CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Example Tableau Construction  = Eventually e & Next ~ e Sub(  )={e, ~e, N ~e, E e, N E e, E e & N ~e} Tableau states: q0 = { e, N ~e, N E e, E e, E e & N ~e } q1 = { e, N E e, E e } q2 = { e, N ~e, E e, E e & N ~e } q3 = { e, E e } q4 = { ~e, N ~e, N E e, E e, E e & N ~e } q5 = { ~e, N E e, E e } q6 = { ~e, N ~e } q7 = { ~e } Transitions from q0: q0 – e  q4 q0 – e  q5 Transitions from q1: q1 – e  q0 q1 – e  q1 q1 – e  q2 q1 – e  q3 Transitions from q6: q6 - ~e  q6 q6 - ~e  q7 Initial states = { q0, q2, q4 } Accepting set F1 = { q0, q1, q2, q3, q6, q7 } CIS 540 Spring 2015; Lecture March 25

Tableau Construction: Acceptance  For a subformula “Eventually  ” whenever “Eventually  “ appears is in a state either  or “Next Eventually  “ (or both) are included  If a state include “Eventually  “ but not , each successor state is guaranteed to include “Eventually  “, but we need to ensure that satisfaction of  is not postponed forever  Define F to be the set tableau states that either include  or exclude Eventually   Accepting condition: Repeatedly F  Similarly, for a subformula “Always  ”, define F’ to be the set that either include Always  or exclude , state in F’ is required to appear repeatedly on an accepting run CIS 540 Spring 2015; Lecture March 25

Handling Acceptance  In general, if there are multiple temporal formulas, then acceptance condition should ensure that each is satisfied  Generalized Buchi automaton: Modest syntactic generalization  Automaton M has k accepting sets F 1, F 2, … F k  An execution is accepting if for each j, some state in F j appears repeatedly Repeatedly F 1 & Repeatedly F 2 & … & Repeatedly F k  It is possible to “compile” a generalized Buchi automaton to a standard Buchi automaton  It is also possible to adapt cycle-detection algorithms to handle multiple accepting sets CIS 540 Spring 2015; Lecture March 25

Tableau Construction: Summary  Correctness claim: A trace over V satisfies the given LTL formula  if and only if it is accepted by the Generalized Buchi Automaton M   Complexity: Size of M  is 2 l, where l is the size of , such a blow-up is unavoidable  Practical implementations with a number of optimizations exist CIS 540 Spring 2015; Lecture March 25

Reachability Problem for Transition Systems Transition System T Property  Yes/Counter- example no Verifier Is  reachable?  Is there a (finite) execution from an initial state to a state satisfying   Checking whether  is an invariant of T => Checking if ~  is reachable  Verification techniques 1.Proof-based: Inductive invariants 2.Enumerative on-the-fly search (not covered, see notes) 3.Symbolic search based on iterative image computation CIS 540 Spring 2015; Lecture March 25

Repeatable Property for Transition Systems Transition System = States, Initial states, Transitions Property  : Subset of states Property  is repeatable if there exists an infinite execution that satisfies Repeatedly  Is there a state s such that 1. s is reachable 2. s satisfies  3. there is a cycle containing s CIS 540 Spring 2015; Lecture March 25

Repeatability Problem for Transition Systems Transition System T Property  Yes/Counter- example no Verifier Is  repeatable?  Is there an infinite execution along which states satisfying  appear repeatedly?  To check whether a system C satisfies an LTL formula , check if Mode is Accepting is repeatable in composition of C and Buchi monitor M ~   Verification techniques 1.Proof-based: Ranking functions (Sec 5.3, not covered) 2.Enumerative: Nested Depth-first Search (not covered, see 5.2.3) 3.Symbolic search CIS 540 Spring 2015; Lecture March 25

Recap: Symbolic Transition Systems  Region over variables X is a data structure that represents a set of states assigning values to X  Transition system T with state variables S represented by  Region  I over S for initial states  Region  T over S U S’ for transitions  Symbolic representation can be compiled automatically from code for updating variables CIS 540 Spring 2015; Lecture March 25

Towards Symbolic Algorithm Init Find states that are reachable and satisfy the property  Property  Find set of reachable states using symbolic reachability algorithm, and intersect it with  CIS 540 Spring 2015; Lecture March 25

Symbolic Image Computation  Core problem in symbolic search: Compute the post-image (i.e. the set of successors) of states in a given region  Given:  A of type reg over state variables S  Trans of type reg over S U S’  Post(A, Trans) = Rename(Exists(Conj(A,Trans),S), S’, S) 1.Take conjunction of A and Trans 2.Project out the variables in S using existential quantification 3.Rename primed variables to get a region over S CIS 540 Spring 2015; Lecture March 25

Symbolic BFS Algorithm Given region Init over S and region Trans over S U S’, compute the region representing all reachable states reg Reach := Empty; /* States found reachable */ reg New := Init; /* States not yet explored for outgoing transitions */ while IsEmpty(New) = 0 { /* while there are states to be explored */ Reach := Disj(Reach,New); /* add new states to reachable states */ New := Diff(Post(New,Trans),Reach); /*These are states in post-image of New, but not previously found reachable, so to be explored */ }; First phase of Symbolic Repeatability Check involves computing Reach CIS 540 Spring 2015; Lecture March 25

Symbolic Repeatability Check Recur0 = Reachable &  Property  Find states s in Recur0 such that from s there is a path with 1 or more transitions to some state in Recur0 Recur1 = Reachable &  & Next Eventually  Repeat to get Recur2 from Recur1 Recur2 = Reachable &  & Next Eventually (  & Next Eventually  ) Repeat to get Recur i+1 from Recur i CIS 540 Spring 2015; Lecture March 25

Symbolic Repeatability Check What can we conclude if Recur i+1 = Recur i What can we conclude if Recur i+1 is empty CIS 540 Spring 2015; Lecture March 25

Symbolic Repeatability Check  Key step: Given a region A, find the sub-region { s in A | there exists t in A that is reachable from s in >=1 transitions}  Recall: To compute states reachable from Init, we repeatedly apply Post-image operator  Symmetrically, to find from which states A is reachable, we can repeatedly apply pre-image operator  To get desired result, intersect this set with A CIS 540 Spring 2015; Lecture March 25

Symbolic Pre-Image Computation  Pre-image of a region A = Set of predecessors of states in A Pre(A,Trans) = { s | there exists a state t in A s.t. s  t is a transition}  Given:  A of type reg over state variables S  Trans of type reg over S U S’  Pre(A, Trans) = Exists(Conj(Rename(A,S,S’),Trans),S’) 1.Rename variables in A to primed copies to get a region over S’ 2.Take conjunction of the result with Trans (this captures the set of transitions whose target states belong to A) 3.Project out the variables in S’ using existential quantification CIS 540 Spring 2015; Lecture March 25

Symbolic Repeatability Algorithm Phase 1: Compute Reach as shown before reg Recur := Conj(Reach,  ); /* Potential candidate states for cycle */ while IsEmpty(Recur) = 0 { /* while there are potential candidates */ /* Compute from which states Recur is reachable */ Reach := Empty; New := Pre(Recur, Trans); /*Ensure at least one transition */ While IsEmpty(New)=0 { Reach := Disj(Reach,New); if IsSubset(Recur,Reach)=1 then return 1; /*Recur won’t change; Property repeatable */ New := Diff(Pre(New,Trans),Reach); }; Recur := Conj(Recur, Reach); /* Subset from which Recur is reachable }; return 0. /* No execution with property repeating */ CIS 540 Spring 2015; Lecture March 25

Example ABDCEF CIS 540 Spring 2015; Lecture March 25 H

Analysis of Symbolic Repeatability  Correctness (1): If there is a reachable state s that satisfies , and there is an infinite execution starting in s satisfying Repeatedly , then s will always stay in Recur (and thus, Recur cannot get empty)  Correctness (2): If inner loop finds that from every state in Recur, some state in Recur is reachable with >=1 transitions, then indeed there is an infinite execution satisfying Repeatedly   Algorithm is sound: cannot give wrong answers  If transition system has n reachable states of which k satisfy , then algorithm terminates with O(nk) region operations  In practice, depends on how effective is data structure for regions CIS 540 Spring 2015; Lecture March 25

Logistics  Homework 4: Due next Wednesday, April 1  Exercises 5.4, 5.5, 5.9, 5.10, 5.15  Recitation on Friday for problems in Chapter 5  Next week: Dynamical systems  Project description will be available next week CIS 540 Spring 2015; Lecture March 25