
The University of Iowa 22c:296 Automated Software Verification
Model Checking with Büchi Automata

Copyright 2003-04, Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University of Warwick. These notes are copyrighted materials and may not be used in other course settings outside of the University of Iowa in their current form or modified form without the express written permission of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of the copyright holders.


Correctness condition
- We want to find a correctness condition for a model to satisfy a specification.
- Language of a model: L(Model). Language of a specification: L(Spec).
- We need: L(Model) ⊆ L(Spec).

Correctness (figure: Venn diagram with the program executions contained in the sequences satisfying Spec, both inside the set of all sequences)


How to prove correctness?
- Show that L(Model) ⊆ L(Spec).
- Equivalently: show that L(Model) ∩ complement(L(Spec)) = Ø.
- Also: can obtain L(Spec) by translating from LTL!


What do we need to know?
- How to intersect two automata?
- How to complement an automaton?
- How to translate from LTL to an automaton?


Intersecting M1 = (S1, Σ, T1, I1, A1) and M2 = (S2, Σ, T2, I2, S2)
- Run the two automata in parallel.
- Each state is a pair of states: S1 × S2.
- Initial states are pairs of initials: I1 × I2.
- Acceptance depends on the first component: A1 × S2 (every state of M2 is accepting, since its acceptance set is S2).
- Conforms with the transition relation: (x1, y1) -a-> (x2, y2) when x1 -a-> x2 and y1 -a-> y2.


Intersection of Büchi Automata: Example (figure: two automata with states q0, q1, q2, q3 and state labels A/¬B, ¬A and ¬A/B; red states are final. The product automaton has the states (q0, q3) labelled A/¬B, (q1, q2) labelled ¬A/B and (q1, q3) labelled ¬A/¬B.)

From Generalized Büchi Automata to Büchi Automata (figure: the product automaton with states (q0, q3) labelled A/¬B, (q1, q2) labelled ¬A/B and (q1, q3) labelled ¬A/¬B. Each state is then copied once per level of a counter: level 0 has (q0, q3, 0), (q1, q2, 0), (q1, q3, 0), and Level 1 has (q0, q3, 1), (q1, q2, 1), (q1, q3, 1), with the same labels.)
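The two constructions from the slides above, the product of two Büchi automata (here in the general case where both have their own acceptance set, which gives a generalized Büchi automaton with two acceptance sets) and the level-counter construction back to an ordinary Büchi automaton, as an added Python example that is not code from the lecture notes. Automata are plain dicts; the function names generalized_product and degeneralize and the inputs P and Q are constructed for this illustration.

```python
# Added example (not from the lecture notes): product of two Buchi automata as a
# generalized Buchi automaton with acceptance sets F_0 = A1 x S2 and F_1 = S1 x A2,
# then the level counter (0 and 1 on the slide) that turns it into an ordinary one.
from itertools import product

def generalized_product(m1, m2):
    """Automata are dicts: 'states', 'trans' (set of (src, a, dst)), 'init', 'accept'."""
    # Lock-step product: a pair moves on letter a only if both components do.
    trans = {((x1, y1), a, (x2, y2))
             for (x1, a, x2) in m1["trans"]
             for (y1, b, y2) in m2["trans"] if a == b}
    return {"states": set(product(m1["states"], m2["states"])),
            "trans": trans,
            "init": set(product(m1["init"], m2["init"])),
            "accept_sets": [set(product(m1["accept"], m2["states"])),
                            set(product(m1["states"], m2["accept"]))]}

def degeneralize(gba):
    """Ordinary Buchi automaton over states (s, level) from a generalized one
    with acceptance sets F_0 .. F_{k-1}."""
    sets = gba["accept_sets"]
    k = len(sets)
    def next_level(s, i):
        # Leaving a state of F_i while at level i advances the counter.
        return (i + 1) % k if s in sets[i] else i
    trans = {((src, i), a, (dst, next_level(src, i)))
             for (src, a, dst) in gba["trans"] for i in range(k)}
    # (s, 0) with s in F_0 recurs infinitely often only if the counter wraps
    # around infinitely often, i.e. every F_i is visited infinitely often.
    return {"states": {(s, i) for s in gba["states"] for i in range(k)},
            "trans": trans,
            "init": {(s, 0) for s in gba["init"]},
            "accept": {(s, 0) for s in sets[0]}}

# Constructed inputs: P accepts words with infinitely many 'a' (p1 accepting),
# Q words with infinitely many 'b' (q1 accepting); the product accepts words
# with infinitely many of both.
P = {"states": {"p0", "p1"}, "init": {"p0"}, "accept": {"p1"},
     "trans": {("p0", "a", "p1"), ("p0", "b", "p0"), ("p1", "a", "p1"), ("p1", "b", "p0")}}
Q = {"states": {"q0", "q1"}, "init": {"q0"}, "accept": {"q1"},
     "trans": {("q0", "b", "q1"), ("q0", "a", "q0"), ("q1", "b", "q1"), ("q1", "a", "q0")}}

if __name__ == "__main__":
    ba = degeneralize(generalized_product(P, Q))
    print(len(ba["states"]), "states,", len(ba["trans"]), "transitions, accepting:", ba["accept"])
```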


How to check for emptiness? (figure: a product automaton with states (S0, T1), (S0, T0) and (S1, T1) and transitions labelled A, B and C)

Emptiness... Need to check if there exists an accepting run (one that passes through an accepting state infinitely often).


Finding accepting runs
If there is an accepting run, then at least one accepting state repeats on it forever. This state appears on a cycle. So, find a reachable accepting state on a cycle.


Equivalently...
- A strongly connected component: a set of nodes where each node is reachable by a path from each other node.
- Find a reachable strongly connected component with an accepting node (the component must contain at least one edge, so that the accepting node can actually be revisited; a single node without a self-loop is an SCC but carries no accepting run).
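The emptiness check in the form the two slides above give it, as an added Python example that is not code from the lecture notes: look for a reachable accepting state that lies on a cycle, and return the counterexample as a lasso (a prefix from an initial state to that state, and a cycle back to it). Automata are plain dicts; accepting_lasso, bfs_path and the inputs LIVE and DEAD are constructed for this illustration.

```python
# Added example (not from the lecture notes): emptiness check for a Buchi
# automaton by finding a reachable accepting state on a cycle; the result is the
# lasso (prefix, cycle) a model checker would report as a counterexample.
from collections import deque

def bfs_path(trans, sources, is_target):
    """Shortest path (list of states) from one of `sources` to a state that
    satisfies is_target, or None.  The sources themselves are tested too."""
    parent = {s: None for s in sources}
    queue = deque(sources)
    while queue:
        s = queue.popleft()
        if is_target(s):
            path = [s]
            while parent[path[-1]] is not None:
                path.append(parent[path[-1]])
            return path[::-1]
        for (src, _, dst) in trans:
            if src == s and dst not in parent:
                parent[dst] = s
                queue.append(dst)
    return None

def accepting_lasso(m):
    """(prefix, cycle): prefix runs from an initial state to an accepting state s
    and cycle from s back to s.  None means L(m) is empty."""
    trans, accept = m["trans"], m["accept"]
    def cycle_through(s):
        # s lies on a cycle iff s is reachable again from one of its successors.
        successors = {dst for (src, _, dst) in trans if src == s}
        back = bfs_path(trans, successors, lambda t: t == s)
        return None if back is None else [s] + back
    cycles = {}
    def is_witness(s):
        if s in accept and s not in cycles:
            cycles[s] = cycle_through(s)
        return cycles.get(s) is not None
    prefix = bfs_path(trans, m["init"], is_witness)
    return None if prefix is None else (prefix, cycles[prefix[-1]])

# Constructed automata: in LIVE the accepting state 2 sits on the cycle 2 -> 1 -> 2;
# in DEAD the accepting state 2 is reachable but can never be visited twice.
LIVE = {"init": {0}, "accept": {2},
        "trans": {(0, "a", 1), (1, "b", 2), (2, "a", 1), (2, "c", 3)}}
DEAD = {"init": {0}, "accept": {2},
        "trans": {(0, "a", 1), (1, "b", 2), (2, "c", 3), (3, "c", 3)}}

if __name__ == "__main__":
    print("LIVE:", accepting_lasso(LIVE), " DEAD:", accepting_lasso(DEAD))
```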


How to complement?
- Complementation is hard!
- Can ask for the negated property (the sequences that should never occur).
- Can translate from an LTL formula φ to an automaton A, and complement A.
- But: can translate ¬φ into an automaton directly!


Model Checking under Fairness
Express the fairness as a property φ. To prove a property ψ under fairness, model check φ → ψ.
(figure: a counterexample is a run of the Program that is Fair, i.e. satisfies φ, and Bad, i.e. satisfies ¬ψ)


Model Checking under Fairness
Specialize model checking. For weak process fairness: search for a reachable strongly connected component where, for each process P, either
- it contains an occurrence of a transition from P, or
- it contains a state where P is disabled.
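The specialized check for weak process fairness described on the slide above, as an added Python example that is not code from the lecture notes. It assumes a constructed model whose transitions are labelled with the process that takes them; the names reach, sccs, weakly_fair_components and the inputs M1 and M2 are chosen for this illustration.

```python
# Added example (not from the lecture notes): keep only the reachable strongly
# connected components on which a weakly fair run can stay forever, i.e. for
# every process P the component contains a transition of P or a state where P
# is disabled (no transition of P leaves that state).
def reach(succ, sources):
    """States reachable from `sources` (inclusive)."""
    seen, todo = set(sources), list(sources)
    while todo:
        s = todo.pop()
        for t in succ(s):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def sccs(states, succ):
    """Strongly connected components: s and t share one iff each reaches the
    other.  Quadratic, which is fine for a model this size."""
    fwd = {s: reach(succ, {s}) for s in states}
    return {frozenset(t for t in states if s in fwd[t] and t in fwd[s]) for s in states}

def weakly_fair_components(m, processes):
    """m['trans'] is a set of (src, process, dst).  Returns the reachable SCCs
    that survive the weak-fairness filter and contain a cycle; an accepting
    state in one of them is a counterexample no weakly fair scheduler rules out."""
    trans = m["trans"]
    def succ(s):
        return {dst for (src, _, dst) in trans if src == s}
    def enabled(s):
        return {p for (src, p, _) in trans if src == s}
    def fair(comp):
        has_cycle = len(comp) > 1 or any(s in succ(s) for s in comp)
        taken = {p for (src, p, dst) in trans if src in comp and dst in comp}
        ok = all(p in taken or any(p not in enabled(s) for s in comp) for p in processes)
        return has_cycle and ok
    return [c for c in sccs(reach(succ, m["init"]), succ) if fair(c)]

# Constructed models: P1 ping-pongs between states 0 and 1; P2 can move to state 2
# and loop there.  In M1 P2 is enabled only in state 0, so a run staying in {0, 1}
# is weakly fair; in M2 P2 is enabled in both 0 and 1 and never taken there, so
# the component {0, 1} is ruled out.
M1 = {"init": {0}, "trans": {(0, "P1", 1), (1, "P1", 0), (0, "P2", 2), (2, "P2", 2)}}
M2 = {"init": {0}, "trans": M1["trans"] | {(1, "P2", 2)}}

if __name__ == "__main__":
    for name, m in (("M1", M1), ("M2", M2)):
        print(name, [sorted(c) for c in weakly_fair_components(m, ["P1", "P2"])])
```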