Beyond Vacuity: Towards the Strongest Passing Formula (Hana Chockler, Arie Gurfinkel, Ofer Strichman)

Post on 19-Dec-2015


Beyond Vacuity: Towards the Strongest Passing Formula

Hana Chockler (IBM Research), Arie Gurfinkel (SEI), Ofer Strichman (Technion - Israel Institute of Technology)

(Appeared in FMCAD'08)

IBM HRL


Preliminaries

The players: an LTL formula $\varphi$ in NNF, a structure $M$ such that $M \models \varphi$, and a literal occurrence $l$ in $\varphi$.

$l$ does not affect $\varphi$ in $M$ if $M \models \varphi[l \leftarrow \mathit{false}]$.

If such a literal exists, $\varphi$ is satisfied vacuously in $M$. (This is the connection with the original definition of vacuity [BBER01].)


Preliminaries

$\varphi = G(\mathit{req} \rightarrow \mathit{ack})$

$M$: a structure in which $\mathit{req}$ never holds (figure: $M$ labelled $\neg\mathit{req}$)

$M \models \varphi[\mathit{ack} \leftarrow \mathit{false}]$

Perhaps we should have written a stronger property, $\varphi' = G(\neg\mathit{req})$.

"Satisfies vacuously" = "satisfies for the wrong reasons".


Preliminaries

Vacuity can be checked with respect to literal occurrences.

$\varphi = G(p \mathrel{U} (q \mathrel{U} \neg p))$

Renaming, so that each literal appears once: $\varphi = G(p_1 \mathrel{U} (q \mathrel{U} p_2))$

This requires changing $M$ as well, e.g., replace $p' = \mathit{exp}$ with $p_1' = \mathit{exp}$ and $p_2' = \neg\mathit{exp}$.


Mutual vacuity [GC04]

Find the largest number of literals that can be replaced with false without falsifying $\varphi$ in $M$.

Example: $\varphi = p \mathrel{U} (q \mathrel{U} r)$ and a structure $M$ in which $r$ holds (figure: $M$ labelled $r$). Both $p$ and $q$ can be replaced at once: $M \models \mathit{false} \mathrel{U} (\mathit{false} \mathrel{U} r)$.


Question

What is the strongest formula that is satisfied by $M$ and still "captures the user's intent" (= "is based on $\varphi$")?


Towards the strongest formula, step I

If there are several possible strongest replacements of literals with false, we can take all of them.

Example: $\varphi_{a,b,c} = a \lor b \lor c$ and a structure $M$ (figure) for which each of the three maximal replacements passes:

$M \models \varphi[b,c \leftarrow \mathit{false}]$, $M \models \varphi[a,c \leftarrow \mathit{false}]$, $M \models \varphi[a,b \leftarrow \mathit{false}]$

so we take all three: $M \models (a \land b \land c)$.


Towards the strongest formula, step II

We can compute vacuity separately for each path.

$\varphi = p \mathrel{U} (q \mathrel{U} r)$

$M$: two paths $\pi_1$ and $\pi_2$ (figure: $\pi_1$ is labelled $p$ and then $r$, $\pi_2$ is labelled $q$ and then $r$)

$\pi_1 \models p \mathrel{U} (\mathit{false} \mathrel{U} r)$, i.e. $p \mathrel{U} r$

$\pi_2 \models \mathit{false} \mathrel{U} (q \mathrel{U} r)$, i.e. $q \mathrel{U} r$

$M \models ((p \mathrel{U} r) \lor (q \mathrel{U} r))$

Note that $\varphi$ itself is not vacuous in $M$: no single literal can be replaced on both paths.


Combining both steps

$\Phi(M,\varphi)$ = disjunction over all paths in $M$; each disjunct is the conjunction of all possible strongest formulas obtained from $\varphi$ by applying mutual vacuity to that path.

Example: $\varphi = (p \lor q) \mathrel{U} (r \mathrel{U} v)$

$M$: two paths (figure: $\pi_1$ is labelled $p,q$ and then $v$; $\pi_2$ is labelled $r$ and then $v$)

$\pi_1 \models (p \mathrel{U} v) \land (q \mathrel{U} v)$

$\pi_2 \models r \mathrel{U} v$

$\Phi(M,\varphi) = ((p \mathrel{U} v) \land (q \mathrel{U} v)) \lor (r \mathrel{U} v)$


We are not done yet ...

$\Phi(M,\varphi)$ can be vacuous in $M$, because it can contain redundant disjuncts.

Modified example: $\varphi = (p \lor q) \mathrel{U} (r \mathrel{U} v)$, and $M$ now has a third path $\pi_3$ that is labelled $v$ from its first state (figure: $\pi_1$, $\pi_2$, $\pi_3$).

$\Phi(M,\varphi) = ((p \mathrel{U} v) \land (q \mathrel{U} v)) \lor (r \mathrel{U} v) \lor v$

The last disjunct, $v$, can be replaced with false without falsifying $\Phi(M,\varphi)$ in $M$, because $\pi_3$ already satisfies $r \mathrel{U} v$. Trying to get rid of vacuity, we created a vacuous formula!


Getting rid of vacuity in $\Phi(M,\varphi)$

There is clearly a partial order between the disjuncts in $\Phi(M,\varphi)$, so we can keep only the weakest disjuncts:

$\Phi(M,\varphi) \rightarrow \Phi_{\min}(M,\varphi)$ by removing redundant disjuncts.

$\Phi_{\min}(M,\varphi)$ is the strongest formula that is satisfied in $M$ among all the formulas in the Boolean closure of strengthened versions of $\varphi$.

It can be shown that $\Phi(M,\varphi) \equiv \Phi_{\min}(M,\varphi)$.


How?

An algorithm for computing $\Phi_{\min}(M,\varphi)$ has to enumerate the paths in $M$ (?) and compute the all-mutual-vacuity of each path (?).

It's not so bad in practice.


The vacuity value

Example: $\varphi = (p \lor q) \mathrel{U} (r \mathrel{U} v)$ with the three paths of the previous example (figure: $\pi_1$ labelled $p,q$ then $v$; $\pi_2$ labelled $r$ then $v$; $\pi_3$ labelled $v$).

The vacuity value $\mathit{vac}(\pi,\varphi)$ is the set of sets of literals that can be replaced with false in $\varphi$ without falsifying $\varphi$ in $\pi$.

$\mathit{vac}(\pi_1,\varphi) = \{\{p,r\},\{q,r\}\}$, $\mathit{vac}(\pi_2,\varphi) = \{\{p,q\}\}$, $\mathit{vac}(\pi_3,\varphi) = \{\{p,q,r\}\}$

(Here we only wrote the maximal elements.)


The vacuity lattice

For a set of literals $L$, the vacuity lattice $V(L)$ is the set of downset-closed elements of $2^{2^L}$, ordered by inclusion.

Example: the lattice for $L = \{a,b\}$ (figure: Hasse diagram, bottom to top)

$\{\}$
$\{\{\}\}$
$\{\{a\},\{\}\}$ and $\{\{b\},\{\}\}$ (incomparable)
$\{\{a\},\{b\},\{\}\}$
$\{\{a,b\},\{a\},\{b\},\{\}\}$

Denote each element by its maximal representatives and remove the arrows; the same lattice then reads, bottom to top:

$\{\}$, $\{\{\}\}$, $\{\{a\}\}$ and $\{\{b\}\}$, $\{\{a\},\{b\}\}$, $\{\{a,b\}\}$


Another example of the vacuity lattice

The lattice $V(L)$ for $L = \{a,b,c\}$ has 20 elements rather than $2^{2^3} = 256$. In maximal-representative notation, listed in groups from the bottom element upward (figure: Hasse diagram):

$\{\}$
$\{\{\}\}$
$\{\{a\}\}$, $\{\{b\}\}$, $\{\{c\}\}$
$\{\{a\},\{b\}\}$, $\{\{a\},\{c\}\}$, $\{\{b\},\{c\}\}$
$\{\{a\},\{b\},\{c\}\}$
$\{\{a,b\}\}$, $\{\{a,c\}\}$, $\{\{b,c\}\}$
$\{\{a,b\},\{c\}\}$, $\{\{a,c\},\{b\}\}$, $\{\{b,c\},\{a\}\}$
$\{\{a,b\},\{a,c\}\}$, $\{\{a,b\},\{b,c\}\}$, $\{\{a,c\},\{b,c\}\}$
$\{\{a,b\},\{a,c\},\{b,c\}\}$
$\{\{a,b,c\}\}$

$2^{|L|} \le |V(L)| \le 2^{2^{|L|}}$

The exact size was unknown for $|L| > 8$ at the time of this talk [DP02]. (In maximal-representative form the elements of $V(L)$ are exactly the antichains of the subset lattice of $L$, so $|V(L)|$ is the Dedekind number of $|L|$.)


Useful restrictions on the vacuity lattice

Let $L = \mathit{lit}(\varphi)$.

1. Let $V(\varphi) \subseteq V(L)$ be the set of elements that correspond to satisfiable formulas.

2. Let $V(M,\varphi) \subseteq V(\varphi)$ be the subset of $V(\varphi)$ that corresponds to witnesses in $M$.

Example: $\varphi = G(a \lor b \lor c)$ (figure: the 20-element lattice for $\{a,b,c\}$ of the previous slide, with the elements dropped by these restrictions marked, among them $\{\{a,b\},\{c\}\}$ and $\{\{b,c\}\}$)


Useful restrictions on the vacuity lattice

3. Let $V_{\min}(M,\varphi) \subseteq V(M,\varphi)$ be the frontier of $V(M,\varphi)$ from below, i.e. its minimal elements.

(figure: the lattice for $\{a,b,c\}$ again, with the frontier marked)


From $V_{\min}(M,\varphi)$ to $\Phi_{\min}(M,\varphi)$ by example

$\varphi = G(a \lor b \lor c)$

$\Phi_{\min}(M,\varphi) = G(c) \lor (G(b \lor c) \land G(a \lor b))$

(figure: the lattice for $\{a,b,c\}$ with $V_{\min}(M,\varphi) = \{\{\{a,b\}\},\ \{\{a\},\{c\}\}\}$ marked. The element $\{\{a,b\}\}$ gives $\varphi[a,b \leftarrow \mathit{false}] = G(c)$; the element $\{\{a\},\{c\}\}$ gives $\varphi[a \leftarrow \mathit{false}] \land \varphi[c \leftarrow \mathit{false}] = G(b \lor c) \land G(a \lor b)$; the disjunction of the two is $\Phi_{\min}(M,\varphi)$.)


So how do we compute $V_{\min}(M,\varphi)$?

$V = \emptyset$
While $M$ contains a path $\pi$ such that $\mathit{vac}(\pi,\varphi) \notin V^{\uparrow}$, add $\mathit{vac}(\pi,\varphi)$ to $V$.
$V_{\min}(M,\varphi)$ = the minimal elements of $V$.

($V^{\uparrow}$ is the upset of $V$: every lattice element that lies above some element of $V$.)

(figure: the lattice for $\{a,b,c\}$ with $V = V_{\min} = \{\{\{a\},\{c\}\},\ \{\{a,b\}\}\}$ and the upset of $V$ marked)


So how do we compute $V_{\min}(M,\varphi)$? (continued)

$V = \emptyset$
While $M$ contains a path $\pi$ such that $\mathit{vac}(\pi,\varphi) \notin V^{\uparrow}$, add $\mathit{vac}(\pi,\varphi)$ to $V$.
$V_{\min}(M,\varphi)$ = the minimal elements of $V$.

Two questions about this loop: how do we find the next such path (this is the model-checking step), and how do we compute its vacuity value?

How do we find the next such path? Either by brute-force model checking, or via a lattice automaton.


Finding the next path $\pi$

We need a path $\pi$ with a vacuity value outside $V^{\uparrow}$.

(figure: the lattice for $\{a,b,c\}$ with $V = \{\{\{a\},\{c\}\},\ \{\{a,b\}\}\}$ and its upset marked)


Finding the next path $\pi$ / single element in $V$

Let $L$ be a set of literals. For $s \subseteq L$ let $\varphi_s = \varphi[l \leftarrow \mathit{false} \mid l \in s]$. For $v \in V(L)$ let $C(v) = \bigwedge_{s \in v} \varphi_s$.

Example: $\varphi = G(a \lor b \lor c)$, $v = \{\{a\},\{c\}\}$, $C(v) = G(b \lor c) \land G(a \lor b)$

(figure: the lattice for $\{a,b,c\}$ with $v$ and its upset $v^{\uparrow}$ marked)

A counterexample to $M \models C(v)$ must lie outside $v^{\uparrow}$: a path satisfies $C(v)$ exactly when its vacuity value is at least $v$.


Finding the next path $\pi$ / multiple elements in $V$

As before, for $s \subseteq L$ let $\varphi_s = \varphi[l \leftarrow \mathit{false} \mid l \in s]$ and for $v \in V(L)$ let $C(v) = \bigwedge_{s \in v} \varphi_s$. For $V \subseteq V(L)$ let $C(V) = \bigvee_{v \in V} C(v)$.

Example: $\varphi = G(a \lor b \lor c)$, $v_1 = \{\{a\},\{c\}\}$, $v_2 = \{\{a,b\}\}$

$C(V) = (G(b \lor c) \land G(a \lor b)) \lor G(c)$

(figure: the lattice for $\{a,b,c\}$ with $v_1$, $v_2$ and the upset $V^{\uparrow}$ marked)

A counterexample to $M \models C(V)$ must lie outside $V^{\uparrow}$.


Finding the vacuity value of a path

Given $\pi$ and $\varphi$, compute $\mathit{vac}(\pi,\varphi)$. Several options:

1. Traverse the vacuity lattice (2-exp in $|\mathit{lit}(\varphi)|$): in BFS order on $V(\varphi) \setminus V^{\uparrow}$ from the top, if $\pi \models C(v)$ return $v$.

2. An approach based on the subset lattice (1-exp in $|\mathit{lit}(\varphi)|$, for each $\pi$).

3. An approach based on a lattice automaton (between 1-exp and 2-exp in $|\mathit{lit}(\varphi)|$, but only once).


2. Computing $\mathit{vac}(\pi)$ with the subset lattice

Let $S = \langle \mathit{lit}(\varphi), \subseteq \rangle$ be the subset lattice of $\mathit{lit}(\varphi)$ (figure, for $\mathit{lit}(\varphi) = \{a,b,c\}$: $\{a,b,c\}$ at the top, then $\{a,b\}$, $\{a,c\}$, $\{b,c\}$, then $\{a\}$, $\{b\}$, $\{c\}$, then $\{\}$).

$\mathit{vac}(\pi) = \emptyset$
For each $s \in S$, in BFS order from the top:
  if $\pi \models \varphi_s$, then $\mathit{vac}(\pi) = \mathit{vac}(\pi) \cup \{s\}$ and remove $s$, together with every set below it, from $S$.

Removing the sets below $s$ is what keeps $\mathit{vac}(\pi)$ in maximal-representative form: those sets are already in the downset of $s$ and need no check.
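As an added worked example (my code, not the authors' or the paper's), the following Python puts the definitions above together: LTL evaluation on lasso-shaped paths, the vacuity value $\mathit{vac}(\pi,\varphi)$ computed by walking the subset lattice from the top as just described, the vacuity-lattice order, the $V_{\min}(M,\varphi)$ loop, and $\Phi_{\min}(M,\varphi) = C(V_{\min}(M,\varphi))$. It assumes the literal renaming has already been done (every literal occurrence is a distinct positive atom), that $M$ is small enough to list its paths explicitly as lassos, and it uses constructed structures chosen to reproduce the $G(a \lor b \lor c)$ and $(p \lor q) \mathrel{U} (r \mathrel{U} v)$ examples from this deck; all function and class names are my own.

```python
"""Vacuity values and Phi_min for a model given as lasso paths (added example, not from the paper).
Formulas are nested tuples in NNF after literal renaming, so every literal occurrence is its own
positive atom: ('lit','a') ('false',) ('true',) ('and',f,g) ('or',f,g) ('X',f) ('U',f,g) ('G',f)."""
from functools import reduce
from itertools import combinations

def lits(f):
    """Literal occurrences of f."""
    return {f[1]} if f[0] == 'lit' else set().union(*(lits(g) for g in f[1:]))

def subst_false(f, s):
    """f[s <- false]: replace every literal occurrence in s by false."""
    if f[0] == 'lit':
        return ('false',) if f[1] in s else f
    return (f[0],) + tuple(subst_false(g, s) for g in f[1:])

def simplify(f):
    """Rewrite inert occurrences of false away so printed formulas read like the slides."""
    if f[0] in ('lit', 'false', 'true'):
        return f
    op, args = f[0], tuple(simplify(g) for g in f[1:])
    if op == 'or' and ('false',) in args:
        return args[1] if args[0] == ('false',) else args[0]
    if op == 'and' and ('false',) in args or op in ('G', 'X') and args[0] == ('false',):
        return ('false',)
    if op == 'U' and args[0] == ('false',):           # false U g  ==  g
        return args[1]
    return (op,) + args

def show(f):
    """Infix rendering with &, |, U, G and X."""
    op = f[0]
    if op in ('lit', 'false', 'true'):
        return f[1] if op == 'lit' else op
    if op in ('G', 'X'):
        s = show(f[1])
        return op + (s if s.startswith('(') else '(' + s + ')')
    return '(' + show(f[1]) + {'and': ' & ', 'or': ' | ', 'U': ' U '}[op] + show(f[2]) + ')'

class Lasso:
    """An ultimately periodic path prefix.loop^omega; each position is the set of atoms true there."""
    def __init__(self, prefix, loop):
        assert loop, "the loop must be non-empty"
        self.w = [frozenset(p) for p in prefix] + [frozenset(p) for p in loop]
        self.n = len(prefix)                           # position where the loop starts

    def succ(self, i):
        return i + 1 if i + 1 < len(self.w) else self.n

    def holds(self, f, i=0):
        """pi, i |= f.  U and G walk at most len(w) steps, which visits every position reachable from i."""
        op = f[0]
        if op in ('lit', 'true', 'false'):
            return f[1] in self.w[i] if op == 'lit' else op == 'true'
        if op in ('and', 'or'):
            l, r = self.holds(f[1], i), self.holds(f[2], i)
            return (l and r) if op == 'and' else (l or r)
        if op == 'X':
            return self.holds(f[1], self.succ(i))
        j = i
        for _ in range(len(self.w)):
            if op == 'U' and self.holds(f[2], j):
                return True
            if not self.holds(f[1], j):                # left operand of U, or body of G, failed here
                return False
            j = self.succ(j)
        return op == 'G'                               # G survived the whole lasso; U never met its right operand

def vac(path, phi):
    """vac(pi, phi) as maximal sets: walk the subset lattice from the top and skip every set below one
    that already passed, since it lies in that set's downset.  frozenset() (bottom) means pi violates phi."""
    L, maximal = sorted(lits(phi)), []
    for k in range(len(L), -1, -1):
        for s in map(frozenset, combinations(L, k)):
            if not any(s <= m for m in maximal) and path.holds(subst_false(phi, s)):
                maximal.append(s)
    return frozenset(maximal)

def leq(v, u):
    """Vacuity-lattice order: v <= u iff every set in v lies below some set in u."""
    return all(any(s <= t for t in u) for s in v)

def v_min(model, phi):
    """Vmin(M, phi): a path's value is added only if it is not already in the upset of V; return the minimal elements."""
    V = []
    for path in model:
        value = vac(path, phi)
        if not any(leq(v, value) for v in V):
            V.append(value)
    return {v for v in V if not any(u != v and leq(u, v) for u in V)}

def phi_min(model, phi):
    """Phi_min(M, phi) = C(Vmin(M, phi)): disjunction over minimal v of C(v) = AND over s in v of phi[s <- false]."""
    vmin = v_min(model, phi)
    if frozenset() in vmin:                            # some path violates phi, so M does not satisfy it
        return ('false',)
    conj = lambda v: reduce(lambda x, y: ('and', x, y), (subst_false(phi, s) for s in sorted(v, key=sorted)))
    return simplify(reduce(lambda x, y: ('or', x, y), map(conj, sorted(vmin, key=lambda v: sorted(map(sorted, v))))))

if __name__ == '__main__':
    # Constructed model for phi = G(a | b | c); the three lassos were chosen to reproduce the deck's example.
    phi = ('G', ('or', ('or', ('lit', 'a'), ('lit', 'b')), ('lit', 'c')))
    M = [Lasso([], [{'c'}]), Lasso([], [{'a', 'c'}, {'b'}]), Lasso([], [{'a', 'b', 'c'}])]
    print([sorted(map(sorted, vac(p, phi))) for p in M])
    print(show(phi_min(M, phi)))                      # ((G(b | c) & G(a | b)) | G(c))
```

The third lasso, on which every atom holds forever, has vacuity value $\{\{a,b\},\{a,c\},\{b,c\}\}$, which already lies in the upset of the first path's value $\{\{a,b\}\}$, so the loop never adds it; that is exactly the redundant disjunct the earlier modified example warned about, and it is why `phi_min` prints the two-disjunct formula rather than three.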


3. Computing $\mathit{vac}(\pi)$ with a vacuity automaton

A vacuity automaton is a lattice automaton [Kupferman-Lustig 07] over the vacuity lattice. A lattice automaton maps an input word to a value on the lattice.

The vacuity automaton $A_\varphi$ maps each path $\pi$ to the vacuity value of $\varphi$ on $\pi$.

So we compute $A_\varphi$ (once) and simulate $\pi$ on $A_\varphi$ to get $\mathit{vac}(\pi)$.

... details in [CGS08]


Some observations about $V(\varphi)$ and $V(M,\varphi)$

If the minimal element of $V(\varphi)$ is not $\{\{\}\}$, then $\varphi$ is satisfied vacuously in all structures; such a formula is called inherently vacuous [FKSV08].

Example: $F(a \lor b)$ (figure: the lattice for $\{a,b\}$ with $\{\{\}\}$ excluded). Every path that satisfies $F(a \lor b)$ satisfies $F a$ or $F b$, so on every such path $a$ or $b$ can be replaced with false and $\{\{\}\}$ is never the vacuity value.


Some observations about $V(\varphi)$ and $V(M,\varphi)$

If $\{\{\}\}$ is the minimal element of $V(M,\varphi)$, then $M$ has an interesting witness for $\varphi$.

(figure: the lattice for $\{a,b\}$ with $\{\{\}\}$ marked)


Some observations about $V(\varphi)$ and $V(M,\varphi)$

If ... then $\varphi$ is vacuous in $M$.

(figure: the lattice for $\{a,b,c\}$ with $\{\{a\},\{c\}\}$ and $\{\{a,b\}\}$ marked. In this case $\{a\}$ lies below an element of both minimal values, so every path satisfies $\varphi[a \leftarrow \mathit{false}]$ and hence $M \models \varphi[a \leftarrow \mathit{false}]$.)


Summary

Defined the formulas $\Phi(M,\varphi)$ and $\Phi_{\min}(M,\varphi)$.
Proved that they are the strongest.
Showed how to compute them.


Backup slides


The complexity is ... hideous! (in theory)

$O\bigl(|V(M,\varphi)| \cdot |M| \cdot 2^{|\varphi| \cdot 2^{|\varphi|}}\bigr)$

where $|V(M,\varphi)|$ is the number of elements in $V(M,\varphi)$; $|M| \cdot 2^{(\ldots)}$ is the cost of model checking a formula of the given size; and $|\varphi| \cdot 2^{|\varphi|}$ is the size of the formula that corresponds to a lattice element ($2^{|\varphi|}$ bounds the number of sets of literals, each contributing a copy of $\varphi$).


How to find $\pi$ and compute its vacuity value

We define the notion of vacuity automata. A vacuity automaton is a lattice automaton [KL07] over the vacuity lattice; a lattice automaton maps an input word to a value on the lattice.

The vacuity automaton $A_\varphi$ maps each path $\pi$ to the vacuity value of $\varphi$ on $\pi$:

$L(A_\varphi)(\pi) = \mathit{vac}(\pi,\varphi)$

Actually, we first translate $\varphi$ to a latticed LTL formula ... details are in the paper.


Lattice automata [KL07]

Lattice automata are an extension of finite automata: we allow transitions to be labelled with values from the lattice.

For an automaton $A$ and a word $w$, the value of a run $r$ of $A$ on $w$ is the meet of all intermediate lattice values obtained during $r$.

The value of $A$ on $w$ is the join of all values of accepting runs of $A$ on $w$ (in case $A$ is non-deterministic).

The acceptance condition of lattice Büchi automata is the same as for standard Büchi automata.

Example: $G(a \lor b)$ (figure: a Büchi automaton whose accepting loop reads the letters $\{a\}$, $\{b\}$ and $\{a,b\}$)



Example: the vacuity lattice automaton for $G(a \lor b)$ (figure: states $s_0$ and $s_1$; each transition is labelled $\langle \text{letter}, \text{lattice value} \rangle$, namely $\langle \{a\}, \{\{b\}\} \rangle$, $\langle \{b\}, \{\{a\}\} \rangle$, $\langle \{a,b\}, \{\{a\},\{b\}\} \rangle$, plus two $\langle *, \top \rangle$ transitions)


Example: $G(a \lor b)$

Vacuity lattice automaton as on the previous slide (states $s_0$ and $s_1$; transitions labelled $\langle \text{letter}, \text{lattice value} \rangle$: $\langle \{a\}, \{\{b\}\} \rangle$, $\langle \{b\}, \{\{a\}\} \rangle$, $\langle \{a,b\}, \{\{a\},\{b\}\} \rangle$, and $\langle *, \top \rangle$).

We'll consider three words and the lattice value of the accepting run from $s_0$ on each; in every case the lattice value equals $\mathit{vac}(w,\varphi)$. Indeed:

$w = a \cdot a \cdot a \cdot a \cdots$: lattice value $\{\{b\}\}$, and indeed $w \models G(a)$
$w = b \cdot b \cdot b \cdot b \cdots$: lattice value $\{\{a\}\}$, and indeed $w \models G(b)$
$w = (ab) \cdot (ab) \cdot (ab) \cdots$: lattice value $\{\{a\},\{b\}\}$, and indeed $w \models G(a) \land G(b)$
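Added example (my code, neither the paper's nor [KL07]'s): the vacuity lattice $V(L)$ in maximal-representative form with its order, meet and join, an enumeration that reproduces the element counts of the two lattice examples above (6 elements for $\{a,b\}$, 20 for $\{a,b,c\}$), and a deterministic lattice Büchi automaton evaluated on lasso words, instantiated with the $G(a \lor b)$ automaton just shown. The run value is the meet of the transition values, as the lattice-automata definition says; because this automaton is deterministic there is a single run and the join over accepting runs is trivial, and an empty letter (neither $a$ nor $b$) has no transition, so the word gets the bottom element. The state names and the `LatticeBuchi` interface are my own assumptions.

```python
"""The vacuity lattice as antichains of maximal sets, and a deterministic lattice Büchi automaton
run on lasso words (added example for G(a | b); not code from the paper or from [KL07])."""
from itertools import combinations

def maximal(sets):
    """Antichain of maximal sets: the representative of the downset-closed family generated by `sets`."""
    sets = {frozenset(s) for s in sets}
    return frozenset(s for s in sets if not any(s < t for t in sets))

BOTTOM = frozenset()                       # {}   : no accepting run, the formula is false on the word
NONVACUOUS = frozenset({frozenset()})      # {{}} : holds, but no literal can be replaced by false

def leq(v, u):
    """v <= u iff downset(v) is contained in downset(u)."""
    return all(any(s <= t for t in u) for s in v)

def join(v, u):
    return maximal(v | u)                                 # union of the two downsets

def meet(v, u):
    return maximal(s & t for s in v for t in u)           # intersection of the two downsets

def powerset(xs):
    xs = list(xs)
    return [frozenset(c) for k in range(len(xs) + 1) for c in combinations(xs, k)]

def vacuity_lattice(lits):
    """All elements of V(L): every antichain in the subset lattice of L (6 for |L| = 2, 20 for |L| = 3)."""
    return {family for family in powerset(powerset(lits)) if maximal(family) == family}

class LatticeBuchi:
    """Deterministic lattice Büchi automaton.  delta maps (state, letter) to (state, lattice value);
    a missing entry means no transition.  The value of the unique run is the meet of the values it reads,
    provided the run visits an accepting state infinitely often; otherwise it is BOTTOM."""
    def __init__(self, init, accepting, delta, lits):
        self.init, self.accepting, self.delta = init, set(accepting), delta
        self.top = frozenset({frozenset(lits)})           # neutral element for the meet

    def step(self, state, letter, acc):
        nxt = self.delta.get((state, frozenset(letter)))
        return (None, BOTTOM) if nxt is None else (nxt[0], meet(acc, nxt[1]))

    def value(self, prefix, loop):
        state, acc = self.init, self.top
        for letter in prefix:
            state, acc = self.step(state, letter, acc)
            if state is None:
                return BOTTOM
        first_seen, visited = {}, []                      # state at loop start -> iteration; states per iteration
        while state not in first_seen:                    # once a loop-start state repeats, the run is periodic
            first_seen[state] = len(visited)
            visited.append([])
            for letter in loop:
                state, acc = self.step(state, letter, acc)
                if state is None:
                    return BOTTOM
                visited[-1].append(state)
        periodic = [s for it in visited[first_seen[state]:] for s in it]
        return acc if any(s in self.accepting for s in periodic) else BOTTOM

def automaton_G_a_or_b():
    """The vacuity automaton for G(a | b): one accepting state s0 (assumed name); each letter is priced
    with the literals that could have been false without breaking that step."""
    a, b = frozenset({'a'}), frozenset({'b'})
    delta = {('s0', a): ('s0', frozenset({b})),           # only a holds: b could be false
             ('s0', b): ('s0', frozenset({a})),           # only b holds: a could be false
             ('s0', a | b): ('s0', frozenset({a, b}))}    # both hold: either one, but not both
    return LatticeBuchi('s0', {'s0'}, delta, {'a', 'b'})  # empty letter: no transition, G(a | b) fails

if __name__ == '__main__':
    A = automaton_G_a_or_b()
    for word in ([{'a'}], [{'b'}], [{'a', 'b'}], [{'a'}, {'b'}]):
        print(word, sorted(map(sorted, A.value([], word))))
    print(len(vacuity_lattice({'a', 'b'})), len(vacuity_lattice({'a', 'b', 'c'})))   # 6 20
```

The fourth word, $a \cdot b \cdot a \cdot b \cdots$, is the case the three words above do not cover: its run reads $\{\{b\}\}$ and then $\{\{a\}\}$, whose meet is $\{\{\}\}$, so $G(a \lor b)$ holds on it non-vacuously.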


Computing $\Phi(M,\varphi)$ and $\Phi_{\min}(M,\varphi)$ with the vacuity lattice automata

Observation: the vacuity value $\mathit{vac}(M,\varphi)$ is the emptiness value of $M \times A_{\mathit{vac}}(\neg\varphi)$.

Recall the algorithm for computing $\Phi(M,\varphi)$:

$V = \emptyset$
While $M$ contains a path $\pi$ such that $\mathit{vac}(\pi,\varphi) \notin V^{\uparrow}$, add $\mathit{vac}(\pi,\varphi)$ to $V$.
Return $V$.

Here the vacuity lattice automata are used to compute the vacuity values of the paths.

Possible improvement: 1. take one path; 2. use its vacuity value to build an intermediate formula; 3. model-check the result; 4. take a counterexample.


Some cool observations about $V(\varphi)$ and $V(M,\varphi)$

If $\{\{\}\}$ is the minimal element of $V(M,\varphi)$, then $M$ has an interesting witness for $\varphi$ (a path that satisfies $\varphi$ non-vacuously). Otherwise, either $\varphi$ is vacuous in $M$ ...

Example: $\varphi = (p \lor q) \mathrel{U} r$

$M$: two paths (figure: $\pi_1$ is labelled $p,q$ and then $r$; $\pi_2$ is labelled $q$ and then $r$)

$\mathit{vac}(\pi_1) = \{\{q\},\{p\}\}$, $\mathit{vac}(\pi_2) = \{\{p\}\}$, and so $M \models \varphi[p \leftarrow \mathit{false}]$