Beyond Vacuity: Towards the Strongest Passing Formula Hana ChocklerArie Gurfinkel Ofer Strichman Technion - Israel Institute of Technology IBM Research SEI Technion (Appeared in fmcad’08 )

IBM HRL 2  The players: s.t. M ²   l does not affect  in M if M ²  [l à false ].  Exists such a literal   is satisfied vacuously in M.  Connection with original definition of vacuity [BBER01] An LTL formula φ in NNF A structure M A literal occurrence l in φ Preliminaries

IBM HRL 3 Preliminaries M ²  [ack à false]  = G(req ! ack) M:M: : req Perhaps we should have written a stronger property  ’ = G( : req) “satisfies vacuously” = “satisfies from the wrong reasons”

IBM HRL 4 Preliminaries  Vacuity can be checked with respect to literal occurrences.  = G(p U (q U : p))  Renaming: each literal appears once  = G(p 1 U (q U p 2 ))  Requires changing M, e.g., replace p’ = exp with p 1 ’ = exp and p 2 ’= : exp

IBM HRL 5 Mutual vacuity [GC04]  Find the largest number of literals that can be replaced with false without falsifying  in M. r  = M:M: p U ( q U r) false r

IBM HRL 6 Question  What is the strongest formula that is  satisfied by M,  still “captures the user’s intent”? ( = “based on  ”)

IBM HRL 7 M ² a  b  c Towards the strongest formula – step I If there are several possible strongest replacements of literals with false, we can take all of them: a,b,c  = a  b  c M:M: M ² a  b  c false M ² ( a  b  c )

IBM HRL 8 Towards the strongest formula – step II We can compute vacuity separately for each path:  = p U (q U r) ¼ 1 ² p U ( q U r) false ¼ 2 ² p U (q U r) p U r false q U r M ² ( (p U r)  (q U r) ) r r p q M:M: ¼1¼1 ¼2¼2 note that  is not vacuous in M

IBM HRL 9 Combining both steps Φ(M,  ) = disjunction over all paths in M, each disjunct is a conjunction of all possible strongest formulas obtained from  by applying mutual vacuity Example: v v p,q r M:M: ¼1¼1 ¼2¼2 ¼ 1 ² (p U v)  (q U v) ¼ 2 ² r U v Φ(M,  ) = ((p U v)  (q U v))  (r U v)  = (p  q) U ( r U v)

IBM HRL 10 v v p,q r M:M: ¼1¼1 ¼2¼2 v ¼3¼3 We are not done yet … Φ(M,  ) can be vacuous in M, because it can contain redundant disjuncts: Modified example:  = (p  q) U ( r U v) Φ(M,  ) = ((p U v)  (q U v))  (r U v)  v can be replaced with false without falsifying  in M Trying to get rid of vacuity we created a vacuous formula! ¼1¼1 ¼2¼2 ¼3¼3

IBM HRL 11 Getting rid of vacuity in Φ(M,  ) There is clearly a partial order between disjuncts in Φ(M,  ), so we can keep only the weakest disjuncts Φ(M,  ) Φ min (M,  ) removing redundant disjuncts Φ min (M,φ) Φ min (M,φ) is the strongest formula that is satisfied in M from all the formulas in the Boolean closure of strengthened versions of φ. It can be shown that: Φ(M,  ), Φ min (M,  )

IBM HRL 12 How?  An algorithm for computing Φ min (M,  ) has to  enumerate paths in M (?)  compute all-mutual-vacuity of each path (?)  It’s not so bad in practice.

IBM HRL 13 The vacuity value v v p,q r ¼1¼1 ¼2¼2 v ¼3¼3 Example:  = (p  q) U ( r U v) The vacuity value vac( ¼,  is  a  set of sets of literals that can be replaced with false in  without falsifying  in ¼. vac( ¼ i,  ) {{p,r},{q,r}} {{p,q}} {{p,q,r}} (Here we only wrote the maximal elements)

IBM HRL 14 The Vacuity Lattice  For a set of literals L, the vacuity lattice V(L) is the set of downset-closed elements in 2 2 L Example: Lattice for L = {a,b}: {{}} {{a},{}} {{b},{}} {{a},{b},{}} {{a,b},{a},{b},{}} {} {{}} {{a}} {{b}} {{a},{b}} {{a,b}} {} Denote by maximal representatives {{}} {{a}} {{b}} {{a},{b}} {{a,b}} {} Remove arrows

IBM HRL 15 Another example of the vacuity Lattice  Lattice V(L) for L = {a,b,c}.  20 rather than = 256 {{a}} {{b}} {{a},{b}} {{a,b}} {{c}} {{a},{b},{c}} {{b},{c}} {{a},{c}} {{a,c}} {{b,c}} {{a,b},{c}}{{a,c},{b}} {{b,c},{a}} {{a,b,c}} {{a,b},{a,c}} {{a,b},{b,c}} {{a,c},{b,c}} {{a,b},{a,c},{b,c}} {{}} {} 2 L · |V(L)| · 2 2 L Exact size is unknown for |L| >8 [DP02]

IBM HRL 16 {{a,b},{c}} {{b,c}} Useful restrictions on the vacuity lattice {{b,c}} Let L = lit(  ) 1. Let V(φ) µ V(L) be the set of elements that correspond to satisfiable formulas. 2. Let V(M,φ) µ V(  ) be the subset of V(  ) that corresponds to witnesses in M. φ = G( a  b  c) {{a}} {{b}} {{a},{b}} {{a,b}} {{c}} {{a},{b},{c}} {{b},{c}} {{a},{c}} {{a,c}} {{a,c},{b}} {{b,c},{a}} {{a,b,c}} {{a,b},{a,c}} {{a,b},{b,c}} {{a,c},{b,c}} {{a,b},{a,c},{b,c}} {{}} {}

IBM HRL 17 Useful restrictions on the vacuity lattice 3. Let V min (M,φ) µ V(M,φ) be the frontier of V(M,φ) from below {{a}} {{b}} {{a},{b}} {{a,b}} {{c}} {{a},{b},{c}} {{b},{c}} {{a},{c}} {{a,c}} {{b,c}} {{a,b},{c}}{{a,c},{b}} {{b,c},{a}} {{a,b,c}} {{a,b},{a,c}} {{a,b},{b,c}} {{a,c},{b,c}} {{a,b},{a,c},{b,c}} {{}} {}

IBM HRL 18 From V min (M,  ) to Φ min (M,  ) by example  = G(a  b  c) Φ min (M,φ) = G(c)  (G(b  c)  G(a  b)) {{a}} {{b}} {{a},{b}} {{a,b}} {{c}} {{a},{b},{c}} {{b},{c}} {{a},{c}} {{a,c}} {{b,c}} {{a,b},{c}}{{a,c},{b}} {{b,c},{a}} {{a,b,c}} {{a,b},{a,c}} {{a,b},{b,c}} {{a,c},{b,c}} {{a,b},{a,c},{b,c}} {{}} {}

IBM HRL 19 So how do we compute V min (M,  ) ? {{a},{c}} {{a,b}} {{}} {{a}} {{b}} {{a},{b}} {{c}} {{a},{b},{c}} {{b},{c}} {{a,c}} {{b,c}} {{a,b},{c}}{{a,c},{b}} {{b,c},{a}} {{a,b,c}} {{a,b},{a,c}} {{a,b},{b,c}} {{a,c},{b,c}} {{a,b},{a,c},{b,c}} {} V = ; While M contains a path ¼ such that vac( ¼, φ)  V ", add vac( ¼, φ) to V. V min (M,  ) = minimal elements in V. The upset of V V V min

IBM HRL 20 Model checking How do we compute its vacuity value ? So how do we compute V min (M,  ) ? V = ; While M contains a path ¼ such that vac( ¼, φ)  V ", add vac( ¼, φ) to V. V min (M,  ) = minimal elements in V. How do we find the next such path ? - Brute-force model- checking, or - via lattice automaton

IBM HRL 21 {{a},{c}} {{a,b}} {{}} {{a}} {{b}} {{a},{b}} {{c}} {{a},{b},{c}} {{b},{c}} {{a,c}} {{b,c}} {{a,b},{c}}{{a,c},{b}} {{b,c},{a}} {{a,b,c}} {{a,b},{a,c}} {{a,b},{b,c}} {{a,c},{b,c}} {{a,b},{a,c},{b,c}} {} Finding the next path ¼ We need a path ¼ with a vacuity value outside V "

IBM HRL 22 Finding the next path ¼ / single element in V  Let L be a set of literals. For s µ L let  s =  [ l à false | l 2 s] For v 2 V(L) let C  (v) =  s 2 v  s  Example:  = G(a  b  c) v = {{a},{c}} C  (v) = G(b  c)  G(a  b) {{a},{c}} {{a,b}} {{}} {{a}} {{b}} {{a},{b}} {{c}} {{a},{b},{c}} {{b},{c}} {{a,c}} {{b,c}} {{a,b},{c}}{{a,c},{b}} {{b,c},{a}} {{a,b,c}} {{a,b},{a,c}} {{a,b},{b,c}} {{a,c},{b,c}} {{a,b},{a,c},{b,c}} {} A countereample to M ² C  (v) must be out of v "

IBM HRL 23  Let L be a set of literals. For s µ L let  s =  [ l à false | l 2 s] For v 2 V(L) let C  (v) =  s 2 v  s For V µ V(L) let C  (V) =  v 2 V C  (v)  Example:  = G(a  b  c) v 1 = {{a},{c}} v 2 = {{a,b}} C  (V) = ( G(b  c)  G(a  b) )  ( G(c) ) {{a},{c}} {{a,b}} {{}} {{a}} {{b}} {{a},{b}} {{c}} {{a},{b},{c}} {{b},{c}} {{a,c}} {{b,c}} {{a,b},{c}}{{a,c},{b}} {{b,c},{a}} {{a,b,c}} {{a,b},{a,c}} {{a,b},{b,c}} {{a,c},{b,c}} {{a,b},{a,c},{b,c}} {} A counterexample to M ² C  (V) must be out of V " Finding the next path ¼ / multiple elements in V

IBM HRL 24 Finding the vacuity value of a path  Given ¼ and , compute vac( ¼,  ).  Several options: 1.Traverse the vacuity lattice: (2-exp in lit(  ))  With BFS order on V(  ) – V " from top if ¼ ² C  (v) return v. 2.An approach based on the subset lattice (1-exp in lit(  ), for each ¼ ). 3.An approach based on a lattice automaton (between 1-exp and 2-exp in lit(  ), but only once)

IBM HRL 25  Let S = h lit(  ), ½i  vac( ¼ ) = ;  For each s 2 S // BFS from top  if ¼ ²  s  vac( ¼ ) = vac( ¼ ) [ s  remove s  from S 2. Computing vac( ¼ ) with the subset lattice {} {a,b,c} {a}{b}{c} {a,b}{a,c}{b,c}

IBM HRL Computing vac( ¼ ) with a vacuity automaton  Vacuity automaton is a lattice automaton [Kupferman-Lustig 07] over the vacuity lattice  A lattice automaton maps an input word to a value on the lattice  The vacuity automaton A  maps each path ¼ to the vacuity value of  on ¼  So we:  Compute A  (once).  Simulate ¼ on A  to get vac( ¼ ) ...details in [CGS08]

IBM HRL 27  If the minimal element of V(  ) is not { {} }, then  is satisfied vacuously in all structures – called inherently vacuous [FKSV08]. Some observations about V(  ) and V(M,  ) {{}} {{a}} {{b}} {{a},{b}} {{a,b}} {} F (a  b)

IBM HRL 28 Some observations about V(  ) and V(M,  )  If {{}} is the minimal element of V(M,  ), then M has an interesting witness for  {{}} {{a}} {{b}} {{a},{b}} {{a,b}} {}

IBM HRL 29 Some observations about V(  ) and V(M,  )  If then  is vacuous in M. {{a},{c}} {{a,b}} {{}} {{a}} {{b}} {{a},{b}} {{c}} {{a},{b},{c}} {{b},{c}} {{a,c}} {{b,c}} {{a,b},{c}} {{a,c},{b}} {{b,c},{a}} {{a,b,c}} {{a,b},{a,c}} {{a,b},{b,c}} {{a,c},{b,c}} {{a,b},{a,c},{b,c}} {}

IBM HRL 30 Summary  Defined the formulas Φ(M,φ) and Φ min (M,φ)  Proved that they are the strongest  Showed how to compute them

IBM HRL 31 backup slides

IBM HRL 32 The complexity is …. hideous! in theory O(|V(M,  )| ¢ |M| ¢ 2 (|  | ¢ 2 (|  |  ) Model- checking Size of a formula that corresponds to a lattice element Number of elements in V(M,  ). Number of sets of literals

IBM HRL 33 How to find ¼ and compute its vacuity value:  We define the notion of vacuity automata  Vacuity automaton is a lattice automaton [KL07] over the vacuity lattice  A lattice automaton maps an input word to a value on the lattice  The vacuity automaton A  maps each path ¼ to the vacuity value of  on ¼ : L(A  ) ( ¼ ) = vac( ¼,  ) Actually, we first translate  to a Latticed LTL formula … details are in the paper

IBM HRL 34 Lattice Automata [KL07] Lattice automata are an extension of finite automata: we allow transitions to be labeled with values from the lattice.  For an automaton A and a word w, the value of a run r of A on w is the meet of all intermediate lattice values obtained during r.  The value of A on w is the join of all values of accepting runs of A on w (in case A is non-deterministic).  The acceptance condition of lattice Büchi automata is the same as for standard Büchi. Example: G(a Ç b) * * {a},{b},{a,b} Büchi automaton

IBM HRL 35 Lattice Automata [KL07] Lattice automata are an extension of finite automata: we allow transitions to be labeled with values from the lattice.  For an automaton A and a word w, the value of a run r of A on w is the meet of all intermediate lattice values obtained during r.  The value of A on w is the join of all values of accepting runs of A on w (in case A is non-deterministic).  The acceptance condition of lattice Büchi automata is the same as for standard Büchi. Example: >, Vacuity lattice automaton letter lattice value s0s0 s1s1 G(a Ç b)

IBM HRL 36 Example: G(a Ç b) >, letter lattice value s0s0 s1s1 We’ll consider three words of the accepting run: s 0  {{b}} w ² G(a) b ¢ b ¢ b ¢ b ¢ … {{a}} w ² G(b) (ab) ¢ (ab) ¢ (ab) ¢ … {{a},{b}} w ² G(a) Æ G(b) a ¢ a ¢ a ¢ a ¢ … word w Lattice value = vac(w,  ) Indeed… Vacuity lattice automaton

IBM HRL 37 Computing Φ(M,  ) and Φ min (M,  ) with the vacuity lattice automata Observation: vacuity value vac(M,  ) = emptiness value of M £ A vac ( :  ) Recall the algorithm for computing Φ(M,φ): V = ; While M contains a path ¼ such that vac( ¼,  )  V, add vac( ¼,  ) to V. Return V. we use vacuity lattice automata to compute vacuity values of paths here Possible improvement: 1.take one path; 2.use its vacuity value to build an intermediate formula; 3.model-check the result; 4.take a counterexample

IBM HRL 38 Some cool observations about V(  ) and V(M,  )  If { {} } is the minimal element of V(M,  ), then M has an interesting witness for  (a path that satisfies  non- vacuously).  Otherwise, either  is vacuous in M … r r p,q q M: ¼1¼1 ¼2¼2  = (p Ç q) U r vac( ¼ 1 ) = {{q},{p}} vac( ¼ 2 ) = {{p}} M ²  [p à false]