Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

Published byScot Mitchell Edwards Modified over 9 years ago

Similar presentations

Presentation on theme: "CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur"— Presentation transcript:

1 CIS 540 Principles of Embedded Computation Spring 2015 http://www.seas.upenn.edu/~cis540/ Instructor: Rajeev Alur alur@cis.upenn.edu

2 Buchi Automaton M Definition  V: set of Boolean input variables  Finite set Q of states  Set Init of initial states  Set F of accepting states  Set of edges/transitions, where each edge is of the form q –Guard  q’ where Guard is a Boolean-valued condition over input vars V  Given an input trace  = v 1, v 2, v 3, … over V, an accepting run/execution of M over  is an infinite sequence of states q 0, q 1, q 2, … such that 1.State q 0 is initial 2.For each i, there exists an edge q i -Guard  q i+1 such that input v i satisfies Guard 3.There are infinitely many positions i such that state q i is in F  The automaton M accepts the input trace  if there exists an accepting run of M over  CIS 540 Spring 2015; Lecture March 23

3 Buchi Automata Examples a e c b f Eventually [e & Next Eventually f] Eventually e | Eventually f a e c f b CIS 540 Spring 2015; Lecture March 23

4 Nondeterministic Buchi Automaton e Persistently e Can we construct an equivalent deterministic Buchi automaton ? No! Nondeterminism is sometimes necessary! CIS 540 Spring 2015; Lecture March 23

5 Omega-Regular Languages  The language of a Buchi automaton is the set of traces it accepts  Such languages are called omega-regular  Well-developed theory of omega-regular languages  Analogous the classical theory of regular languages (i.e. languages of finite strings of input characters accepted by finite automata)  Relevance to us: Given an LTL formula , there is an algorithm to construct a Buchi automaton M  that accepts exactly those traces that satisfy the formula  CIS 540 Spring 2015; Lecture March 23

6 System Safety Monitors Monitor Is there an execution of the System for which the Monitor can enter an error state? Monitor is designed so that such an execution indicates a bug! Verification => Reachability Check if error state is reachable in composition of System and Monitor CIS 540 Spring 2015; Lecture March 23

7 System Buchi Monitors Is there an infinite execution of the System which is accepted by M? that is, an execution in which some error state appears repeatedly? Monitor is designed so that such an execution indicates a bug! Verification => Search for cycles Check if there is a reachable cycle containing an error state in the composition of System and Monitor Buchi Monitor M CIS 540 Spring 2015; Lecture March 23

8 RailRoadController Example Buchi Monitor Correctness requirement: Always (West train waiting  Eventually West signal is green) Buchi Monitor M signal W mode W Violation of requirement: Infinite execution where, at some step, west train is waiting and in all subsequent times west signal is red signal W = red mode W = wait Verification => Search for reachable cycle containing red monitor state in the composite system CIS 540 Spring 2015; Lecture March 23

9 From LTL to Buchi Automata LTL Formula  Buchi Automaton M  Tableau Construction Automaton M  accepts exactly those traces that satisfy formula  To check if a system C satisfies the LTL correctness requirement   Construct the Buchi automaton M ~  corresponding to negated spec  Search for cycles in composition of C and M ~  CIS 540 Spring 2015; Lecture March 23

10 Tableau Construction Example A e & E f Consider Always e & Eventually f: A e & E f A state is a collection of formulas that must be satisfied Initial state contains given formula A e E f Formulas in a state must be consistent with rules of logical connectives: for example, if a state has  & , then it must have both  and  CIS 540 Spring 2015; Lecture March 23

11 Tableau Construction Example A e & E f Consider Always e & Eventually f: A e & E f If a state has Always , it must have both  and Next Always  A eE fe, N A e If a state has Eventually , it must have either  or Next Eventually  ; this leads to 3 cases f A e & E f A e, e, N A e, E f, N E f A e & E f A e, e, N A e, E f, N E f, f CIS 540 Spring 2015; Lecture March 23

12 Tableau Construction Example Consider Always e & Eventually f: A e & E f Transition Rules: If a state contains input var e, then e must hold on outgoing transitions If a state contains Next  then target of transition must contain  A e & E f A e, e, E f, N A e, N E f A e & E f A e, e, E f, N A e, N E f, f A e & E f A e, e, E f, N A e, f A e, e, N A e e & f e e e e CIS 540 Spring 2015; Lecture March 23

13 Tableau Construction Example Consider Always e & Eventually f: A e & E f Acceptance condition: Satisfaction of eventuality should not be postponed forever Accepting states: States that either contain f or do not contain E f A e & E f A e, e, E f, N A e, N E f A e & E f A e, e, E f, N A e, N E f, f A e & E f A e, e, E f, N A e, f A e, e, N A e e & f e e e e CIS 540 Spring 2015; Lecture March 23

14 Tableau Construction Example Consider Always e & Eventually f Indeed this is a correct Buchi automaton for the given formula! e & f e e e e CIS 540 Spring 2015; Lecture March 23

15 Tableau Construction Overview e & ~f , , N , N , e, ~f, … , , N , f, … , , e, … Automaton/tableau state: Collection of “relevant” LTL formulas Intended meaning: All the formulas in a state must hold on every infinite path starting at a state Local consistency rules ensure that for every “non-atomic” formula , the state contains additional formulas ensuring that  holds Transition rules ensure that (1) every atomic formula holds at current time, and (2) all Next-formulas are propagated to next state CIS 540 Spring 2015; Lecture March 23

16 Formal Construction  Given an LTL-formula , define Sub(  ), called the closure of formula  These are all the formulas that are relevant to evaluation of   Contains all the syntactic subformulas of   If it contains Always , should also contain Next Always   If it contains Eventually , should also contain Next Eventually   If it contains  U , should also contain Next (  U  )  What is Sub( Always Eventually e & Next f) { Always Eventually e & Next f, Always Eventually e, Next f, f, Eventually e, Next Always Eventually e, e, Next Eventually e }  Note: Number of formulas in Sub(  ) is linear in length of  CIS 540 Spring 2015; Lecture March 23

17 Tableau States  A state of the desired automaton is a subset of Sub(  ) that satisfies some consistency rules  Should not contain both a formula  and its negation   Contains  &  exactly when it contains both  and   Contains  |  exactly when it contains at least one of  and   If it contains Always  then must have both  and Next Always   If it contains Eventually  then must have at least one of  and Next Eventually   If it contains  U  then must have  or both  and Next (  U  )  Note: Number of possible states is exponential in size of  CIS 540 Spring 2015; Lecture March 23

18 Example Construction  Formula  = Eventually e & Next ~e Sub(  ) = { E e & N ~e, E e, N ~e, ~e, e, N E e }  Tableau states: q0 = { e, N ~e, N E e, E e, E e & N ~e } q1 = { e, N E e, E e } q2 = { e, N ~e, E e, E e & N ~e } q3 = { e, E e } q4 = { ~e, N ~e, N E e, E e, E e & N ~e } q5 = { ~e, N E e, E e } q6 = { ~e, N ~e } q7 = { ~e } CIS 540 Spring 2015; Lecture March 23

19 Tableau Construction Continued  Input variables V: Boolean valued base formulas appearing in   States: Consistent subsets of Sub(  )  Initial states: States that contain the formula   Transitions: q –Guard  q’ is a transition provided  Next  is in q exactly when  is in q’  If a base formula e is in q, then e is a conjunct in Guard, else ~e is a conjunct in Guard CIS 540 Spring 2015; Lecture March 23

20 Example Construction Continued  Formula  = Eventually e & Next ~ e  Tableau states: q0 = { e, N ~e, N E e, E e, E e & N ~e } q1 = { e, N E e, E e } q2 = { e, N ~e, E e, E e & N ~e } q3 = { e, E e } q4 = { ~e, N ~e, N E e, E e, E e & N ~e } q5 = { ~e, N E e, E e } q6 = { ~e, N ~e } q7 = { ~e } CIS 540 Spring 2015; Lecture March 23 Transitions from q0: q0 – e  q4 q0 – e  q5 Transitions from q1: q1 – e  q0 q1 – e  q1 q1 – e  q2 q1 – e  q3 Transitions from q6: q6 - ~e  q6 q6 - ~e  q7

21 Tableau Construction: Acceptance  For a subformula “Eventually  ”, need to ensure that satisfaction of  is not postponed forever  Define F to be the set tableau states that either include  or exclude Eventually   Accepting condition: Repeatedly F  Similarly, for a subformula “Always  ”, define F’ to be the set that either include Always  or exclude , state in F’ is required to appear repeatedly on an accepting run CIS 540 Spring 2015; Lecture March 23

22 Example Construction Continued  Formula  = Eventually e & Next ~ e  Tableau states: q0 = { e, N ~e, N E e, E e, E e & N ~e } q1 = { e, N E e, E e } q2 = { e, N ~e, E e, E e & N ~e } q3 = { e, E e } q4 = { ~e, N ~e, N E e, E e, E e & N ~e } q5 = { ~e, N E e, E e } q6 = { ~e, N ~e } q7 = { ~e } CIS 540 Spring 2015; Lecture March 23 Transitions from q0: q0 – e  q4 q0 – e  q5 Transitions from q1: q1 – e  q0 q1 – e  q1 q1 – e  q2 q1 – e  q3 Transitions from q6: q6 - ~e  q6 q6 - ~e  q7 Accepting states = { q0, q1, q2, q3, q6, q7 }

Download ppt "CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur"

Similar presentations

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
Timed Automata.

Timed Automata.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
Introduction to Computability Theory

Introduction to Computability Theory
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.
CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.

CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.
Discrete Abstractions of Hybrid Systems Rajeev Alur, Thomas A. Henzinger, Gerardo Lafferriere and George J. Pappas.

Discrete Abstractions of Hybrid Systems Rajeev Alur, Thomas A. Henzinger, Gerardo Lafferriere and George J. Pappas.
Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.

Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.
Lecture 3 Goals: Formal definition of NFA, acceptance of a string by an NFA, computation tree associated with a string. Algorithm to convert an NFA to.

Lecture 3 Goals: Formal definition of NFA, acceptance of a string by an NFA, computation tree associated with a string. Algorithm to convert an NFA to.
Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.

Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.

Similar presentations

Ads by Google