Andreas Morgenstern

From LTL to symbolically represented deterministic automata

Temporal logics like LTL are frequently used for the specification and verification of reactive systems. For verification, LTL formulas are typically translated to generalized nondeterministic Buchi automata so that the verification problem is reduced to checking the emptiness of automata. While this can be done symbolically for nondeterministic automata, other applications require deterministic automata, so that a subsequent determinization step is required. Unfortunately, currently known determinization procedures for Buchi automata like Safras procedure are not amenable to a symbolic implementation. It is well-known that ω-automata that stem from LTL formulas have special properties. In this paper, we exploit such a property in a new determinization procedure for these automata. Our procedure avoids the use of complicated tree structures as used in Safras procedure and it generates symbolic descriptions of equivalent deterministic parity automata which was so far not possible for full LTL.

Solving Games Using Incremental Induction

Recently, IC3 has been presented as a new algorithm for formal verification. Based on incremental induction, it is often much faster compared to otherwise used fixpoint-based model checking algorithms. In this paper, we use the idea of incremental induction for solving two-player concurrent games. While formal verification requires to prove that a given system satisfies a given specification, game solving aims at automatically synthesizing a system to satisfy the specification. This involves both universal (player 1) and existential quantification (player 2) over the formulas that represent state transitions. Hence, algorithms for solving games are usually implemented with BDD packages that offer both kinds of quantification. In this paper, we show how to compute a solution of games by using incremental induction.

Exploiting the Temporal Logic Hierarchy and the Non-Confluence Property for Efficient LTL Synthesis

The classic approaches to synthesize a reactive system from a linear temporal logic (LTL) specification first translate the given LTL formula to an equivalent w-automaton and then compute a winning strategy for the corresponding w-regular game. To this end, the obtained w-automata have to be (pseudo)-determinized where typically a variant of Safra’s determinization procedure is used. In this paper, we show that this determinization step can be significantly improved for tool implementations by replacing Safra’s determinization by simpler determinization procedures. In particular, we exploit (1) the temporal logic hierarchy that corresponds to the well-known automata hierarchy consisting of safety, liveness, B¨ uchi, and co-B¨ uchi automata as well as their boolean closures, (2) the non-confluence property of w-automata that result from certain translations of LTL formulas, and (3) symbolic implementations of determinization procedures for the Rabin-Scott and the Miyano-Hayashi breakpoint construction. In particular, we present convincing experimental results that demonstrate the practical applicability of our new synthesis procedure.

A LTL Fragment for GR(1)-Synthesis

The idea of automatic synthesis of reactive programs starting from temporal logic (LTL) specifica-tions is quite old, but was commonly thought to be infeasible due to the known double exponentialcomplexity of the problem. However, new ideas have recently renewed the interest in LTL synthesis:One major new contribution in this area is the recent work of Piterman et al. who showed how poly-nomial time synthesis can be achieved for a large class of LTL specifications that is expressive enoughto cover many practical examples. These LTL specifications are equivalent to w-automata having aso-called GR(1) acceptance condition. This approach has been used to automatically synthesize im-plementations of real-world applications. To this end, manually written deterministic w-automatahaving GR(1) conditions were used instead of the original LTL specifications. However, manuallygenerating deterministic monitors is, of course, a hard and error-prone task. In this paper, we there-fore present algorithms to automatically translate specifications of a remarkable large fragment ofLTL to deterministic monitors having a GR(1) acceptance condition so that the synthesis algorithmscan start with more readable LTL specifications.

An asymptotically correct finite path semantics for LTL

Runtime verification of temporal logic properties requires a definition of the truth value of these properties on the finite paths that are observed at runtime. However, while the semantics of temporal logic on infinite paths has been precisely defined, there is not yet an agreement on the definition of the semantics on finite paths. Recently, it has been observed that the accuracy of runtime verification can be improved by a 4-valued semantics of temporal logic on finite paths. However, as we argue in this paper, even a 4-valued semantics is not sufficient to achieve a semantics on finite paths that converges to the semantics on infinite paths. To overcome this deficiency, we consider in this paper Manna and Pnuelis temporal logic hierarchy consisting of safety, liveness (guarantee), co-Buchi (persistence), and Buchi (recurrence) properties. We propose the use of specialized semantics for each of these subclasses to improve the accuracy of runtime verification. In particular, we prove that our new semantics converges to the infinite path semantics which is an important property that has not been achieved by previous approaches.

Synthesizing Deterministic Controllers in Supervisory Control

Supervisory control theory for discrete event systems is based on finite state automata whose inputs are partitioned into controllable and uncontrollable events. Well-known algorithms used in the Ramadge-Wonham framework disable or enable controllable events such that it is finally possible to reach designated final states from every reachable state. However, as these algorithms compute the least restriction on controllable events, their result is usually a nondeterministic automaton that can not be directly implemented. For this reason, one distinguishes between supervisors (directly generated by supervisory control) and controllers that are further restrictions of supervisors to achieve determinism. Unfortunately, controllers that are generated from a supervisor may be blocking, even if the underlying discrete event system is nonblocking. In this paper, we give a modification of a supervisor synthesis algorithm that enables us to derive deterministic controllers. Moreover, we show that the algorithm is both correct and complete, i.e., that it generates a deterministic controller whenever one exists.

Program sketching via CTL* model checking

Sketching is an approach to automated software synthesis where the programmer develops a partial implementation called a sketch and a separate specification of the desired functionality. A synthesizer tool then automatically completes the sketch to a complete program that satisfies the specification. Previously, sketching has been applied to finite programs with a desired functional input/output behavior and given invariants. In this paper, we consider (non-terminating) reactive programs and use the full branching time logic CTL* to formalize specifications. We show that the sketching problem can be reduced to a CTL* model checking problem provided there is a translation of the program to labeled transition systems.

Using Model Checking to Solve Supervisor Synthesis Problems

Verification procedures, which check whether a given system satisfies a given specification, are nowadays mature for industrial usage. The more general supervisor synthesis problem asks how a system has to be restricted or which actions have to be selected such that the system satisfies a given specification. Supervisor synthesis problems are often formulated in frameworks like game structures that are more general than the Kripke structures that are traditionally used in verification. For this reason, current verification tools can not be used for supervisory control problems. In this paper, however, we present a reduction of alternating time μ-calculus model checking problems (on game structures) to model checking problems of the μ-calculus on Kripke structures. As a result, arbitrary model checkers can be used to solve supervisor synthesis problems. As a demonstration of the applicability of our approach, we show how the classical supervisory control problems of Ramadge and Wonham can be solved within our framework.

Lifting Verification Results for Preemption Statements

The normal operation of synchronous modules may be temporarily suspended or finally aborted due to requests of their environment. Hence, if a temporal logic specification has already been verified for a synchronous module, then the available verification result can typically only be used if neither suspension nor abortion will take place. Also, the simulation of synchronous modules has to be finally aborted so that temporal logic specifications referring to infinite behaviors cannot be completely answered. In this paper, we therefore define transformations on temporal logic specifications to lift available verification results for synchronous modules without suspension or abortion to refined temporal logic specifications that take care of these preemption statements. This way, one can establish simulation and modular verification of synchronous modules in contexts where preemptions are used.