Finding Shortest Witnesses to the Nonemptiness of Automata on Infinite Words [chapter]

Orna Kupferman, Sarai Sheinvald-Faragy
2006 Lecture Notes in Computer Science  
In the automata-theoretic approach to formal verification, the satisfiability and the model-checking problems for linear temporal logics are reduced to the nonemptiness problem of automata on infinite words. Modifying the nonemptiness algorithm to return a shortest witness to the nonemptiness (that is, a word of the form uv^ω that is accepted by the automaton and for which |uv| is minimal) has applications in synthesis and counterexample analysis. Unlike shortest accepting runs, which have been studied in the literature, the definition of shortest witnesses is semantic and is independent of the specification formalism of the property or the system. In particular, its robustness makes it appropriate for analyzing counterexamples of concurrent systems. We study the problem of finding shortest witnesses in automata with various types of concurrency. We show that while finding shortest witnesses is more complex than just checking nonemptiness in the nondeterministic and in the concurrent models of computation, it is not more complex in the alternating model. It follows that when the system is the composition of concurrent components, finding a shortest counterexample to its correctness is not harder than finding some counterexample. Our results give a computational motivation to translating temporal logic formulas to alternating automata, rather than going all the way to nondeterministic automata.

For the applications mentioned above, it is the shortest witness, rather than the shortest accepting run, that we want to return to the user¹. Indeed, in the case of synthesis, the shortest witness points to an optimal system that satisfies the specification, and in the case of model checking, the shortest witness is the shortest computation that violates the property. In particular, in the case of model checking, the automaton is the product of the specification automaton with the system, and considering shortest accepting runs rather than shortest witnesses is sensitive to the structure of the specification automaton. The length of a shortest witness is a robust measure, as it is independent of the specification formalism: every nonempty language L ⊆ Σ^ω has a shortest member, and this member is independent of whether L is specified by an LTL formula or by a particular type of automaton.
In [32], the authors point to the fact that a shortest witness may not coincide with a shortest accepting run, and study automata for which the two measures coincide (that is, the shortest witness is read along a shortest run). Here, we take a different approach, and refer to the length of the witness directly, for various specification formalisms. Note that the shortest-witness measure is especially appropriate when we consider the intersection of several automata, as in the case of model checking a system that is given by means of its underlying components. There, the shortest accepting run is defined with respect to the product of the components of the system. A shortest witness, on the other hand, is independent of the presentation of the system, and can be defined with respect to the underlying components.

Classical models of computation, such as Turing machines and automata, have been enriched with features to capture concurrency. Nondeterminism, for example, amounts to letting several processes run over the input word, each following different nondeterministic choices. In the case of nondeterminism, no cooperation between the spawned processes takes place, except when the time comes to decide whether the input should be accepted. Then, the input is accepted if some process accepts it. A dual type of cooperation is allowed in universal automata. There, the input word is accepted if all the processes accept it. It turned out that such limited cooperation is sufficient to make nondeterministic and universal automata exponentially more succinct than deterministic automata, and to make their combination, namely alternating automata, doubly exponentially more succinct than deterministic automata [9].
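The gap between the two measures is easy to see on a concrete nondeterministic Büchi automaton. The following Python is an added example, not code from the paper: it checks whether a lasso word uv^ω is accepted by building the product of the automaton with the |u|+|v|-position lasso and looking for a reachable cycle through an accepting state, finds a shortest witness by brute-force enumeration of words in order of increasing |uv| (exponential, for illustration only; the paper's point is precisely that this is harder than nonemptiness in the nondeterministic model), and computes the length of a shortest lasso-shaped accepting run for comparison. The automata A, B and C are constructed for the example; the termination bound |uv| ≤ 2|Q| is an assumption justified by the fact that a nonempty language has an accepting run consisting of a simple path followed by a simple cycle.

```python
from collections import deque
from itertools import product


class NBA:
    """Nondeterministic Büchi automaton (example code, not from the paper).

    delta maps (state, letter) to a set of successor states; a missing key
    means no transition.  Words are strings of single-character letters.
    """

    def __init__(self, states, alphabet, delta, init, accepting):
        self.states = list(states)
        self.alphabet = list(alphabet)
        self.delta = delta
        self.init = init
        self.accepting = set(accepting)

    def succ(self, q, a):
        return self.delta.get((q, a), set())

    @staticmethod
    def _reach(start, neighbours):
        """Nodes reachable from start by at least one step."""
        seen, todo = set(), deque(neighbours(start))
        while todo:
            node = todo.popleft()
            if node not in seen:
                seen.add(node)
                todo.extend(neighbours(node))
        return seen

    def accepts_lasso(self, u, v):
        """Is u v^omega accepted?  The lasso has |u|+|v| positions, the last
        one looping back to position |u|; its product with the automaton is a
        finite graph, and the word is accepted iff that graph has a reachable
        cycle through a node whose state is accepting."""
        assert len(v) >= 1, "the periodic part v must be nonempty"
        w = u + v
        n, loop = len(w), len(u)

        def neighbours(node):
            q, i = node
            j = i + 1 if i + 1 < n else loop
            return [(p, j) for p in self.succ(q, w[i])]

        start = (self.init, 0)
        for node in self._reach(start, neighbours) | {start}:
            q, i = node
            # only positions in the v part can lie on a cycle; a node is on a
            # cycle iff it reaches itself in one or more steps
            if q in self.accepting and i >= loop and node in self._reach(node, neighbours):
                return True
        return False

    def shortest_witness(self, bound=None):
        """Return (u, v) with u v^omega accepted and |uv| minimal, or None.
        Brute force over all words and splits; bound = 2|Q| is the assumed
        upper bound on the length of a shortest witness (see lead-in)."""
        if bound is None:
            bound = 2 * len(self.states)
        for n in range(1, bound + 1):
            for letters in product(self.alphabet, repeat=n):
                w = "".join(letters)
                for k in range(n):            # |u| = k, |v| = n - k >= 1
                    if self.accepts_lasso(w[:k], w[k:]):
                        return w[:k], w[k:]
        return None

    def _dist_from(self, src):
        """BFS distances (in transitions, over any letter) in the state graph."""
        dist, todo = {src: 0}, deque([src])
        while todo:
            q = todo.popleft()
            for a in self.alphabet:
                for p in self.succ(q, a):
                    if p not in dist:
                        dist[p] = dist[q] + 1
                        todo.append(p)
        return dist

    def shortest_accepting_run_length(self):
        """|prefix| + |cycle| of a shortest lasso-shaped accepting run, or None.
        Rotating the cycle to start at an accepting state f, the run is a
        shortest path init -> f followed by a shortest cycle f -> f."""
        d0, best = self._dist_from(self.init), None
        for f in self.accepting:
            if f not in d0:
                continue
            for a in self.alphabet:
                for p in self.succ(f, a):
                    back = self._dist_from(p)
                    if f in back:
                        total = d0[f] + 1 + back[f]
                        best = total if best is None else min(best, total)
        return best


# Constructed example 1: L(A) = {a^omega}.  Every accepting run must walk
# q0 -> q1 -> q2 -> q3 before looping, so a shortest accepting run has
# 3 + 1 = 4 transitions, while the shortest witness is u = "", v = "a" (|uv| = 1).
A = NBA(["q0", "q1", "q2", "q3"], "ab",
        {("q0", "a"): {"q1"}, ("q1", "a"): {"q2"},
         ("q2", "a"): {"q3"}, ("q3", "a"): {"q3"}}, "q0", {"q3"})

# Constructed example 2: L(B) = {(ab)^omega}; here both measures equal 2.
B = NBA(["p0", "p1"], "ab", {("p0", "a"): {"p1"}, ("p1", "b"): {"p0"}}, "p0", {"p0"})

# Constructed example 3: empty language (the accepting state lies on no cycle).
C = NBA(["r0", "r1"], "a", {("r0", "a"): {"r1"}}, "r0", {"r0"})

if __name__ == "__main__":
    for name, aut in (("A", A), ("B", B), ("C", C)):
        print(name, aut.shortest_witness(), aut.shortest_accepting_run_length())
```

On A the shortest witness has |uv| = 1 although no accepting run of A is shorter than 4 transitions, which is exactly why the witness measure, unlike the run measure, does not depend on how the language happens to be presented.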
As studied in [10], enriching automata with real concurrency, where the spawned processes can cooperate all along the computation (technically, a concurrent automaton consists of several components that run concurrently, and the transitions of a component depend on the states of the other components), results in even more succinct automata. The automata-theoretic approach to formal verification was originally developed with nondeterministic automata, and is based on an exponential translation of LTL formulas to nondeterministic Büchi automata [35]. In recent years, however, more and more algorithms and tools are based on alternating automata. A significant advantage of alternating automata is the straightforward (and linear) translation of LTL formulas to alternating Büchi automata [26, 34]. Solving the nonemptiness problem for alternating

¹ One can consider an even shorter description, where, for example, a subword aa…a consisting of n consecutive a's is represented by a^n, with n encoded in binary. Then, the description of the word may be logarithmically shorter. We will refer also to such compressed descriptions.
doi:10.1007/11817949_33