ω-Automaton

which can then be used to define the straightforward abstraction function:

definition(innfa_by_lts_defs)nfa_α::('q_set, 'l_set, 'd)NFA_impl⇒('q, 'l)NFAwhere nfa_αA =

LQ= s.α(nfa_states A), Σ= l.α(nfa_labels A),

∆= d.α(nfa_trans A), I = s.α(nfa_initial A), F = s.α(nfa_accepting A)_M

While the LTS implementation itself was very short and in general only mapped to the underlying TripleSet, the NFA implementation is more involved (88 lines vs 3500 lines).

This is due to the multitude of operations that are defined on the abstract NFA definition and now are replaced by efficient implementations. So, while for the LTS we had more or less a chaining of the underlying map/set structures, the implementations for the NFA are often very different from their abstract counterpart. Therefore the proofs are more complicated.

We will not go in any more detail for the NFA implementation. While, as mentioned, being more complicated, the general idea is like the one given for the LTS.

Eventually, Tuerk defines an instance of the NFA implementation using all Red-Black-Trees. This is then used for code generation and providing an accessor layer around the generated structures to make it possible to be used in raw SML or OCaml code as a mathematically correct library. In [31], Tuerk and Lammich go in more detail for one specific algorithm (Hopcroft’s algorithm for automata minimisation [20]) and present benchmarks for the generated code in comparison with other, unchecked, implementations.

3.1.5 ω-Automaton

Similar to how NFA and DFA were defined, generalω-automata are defined in terms of semi-automata. The only addition to semi-automata is a general set F to be a'f set, for some type'f:

record('q, 'l, 'f)OmegaAutomaton = ('q, 'l)SemiAutomaton +

F :: 'f set

localeOmegaAutomaton = SemiAutomatonA forA::('q, 'l, 'f)OmegaAutomaton

F is deliberately not of type'q setlike for NFAs, because different types of ω-automata have different ways of encoding acceptance. Thus while for Büchi automata (BA)'q setis a

3.1 The Comprehensive Library

right choice, for Generalized Büchi Automata (GBA) a set of sets of nodes ('q set set) has to be used.

Mixing in finite semi-automata via the localeFinSemiAutomaton, finiteω-automata are defined:

localeFinOmegaAutomaton = OmegaAutomatonA+ FinSemiAutomatonA forA::('q, 'l, 'f)OmegaAutomaton

A general acceptance condition onω-automata is defined in terms of an acceptance func-tiona_fun(OmegaAutomaton_is_inf_runis a typed abbreviation ofSemiAutomaton_is_inf_run):

abbreviation ExOmegaAutomaton_accept a_funAw

≡ ∃r::'q word. OmegaAutomaton_is_inf_runAw r∧a_funAw r

That is, a word w is accepted by A, iff there exists a run r such that some acceptance conditiona_fun holds on it. For Büchi automata,a_fun would for example encode that

“some state ofF would occur infinitly often inr”.

Furthermore some general properties on ω-automata are shown. For example, it is proven that for any infinite runr, thelimit, i. e., the set of states that occur infinitly often in the runr, are all part ofQand also that it is always non-empty:

lemma(inFinOmegaAutomaton)is_inf_run__limit_sub_Q: assumesOmegaAutomaton_is_inf_runAw r

showslimit r⊆ Q(A)

lemma(inFinOmegaAutomaton)is_inf_run__limit_nempty:

assumesOmegaAutomaton_is_inf_runAw r showslimit r∩ Q(A)6={}

Using this as a basis, different kinds of Büchi automata are defined, which we will describe in detail in the following.

Generalized Büchi Automata

Generalized Büchi Automata are defined in terms ofFinOmegaAutomaton, with 'fbeing instantiated with'q setthus modelling sets of sets of states⁴:

type_synonym('q,'l)GBArel =('q, 'l, 'q set)OmegaAutomaton localeGBArel = FinOmegaAutomatonA

forA::('q,'l)GBArel +

assumesF_consistent:^SF(A)⊆ Q(A)

The acceptance condition is modelled accordingly, thus accepting a word if the run hits a state of each of the acceptance sets:

definitionGBArel_accept≡

ExOmegaAutomaton_accept(λAw r.(∀S∈F(A). limit r∩S6= {}))

4The nameGBArelstems from them being defined in terms of an underlying relation (the LTS), opposed to the elementaryω-automata of Section 3.1.6.

This leads to the obvious definition of its language:

definitionL_GBArelA={w. GBArel_acceptAw}

The most important operation for our model checking application is the product con-struction, which is then defined as a functionGBArel_product, such that the following is true (we omit the definition itself for its technicalities):

lemmaGBArel_product_simps:

showsQ(GBArel_productA₁A₂)=Q A₁× Q A₂ and Σ(GBArel_productA₁ A₂)=ΣA₁ ∩_ΣA₂ and (q, a, q')∈ _∆(GBArel_productA₁ A₂)←→

(fst q, a, fst q')∈_∆A₁ ∧(snd q, a, snd q')∈_∆A₂ and I (GBArel_productA₁ A₂)=I A₁× I A₂

and F (GBArel_productA₁ A₂)=(λF. F× Q A₂)`F A<sub>1</sub>∪op× (Q A<sub>1</sub>)`F A₂

The definition of the acceptance sets expresses⁵: The cartesian product of each acceptance set of A₁ with all states ofA₂ union the cartesian product of all states ofA_{1 with each} acceptance set ofA₂.

It can be shown that this construction is indeed correct:

lemmaGBArel_product_is_GBArel:

assumesGBArelA₁andGBArelA₂ showsGBArel(GBArel_productA₁A₂) lemmaGBArel_product__language_eq:

assumesGBArelA₁andGBArelA₂

showsL_GBArel(GBArel_productA₁A₂)=L_GBArelA₁ ∩ L_GBArelA₂

Büchi Automata

Büchi automata are defined similarly to GBAs, but with'fbeing instantiated with'q, thus definingF Ato be a set of states:

type_synonym('q,'l)BArel =('q, 'l, 'q)OmegaAutomaton localeBArel = FinOmegaAutomatonA

forA::('q,'l)BArel + assumesF A ⊆ Q A

definitionBArel_accept≡ExOmegaAutomaton_accept(λAw r.(limit r∩ F A 6={})) definitionL_BArelA ≡ {w. BArel_acceptAw}

Having a Büchi automaton with a non-empty language, we can find a run that is part of the language, i. e., accepted by the automaton. Such a run is represented by a lasso:

For acceptance in a Büchi automaton, accepting states have to be visited infinitly often, thus ending the run in a circle. Combined with the (possibly empty) part from an initial

5f ` Adenotes the image offonA.

3.1 The Comprehensive Library

node to the first node of the circle, the run forms a lasso. We need to show that this lasso property holds, i. e., if the language of a Büchi automaton is non-empty, there exists a lasso.

And also the counter-side: If a lasso exists, we can construct a word that is accepted by this automaton:

lemmaBArel_accept_lasso:

assumesL_BArelA 6={}

shows∃q_i q_f r₁r2. q_i ∈ I A ∧q_f ∈ F A

∧ (∃w. LTS_is_fin_run(_∆A)w r₁)∧hd r₁ = q_i ∧last r₁= q_f

∧ (∃w. LTS_is_fin_run(_∆A)w r₂)∧hd r₂ = q_f ∧last r₂= q_f ∧length r₂> 1 lemmalasso_in_L_BArel:

assumesq_i ∈ I A andq_f ∈ F A

andLTS_is_fin_run(_∆A)w₁r₁∧hd r₁= q_i ∧last r₁= q_f

andLTS_is_fin_run(_∆A)w₂r₂∧hd r₂= q_f ∧last r₂= q_f ∧length r₂ > 1 showsw₁ _w₂^ω ∈ L_BArelA

andOmegaAutomaton_is_inf_runA(w₁ _w2ω) ((butlast r₁)_(butlast r2)^ω)

Here,w₁ _w₂ concatenates the two wordsw₁andw₂, andw^ω denotes the infinite word w_w_w_...

Thereafter, the relation between Büchi automata and their generalized counterpart is established. First the simple direction: A GBA is constructed from a BA. This is expressed by setting the accepting set of the BA as the one and only accepting set of the GBA. As a further optimization, whenF A=Q A, i. e., each state is accepting, the set of accepting sets for the GBA is set to the empty set: This is formally equivalent but gives a good runtime advantage in a later implementation. For technical reasons we omit the full definition and only show the important part for the initialization ofF:

definitionBArel_to_GBArel ::('q, 'l)BArel⇒('q,'l)GBArel

whereBArel_to_GBArel A ≡. . . (ifF A=Q Athen{}else{F A}) This construction is shown to have all expected properties:

lemmaBArel_to_GBArel__is_GBArel:

assumesBArelA

showsGBArel(BArel_to_GBArelA)

lemmaOmegaAutomaton_is_inf_run__BArel_to_GBArel_eq:

OmegaAutomaton_is_inf_run(BArel_to_GBArelA)w r

←→OmegaAutomaton_is_inf_runAw r

theorem(inBArel)BArel_to_GBArel__language_eq:

showsL_BArelA=L_GBArel(BArel_to_GBArelA)

Showing the other direction is more involved for the (possible) different accepting sets need to be encoded as a single set. In this formalization different counter constructions are used – further details are given by Schimpf [49].

System Automata

After having established this relation, it can be shown that the product construction on GBAs can be lifted to BAs – given that one of the BAs is aSystem Automaton. With this term we denote a BA where all states are final. The name stems from the fact that in model checking the system, or model, (as yielded by the construction in Chapter 5) is represented by such an automaton. We define such a specialization

localeSArel = BArelA forA+

assumesF A=Q A

lemma(inSArel)system_accept:

BArel_acceptAw←→(∃r. OmegaAutomaton_is_inf_runAw r)

and show that the native definition of the product is equal to the product at the GBA-level (A_S denotes the system,A_B the “normal” Büchi automaton, i. e., the property in model checking):

definitionSArel_BArel_productA_S A_B ≡

. . . {(q₁,q₂). q₁ ∈ Q A_S∧q₂∈ Q A_B ∧q₂ ∈ F A_B} definitionSArel_BArel_product_gbaA_SA_B

≡GBArel_to_BArel(GBArel_product(BArel_to_GBArelA_S) (BArel_to_GBArel A_B)) lemmaSArel_BArel_product__SArel_BArel_product_gba__eq:

assumesSArelA_S andBArelA_B

showsSArel_BArel_productA_SA_B= SArel_BArel_product_gbaA_SA_B

Labelled Büchi Automata

The algorithm of Gerth [15] uses a different representation of automata, where the labels are not part of the transition, but part of the state. As the CAVA project uses this algorithm to convert LTL properties into Büchi automata, they are also modelled here.

We will not go into detail here, and refer to Schimpf instead [49]. It is just to be noted that those structures are placed in the same hierarchy of automata types, by defining them as GBAs where the alphabet consists of the single token()and then adding a labelling function on states.

Im Dokument CAVA – A Verified Model Checker  (Seite 30-34)