Widening Automata

Verification of assertions Forward fixpoint computation Set of initial states I Postcondition function Post() Error states I . . . Post(I) ? Post(Post(I)) E

Verification of assertions Backward fixpoint computation Set of initial states I Precondition function Pre() Error states E E . . . Pre(E) ? Pre(Pre(E)) I

Fixpoints may not converge For infinite state systems fixpoint computations may not converge at all require a large number of iterations Widening is a approximation technique that helps a fixpoint computation converge

A widening operator Idea: Instead of computing a sequence of automata A1, A2, … where Ai+1=Aipost(Ai), compute A’1, A’2, … where A‘i+1=A’i(A’ipost(A’i)) By definition AB  AB The goal is to find a widening operator  such that: The sequence A’1, A’2, … converges It converges fast The computed fixpoint is as close as possible to the exact set of reachable states

Widening Automata Given automata A and A’ we want to compute AA’ We say that states k and k’ are equivalent (kk’) if either k and k’ can be reached from either initial state with the same string (unless k or k’ is a sink state) or, the languages accepted from k and k’ are equal or, for some state k’’, kk’’ and k’k’’ The states of AA’ are the equivalence classes of 

Example 0 1 0,1 X 1 0 0,1 1 1 1 3 0 1 0,1 1 0 0,1 0 X 0,1 1 1 X 3 1 2 1 2 0 1 0,1 3 1

Example 0 1 0,1 0 1 0,1 X 1 0 0,1 0 X 0,1 1 X 1 0 0,1 1 3 1 1 2 0 1 0,1 1 0 X 0,1 1 X = 1 0 1 0,1 0,1 2 3 1

Example 0, X 1 1 X 1 0 1 0,1 2 1 2 1 1 1 3 2 4 0 X 0,1 X 1 1 1 X 2 1 0 1 0,1 3 4 1 2 1 3 1 1 1 4 X

Example 0 X 0,1 0, X 1 1 X 1 X X 1 1 2 1 0 1 0,1 0 1 0,1 1 2 3 4 1 1 1 1 1 1 X 0 X 0,1 X 1 0,0 = 1 0,2 1,3 1

An exactness result (some definitions) An automaton (Q,,,q0,F) is called state-disjoint if for all qiqjQ, L(qi)L(qj)= An automaton (Q1,,1,q01,F1) is called weakly equivalent to (Q2,,2,q02,F2) iff there exists f: Q1 Q2, such that: f(q01)=q02 f(1(q,))=2(f(q), ) for all qQ1 and  f(q) F2 for all q F1

An exactness result If then a least fixpoint is represented by a state-disjoint automaton A and, the first automaton As in the approximate sequence is weakly equivalent to A then the approximate sequence converges to the exact least fixpoint