1 \documentclass[9pt]{beamer}
5 \usecolortheme{dolphin}
6 %\usecolortheme{seagull}
8 \usepackage{amsmath, amsthm, amssymb, amsfonts, verbatim}
14 \usetikzlibrary{automata}
15 \usepackage{subfigure}
17 \renewcommand{\emph}{\textit}
18 \renewcommand{\em}{\it}
20 \newcommand{\cross}{\ding{55}}
21 \newcommand{\M}{\mathcal{M}}
22 \newcommand{\N}{\mathbb{N}_0}
23 \newcommand{\F}{\mathcal{F}}
24 \newcommand{\Fs}{\mathbb{F}}
25 \newcommand{\Prop}{\mathcal{P}}
26 \newcommand{\A}{\mathcal{A}}
27 \newcommand{\X}{\mathcal{X}}
28 \newcommand{\U}{\mathcal{U}}
29 \newcommand{\V}{\mathcal{V}}
30 \newcommand{\dnf}{\mathsf{dnf}}
31 \newcommand{\consq}{\mathsf{consq}}
33 \theoremstyle{definition} %plain, definition, remark, proof, corollary
34 \newtheorem*{def:finite words}{Finite words}
35 \newtheorem*{def:infinite words}{Infinite words}
36 \newtheorem*{def:regular languages}{Regular languages}
37 \newtheorem*{def:regular languages closure}{Regular closure}
38 \newtheorem*{def:omega regular languages}{$\omega$-regular languages}
39 \newtheorem*{def:omega regular languages closure}{$\omega$-regular closure}
40 \newtheorem*{def:buechi automata}{Automaton}
41 \newtheorem*{def:automata runs}{Run}
42 \newtheorem*{def:inf}{Infinite occurrences}
43 \newtheorem*{def:automata acceptance}{Acceptance}
44 \newtheorem*{def:automata language}{Recognised language}
45 \newtheorem*{def:general automata}{Generalised automaton}
46 \newtheorem*{def:general acceptance}{Acceptance}
47 \newtheorem*{def:syntax}{Syntax}
50 \newtheorem*{def:vocabulary}{Vocabulary}
51 \newtheorem*{def:frames}{Frame}
52 \newtheorem*{def:models}{Model}
53 \newtheorem*{def:satisfiability}{Satisfiability}
54 \newtheorem*{def:fs closure}{Closure}
55 \newtheorem*{def:atoms}{Atoms}
56 \newtheorem*{def:rep function}{Representation function}
57 \newtheorem*{def:next}{Next function}
58 \newtheorem*{def:dnf}{Disjunctive normal form}
59 \newtheorem*{def:positive formulae}{Positive formulae}
60 \newtheorem*{def:consq}{Logical consequences}
61 \newtheorem*{def:partial automata}{Partial automata}
64 \newtheorem{prop:vocabulary sat}{Proposition}[section]
65 \newtheorem{prop:general equiv}{Proposition}[section]
66 \newtheorem{prop:computation set=language}{Proposition}[section]
69 \newtheorem{thm:model language}{Theorem}[section]
70 \newtheorem{cor:mod=model language}{Corollary}[thm:model language]
71 \newtheorem{cor:mod=program language}[cor:mod=model language]{Corollary}
72 \newtheorem{thm:model checking}{Theorem}[section]
73 \newtheorem{lem:dnf}{Lemma}[section]
74 \newtheorem{lem:consq}[lem:dnf]{Lemma}
76 \title[Algorithmic Verification]{Algorithmic Verification of Reactive Systems}
78 \institute[University of Freiburg]
80 Research Group for Foundations in Artificial Intelligence\\
81 Computer Science Department\\
82 University of Freiburg
84 \date[SS 2011]{Seminar: Automata Constructions in Model Checking}
85 \subject{Model Checking}
91 \frametitle{Motivation}
92 \framesubtitle{Model Checking 1/2}
94 %\only<1>{\colorbox{black}{\makebox(35,10){\color{white} $\M \models \varphi$}}}
95 \[\M \models \varphi\]
100 \frametitle{Motivation}
101 \framesubtitle{Model Checking 2/2}
103 Given a program $P$ and specification $\varphi$:\\
104 \colorbox{black}{\makebox(150,10){\color{white} does every run of $P$ satisfy $\varphi$?}}
109 \frametitle{Motivation}
110 \framesubtitle{Industry}
113 \subfigure{\includegraphics[width=70pt,height=50pt]{images/intel.jpg}}
114 \subfigure{\includegraphics[width=70pt,height=50pt]{images/airbag.jpg}}
115 \subfigure{\includegraphics[width=70pt,height=50pt]{images/atc.jpg}}
120 \setbeamercolor{normal text}{bg=black, fg=white}
121 \setbeamercolor{frametitle}{fg=white!30!black}
122 \usebeamercolor*{normal text}
123 \usebeamercolor*{frametitle}
125 \frametitle{Linear Temporal Logic}
126 \framesubtitle{Natural language 1/2}
129 \visible<2->{``It is \emph{always} dark.''\\}
130 \visible<3->{``It is \emph{currently} dark.''\\}
131 \visible<4->{``It will \emph{necessarily} be dark.''\\}
132 \visible<5->{``It is dark \emph{until} someone puts the light on.''}
138 \frametitle{Linear Temporal Logic}
139 \framesubtitle{Natural language 2/2}
143 \colorbox{black}{\makebox(50,10){It is dark}} \colorbox{orange}{\makebox(30,10){until}} \colorbox{black!30}{\makebox(50,10){there is light}}\\
145 \colorbox{black}{\makebox(50,10){$p_0$}} \colorbox{orange}{\makebox(30,10){$\U$}} \colorbox{black!30}{\makebox(50,10){$p_1$}}}
151 \frametitle{Linear Temporal Logic}
152 \framesubtitle{Syntax}
154 Let $\Prop$ be the countable set of \emph{atomic propositions}, LTL-formulae $\varphi$ are defined using following productions:
155 \[\varphi ::= p \in \Prop \,|\, \neg \varphi \,|\, \varphi \lor \varphi \,|\, \X \varphi \,|\, \varphi \U \varphi\]
157 \item $\neg, \lor$ corresponds to the Boolean \emph{negation} and \emph{disjunction}.
158 \item $\X$ reads \emph{next}.
159 \item $\U$ reads \emph{until}.
165 \frametitle{Linear Temporal Logic}
166 \framesubtitle{Semantics}
168 An LTL-\emph{frame} is a tuple $\F = (S, R)$:
170 \item $S = \{s_i \mid i \in \N\}$ is the set of states.
171 \item $R = \{(s_i, s_{i+1}) \mid i \in \N\}$ is the accessibility relation.
176 An LTL-\emph{model} is a tuple $\M = (\F, V)$:
178 \item $\F$ is a \emph{frame}.
179 \item $V: S \to 2^\Prop$ is a \emph{valuation function}.
180 \item Intuitively we say $p \in \Prop$ is \emph{true} at time instant $i$ iff $p \in V(i)$.
186 \frametitle{Linear Temporal Logic}
187 \framesubtitle{Model Example}
190 \begin{tikzpicture}[shorten >=1pt, node distance=2.5cm, auto, semithick, >=stealth
191 ,accepting/.style={fill, gray!50!black, text=white}]
192 \node[state, initial, initial text=] (s_0) {$\{p_0\}$};
193 \path (s_0) [late options={label=below:$s_0$}];
194 \node[state] (s_1) [right of= s_0] {$\{p_0, p_2\}$};
195 \path (s_1) [late options={label=below:$s_1$}];
196 \node[state] (s_2) [right of= s_1] {$\{p_1\}$};
197 \path (s_2) [late options={label=below:$s_2$}];
198 \node[state] (s_i) [right of= s_2] {$\{p_1\}$};
199 \path (s_i) [late options={label=below:$s_i$}];
201 (s_0) edge node {$R$} (s_1)
202 (s_1) edge node {$R$} (s_2);
204 (s_2) edge node {$R$} (s_i);
210 \frametitle{Linear Temporal Logic}
211 \framesubtitle{Satisfiability}
212 \begin{def:satisfiability}
213 A model $\M = (\F, V)$ \emph{satisfies} a formula $\varphi$ at time instant $i$ is denoted by $\M,i \models \varphi$:
215 \item $\M,i \models p$ for $p \in \Prop \iff p \in V(i)$
216 \item $\M,i \models \neg \varphi \iff$ not $\M,i \models \varphi$
217 \item $\M,i \models \varphi \lor \psi \iff \M,i \models \varphi$ or $\M,i \models \psi$
218 \item $\M,i \models \X \varphi \iff \M,i+1 \models \varphi$
219 \item $\M,i \models \varphi \U \psi \iff \exists{k \geq i}: \M,k \models \psi$ and $\forall{i \leq j < k}: \M,j \models\varphi$
221 \end{def:satisfiability}
225 \frametitle{Reactive Systems}
226 \framesubtitle{Infinite inputs}
229 \setcounter{subfigure}{0}
230 \subfigure[Terminating program]{
231 \begin{tikzpicture}[shorten >=1pt, node distance=1.5cm, semithick, >=stealth
232 ,accepting/.style={fill, gray!50!black, text=white}]
233 \node[state, initial, initial text=$input$] (p) {$P$};
234 \coordinate (b) at (1,0);
235 %\coordinate (b) at ($(a)+1/2*(3,3)$);
236 \draw (p) edge[->] node[right] {$\hspace{8pt}output$} (b);
237 %\draw[->] (p) -- (b);
241 \visible<2>{\subfigure[Reactive program]{
242 \begin{tikzpicture}[shorten >=1pt, node distance=1.5cm, semithick, >=stealth
243 ,accepting/.style={fill, gray!50!black, text=white}]
244 \node[state, initial, initial text=$event$] (p) {$RP$};
245 \coordinate (b) at (1.1,0);
246 %\coordinate (b) at ($(a)+1/2*(3,3)$);
248 (p) edge [loop right] node {$action$} ();
256 \frametitle{Automata}
257 \framesubtitle{Example 1/2}
261 \begin{tikzpicture}[shorten >=1pt, node distance=2cm, auto, semithick, >=stealth
262 %every state/.style={fill, draw=none, gray, text=white},
263 ,accepting/.style={fill, gray!50!black, text=white}
264 %initial/.style ={gray, text=white}]%, thick]
266 \node[state,initial, initial text=] (q_0) {$q_0$};
267 \node[state] (q_1) [above right of= q_0] {$q_1$};
268 \node[state,accepting](q_2) [below right of= q_1] {$q_2$};
270 (q_0) edge node {$a$} (q_1)
271 edge [loop above] node {$b$} ()
272 (q_1) edge node {$b$} (q_2)
273 edge [loop above] node {$a$} ()
274 (q_2) %edge node {$a$} (q_1)
275 edge node {$b$} (q_0);
276 \draw[->] (q_2) .. controls +(up:1cm) and +(right:1cm) .. node[above] {$a$} (q_1);
279 \visible<2-3>{$w_1 = \overline{bbaa} \implies \rho_1 = q_0q_0\overline{q_0q_1q_1q_2}$}\\
280 \visible<3>{$w_2 = bb\overline{ab} \implies \rho_2 = q_0q_0\overline{q_1q_2}$}\\
282 \visible<4>{Accepts all inputs with infinite occurrences of $ab$.}
286 \begin{tikzpicture}[shorten >=1pt, node distance=2cm, auto, semithick, >=stealth
287 %every state/.style={fill, draw=none, gray, text=white},
288 ,accepting/.style={fill, gray!50!black, text=white}
289 %initial/.style ={gray, text=white}]%, thick]
291 \node[state,initial, initial text=] (q_0) {$q_0$};
292 \node[state] (q_1) [above right of= q_0] {$q_1$};
293 \node[state,accepting](q_2) [below right of= q_1] {$q_2$};
296 edge [loop above] node {$b$} ()
298 edge [loop above] node {$a$} ()
299 (q_2) %edge node {$a$} (q_1)
300 edge node {$b$} (q_0);
303 (q_0) edge node {$a$} (q_1)
304 (q_1) edge node {$b$} (q_2);
305 \draw[->] (q_2) .. controls +(up:1cm) and +(right:1cm) .. node[above] {$a$} (q_1);
309 \visible<2->{$w_1 = \overline{\textcolor{green}{b}ba\textcolor{green}{a}} \implies \rho_1 = q_0q_0\overline{q_0q_1q_1\textcolor{green}{q_2}}$}\\
310 \visible<3->{$w_2 = bb\overline{\textcolor{green}{ab}} \implies \rho_2 = q_0q_0\overline{q_1\textcolor{green}{q_2}}$}\\
312 \visible<4>{Accepts all inputs with infinite occurrences of $ab$.}
319 \frametitle{Automata}
320 \framesubtitle{Example 2/2 (Complement)}
326 \begin{tikzpicture}[shorten >=1pt, node distance=2cm, auto, semithick, >=stealth
327 %every state/.style={fill, draw=none, gray, text=white},
328 ,accepting/.style={fill, gray!50!black, text=white}
329 %initial/.style ={gray, text=white}]%, thick]
331 \node[state,initial, initial text=, accepting] (q_0) {$q_0$};
332 \node[state, accepting] (q_1) [above right of= q_0] {$q_1$};
333 \node[state](q_2) [below right of= q_1] {$q_2$};
335 (q_0) edge node {$a$} (q_1)
336 edge [loop above] node {$b$} ()
337 (q_1) edge node {$b$} (q_2)
338 edge [loop above] node {$a$} ()
339 (q_2) %edge node {$a$} (q_1)
340 edge node {$b$} (q_0);
341 \draw[->] (q_2) .. controls +(up:1cm) and +(right:1cm) .. node[above] {$a$} (q_1);
348 \begin{tikzpicture}[shorten >=1pt, node distance=2cm, auto, semithick, >=stealth
349 %every state/.style={fill, draw=none, gray, text=white},
350 ,accepting/.style={fill, gray!50!black, text=white}
351 %initial/.style ={gray, text=white}]%, thick]
353 \node[state,initial, initial text=, accepting] (q_0) {$q_0$};
354 \node[state, accepting] (q_1) [above right of= q_0] {$q_1$};
355 \node[state](q_2) [below right of= q_1] {$q_2$};
358 edge [loop above] node {$b$} ()
360 edge [loop above] node {$a$} ();
363 (q_0) edge node {$a$} (q_1)
364 (q_1) edge node {$b$} (q_2)
365 (q_2) edge node {$b$} (q_0);
366 \draw[->] (q_2) .. controls +(up:1cm) and +(right:1cm) .. node[above] {$a$} (q_1);
367 \end{tikzpicture} \color{red}
371 \only<3->{ \setcounter{subfigure}{0}
372 \subfigure[Complement automaton \cross]
374 \begin{tikzpicture}[shorten >=1pt, node distance=2cm, auto, semithick, >=stealth
375 %every state/.style={fill, draw=none, gray, text=white},
376 ,accepting/.style={fill, gray!50!black, text=white}
377 %initial/.style ={gray, text=white}]%, thick]
379 \node[state,initial, initial text=, accepting] (q_0) {$q_0$};
380 \node[state, accepting] (q_1) [above right of= q_0] {$q_1$};
381 \node[state](q_2) [below right of= q_1] {$q_2$};
384 edge [loop above] node {$b$} ()
386 edge [loop above] node {$a$} ();
388 (q_0) edge node {$a$} (q_1)
389 (q_1) edge node {$b$} (q_2)
390 (q_2) edge node {$b$} (q_0);
391 \draw[->] (q_2) .. controls +(up:1cm) and +(right:1cm) .. node[above] {$a$} (q_1);
392 \end{tikzpicture} \color{red}
398 \subfigure[Complement automaton \checkmark]
400 \label{fig:complement automaton}
401 \begin{tikzpicture}[shorten >=1pt, node distance=2cm, auto, semithick, >=stealth
402 ,accepting/.style={fill, gray!50!black, text=white}]
403 \node[state, initial, initial text=] (q_0) {$q_0$};
404 \node[state, accepting] (q_1) [above right of= q_0] {$q_1$};
405 \node[state, accepting](q_2) [below right of= q_1] {$q_2$};
407 (q_0) edge node {$a$} (q_1)
408 edge node {$b$} (q_2)
409 edge [loop above] node {$a, b$} ()
410 (q_1) edge [loop above] node {$a$} ()
412 edge [loop above] node {$b$} ();
413 \end{tikzpicture}\color{green}
417 Accepts all inputs with finite many $ab$.
419 %\caption{Automata from Example \ref{ex:automaton}}
425 \frametitle{Automata}
426 \framesubtitle{Definition}
427 \begin{def:buechi automata}
428 A non-deterministic B\"uchi automaton is a tuple $\A = (\Sigma, S, S_0, \Delta, F)$ with:
430 \item $\Sigma$ is a finite \emph{alphabet}.
431 \item $S$ is a finite set of \emph{states}.
432 \item $S_0 \subseteq S$ is the set of \emph{initial states}.
433 \item $\Delta: S \times \Sigma \times S$ is a \emph{transition relation}.
434 \item $F \subseteq S$ is the set of \emph{accepting states}.
436 \end{def:buechi automata}
440 \frametitle{Automata}
442 \begin{def:automata runs}
443 Let $\A = (\Sigma, S, S_0, \Delta, F)$ be an automaton:
445 \item A run $\rho$ of $\A$ on an infinite word $w = a_0,a_1,...$ is a sequence $\rho = s_0,s_1,...$:
448 \item $(s_i, a_i, s_{i+1}) \in \Delta$, for all $i \geq 0$.
450 \item Alternative view of a run $\rho$ as a function $\rho : \N \to S$, with $\rho(i) = s_i$.
452 \end{def:automata runs}
453 \visible<2->{\[w_1 = \overline{\textcolor{green}{b}ba\textcolor{green}{a}} \implies \rho_1 = q_0q_0\overline{q_0q_1q_1\textcolor{green}{q_2}}\]
454 \[w_2 = bb\overline{\textcolor{green}{ab}} \implies \rho_2 = q_0q_0\overline{q_1\textcolor{green}{q_2}}\]}
458 \frametitle{Automata}
459 \framesubtitle{Acceptance}
461 Let $\A = (\Sigma, S, S_0, \Delta, F)$ be an automaton and let $\rho$ be a run of $\A$:
463 \item $\exists^\omega$ denotes the existential quantifier for \emph{infinitely} many occurrences.
464 \item $inf(\rho) = \{s \in S \mid \exists^\omega{n \in \N}: \rho(n) = s\}$.
468 \begin{def:automata acceptance}
469 Let $\A = (\Sigma, S, S_0, \Delta, F)$ be an automaton and let $\rho$ be a run of $\A$:
471 \item $\rho$ is \emph{accepting} iff $inf(\rho) \cap F \neq \emptyset$.
472 \item $\A$ \emph{accepts} an input word $w$ iff there exists a run $\rho$ of $\A$ on $w$, such that $\rho$ is accepting.
474 \end{def:automata acceptance}
478 \frametitle{Automata}
479 \framesubtitle{Language}
480 \begin{def:automata language}
481 Let $\A = (\Sigma, S, S_0, \Delta, F)$ be an automaton:
483 \item $L_\omega(\A) = \{w \in \Sigma^\omega \mid \A \text{ accepts } w\}$, we say $\A$ recognises language $L_\omega(\A)$.
484 \item Language $L$ is \emph{B\"uchi-recognisable} iff there is an automaton $\A$ with $L = L_\omega(\A)$.
486 \end{def:automata language}
490 \frametitle{Generalised Automata}
491 \begin{def:general automata}
492 A \emph{generalised B\"uchi automaton} is a tuple $\A_G = (\Sigma, S, S_0, \Delta, \{F_i\}_{i<k})$:
494 \item $\{F_i\}$ is a finite set of sets for a given $k$.
495 \item Each $F_i \subseteq S$ is a finite set of accepting states.
497 \end{def:general automata}
499 \begin{def:general acceptance}
500 Let $\A_G = (\Sigma, S, S_0, \Delta, \{F_i\}_{i<k})$ be a generalised automaton and let $\rho$ be a run of $\A_G$:
502 \item $\rho$ is \emph{accepting} iff $\forall{i < k}: inf(\rho) \cap F_i \neq \emptyset$.
503 \item $\A_G$ \emph{accepts} an input word $w$ iff there exists a run $\rho$ of $\A_G$ on $w$, such that $\rho$ is accepting.
505 \end{def:general acceptance}
507 \begin{prop:general equiv}
508 Let $\A_G = (\Sigma, S, S_0, \Delta, \{F_i\}_{i < k})$ be a generalised automaton and let $\A_i = (\Sigma, S, S_0, \Delta, F_i)$ be non-deterministic automata:
509 \[L_\omega(\A_G) = \bigcap_{i < k} L_\omega(\A_i)\]
510 \end{prop:general equiv}
514 \frametitle{Automata Construction}
515 \framesubtitle{Formula automata}
517 Model $\M_\varphi$ for formula $\varphi$\\
519 Closure $CL(\varphi)$ of $\varphi$\\
521 Automaton $\A_\varphi$ for $\varphi$\\
523 \textcolor{red}{On-the-fly methods} \`a la Gerth et al.
528 \frametitle{Automata Construction}
529 \framesubtitle{System automata}
531 Model $\M_\varphi$ for formula $\varphi$\\
533 Closure $CL(\varphi)$ of $\varphi$\\
535 Automaton $\A_\varphi$ for $\varphi$
540 \frametitle{Model Checking}
541 \framesubtitle{Definition}
542 \begin{thm:model checking}
543 \label{thm:model checking}
544 Let $\A_P$ be the automaton for program $P$ and let $\A_\varphi$ be the automaton for formula $\varphi$.\\
545 P satisfies $\varphi$ iff:
547 \item $L_\omega(\A_P) \subseteq L_\omega(\A_\varphi)$.
548 \item $L_\omega(\A_P) \cap L_\omega(\A_{\neg \varphi}) = \emptyset$.
550 \end{thm:model checking}
553 \begin{frame}[allowframebreaks]
554 \frametitle<presentation>{Literature}
555 \begin{thebibliography}{10}
557 \beamertemplatearticlebibitems
558 \bibitem{ref:ltl&büchi}
560 \newblock {\em Linear-Time Temporal Logic and B\"uchi Automata}.
561 \newblock Winter School on Logic and Computer Science, Indian Statistical Institute, Calcutta, 1997.
563 \beamertemplatearticlebibitems
564 \bibitem{ref:alternating verification}
566 \newblock {\em Alternating Automata and Program Verification}.
567 \newblock Computer Science Today, Volume 1000 of Lecture Notes in Computer Science, Springer-Verlag, Berlin, 1995.
569 \beamertemplatebookbibitems
570 \bibitem{ref:handbook}
571 Patrick Blackburn and Frank Wolter and Johan van Benthem.
572 \newblock {\em Handbook of Modal Logic}.
573 \newblock 3rd Edition, Elsevier, Amsterdam, Chapter 11 P. 655-720 and Chapter 17 P. 975-989, 2007.
575 \end{thebibliography}