235 research outputs found
One Theorem to Rule Them All: A Unified Translation of LTL into ω-Automata
We present a unified translation of LTL formulas into deterministic Rabin automata, limit-deterministic Büchi automata, and nondeterministic Büchi automata. The translations yield automata of asymptotically optimal size (double or single exponential, respectively). All three translations are derived from one single Master Theorem of purely logical nature. The Master Theorem decomposes the language of a formula into a positive boolean combination of languages that can be translated into ω-automata by elementary means. In particular, Safra's, ranking, and breakpoint constructions used in other translations are not needed.
A Verified and Compositional Translation of LTL to Deterministic Rabin Automata
We present a formalisation of the unified translation approach from linear temporal logic (LTL) to omega-automata from [Javier Esparza et al., 2018]. This approach decomposes LTL formulas into "simple" languages and allows a clear separation of concerns: first, we formalise the purely logical result yielding this decomposition; second, we develop a generic, executable, and expressive automata library providing necessary operations on automata to re-combine the "simple" languages; third, we instantiate this generic theory to obtain a construction for deterministic Rabin automata (DRA). We extract from this particular instantiation an executable tool translating LTL to DRAs. To the best of our knowledge this is the first verified translation of LTL to DRAs that is proven to be double-exponential in the worst case, which asymptotically matches the known lower bound.
An Efficient Normalisation Procedure for Linear Temporal Logic and Very Weak Alternating Automata
In the mid 80s, Lichtenstein, Pnueli, and Zuck proved a classical theorem stating that every formula of Past LTL (the extension of LTL with past operators) is equivalent to a formula of the form , where and contain only past operators. Some years later, Chang, Manna, and Pnueli built on this result to derive a similar normal form for LTL. Both normalisation procedures have a non-elementary worst-case blow-up, and follow an involved path from formulas to counter-free automata to star-free regular expressions and back to formulas. We improve on both points. We present a direct and purely syntactic normalisation procedure for LTL yielding a normal form, comparable to the one by Chang, Manna, and Pnueli, that has only a single exponential blow-up. As an application, we derive a simple algorithm to translate LTL into deterministic Rabin automata. The algorithm normalises the formula, translates it into a special very weak alternating automaton, and applies a simple determinisation procedure, valid only for these special automata.
Comment: This is the extended version of the referenced conference paper and contains an appendix with additional material.
Near-Optimal Scheduling for LTL with Future Discounting
We study the search problem for optimal schedulers for the linear temporal logic (LTL) with future discounting. The logic, introduced by Almagor, Boker and Kupferman, is a quantitative variant of LTL in which an event in the far future has only discounted contribution to a truth value (that is, a real number in the unit interval [0, 1]). The precise problem we study (it naturally arises e.g. in the search for a scheduler that recovers from an internal error state as soon as possible) is the following: given a Kripke frame, a formula and a number in [0, 1] called a margin, find a path of the Kripke frame that is optimal with respect to the formula up to the prescribed margin (a truly optimal path may not exist). We present an algorithm for the problem; it works even in the extended setting with propositional quality operators, a setting where (threshold) model-checking is known to be undecidable.
Two-Stage Technique for LTLf Synthesis Under LTL Assumptions
In synthesis, assumptions are constraints on the environment that rule out certain environment behaviors. A key observation is that even if we consider systems with LTLf goals on finite traces, assumptions need to be expressed considering infinite traces, using LTL on infinite traces, since the decision to stop the trace is controlled by the agent. To solve synthesis of LTLf goals under LTL assumptions, we could reduce the problem to LTL synthesis. Unfortunately, while synthesis in LTLf and in LTL have the same worst-case complexity (both are 2EXPTIME-complete), the algorithms available for LTL synthesis are much harder in practice than those for LTLf synthesis. Recently, it has been shown that for basic forms of fairness and stability assumptions we can avoid such a detour to LTL and keep the simplicity of LTLf synthesis. In this paper, we generalize these results and show how to effectively handle any kind of LTL assumptions. Specifically, we devise a two-stage technique for solving LTLf under general LTL assumptions and show empirically that this technique performs much better than standard LTL synthesis.
Model Checking Strategies from Synthesis Over Finite Traces
The innovations in reactive synthesis from Linear Temporal Logics over finite traces (LTLf) will be amplified by the ability to verify the correctness of the strategies generated by LTLf synthesis tools. This motivates our work on LTLf model checking. LTLf model checking, however, is not straightforward. The strategies generated by LTLf synthesis may be represented using terminating transducers or non-terminating transducers, where executions are of finite-but-unbounded length or infinite length, respectively. For synthesis, there is no evidence that one type of transducer is better than the other since they both demonstrate the same complexity and similar algorithms.
In this work, we show that for model checking, the two types of transducers are fundamentally different. Our central result is that LTLf model checking of non-terminating transducers is exponentially harder than that of terminating transducers. We show that the problems are EXPSPACE-complete and PSPACE-complete, respectively. Hence, considering the feasibility of verification, LTLf synthesis tools should synthesize terminating transducers. This is, to the best of our knowledge, the first evidence to use one transducer over the other in LTLf synthesis.
Comment: Accepted by ATVA 2
Lazy Probabilistic Model Checking without Determinisation
The bottleneck in the quantitative analysis of Markov chains and Markov decision processes against specifications given in LTL or as some form of nondeterministic Büchi automata is the inclusion of a determinisation step of the automaton under consideration. In this paper, we show that full determinisation can be avoided: subset and breakpoint constructions suffice. We have implemented our approach, both explicit and symbolic versions, in a prototype tool. Our experiments show that our prototype can compete with mature tools like PRISM.
Comment: 38 pages. Updated version introducing the following changes: general improvement on paper presentation; extension of the approach to avoid full determinisation; added proofs for such an extension; added case studies; updated old case studies to reflect the added extension.
INCREMENTAL FAULT DIAGNOSABILITY AND SECURITY/PRIVACY VERIFICATION
Dynamical systems can be classified into two groups. One group is continuous-time systems that describe the physical system behavior, and therefore are typically modeled by differential equations. The other group is discrete event systems (DESs) that represent the sequential and logical behavior of a system. DESs are therefore modeled by discrete state/event models.
DESs are widely used for formal verification and enforcement of desired behaviors in embedded systems. Such systems are naturally prone to faults, and knowledge about each single fault is crucial from a safety and economic point of view. Fault diagnosability verification, which is the ability to deduce the occurrence of all failures, is one of the problems investigated in this thesis. Another verification problem addressed in this thesis is security/privacy. The two notions current-state opacity and current-state anonymity, which lie within this category, have attracted great attention in recent years, due to the progress of communication networks and mobile devices.
Usually, DESs are modular and consist of interacting subsystems. The interaction is achieved by means of synchronous composition of these components. This synchronization results in large monolithic models of the total DES. Also, the complex computations related to each specific verification problem add even more computational complexity, resulting in the well-known state-space explosion problem.
To circumvent the state-space explosion problem, one efficient approach is to exploit the modular structure of systems and apply incremental abstraction. In this thesis, a unified abstraction method that preserves temporal logic properties and possible silent loops is presented. The abstraction method is incrementally applied to the local subsystems, and it is proved that this abstraction preserves the main characteristics of the system that need to be verified.
The existence of shared unobservable events means that ordinary incremental abstraction does not work for security/privacy verification of modular DESs. To solve this problem, a combined incremental abstraction and observer generation is proposed and analyzed. Evaluations show the great impact of the proposed incremental abstraction on diagnosability and security/privacy verification, as well as on verification of generic safety and liveness properties. Thus, this incremental strategy makes formal verification of large complex systems feasible.