hierarchy.org 24 KB
Newer Older
1
2
3
# -*- coding: utf-8 -*-
#+TITLE: Exploring the temporal hierarchy of Manna & Pnueli
#+DESCRIPTION: Spot command-line tools for exploring the temporal hierarchy of Manna & Pnueli
Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
4
#+INCLUDE: setup.org
5
#+HTML_LINK_UP: tools.html
6
#+PROPERTY: header-args:sh :results verbatim :exports both
7
8

/A hierarchy of temporal properties/ was defined by Manna & Pnueli in
Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
9
their [[ftp://www-cs.stanford.edu/cs/theory/amir/hierarchy.ps][PODC'90 paper]].
10
11
12
13
14
15
16
17
18

This hierarchy relates "properties" (i.e., omega-regular languages) to
structural properties of the automata that can recognize them.

* Description of the classes

The hierarchy is built from the classes pictured in the following
diagram, where each class includes everything below it. For instance,
the /recurrence/ class includes the /obligation/ class which also
Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
19
20
includes the /safety/ and /guarantee/ classes, as well as the unnamed
intersection of /safety/ and /guarantee/ (=B= in the picture).
21

22
[[file:hierarchy.svg]]
23
24
25
26

Forget about the LTL properties and about the red letters displayed in
this picture for a moment.

Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
27
28
29
- The /reactivity/ class represents all possible omega-regular
  languages, i.e., all languages that can be recognized by a
  non-deterministic Büchi automaton.
30

Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
31
32
- The /recurrence/ subclass contains all properties that can be
  recognized by a deterministic Büchi automaton.
33

Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
34
- The dual class, /persistence/ properties, are those that can be
Maximilien Colange's avatar
Typos    
Maximilien Colange committed
35
  recognized by a weak Büchi automaton (i.e., in each SCC either all
Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
36
  states are accepting, or all states are rejecting).
37

Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
38
39
40
- The intersection of /recurrence/ and /persistence/ classes form the
  /obligation/ properties: any of those can be recognized by a weak
  and deterministic Büchi automaton.
41

Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
42
43
44
- /Guarantee/ properties are a subclass of /obligation/ properties
  that can be recognized by terminal Büchi automata (i.e., upon
  reaching an accepting state, any suffix will be accepted).
45

Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
46
- /Safety/ properties are the dual of /Guarantee/ properties: they can
Maximilien Colange's avatar
Typos    
Maximilien Colange committed
47
  be recognized by ω-automata that accept all their runs (i.e., the
Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
48
  acceptance condition is "true").  Note that since these automata are
Maximilien Colange's avatar
Typos    
Maximilien Colange committed
49
  not necessary complete, it is still possible for some words not to
Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
50
51
52
53
  be accepted.  If we interpret the ω-automata with "true" acceptance
  as finite automata with all states marked as final, we obtain
  monitors, i.e., finite automata that recognize all finite prefixes
  that can be extended into valid ω-words.
54

Maximilien Colange's avatar
Typos    
Maximilien Colange committed
55
- Finally, at the very bottom is an unnamed class that contains
Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
56
57
58
  /Safety/ properties that are also /Guarantee/ properties: those are
  properties that can be represented by monitors in which the only
  cycles are self-loops labeled by true.
59
60
61

The "LTL normal forms" displayed in the above figure help to visualize
the type of LTL formulas contained in each of these class.  But note
Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
62
that (1) this hierarchy applies to all omega-regular properties, not
63
64
65
66
67
68
69
70
71
72
just LTL-defined properties, and (2) the LTL expression displayed in
the figure are actually normal forms in the sense that if an
LTL-defined property belongs to the given class, then there exists an
equivalent LTL property under the stated form, were $p$, $q$, $p_i$
and $q_i$ are subexpressions that may use only Boolean operators, the
next operator ($\mathsf{X}$), and past-LTL operators (which are not
supported by Spot).  The combination of these allowed operators only
makes it possible to express constraints on finite prefixes.

/Obligations/ can be thought of as Boolean combinations of /safety/
73
and /guarantee/ properties, while /reactivity/ properties are Boolean
74
75
76
77
78
79
80
81
82
83
84
85
86
combinations of /recurrence/ and /persistence/ properties.  The
negation of a /safety/ property is a /guarantee/ property (and
vice-versa), and the same duality hold for /persistence/ and
/recurrence/ properties.

The red letters in each of these seven classes are keys used in
Spot to denote the classes.

* Deciding class membership

The =--format=%h= option can be used to display the "class key" of the
most precise class to which a formula belongs.

87
#+BEGIN_SRC sh
88
89
90
91
92
93
94
95
ltlfilt -f 'a U b' --format=%h
#+END_SRC
#+RESULTS:
: G

If you find hard to remember the class name corresponding to the class
keys, you can request verbose output with =%[v]h=:

96
#+BEGIN_SRC sh
97
98
99
100
101
102
103
104
105
ltlfilt -f 'a U b' --format='%[v]h'
#+END_SRC
#+RESULTS:
: guarantee

But actually any /guarantee/ property is also an /obligation/, a
/recurrence/, a /persistence/, and a /reactivity/ property.  You can
get the complete list of classes using =%[w]h= or =%[vw]h=:

106
#+BEGIN_SRC sh
107
108
109
110
111
112
113
114
115
ltlfilt -f 'a U b' --format='%[w]h = %[vw]h'
#+END_SRC
#+RESULTS:
: GOPRT = guarantee obligation persistence recurrence reactivity

This =--format= option is also supported by =randltl=, =genltl=, and
=ltlgrind=.  So for instance if you want to classify the 55 LTL
patterns of [[http://patterns.projects.cs.ksu.edu/documentation/patterns/ltl.shtml][Dwyers et al. (FMSP'98)]] using this hierarchy, try:

116
#+BEGIN_SRC sh
117
118
119
120
121
122
123
124
125
126
127
genltl --dac-patterns --format='%[v]h' | sort | uniq -c
#+END_SRC

#+RESULTS:
:       1 guarantee
:       2 obligation
:       1 persistence
:       2 reactivity
:      12 recurrence
:      37 safety

Maximilien Colange's avatar
Typos    
Maximilien Colange committed
128
In this output, the most precise class is given for each formula, and
129
the count of formulas for each subclass is given.  We have to remember
Maximilien Colange's avatar
Typos    
Maximilien Colange committed
130
that the recurrence class also includes obligation, safety, and
131
132
133
134
135
136
137
138
139
guarantee properties.  In this list, there are no formulas that belong
to the intersection of the /guarantee/ and /safety/ classes (it would
have been listed as =guarantee safety=).

From this list, only 3 formulas are not recurrence properties (i.e.,
not recognized by deterministic Büchi automata): one of them is a
persistence formula, the other two cannot be classified better than in
the /reactivity/ class.  Let's pretend we are interested in those
three non-recurrence formulas, we can use =ltlfilt -v --recurrence= to
Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
140
141
remove all recurrence properties from the =genltl --dac-pattern=
output:
142

143
#+BEGIN_SRC sh
144
145
146
147
148
149
150
151
152
153
genltl --dac-patterns |
  ltlfilt -v --recurrence --format='%[v]h, %f'
#+END_SRC

#+RESULTS:
: persistence, G!p0 | F(p0 & (!p1 W p2))
: reactivity, G(p0 -> ((p1 -> (!p2 U (!p2 & p3 & X(!p2 U p4)))) U (p2 | G(p1 -> (p3 & XFp4)))))
: reactivity, G(p0 -> ((p1 -> (!p2 U (!p2 & p3 & !p4 & X((!p2 & !p4) U p5)))) U (p2 | G(p1 -> (p3 & !p4 & X(!p4 U p5))))))

Similar filtering options exist for other classes.  Since these tests
Maximilien Colange's avatar
Typos    
Maximilien Colange committed
154
are automata-based, they work with PSL formulas as well. For instance,
155
156
157
here is how to generate 10 random recurrence PSL formulas that are
not LTL formulas, and that are not obligations:

158
#+BEGIN_SRC sh
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
randltl --psl -n -1 a b |
   ltlfilt -v --ltl |
   ltlfilt -v --obligation |
   ltlfilt --recurrence -n10
#+END_SRC
#+RESULTS:
#+begin_example
((Fb W 0) | (1 U !a)) W ({b[*]}[]-> 0)
GF({[*]}<>-> !a)
{[*]}[]-> X(b M F!Gb)
G!({a[*2]}<>-> (b & F(0 R a)))
FX({[*]} -> GFb)
G({b[*][:*1]} xor (Fb U Fa)) W b
(b R a) & (({1 | [*0]} -> (1 U a)) W 0)
G({[*]}[]-> Fa)
{[*]}[]-> F(1 U b)
0 R !({!a | a[*]}[]-> GXa)
#+end_example

Note that the order of the =ltlfilt= filters could be changed provided
the =-n10= stays at the end.  For instance we could first keep all
recurrence before removing obligations and then removing LTL formulas.
The order given above actually starts with the easier checks first and
keep the most complex tests at the end of the pipeline so they are
Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
183
184
applied to fewer formulas.  Testing whether a formula is an LTL
formula is very cheap, testing if a formula is an obligation is harder
185
(it may involves a translation to automata and a powerset
Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
186
187
188
189
190
construction), and testing whether a formula is a recurrence is the
most costly procedure (it involves a translation as well, plus
conversion to deterministic Rabin automata, and an attempt to convert
the automaton back to deterministic Büchi).  As a rule of thumb,
testing classes that are lower in the hierarchy is cheaper.
191
192
193
194
195
196

Since option =-o= (for specifying output file) also honors =%=-escape
sequences, we can use it with =%h= to split a list of formulas in 7
possible files.  Here is a generation of 200 random LTL formulas
binned into aptly named files:

197
#+BEGIN_SRC sh
198
199
200
201
202
randltl -n 200 a b -o random-%h.ltl
wc -l random-?.ltl
#+END_SRC

#+RESULTS:
203
:   45 random-B.ltl
204
205
206
207
:   49 random-G.ltl
:   12 random-O.ltl
:   21 random-P.ltl
:   18 random-R.ltl
208
:   46 random-S.ltl
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
:    9 random-T.ltl
:  200 total

#+BEGIN_SRC sh :results silent :exports results
rm -f random-?.ltl
#+END_SRC
#+RESULTS:

* Deciding classes membership syntactically

LTL formulas can also be classified into related classes which we
shall call /syntactic-safety/, /syntactic-guarantee/, etc.  See [[https://spot.lrde.epita.fr/tl.pdf][tl.pdf]]
for the grammar of each syntactic class.  Any LTL-definable property
of class C can be defined by an LTL formulas in class syntactic-C, but
an LTL formula can describe a property of class C even if that formula
is not in class syntactic-C (we just know that some equivalent formula
is in class syntactic-C).

=ltlfilt= has options like =--syntactic-guarantee=,
=--syntactic-persistence=, etc. to match formulas from this classes.

Maximilien Colange's avatar
Typos    
Maximilien Colange committed
230
Here is how to generate 10 random LTL formulas that describe safety
231
232
properties but that are not in the syntactic-safety class:

233
#+BEGIN_SRC sh
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
randltl -n-1 a b |
  ltlfilt -v --syntactic-safety |
  ltlfilt --safety -n10
#+END_SRC

#+RESULTS:
#+begin_example
F!(!b <-> FGb)
!Fb xor G((b xor (Xa M b)) U b)
a W F(a -> b)
((0 R Xa) R a) -> Fa
X(Xb & (!Ga R Ga))
(1 U b) | F(Fb W (a <-> FXa))
(a M 1) | (!a W a)
(G!a W ((b M 1) -> Fa)) -> !a
!a -> ((a xor !GFa) W 0)
b M Gb
#+end_example

Since all those formulas describe safety properties, an exercise would
Maximilien Colange's avatar
Typos    
Maximilien Colange committed
254
be to suggest equivalent formulas that are in the syntactic-safety
255
256
257
258
fragment.  For instance =b M Gb= can be rewritten as just =Gb=, which
belongs to this fragment.  In this particular case, =ltlfilt
--simplify= recognizes this:

259
#+BEGIN_SRC sh
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
ltlfilt --simplify -f 'b M Gb'
#+END_SRC
#+RESULTS:
: Gb

However in the general case Spot is not able to provide the equivalent
formula from the appropriate syntactic class.

* What to do with each class?

** Obligation

Spot implements algorithms from Löding ([[http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.24.6718][/Efficient minimization of
deterministic weak ω-automata/, IPL 2001]]) and Dax et al. ([[http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.83.2081][/Mechanizing
the powerset constructions for restricted classes of ω-automata/,
ATVA'07]]) in order to detect obligation properties, and produce minimal
weak deterministic automata for them.

Maximilien Colange's avatar
Typos    
Maximilien Colange committed
278
When running =ltl2tgba -D= on a formula that represents an
279
280
281
282
obligation property, you are guaranteed to obtain a minimal (in the
number of states) deterministic weak Büchi automaton that recognizes
it.  Note that since the /obligation/ class includes the /safety/ and
/guarantee/ classes, minimal deterministic automata will also be
Maximilien Colange's avatar
Typos    
Maximilien Colange committed
283
produced for those classes.  Dax et al.'s determinization of obligation
284
properties combined with Löding's minimization renders obsolete
Maximilien Colange's avatar
Typos    
Maximilien Colange committed
285
older algorithms (and tools) that produced minimal deterministic
286
287
automata but only for the subclasses of /safety/ or /guarantee/.

Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
288
289
290
291
If =ltl2tgba= is run without =-D= (but still with the default =--high=
optimization level), the minimal weak deterministic automaton will
only be output if it is smaller than the non-deterministic automaton
the translator could produce before determinization and minimization.
292
293
294

For instance =Fa R b= is an obligation:

295
#+BEGIN_SRC sh
296
297
298
299
300
301
302
303
304
305
306
ltlfilt -f 'Fa R b' --format='%[v]h'
#+END_SRC

#+RESULTS:
: obligation

If we translate it without =-D= we get a 3-state non-deterministic
automaton (here we use =autfilt --highlight-nondet= to show where the
non-determinism occurs):

#+NAME: hier-oblig-1
307
#+BEGIN_SRC sh :exports code
308
309
310
ltl2tgba 'Fa R b' | autfilt --highlight-nondet -d
#+END_SRC

311
#+BEGIN_SRC dot :file hier-oblig-1.svg :var txt=hier-oblig-1 :exports results
312
313
314
315
$txt
#+END_SRC

#+RESULTS:
316
[[file:hier-oblig-1.svg]]
317

318
319
320
321
322
323
324
Note that the default translation used by =ltl2tgba= will turn any
syntactic persistence formulas (this includes obligations formulas)
into a weak automaton.  In a weak automaton, the acceptance condition
could be defined in term of SCCs, i.e., the cycles of some SCCs are
either all accepting, or all rejecting.  As a consequence, it there is
no incentive to use transition-based acceptance; instead, state-based
acceptance is output by default.
325
326
327
328
329
330
331
332
333

With =ltl2tgba -D= we get a (minimal) deterministic weak Büchi
automaton instead.

#+NAME: hier-oblig-2
#+BEGIN_SRC sh :results verbatim :exports code
  ltl2tgba -D 'Fa R b' -d
#+END_SRC

334
#+BEGIN_SRC dot :file hier-oblig-2.svg :var txt=hier-oblig-2 :exports results
335
336
337
338
$txt
#+END_SRC

#+RESULTS:
339
[[file:hier-oblig-2.svg]]
340
341
342
343
344
345
346
347
348
349
350
351


When we called =ltl2tgba=, without the option =-D=, the two automata
(non-deterministic and deterministic) were constructed, but the
deterministic one was discarded because it was bigger.  Using =-D=
forces the deterministic automaton to be used regardless of its size.

The detection and minimization of obligation properties is also used
by =autfilt= when simplifying deterministic automata (they need to be
deterministic so that =autfilt= can easily compute their complement).

For instance, let us use =ltl2dstar= to construct a Streett automaton
352
for the obligation property =Ga | XFb=.
353
354

#+NAME: hier-oblig-3
355
#+BEGIN_SRC sh :exports code
356
ltldo 'ltl2dstar --automata=streett' -f 'Ga | XFb' -d
357
#+END_SRC
358

359
#+BEGIN_SRC dot :file hier-oblig-3.svg :var txt=hier-oblig-3 :exports results
360
361
362
363
$txt
#+END_SRC

#+RESULTS:
364
[[file:hier-oblig-3.svg]]
365
366
367
368

We can now minimize this automaton with:

#+NAME: hier-oblig-4
369
#+BEGIN_SRC sh :exports code
370
ltldo 'ltl2dstar --automata=streett' -f 'Ga | XFb' | autfilt -D -C -d
371
#+END_SRC
372
#+BEGIN_SRC dot :file hier-oblig-4.svg :var txt=hier-oblig-4 :exports results
373
374
375
$txt
#+END_SRC
#+RESULTS:
376
[[file:hier-oblig-4.svg]]
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393

Here we have used option =-C= to keep the automaton complete, so that
the comparison with =ltl2dstar= is fair, since =ltl2dstar= always
output complete automata.

** Guarantee

/Guarantee/ properties can be translated into terminal automata.
There is nothing particular in Spot about /guarantee/ properties, they
are all handled like /obligations/.

Again, using =-D= will always produce (minimal) deterministic Büchi
automata, even if they are larger than the non-deterministic version.
The output should be a terminal automaton in either case,

An example is =a U Xb=:

394
#+BEGIN_SRC sh
395
396
397
398
399
400
401
402
ltlfilt -f 'a U Xb' --format='%[v]h'
#+END_SRC

#+RESULTS:
: guarantee


#+NAME: hier-guarantee-1
403
#+BEGIN_SRC sh :exports code
404
405
ltl2tgba 'a U Xb' | autfilt --highlight-nondet -d
#+END_SRC
406
#+BEGIN_SRC dot :file hier-guarantee-1.svg :var txt=hier-guarantee-1 :exports results
407
408
409
410
$txt
#+END_SRC

#+RESULTS:
411
[[file:hier-guarantee-1.svg]]
412
413

#+NAME: hier-guarantee-2
414
#+BEGIN_SRC sh :exports code
415
416
ltl2tgba -D 'a U Xb' -d
#+END_SRC
417
#+BEGIN_SRC dot :file hier-guarantee-2.svg :var txt=hier-guarantee-2 :exports results
418
419
420
421
$txt
#+END_SRC

#+RESULTS:
422
[[file:hier-guarantee-2.svg]]
423
424

** Safety
425
426
427
   :PROPERTIES:
   :CUSTOM_ID: safety
   :END:
428
429
430
431
432
433
434

/Safety/ properties also form a subclass of /obligation/ properties,
and again there is no code specific to them in the translation.
However, the /safety/ class corresponds to what can be represented
faithfully by monitors, i.e., automata that accept all their infinite
runs.

Maximilien Colange's avatar
Typos    
Maximilien Colange committed
435
For most safety formulas, the acceptance output by =ltl2tgba= will
436
437
438
439
440
441
442
443
already be =t= (meaning that all runs are accepting).  However since
the translator does not do anything particular about safety formulas,
it is possible to find some pathological formulas for which the
translator outputs a non-deterministic Büchi automaton where not all
run are accepting.

Here is an example:

444
#+BEGIN_SRC sh
445
446
447
448
449
450
451
452
ltlfilt -f '(a W Gb) M b' --format='%[v]h'
#+END_SRC

#+RESULTS:
: safety


#+NAME: hier-safety-1
453
#+BEGIN_SRC sh :exports code
454
455
ltl2tgba '(a W Gb) M b' | autfilt --highlight-nondet -d
#+END_SRC
456
#+BEGIN_SRC dot :file hier-safety-1.svg :var txt=hier-safety-1 :exports results
457
458
459
460
$txt
#+END_SRC

#+RESULTS:
461
[[file:hier-safety-1.svg]]
462
463
464
465
466

Actually, marking all states of this automaton as accepting would not
be wrong, the translator simply does not know it.

Using =-D= will fix that: it then produces a deterministic automaton
Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
467
that is guaranteed to be minimal, and where all runs are accepting.
468
469

#+NAME: hier-safety-2
470
#+BEGIN_SRC sh :exports code
471
472
ltl2tgba -D '(a W Gb) M b' -d
#+END_SRC
473
#+BEGIN_SRC dot :file hier-safety-2.svg :var txt=hier-safety-2 :exports results
474
475
476
477
$txt
#+END_SRC

#+RESULTS:
478
[[file:hier-safety-2.svg]]
479
480


Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
481
482
483
484
If you are working with safety formula, and know you want to work with
monitors, you can use the =-M= option of =ltl2tgba=.  In this case
this will output the same automaton, but using the universal
acceptance (i.e. =t=).  You can interpret this output as a monitor
Maximilien Colange's avatar
Typos    
Maximilien Colange committed
485
(i.e., a finite automaton that accepts all prefixes that can be
Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
486
extended into valid ω-words).
487
488

#+NAME: hier-safety-1m
489
#+BEGIN_SRC sh :exports code
490
491
ltl2tgba -M '(a W Gb) M b' | autfilt --highlight-nondet -d
#+END_SRC
492
#+BEGIN_SRC dot :file hier-safety-1m.svg :var txt=hier-safety-1m :exports results
493
494
495
496
  $txt
#+END_SRC

#+RESULTS:
497
[[file:hier-safety-1m.svg]]
498
499

#+NAME: hier-safety-2m
500
#+BEGIN_SRC sh :exports code
501
502
ltl2tgba -M -D '(a W Gb) M b' -d
#+END_SRC
503
#+BEGIN_SRC dot :file hier-safety-2m.svg :var txt=hier-safety-2m :exports results
504
505
506
507
$txt
#+END_SRC

#+RESULTS:
508
[[file:hier-safety-2m.svg]]
509
510
511
512
513
514
515
516
517
518
519
520


Note that the =-M= option can be used with formulas that are not
safety properties.  In this case, the output monitor will recognize a
language larger than that of the property.

** Recurrence

/Recurrence/ properties can be represented by deterministic Büchi
automata.

For the subclass of /obligation/ properties, using =-D= is a sure way
521
to obtain a deterministic automaton (and even a minimal one), but for
522
the /recurrence/ properties that are not /obligations/ the translator
523
does not make /too much/ effort to produce deterministic automata,
Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
524
even with =-D= (this might change in the future).
525

Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
526
527
528
529
All properties that are not in the /persistence/ class (this includes
the /recurrence/ properties that are not /obligations/) can benefit
from transition-based acceptance.  In other words using
transition-based acceptance will often produce shorter automata.
530
531
532
533

The typical example is =GFa=, which can be translated into a 1-state
transition-based Büchi automaton:

534
#+BEGIN_SRC sh
535
536
537
538
539
540
541
ltlfilt -f 'GFa' --format='%[v]h'
#+END_SRC

#+RESULTS:
: recurrence

#+NAME: hier-recurrence-1
542
#+BEGIN_SRC sh :exports code
543
544
ltl2tgba 'GFa' -d
#+END_SRC
545
#+BEGIN_SRC dot :file hier-recurrence-1.svg :var txt=hier-recurrence-1 :exports results
546
547
548
549
$txt
#+END_SRC

#+RESULTS:
550
[[file:hier-recurrence-1.svg]]
551
552
553
554

Using state-based acceptance, at least two states are required.  For instance:

#+NAME: hier-recurrence-2
555
#+BEGIN_SRC sh :exports code
556
557
ltl2tgba -S 'GFa' -d
#+END_SRC
558
#+BEGIN_SRC dot :file hier-recurrence-2.svg :var txt=hier-recurrence-2 :exports results
559
560
561
562
$txt
#+END_SRC

#+RESULTS:
563
[[file:hier-recurrence-2.svg]]
564
565


Maximilien Colange's avatar
Typos    
Maximilien Colange committed
566
Here is an example of a formula for which =ltl2tgba= does not produce a
567
568
deterministic automaton, even with =-D=.

569
#+BEGIN_SRC sh
570
571
572
573
574
575
576
ltlfilt -f 'G(Gb | Fa)' --format='%[v]h'
#+END_SRC

#+RESULTS:
: recurrence

#+NAME: hier-recurrence-3
577
#+BEGIN_SRC sh :exports code
578
579
ltl2tgba -D 'G(Gb | Fa)' | autfilt --highlight-nondet -d
#+END_SRC
580
#+BEGIN_SRC dot :file hier-recurrence-3.svg :var txt=hier-recurrence-3 :exports results
581
582
583
584
$txt
#+END_SRC

#+RESULTS:
585
[[file:hier-recurrence-3.svg]]
586
587

One way to obtain a deterministic Büchi automaton (it has to exist, since this is
588
589
590
591
592
593
a /recurrence/ property), is to request a deterministic automaton with parity
acceptance using =-P=.  The number of color output with =-P= is always reduced
to the minimal number possible, so for a /recurrence/ property the output
automaton can only have one of three possible acceptance: =Inf(0)=, =t=, or =f=.

#+NAME: hier-recurrence-4
594
#+BEGIN_SRC sh :exports code
595
ltl2tgba -P -D 'G(Gb | Fa)' -d
Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
596
#+END_SRC
597
#+BEGIN_SRC dot :file hier-recurrence-4.svg :var txt=hier-recurrence-4 :exports results
Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
598
599
$txt
#+END_SRC
600
601
602
603
604
605
606
#+RESULTS:
[[file:hier-recurrence-4.svg]]

Note that if the acceptance is =t=, the property is a monitor, and if
its =f=, the property is =false=.  In any way, if you would like to
obtain a DBA for any recurrent property, a sure way to avoid these
difference is to pipe the result through =autfilt -B=
Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
607

608
609
610
611
612
613
614
#+NAME: hier-recurrence-5
#+BEGIN_SRC sh :exports code
ltl2tgba -P -D 'G(Gb | Fa)' | autfilt -B -d
#+END_SRC
#+BEGIN_SRC dot :file hier-recurrence-5.svg :var txt=hier-recurrence-5 :exports results
$txt
#+END_SRC
Alexandre Duret-Lutz's avatar
Alexandre Duret-Lutz committed
615
#+RESULTS:
616
[[file:hier-recurrence-5.svg]]
617

618
619
620
621

It is likely that =ltl2tgba -B -D= will implement these steps in the
future, but so originally =-D= was only expressing a preference not a
requirement.
622
623
624
625
626
627
628
629

** Persistence

Since /persistence/ properties are outside of the /recurrence/ class,
they cannot be represented by deterministic Büchi automata.  The typical
persistence formula is =FGa=, and using =-D= on this is hopeless.

#+NAME: hier-persistence-1
630
#+BEGIN_SRC sh :exports code
631
ltl2tgba -D FGa -d
632
#+END_SRC
633
#+BEGIN_SRC dot :file hier-persistence-1.svg :var txt=hier-persistence-1 :exports results
634
635
636
637
$txt
#+END_SRC

#+RESULTS:
638
[[file:hier-persistence-1.svg]]
639
640
641
642
643
644
645
646
647


However since the *negation* of =FGa= is a /recurrence/, this negation
can be represented by a deterministic Büchi automaton, which means
that =FGa= could be represented by a deterministic co-Büchi automaton.
=ltl2tgba= does not generate co-Büchi acceptance, but we can do the
complementation ourselves:

#+NAME: hier-persistence-2
648
#+BEGIN_SRC sh :exports code
649
ltl2tgba --negate -D FGa | autfilt --complement -d
650
#+END_SRC
651
#+BEGIN_SRC dot :file hier-persistence-2.svg :var txt=hier-persistence-2 :exports results
652
653
654
655
$txt
#+END_SRC

#+RESULTS:
656
[[file:hier-persistence-2.svg]]
657
658
659

Note that in this example, we know that =GFa= is trivial enough that
=ltl2tgba -D GFa= will generate a deterministic automaton.  In the
660
661
662
general case we might have to determinize the automaton using =-P -D= as
we did in the previous section.  For persistence properties, =-P -D= should
return an automaton whose acceptance is one of =Fin(0)=, =t=, or =f=.
663

664
665
666
667
668
/Persistence/ properties can be represented by weak Büchi automata.
The translator is aware of that, so when it detects that the input
formula is a syntactic-persistence, it simplifies its translation
slightly to ensure that the output will use at most one acceptance
set.  (It is possible to define a persistence properties using an LTL
669
formula that is not a syntactic-persistence, in that case this
670
optimization is simply not applied.)
671
672
673
674

If the input is a weak property that is not syntactically weak, the
output will not necessarily be weak.  One costly way to obtain a weak
automaton for a formula $\varphi$ would be to first compute a
675
676
deterministic co-Büchi automaton $\varphi$ then transform that into a
Büchi automaton.
677

678
679
Let's do that on the persistence formula =F(G!a | G(b U a))=, just for
the fun of it.
680

681
#+BEGIN_SRC sh
682
683
684
685
686
687
688
689
ltlfilt -f 'F(G!a | G(b U a))' --format='%[v]h'
#+END_SRC
#+RESULTS:
: persistence

Unfortunately the default output of the translation is not weak:

#+NAME: hier-persistence-3
690
#+BEGIN_SRC sh :exports code
691
692
ltl2tgba 'F(G!a | G(b U a))' -d
#+END_SRC
693
#+BEGIN_SRC dot :file hier-persistence-3.svg :var txt=hier-persistence-3 :exports results
694
695
696
697
$txt
#+END_SRC

#+RESULTS:
698
[[file:hier-persistence-3.svg]]
699

700
So let's determinize using parity acceptance:
701
702

#+NAME: hier-persistence-4
703
#+BEGIN_SRC sh :exports code
704
ltl2tgba -P -D 'F(G!a | G(b U a))' -d
705
#+END_SRC
706
#+BEGIN_SRC dot :file hier-persistence-4.svg :var txt=hier-persistence-4 :exports results
707
708
709
710
$txt
#+END_SRC

#+RESULTS:
711
[[file:hier-persistence-4.svg]]
712

713
And finally we convert the result back to Büchi with =autfilt -B=.
714
715

#+NAME: hier-persistence-7
716
#+BEGIN_SRC sh :exports code
717
ltl2tgba -P -D 'F(G!a | G(b U a))' | autfilt -B --highlight-nondet --small -d
718
#+END_SRC
719
#+BEGIN_SRC dot :file hier-persistence-7.svg :var txt=hier-persistence-7 :exports results
720
721
722
$txt
#+END_SRC
#+RESULTS:
723
[[file:hier-persistence-7.svg]]
724

725
That is indeed, a weak non-deterministic automaton.
726
727
728
729
730
731
732

#  LocalWords:  utf Pnueli html args PODC SCC subexpressions mathsf
#  LocalWords:  SRC ltlfilt vw GOPRT randltl genltl ltlgrind Dwyers
#  LocalWords:  et al FMSP dac uniq XFp psl Fb GF Gb FX GFb GXa wc tl
#  LocalWords:  powerset pdf FGb Xa Xb FXa GFa Löding IPL Dax ATVA
#  LocalWords:  tgba Löding's nondet hier oblig svg txt SCCs dstar
#  LocalWords:  XFb ltldo streett DBA FGa varphi