1. Model Checking Lecture 3 Tom Henzinger

2. Model-Checking Problem I |= S System modelSystem property

3. -state-transition graph -weak or strong fairness constraints System Model

4. Temporal logics -STL (finite runs) :  ,  U -CTL (infinite runs) :  ,  U,   -LTL (infinite traces) : , U Automata -specification automata (trace containment) -monitor automata (trace emptiness) -simulation automata (relation on finite runs) System Properties

5. Acceptance Conditions -finite automata:  -Buchi automata:  -coBuchi automata:  -Streett automata:  (    ) -Rabin automata:  (    )

6. Response specification automaton :  (a   b) assuming (a  b) = false a bb b aa s1s1 s2s2 s3s3 s0s0 Buchi condition { s 0, s 3 }

7. Response monitor automaton :  (a   b) assuming (a  b) = false a bb s1s1 s2s2 Buchi condition { s 2 } s0s0 true

8. a aa s0s0 s1s1 Buchi condition { s 0 } No coBuchi condition  a Streett condition { ({s 0,s 1 }, {s 0 }) } Rabin condition { ( , {s 0 }) }

9. a aa s0s0 s1s1 No Buchi condition coBuchi condition { s 0 }  a Streett condition { ({s 1 },  ) } Rabin condition { ({s 1 }, {s 0,s 1 }) }

10. a aa s0s0 s1s1 Buchi condition { s 2 }  a a s2s2

11. -Buchi and coBuchi automata cannot be determinized -Streett and Rabin automata can be determinized nondeterministic Buchi = deterministic Streett = deterministic Rabin = nondeterministic Streett = nondeterministic Rabin = omega-regular [Buchi 1960]

12. Omega-automata are strictly more expressive than LTL Omega-automata:omega-regular languages LTL: counter-free omega-regular languages 

13. Omega-automata:omega-regular languages = second-order theory of monadic predicates & successor = omega-regular expressions LTL: counter-free omega-regular languages = first-order theory of monadic predicates & successor = star-free omega-regular expressions 

14. Structure of the Omega-Regular Languages Streett = Rabin Buchi coBuchi FinitecoFinite

15. Structure of the Counter-free Omega-Regular Languages    finite boolean combinations of  and 

16. The location of a linear-time property in the Borel hierarchy indicates how hard (theoretically as well as conceptually) the corresponding model-checking problem is.

17.    finite boolean combinations of  and  safety weak fair strong fair response

18. Model-Checking Algorithms = Graph Algorithms

19. 1Safety: -solve: STL (  U model checking), finite monitors (  emptiness) -algorithm: reachability (linear) 2Response under weak fairness: -solve: weakly fair CTL (   model checking), Buchi monitors (  emptiness) -algorithm: strongly connected components (linear) 3Liveness: -solve: strongly fair CTL, Streett monitors (  (    ) emptiness) -algorithm: recursively nested SCCs (quadratic)

20. From specification automata to monitor automata: determinization (exponential) + complementation (easy) Simulation automata: preorder refinement (quadratic) From LTL to monitor automata: complementation (easy) + tableau construction (exponential)

21. Five Algorithms 1Reachability 2Strongly connected components 3Recursively nested SCCs 4Tableau construction 5Preorder refinement 6Streett determinization

22. Finite Emptiness Given: finite automaton (S, S 0, , , FA) Find: is there a path from a state in S 0 to a state in FA ? Solution: depth-first or breadth-first search

23. Application 1:STL model checking Application 2:finite monitors

24. Buchi Emptiness Given: Buchi automaton (S, S 0, , , BA) Find: is there an infinite path from a state in S 0 that visits some state in BA infinitely often ? Solution: 1. Compute SCC graph by depth-first search 2. Mark SCC C as fair iff C  BA   3. Check if some fair SCC is reachable from S 0

25. Application 1:CTL model checking over weakly-fair transition graphs (note: really need multiBuchi) Application 2:Buchi monitors

26. Streett Emptiness Given: Streett automaton (S, S 0, , , SA) Find: is there an infinite path from a state in S 0 that satisfies all Streett conditions (l,r) in SA ? Solution: check if S 0  RecSCC (S, , SA)  

27. function RecSCC (S, , SA) : X :=  for each C  SCC (S,  ) do F :=  if  C   then for each (l,r)  SA do if C  r   then F := F  (l,r) else C := C \ l if F = SA then X := X  pre * (C) else X := X  RecSCC (C,  C, F) return X

28. Complexity n number of states m number of transitions snumber of Streett pairs Reachability:O(n+m) SCC:O(n+m) RecSCC:O((n+m) · s 2 )

29. Application 1:CTL model checking over strongly-fair transition graphs Application 2:Streett monitors

30. Tableau Construction Given: LTL formula  Find: Buchi automaton M  such that L(M  ) = L(  ) [Fischer & Ladner 1975; Manna & Wolper 1982]

31. Fischer-Ladner Closure of a Formula Sub (a)= { a } Sub (  )={  }  Sub (  )  Sub (  ) Sub (  )={  }  Sub (  ) Sub (   )={   }  Sub (  ) Sub (  U  )={  U ,  (  U  ) }  Sub (  )  Sub (  ) | Sub (  ) | = O(|  |)

32. s  Sub (  ) is consistent iff -if (  )  Sub (  ) then (  )  s iff   s and   s -if (  )  Sub (  ) then (  )  s iff   s -if (  U  )  Sub (  ) then (  U  )  s iff either   s or   s and  (  U  )  s

33. Tableau M  = (S, S 0, , , BA) S...set of consistent subsets of Sub (  ) s  S 0 iff   s s  t iff for all (   )  Sub (  ), (   )  s iff   t  (s)... conjunction of atomic observations in s and negated atomic observations not in s For each (  U  )  Sub (  ), BA contains { s |   s or (  U  )  s }

34. Size of M  is O(2 |  | ). CTL model checking:linear / quadratic LTL model checking:PSPACE-complete

35. Preorder Refinement Given: state-transition graph (Q, , A, [ ] ) Find: for each state q  Q, the set sim(q)  Q of states that simulate q [ Bloom & Paige; H, H, & Kopke 1995 ]

36. for each t  Q do sim(t) := { u  Q | [u] = [t] } while there are three states s, t, u such that t  s & u  sim(t) & sim(s)  post(u) =  do sim(t) := sim(t) \ {u} {assert if u simulates t, then u  sim(t) }