Technion - Israel Institute of Technology

Beyond Vacuity: Towards the Strongest Passing Formula. Hana Chockler, Arie Gurfinkel, Ofer Strichman (IBM Research, SEI, Technion). Appeared in FMCAD'08.


Presentation Transcript


  1. Technion - Israel Institute of Technology. Beyond Vacuity: Towards the Strongest Passing Formula. Hana Chockler (IBM Research), Arie Gurfinkel (SEI), Ofer Strichman (Technion). Appeared in FMCAD'08.

  2. Preliminaries • The players: an LTL formula $\varphi$ in NNF, a structure $M$, and a literal occurrence $l$ in $\varphi$, such that $M \models \varphi$. • $l$ does not affect $\varphi$ in $M$ if $M \models \varphi[l \leftarrow \mathit{false}]$. • If such a literal exists, $\varphi$ is satisfied vacuously in $M$. • Connection with the original definition of vacuity [BBER01].

  3. Preliminaries • $\varphi = G(\mathit{req} \rightarrow \mathit{ack})$; $M$: a structure in which $\mathit{req}$ never holds. Then $M \models \varphi[\mathit{ack} \leftarrow \mathit{false}]$. • Perhaps we should have written a stronger property, $\varphi' = G(\neg \mathit{req})$. • "Satisfies vacuously" = "satisfies for the wrong reasons".

  4. Preliminaries • Vacuity can be checked with respect to literal occurrences: $\varphi = G(p \mathrel{U} (q \mathrel{U} \neg p))$. • Renaming, so that each literal appears once: $\varphi = G(p_1 \mathrel{U} (q \mathrel{U} p_2))$. • This requires changing $M$, e.g., replacing $p' = \mathit{exp}$ with $p_1' = \mathit{exp}$ and $p_2' = \neg \mathit{exp}$.

  5. Mutual vacuity [GC04] • Find the largest number of literals that can be replaced with false without falsifying $\varphi$ in $M$. Example: $\varphi = p \mathrel{U} (q \mathrel{U} r)$; in the pictured $M$ (states satisfying $r$) both $p$ and $q$ can be replaced with false at once: $M \models \mathit{false} \mathrel{U} (\mathit{false} \mathrel{U} r)$.

  6. Question • What is the strongest formula that is satisfied by $M$ and still "captures the user's intent" (= "is based on $\varphi$")?

  7. Towards the strongest formula – step I. If there are several possible strongest replacements of literals with false, we can take all of them: $\varphi = a \vee b \vee c$; $M$: a structure in which $a$, $b$ and $c$ all hold. $M \models a \vee \mathit{false} \vee \mathit{false}$, $M \models \mathit{false} \vee b \vee \mathit{false}$, $M \models \mathit{false} \vee \mathit{false} \vee c$; hence $M \models a \wedge b \wedge c$.

  8. Towards the strongest formula – step II. We can compute vacuity separately for each path: $\varphi = p \mathrel{U} (q \mathrel{U} r)$; $M$ has two paths, $\pi_1$ (states satisfying $p$, then $r$) and $\pi_2$ (states satisfying $q$, then $r$). $\pi_1 \models p \mathrel{U} (\mathit{false} \mathrel{U} r)$, i.e. $p \mathrel{U} r$; $\pi_2 \models \mathit{false} \mathrel{U} (q \mathrel{U} r)$, i.e. $q \mathrel{U} r$; so $M \models (p \mathrel{U} r) \vee (q \mathrel{U} r)$. Note that $\varphi$ itself is not vacuous in $M$.

  9. Combining both steps. $\Phi(M,\varphi)$ = disjunction over all paths in $M$, where each disjunct is the conjunction of all possible strongest formulas obtained from $\varphi$ by applying mutual vacuity to that path. Example: $\varphi = (p \vee q) \mathrel{U} (r \mathrel{U} v)$; $M$ has two paths, $\pi_1$ (states satisfying $p,q$, then $v$) and $\pi_2$ (states satisfying $r$, then $v$). $\pi_1 \models (p \mathrel{U} v) \wedge (q \mathrel{U} v)$; $\pi_2 \models r \mathrel{U} v$. $\Phi(M,\varphi) = ((p \mathrel{U} v) \wedge (q \mathrel{U} v)) \vee (r \mathrel{U} v)$.

  10. We are not done yet … Trying to get rid of vacuity we created a vacuous formula! $\Phi(M,\varphi)$ can be vacuous in $M$, because it can contain redundant disjuncts. Modified example: $\varphi = (p \vee q) \mathrel{U} (r \mathrel{U} v)$, with a third path $\pi_3$ that satisfies $v$ immediately: $\Phi(M,\varphi) = ((p \mathrel{U} v) \wedge (q \mathrel{U} v)) \vee (r \mathrel{U} v) \vee v$. The disjunct $v$ can be replaced with false without falsifying $\Phi(M,\varphi)$ in $M$.

  11. Getting rid of vacuity in $\Phi(M,\varphi)$. There is clearly a partial order between the disjuncts of $\Phi(M,\varphi)$, so we can keep only the weakest disjuncts: removing the redundant disjuncts from $\Phi(M,\varphi)$ gives $\Phi_{min}(M,\varphi)$, and $\Phi(M,\varphi) \Leftrightarrow \Phi_{min}(M,\varphi)$. It can be shown that $\Phi_{min}(M,\varphi)$ is the strongest formula satisfied in $M$ among all formulas in the Boolean closure of the strengthened versions of $\varphi$.

  12. How? • An algorithm for computing $\Phi_{min}(M,\varphi)$ has to enumerate the paths of $M$ (?) and compute the all-mutual-vacuity of each path (?). • It's not so bad in practice.

  13. The vacuity value. The vacuity value $vac(\pi,\varphi)$ is the set of sets of literals that can be replaced with false in $\varphi$ without falsifying $\varphi$ in $\pi$. Example: $\varphi = (p \vee q) \mathrel{U} (r \mathrel{U} v)$ on three paths (states satisfying $p,q$ then $v$; $r$ then $v$; $v$ at once). Their vacuity values are $\{\{p,r\},\{q,r\}\}$ (the path through $p,q$), $\{\{p,q\}\}$ (the path through $r$) and $\{\{p,q,r\}\}$ (the path that satisfies $v$ at once). Here we only wrote the maximal elements.

  14. The Vacuity Lattice • For a set of literals $L$, the vacuity lattice $V(L)$ is the set of downward-closed elements of $2^{2^L}$, ordered by inclusion. Example, the lattice for $L = \{a,b\}$ from top to bottom: $\{\{a,b\},\{a\},\{b\},\{\}\}$; $\{\{a\},\{b\},\{\}\}$; $\{\{a\},\{\}\}$ and $\{\{b\},\{\}\}$; $\{\{\}\}$; $\{\}$. • We denote elements by their maximal representatives: $\{\{a,b\}\}$; $\{\{a\},\{b\}\}$; $\{\{a\}\}$ and $\{\{b\}\}$; $\{\{\}\}$; $\{\}$.

  15. Another example of the vacuity lattice • $V(L)$ for $L = \{a,b,c\}$, by maximal representatives, from top to bottom: $\{\{a,b,c\}\}$; $\{\{a,b\},\{a,c\},\{b,c\}\}$; $\{\{a,b\},\{b,c\}\}$, $\{\{a,b\},\{a,c\}\}$, $\{\{a,c\},\{b,c\}\}$; $\{\{a,b\},\{c\}\}$, $\{\{a,c\},\{b\}\}$, $\{\{b,c\},\{a\}\}$, $\{\{a\},\{b\},\{c\}\}$; $\{\{a,b\}\}$, $\{\{a,c\}\}$, $\{\{b,c\}\}$, $\{\{a\},\{c\}\}$, $\{\{b\},\{c\}\}$, $\{\{a\},\{b\}\}$; $\{\{c\}\}$, $\{\{b\}\}$, $\{\{a\}\}$; $\{\{\}\}$; $\{\}$. • 20 elements rather than $2^{2^3} = 256$. In general $2^{|L|} \le |V(L)| \le 2^{2^{|L|}}$; the exact size is unknown for $|L| > 8$ [DP02].

  16. Useful restrictions on the vacuity lattice. Let $\varphi = G(a \vee b \vee c)$ and $L = lit(\varphi)$. 1. Let $V(\varphi) \subseteq V(L)$ be the set of elements that correspond to satisfiable formulas. 2. Let $V(M,\varphi) \subseteq V(\varphi)$ be the subset of $V(\varphi)$ that corresponds to witnesses in $M$. (Both are marked on the lattice diagram for $L = \{a,b,c\}$ of slide 15.)

  17. Useful restrictions on the vacuity lattice. 3. Let $V_{min}(M,\varphi) \subseteq V(M,\varphi)$ be the frontier of $V(M,\varphi)$ from below, i.e. its minimal elements (marked on the lattice diagram of slide 15).

  18. From $V_{min}(M,\varphi)$ to $\Phi_{min}(M,\varphi)$ by example. $\varphi = G(a \vee b \vee c)$; for the $M$ marked on the lattice diagram, $V_{min}(M,\varphi) = \{\{\{a,b\}\}, \{\{a\},\{c\}\}\}$ and $\Phi_{min}(M,\varphi) = G(c) \vee (G(b \vee c) \wedge G(a \vee b))$.

  19. So how do we compute $V_{min}(M,\varphi)$? $V := \emptyset$. While $M$ contains a path $\pi$ such that $vac(\pi,\varphi) \notin V{\uparrow}$ (the upset of $V$), add $vac(\pi,\varphi)$ to $V$. $V_{min}(M,\varphi)$ = the minimal elements of $V$.

  20. So how do we compute $V_{min}(M,\varphi)$? $V := \emptyset$. While $M$ contains a path $\pi$ such that $vac(\pi,\varphi) \notin V{\uparrow}$, add $vac(\pi,\varphi)$ to $V$. $V_{min}(M,\varphi)$ = the minimal elements of $V$. Two questions: how do we find the next such path, and how do we compute its vacuity value? Both by model checking: • brute-force model checking, or • via a lattice automaton.

  21. Finding the next path $\pi$. We need a path $\pi$ with a vacuity value outside $V{\uparrow}$ (on the lattice diagram: outside the upset of the elements already in $V$).

  22. Finding the next path $\pi$ / single element in $V$ • Let $L$ be a set of literals. For $s \subseteq L$ let $\varphi_s = \varphi[l \leftarrow \mathit{false} \mid l \in s]$. For $v \in V(L)$ let $C(v) = \bigwedge_{s \in v} \varphi_s$. • Example: $\varphi = G(a \vee b \vee c)$, $v = \{\{a\},\{c\}\}$: $C(v) = G(b \vee c) \wedge G(a \vee b)$. • A counterexample to $M \models C(v)$ must be outside $v{\uparrow}$.

  23. Finding the next path $\pi$ / multiple elements in $V$ • Let $L$ be a set of literals. For $s \subseteq L$ let $\varphi_s = \varphi[l \leftarrow \mathit{false} \mid l \in s]$. For $v \in V(L)$ let $C(v) = \bigwedge_{s \in v} \varphi_s$. For $V \subseteq V(L)$ let $C(V) = \bigvee_{v \in V} C(v)$. • Example: $\varphi = G(a \vee b \vee c)$, $v_1 = \{\{a\},\{c\}\}$, $v_2 = \{\{a,b\}\}$: $C(V) = (G(b \vee c) \wedge G(a \vee b)) \vee G(c)$. • A counterexample to $M \models C(V)$ must be outside $V{\uparrow}$.

  24. Finding the vacuity value of a path • Given $\pi$ and $\varphi$, compute $vac(\pi,\varphi)$. • Several options: 1. Traverse the vacuity lattice (doubly exponential in $|lit(\varphi)|$): in BFS order from the top over $V(\varphi) \setminus V{\uparrow}$, if $\pi \models C(v)$ return $v$. 2. An approach based on the subset lattice (singly exponential in $|lit(\varphi)|$, for each $\pi$). 3. An approach based on a lattice automaton (between singly and doubly exponential in $|lit(\varphi)|$, but only once).

  25. 2. Computing $vac(\pi)$ with the subset lattice • Let $S = \langle lit(\varphi), \subset \rangle$ be the subset lattice (for $lit(\varphi) = \{a,b,c\}$: $\{a,b,c\}$; $\{a,b\}$, $\{a,c\}$, $\{b,c\}$; $\{a\}$, $\{b\}$, $\{c\}$; $\{\}$). • $vac(\pi) := \emptyset$. • For each $s \in S$, in BFS order from the top: if $\pi \models \varphi_s$ then $vac(\pi) := vac(\pi) \cup \{s\}$ and remove $s$ from $S$.
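The procedure of slides 19 to 25 carried out in code: the vacuity value of a path via the subset-lattice walk of slide 25, the upset test of slide 19, $C(v)$ from slide 22, and $\Phi$, $V_{min}$ and $\Phi_{min}$ from it. This is an added example and not code from the slides or from the authors' implementation. It assumes a small NNF LTL fragment ($\wedge$, $\vee$, $G$, $U$, literals), that each literal name occurs once in $\varphi$ (the renaming of slide 4 is already done), that a path is a finite list of states whose last state repeats forever (so a scan over the list is exact), and that $M$ is handed over as an explicit list of such paths; the slides instead obtain the next path as a model-checking counterexample to $C(V)$.

```python
# Added worked example, not the paper's code: mutual vacuity, the vacuity lattice
# order, C(v) and Phi_min for a small NNF LTL fragment over explicit paths.  Assumed:
# a literal is ('lit', name, positive) and each name occurs once in phi (slide-4
# renaming done); a path is a finite state list whose last state repeats forever.
from functools import reduce
from itertools import combinations

FALSE = ('false',)
OPS = {'and': ' & ', 'or': ' | ', 'U': ' U '}

def ev(f, w, i):
    """Does the suffix w[i:] satisfy f?  Past the end we clamp to the last state."""
    n, k = len(w), f[0]
    i = min(i, n - 1)
    if k == 'false': return False
    if k == 'lit':   return (f[1] in w[i]) == f[2]
    if k == 'and':   return ev(f[1], w, i) and ev(f[2], w, i)
    if k == 'or':    return ev(f[1], w, i) or ev(f[2], w, i)
    if k == 'G':     return all(ev(f[1], w, j) for j in range(i, n))
    if k == 'U':     return any(ev(f[2], w, j) and all(ev(f[1], w, m) for m in range(i, j))
                                for j in range(i, n))
    raise ValueError(k)

def lits(f):
    """Literal occurrences of f, left to right."""
    return [f[1]] if f[0] == 'lit' else [l for g in f[1:] for l in lits(g)]

def strengthen(f, s):
    """phi_s = phi[l <- false | l in s] (slide 22)."""
    if f[0] == 'lit':
        return FALSE if f[1] in s else f
    return (f[0],) + tuple(strengthen(g, s) for g in f[1:])

def simplify(f):
    """Fold away false leaves: false|g = g, false U g = g, f U false = false, G false = false."""
    if f[0] in ('lit', 'false'):
        return f
    k, args = f[0], [simplify(g) for g in f[1:]]
    if k == 'or':
        return args[1] if args[0] == FALSE else args[0] if args[1] == FALSE else (k, *args)
    if k == 'U' and args[0] == FALSE:
        return args[1]
    return FALSE if FALSE in args else (k, *args)   # and, G, or U with a false right side

def show(f):
    """Readable form, e.g. ((q U v) & (p U v))."""
    k = f[0]
    if k == 'lit':   return f[1] if f[2] else '!' + f[1]
    if k == 'false': return 'false'
    if k == 'G':
        s = show(f[1])
        return 'G' + s if s.startswith('(') else f'G({s})'
    return f'({show(f[1])}{OPS[k]}{show(f[2])})'

def vac(path, f):
    """vac(pi, phi) by its maximal elements: walk the subset lattice from the top
    (slide 25); skip sets under one already found, as phi_t implies phi_s for s in t."""
    found, L = [], lits(f)
    for size in range(len(L), -1, -1):
        for s in map(frozenset, combinations(L, size)):
            if not any(s <= t for t in found) and ev(strengthen(f, s), path, 0):
                found.append(s)
    return frozenset(found)               # empty only if pi does not satisfy phi

def below(v, u):
    """v <= u in the vacuity lattice: each maximal set of v lies under one of u."""
    return all(any(s <= t for t in u) for s in v)

def conj(fs): return reduce(lambda a, b: ('and', a, b), fs)
def disj(fs): return reduce(lambda a, b: ('or', a, b), fs)

def C(v, f):
    """C(v) = conjunction of phi_s over the maximal sets s of v (slide 22)."""
    return conj([simplify(strengthen(f, s)) for s in sorted(v, key=sorted)])

def strongest_passing(paths, f):
    """Slides 19-20 with M given as a path list.  Returns (Phi, V_min, Phi_min): Phi is
    the slide-9 disjunction over all paths, Phi_min keeps C(v) for minimal values only."""
    values = [vac(path, f) for path in paths]
    assert all(values), 'M must satisfy phi'
    V = []
    for value in values:
        if not any(below(u, value) for u in V):   # value lies outside the upset of V
            V.append(value)
    vmin = [v for v in V if not any(u != v and below(u, v) for u in V)]
    return disj([C(v, f) for v in values]), vmin, disj([C(v, f) for v in vmin])

def vacuous_literals(paths, f):
    """Literals l with M |= phi[l <- false]: those in the meet of all path values (slide 38)."""
    return {l for l in lits(f) if all(any(l in s for s in vac(p, f)) for p in paths)}

if __name__ == '__main__':
    # Constructed input after slides 9-13: phi = (p | q) U (r U v) on three paths.
    p, q, r, v = (('lit', x, True) for x in 'pqrv')
    phi = ('U', ('or', p, q), ('U', r, v))
    M = [[{'p', 'q'}, {'v'}], [{'v'}], [{'r'}, {'v'}]]
    phi_all, vmin, phi_min = strongest_passing(M, phi)
    print('Phi =', show(phi_all), '\nPhi_min =', show(phi_min), '\nvacuous:', sorted(vacuous_literals(M, phi)))
```

On the three-path structure of slides 9 to 13 the full disjunction $\Phi$ contains the redundant disjunct $v$ of slide 10, while $\Phi_{min}$ keeps only $((q \mathrel{U} v) \wedge (p \mathrel{U} v)) \vee (r \mathrel{U} v)$: the value $\{\{p,q,r\}\}$ of the $v$-path lies in the upset of $\{\{p,r\},\{q,r\}\}$ and is never added to $V$. The skip rule in `vac` is what makes the subset-lattice walk cheap: because replacing more literal occurrences of an NNF formula with false only strengthens it, a set under an already-found maximal set never needs its own check.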

  26. 3. Computing $vac(\pi)$ with a vacuity automaton • A vacuity automaton is a lattice automaton [Kupferman-Lustig 07] over the vacuity lattice. • A lattice automaton maps an input word to a value in the lattice. • The vacuity automaton $A_\varphi$ maps each path $\pi$ to the vacuity value of $\varphi$ on $\pi$. • So we compute $A_\varphi$ (once) and simulate $\pi$ on $A_\varphi$ to get $vac(\pi)$. • Details in [CGS08].

  27. Some observations about $V(\varphi)$ and $V(M,\varphi)$ • If the minimal element of $V(\varphi)$ is not $\{\{\}\}$, then $\varphi$ is satisfied vacuously in all structures; such formulas are called inherently vacuous [FKSV08]. Example: $F(a \vee b)$ (shown on the lattice for $L = \{a,b\}$).

  28. Some observations about $V(\varphi)$ and $V(M,\varphi)$ • If $\{\{\}\}$ is the minimal element of $V(M,\varphi)$, then $M$ has an interesting witness for $\varphi$ (shown on the lattice for $L = \{a,b\}$).

  29. Some observations about $V(\varphi)$ and $V(M,\varphi)$ • If … (the condition is marked on the lattice diagram for $L = \{a,b,c\}$) then $\varphi$ is vacuous in $M$.

  30. Summary • Defined the formulas $\Phi(M,\varphi)$ and $\Phi_{min}(M,\varphi)$ • Proved that they are the strongest • Showed how to compute them

  31. backup slides

  32. The complexity is … in theory hideous! $O(|V(M,\varphi)| \cdot |M| \cdot 2^{|\varphi| \cdot 2^{|\varphi|}})$, where $|V(M,\varphi)|$ is the number of elements of $V(M,\varphi)$, $2^{|\varphi|}$ bounds the number of sets of literals, $|\varphi| \cdot 2^{|\varphi|}$ is the size of the formula that corresponds to a lattice element, and $|M| \cdot 2^{|\varphi| \cdot 2^{|\varphi|}}$ is the cost of model checking it.

  33. How to find $\pi$ and compute its vacuity value • We define the notion of vacuity automata. • A vacuity automaton is a lattice automaton [KL07] over the vacuity lattice. • A lattice automaton maps an input word to a value in the lattice. • The vacuity automaton $A_\varphi$ maps each path $\pi$ to the vacuity value of $\varphi$ on $\pi$: $L(A_\varphi)(\pi) = vac(\pi,\varphi)$. Actually, we first translate $\varphi$ to a latticed LTL formula … details are in the paper.

  34. Lattice Automata [KL07]. Lattice automata are an extension of finite automata: we allow transitions to be labeled with values from the lattice. • For an automaton $A$ and a word $w$, the value of a run $r$ of $A$ on $w$ is the meet of all intermediate lattice values obtained during $r$. • The value of $A$ on $w$ is the join of the values of all accepting runs of $A$ on $w$ (in case $A$ is non-deterministic). • The acceptance condition of lattice Büchi automata is the same as for standard Büchi automata. Example: Büchi automaton for $G(a \vee b)$: an accepting state with a self-loop on the letters $\{a\}$, $\{b\}$, $\{a,b\}$, and a second state entered and looped on by the remaining letters ($*$).

  35. Lattice Automata [KL07], continued. Example: vacuity lattice automaton for $G(a \vee b)$, with transitions labeled $\langle$letter, lattice value$\rangle$: self-loops on $s_0$ labeled $\langle \{a\}, \{\{b\}\} \rangle$, $\langle \{b\}, \{\{a\}\} \rangle$ and $\langle \{a,b\}, \{\{a\},\{b\}\} \rangle$; transitions labeled $\langle *, \top \rangle$ into and around $s_1$.

  36. Lattice value = $vac(w,\varphi)$. Indeed, for the vacuity lattice automaton of $G(a \vee b)$ (self-loops on $s_0$ labeled $\langle \{a\}, \{\{b\}\} \rangle$, $\langle \{b\}, \{\{a\}\} \rangle$, $\langle \{a,b\}, \{\{a\},\{b\}\} \rangle$; $\langle *, \top \rangle$ into and around $s_1$) consider three words and the value of the accepting run that stays in $s_0$: $w = a \cdot a \cdot a \cdot a \cdots$ has value $\{\{b\}\}$, and $w \models G(a)$; $w = b \cdot b \cdot b \cdot b \cdots$ has value $\{\{a\}\}$, and $w \models G(b)$; $w = (ab) \cdot (ab) \cdot (ab) \cdots$ has value $\{\{a\},\{b\}\}$, and $w \models G(a) \wedge G(b)$.
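The automaton of slides 35 and 36 simulated on lasso words, as an added example that is not part of the original slides or of [KL07]. It assumes that the automaton is deterministic (so the join over accepting runs is trivial), that lattice elements are represented by their maximal sets with $\top = \{\{a,b\}\}$, that the run is evaluated on a word of the form $\mathit{prefix} \cdot \mathit{loop}^\omega$, and that letters violating $a \vee b$ lead to a non-accepting sink $s_1$, in which case the word gets the bottom element (the empty downset: the formula fails on the word).

```python
# Added example, not from the paper or [KL07]: the vacuity lattice automaton for
# G(a | b) of slides 35-36, run on lasso words.  Assumed: the automaton is
# deterministic, lattice elements are given by their maximal sets, TOP = {{a,b}},
# and letters that violate a | b go to a non-accepting sink, so the run gets
# bottom (the empty downset, i.e. the formula fails on the word).
def meet(v, u):
    """Meet in the vacuity lattice: maximal elements of {s & t | s in v, t in u}."""
    inter = {s & t for s in v for t in u}
    return frozenset(x for x in inter if not any(x < y for y in inter))

TOP = frozenset({frozenset('ab')})      # every literal occurrence droppable

def g_or_automaton():
    """Transitions (state, letter) -> (next state, lattice value): the value of a
    letter lists the literal occurrences that letter leaves unused (slide 35)."""
    delta = {('s0', frozenset('a')):  ('s0', frozenset({frozenset('b')})),
             ('s0', frozenset('b')):  ('s0', frozenset({frozenset('a')})),
             ('s0', frozenset('ab')): ('s0', frozenset({frozenset('a'), frozenset('b')}))}
    return {'start': 's0', 'accepting': {'s0'}, 'delta': delta, 'sink': ('s1', TOP)}

def run_value(aut, prefix, loop):
    """Value of the deterministic run on prefix . loop^omega: the meet of the
    transition values it uses, or bottom if the cycle never visits an accepting state."""
    def step(state, value, letter):
        nxt, val = aut['delta'].get((state, frozenset(letter)), aut['sink'])
        return nxt, meet(value, val)
    state, value = aut['start'], TOP
    for letter in prefix:
        state, value = step(state, value, letter)
    trace, i = [], 0                      # (state, loop position) pairs until one repeats
    while (state, i) not in trace:
        trace.append((state, i))
        state, value = step(state, value, loop[i])
        i = (i + 1) % len(loop)
    cycle = trace[trace.index((state, i)):]
    return value if any(s in aut['accepting'] for s, _ in cycle) else frozenset()

def vac_G_a_or_b(prefix, loop):
    """vac(w, G(a | b)) for the lasso word w = prefix . loop^omega."""
    return run_value(g_or_automaton(), prefix, loop)

if __name__ == '__main__':
    # Constructed words: the three of slide 36, an alternating word, and a violating one.
    for word in ([{'a'}], [{'b'}], [{'a', 'b'}], [{'a'}, {'b'}], [set()]):
        print(word, '->', sorted(map(sorted, vac_G_a_or_b([], word))))
```

The alternating word $a \cdot b \cdot a \cdot b \cdots$ is the case the slide does not show: the meet of $\{\{b\}\}$ and $\{\{a\}\}$ is $\{\{\}\}$, so neither literal can be dropped and the word is an interesting (non-vacuous) witness in the sense of slide 28.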

  37. Computing $\Phi(M,\varphi)$ and $\Phi_{min}(M,\varphi)$ with vacuity lattice automata. Observation: the vacuity value $vac(M,\varphi)$ is the emptiness value of $M \times A_{vac}(\neg\varphi)$. Recall the algorithm for computing $\Phi(M,\varphi)$: $V := \emptyset$; while $M$ contains a path $\pi$ such that $vac(\pi,\varphi) \notin V{\uparrow}$, add $vac(\pi,\varphi)$ to $V$; return $V$. Here the vacuity values of the paths are computed with vacuity lattice automata. Possible improvement: take one path; use its vacuity value to build an intermediate formula; model-check the result; take a counterexample as the next path.

  38. Some cool observations about $V(\varphi)$ and $V(M,\varphi)$. Example: $\varphi = (p \vee q) \mathrel{U} r$; $M$ has two paths, $\pi_1$ (states satisfying $p,q$, then $r$) and $\pi_2$ (states satisfying $q$, then $r$). $vac(\pi_1) = \{\{q\},\{p\}\}$, $vac(\pi_2) = \{\{p\}\}$, so $M \models \varphi[p \leftarrow \mathit{false}]$. • If $\{\{\}\}$ is the minimal element of $V(M,\varphi)$, then $M$ has an interesting witness for $\varphi$ (a path that satisfies $\varphi$ non-vacuously). • Otherwise, either $\varphi$ is vacuous in $M$ …
