CIS 540 Principles of Embedded Computation Spring 2015 http://www.seas.upenn.edu/~cis540/ Instructor: Rajeev Alur [email protected]
Dec 13, 2015
Example Tableau Construction
φ = Eventually e & Next ~e
Sub(φ) = { e, ~e, N ~e, E e, N E e, E e & N ~e }
Tableau states:
q0 = { e, N ~e, N E e, E e, E e & N ~e }
q1 = { e, N E e, E e }
q2 = { e, N ~e, E e, E e & N ~e }
q3 = { e, E e }
q4 = { ~e, N ~e, N E e, E e, E e & N ~e }
q5 = { ~e, N E e, E e }
q6 = { ~e, N ~e }
q7 = { ~e }
Transitions from q0: q0 --e--> q4, q0 --e--> q5
Transitions from q1: q1 --e--> q0, q1 --e--> q1, q1 --e--> q2, q1 --e--> q3
Transitions from q6: q6 --~e--> q6, q6 --~e--> q7
Initial states = { q0, q2, q4 }
Accepting set F1 = { q0, q1, q2, q3, q6, q7 }
CIS 540 Spring 2015; Lecture March 25
Tableau Construction: Acceptance
For a subformula “Eventually ψ”: whenever “Eventually ψ” appears in a state, either ψ or “Next Eventually ψ” (or both) is included
If a state includes “Eventually ψ” but not ψ, each successor state is guaranteed to include “Eventually ψ”, but we need to ensure that satisfaction of ψ is not postponed forever
Define F to be the set of tableau states that either include ψ or exclude “Eventually ψ”
Accepting condition: Repeatedly F
Similarly, for a subformula “Always ψ”, define F’ to be the set of states that either include “Always ψ” or exclude ψ; a state in F’ is required to appear repeatedly on an accepting run
Handling Acceptance
In general, if there are multiple temporal formulas, the acceptance condition should ensure that each is satisfied
Generalized Buchi automaton: a modest syntactic generalization
Automaton M has k accepting sets F1, F2, …, Fk
An execution is accepting if for each j, some state in Fj appears repeatedly:
Repeatedly F1 & Repeatedly F2 & … & Repeatedly Fk
It is possible to “compile” a generalized Buchi automaton into a standard Buchi automaton
It is also possible to adapt cycle-detection algorithms to handle multiple accepting sets
Tableau Construction: Summary
Correctness claim: A trace over V satisfies the given LTL formula φ if and only if it is accepted by the generalized Buchi automaton Mφ
Complexity: The size of Mφ is 2^l, where l is the size of φ; such a blow-up is unavoidable
Practical implementations with a number of optimizations exist
Reachability Problem for Transition Systems
[Figure: Verifier takes a transition system T and a property φ as inputs and answers “Is φ reachable?” with Yes/Counter-example or No]
Is there a (finite) execution from an initial state to a state satisfying φ?
Checking whether φ is an invariant of T => Checking if ~φ is reachable
Verification techniques
1. Proof-based: Inductive invariants
2. Enumerative on-the-fly search (not covered, see notes)
3. Symbolic search based on iterative image computation
Repeatable Property for Transition Systems
Transition System = States, Initial states, Transitions
Property φ: Subset of states
Property φ is repeatable if there exists an infinite execution that satisfies Repeatedly φ
Is there a state s such that
1. s is reachable
2. s satisfies φ
3. there is a cycle containing s
Repeatability Problem for Transition Systems
[Figure: Verifier takes a transition system T and a property φ as inputs and answers “Is φ repeatable?” with Yes/Counter-example or No]
Is there an infinite execution along which states satisfying φ appear repeatedly?
To check whether a system C satisfies an LTL formula φ, check if “Mode is Accepting” is repeatable in the composition of C and the Buchi monitor M~φ
Verification techniques
1. Proof-based: Ranking functions (Sec 5.3, not covered)
2. Enumerative: Nested depth-first search (not covered, see Sec 5.2.3)
3. Symbolic search
Recap: Symbolic Transition Systems
A region over variables X is a data structure that represents a set of states assigning values to X
A transition system T with state variables S is represented by:
  Region φ_I over S for the initial states
  Region φ_T over S ∪ S’ for the transitions
The symbolic representation can be compiled automatically from the code for updating variables
Towards Symbolic Algorithm
[Figure: starting from Init, find the states that are reachable and satisfy the property φ]
Find the set of reachable states using the symbolic reachability algorithm, and intersect it with φ
Symbolic Image Computation
Core problem in symbolic search: compute the post-image (i.e. the set of successors) of the states in a given region
Given: A of type reg over state variables S; Trans of type reg over S ∪ S’
Post(A, Trans) = Rename(Exists(Conj(A, Trans), S), S’, S)
1. Take the conjunction of A and Trans
2. Project out the variables in S using existential quantification
3. Rename the primed variables to get a region over S
Symbolic BFS Algorithm
Given region Init over S and region Trans over S ∪ S’, compute the region representing all reachable states
reg Reach := Empty;   /* States found reachable */
reg New := Init;      /* States not yet explored for outgoing transitions */
while IsEmpty(New) = 0 {          /* while there are states to be explored */
  Reach := Disj(Reach, New);      /* add new states to reachable states */
  New := Diff(Post(New, Trans), Reach);
  /* These are states in the post-image of New, but not previously found reachable, so to be explored */
};
The first phase of the Symbolic Repeatability Check involves computing Reach
Symbolic Repeatability Check
Recur_0 = Reachable & φ
Find states s in Recur_0 such that from s there is a path with 1 or more transitions to some state in Recur_0
Recur_1 = Reachable & φ & Next Eventually φ
Repeat to get Recur_2 from Recur_1
Recur_2 = Reachable & φ & Next Eventually (φ & Next Eventually φ)
Repeat to get Recur_{i+1} from Recur_i
Symbolic Repeatability Check
What can we conclude if Recur_{i+1} = Recur_i?
What can we conclude if Recur_{i+1} is empty?
Symbolic Repeatability Check
Key step: Given a region A, find the sub-region { s in A | there exists t in A that is reachable from s in >= 1 transitions }
Recall: To compute the states reachable from Init, we repeatedly apply the post-image operator
Symmetrically, to find the states from which A is reachable, we can repeatedly apply the pre-image operator
To get the desired result, intersect this set with A
Symbolic Pre-Image Computation
Pre-image of a region A = set of predecessors of states in A
Pre(A, Trans) = { s | there exists a state t in A s.t. s → t is a transition }
Given: A of type reg over state variables S; Trans of type reg over S ∪ S’
Pre(A, Trans) = Exists(Conj(Rename(A, S, S’), Trans), S’)
1. Rename the variables in A to primed copies to get a region over S’
2. Take the conjunction of the result with Trans (this captures the set of transitions whose target states belong to A)
3. Project out the variables in S’ using existential quantification
Symbolic Repeatability Algorithm
Phase 1: Compute Reach as shown before
reg Recur := Conj(Reach, φ);     /* Potential candidate states for cycle */
while IsEmpty(Recur) = 0 {       /* while there are potential candidates */
  /* Compute from which states Recur is reachable */
  Reach := Empty;
  New := Pre(Recur, Trans);      /* Ensure at least one transition */
  while IsEmpty(New) = 0 {
    Reach := Disj(Reach, New);
    if IsSubset(Recur, Reach) = 1 then return 1;   /* Recur won’t change; property repeatable */
    New := Diff(Pre(New, Trans), Reach);
  };
  Recur := Conj(Recur, Reach);   /* Subset from which Recur is reachable */
};
return 0;   /* No execution with property repeating */
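The Post/Pre operators, the symbolic BFS and the repeatability algorithm above, as an added Python example that is not part of the lecture: frozensets stand in for the region data structure and an explicit set of (source, target) pairs for Trans, so each region operation becomes an ordinary set operation on a small constructed transition system.

```python
# Added example (not from the lecture slides): the Post/Pre operators, the
# symbolic BFS and the repeatability algorithm above, with Python frozensets
# standing in for the region data structure and an explicit edge relation for
# Trans.  Region ops map to set ops: Conj = &, Disj = |, Diff = -,
# IsEmpty(A) = not A, IsSubset(A, B) = A <= B.

def post(A, trans):
    """Post-image: states reachable from A in exactly one transition."""
    return frozenset(t for (s, t) in trans if s in A)

def pre(A, trans):
    """Pre-image: states that have some successor in A."""
    return frozenset(s for (s, t) in trans if t in A)

def reach(init, trans):
    """Symbolic BFS: the region of all states reachable from init."""
    found, new = frozenset(), frozenset(init)
    while new:                                # states not yet explored
        found |= new
        new = post(new, trans) - found        # keep only newly found states
    return found

def repeatable(init, trans, prop):
    """Return True iff some infinite execution satisfies Repeatedly prop."""
    recur = reach(init, trans) & frozenset(prop)   # Recur_0: reachable & prop
    while recur:                              # candidates left for a cycle
        # states from which recur is reachable in >= 1 transitions
        back, new = frozenset(), pre(recur, trans)
        while new:
            back |= new
            if recur <= back:                 # every candidate gets back to recur
                return True
            new = pre(new, trans) - back
        recur &= back                         # Recur_{i+1}: drop the rest
    return False                              # Recur empty: no repeating run

# Constructed transition system (states 0..5): 0->1->2->1 is a cycle,
# 2->3->4 leads to a sink with a self-loop, and 5->0 is never reached.
TRANS = {(0, 1), (1, 2), (2, 1), (2, 3), (3, 4), (4, 4), (5, 0)}
INIT = {0}

if __name__ == "__main__":
    print(sorted(reach(INIT, TRANS)))          # [0, 1, 2, 3, 4]
    print(repeatable(INIT, TRANS, {2}))        # True  (on the 1-2 cycle)
    print(repeatable(INIT, TRANS, {1, 3}))     # True  (3 dropped, 1 kept)
    print(repeatable(INIT, TRANS, {3}))        # False (only leads to the sink)
    print(repeatable(INIT, TRANS, {5}))        # False (never reachable)
```

The {1, 3} case runs the outer loop twice: the first inner pass finds that 3 cannot get back to Recur, so Recur shrinks to {1}, and the second pass finds the 1-2 cycle.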
Example
[Figure: example transition system with states A, B, C, D, E, F, H]
Analysis of Symbolic Repeatability
Correctness (1): If there is a reachable state s that satisfies φ, and there is an infinite execution starting in s satisfying Repeatedly φ, then s will always stay in Recur (and thus Recur cannot become empty)
Correctness (2): If the inner loop finds that from every state in Recur some state in Recur is reachable in >= 1 transitions, then indeed there is an infinite execution satisfying Repeatedly φ
The algorithm is sound: it cannot give wrong answers
If the transition system has n reachable states of which k satisfy φ, then the algorithm terminates with O(nk) region operations
In practice, performance depends on how effective the data structure for regions is
Logistics
Homework 4: Due next Wednesday, April 1; Exercises 5.4, 5.5, 5.9, 5.10, 5.15
Recitation on Friday for problems in Chapter 5
Next week: Dynamical systems
Project description will be available next week