CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Buchi Automaton M Definition  V: set of Boolean input variables  Finite set Q of states  Set Init of initial states  Set F of accepting states  Set of edges/transitions, where each edge is of the form q –Guard  q’ where Guard is a Boolean-valued condition over input vars V  Given an input trace  = v 1, v 2, v 3, … over V, an accepting run/execution of M over  is an infinite sequence of states q 0, q 1, q 2, … such that 1.State q 0 is initial 2.For each i, there exists an edge q i -Guard  q i+1 such that input v i satisfies Guard 3.There are infinitely many positions i such that state q i is in F  The automaton M accepts the input trace  if there exists an accepting run of M over  CIS 540 Spring 2015; Lecture March 23

Buchi Automata Examples a e c b f Eventually [e & Next Eventually f] Eventually e | Eventually f a e c f b CIS 540 Spring 2015; Lecture March 23

Nondeterministic Buchi Automaton e Persistently e Can we construct an equivalent deterministic Buchi automaton ? No! Nondeterminism is sometimes necessary! CIS 540 Spring 2015; Lecture March 23

Omega-Regular Languages  The language of a Buchi automaton is the set of traces it accepts  Such languages are called omega-regular  Well-developed theory of omega-regular languages  Analogous the classical theory of regular languages (i.e. languages of finite strings of input characters accepted by finite automata)  Relevance to us: Given an LTL formula , there is an algorithm to construct a Buchi automaton M  that accepts exactly those traces that satisfy the formula  CIS 540 Spring 2015; Lecture March 23

System Safety Monitors Monitor Is there an execution of the System for which the Monitor can enter an error state? Monitor is designed so that such an execution indicates a bug! Verification => Reachability Check if error state is reachable in composition of System and Monitor CIS 540 Spring 2015; Lecture March 23

System Buchi Monitors Is there an infinite execution of the System which is accepted by M? that is, an execution in which some error state appears repeatedly? Monitor is designed so that such an execution indicates a bug! Verification => Search for cycles Check if there is a reachable cycle containing an error state in the composition of System and Monitor Buchi Monitor M CIS 540 Spring 2015; Lecture March 23

RailRoadController Example Buchi Monitor Correctness requirement: Always (West train waiting  Eventually West signal is green) Buchi Monitor M signal W mode W Violation of requirement: Infinite execution where, at some step, west train is waiting and in all subsequent times west signal is red signal W = red mode W = wait Verification => Search for reachable cycle containing red monitor state in the composite system CIS 540 Spring 2015; Lecture March 23

From LTL to Buchi Automata LTL Formula  Buchi Automaton M  Tableau Construction Automaton M  accepts exactly those traces that satisfy formula  To check if a system C satisfies the LTL correctness requirement   Construct the Buchi automaton M ~  corresponding to negated spec  Search for cycles in composition of C and M ~  CIS 540 Spring 2015; Lecture March 23

Tableau Construction Example A e & E f Consider Always e & Eventually f: A e & E f A state is a collection of formulas that must be satisfied Initial state contains given formula A e E f Formulas in a state must be consistent with rules of logical connectives: for example, if a state has  & , then it must have both  and  CIS 540 Spring 2015; Lecture March 23

Tableau Construction Example A e & E f Consider Always e & Eventually f: A e & E f If a state has Always , it must have both  and Next Always  A eE fe, N A e If a state has Eventually , it must have either  or Next Eventually  ; this leads to 3 cases f A e & E f A e, e, N A e, E f, N E f A e & E f A e, e, N A e, E f, N E f, f CIS 540 Spring 2015; Lecture March 23

Tableau Construction Example Consider Always e & Eventually f: A e & E f Transition Rules: If a state contains input var e, then e must hold on outgoing transitions If a state contains Next  then target of transition must contain  A e & E f A e, e, E f, N A e, N E f A e & E f A e, e, E f, N A e, N E f, f A e & E f A e, e, E f, N A e, f A e, e, N A e e & f e e e e CIS 540 Spring 2015; Lecture March 23

Tableau Construction Example Consider Always e & Eventually f: A e & E f Acceptance condition: Satisfaction of eventuality should not be postponed forever Accepting states: States that either contain f or do not contain E f A e & E f A e, e, E f, N A e, N E f A e & E f A e, e, E f, N A e, N E f, f A e & E f A e, e, E f, N A e, f A e, e, N A e e & f e e e e CIS 540 Spring 2015; Lecture March 23

Tableau Construction Example Consider Always e & Eventually f Indeed this is a correct Buchi automaton for the given formula! e & f e e e e CIS 540 Spring 2015; Lecture March 23

Tableau Construction Overview e & ~f , , N , N , e, ~f, … , , N , f, … , , e, … Automaton/tableau state: Collection of “relevant” LTL formulas Intended meaning: All the formulas in a state must hold on every infinite path starting at a state Local consistency rules ensure that for every “non-atomic” formula , the state contains additional formulas ensuring that  holds Transition rules ensure that (1) every atomic formula holds at current time, and (2) all Next-formulas are propagated to next state CIS 540 Spring 2015; Lecture March 23

Formal Construction  Given an LTL-formula , define Sub(  ), called the closure of formula  These are all the formulas that are relevant to evaluation of   Contains all the syntactic subformulas of   If it contains Always , should also contain Next Always   If it contains Eventually , should also contain Next Eventually   If it contains  U , should also contain Next (  U  )  What is Sub( Always Eventually e & Next f) { Always Eventually e & Next f, Always Eventually e, Next f, f, Eventually e, Next Always Eventually e, e, Next Eventually e }  Note: Number of formulas in Sub(  ) is linear in length of  CIS 540 Spring 2015; Lecture March 23

Tableau States  A state of the desired automaton is a subset of Sub(  ) that satisfies some consistency rules  Should not contain both a formula  and its negation   Contains  &  exactly when it contains both  and   Contains  |  exactly when it contains at least one of  and   If it contains Always  then must have both  and Next Always   If it contains Eventually  then must have at least one of  and Next Eventually   If it contains  U  then must have  or both  and Next (  U  )  Note: Number of possible states is exponential in size of  CIS 540 Spring 2015; Lecture March 23

Example Construction  Formula  = Eventually e & Next ~e Sub(  ) = { E e & N ~e, E e, N ~e, ~e, e, N E e }  Tableau states: q0 = { e, N ~e, N E e, E e, E e & N ~e } q1 = { e, N E e, E e } q2 = { e, N ~e, E e, E e & N ~e } q3 = { e, E e } q4 = { ~e, N ~e, N E e, E e, E e & N ~e } q5 = { ~e, N E e, E e } q6 = { ~e, N ~e } q7 = { ~e } CIS 540 Spring 2015; Lecture March 23

Tableau Construction Continued  Input variables V: Boolean valued base formulas appearing in   States: Consistent subsets of Sub(  )  Initial states: States that contain the formula   Transitions: q –Guard  q’ is a transition provided  Next  is in q exactly when  is in q’  If a base formula e is in q, then e is a conjunct in Guard, else ~e is a conjunct in Guard CIS 540 Spring 2015; Lecture March 23

Example Construction Continued  Formula  = Eventually e & Next ~ e  Tableau states: q0 = { e, N ~e, N E e, E e, E e & N ~e } q1 = { e, N E e, E e } q2 = { e, N ~e, E e, E e & N ~e } q3 = { e, E e } q4 = { ~e, N ~e, N E e, E e, E e & N ~e } q5 = { ~e, N E e, E e } q6 = { ~e, N ~e } q7 = { ~e } CIS 540 Spring 2015; Lecture March 23 Transitions from q0: q0 – e  q4 q0 – e  q5 Transitions from q1: q1 – e  q0 q1 – e  q1 q1 – e  q2 q1 – e  q3 Transitions from q6: q6 - ~e  q6 q6 - ~e  q7

Tableau Construction: Acceptance  For a subformula “Eventually  ”, need to ensure that satisfaction of  is not postponed forever  Define F to be the set tableau states that either include  or exclude Eventually   Accepting condition: Repeatedly F  Similarly, for a subformula “Always  ”, define F’ to be the set that either include Always  or exclude , state in F’ is required to appear repeatedly on an accepting run CIS 540 Spring 2015; Lecture March 23

Example Construction Continued  Formula  = Eventually e & Next ~ e  Tableau states: q0 = { e, N ~e, N E e, E e, E e & N ~e } q1 = { e, N E e, E e } q2 = { e, N ~e, E e, E e & N ~e } q3 = { e, E e } q4 = { ~e, N ~e, N E e, E e, E e & N ~e } q5 = { ~e, N E e, E e } q6 = { ~e, N ~e } q7 = { ~e } CIS 540 Spring 2015; Lecture March 23 Transitions from q0: q0 – e  q4 q0 – e  q5 Transitions from q1: q1 – e  q0 q1 – e  q1 q1 – e  q2 q1 – e  q3 Transitions from q6: q6 - ~e  q6 q6 - ~e  q7 Accepting states = { q0, q1, q2, q3, q6, q7 }