Научная статья на тему 'On the model checking of finite state transducers over semigroups'

On the model checking of finite state transducers over semigroups Текст научной статьи по специальности «Математика»

CC BY
193
79
i Надоели баннеры? Вы всегда можете отключить рекламу.
Ключевые слова
REACTIVE PROGRAM / TRANSDUCER / ВЕРИФИКАЦИЯ / VERIFICATION / ПРОВЕРКА НА МОДЕЛИ / MODEL CHECKING / ТЕМПОРАЛЬНАЯ ЛОГИКА / TEMPORAL LOGIC / КОНЕЧНЫЙ АВТОМАТ / FINITE STATE AUTOMATON / РЕГУЛЯРНЫЙ ЯЗЫК / REGULAR LANGUAGE / РЕАГИРУЮЩАЯ СИСТЕМА / АВТОМАТ-ПРЕОБРАЗОВАТЕЛЬ

Аннотация научной статьи по математике, автор научной работы — Gnatenko A.R., Zakharov V.A.

Sequential reactive systems represent programs that interact with the environment by receiving signals or requests and react to these requests by performing operations with data. Such systems simulate various software like computer drivers, real-time systems, control procedures, online protocols etc. In this paper, we study the verification problem for the programs of this kind. We use finite state transducers over semigroups as formal models of reactive systems. We introduce a new specification language LP-CTL* to describe the behavior of transducers. This language is based on the well-known temporal logic CTL* and has two distinguished features: 1) each temporal operator is parameterized with a regular expression over input alphabet of the transducer, and 2) each atomic proposition is specified by a regular expression over the output alphabet of the transducer. We develop a tabular algorithm for model checking of finite state transducers over semigroups against LP-CTL* formulae, prove its correctness, and estimate its complexity. We also consider a special fragment of LP-CTL* language, where temporal operators are parameterized with regular expressions over one-letter alphabet, and show that this fragment may be used to specify usual Kripke structures, while it is more expressive than usual CTL*.

i Надоели баннеры? Вы всегда можете отключить рекламу.
iНе можете найти то, что вам нужно? Попробуйте сервис подбора литературы.
i Надоели баннеры? Вы всегда можете отключить рекламу.

Текст научной работы на тему «On the model checking of finite state transducers over semigroups»

On the model checking of finite state transducers over semigroups

1 A.R. Gnatenko<[email protected]> 2 V.A. Zakharov<[email protected]> 1 Lomonosov Moscow State University, GSP-1, Leninskie Gory, Moscow, 119991, Russia 2 National Research University High School of Economics, 20, Myasnitskaya str., Moscow, 101000, Russia

Abstract. Sequential reactive systems represent programs that interact with the environment by receiving signals or requests and react to these requests by performing operations with data. Such systems simulate various software like computer drivers, real-time systems, control procedures, online protocols etc. In this paper, we study the verification problem for the programs of this kind. We use finite state transducers over semigroups as formal models of reactive systems. We introduce a new specification language LP-CTL* to describe the behavior of transducers. This language is based on the well-known temporal logic CTL* and has two distinguished features: 1) each temporal operator is parameterized with a regular expression over input alphabet of the transducer, and 2) each atomic proposition is specified by a regular expression over the output alphabet of the transducer. We develop a tabular algorithm for model checking of finite state transducers over semigroups against LP-CTL* formulae, prove its correctness, and estimate its complexity. We also consider a special fragment of LP-CTL* language, where temporal operators are parameterized with regular expressions over one-letter alphabet, and show that this fragment may be used to specify usual Kripke structures, while it is more expressive than usual CTL*.

Keywords: reactive program; transducer; verification; model checking; temporal logic; finite state automaton; regular language

DOI: 10.15514/ISPRAS-2018-30(3)-21

For citation: Gnatenko A.R., Zakharov V.A. On the model checking of finite state transducers over semigroups. Trudy ISP RAN/Proc. ISP RAS, vol. 30, issue 3, 2018, pp. 303324. DOI: 10.15514/ISPRAS-2018-30(3)-21

1. Introduction

Finite state machines are widely used in the field of computer science and formal methods for various purposes. While finite automata represent regular sets, transducers stand for regular (or, rational) relations and, therefore, can serve as models of programs and algorithms that operate with input and output data. For

example, transducers are used as formal models in software engineering to represent numerous algorithms, protocols and drivers that manipulate with strings, dataflows, etc. [1, 15, 25].

By extending the concept of ordinary transducers, we build a new formal model for sequential reactive systems. These systems are software programs or hardware devices that receive requests (control signals, commands) from the environment and perform in response some manipulations (actions, transformations) with data, interactions with the environment, mechanical movements, etc. While the flow of requests can be represented by finite or infinite words in some fixed alphabet, the sequence of actions of the system needs a more sophisticated interpretation. The key point here is that different sequences of actions may bring a computing system to the same result. To capture this effect the collection of actions performed by a reactive system can be viewed as a generating set of some algebraic structure (e.g. semigroup, group, ring, etc.) and particular algebraic properties of basic actions should be taken into account when choosing adequate formal models for this class of information processing systems. Let us illustrate this consideration by several examples.

• A network switch with several input and output ports. A switch is a device, which receives data packets on its input port, modifies their heads and commutes them to one of the output ports. Once received a special control signal, this switch changes its packet-forwarding table and, thus, its behaviour. Since packets from different flows may be processed in any order, the switch can be modeled by a transducer, which operates over a free partially commutative semigroup, or a trace monoid. Trace monoids are commonly used as an algebraic foundation of concurrent computations and process calculi (see, e.g., [9]).

• A real-time device that control the operation of some industrial equipment (say, a boiling system). Such device receives data from temperature and pressure sensors and switches some processes on and off according to its instructions and the current state of the system. It seems reasonable that for some actions the order of their implementation is not important (routine actions), while others must follow in a strictly specified order (e.g. an execution of some complex operation). Moreover, there are also actions which bring system to certain predefined operation mode (set-up actions). These actions are implemented in the emergency situations. A partially commutative semigroup with right-zero elements 0 which satisfy the equalities xO = 0 for every element x provides an adequate interpretation for such operations.

• A system supervisor that maintains a log-file. For each entry its date and time is recorded in the file and there is no way to delete entries from the log - only to append it. Thus, for any two basic actions (record operations to the log-file) it is crucial in which order they are performed and such a supervisor can be modeled by a transducer over a free semigroup. Verification techniques for such reactive

systems are considered in [17]; this is the main topic of this paper as well.

• A radio-controlled robot, that moves on a surface. It can make one step moves in any of direction. When it receives a control signal in a state q' it must choose and carry out a sequence of steps and enter to the next state q". At some distinguished state qf the robot reports its current location. Movements of the robot may be regarded as basic actions, and the simplest model of computation which is suitable for analyzing a behaviour of this robot is a nondeterministic finite state transducer operating on a free Abelian group of rank 2.

To construct a reliable system or network it is crucial for its components to have a correct behaviour. For example, a network switch must process received data packets within a specified number of execution steps and the boiling system should never be overheated, that is, will never remain for a long time in a particular condition without appropriate responses from the control device. By using finite state transducers as formal models of reactive systems, one can develop verification algorithms for these models to solve such problems as equivalence checking, deductive verification or model checking.

The study of the equivalence checking problem for classical transducers began in the early 60s. It was established that the equivalence checking problem for non-deterministic transducers is undecidable [13] even over 1-letter input alphabet [16]. However, the undecidability displays itself only in the case of unbounded transductions when an input word may have arbitrary many images. The equivalence checking problem was shown to be decidable for deterministic [4], functional (single-valued) [5, 19], and k-valued transducers [6, 26]. In a series of papers [20-22] techniques for checking bounded valuedness, k-valuedness and equivalence of finite state transducers over words were developed. Recently in [29] equivalence checking problem was shown to be decidable for finite state transducers that operate over finitely generated semigroups embeddable in decidable groups. There are also papers where equivalence checking problem for transducers is studiedin the framework of program verification. The authors of [23] proposed models of communication protocols as finite state transducers operating on bit strings. They set up the verification problem as equivalence checking between the protocol transducer and the specification transducer. The authors of [25] extended finite state transducers with symbolic alphabets, which are represented as parametric theories. They showed that a number of classical problems for extended transducers, including equivalence checking problem, are decidable modulo underlying theories. In [1] a model of streaming transducers was proposed for programs that access and modify sequences of data items in a single pass. It was shown that a number of verification problems such as equivalence checking, assertion checking, and checking correctness with respect to pre/post conditions, are decidable for this program model.

Meanwhile, very few papers on the model checking problem for transducers are known. Transducers can be conveniently used as auxiliary means in regular model

checking of parameterized distributed systems where configurations are represented as words over a finite alphabet. In such models, a transition relation on these configurations may be regarded as a rational relation and, thus, it may be specified by finite state transducers (see [7, 28]). In these papers, finite state transducers just play the role of verification instrument, but not an object of verification. However, as far as we know, a deeper investigation of the model checking problem for the reactive systems represented by transducers has not yet been carried out. We think that this is due the following main reason. A transducer is a model of computation which, given an input word, computes an output word. The letters of input and output alphabets can be regarded as valuations (tuples of truth values) of some set of basic predicates. Therefore, a transducer can be viewed as some special representation of a labeled transition system (Kripke structure) (see [2]). From this viewpoint model checking problem for finite state transducers conforms well to standard model checking scheme for finite structures, and, hence, it is not worthy of any particular treatment.

However, our viewpoint is quite different. Transducer is a more complex model of computation than a finite state automaton (transition systems). Its behaviorism characterized by the correspondence between input and output words. A typical property of such behaviour to be checked is whether for every (some) input word from a given pattern a transducer outputs a word from another given pattern. Therefore, when formally expressing the requirements of this kind one needs not only temporal operators to specify an order in which events occur but also some means to refer to such patterns. Conventional Temporal Logics like LTL or CTL are not sufficient in this case; they should be modified in such a way as to acquire an ability to express correspondences between the sets (languages) of input words and the sets (languages) of output words. This could be achieved by supplying temporal operators with patterns as parameters. Every such pattern is a formal description of a language L over an input alphabets; automata, formal grammars, regular expressions, language equations are suitable for this purpose. The basic properties of output words can be also represented by languages over an output alphabet. Then, for instance, an expression GLP can be understood as the requirement that for every input word w from the language L the output word h of a transducer belongs to the language P.

The advantages of this approach are twofold. On the one hand, such extensions of Temporal Logics make it possible to express explicitly relationships between input and output words and specify thus desirable behaviours of transducers. On the other hand, it can be hoped that such extensions could rather easily assimilate some well-known model checking techniques (see [3, 8]) developed for conventional Temporal Logics. The first attempt to implement this approach was made in [17]. The authors of this paper introduced an LT-LTL specification language based on LTL temporal logic and developed a checking procedure for transducers over free monoids against specifications from LT-LTL. It was shown that this procedure has double exponential time complexity.

In this paper we continue this line of research and "raise'' the specification language introduced in [17] to the level of JLT-CTL*. We will focus only on one task related to the use of new logic for the verification of reactive systems, namely, the development of a general model checking algorithm for finite state transducers against specifications in JLT-CTL*. Such issues as expressive power of JLT-CTL*, complexity of model checking and satisfiability checking problems, the influence of types of languages used as parameters and basic predicates in JLT-CTL* on decidability and complexity of model checking problem remain topic of our further research and will be covered in our subsequent works. We also leave beyond this work a number of applied questions, which are worthy of consideration in a separate paper. For example, it is important to understand to what extent the already developed model checking tools can be adapted to the new temporal logic. And, of course, in the future we will have a well-chosen series of examples that illustrate the new possibilities of using JLT-CTL*to describe the behavior of reactive systems.

The paper is organized as follows. In Section 2, we define the concept of finite state transducer over semigroup as a formal model of sequential reactive systems (see [29]) and in Section 3, we describe the syntax and the semantics of JLT-CTL* as a formal language for specifying behaviour of sequential reactive systems. In Section 3 we also set up formally model checking problem for finite state transducers against JLT-CTL* formulae. In Section 4, we present an JLT-CTL* model checking algorithm for the case when parameters of temporal operators and basic predicates are regular languages represented by finite state automata. The model checking algorithm we designed has time complexity which is linear of the size of a transducer but exponential of the size of JLT-CTL* formula. This complexity estimate is in contrast to the case of conventional CTL model checking: its time complexity is linear of both the size of a model and the size of a CTL formula. To explain this effect in Section 5 we show how JLT-CTL* formulae can be also checked on the conventional Kripke structures. Finally, we compare JLT-CTL* with some other known extensions Temporal Logics and discuss some topics for further research.

2. Finite state transducers as models of reactive systems

In this section, we introduce a Finite State Transducer as a formal model of a reactive computing system which receives control signals from the environment and reacts to these signals by performing operations with data.

Let C be a finite set of signals. Finite words over C are called signal flows; the set of all signal flows is denoted byC*. Given a pair of signal flows u and v we write uv for their concatenation, and denote by £ the empty flow.

Let <A = {at, ...,an} be a finite set of elements called basic actions; these actions stand for the elementary operations performed by a reactive system. Finite words over <A are called compound actions; they denote sequential compositions of basic actions. Since different sequences of basic actions could produce the same result,

one may interpret compound actions over a semigroup (S, e, generated by a set of basic actions <A. The elements of S are called data states. Every compound action h = ai±ai2 ...aik is evaluated by the data state [h] = [a^J ° [a¿J ° ...o [aik]. For example, if a reactive system just keeps a track of input requests by adding certain records to a log-file then a free semigroup will be suitable for interpretation of these operations. But when a robot moves on a 2-dimensional surface then the actions (movements) performed by this robot may be regarded as generating elements of Abelian group G of rank 2, and the positions on the surface occupied by this robot can be specified by the elements from G. In this paper we restrict ourselves to the consideration of free semigroups when [h] = h holds for every compound action h, and o is the word concatenation operation.

Let C be a set of signals and <A be a set of basic actions that are interpreted over a semigroup (S,e,o). Then a Finite State Transducer (in what follows, FST) is a quintuple n = (Q, C,^,qinit,T), where

• Q is a finite set of control states;

• Rinit E Q is an initial control state;

• TQQxCxQx M*is a finite transition relation.

Each tuple (q', c, q", h) in T is called a transition: when a transducer is in a control state q' and receives a signal c, it changes its state to q'' and performs a compound

c,h

action h. We denote such transition by q' — q''. A run of a FST n is any finite sequence of transitions

c1>h1 c2>h2 c3>h3 cn>hn

q± —>q2 —>93 —>----> qn+i;

this run transduces a signal flow w = c1c2 ... cn into a data state [h1h2 ... hn]. The behaviour of a FST n = (Q, C,^,qinit,T) over a semigroup (data space) (S,e,o) is presented formally by a transition system TS(n, S) = (D,C,dinit,T), where

• D = Q x S is (in general case, infinite) set of states of computation,

• dinit = (qinit, e) is the initial state, and

• TQDxCxD is a transition relation such that for every states of computation d' = (q', s'), d!' = (q", s") and every signal c E C the relationship

(d',c,d")ET ^ 3hEM*(q',c,q",h) ET and s" = s' o [h] holds.

c

As usual, a transition (d', c, d'') ET is denoted by d' ^ d''.

A trajectory in a transition system 7S(n, S) is a pair tr = (d0, a), where d0 E D and a = (c1,d1),(c2,d2), ..,(ci,di),... is a sequence of pairs (ci,di) such that

ci

di-1 ^ di holds for every i,i > 1. A trajectory represents a possible scenario of a behaviour of a sequential reactive system: when receiving a signal flow 308

c1,c2,... ,Ci,... the reactive system performs a sequence of basic actions h and follows sequentially via the states of computation d1, d2,..., dh .... By trl1 we mean the trajectory(d0 a|'), where all = (ci+1,di+1),(ci+2,di+2),... is a suffix of a, respectively.

3. LT-CTL* specification language

When designing sequential reactive systems one should be provided with a suitable formalism to specify the requirements for their desirable behaviour. For example, one may expect that

• a mobile robot, receiving an equal number of control signals "go_left'' and "go_right'', will always return to its original position,

• a network switch will never commute data packets from different packet flows into the same output buffer,

• it is not possible for the interrupt service routine to complete the processing of one interrupt before it receives a request to handle another.

These and many other requirements which refer to the correspondences between control flows and compound actions in the course of FST runs can be specified by means of Temporal Logics. When choosing a suitable temporal logic as a formal specification language of FST behaviours one should take into account two principal features of our model of sequential reactive systems:

• since a FST operates over a data space which is semigroup, the basic predicates must be interpreted over semigroups as well, and

• since a behaviour of a FST depends not on the time flow itself but on a signal flow which it receives as an input, temporal operators must be parameterized by certain descriptions of admissible signal flows.

To adapt traditional temporal logic formalism to these specific features of FST behaviours the authors of [17] introduced a new variant of Linear Temporal Logic (LTL). We assume that in general case one may be interested in checking the correctness of FST's responses to arbitrary set of signal flows. Every set of control flows may be regarded as a language over the alphabet C of signals. Therefore, it is reasonable to supply temporal operators ("globally" G, "eventually'' F, etc.) with certain descriptions of such languages as parameters. In more specific cases we may confine ourselves with considering only a certain family of languages (finite, regular, context-free, etc.) L used as parameters of temporal operators. These languages will be called environment behaviour patterns.

A reactive system performs finite sequences of basic actions in response to control signals from the environment and thus follows in the course of its run via a sequence of data states, which are elements of a semigroup (S, e, °), Therefore, basic predicates used in LTL formulae may be viewed as some sets of data states S', S' c s. These sets can be also specified in language-theoretic fashion.

Any language P over the alphabet of basic actions <A corresponds to a predicate (set of data states) SP = {[h] | he P}. As in the case of environment behaviour patterns we may distinguish a certain class T of languages and use them as specifications of basic predicates. When these languages are used as parameters in temporal formulae then it will be assumed that they are defined constructively by means of automata, grammars, Turing machines, etc.

Thus, we arrive at the concept of X^-variants of Temporal Logics. In [17] the syntax and semantics of LT-LTL was studied in some details in the case when both environment behaviour patterns and basic predicates are regular languages presented by finite automata. In this paper we make one step further and extend the concept of -variants of Temporal Logics to CTL*. Select an arbitrary family of environment behaviour patterns L and a family of basic predicates T. The set of LT-CTL* formulae consists of state formulae and trajectory formulae, which are defined as follows:

• each basic predicate P e T is a state formula;

• if (p1, (p2 are state formulae then — (p1, A (p2 and V (p2 are state formulae;

• if ^ is a trajectory formula then Aip and E^ are state formulae;

• if (p is a state formula then (p is a trajectory formula;

• if are trajectory formulae then — ip1, A ip2 and V ip2 are trajectory formulae;

• if (p, (p1, (p2 are state formulae, c e C, and L e L then Xcy, Ycy, Fhy, GLy and p1Uy2 are trajectory formulae.

The specification language JLT-CTL* is the set of all state formulae constructed as defined above.

Now we introduce the semantics of JLT-CTL* formulae. These formulae are interpreted over transition systems. Let M = 7S(n, S) be a transition system, d be a state of computation in this system, and tr be a trajectory in M. Then for every state formula (p we write M,d ^ (p to denote the fact that the assertion (p is true in the state d of M, and for every trajectory formula ^ we write M,tr ^ ip to denote the fact that the assertion ^ holds for the trajectory tr in M.

In the definition below it is assumed that M is a transition system, d = (q, s) is a state of computation in M, and tr = (d0, a) is a trajectory in M such that a = (c1,d1),(c2,d2),... ,(ci,di),.... We define the satisfiability relation ^ by induction on the height of formulae:

• M,d*= P ^ s e P;

• M,d^ — y ^ it is not true that M.d^y ;

• M,d^^1A^2 and M,d^y2;

• M,d^ Ey ^ there exists a trajectory tr' = (d,a') in M such that M,tr' ^ <p;

• M,d^ Afi ^ for any trajectory tr' = (d,a') in M it is true that $M,tr' ^ (p;

• if fi is a state formula then M,tr ^ fi ^ M,d0^ fi;

• M,tr ^ — ^ ^ it is not true that M, tr ^

• M,tr ^ ^1A M, tr ^ ^1 and M, tr \models ^2 ;

• M,tr ^ Xcp ^ c = c1 and M, d1 ^ fi;

• M,tr ^ Ycp ^ either c ^ c1, or M,d1 ^ p;

• M,tr ^ Fh(p i > 0 : c1c2... ciE L and M,trli ^ fi;

• M,tr ^ Gh(p ^ V i > 0 : if c1c2... ci E L then M, trli ^ fi;

• M,tr ^ fi ^3 i> 0 : c1c2 ... ci E L,M,trli ^ ^ and V j,0 < j < i, if c1c2 ... ci E L then M,trlj ^ fi.

Observe, that operators Xc and Yc, as well as Fh and GL, are dual to each other:

Proposition 1. For any LT-CTL* formula fi, any c E C and any L E L, and for an arbitrary trajectory tr in M

• tr ^ Xr fi ^^ tr ^ — Yc — fi,

• tr ^ FLfi ^ tr ^ — Gl — fi.

As usual, other Boolean connectives like V, ^, = may be defined by means of — and A. Some other CTL* operators like, for example, R (release) or W (weak until) may be parametrized by environmental behaviour patterns in the same fashion. The model checking problem we deal with is that of checking, given a finite state transducer n operating over a semigroup (S, e, o), and an JLT-CTL* formula fi, whether 7S(n,S), dinit ^ fi holds. When a semigroup is fixed then we use a brief notation n^ fi.

4. Model checking against LP-CTL* specifications

In this paper, we discuss only the most simple case of model checking problem for finite state transducers against JLT-CTL* formulae when

• the semigroup (S, o, e) the transducers operate over is a free monoid, which means that S is the set of all finite words in the alphabet <A, the binary operation o is concatenation of words, and the neutral element e is the empty word £;

• the family of environment behaviour patterns L is the family of regular languages in the alphabet C;

• all basic predicates in T are specified by regular languages in the alphabet <A. All regular languages used as environment behaviour patterns and basic predicate specifications are defined by means of deterministic finite state automata (DFAs). Therefore, the size of a LT-CTL* formula is the number of Boolean connectives and temporal operators occurred in fi plus the total size of automata used in fi to specify environment behaviour patterns and basic predicates.

Let us first describe a model checking algorithm for LT-CTL fragment of HP-CTL*, which consists of all JLT-CTL* formulae such that every temporal operator Xc, Yc, Fl, Gl Ul is immediately preceded by a trajectory quantifier E or A. In our algorithm, we involve an explicit iterative model checking techniques for the ordinary CTL (see [8, 10]). Following this approach satisfiability checking of a formula ty in a state d of a model M is reduced to satisfiability checking of the largest subformulae of ty in the state d and in the neighboring states of M. In other words, a model checking procedure incrementally labels all states of a model by those subformulae of ty which are satisfied in these states.

Let n = (Q,C,^,qinit,T) be a finite state transducer over the free semigroup (,A*, ■, e) and let ty be an LT-CTL formula. There are five pairs of coupled JLT-CTL temporal operators: AXC and EXC, AYC and EYC, AFL and EFL, AGL and EGL, AUl and EUl . As in the case of "ordinary" CTL (see ), each of these couple can be expressed in terms of four main coupled operators EXC, EYC, EGL and EUL:

Proposition 2. For every formula ty the following equalities hold

1. ^ AXcy = —EYC —(p,

2. ^ A\c(p = —EXC — (p,

3. ^ = —EGl — p,

4. = E[true^h^],

5. ^ AGLp = —EFl — p,

6. = —E[—^UL(—yA—^)] A —EGl—^.

iНе можете найти то, что вам нужно? Попробуйте сервис подбора литературы.

Certainly, some other relationships like fixed-point identities are also valid in JLT-CTL* (see [17]) but they will not be involved in this paper.

We can now bound our consideration with those LT-CTL formulae which are constructed using only —, A, EXC, EYC, EGL and EUL. Let M be a transition system TS(n, A*) = (D, C,dinit, T) of n over A*. It should be noticed that M is, in general, infinite. Therefore, to obtain an effective model checking procedure we need a construction that will model the behaviour of M w.r.t. a target formula ty. For every basic predicate P e T let AP = (QP, <A,initP,SP ,FP) be a minimal DFA recognizing this language. Here QP is a finite set of states, initP is an initial state, FP is a set of accepting states and SP ■ QPx QP is a transition function. The latter can be extended to the set in the usual fashion:

SP(qP,£) = qP and SP(qP,ra) = SP(SP(qP,Y),a).

Let P1,P2,-,Pk be all basic predicates occurred in the formula ty. Given a transducer n = (Q, C, qinit, T) and a formula ty, we build a checking machine — a transducer M = (Q qinit, T), where

• Q = Q x Qp±x ...x QPk is a set of states (to avoid misunderstanding we will call them metastates);

• Rinit = (q^it, initPl,..., initPk) is an initial metastate;

• f c Q x C x Q x <A* is a transition relation, such that:

( (ч'п,с' Ч"п, h)ET and (q',c,q",h) Eq о { 8P.{q'P.,h) = q" P.

( for all j, l<j<k.

Thus, every metastate is a tuple q = (q0, q±,..., qk) such that q0 E Q and qj E QP

for every j, 1 < j < k, and the transition relation T synchronizes transitions of n and the automata APl, ...,APk in response to every signal c. Recall that the elements of the free monoid are words s from <A*. The checking machine M induces a binary relation ~ on the set D: for an arbitrary pair d' = (q', s') and d" = (q", s") of states of computation of n over <A*

d'~d" f q' = q"and

~ {SP.(initP.,s') = SP.(initP.,s") for all j.

The relation ~ is clearly an equivalence relation of finite index, and every equivalence class of states of computation in M corresponds to a metastate of the checking machine M. As it can be seen from the definition of ~, if two states of computation d' and d" are equivalent and there is a trajectory tr' = (d', a') in M, where a' = (c±, d\), (c2, d'2),..., from one of these states, then there is

also a corresponding trajectory tr" = (d",a"), where a" = (c1,d"1),(c2,d"2),... from the other state, such that d\ ~ d"j holds for every i,i>l. Actually, this means that ~ is a bisimulation relation on the state space of the transition system M. It is well known (see [3, 8]) that bisimulation preserves the satisfiability of CTL formulae. The Proposition below shows that the same is true for £T-CTL. This means that the checking machine provides a finite contraction of the infinite transition system M = TS(n, w.r.t. satisfiability of LT-CTL formulae.

Proposition 3. Suppose that d' and d" are two states of computation in M such that d' ~ d". Then M,d' ^ ty o M, d" ^ ty.

Proof. It is carried out by induction on the nesting depth of ty. When ty is a basic predicate the assertion follows from the definition of ~. The cases when ty = —ty and ty = A are obvious. We focus only on the case of ty = E[tyULx]; the other cases when ty is of the form EXcty, EYcty, or EGLty can be treated similarly. Suppose that M,d' ^ E[tyULx]. Then, by the definition of LT-CTL semantics, there exists a trajectory tr' = (d', a'), such that M, tr' ^ ty ULx and a' = (c1,d'1),(c2,d'2),.... As it was noticed above, there is also a corresponding trajectory tr" = (d",a") in M, where a" = (c1,d"1),(c2,d"2),..., such that d\ ~ d"i holds for every i,i>l. Then, by induction hypotheses, M,d\ ^ ty o M, d"i ^ ty and M, d\ ^ x o M, d"t ^ x hold for every i,i>l. Since M, tr' ^ ty ULx, there exists i such that

1. c1c2.ciEL and M,tr'li^x;

2. for all j < i if c1c2 ... Cj E L then M, tr'lj ^

However, taking into account the fact that ty and x are state formulas, we must recognize that M,tr"ll = x and that M,tr"l^ = ty every time when M,tr'y = ty. Thus, we arrive at the conclusion that M, tr" = ip WLx and, hence, M, d" =

mvLxi ■

Each metastate q = (q0,Ri, -,Rk) of the checking machine <A. represents an equivalence class D^ which includes all states d = (q,h) e D such that q = q0 and SP.(initp.,h) = qj for allj,l <j<k. By using Proposition 3, we can correctly introduce a new satisfiability relation l=0 on the metastates of the checking machine: q = ty o for some d e fl^: M,d = ty.

Not only the states of the transition system M = TS(n, S) correspond to the metastates of the checking machine M, but also there is a relationship between the trajectories in M and the traces in M (they can be quite naturally called metatrajectories). More formally, every trajectory tr = (d0, a) in M with a = (c1,d1)(c2,d2) ..., corresponds to a metatrajectory tr = (q0,a), where a = (c1,q1)(c2,q2) - is such that for all i > 0: die D* . It is easy to see that every metatrajectory tr = (q0,a) corresponds to the only trajectory tr = (d0,a), which originates in a given state d0 from .

The well-known labeling algorithm for conventional CTL and ordinary Kripke structures can be now adapted in such a way as to cope with model checking problem for £T-CTL. The algorithm operates as follows. For every metastate q e Q of the checking machine M it computes a set label(q) of all subformulae of ty satisfied in q. More formally, let Sub(ty) be the minimal set of LT-CTL formulae such that:

1. ye Sub(<p);

2. if —ty e Sub(<p) then ty e Sub(<p);

3. if ty Axe Sub(cp) then ty, x e Sub(<p);

4. if EXcty e Sub(<p), E\cip e Sub(<p) or EGhip e Sub(<p) then ty e Sub(<p);

5. if E[tyULx] e Sub(<p) then ty, x e Sub(<p).

The algorithm builds incrementally the sets label(q) of all those ty e Sub(p) for which q holds. At the first step every label(q) contains only basic predicates, i. e. label(q) c Sub(p) n T. Then, at step i the algorithm processes those subformulae ty whose nesting depth is i - 1. Every time when the algorithm adds a subformula ty to label (q) it thus detects that q =0 ty.

All we need now is to describe how the algorithm should process formulae of 7 types: basic predicate P, —ty, A EXcty, EYcty, EGLty and ULx].

• A basic predicate Pt is added to label(q) iff q = (q0,q1, ...,qt,... ,qk) and qt e FP., i > 1;

• A subformula —ty is added to label(q) iff ty label(q);

• A subformula A ip2 is added to label(q) iff both ip2 e label(q); 314

• A subformula ЕХС^ is added to label (q) iff there exists a transition

c,h

q — q' such that ^ E label(q');

• A subformula EYCгр is added to label(q) iff there exists a transition

c,h л c,h

q — q' such that ^ E label(q') or a transition q — q' such that с' Ф c;

• To handle a subformula Е[ф ULx] we construct a directed labeled graph (DLG) Ги(М, L) as follows. Let AL = (QL, C, initL, SL, FL) be a minimal DFA that recognizes the language L. Then the nodes of ru(M,L) are all pairs (q,qL)EQxQL. This DLG has an arc of the form (q',qL')

c,h c,h

— ($'', Чь") iff ч' — 4'' is a transition of М and SL(qL', c) = qL". We then delete all those nodes (q ,qL) of ru(M,L) for which the relations ^ g label(q), x £ label(q) and qL E Fh hold simultaneously and discard all arcs incoming to or outcoming from such nodes. A DLG thus reduced is denoted by r^(M,L).

A subformula Е[ф ULx] is added to the set label(q) iff Гц(М, L) includes the node (q, initL) and there exists a directed path in this graph from this node to some node (q',qL') such that x E label(q') and qL' E Fh.

• For a subformula EGL^ we construct a DLG rc(M,L) in the same fashion and delete all the nodes (q,qL) for which the relations ^ g label(q) and qL E Fl hold simultaneously. As the result we obtain the reduced DLG r'_G (M,L).

The subformula EGL^ is added to the set label(q) iff r'(M,L) includes the node (q, initL) and there exists a directed path in this graph from this node to some nontrivial strongly connected component (SCC), that is, to a subgraph, every node of which is reachable from any other node by some non-empty path.

As soon as all the subformulae from Sub (<p) (including the formula (p) are processed we obtain the result of the model checking as

П \=<p о <pE label(qinit).

The correctness of this assertion is based on the following relationship: q ф о Ф E label(q). It can be proved by applying induction on the nesting depth of formulae with the help of Proposition 3. We also need Propositions 4 and 5 to justify the induction step for formulae of the form Е[ф WLx] and Suppose, that for every metastate q EQ it is true that q l=0 ty о-ф e label(q) and q =0 X о x E label(q). This statement is used as an inductive hypothesis.

Proposition 4. Let q0 E Q be an arbitrary metastate in Ж. Then q0 =0 Е[ф ULx] iff some node (q'.qi ) in DLG Г^-Ж.Ь), such that q'=o X and qL' EFL, is reachable from the node (q0, initL) by a directed path.

Proposition 5. Let q0 e Q be an arbitrary metastate in M'. Then q =0 iff

some nontrivial strongly connected component is reachable from the node (q, initL) in DLG r'c(M, L) by a directed path.

The proofs of these Propositions are straightforward adaptations of the correctness proof of the tabular model checking algorithm for CTL which is discussed in much details in [8]. However, for completeness of the exposition we give here a proof of Proposition 5. The proof of Proposition 4 follows the similar line of reasoning.

Proof of Proposition 5 (Sketch).

Suppose, that q0 =0 EG^. Consider an arbitrary state d0 e Dq0. Then, by definition of =0 and by Proposition 3, it is true that M, d0 = EGLty. This means that there is a trajectory tr=(d0,a), where a = (c1,d1),(c2,d2),..., such that M,tr = By the semantics of LT-CTL*, M,dt holds for every i such that c1c2 .c^e L.

Consider now the corresponding metatrajectory tt = (q0, a) in the checking machine, where a = (c±, (j^, (c2,q2),..., and let

■ ■ n cl'hl — N c2'h2 „ c3'h3

n = (q0,initL)—>(q1,q1L)—>(q2,R2L)—> .■■,

be the respective path in the DLG TC(M,L) which originates in the node (q0, initL). Relying on Proposition 3 and taking into account the fact that qiL = SL(initL,cic2 ...Ci) for every i,i > 0, we may conclude that qi =0 ty holds for every i such that qiL e F. By induction hypothesis, qi =0 ty is equivalent to ty e label(qi). Therefore, by definition of DLG TG(M,L) the path n is the infinite path which is entirely contained in the Y'C(:M,L). Due to the finiteness of Y'C(M,L), this path may be represented as a concatenation n = n1n2, where n1 is a finite path, and n2 is an infinite path passing through each of its nodes infinitely often. It is clear that the set V(n2) of all nodes of n2 is included in some strongly connected component. Thus, a nontrivial strongly connected component is reachable from the node (q0, initL) in DLG (M, L).

Suppose, that a nontrivial strongly connected component is reachable from the node (q0, initL) in DLG (M, L). Then there exists an infinite path

n = (q0,initL)—>(q1,q1L)—>(q2,Q2L)—> .■■,

in Tq(M,L) from the node (q0,initL) Consider now the sequence of the first components qi of all nodes (qi, qiL), i > 0, occurred in this path. By the definition of the DLG T'(M,L),

1. this sequence is a metatrajectory tr in the checking machine M,

2. ty e label(cji) holds for every node (cji, qiL) such that qiL e Fh.

By the induction hypothesis, the latter implies cji =0 ty for every metastate qi in this trajectory such that c1c2.cieL. Consider an arbitrary state d0 e D^ and a

trajectory tr=(d0,a) in М, where а = (c1,d1),(c2,d2),..., which corresponds to tr. By definition of =0 and Proposition 3, M,di =гр holds for every i such that c1c2... ct E L. Then, according to the semantics of LT-CTL*, M, tr = GL^, and, hence, M,d0 = EGL^. Thus, by referring once again to definition of =0, we arrive at the conclusion that q0 =0 EGL^. я

Now we estimate the complexity of the model checking algorithm for LT-CTL described above. By the size of a transducer П = (Q, C, A, qinit, T) we will mean the sum || П ||= |Q| + |T|. The size of a formula ф is defined as follows. Suppose that basic predicates {Pi}'[=1 occurred in ф are recognized by minimal DFAs {AP. = Qp.,M,initp.,Sp.,Fp.)},l=i. Suppose also that environment patterns {Li}\=i used in ф are recognized by minimal DFAs {Al. = ^.^тИ^б^,^.)}^. Then the size of ф is the sum || ф || =

ISиЬ(ф)\ + IjUlGpJ+IuiciJ.

As it can be seen from the description of our model checking algorithm, the size of auxiliary graphs Гц (M, L) and Г^ (M, L) used in this algorithm does not exceed the

value || П || - ( П \Qpi\ ) ' max(\0^\: 1 <i< s). These graphs are processed in no 4=0 '

more than \5иЬ(ф)\ steps. So, the total time complexity of our model checking

algorithm does not exceed the value Ц П Ц- \5иЬ(ф) \ ( П IQp^I )' max(IQiJ: 1 ^

ч=о '

i < s) which is 0(| П ||-2||'P||).

Because of these considerations, we get the following

Theorem 1. Model checking of a finite state transducer n operating over a free monoid against a formula ty E LT-CTL can be performed in time 0(|| n ||- 2^).

When a more general case of model checking problem of FSTs against JLT-CTL* formulae is concerned we can rely on the well-known combining approach which is based on the interleaving application of model checking algorithms for CTL and LTL. The details can be found in [8]. The similar procedure for JLT-CTL* can be obtained in the same fashion by means of LT-CTL model checking algorithm described above and LT-LTL model checking algorithm developed in . Since this approach does not take into account any specific features of JLT-CTL* formulae, we will not give a complete description of it.

5. LT-LTL* and ordinary Kripke structures

In this section, we consider the model checking problem for two subfamilies of JLT-CTL* whose semantics can be defined on ordinary Kripke structures.

Recall, that a Kripke structure over a finite set AP of atomic propositions is a quadruple M = (Q,qinit,R,P), where Q is a finite set of states which includes an initial state qinit, R £ Q x Q is a transition relation and p:Q ^ 2AP is a labeling function which for each state q gives a matching set p(q) £ AP of all atomic propositions that are evaluated to true in this state. As usual, the size of M is the sum || M ||= |Q| + |R|. Below we present two modifications of JLT-CTL* that are well suited for model checking of Kripke structures.

Given a Kripke structure M = (Q, qinit, R, L), consider a set of JLT-CTL* formulae where £is a family of regular languages over one-letter alphabet (c) and T = AP (we denote this formulae by £!P-1-CTL*) and a transition system Mc = (Q.(c),qinit.Rc.L) where (q',c,q") £ Rc iff (q',q") £ R. Then for q £ Q the relation q ^ P holds iff P £ p(q). The semantics of more complex formulae is defined exactly as in Section 3.

Some LT-1-CTL* formulae have an ability to keep track of the number of steps of the run. For example, an LT-1-LTL formula AG£ where L = (c2n) is a regular language which contains all 1-letter words of even length, expresses the assertion that y holds at every even step of a run. By using the techniques of Ehrenfeucht-Fraisse games for Temporal Logics developed and studied in [11] one can prove that this property cannot be specified by means of usual LTL. This certifies that JLT-1-CTL* is more expressive than CTL* and justifies its use as a new specification language for finite state transducers and Kripke structures.

Observe, that given a set AP of all atomic propositions used in formulae we can use the Mc directly as a checking machine M for the algorithm described in Section 4. Suppose that formula y refers to 1-letter regular languages L1,L2,-,LS as the parameters of temporal operators, and every language Li, 1 < i < s, is recognized by a DFA with a set of states QLi. Then the size of the graphs used in this algorithm does not exceed the value I M I- max(|Ç£.|: 1 < i < s) which is 0(|| M ||-|| V II), where Uv^lSub^l+ZUolQL.I. '

Another modification of the Kripke structure M allows one to encode more detailed information of the computation flow. Let E = 2AP. For each state q in M there exists a letter op(q) £ £ corresponding to the label p(q) assigned to this state. Let MAP = (Qv (err), qinit, RAP, pAP) be a transition system for M, where for every q £ Q the following equalities hold: pAP(q) = p(q), PAp(err) = (err) and Rap £ Q x 2ap x Q is a minimal transition relation such that:

• for each transition (q',q") of the Kripke structure M there exists a fair transition (q',op(qu),q") and erroneous transitions (q',a,err) for each

• (err, a, err) £ RAP holds for each a £ S and (err, a, q) RAP holds for each q * err.

Then consider a specification language LT-n-CTL* which is a set of all such formulae where L is a family of regular languages over Z and T = AP. To model

check a transition system MAP against these formulae one needs to process only the states in Q and only the fair transitions. To do so, we replace all state formulae of type A(p with A(G — err —> (p) and all state formulae of type Ey with E(G — err A (p). The transition system MAP thus obtained may as well be used as a checking machine for the model checking algorithm described in Section 4. Thereby, the following theorem holds.

Theorem 2.

1. There exists an algorithm for model checking of a Kripke structure M against a formula y E LT-1-CTL with time complexity 0(|| M ||-|| ^ II2).

2. There exists an algorithm for model checking of a Kripke structure M against a formula y E LT-n-CTL with time complexity 0(|| M ||-|| y H2-

As it can be seen from this theorem, the exponential complexity of model checking procedure described in Section 4 is due to the language-theoretic nature of basic predicates used in JLT-CTL*.

6. Related papers and conclusion

Actually, the idea of providing parameterization of temporal operators is not new. In [27] right-linear grammar patterns were offered to define new temporal operators. The same kind of temporal patterns but specified by means of finite state automata were introduced in [18, 24]. For these extensions it was proved that they have the same expressiveness as SIS and that satisfiability checking problem in these logics is PSPACE-complete. We did not pursue a goal of merely expanding the expressive possibilities of CTL*; our aim was to make CTL* more adequate for describing the behaviour of reactive systems. Almost the same kind of parametrization is used in Dynamic LTL. However, our extension of CTL* differs from that which was developed in [14], since in our logic basic predicates are also parameterized. The JLT-CTL* formulae allows one to specify and verify the behaviour of finite state transducers that operate over semigroups as well as classical Kripke structures. Moreover, when Kripke structures are concerned JLT-CTL* has more expressive power than conventional temporal logics. But the place of JLT-CTL* in the expressive hierarchy of specification languages, such as S1S, PDL or ^-calculus, has not yet been established and remains a matter for our further research. The results of this paper combined with the results of [17] provide positive solution to model checking for transducers over free semigroups. Free semigroups is the most simple algebraic structure which can be used for interpretation of basic actions performed by transducers when they are regarded as formal models of sequential reactive systems. Next, we are going to find out whether model checking algorithms could be built for transducers operating over more specific semigroups. Some preliminary results showed that this is not an easy problem. In [12] we proved that it is undecidable for the case of Abelian groups and free commutative semigroups.

It is also interesting how much the complexity of model checking algorithms for JLT-CTL* depends on languages that are used as parameters of temporal operators. We assume that model checking problem becomes undecidable when context-free languages are allowed for this purpose. The complexity issues of model checking for regular variant of JLT-CTL* also need further research. We assume that even for regular LT-CTL this problem is PSPACE-complete.

As for practical application of the results obtained, the most important issue is that of adapting the existing means of working with finite automata to widely known model checking tools (like SPIN, v-SMV, etc.) in order to be able to effectively implement the proposed model checking algorithms for LT-CTL*.

Acknowledgments

The authors of the article thank the anonymous reviewers for their valuable comments and advice on improving the article. This work was supported by the Russian Foundation for Basic Research, Grant N 18-01-00854.

References

[1]. Alur R., Cerny P. Streaming transducers for algorithmic verification of single-pass list-processing programs. In Proceedings of 38-th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, 2011, pp. 599-610

iНе можете найти то, что вам нужно? Попробуйте сервис подбора литературы.

[2]. Alur R., Moarref S., and Topcu U. Pattern-based refinement of assume-guarantee specifications in reactive synthesis. In Proceedings of 21-st International Conference on Tools and Algorithms for the Construction and Analysis of Systems, 2015, pp. 501-516.

[3]. Baier C., Katoen J. Principles of Model Checking, 2008, MIT Press.

[4]. Blattner M., Head T. The decidability of equivalence for deterministic finite transducers. Journal of Computer and System Sciences, 1979, vol. 1, pp. 45-49.

[5]. Blattner M., T. Head T. Single-valued a-transducers. Journal of Computer and System Sciences, vol. 15, 1977, pp. 310-327.

[6]. Culik K, Karhumaki J. The equivalence of finite-valued transducers (on HDTOL languages) is decidable. Theoretical Computer Science, 1986, vol. 47, pp. 71-84.

[7]. Bouajjani A., Jonsson B., Nilsson M., Touili T. Regular Model Checking. Proceedings of 12-th International Conference on Computer Aided Verification, 2000, p. 403-418.

[8]. Clarke (Jr.) E. M., Grumberg O., Peled D. A. Model Checking. MIT Press, 1999.

[9]. Diekert V., Rozenberg G. eds. The Book of Traces, 1995, World Scientific, Singapore.

[10]. Emerson E.A., Halpern J.Y. Decision procedures and expressiveness in the temporal logic of branching time. Journal of Computer and System Sciences, vol. 30, N 1, 1985, pp. 1-24.

[11]. Etessami K., WilkeT. An Until Hierarchy and Other Applications of and Ehrenfeucht-Fraisse Game for Temporal Logic. Information and Computation, vol. 160, 2000, pp. 88-108.

[12]. Gnatenko A.R., Zakharov V. A. On the complexity of verification of finite state machines over commutative semigroups. In Proceedings of the 18-th International Conference "Problems of Theoretical Cybernetics", 2017, pp. 68-70 (in Russian).

[13]. Griffiths T. The unsolvability of the equivalence problem for free nondeterministic generalized machines. Journal of the ACM, vol. 15, 1968, pp. 409-413.

[14]. HenriksenJ. G., Thiagarajan P.S. Dynamic linear time temporal logic. Annals of Pure and Applied Logic, vol. 96, 1999, pp.187-207.

[15]. Hu Q., D'Antoni L. Automatic Program Inversion using Symbolic Transducers. In Proceedings of the 38-th ACM SIGPLAN Conference on Programming Language Design and Implementation, 2017, pp. 376-389.

[16]. Ibarra O. The unsolvability of the equivalence problem for Efree NGSM's with unary input (output) alphabet and applications. SIAM Journal on Computing, vol. 4, 1978, pp. 524-532.

[17]. Kozlova D. G., Zakharov V. A. On the model checking of sequential reactive systems. Proceedings of the25-th International Workshop on Concurrency, Specification and Programming (CS&P 2016), CEUR Workshop Proceedings, vol. 1698, 2016, pp. 233244.

[18]. Kupferman O., Piterman N., Vardi M.Y. Extended Temporal Logic Revisited. In Proceedings of 12-th International Conference on Concurrency Theory, 2001, pp. 519535.

[19]. Schutzenberger M. P. Sur les relations rationnelles. In Proceedings of Conference on Automata Theory and Formal Languages, 1975, pp. 209-213.

[20]. Sakarovitch J., de Souza R. On the decomposition of k-valued rational relations. In Proceedings of 25-th International Symposium on Theoretical Aspects of Computer Science, 2008, pp. 621-632.

[21]. Sakarovitch J., de Souza R. On the decidability of bounded valuedness for transducers. In Proceedings of the 33-rd International Symposium on Mathematical Foundations of Computer Science, 2008, pp. 588-600.

[22]. De Souza R. On the decidability of the equivalence for k-valued transducers. In Proceedings of 12-th International Conference on Developments in Language Theory, 2008, pp. 252-263.

[23]. Thakkar J., Kanade A., Alur R. A transducer-based algorithmic verification of retransmission protocols over noisy channels. In Proceedings of IFIP Joint International Conference on Formal Techniques for Distributed Systems, 2013, pp. 209-224.

[24]. Vardi M.Y., Wolper P. Yet Another Process Logic. Logic of Programs, 1983, pp. 501512.

[25]. Veanes M., Hooimeijer P., Livshits B. et al. Symbolic finite state transducers: algorithms and applications. In Proceedings of the 39-th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, ACM SIGPLAN Notices, vol. 147, 2012, pp. 137-150.

[26]. Weber A. Decomposing finite-valued transducers and deciding their equivalence. SIAM Journal on Computing. vol. 22, 1993, pp. 175-202.

[27]. Wolper P. Temporal Logic Can Be More Expressive. Information and Control, vol. 56, N 1/2, 1983, pp. 72-99.

[28]. Wolper P., Boigelot B. Verifying systems with infinite but regular state spaces. In Proceedings of the 10-th Int. Conf. on Computer Aided Verification (CAV-1998), 1998, pp. 88-97.

[29]. Zakharov V.A. Equivalence checking problem for finite state transducers over semigroups. In Proceedings of the~6-th International Conference on Algebraic Informatics (CAI-2015), 2015, pp. 208-221.

О верификации конечных автоматов-преобразователей

над полугруппами

1 А.Р. Гнатенко< [email protected]> 2 В.А. Захаров<[email protected]> 1 Московский государственный университет им. М. В. Ломоносова, 119991, Российская Федерация, Москва, Ленинские горы, д. 1 2 Национальный исследовательский университет Высшая школа экономики, 101000, Российская Федерация, Москва, ул. Мясницкая, д. 20

Аннотация. Последовательные реагирующие системы - это программы, которые взаимодействуют с окружением, получая от него сигналы или запросы, и реагируют на эти запросы, проводя операции с данными. Подобные системы могут служить моделью для многих программ: драйверов, систем реального времени, сетевых протоколов и др. В статье исследуются задача верификации программ такого вида. В качестве формальных моделей для реагирующих систем мы используем конечные автоматы-преобразователи, работающие над полугруппами. Для описания поведения автоматов-преобразователей введён новый язык спецификаций LP-CTL*. В его основу положена темпоральная логика CTL*. Этот язык спецификаций имеет две характерные особенности: 1) каждый темпоральный оператор снабжён регулярным выражением над входным алфавитом автомата, и 2) каждое атомарное высказывание задается регулярным выражением над выходным алфавитом автомата-преобразователя. В данной работе представлен табличный алгоритм проверки выполнимости формул LP-CTL* на моделях конечных автоматов-преобразователей, работающих над свободными полугруппами. Доказана корректность предложенного алгоритма и получена оценка его сложности. Кроме того, рассмотрен специальный фрагмент языка LP-CTL*, содержащий в качестве параметров темпоральных операторов только регулярные выражения над однобуквенным алфавитом. Показано, что этот фрагмента применим для спецификаций обычных моделей Крипке, и при этом его выразительные возможности превосходят обычную логику CTL*.

Ключевые слова: реагирующая система, автомат-преобразователь, верификация, проверка на модели, темпоральная логика, конечный автомат, регулярный язык.

DOI: 10.15514/ISPRAS-2018-30(3 )-21

Для цитирования: Гнатенко А.Р., Захаров В.А. О верификации конечных автоматов-преобразователей над полугруппами. Труды ИСП РАН, том 30, вып. 3, 2018 г., стр. 303-324 (на английском языке). DOI: 10.15514/ISPRAS-2018-30(3)-21

Список литературы

[1]. Alur R., Cerny P. Streaming transducers for algorithmic verification of single-pass list-processing programs. In Proceedings of 38-th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, 2011, pp. 599-610

[2]. Alur R., Moarref S., and Topcu U. Pattern-based refinement of assume-guarantee specifications in reactive synthesis. In Proceedings of 21-st International Conference on Tools and Algorithms for the Construction and Analysis of Systems, 2015, pp. 501-516.

[3]. Baier C., Katoen J. Principles of Model Checking, 2008, MIT Press.

[4]. Blattner M., Head T. The decidability of equivalence for deterministic finite transducers. Journal of Computer and System Sciences, 1979, vol. 1, pp. 45-49.

[5]. Blattner M., T. Head T. Single-valued a-transducers. Journal of Computer and System Sciences, vol. 15, 1977, pp. 310-327.

[6]. Culik K, Karhumaki J. The equivalence of finite-valued transducers (on HDTOL languages) is decidable. Theoretical Computer Science, 1986, vol. 47, pp. 71-84.

[7]. Bouajjani A., Jonsson B., Nilsson M., Touili T. Regular Model Checking. Proceedings of 12-th International Conference on Computer Aided Verification, 2000, p. 403-418.

[8]. Clarke (Jr.) E. M., Grumberg O., Peled D. A. Model Checking. MIT Press, 1999.

[9]. Diekert V., Rozenberg G. eds. The Book of Traces, 1995, World Scientific, Singapore.

[10]. Emerson E.A., Halpern J.Y. Decision procedures and expressiveness in the temporal logic of branching time. Journal of Computer and System Sciences, vol. 30, N 1, 1985, pp. 1-24.

[11]. Etessami K., WilkeT. An Until Hierarchy and Other Applications of and Ehrenfeucht-Fraisse Game for Temporal Logic. Information and Computation, vol. 160, 2000, pp. 88-108.

[12]. Гнатенко А.Р., Захаров В.А. О сложности верификации конечных автоматов-преобразователей над коммутативными полугруппами. Материалы XVIII международной конференции «Проблемы теоретической кибернетики»' (Пенза, 20-24 июня, 2017), стр. 68-70.

[13]. Griffiths T. The unsolvability of the equivalence problem for free nondeterministic generalized machines. Journal of the ACM, vol. 15, 1968, pp. 409-413.

[14]. HenriksenJ. G., Thiagarajan P.S. Dynamic linear time temporal logic. Annals of Pure and Applied Logic, vol. 96, 1999, pp.187-207.

[15]. Hu Q., D'Antoni L. Automatic Program Inversion using Symbolic Transducers. In Proceedings of the 38-th ACM SIGPLAN Conference on Programming Language Design and Implementation, 2017, pp. 376-389.

[16]. Ibarra O. The unsolvability of the equivalence problem for Efree NGSM's with unary input (output) alphabet and applications. SIAM Journal on Computing, vol. 4, 1978, pp. 524-532.

[17]. Kozlova D. G., Zakharov V. A. On the model checking of sequential reactive systems. Proceedings of the25-th International Workshop on Concurrency, Specification and Programming (CS&P 2016), CEUR Workshop Proceedings, vol. 1698, 2016, pp. 233244.

[18]. Kupferman O., Piterman N., Vardi M.Y. Extended Temporal Logic Revisited. In Proceedings of 12-th International Conference on Concurrency Theory, 2001, pp. 519535.

[19]. Schutzenberger M. P. Sur les relations rationnelles. In Proceedings of Conference on Automata Theory and Formal Languages, 1975, pp. 209-213.

[20]. Sakarovitch J., de Souza R. On the decomposition of k-valued rational relations. In Proceedings of 25-th International Symposium on Theoretical Aspects of Computer Science, 2008, pp. 621-632.

[21]. Sakarovitch J., de Souza R. On the decidability of bounded valuedness for transducers. In Proceedings of the 33-rd International Symposium on Mathematical Foundations of Computer Science, 2008, pp. 588-600.

[22]. De Souza R. On the decidability of the equivalence for k-valued transducers. In Proceedings of 12-th International Conference on Developments in Language Theory, 2008, pp. 252-263.

[23]. Thakkar J., Kanade A., Alur R. A transducer-based algorithmic verification of retransmission protocols over noisy channels. In Proceedings of IFIP Joint International Conference on Formal Techniques for Distributed Systems, 2013, pp. 209-224.

[24]. Vardi M.Y., Wolper P. Yet Another Process Logic. Logic of Programs, 1983, pp. 501512.

[25]. Veanes M., Hooimeijer P., Livshits B. et al. Symbolic finite state transducers: algorithms and applications. In Proceedings of the 39-th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, ACM SIGPLAN Notices, vol. 147, 2012, pp. 137-150.

[26]. Weber A. Decomposing finite-valued transducers and deciding their equivalence. SIAM Journal on Computing. vol. 22, 1993, pp. 175-202.

[27]. Wolper P. Temporal Logic Can Be More Expressive. Information and Control, vol. 56, N 1/2, 1983, pp. 72-99.

[28]. Wolper P., Boigelot B. Verifying systems with infinite but regular state spaces. In Proceedings of the 10-th Int. Conf. on Computer Aided Verification (CAV-1998), 1998, pp. 88-97.

[29]. Zakharov V.A. Equivalence checking problem for finite state transducers over semigroups. In Proceedings of the~6-th International Conference on Algebraic Informatics (CAI-2015), 2015, pp. 208-221.

i Надоели баннеры? Вы всегда можете отключить рекламу.