single child s0 ∈ F.

Equivalence to NFSA (1)

Proposition: for every NFSA A there exists an alternating automaton A_a s.t. L(A_a) = L(A).

Proof: A_a = ⟨Σ, S ∪ {s_0}, s_0, δ_a, F_a⟩ with s_0 a fresh initial state,
δ_a(s_0, a) = ⋁_{t ∈ S_0} ⋁_{t' ∈ δ(t, a)} t'
δ_a(s, a) = ⋁_{t ∈ δ(s, a)} t for s ∈ S
F_a = F ∪ {s_0} if S_0 ∩ F ≠ ∅ (so that the empty word is still accepted), F_a = F otherwise.

Note: empty disjunctions in the definition of δ_a are taken to be false.
A_a is linear in the size of A.

Equivalence to NFSA (2)

Proposition: for every alternating automaton A there exists an NFSA A_n s.t. L(A_n) = L(A).

Proof: A_n = ⟨Σ, 2^S, {{s_0}}, δ_n, 2^F⟩
δ_n(T, a) = {T' | T' ⊨ ⋀_{t ∈ T} δ(t, a)}

Note: empty conjunctions in the definition of δ_n are taken to be true.
A_n is exponential in the size of A, and this blowup is unavoidable!
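Both directions of the equivalence on the two preceding slides, as an added Python example (not code from the slides or from Vardi's paper): satisfies implements Y ⊨ θ, models enumerates the subsets of S that satisfy a B+(S) formula, Alternating.accepts runs the subset automaton A_n of this slide on a finite word, and from_nfsa builds A_a of the previous slide from an NFSA. EX4 is the automaton of Example 4 and ENDS_IN_1 the automaton of Example 2 read over finite words; the class and function names and the tuple encoding of B+(S) are my own.

```python
from itertools import combinations

# B+(S) formulas: True, False, a state name (str), ('and', a, b) or ('or', a, b).


def satisfies(Y, theta):
    """Y ⊨ theta: the states in Y are true, every other state is false."""
    if isinstance(theta, bool):
        return theta
    if isinstance(theta, str):
        return theta in Y
    op, a, b = theta
    if op == 'and':
        return satisfies(Y, a) and satisfies(Y, b)
    return satisfies(Y, a) or satisfies(Y, b)


def disjunction(atoms):
    """⋁ atoms; the empty disjunction is false, as the slide notes."""
    theta = False
    for t in atoms:
        theta = t if theta is False else ('or', theta, t)
    return theta


def models(theta, states):
    """The minimal Y ⊆ states with Y ⊨ theta (B+ formulas are monotone, so every
    superset of a model is a model too; the minimal ones suffice for acceptance)."""
    S = sorted(states)
    found = [frozenset(c) for r in range(len(S) + 1)
             for c in combinations(S, r) if satisfies(set(c), theta)]
    return [Y for Y in found if not any(Z < Y for Z in found)]


class Alternating:
    """Alternating automaton <Σ, S, s0, δ, F> on finite words;
    delta maps (state, letter) -> B+(S)."""

    def __init__(self, alphabet, states, init, delta, accepting):
        self.alphabet, self.states = set(alphabet), set(states)
        self.init, self.delta, self.accepting = init, delta, set(accepting)

    def accepts(self, word):
        """Run the equivalent NFSA A_n = <Σ, 2^S, {{s0}}, δn, 2^F> on `word`:
        from macro-state T on letter a, move to any T' with T' ⊨ ⋀_{t∈T} δ(t, a)."""
        current = {frozenset({self.init})}
        for a in word:
            nxt = set()
            for T in current:
                theta = True  # the empty conjunction is true, as the slide notes
                for t in T:
                    theta = ('and', theta, self.delta[(t, a)])
                nxt.update(models(theta, self.states))
            current = nxt
        # the accepting macro-states are the subsets of F
        return any(T <= self.accepting for T in current)


def from_nfsa(alphabet, states, initial, delta, accepting, fresh='init'):
    """NFSA -> alternating automaton with one fresh initial state `fresh`:
    δa(fresh, a) = ⋁_{t∈S0} ⋁_{t'∈δ(t,a)} t'  and  δa(s, a) = ⋁_{t∈δ(s,a)} t.
    `fresh` is accepting iff some NFSA initial state is, so ε is treated alike."""
    da = {}
    for a in alphabet:
        da[(fresh, a)] = disjunction(sorted(
            t2 for t in initial for t2 in delta.get((t, a), ())))
        for s in states:
            da[(s, a)] = disjunction(sorted(delta.get((s, a), ())))
    fa = set(accepting) | ({fresh} if set(initial) & set(accepting) else set())
    return Alternating(alphabet, set(states) | {fresh}, fresh, da, fa)


# Example 4 from the slides.
EX4 = Alternating({'a', 'b'}, {'s0', 's1'}, 's0',
                  {('s0', 'a'): ('and', 's0', 's1'), ('s0', 'b'): ('or', 's0', 's1'),
                   ('s1', 'a'): 's0', ('s1', 'b'): True},
                  {'s0'})

# Example 2 read as a finite automaton (words over {0,1} ending in 1), converted
# with from_nfsa.
ENDS_IN_1 = from_nfsa({'0', '1'}, {'q0', 'q1'}, {'q0'},
                      {('q0', '0'): {'q0'}, ('q0', '1'): {'q0', 'q1'},
                       ('q1', '1'): {'q1'}},
                      {'q1'})

if __name__ == '__main__':
    for w in ('abba', 'b', 'a', 'aa'):
        print(repr(w), EX4.accepts(w))          # True True False False
    for w in ('01', '10', '111', ''):
        print(repr(w), ENDS_IN_1.accepts(w))    # True False True False
```

Restricting δ_n to minimal models does not change the language: if T' ⊨ θ then so does every superset, and the acceptance test T ⊆ F is satisfied by a minimal model whenever it is satisfied by a larger one.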

Alternating Nonemptiness

We showed: alternating automata can be converted to NFSA (with an exponential blowup). Nonemptiness for NFSA can be solved in linear time and is NLOGSPACE-complete.

Nonemptiness for alternating automata: can be decided in exponential time, and is PSPACE-complete.

Alternating Büchi Automaton

Similarly to FSA, an alternating automaton can also be viewed as an automaton on infinite words ⇒ alternating Büchi automaton.

A run can now be a possibly infinite tree. A run is accepting if every infinite branch includes infinitely many labels in F.

Equivalence to Büchi (1)

Proposition: for every nondeterministic Büchi automaton A there exists an alternating Büchi automaton A_a s.t. L(A_a) = L(A).

Proof: the same construction as in the finite case.
Note: A_a is linear in the size of A.

Equivalence to Büchi (2)

Proposition: for every alternating Büchi automaton A there exists a nondeterministic Büchi automaton A_n s.t. L(A_n) = L(A).

Proof: more complex than the finite case, since we need to make sure each infinite branch hits an infinite number of accepting states. Distinguish between the branches that have hit an accepting state recently and those that haven't (two sets of states instead of one); A_n is in an accepting state once all branches are in the "recent" group, and the group is then reset so that every branch must visit F again.

Note: A_n is exponential in the size of A, and this blowup is unavoidable!

Alt. Büchi Nonemptiness

We showed: alternating Büchi automata can be converted to nondeterministic Büchi automata (with an exponential blowup). Nonemptiness for NBA can be solved in linear time and is NLOGSPACE-complete.

Nonemptiness for alternating Büchi automata: can be decided in exponential time, and is PSPACE-complete.

Linear Temporal Logic (LTL)

Base: a set Prop of atomic propositions.

Closure:
Boolean connectives: ¬, ∧
Unary temporal connective: X (next)
Binary temporal connective: U (until)

Abbreviations: Fφ ≡ true U φ (eventually); Gφ ≡ ¬F¬φ (globally).

LTL Semantics (1)

LTL formulae are interpreted over infinite computations.
A computation is an infinite sequence π = π_0, π_1, …
π_i ⊆ Prop is the set of atomic propositions that hold in the i'th position of π.
Denote the suffix π_i, π_{i+1}, … by π^i.

LTL Semantics (2)

π ⊨ φ indicates that φ holds in π. The relation ⊨ is inductively defined:
π ⊨ true and π ⊭ false
π ⊨ p for p ∈ Prop iff p ∈ π_0
π ⊨ φ ∧ ψ iff π ⊨ φ and π ⊨ ψ
π ⊨ ¬φ iff π ⊭ φ
π ⊨ Xφ iff π^1 ⊨ φ
π ⊨ φ_1 U φ_2 iff ∃ k ≥ 0 s.t. π^k ⊨ φ_2 and π^i ⊨ φ_1 for all 0 ≤ i < k

LTL to Alternating Büchi (1)

Computations can also be viewed as infinite words over the alphabet 2^Prop.

Goal: construct a finite automaton on infinite words such that the set of computations that satisfy the LTL formula is exactly the language accepted by the automaton.

We show a translation from LTL formulae to alternating Büchi automata.

LTL to Alternating Büchi (2)

Given an LTL formula φ, construct an alternating Büchi automaton as follows:
A_φ = ⟨2^Prop, S, s_0, δ, F⟩
S – all subformulas of φ and their negations; |S| = O(|φ|)
s_0 – φ
F – all formulas in S of the form ¬(ψ U θ)

Before we can define δ we need to define a new variation of duality…

LTL to Alternating Büchi (3)

Define: the dual of θ ∈ B+(S), written dual(θ), is obtained from θ by switching ∨ with ∧, switching true with false, and negating the subformulas in S (the state atoms of θ).

Example: dual(p ∧ (q ∨ Xq)) = ¬p ∨ (¬q ∧ ¬Xq).

LTL to Alternating Büchi (4)

We define δ inductively on the structure of the state formula, for a letter a ∈ 2^Prop:
δ(p, a) = true if p ∈ a
δ(p, a) = false if p ∉ a
δ(ψ ∧ θ, a) = δ(ψ, a) ∧ δ(θ, a)
δ(¬ψ, a) = dual(δ(ψ, a))
δ(Xψ, a) = ψ
δ(ψ U θ, a) = δ(θ, a) ∨ (δ(ψ, a) ∧ (ψ U θ))

LTL to Alternating Büchi (5)

Note: every transition leads either to true/false or to a strictly smaller formula, except the self-reference in the U case, so an infinite branch of a run is labeled from some point on by a single state of the form ψ U θ or ¬(ψ U θ).

δ(¬(ψ U θ), a) = dual(δ(θ, a)) ∧ (dual(δ(ψ, a)) ∨ ¬(ψ U θ)), so along a branch that stays on ¬(ψ U θ) forever, θ fails at every position from that point on ⇒ ψ U θ indeed fails there and ¬(ψ U θ) holds ⇒ infinite branches labeled by ¬(ψ U θ) should be accepted; hence ¬(ψ U θ) ∈ F.

A branch that stays on ψ U θ forever keeps postponing θ: there is no guarantee that θ will ever hold, so ψ U θ has not been established ⇒ infinite branches labeled by ψ U θ should be rejected; hence ψ U θ ∉ F.

Example 5

φ = (Xp) U q
A_φ = ⟨2^{p,q}, S, φ, δ, {¬φ}⟩
S = {φ, ¬φ, Xp, ¬Xp, p, ¬p, q, ¬q}

δ(state, a) for each state (row) and letter a ∈ 2^{p,q} (column):

state | {p,q}  | {p}      | {q}    | ∅
φ     | true   | p ∧ φ    | true   | p ∧ φ
¬φ    | false  | ¬p ∨ ¬φ  | false  | ¬p ∨ ¬φ
Xp    | p      | p        | p      | p
¬Xp   | ¬p     | ¬p       | ¬p     | ¬p
p     | true   | true     | false  | false
¬p    | false  | false    | true   | true
q     | true   | false    | true   | false
¬q    | false  | true     | false  | true

LTL to Nondeterministic Büchi

We have shown:
Alternating Büchi automata can be converted to nondeterministic Büchi automata (exponential).
Given an LTL formula φ, we can construct an alternating Büchi automaton A_φ s.t. |S| is O(|φ|) and L(A_φ) is the set of computations satisfying φ.

⇒ Given an LTL formula φ, we can construct a nondeterministic Büchi automaton A_φ s.t. |S| is 2^{O(|φ|)} and L(A_φ) is the set of computations satisfying φ.

Satisfiability

An LTL formula φ is satisfiable if there is some computation π s.t. π ⊨ φ.
An unsatisfiable formula is an uninteresting specification.

Given φ: construct A_φ (exponential in the size of φ) and check nonemptiness of A_φ ⇒ exponential time, and PSPACE-complete.

Validity

An LTL formula φ is valid if it is satisfied by every computation.
A valid formula is also an uninteresting specification.

Given φ: φ is valid iff ¬φ is not satisfiable ⇒ exponential time and PSPACE-complete as well.

Verification (1)

A finite state program over a set of atomic propositions Prop is a structure of the form P = ⟨W, w_0, R, V⟩:
W – a finite set of states
w_0 ∈ W – the initial state
R ⊆ W × W – a total accessibility relation (every state has a successor)
V: W → 2^Prop – truth value assignment for the propositions in each state

A program satisfies a specification iff all of its computations satisfy the specification.

Verification (2)

A finite state program P can be viewed as a nondeterministic Büchi automaton A_P = ⟨2^Prop, W, {w_0}, δ, W⟩ with s' ∈ δ(s, a) iff (s, s') ∈ R and a = V(s).

All states are accepting ⇒ any infinite run is accepting. L(A_P) is the set of computations of P.

Verification (3)

Given a finite state program P and an LTL specification φ, the verification problem reduces to checking whether L(A_P) ⊆ L(A_φ).

⇔ L(A_P) ∩ (complement of L(A_φ)) = ∅
⇔ L(A_P) ∩ L(A_¬φ) = ∅ (negate the formula instead of complementing the automaton)

⇒ The complexity of verification is NLOGSPACE in |P|, PSPACE in |φ|, and O(|P| · 2^{O(|φ|)}) time.

Summary

Covered:
Nondeterministic Büchi automata
Alternating automata
LTL
Alternating Büchi → nondeterministic Büchi
Satisfiability
Validity
Verification