Copyright , Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University of Warwick. These notes are copyrighted materials and may not be used in other course settings outside of the University of Iowa in their current form or modified form without the express written permission of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of the copyright holders. Model Checking with Büchi Automata The University of Iowa 22c:296 Automated Software Verification

Correctness condition We want to find a correctness condition for a model to satisfy a specification. Language of a model: L(Model) Language of a specification: L(Spec). We need: L(Model)  L(Spec).

Correctness All sequences Sequences satisfying Spec Program executions

How to prove correctness? Show that L(Model)  L(Spec). Equivalently: ______ Show that L(Model)  L(Spec) = Ø. Also: can obtain L(Spec) by translating from LTL!

What do we need to know? How to intersect two automata? How to complement an automaton? How to translate from LTL to an automaton?

Intersecting M 1 =(S 1, ,T 1,I 1,A 1 ) and M 2 =(S 2, ,T 2,I 2,S 2 ) Run the two automata in parallel. Each state is a pair of states: S 1 x S 2 Initial states are pairs of initials: I 1 x I 2 Acceptance depends on first component: A 1 x S 2 Conforms with transition relation: (x 1,y 1 )-a->(x 2,y 2 ) when x 1 -a->x 2 and y 1 -a->y 2.

Intersection of Büchi Automata: Example q0q0 q2q2 q3q3 q1q1 q 0, q 3 q 1, q 3 q 1, q 2 A/\¬B ¬A ¬A/\B A\/¬B red states are final A/\¬B¬A/\B¬A/\¬B

From Generalized Büchi Automata to Büchi Automata A/\¬B q 0,q 3 ¬A/\¬B q 1,q 3 ¬A/\B q 1,q 2 A/\¬B q 0,q 3 ¬A/\¬B q 1,q 3 ¬A/\B q 1,q 2

From Generalized Büchi Automata to Büchi Automata Level 0 Level 1 A/\¬B q 0,q 3,1 ¬A/\¬B q 1,q 3,1 ¬A/\B q 1,q 2,1 A/\¬B q 0,q 3,0 ¬A/\¬B q 1,q 3,0 ¬A/\B q 1,q 2,0

From Generalized Büchi Automata to Büchi Automata Level 0 Level 1 A/\¬B q 0,q 3,1 ¬A/\¬B q 1,q 3,1 ¬A/\B q 1,q 2,1 A/\¬B q 0,q 3,0 ¬A/\¬B q 1,q 3,0 ¬A/\B q 1,q 2,0

From Generalized Büchi Automata to Büchi Automata Level 0 Level 1 A/\¬B q 0,q 3,1 ¬A/\¬B q 1,q 3,1 ¬A/\B q 1,q 2,1 A/\¬B q 0,q 3,0 ¬A/\¬B q 1,q 3,0 ¬A/\B q 1,q 2,0

From Generalized Büchi Automata to Büchi Automata Level 0 Level 1 A/\¬B q 0,q 3,1 ¬A/\¬B q 1,q 3,1 ¬A/\B q 1,q 2,1 A/\¬B q 0,q 3,0 ¬A/\¬B q 1,q 3,0 ¬A/\B q 1,q 2,0

How to check for emptiness? S0,T0 S0,T1 S1,T1 B B A C A C

Emptiness... Need to check if there exists an accepting run (passes through an accepting state infinitely often).

Finding accepting runs If there is an accepting run, then at least one accepting state repeats on it forever. This state appears on a cycle. So, find a reachable accepting state on a cycle.

Equivalently... A strongly connected component: a set of nodes where each node is reachable by a path from each other node. Find a reachable strongly connected component with an accepting node.

How to complement? Complementation is hard! Can ask for the negated property (the sequences that should never occur). Can translate from LTL formula  to automaton A, and complement A. But: can translate ¬  into an automaton directly!

Model Checking under Fairness Express the fairness as a property φ. To prove a property ψ under fairness, model check φ  ψ. Fair (φ) Bad (¬ψ)Program Counter example

Model Checking under Fairness Specialize model checking. For weak process fairness: search for a reachable strongly connected component, where for each process P either it contains on occurrence of a transition from P, or it contains a state where P is disabled.