Alexandre Duret-Lutz
April 2009
Hypotheses on the system to verify.
You may consider a fairness hypothesis any time you have to deal
with a repeated choice.
Messages sent over a lossy channel will be delivered after a finite
number of retries (the repeated choice is whether the channel
will lose the message).
Starvation-free resource allocator: anybody requesting the
resource eventually gets it.
Two independent processes running on the same host get a run
slice infinitely often (the repeated choice is done by the
These hypotheses can be seen as constraints for the emptiness check.
If two independent processes running on the same host should get a
run slice infinitely often:
We want a counterexample where both processes are progressing
infinitely often.
We can ignore runs where one process is stuck.
Do we really need to modify the emptiness check algorithm?
To check proposition prop under hypothesis fairness,
we check fairness → prop:
$A_M \otimes A_{\neg(\mathit{fairness} \to \mathit{prop})}
  = A_M \otimes A_{\mathit{fairness} \wedge \neg\mathit{prop}}
  = A_M \otimes A_{\mathit{fairness}} \otimes A_{\neg\mathit{prop}}$

unconditional fairness  Something will happen infinitely often.  $GF\,p$
weak fairness           If something happens continuously, something else will
                        happen infinitely often.  $FG\,e \to GF\,e'$
strong fairness         If something happens infinitely often, something else
                        will happen infinitely often.  $GF\,e \to GF\,e'$
We have
$FG\,e \to GF\,e' \;=\; \neg FG\,e \lor GF\,e' \;=\; GF\,\neg e \lor GF\,e' \;=\; GF(\neg e \lor e')$
therefore weak fairness can be expressed as unconditional fairness.
fairness
We may want to apply several fairness hypotheses.

        weak fairness                                 strong fairness
        $\bigwedge_{i=1}^{n} GF(\neg en_i \lor o_i)$  $\bigwedge_{i=1}^{n} (GF\,en_i \to GF\,o_i)$
n = 1   1 state                                       4 states
n = 2   1 state                                       10 states
n = 3   1 state                                       28 states
n = 4   1 state                                       82 states
...     ...                                           ...
Look of $A_{GF(\neg en \lor o)}$
[Figure: a one-state automaton with two self-loops, labelled ¬en ∨ o and en ∧ ¬o.]
Büchi acceptance conditions correspond to formulæ such as $GF\,a$.
$A_M \otimes A_{\mathit{fairness}} \otimes A_{\neg\mathit{prop}}$
Look of $A_{GF\,en \to GF\,o}$
[Figure: two Büchi automata for GF en → GF o, with transitions labelled ¬en, o, ⊤,
¬o and en ∧ ¬o.]
Note: I don't know of any LTL translator that is able to create the
left automaton!
With n fairness hypotheses, the left automaton reaches $3^n$ states and
the right automaton reaches $3^n + 1$ states.
fairness
Weak fairness: $\bigwedge_{i=1}^{n} GF(\neg en_i \lor o_i)$
Generalized Büchi automata: always 1 state, deterministic.
Weak fairness comes for free if you have a generalized emptiness
check for generalized Büchi automata.
Strong fairness: $\bigwedge_{i=1}^{n} (GF\,en_i \to GF\,o_i)$
Generalized Büchi automata with $3^n + 1$ states, non-deterministic.
Streett automata: always 1 state, deterministic.
Differ from Büchi automata only in acceptance conditions.
Acceptance conditions look like "if a run sees one colour infinitely often,
then it will see another colour infinitely often" (can be generalized to more
pairs of colours).
Exactly what is needed to recognize $GF\,en \to GF\,o$:
[Figure: a one-state automaton with three self-loops labelled en ∧ ¬o, o and
¬en ∧ ¬o, with acceptance condition "colour ⇒ colour".]
For Büchi, we look for SCCs whose acceptance conditions verify
"colour ∧ colour ∧ colour ∧ colour" (every colour is seen).
For Streett they must verify something like
"(colour ⇒ colour) ∧ (colour ⇒ colour)".
Since the right-hand colour of a pair does not appear in this SCC, we start
again, but read the left-hand colour of that pair as a one-way barrier
forbidding attempts to come back.
To be correct, this has to be combined with a variant of heuristic H2
(ordering successors SCC-wise):
barriers must be crossed only after all normal successors have
been visited.
Slowdown (w.r.t. the generalized Büchi emptiness check):
SCCs are revisited at worst m times if there are m pairs of acceptance
conditions.
Compare with the $3^m + 1$ states of the Büchi automaton for the
Converting (generalized) Büchi automata into Streett automata?
Converting Streett automata into (generalized) Büchi automata?
Converting (generalized) Büchi automata into Streett automata? Easy!
[Figure: a Büchi automaton with states s1, s2, s3, s4, s5 and its Streett
acceptance condition "(colour ⇒ colour) ∧ (colour ⇒ colour)".]
Converting Streett automata into (generalized) Büchi automata?
[Figure: the model. Client C: states 1 and 2, transitions s and r.
Server S: states 1, 2 and 3, transitions r1, s1, r2, s2.
Channel B: states − and ×, transitions a and d.]
Synchronization rules for the system ⟨C, C, S, B, B, B, B⟩
(client 1, client 2, the server, and the four channels):
(1) ⟨s, ., ., ., ., a, .⟩
(2) ⟨., s, ., ., ., ., a⟩
(3) ⟨r, ., ., d, ., ., .⟩
(4) ⟨., r, ., ., d, ., .⟩
(5) ⟨., ., r1, ., ., d, .⟩
(6) ⟨., ., s1, a, ., ., .⟩
(7) ⟨., ., r2, ., ., ., d⟩
(8) ⟨., ., s2, ., a, ., .⟩
[Figure: reachable state graph of the synchronized product; states are labelled
by the propositions r1, r2, d1, d2 and their negations.]
We want the choice between transitions (5) and (7) to be fair.
Do we want strong or weak fairness?
If both (5) and (7) are enabled (= can occur) and we pick (5), then
transition (7) will not be enabled until (6) occurs. Therefore if we
always pick (5), (7) will not be enabled continuously: it will only be
enabled infinitely often. Weak fairness would therefore not force (7)
to occur; we need strong fairness.
Making the Kripke structure fair ("(colour ⇒ colour) ∧ (colour ⇒ colour)")
[Figure: the same state graph, now carrying the two Streett acceptance pairs.]
The previous example still allows scenarios where one client never
works. What if we want to disallow this?
We want (1) or (3) to occur infinitely often (i.e., client 1 progresses),
and (2) or (4) to occur infinitely often (i.e., client 2 progresses too).
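The following Python program is an added example, not code from these slides or from Spot. It builds the synchronized product of the two clients, the server and the four channels from the eight rules above, then runs an SCC-based emptiness check under Streett acceptance in which every fairness hypothesis, and the negated property, is one pair (E, F) meaning GF E → GF F. The component state names (1, 2, 3 for clients and server, '-' and 'x' for a channel), the transition directions, the property checked ("the server receives from client 2 infinitely often", i.e. GF o₇) and the refinement used are our choices: the check drops the E-edges of an SCC that has no F-edge and decomposes what remains, which is the textbook Streett check rather than the barrier/H2 variant described above.

```python
# Added example (our code, not the slides' nor Spot's): build the product of two clients, the
# server and four channels from the eight synchronization rules, then run an SCC-based Streett
# emptiness check to see which fairness hypotheses still leave a counterexample to GF o_7.
# Components as read off the figure (state names and directions are ours): client 1 -s-> 2 -r-> 1;
# server 1 -r1-> 2 -s1-> 1 and 1 -r2-> 3 -s2-> 1; channel '-' -a-> 'x' -d-> '-'.
CLIENT = {(1, 's'): 2, (2, 'r'): 1}
SERVER = {(1, 'r1'): 2, (2, 's1'): 1, (1, 'r2'): 3, (3, 's2'): 1}
CHANNEL = {('-', 'a'): 'x', ('x', 'd'): '-'}
COMPONENTS = (CLIENT, CLIENT, SERVER, CHANNEL, CHANNEL, CHANNEL, CHANNEL)
INIT = (1, 1, 1, '-', '-', '-', '-')
# Synchronization rules <C1, C2, S, B, B, B, B> copied from the slides; '.' = component idle.
RULES = {1: ('s', '.', '.', '.', '.', 'a', '.'), 2: ('.', 's', '.', '.', '.', '.', 'a'),
         3: ('r', '.', '.', 'd', '.', '.', '.'), 4: ('.', 'r', '.', '.', 'd', '.', '.'),
         5: ('.', '.', 'r1', '.', '.', 'd', '.'), 6: ('.', '.', 's1', 'a', '.', '.', '.'),
         7: ('.', '.', 'r2', '.', '.', '.', 'd'), 8: ('.', '.', 's2', '.', 'a', '.', '.')}

def fire(state, rule):
    """Successor of `state` by `rule`, or None if some component cannot take its part."""
    nxt = [cur if act == '.' else comp.get((cur, act))
           for comp, cur, act in zip(COMPONENTS, state, RULES[rule])]
    return None if None in nxt else tuple(nxt)

def build_product():
    """Reachable states, edges (src, dst, rule), and the set of rules enabled in each state."""
    states, edges, enabled, todo = {INIT}, [], {}, [INIT]
    while todo:
        s = todo.pop()
        succ = {r: fire(s, r) for r in RULES}
        enabled[s] = frozenset(r for r, t in succ.items() if t is not None)
        for r in enabled[s]:
            edges.append((s, succ[r], r))
            if succ[r] not in states:
                states.add(succ[r]); todo.append(succ[r])
    return states, edges, enabled
STATES, EDGES, ENABLED = build_product()

def sccs(states, edges):
    """Tarjan's SCC algorithm (iterative), restricted to the given states and edges."""
    succ = {s: [t for u, t, _ in edges if u == s] for s in states}
    index, low, stack, on_stack, out = {}, {}, [], set(), []
    def visit(v):
        index[v] = low[v] = len(index); stack.append(v); on_stack.add(v)
        return v, iter(succ[v])
    for root in (s for s in states if s not in index):
        work = [visit(root)]
        while work:
            v, it = work[-1]
            for w in it:
                if w not in index:
                    work.append(visit(w)); break
                if w in on_stack:
                    low[v] = min(low[v], index[w])
            else:                                  # every successor of v handled
                work.pop()
                if work:
                    low[work[-1][0]] = min(low[work[-1][0]], low[v])
                if low[v] == index[v]:             # v roots an SCC: pop it off the stack
                    comp = set()
                    while v not in comp:
                        w = stack.pop(); on_stack.discard(w); comp.add(w)
                    out.append(comp)
    return out

def accepting_sccs(states, edges, pairs):
    """Sets of states holding a cycle that satisfies every Streett pair (E, F) of edge predicates
    (meaning GF E -> GF F).  Textbook refinement, not the slides' barrier/H2 variant: an SCC with
    E-edges but no F-edge can take its E-edges only finitely often, so drop them and decompose again."""
    found = []
    for scc in sccs(states, edges):
        inner = [e for e in edges if e[0] in scc and e[1] in scc]
        if not inner:
            continue                               # trivial SCC: no cycle
        bad = [E for E, F in pairs if any(E(e) for e in inner) and not any(F(e) for e in inner)]
        if not bad:
            found.append(scc)                      # a cycle through all inner edges is accepting
        else:
            found += accepting_sccs(scc, [e for e in inner if not any(E(e) for E in bad)], pairs)
    return found

# Edge predicates: o_r = "rule r is taken", en_r = "rule r is enabled in the source state".
def taken(r): return lambda e: e[2] == r
def enabled(r): return lambda e: r in ENABLED[e[0]]
TRUE, FALSE = (lambda e: True), (lambda e: False)
NOT_PROP = (taken(7), FALSE)                                    # not GF o_7  ==  GF o_7 -> GF false
WEAK_7 = (TRUE, lambda e: 7 not in ENABLED[e[0]] or e[2] == 7)  # GF(!en_7 | o_7): a plain Büchi colour
STRONG_7 = (enabled(7), taken(7))                               # GF en_7 -> GF o_7
PROGRESS = [(TRUE, lambda e: e[2] in (1, 3)), (TRUE, lambda e: e[2] in (2, 4))]  # both clients progress

def counterexamples(hypotheses):
    """Accepting SCCs of the product under 'hypotheses and not prop'."""
    return accepting_sccs(STATES, EDGES, [NOT_PROP] + list(hypotheses))

def server_ignores_pending_request(hypotheses):
    """Some counterexample cycle visits a state where (7) is enabled, yet never takes (7)."""
    return any(7 in ENABLED[s] for scc in counterexamples(hypotheses) for s in scc)

if __name__ == '__main__':
    for hyp in ([], [WEAK_7], [STRONG_7], [STRONG_7] + PROGRESS):
        print(len(counterexamples(hyp)), 'counterexample SCC(s); pending request ignored:',
              server_ignores_pending_request(hyp))
```

Running it prints one line per set of hypotheses. Without any hypothesis, and still with weak fairness GF(¬en₇ ∨ o₇) on the server's choice, a counterexample cycle visits states where (7) is enabled: the server leaves client 2's request pending forever, and weak fairness is satisfied only because (7) is disabled while the server is busy with client 1. With strong fairness GF en₇ → GF o₇ those cycles disappear, and the remaining counterexamples are the ones where client 2 itself stops sending or reading. Adding the two progress hypotheses from the slide leaves no counterexample at all.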
[Figure: the state graph with the acceptance conditions for the progress of both
clients added.]
$(GF\,p_0 \to GF\,p_1) \wedge (GF\,p_2 \to GF\,p_0) \wedge (GF\,p_3 \to GF\,p_2) \wedge (GF\,p_4 \to GF\,p_2) \wedge (GF\,p_5 \to GF\,p_3) \wedge (GF\,p_6 \to GF(p_5 \lor p_4)) \wedge (GF\,p_7 \to GF\,p_6) \wedge (GF\,p_1 \to GF\,p_7) \;\to\; GF\,p_8$
How many states to encode the negation in a Büchi automaton?
Spot's LTL to Büchi translation without optimizations: 7291 states.
With optimizations: 1731 states.
How many states to encode the negation of the same formula in a Streett automaton?
Formula of the form