Regular Properties
Definition 4.11. Regular Safety Property
4.2.2 Verifying Regular Safety Properties
Let P_safe be a regular safety property over the atomic propositions AP and A an NFA recognizing the (minimal) bad prefixes of P_safe. (Recall that by Lemma 4.12 on page 161 it is irrelevant whether A accepts all bad prefixes for P_safe or only the minimal ones.) For technical reasons, we assume that ε ∉ L(A). In fact, this is not a severe restriction since otherwise all finite words over 2^AP are bad prefixes, and hence, P_safe = ∅. In this case, TS ⊨ P_safe if and only if TS has no initial state.
Furthermore, let TS be a finite transition system without terminal states with corresponding set of propositions AP. In this section, we aim to establish an algorithmic method for verifying whether TS satisfies the regular safety property P_safe, i.e., to check whether TS ⊨ P_safe holds. According to Lemma 3.25 on page 114 we have

TS ⊨ P_safe   if and only if   Traces_fin(TS) ∩ BadPref(P_safe) = ∅   if and only if   Traces_fin(TS) ∩ L(A) = ∅.
Thus, it suffices to check whether Traces_fin(TS) ∩ L(A) = ∅ to establish TS ⊨ P_safe. To do so, we adopt a similar strategy as for checking whether two NFAs intersect. Recall that in order to check whether the NFAs A1 and A2 intersect, it suffices to consider their product automaton, since

L(A1) ∩ L(A2) = ∅   if and only if   L(A1 ⊗ A2) = ∅.

The question whether two automata intersect is thus reduced to a simple reachability problem in the product automaton.
This is now exploited as follows. In order to check whether Traces_fin(TS) ∩ L(A) = ∅, we first build a product of transition system TS and NFA A in the same vein as the synchronous product of NFAs. This yields the transition system TS ⊗ A. For this transition system, an invariant can be given using a propositional logic formula Φ (derived from the accept states of A) such that Traces_fin(TS) ∩ L(A) = ∅ if and only if TS ⊗ A ⊨ “always Φ”.
In this way, the verification of a regular safety property is reduced to invariant checking.
Recall that for checking invariants, Algorithm 4 (see page 110) can be exploited.
We start by formally defining the product between a transition system TS and an NFA A, denoted TS ⊗ A. Let TS = (S, Act, →, I, AP, L) and A = (Q, 2^AP, δ, Q0, F) with Q0 ∩ F = ∅. Recall that the alphabet of A consists of sets of atomic propositions of TS.
Transition system TS ⊗ A has state space S × Q and a transition relation such that each path fragment π = s0 s1 ... sn in TS can be extended to a path fragment ⟨s0, q1⟩⟨s1, q2⟩...⟨sn, qn+1⟩ in TS ⊗ A for which there is an initial state q0 ∈ Q0 such that

$$q_0 \xrightarrow{L(s_0)} q_1 \xrightarrow{L(s_1)} q_2 \xrightarrow{L(s_2)} \cdots \xrightarrow{L(s_n)} q_{n+1}$$

is a run (not necessarily accepting) of NFA A that generates the word trace(π) = L(s0) L(s1) ... L(sn).
Finally, labels of states are state names of A. These considerations lead to the following definition:
Model-Checking Regular Safety Properties
Definition 4.16. Product of Transition System and NFA
Let TS = (S, Act, →, I, AP, L) be a transition system without terminal states and A = (Q, Σ, δ, Q0, F) an NFA with the alphabet Σ = 2^AP and Q0 ∩ F = ∅. The product transition system TS ⊗ A is defined as follows:
TS ⊗ A = (S', Act, →', I', AP', L') where
• S' = S × Q,
• →' is the smallest relation defined by the rule

$$\frac{s \xrightarrow{\alpha} t \;\wedge\; q \xrightarrow{L(t)} p}{\langle s, q\rangle \xrightarrow{\alpha}{}' \langle t, p\rangle}$$

• I' = { ⟨s0, q⟩ | s0 ∈ I ∧ ∃ q0 ∈ Q0. q0 --L(s0)--> q },
• AP' = Q, and
• L' : S × Q → 2^Q is given by L'(⟨s, q⟩) = {q}.
Remark 4.17. Terminal States
For the definition of LT properties (and thus of invariants) we have assumed transition systems to have no terminal states. It is, however, not guaranteed that TS ⊗ A possesses this property, even if TS does. This stems from the fact that in NFA A there may be a state q, say, that has no direct successor states for some set A of atomic propositions, i.e., with δ(q, A) = ∅. This technical problem can be treated by either requiring δ(q, A) ≠ ∅ for all states q ∈ Q and A ⊆ AP or by extending the notion of invariants to arbitrary transition systems. Note that imposing the requirement δ(q, A) ≠ ∅ is not a severe restriction, as any NFA can be easily transformed into an equivalent one that satisfies this property by introducing a state q_trap and adding the transition q --A--> q_trap to A whenever δ(q, A) = ∅ or q = q_trap. We finally remark that for the algorithm for invariant checking, it is not of any relevance whether terminal states exist or not.
Example 4.18. A Product Automaton
[Figure 4.6: German traffic light (left upper figure), an NFA (right upper figure), and their product (lower figure). The figure shows the light states red, yellow, red/yellow and green; the NFA states q0, q1 and qF with edge labels red, yellow ∧ ¬red, ¬yellow, ¬red ∧ ¬yellow and yellow; and the product states ⟨green, q0⟩, ⟨red/yellow, q0⟩, ⟨yellow, q1⟩ and ⟨red, q0⟩.]

The language of the minimal bad prefixes of the safety property “each red light phase is preceded by a yellow light phase” is accepted by the DFA A indicated in Example 4.14 (page 162). We consider a German traffic light, which besides the usual colors red, green, and yellow, can indicate red and yellow simultaneously, meaning “green light soon”. The transition system GermanTrLight thus has four states with the usual transitions red → red+yellow, red+yellow → green, green → yellow, and yellow → red. Let AP = {red, yellow} indicating the corresponding light phases.
The labeling is defined as follows: L(red) = {red}, L(yellow) = {yellow}, L(green) = ∅ = L(red+yellow). The product transition system GermanTrLight ⊗ A consists of four reachable states (see Figure 4.6). As action labels are not relevant here, they are omitted.
The following theorem shows that the verification of a regular safety property can be reduced to checking an invariant in the product.
Let TS and A be as before. Let P_inv(A) be the invariant over AP' = Q which is defined by the propositional formula

$$\bigwedge_{q \in F} \neg q.$$

In the sequel, we often write ¬F as shorthand for ⋀_{q∈F} ¬q. Stated in words, ¬F holds in all nonaccept states.
Theorem 4.19. Verification of Regular Safety Properties
For transition system TS over AP, NFA A with alphabet 2^AP as before, and regular safety property P_safe over AP such that L(A) equals the set of (minimal) bad prefixes of P_safe, the following statements are equivalent:
(a) TS ⊨ P_safe
(b) Traces_fin(TS) ∩ L(A) = ∅
(c) TS ⊗ A ⊨ P_inv(A)
Proof: Let TS = (S, Act, →, I, AP, L) and A = (Q, 2^AP, δ, Q0, F).
The equivalence of (a) and (b) follows immediately by Lemma 3.25 (page 114). To establish the equivalence of (a), (b), and (c), we show

(c) ⟹ (a): TS ⊭ P_safe implies TS ⊗ A ⊭ P_inv(A)

and

(b) ⟹ (c): TS ⊗ A ⊭ P_inv(A) implies Traces_fin(TS) ∩ L(A) ≠ ∅.

Proof of “(c) ⟹ (a)”: If TS ⊭ P_safe, then there is a finite initial path fragment π = s0 s1 ... sn in TS with

trace(π) = L(s0) L(s1) ... L(sn) ∈ L(A).

Since trace(π) ∈ L(A), there exists an accepting run q0 q1 ... qn+1 of A for trace(π). Accordingly

$$q_0 \in Q_0, \qquad q_i \xrightarrow{L(s_i)} q_{i+1} \text{ for all } 0 \le i \le n, \qquad \text{and} \qquad q_{n+1} \in F.$$

Thus, ⟨s0, q1⟩⟨s1, q2⟩...⟨sn, qn+1⟩ is an initial path fragment in TS ⊗ A with ⟨sn, qn+1⟩ ⊭ ¬F. It thus follows that TS ⊗ A ⊭ P_inv(A).

Proof of “(b) ⟹ (c)”: Let TS ⊗ A ⊭ P_inv(A). Then there exists an initial path fragment ⟨s0, q1⟩...⟨sn, qn+1⟩ in TS ⊗ A with qn+1 ∈ F, and q1, ..., qn ∉ F. Besides, s0 s1 ... sn is an initial path fragment in TS. Further,

$$q_i \xrightarrow{L(s_i)} q_{i+1} \text{ for all } 0 \le i \le n.$$

Since ⟨s0, q1⟩ is an initial state of TS ⊗ A, there is an initial state q0 in A such that q0 --L(s0)--> q1. The sequence q0 q1 ... qn+1 is thus an accepting run for trace(s0 s1 ... sn). Thus,

trace(s0 s1 ... sn) ∈ Traces_fin(TS) ∩ L(A)

which yields Traces_fin(TS) ∩ L(A) ≠ ∅.
Stated in words, Theorem 4.19 yields that in order to check the transition system TS against the regular safety property P_safe, it suffices to check whether no state ⟨s, q⟩ in TS ⊗ A is reachable where the A-component q is an accept state of A. This invariant “never visit an accept state of A” (formally given by the invariant condition Φ = ¬F) can be checked using a depth-first search approach as described in detail in Algorithm 4 (page 110). Note that in case the safety property is refuted, the invariant checking algorithm provides a counterexample. This counterexample is in fact a finite path fragment ⟨s0, q1⟩⟨s1, q2⟩...⟨sn, qn+1⟩ in the transition system TS ⊗ A that leads to an accept state.
The projection to the states in TS yields an initial finite path fragment s0 s1 ... sn in TS where the induced trace trace(s0 s1 ... sn) ∈ (2^AP)* is accepted by A (since it has an accepting run of the form q0 q1 ... qn+1). Thus, trace(s0 s1 ... sn) is a bad prefix for P_safe. Hence, s0 s1 ... sn yields a useful error indication since trace(π) ∉ P_safe for all paths π in TS that start with the prefix s0 s1 ... sn.
Corollary 4.20.
Let TS, A, and P_safe be as in Theorem 4.19. Then, for each initial path fragment ⟨s0, q1⟩...⟨sn, qn+1⟩ of TS ⊗ A:

q1, ..., qn ∉ F and qn+1 ∈ F   implies   trace(s0 s1 ... sn) ∈ L(A).

As a result, the skeleton in Algorithm 5 can be used to check a regular safety property against a transition system and to report a counterexample (i.e., a finite initial path fragment in TS inducing a bad prefix) as diagnostic feedback if the safety property does not hold for TS.
Algorithm 5 Model-checking algorithm for regular safety properties
Input: finite transition system TS and regular safety property P_safe
Output: true if TS ⊨ P_safe. Otherwise false plus a counterexample for P_safe.
  Let NFA A (with accept states F) be such that L(A) = bad prefixes of P_safe
  Construct the product transition system TS ⊗ A
  Check the invariant P_inv(A) with proposition ¬F = ⋀_{q∈F} ¬q on TS ⊗ A
  if TS ⊗ A ⊨ P_inv(A) then
    return true
  else
    Determine an initial path fragment ⟨s0, q1⟩...⟨sn, qn+1⟩ of TS ⊗ A with qn+1 ∈ F
    return (false, s0 s1 ... sn)
  fi

Example 4.21. Checking a Regular Safety Property for the Traffic Light
Consider again the German traffic light system and the regular safety property P_safe that each red light phase should be immediately preceded by a yellow light phase. The transition system of the traffic light, the NFA accepting the bad prefixes of the safety property, as well as their product automaton, are depicted in Figure 4.6 (page 166). To check the validity of P_safe, only the second component of the states ⟨s, q⟩ is relevant. The fact that no state of the form ⟨..., qF⟩ is reachable ensures the invariant ¬qF to hold in all reachable states. Thus GermanTrLight ⊨ P_safe.
If the traffic light is modified such that the state “red” is the initial state (instead of “green”), then we obtain a transition system that violates P_safe. Actually, in this case the invariant ¬qF is already violated in the initial state of the resulting product transition system, which has the following form:

⟨red, δ(q0, {red})⟩ = ⟨red, qF⟩.
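The product construction of Definition 4.16 and the skeleton of Algorithm 5, run on the German traffic light of Examples 4.18 and 4.21, as an added Python example; it is not code from the textbook. The transition system follows the example's description. The bad-prefix NFA is my own reconstruction from the edge labels visible in Figure 4.6 (states q0, q1, qF) with a true-labelled self-loop on qF, so that A accepts all bad prefixes rather than only minimal ones (irrelevant by Lemma 4.12) and the product has no terminal states (Remark 4.17). The names TS, NFA, german_traffic_light, bad_prefix_nfa, product and check_safety are mine.

```python
# Added example (not from the textbook): Definition 4.16 (product TS (x) A) and
# Algorithm 5 (invariant check with counterexample) applied to the German
# traffic light of Examples 4.18/4.21. All names below are my own.
from collections import namedtuple

# Transition system TS = (S, Act, ->, I, AP, L). Actions are irrelevant here,
# so the transition relation maps a state to its set of successors.
TS = namedtuple("TS", "states trans init label")

# NFA A = (Q, 2^AP, delta, Q0, F). delta(q, A) returns the set of successors of
# q on input symbol A, where A is a frozenset of atomic propositions.
NFA = namedtuple("NFA", "states delta init accept")


def german_traffic_light(initial="green"):
    """GermanTrLight from Example 4.18: red -> red+yellow -> green -> yellow -> red."""
    trans = {"red": {"red+yellow"}, "red+yellow": {"green"},
             "green": {"yellow"}, "yellow": {"red"}}
    label = {"red": frozenset({"red"}), "yellow": frozenset({"yellow"}),
             "green": frozenset(), "red+yellow": frozenset()}
    return TS(set(trans), trans, {initial}, label)


def bad_prefix_nfa():
    """Bad prefixes of "each red phase is immediately preceded by a yellow phase".

    Reconstructed (assumption) from the edge labels of Figure 4.6: q0 = last
    symbol did not contain yellow, q1 = it did, qF = a red without a preceding
    yellow was seen. The self-loop on qF makes A accept all bad prefixes, not
    only the minimal ones (Lemma 4.12), and avoids terminal states (Remark 4.17).
    """
    def delta(q, A):
        red, yellow = "red" in A, "yellow" in A
        if q == "q0":
            return {"qF"} if red else ({"q1"} if yellow else {"q0"})
        if q == "q1":
            return {"q1"} if yellow else {"q0"}
        return {"qF"}  # q == "qF": true-labelled self-loop
    return NFA({"q0", "q1", "qF"}, delta, {"q0"}, {"qF"})


def product(ts, nfa):
    """Reachable fragment of TS (x) A as in Definition 4.16.

    States are pairs <s, q>; <s, q> -> <t, p> iff s -> t in TS and q --L(t)--> p
    in A; initial states are <s0, q> with s0 in I and q0 --L(s0)--> q for some
    q0 in Q0; the label of <s, q> is {q}.
    """
    init = {(s0, q) for s0 in ts.init for q0 in nfa.init
            for q in nfa.delta(q0, ts.label[s0])}
    trans, seen, stack = {}, set(init), list(init)
    while stack:
        s, q = stack.pop()
        succ = {(t, p) for t in ts.trans[s] for p in nfa.delta(q, ts.label[t])}
        trans[(s, q)] = succ
        for st in succ - seen:
            seen.add(st)
            stack.append(st)
    return TS(seen, trans, init, {(s, q): frozenset({q}) for (s, q) in seen})


def check_safety(ts, nfa):
    """Algorithm 5: (True, None) if TS |= P_safe, else (False, [s0, s1, ..., sn]).

    The invariant P_inv(A) with condition not-F is checked by a depth-first
    search over TS (x) A; the path to the first state whose A-component lies in
    F is projected onto TS, which by Corollary 4.20 induces a bad prefix.
    """
    prod = product(ts, nfa)
    stack = [(st, [st]) for st in prod.init]
    visited = set(prod.init)
    while stack:
        st, path = stack.pop()
        if prod.label[st] & nfa.accept:  # <s, q> violates not-F
            return False, [s for (s, _) in path]
        for nxt in prod.trans[st]:
            if nxt not in visited:
                visited.add(nxt)
                stack.append((nxt, path + [nxt]))
    return True, None


if __name__ == "__main__":
    A = bad_prefix_nfa()
    print(check_safety(german_traffic_light(), A))       # (True, None)
    print(check_safety(german_traffic_light("red"), A))  # (False, ['red'])
```

With green as initial state the product has exactly the four reachable states of Figure 4.6 and check_safety returns (True, None); with red as initial state the only initial product state is ⟨red, qF⟩, so the search stops immediately and reports (False, ['red']), the projected counterexample of Corollary 4.20. Since product only explores states reachable from I', the work is bounded by the reachable fragment of TS ⊗ A, in line with the remark following Theorem 4.22.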
We conclude this part by considering the worst-case time and space complexity of the automata-based algorithm for checking regular safety properties.
Theorem 4.22. Complexity of Verifying Regular Safety Properties
The time and space complexity of Algorithm 5 is in O(|TS| · |A|), where |TS| and |A| denote the number of states and transitions in TS and A, respectively.
Assuming an on-the-fly generation of the reachable states of TS from a syntactic description of the processes, the above bound also holds if |TS| denotes the size of the reachable fragment of TS.
Proof: Follows directly from the fact that the number of states in the product automaton TS ⊗ A is in O(|S| · |Q|) (where S and Q denote the state spaces of TS and A, respectively) and the fact that the time and space complexity of invariant checking is linear in the number of states and transitions of the transition system TS ⊗ A. (Thus, we can even establish the bound O(|S| · |Q| + |→| · |δ|) for the runtime, where |→| denotes the number of transitions in TS and |δ| the number of transitions in A.)