N ◦ d’ordre : 1036 TH ` ESE pr´ esent´ ee ` a l’Institut National des Sciences Appliqu´ ees de Toulouse pour l’obtention du titre de DOCTEUR de l’Universit´ e de Toulouse d´ elivr´ e par l’INSA Sp´ ecialit´ e: Syst` emes Informatiques par Zhe CHEN Lab. Toulousain de Technologie et d’Ing´ enierie des Syst` emes (LATTIS) Laboratoire d’Analyse et d’Architecture des Syst` emes (LAAS-CNRS) ´ Ecole Doctorale Syst` emes Titre de la th` ese : The Control System in Formal Language Theory and The Model Monitoring Approach for Reliability and Safety Soutenue le 9 Juillet 2010, devant le jury : Rapporteur : Maritta Heisel Professeur ` a l’Universit¨ at Duisburg-Essen, Germany Rapporteur : Fabrice Bouquet Professeur ` a l’INRIA, Universit´ e de Franche-Comt´ e Examinateur: Gilles Motet Professeur ` a l’INSA de Toulouse - Directeur de th` ese Examinateur: Karama Kanoun Directeur de Recherche au LAAS-CNRS Examinateur: Jean-Paul Blanquart Astrium, European Aeronautic Defence and Space (EADS)
Transcript
N◦ d’ordre : 1036
THESE
presentee a
l’Institut National des Sciences Appliquees de Toulouse
pour l’obtention du titre de
DOCTEUR
de l’Universite de Toulouse delivre par l’INSA
Specialite: Systemes Informatiques
par
Zhe CHEN
Lab. Toulousain de Technologie et d’Ingenierie des Systemes (LATTIS)Laboratoire d’Analyse et d’Architecture des Systemes (LAAS-CNRS)
Ecole Doctorale Systemes
Titre de la these :
The Control System in Formal Language Theory andThe Model Monitoring Approach for Reliability and Safety
Soutenue le 9 Juillet 2010, devant le jury :
Rapporteur : Maritta Heisel Professeur a l’Universitat Duisburg-Essen, GermanyRapporteur : Fabrice Bouquet Professeur a l’INRIA, Universite de Franche-ComteExaminateur: Gilles Motet Professeur a l’INSA de Toulouse - Directeur de theseExaminateur: Karama Kanoun Directeur de Recherche au LAAS-CNRSExaminateur: Jean-Paul Blanquart Astrium, European Aeronautic Defence and Space (EADS)
Acknowledgement
Although I have been mostly working independently in the lab during all thoseyears, I would not have been able to do this thesis without the support, advice andencouragement of others, teachers, friends and colleagues. Accordingly, I would liketo use this opportunity to express my gratitude to a number of people who over theyears have contributed in various ways to the completion of this work.
In the first place I would like to record my gratitude to my thesis supervisorProf. Gilles Motet for guiding me in my research, and at the same time, for lettingme the freedom to take initiatives in the development of my lines of research. Heprovided me unflinching encouragement and support in various ways. His trulyscientist intuition has made him as a constant oasis of ideas and passions in science.Thanks also for being available almost at all times for me. Working with you was areal pleasure.
Thanks to the reading committee, Prof. Maritta Heisel and Prof. Fabrice Bou-quet for accepting to spend time reading and evaluating my thesis and their con-structive comments on this thesis. I am thankful that in the midst of all theiractivities, they accepted to be members of the reading committee. Also, I wouldlike to thank the other members of my committee, Prof. Karama Kanoun and Dr.Jean-Paul Blanquart who all immediately agreed when I asked them to join in.
Thanks to all members of the lab LATTIS, LAAS-CNRS, and the Departmentof Electronic and Computer Engineering at INSA. If I look back to all these years,I think that at one moment or another, each one of them helped me in some way.Thanks in particular to Stephanie, Roberto, Samuel, Guillaume and Karim for dis-cussions. Thanks to our director Daniele and our secretaries, Rosa, Estelle, Joelle,Karima, Sophie, Helene. I would like to thank you all for the nice atmosphere withinthe lab.
I would like to thank all my Chinese friends in France: Ping, Ruijin, Yanwen,Junfeng, Susu, Yanjun, Hongwei, Yanping, Xiaoxiao, Fan, Letian, Wei, Dongdong,Haojun, Xinwei, Hong, Juan, Haoran, Linqing, Tao, Lijian, Jie, Jing, Lei, Binhong,Bo, Wenhua. With your friendship, the time in France became joyful and memo-rable. Our celebration of the Chinese Spring Festival, our parties and games werefantastic!
I was extraordinarily fortunate in having several nice and apt supervisors inChina. I could never have embarked and started all of this without their priorguidance in computer science and thus opened up unknown areas to me. I conveyspecial acknowledgement to them: Dunwei Wen and Dezhi Xu at Central SouthUniversity, Ming Zhou, Chin-Yew Lin and Jiantao Sun at Microsoft Research Asia,and Yuxi Fu at Shanghai Jiao Tong University.a�·�¤kP��§´\�¦·�eûÐ��£Ä:"AOa�ÙýP
Finally, I would like to thank everybody who were important to the successfulrealization of this thesis, as well as express my apology that I could not mentionpersonally one by one.
Abstract
This thesis contributes to the study of reliability and safety of computer andsoftware systems which are modeled as discrete event systems. The major contribu-tions include the theory of Control Systems (C Systems) and the model monitoringapproach.
In the first part of the thesis, we study the theory of control systems which com-bines and significantly extends regulated rewriting in formal languages theory andsupervisory control. The control system is a generic framework, and contains twocomponents: the controlled component and the controlling component that restrictsthe behavior of the controlled component. The two components are expressed usingthe same formalism, e.g., automata or grammars. We consider various classes ofcontrol systems based on different formalisms, for example, automaton control sys-tems, grammar control systems, and their infinite versions and concurrent variants.After that, an application of the theory is presented. The Buchi automata basedcontrol system is used to model and check correctness properties on execution tracesspecified by nevertrace claims.
In the second part of the thesis, we investigate the model monitoring approachwhose theoretical foundation is the theory of control systems. The key principle ofthe approach is “property specifications as controllers”. In other words, the func-tional requirements and property specification of a system are separately modeledand implemented, and the latter one controls the behavior of the former one. Themodel monitoring approach contains two alternative techniques, namely model mon-itoring and model generating. The approach can be applied in several ways to im-prove reliability and safety of various classes of systems. We present some typicalapplications to show its strong power. First, the approach provides better supportfor the change and evolution of property specifications. Second, it provides thetheoretical foundation of safety-related systems in the standard IEC 61508 for en-suring the functional validity. Third, it is used to formalize and check guidelinesand consistency rules of UML.
These results lay out the foundations for further study of more advanced controlmechanisms, and provide a new way for ensuring reliability and safety.
Keywords: C system, control system, model monitoring, model generating, modelchecking, formal language, automaton, grammar, regulated rewriting, supervisorycontrol, safety-related system, UML
Résumé
Cette thèse contribue à l'étude de la �abilité et de la sécurité-innocuité dessystèmes informatisés, modélisés par des systèmes à événements discrets. Les prin-cipales contributions concernent la théorie des Systèmes de Contrôle (C Systems) etl'approche par Monitoring des modèles.
Dans la première partie de la thèse, nous étudions la théorie des systèmes decontrôle qui combine et étend de façon signi�cative, les systèmes de réécriture dela théorie des langages et le contrôle supervisé. Un système de contrôle est unestructure générique qui contient deux composants : le composant contrôlé et le com-
posant contrôlant qui restreint le comportement du composant contrôlé. Les deuxcomposants sont exprimés en utilisant le même formalisme comme des automates oudes grammaires. Nous considérons di�érentes classes de systèmes de contrôle baséssur di�érents formalismes comme, par exemple, les automates, les grammaires, ainsique leurs versions in�nies et concurrentes. Ensuite, une application de cette théorieest présentée. Les systèmes de contrôle basés sur les automates de Büchi sont util-isés pour véri�er par model-checking, des propriétés dé�nissant la correction sur destraces d'exécution spéci�ées par une assertion de type nevertrace.
Dans la seconde partie de la thèse, nous investiguons l'approche de monitoring desmodèles dont la théorie des systèmes de contrôle constitue les fondations formelles.Le principe pivot de cette approche est la spéci�cation de propriétés comme con-
trôleur. En d'autres termes, pour un système, les exigences fonctionnelles, d'unepart, et des propriétés, d'autre part, sont modélisées et implantées séparément, lespropriétés spéci�ées contrôlant le comportement issu des exigences fonctionnelles.De cette approche découle ainsi deux techniques alternatives, respectivement nom-mées monitoring de modèle et génération de modèle. Cette approche peut être util-isée de diverses manières pour améliorer la �abilité et la sécurité-innocuité de diverstypes de systèmes. Nous présentons quelques applications qui montrent l'intérêtpratique de cette contribution théorique. Tout d'abord, cette approche aide à pren-dre en compte les évolutions des spéci�cations des propriétés. En second lieu, ellefournit une base théorique à la sécurité fonctionnelle, popularisée par la norme IEC61508. En troisième lieu, l'approche peut être utilisée pour formaliser et véri�erl'application de guides de bonnes pratiques ou des règles de modélisation appliquéespar exemple pour des modèles UML.
Ces résultats constituent les bases pour des études futures de dispositifs plusperfectionnés, et fournissent une nouvelle voie pour s'assurer de la �abilité et de lasécurité-innocuité des systèmes.
Mots clef : C system, système de contrôle, monitoring de modèle, génération demodèle, model checking, langage formel, automate, grammaire, réécriture, contrôlesupervisé, sécurité fonctionnelle, UML
This thesis contributes to the study of reliability and safety of computer and softwaresystems, which are modeled as discrete event systems. In this chapter, after summarizingbasic concepts, a new methodology, namely the model monitoring approach, is informallyproposed, in order to treat several identified problems and challenges.
1.1 Failures and Accidents of Computer and Software Systems
Computer and software systems are pervasive in our society nowadays. People is increas-ingly dependent on computers and software applications in almost every aspect of dailylife, e.g., Internet technology, mobile phones, audio and video systems, consumer electron-ics. A more important fact is that, embedded software solutions control safety criticalsystems whose failures may cause accidents and great loss, such as satellite constellation,aircraft and flight control, high-speed trains, cars, traffic control, nuclear plant, chemicalprocesses, medical devices, cash dispensers. Therefore, it becomes critical to ensure theabsence of failures and accidents.
A (design, interaction or physical) fault in a system may be activated and cause anerror, which will be propagated and cause a failure [3, 4]. A failure is an event switchingthe system to incorrect behavior (deviation from the specification). An error is the part ofthe internal state of a system that may lead to failure. Fortunately, in the past two decades,the overall mean time to failure has decreased by two orders, thanks to the progressivemastering of physical faults [3]. Therefore, the current dominate sources of failure aredesign and interaction faults, due to the increasing size and complexity of systems.
Failures may have substantial financial consequences for the manufacturer. For in-stance, the bug in Intel’s Pentium II floating point division unit caused a loss of about475 million US dollars to replace faulty processors in the early nineties.
More seriously, the failure of safety critical systems may result in accidents, which leadto severe harms to the environment and the user.
Between 1985 and 1987, a software fault in the control module of the radiation therapymachine Therac-25 caused the death of six cancer patients, because they were exposed toan overdose of radiation due to bad but authorized use of the system.
A more recent example is the self-destructing explosion of Ariane 5 launcher on June4, 1996. The accident was resulted from the successive failures of the active InertialReference System (IRS) and the backup IRS [88]. Ariane 5 adopted the same referencesystem as Ariane 4. However, the profile of Ariane 5 was different from that of Ariane
1
2 Chapter 1. Introduction
4 — the acceleration communicated as input value to the IRS of Ariane 5 was higher.Furthermore, the interactions between the IRS and other components were not redefinedand checked. During the launch, an exception occurred when a large 64-bit floating pointnumber was converted to a 16-bit signed integer. Due to the overflow of input valuecomputation, the IRS stopped working [81]. Then, the signaled error was interpreted asa launcher attitude, and led the control system to rotate the tailpipe at the end stop [59],which caused the self-destruction of the rocket.
It is worth noting that the absence of failures does not necessarily mean the absence ofaccidents. Some safety constraints may be unknown when developing, or not included inthe specification, or not correctly described at design time. As a result, the requirements,specification and their reliable implementation may be all unsafe.
As an example, consider an accident occurred in a batch chemical reactor in England[80, 87]. Figure 1.1 shows the design of the system. The computer, which served as acontrol system, controlled the flow of catalyst into the reactor and the flow of water forcooling off the reaction, by manipulating the valves. Additionally, the computer receivedsensor inputs indicating the status of the system. The designers were told that if anabnormal signal occurred in the plant, they were to leave all controlled variables as theywere and to sound an alarm.
Gearbox
Catalyst
Reactor CoolingWater
ControlSystem
Figure 1.1: Reactor Control System
On one occasion, the control system received an abnormal signal indicating a low oillevel in a gearbox, and reacted as the functional requirements specified, that is, sounded analarm and maintained all variables with their present condition. Unfortunately, a catalysthad just been added into the reactor, but the control system had not opened the flow ofcooling water completely. As a result, the reactor overheated, the relief valve lifted andthe contents of the reactor were discharged into the atmosphere. Note that there were nofailures involved in this accident, since all components worked as specified.
Another example is the loss of the Mars Polar Lander, which was attributed to amisapprehensive interaction between the onboard software and the landing leg system[10]. The landing leg system was expected and specified to generate noise (spurious signals)when the landing legs were deployed during descent to the planet surface. However, theonboard software interpreted these signals as an indication that landing had occurred (asspecified in their requirements) and shut down the descent engines, causing the spacecraftto crash into the Mars surface. Note that again there were no failures involved in thisaccident, since all components (the landing legs and the software) worked as specified.
1.2. Dependability, Reliability and Safety 3
1.2 Dependability, Reliability and Safety
Dependability of a computing system is the ability to deliver services that can justifi-ably be trusted [85, 3, 4, 59]. Other similar concepts exist, such as trustworthiness andsurvivability.
Dependability includes the following basic attributes: reliability, safety, confidentiality,availability, integrity, maintainability [3, 4]. Combinations or specializations of the basicattributes derive several other attributes, such as security and robustness.
Here, we are interested in the first two criteria, i.e., reliability and safety.Reliability means continuity of correct service [87, 3], i.e., the aptitude of a system to
accomplish a required function in given conditions, and for a given interval of time [59].Note that a system is said to be “correct” if it fulfills the specification, i.e., correctness isalways relative to a specification. Thus, reliability is defined as the absence of failures. Thereliability of a physical product is always decreasing, due to the degradation of hardware.However, in the case of software systems, reliability stays constant, due to the absence ofageing phenomena.
Safety means the absence of accidents [87], involving severe consequences on the envi-ronment including the user [3], i.e., freedom from unacceptable risk of physical injury orof damage to the health of people, either directly, or indirectly as a result of damage toproperty or to the environment [77].
In fact, reliability and safety are different attributes. High reliability is neither neces-sary nor sufficient for safety [86]. This observation opposes the most pervasive assumptionin engineering that, safety is proportional to reliability, i.e., safety can be increased byonly increasing system or component reliability.
A system can be reliable but unsafe. Accidents may result from a reliable systemimplementing unsafe requirements and specification. For example, the loss of the MarsPolar Lander was caused by an interaction accident, which results from noise generatedby the landing legs. The landing legs and the onboard software performed correctlyand reliably (as specified in their requirements), but the accident occurred because thedesigners did not consider all possible interactions between components [87, 88].
A system can be safe but unreliable. For example, human operators are not reliable,if they do not follow the specified requirements (i.e., procedures). But they may preventan accident if the specified requirements turn out to be unsafe under the environment ata particular time. Another example is fail-safe systems, which are designed to fail into asafe state [87]. A stopped car can avoid traffic accidents.
Therefore, a more reasonable assumption is that, if all the necessary safety constraintsare known and completely and correctly included in requirements and specification, thensafety can be increased by increasing reliability. Unfortunately, it is always hard to satisfythis assumption in practice.
First, it is frequently impossible to identify all the necessary safety constraints whendesigning. Also, requirements and specification may evolve or change through learningnew safety constraints from historical accidents [90].
Second, in some cases, we cannot include some safety constraints in the requirementsand specification, although they are known. There are various reasons, such as the techni-cal limit, the tradeoff between economics and safety, etc. Sometimes, reliability and safetyeven conflict, that is, increasing one of them may decrease the other [86]. For example,some missions are inherently unsafe, such as toxic chemical reaction, nuclear bomb, etc.
4 Chapter 1. Introduction
Not building such systems is the most safe solution.However, we shall also acknowledge that there is an intersection between reliability
and safety, because if a necessary safety constraint is explicitly specified then the reliableimplementations can improve safety.
To conclude, we may increase reliability by eliminating failures, while we shall increasesafety by eliminating or preventing effects of hazards. High reliability does not necessarilymean high safety, due to the safety constraints which are unknown, or not included in thespecification, or not correctly described.
1.3 Formal Verification and Correctness
An important stage of development is verification and validation (V&V). The formerchecks that the design satisfies the identified requirements (whether we are building thesystem right), while the latter judges whether the formalized problem statement (model+ properties) is consistent with the informal conception of the design (whether we areverifying the right system).
System verification aims at improving reliability, i.e., checking that the design satisfiescertain properties. The properties to be verified are mostly obtained from the specificationof the system. The system is considered to be “correct” if it fulfills all specified proper-ties, i.e., the correctness contributes to reliability. It is a major challenge to ensure thecorrectness of the design at the earliest stage possible. In fact, the cost of verificationand validation of a computing system is at least half of the development cost, and threequarters for highly critical systems [3].
The most currently practiced verification techniques include peer reviewing, simulationand testing [103]. Empirical studies show that peer reviewing of uncompiled code catchesbetween 31% and 93% of the faults with a median around 60%, but concurrency andalgorithm faults are hard to catch. Simulation and testing are dynamic techniques thattraverse a set of execution paths. However, exhaustive testing of all execution paths ispractically infeasible.
A serious problem with these techniques is that we never know when to stop verifica-tion, and whether there are still bugs in the design, although they are effective in earlystages of debugging. Another problem is their inability to scale up for large complexdesigns, because they can only explore a small portion of the possible behaviors of thesystem.
Over the last thirty years, a very attractive approach toward the correctness is formalverification, which uses an exhaustive exploration of all possible behaviors of the system.Generally, formal methods are considered as the applied mathematics for modeling andanalyzing systems, and are one of the “highly recommended” verification techniques ac-cording to several international standards. For formal verification, computer and softwaresystems are usually modeled as Discrete Event Systems (DES) which are discrete-state,event-driven systems. That is, the state space is a discrete set, and the state evolutiondepends entirely on the occurrence of asynchronous discrete events over time [18].
A prominent technique of formal verification is model checking [31, 5], which wasdeveloped independently by Clarke and Emerson [30] and Quielle and Sifakis [111]. Itallows the desired properties to be verified automatically by exploring exhaustively andsystematically the state space of the system model.
The methodology of model checking is shown in Fig. 1.2.
1.4. Problems and Challenges 5
systemmodel
propertyspecification
system behaviors(sequences of events)
verification
satisfies
Figure 1.2: The Methodology of Model Checking
The system model, describing the behaviors of the system, is usually written usingspecific languages (e.g., Promela), or automatically generated from a model descriptionspecified in some dialect of programming languages (e.g., C, Java) or hardware descriptionlanguages (e.g., Verilog, VHDL).
The property specification prescribes what the system should or should not do, suchas functional correctness (does the system do what it is expected to do?), reachability(is it possible to reach a certain state, e.g., deadlock?), safety (something bad never oc-curs), liveness (something good will eventually occur), fairness (does an event can occurrepeatedly?), and real-time properties (is the system acting in time?).
Then efficient algorithms are used to determine whether the system model satisfies theproperty specification by checking all possible system behaviors, i.e., through exhaustiveenumeration (explicit or implicit) of all states reachable by the system and the sequences ofevents that traverse through them. If there exists one behavior that violates the property,it is highlighted as a counterexample.
The model checking approach enjoys two remarkable advantages. First, it is fully auto-matic. Unlike theorem proving, neither user interaction nor expertise is required. Second,if the model fails to satisfy a property, a counterexample is always produced serving aspriceless debugging information. If the design is announced correct, it implies that allbehaviors have been explored, and the coverage problem becomes irrelevant. As a result,model checking has been widely used in industrial projects to verify safety critical sys-tems, such as aircraft [11, 13], traffic alert and control system for airplanes [19], spacecraft[68], train control system [52], storm surge barrier control system [122, 126] and otherembedded software [117].
1.4 Problems and Challenges
In this section, we list some current problems and challenges in the domains related toreliability and safety. These issues inspired us to develop the new theory in this thesis,which in turn contributes to these applications.
1.4.1 Checking Properties on Execution Traces
Software model checkers, e.g., SPIN, support various constructs for formalizing differentclasses of properties. The most powerful constructs are the never claim, the trace andnotrace assertions. The never claim is used to specify the properties on sequences of statesthat should never occur, while the trace and notrace assertions are used to specify theproperties on sequences of transitions of simple channel operations, i.e., simple send andreceive operations on message channels. A transition is a statement between two states,thus the trace and notrace assertions only treat a restricted subset of transitions.
6 Chapter 1. Introduction
However, we observed that the existing constructs cannot specify the properties onfull sequences of transitions apart from the transitions of simple channel operations, e.g.,assignments, random receive operations, etc. Therefore, we need a new construct forspecifying correctness properties related to execution traces, and a theory to support thechecking of the properties.
1.4.2 Supporting the Change and Evolution of Property Specifications
The change and evolution of property specifications are now challenges to the tradi-tional development process. The changes are common both at design-time and post-implementation, especially for the systems whose life period is long, e.g., aircrafts, nuclearplants, critical embedded electronic systems, etc. The changes may result from variousfactors, such as the change of dependability requirements and new safety regulations.
Unfortunately, the changes always cause high expenditure of rechecking and revisingthe system, especially when the system is too complex to be clearly analyzed manuallyor so large that the revision is not trivial. Moreover, the changes may not only lead tomodify a small portion of the system, but to revise the entire design. Therefore, we needa technique to support changeful property specifications at a lower cost.
1.4.3 Functional Validity of Safety-Related Systems in IEC 61508
The international standard IEC 61508 [77] provides a generic process for electrical, elec-tronic, or programmable electronic (E/E/PE) Safety-Related Systems (SRS) to achievean acceptable level of functional safety. The achieved safety requirements consist of twoparts, safety functions and associated safety integrity levels (SIL).
However, the standard focuses more on the realization of integrity requirements ratherthan function requirements. As a result, the standard indicates only the product is of agiven reliable integrity, but not whether it implements the right safety requirements. Fur-thermore, the standard does not prescribe exactly how the verification of safety functionsof an SRS could technically be done.
As a result, the problem of functional validity arises. Functional validity meanswhether the safety functions realized by the SRS can really prevent accidents and recoverthe system from hazardous states, provided the expected safety integrity level is reached.Therefore, we need a generic technical methodology to achieve functional validity.
1.4.4 Guidelines and Consistency Rules of UML Models
The Unified Modeling Language (UML) is a visual modeling language developed by ObjectManagement Group (OMG) [108, 109]. Guidelines and consistency rules of UML are usedto control the degrees of freedom provided by the UML language to prevent faults. Guide-line contains a set of rules which recommend certain uses of technologies (e.g., modelingand programming languages) to produce more reliable, safe and maintainable productssuch as computer and software systems. Consistency problems of UML models have at-tracted great attention from both academic and industrial communities [83, 82, 76]. A listof 635 consistency rules are identified by [124, 125].
However, guidelines and consistency rules provide informal restrictions on the use oflanguage, which makes checking difficult. Therefore, we need theories and techniques toformalize guidelines and consistency rules to control the use of UML.
1.5. A Preview of the Model Monitoring Approach 7
1.5 A Preview of the Model Monitoring Approach
In order to treat the identified problems and challenges, a new formal method, namely themodel monitoring approach, and its theoretical foundation, namely the Control System (CSystem), will be proposed in this thesis. In this section, we will informally introduce themethodology and its applications.
1.5.1 The Methodology
Let us consider the language-theoretic approach for modeling, analyzing and controllingdiscrete event systems. These systems receive input events acquired from sensors andproduce output events via actuators. The set of all possible sequences of events (i.e., words)is a language whose alphabet is the set of inputs and outputs (timed and stochastic featuresare not considered). If a language is finite, we could list all its elements, i.e., all possiblesystem behaviors. Unfortunately, this is rarely practical, since infinite sequences exist.Note that these sequences are not random but restrained by the system implementation.Therefore, we use discrete event modeling formalisms to represent the system model, whichis implemented to generate system behaviors.
It is usually expected that a system satisfies some properties to ensure dependability.The properties restrict all possible system behaviors to a subset. That is, some undesiredsequences of events and execution traces are not admissible, since they violate the propertyspecification. The admissible subset of execution traces can be defined by a controllinglanguage whose alphabet includes the elements of execution traces. Again, the controllinglanguage cannot be specified by enumerating all admissible execution traces, since infiniteadmissible execution traces exist. Therefore, the properties are also modeled using certainformalisms, such as automata and temporal logic.
Usually, the properties are verified during the development process to restrict thedesign of the system. However, as the natures of the system model and the properties aredifferent, their manual integration is complex and error-prone. Therefore, we try to find anew methodology to ensure the properties at a lower cost by separating the system modeland the property specification.
The Model Monitoring Approach. As shown in Fig. 1.3, our new methodologyconsists in preserving the parting of the system model and the property specification. Theproperty specification is modeled and implemented as a control structure which supervisesthe behavior of the system. Thus the behaviors generated by the global system satisfythe properties. This is significantly different from the methodology of model checking (c.f.Fig. 1.2).
The system behaviors are expressed as a language L on the inputs and outputs, gener-ated by the system model. Whereas the properties are formulated as a controlling modelaccepting a controlling language L on the execution traces rather than inputs and out-puts. Then the two models can be automatically merged or, preferably, executed in par-allel. Technically, we use two alternative implementations: model monitoring and modelgenerating. For model monitoring, the controlling model supervises the execution of thesystem at runtime. Whereas model generating automatically combines the two modelsto generate a global system satisfying the properties. As a result, the sequence of inputscontrols certain degrees of freedom of the system behaviors, and the properties controlother degrees of freedom leading to correct and safe outputs.
8 Chapter 1. Introduction
systemmodel
propertyspecification
system behaviors(sequences of events)
globalsystem
control
Figure 1.3: The Methodology of the Model Monitoring Approach
Control System (C System). As the theoretical foundation of the model monitoringapproach, a new formalism based on the formal language theory, namely the Control Sys-tem (C System), will be proposed. The C System is a generic framework, and containstwo components: the controlled component and the controlling component. The controlledcomponent expresses a language L on inputs and outputs. Whereas the controlling com-ponent, also called a controller, expresses a controlling language L restricting the use ofL without changing L itself. Technically, each component can be formulated using au-tomata or grammars, resulting in two types of C systems: automaton control systems andgrammar control systems, respectively.
Automaton Control System (AC System). A discrete event system is always mod-eled as an automaton A which accepts a language L(A) = L. The property specificationis modeled as a controlling automaton A accepting a language L(A) = L. The model Acontrols the execution of A, thus all controlled behaviors satisfy the properties. Therefore,the global system which consists of A and A satisfies the desired property specification.
Grammar Control System (GC System). A grammar system is always modeled asa grammar G which accepts a language L(G) = L. The property specification is modeledas a controlling grammar G accepting a language L(G) = L. The grammar G controlsthe derivation of G, thus all controlled derivations produce only the words satisfying theproperties. Therefore, the global system which consists of G and G satisfies the desiredproperty specification.
Infinite Versions. Some system behaviors may be of infinite length, e.g., nonstop sys-tems. If we consider the system behaviors of infinite length as ω-words, then the set of allpossible sequences of events is an ω-language, which can be generated by an ω-automatonor an ω-grammar. In this case, we define the infinite versions of the above types of controlsystem, namely ω-C System, ω-AC System, and ω-GC System, respectively.
We would like to mention some obvious differences between our formalism and Ra-madge and Wonham’s supervisory control [112]. The C System is a more generic frame-work taking into account automata, grammars, ω-automata and ω-grammars etc., whereassupervisory control only considers finite state automata. Furthermore, other technical dif-ferences will be discussed in the subsequent chapters.
1.6. Outline of the Thesis 9
1.5.2 Applications
One generic application of the model monitoring approach is to provide better supportfor the change and evolution of property specifications. If the property specification ob-tained from dependability requirements changes, only the controlling component needsmodifications, thus decreasing the cost.
The model monitoring approach can also serve as the theoretical foundation of safety-related systems in IEC 61508. A safety-related system can be modeled as a controllingcomponent that supervises the execution of the controlled system.
The GC system can be used to formalize and check guidelines and consistency rules ofUML. The grammar of UML is considered as a grammar system, and the system behaviorsare the conforming user models. With the supervisory of controlling grammars specifyingguidelines and consistency rules, the global system accepts only consistent UML usermodels.
A variant of the ω-AC system can be used to specify and model checking the prop-erties on execution traces, since the controlling language defines the admissible subset ofexecution traces.
1.6 Outline of the Thesis
This dissertation consists of two parts, which expose the theory of Control Systems (CSystems), and the model monitoring approach, respectively.
The first part proposes the theory of C Systems, based on the theory of automata andformal languages. The C System has two versions: finite and infinite, which are named CSystem and ω-C System, respectively. The finite version is based on the classic theory ofautomata and formal languages, and used to model systems with finite length behaviors,e.g., the systems with final states, the grammar of UML which accepts conforming modelsthrough finite derivations. The infinite version is based on the theory of ω-automata andω-languages, and used to model nonstop systems, e.g., chemical reactor systems.
Chapter 2 briefly recalls the necessary preliminaries. We introduce some basic no-tions about automata, grammars and languages. We then review some related theories,including regulated rewriting, supervisory control and model checking.
Chapter 3 proposes the theory of Control Systems (C Systems) on finite words. Tech-nically, three types of C Systems and their generative power are studied, namely Gram-mar Control Systems (GC Systems), Leftmost-derivation-based Grammar Control Systems(LGC Systems) and Automaton Control Systems (AC Systems).
Chapter 4 provides the preliminary for Chapter 5. We propose the (σ, ρ, π)-acceptingω-grammar, and study its relative generative power to (σ, ρ)-accepting ω-automata.
Chapter 5 proposes the theory of ω-Control Systems (ω-C Systems) on infinite words.Technically, three types of ω-C Systems and their generative power are studied, namely ω-Grammar Control Systems (ω-GC Systems), Leftmost-derivation-based ω-Grammar Con-trol Systems (ω-LGC Systems) and ω-Automaton Control Systems (ω-AC Systems).
Chapter 6 proposes the Buchi Automaton Control System (BAC System), which isa special case of the ω-AC system. The variants of BAC systems in the context of con-currency are also discussed, such as Input/Output Automaton Control System (IO-ACSystem) and Interface Automaton Control System (IN-AC System).
Chapter 7 presents an application of the BAC system in model checking. We propose
10 Chapter 1. Introduction
the nevertrace claim, which is a new construct for specifying correctness properties. Thetheoretical foundation for checking nevertrace claims is studied.
The second part proposes the model monitoring approach based on the theory of CSystems, and introduces its applications.
Chapter 8 presents the model monitoring approach. An application concerning sup-porting the change and evolution of property specifications is discussed to illustrate themerits.
Chapter 9 discusses two additional applications of the model monitoring approach toshow its strong power. The first one concerns safety-related systems in IEC 61508, whichare automata-based systems. The second one concerns guidelines and consistency rules ofUML, which is a grammar system.
Chapter 10 concludes this thesis by summarizing contributions and future work.
It is worth noting that the two parts are strongly connected. This means, in order toread the second part, the reader needs to understand the basic idea and notations intro-duced in the first part. However, the proofs can be skipped in a first reading. Furthermore,as an exception, Chapters 4 and 5, which explore the theoretical aspects of the ω-languagestheory, could be safely skipped if the reader is more interested in the applications thanthe theoretical results.
Provenance of the material. This thesis is partially based on published materials.Chapter 6, which presents the Buchi Automaton Control System (BAC System) and itsconcurrent variants, is an improved and extended version of our earlier work on thesesubjects. In particular, the BAC system was proposed in [26, 25], the IO-AC systemwith existential meta-composition operator was introduced in [22], and the IN-AC systemwith universal meta-composition operator was discussed in [23, 20]. A short version ofChapter 7 which proposes the nevertrace claim appeared in [24]. In Chapter 8, theidea of separating functional and dependability requirements was introduced in [25, 26].In Chapter 9, the application of grammar control systems for modeling and checkingguidelines and consistency rules of UML was discussed in [21].
Part I
Control Systems in FormalLanguage Theory (C Systems)
11
Chapter 2
Preliminaries
In this chapter, we briefly recall the necessary preliminaries. We introduce some basicnotions about automata, grammars and languages. We then review some related theories,including regulated rewriting, supervisory control and model checking.
2.1 Automata, Grammars and Languages
Some basic definitions, conventions and notations are recalled in this section. The exhaus-tive investigations on this subject could be found in the monographs [61, 74, 116, 115].
2.1.1 The Chomsky Hierarchy
The Chomsky hierarchy is a containment hierarchy of classes of formal grammars andlanguages, which was first proposed in [28, 29]. The four numbered types and two addi-tional important types of languages, along with their associated classes of grammars andautomata, are summarized in Table 2.1.
Conventions: The capital letters A,B,C,D,E and S denote nonterminals, S is the startsymbol unless stated. The lowercase letters near the beginning of the alphabet a, b, c, d, edenote terminals. The capital letters near the end of the alphabet X,Y, Z denote eitherterminals or nonterminals. The lowercase letters near the end of the alphabet u, v, w, x, y, zdenote strings of terminals. The lowercase Greek letters α, β, γ denote strings of eitherterminals or nonterminals.
Definition 2.1. A phrase structure grammar (PSG) is denoted G = (N,T, P, S), where Nis a finite set of nonterminals, T is a finite set of terminals, P is a finite set of productions
13
14 Chapter 2. Preliminaries
of the form α→ β with α 6= ε, and α, β are strings of symbols from (N ∪ T )∗, and S ∈ Nis the start symbol. We define the vocabulary V = N ∪ T . The language accepted by G isL(G) = {w ∈ T ∗ | S ⇒∗ w}. �
Some other names for phrase structure grammars include type 0 grammars, or unre-stricted grammars.
Definition 2.2. A context-sensitive grammar (CSG) is a phrase structure grammar whoseproductions are of the form α→ β with α 6= ε and |α| ≤ |β|, and α, β ∈ (N ∪ T )∗. �
The term “context-sensitive” comes from a normal form for these grammars, whereeach production is of the form α1Aα2 → α1βα2, with β 6= ε.
Definition 2.3. A context-free grammar (CFG) is a phrase structure grammar whoseproductions are of the form A→ α where A ∈ N is a nonterminal, and α ∈ (N ∪ T )∗. �
Definition 2.4. A right-linear grammar is a phrase structure grammar whose productionsare of the form A → wB or A → w, where A and B are nonterminals and w ∈ T ∗ is astring of terminals. If all productions are of the form A → Bw or A → w, we call itleft-linear grammar. A right- or left-linear grammar is called a regular grammar (REG).�
2.1.3 Automata and Languages
Conventions: The lowercase letters a, b, c, d, e near the beginning of the alphabet denoteinput symbols. The lowercase letters u, v, w, x, y, z near the end of the alphabet denotestrings of input symbols. The capital letters A,B,C,X, Y, Z denote tape/stack symbols.The lowercase Greek letters α, β, γ denote strings of tape/stack symbols.
Definition 2.5. A (nondeterministic) Turing machine (TM) is a tuple M = (Q,Σ,Γ,δ, q0, B, F ), where Q is a finite set of states, Σ is a finite input alphabet not including B, Γis a finite tape alphabet, δ is a transition function mapping Q× Γ 7→ 2Q×Γ×{L,R,S} whereL, R and S denote moving left, right and stationary, respectively, q0 ∈ Q is the initialstate, B ∈ Γ is the blank, and F ⊆ Q is a set of final states. �
A TM M = (Q,Σ,Γ, δ, q0, B, F ) is a deterministic Turing machine (DTM), if δ is atransition function mapping Q× Γ 7→ Q× Γ× {L,R, S}.
An instantaneous description (ID) is denoted by α1qα2, where q is the current state,α1α2 ∈ Γ∗ is the contents of the tape up to the rightmost nonblank symbol. The tape headis assumed to be scanning the leftmost symbol of α2, or if α2 = ε, the head is scanning ablank.
We denote by `M a move, `∗M zero or multiple moves, `iM exactly i moves. Thesubscript is dropped if M is understood, i.e., `, `∗ and `i.
Definition 2.6. For a TM M = (Q,Σ,Γ, δ, q0, B, F ), the language accepted is the set
L(M) = {w | w ∈ Σ∗ and q0w `∗ α1pα2 for some p ∈ F and α1, α2 ∈ Γ∗}
�
2.2. Grammars with Regulated Rewriting 15
Definition 2.7. A (nondeterministic) pushdown automaton (PDA) is a tupleD = (Q,Σ,Γ,δ, q0, Z0, F ), where Q is a finite set of states, Σ is a finite input alphabet, Γ is a finite stackalphabet, δ is a transition function mapping Q × (Σ ∪ {ε}) × Γ 7→ 2Q×Γ∗ , q0 ∈ Q is theinitial state, Z0 ∈ Γ is the start symbol, and F ⊆ Q is a set of final states. �
A PDA D = (Q,Σ,Γ, δ, q0, Z0, F ) is a deterministic pushdown automata (DPDA), if:
1. for each q ∈ Q and Z ∈ Γ, whenever δ(q, ε, Z) is nonempty, then δ(q, a, Z) is emptyfor all a ∈ Σ;
2. for each q ∈ Q, Z ∈ Γ, and a ∈ Σ∪{ε}, δ(q, a, Z) contains no more than one element.
An instantaneous description (ID) is a triple (q, w, γ), where q is a state, w is a stringof input symbols, and γ is a string of stack symbols.
We say (q, aw, Zα) `D (p, w, βα) is a move, if δ(q, a, Z) contains (p, β), where a ∈Σ ∪ {ε}. We denote by `∗D zero or multiple moves, `iD exactly i moves. The subscript isdropped if D is understood, i.e., `, `∗ and `i.
Definition 2.8. For PDA D = (Q,Σ,Γ, δ, q0, Z0, F ), the language accepted by final stateis the set
L(D) = {w | (q0, w, Z0) `∗ (p, ε, γ) for some p ∈ F and γ ∈ Γ∗}
The language accepted by empty stack is the set
N(D) = {w | (q0, w, Z0) `∗ (p, ε, ε) for some p ∈ Q}
When acceptance is by empty stack, we usually let the set of final states be ∅. �
Definition 2.9. A (nondeterministic) finite state automaton (FSA) with ε-transitions isa tuple A = (Q,Σ, δ, q0, F ), where Q is a finite set of states, Σ is a finite input alphabet,δ is a transition function mapping Q × (Σ ∪ {ε}) 7→ 2Q, q0 ∈ Q is the initial state, andF ⊆ Q is a set of final states. �
A FSA A = (Q,Σ, δ, q0, F ) is a deterministic finite state automaton (DFSA), if δ is atransition function mapping Q× Σ 7→ Q.
We define the extended transition function δ mapping Q×Σ∗ 7→ 2Q by extending δ toapply to a state and a string (see [74]).
Definition 2.10. A string w is accepted by an FSA A = (Q,Σ, δ, q0, F ), if δ(q0, w) containsa state in F . The language accepted by A is the set
L(A) = {w | δ(q0, w) contains a state in F}
�
2.2 Grammars with Regulated Rewriting
There are reasons for introducing control structures over grammars and automata. For ex-ample, grammars with regulated rewriting [64, 39] and path-controlled grammars [95, 96]are defined to impose restrictions on the derivations of context-free grammars to increase
16 Chapter 2. Preliminaries
generative power, since context-free grammars are not able to cover all linguistic phenom-ena.
Typical types of grammars with controlled derivations are the regularly controlledgrammar and the matrix grammar. Generally, a regular set is used to control the deriva-tions of a grammar [40, 38]. They are defined as follows.
Notations. We denote by REG, CFG, CSG, PSG the families of regular, context-free, context-sensitive, arbitrary phrase structure grammars, respectively. For REG, weonly consider right-linear grammars as in [39]. We denote by FSA, PDA, TM the familiesof nondeterministic finite state, nondeterministic pushdown automata, and nondeterminis-tic Turing machines, respectively, while the deterministic machines are denoted by DFSA,DPDA, DTM , respectively. For a family X of grammars or automata, we denote theassociated family of languages by L(X).
A phrase structure grammar is denoted G = (N,T, P, S), where P is a finite set ofproductions of the form p : α→ β where p is the name (or label) of the production.
A derivation using a specified production p is denoted by αp⇒ β, and its reflexive
and transitive closure is denoted by α⇒∗ γ, or with the sequence of applied productionsαp1...pk=⇒ γ.
Definition 2.11 (Def. 1 of [38] and Def. 2.1.2 of [39]). A regularly controlled grammaris a quintuple G = (N,T, P, S,R), where N,T, P, S are specified as in a phrase structuregrammar, R is a regular set over P .The language L(G) accepted by G consists of all words w ∈ T ∗ such that there is aderivation S
p1...pk=⇒ w with p1...pk ∈ R. �
In words, a regular set controls the acceptable sequences of derivation. We denoteby L(rC,X) the family of languages accepted by regularly controlled grammars with Pcontaining all productions of type X, e.g. L(rC,CFG).
Definition 2.12 (Def. 4 of [38] and Def. 1.1.1 of [39]). A matrix grammar is a tupleG = (N,T, P, S,M), where N,T, P, S are specified as in a phrase structure grammar,M = {m1,m2, ...,mn} is a finite set of sequences of productions mi = (pi1 , pi2 , ..., pik(i)
),k(i) ≥ 1, 1 ≤ i ≤ n, pi1 , pi2 , ..., pik(i)
∈ P .
For mi, 1 ≤ i ≤ n, and α, β ∈ (N ∪ T )∗, we define α mi=⇒ β by α = α0pi1=⇒ α1
pi2=⇒ · · ·pik(i)=⇒
αk(i) = β.The language L(G) accepted by G consists of all words w ∈ T ∗ such that there is a
derivation Smj1=⇒ β1
mj2=⇒ · · ·mjk=⇒ βk = w, for some k ≥ 1, 1 ≤ ji ≤ n, 1 ≤ i ≤ k. �
In words, a set of sequences of productions controls the acceptable sequences of deriva-tion. We denote by L(M,X) the family of languages accepted by matrix grammars withP containing all productions of type X, e.g. L(M,CFG).
Concerning the generative power of the two types of controlled grammars above, wehave the following theorem, of which (i) follows from Thm. 1.2.1 and Thm. 2.1.1 of [39],(ii) follows from Thm. 1 of [38] and Thm. 2.1.1 of [39], and (iii) follows from Thm. 2.1 of[40].
The theory of supervisory control on deterministic systems was first introduced by P. J.Ramadge and W. M. Wonham in their papers [112, 113]. An extensive survey on thesupervisory control of deterministic systems can be found in [18].
The supervisory control is used to restrict the inadmissible behavior of a DiscreteEvent System (DES). Given a DES, or a plant, whose uncontrolled behavior is modeledby automaton G, we introduce a supervisor modeled by automaton S to restrict thebehavior of the plant.
Let L ⊆ Σ∗ be a language, and s ∈ Σ∗, then the prefix-closure of L is L = {s ∈Σ∗ | ∃t ∈ Σ∗, st ∈ L}. L is prefix-closed if L = L.
A deterministic finite state automaton (DFSA) is a tuple A = (Q,Σ, δ, q0, F ). Wedefine the active event function Γ : Q → 2Σ, such that Γ(q), the active event set at q, isthe set of all events e for which δ(q, e) is defined.
Definition 2.14. The language generated by a DFSA A = (Q,Σ, δ, q0, F ) is the set
Lg(A) = {s ∈ Σ∗ | δ(q0, s) is defined}
The language marked (or accepted) by A is the set
Lm(A) = {s ∈ Σ∗ | δ(q0, s) ∈ F}
�
Note that Lg(A) is prefix-closed by definition, i.e., Lg(A) = Lg(A). Also, we haveLm(A) ⊆ Lm(A) ⊆ Lg(A).
Definition 2.15. AutomatonA is blocking if Lm(A) ⊂ Lg(A), and nonblocking if Lm(A) =Lg(A). �
Let a DES be G = (Q,Σ, δ, q0, F ), where the set of events can be partitioned into twodisjoint subsets Σ = Σc ∪ Σuc where Σc is the set of controllable events, Σuc is the set ofuncontrollable events.
A supervisor S is a function S : Lg(G) → 2Σ to dynamically enable or disable eventsof G. For each generated string s ∈ Lg(G), the set of enabled events at current state isS(s) ∩ Γ(δ(q0, s)).
A supervisor S is admissible if for all s ∈ Lg(G), Σuc ∩ Γ(δ(q0, s)) ⊆ S(s). That is, Sis not allowed to disable a feasible uncontrollable event. We will only consider admissiblesupervisors.
Given G and S, the resulting controlled system is denoted by S/G.
Definition 2.16. The language generated by S/G is defined recursively as follows
1. ε ∈ Lg(S/G)
2. sσ ∈ Lg(S/G) if and only if, s ∈ Lg(S/G) and sσ ∈ Lg(G) and σ ∈ S(s).
The language marked by S/G is
Lm(S/G) = Lg(S/G) ∩ Lm(G)
Overall, we have the inclusions ∅ ⊆ Lm(S/G) ⊆ Lm(S/G) ⊆ Lg(S/G) = Lg(S/G) ⊆Lg(G). �
18 Chapter 2. Preliminaries
Definition 2.17. The DES S/G is blocking if Lm(S/G) ⊂ Lg(S/G), and nonblockingif Lm(S/G) = Lg(S/G). We say S is blocking (nonblocking resp.) if S/G is blocking(nonblocking resp.). �
The controllability theorem states the necessary and sufficient condition of the exis-tence of supervisors under partial controllability.
Theorem 2.18 (Controllability Theorem (CT)). Given a DES G = (Q,Σ, δ, q0, F ) whereΣ = Σc∪Σuc, letK ⊆ Lg(G) andK 6= ∅. There exists supervisor S such that Lg(S/G) = Kif and only if
KΣuc ∩ Lg(G) ⊆ K
�
The standard realization of S is to build an automaton R that marks exactly thelanguage K, i.e., Lg(R) = Lm(R) = K. Other realizations are extensively discussed in theliterature, such as induced supervisors, reduced state realization.
If it is required that the supervisor S is nonblocking, i.e., Lm(S/G) = Lg(S/G), weneed to extend CT to nonblocking supervisors.
Theorem 2.19 (Nonblocking Controllability Theorem (NCT)). Given a DESG = (Q,Σ, δ,q0, F ) where Σ = Σc ∪Σuc, let K ⊆ Lm(G) and K 6= ∅. There exists a nonblocking super-visor S such that
Lm(S/G) = K and Lg(S/G) = K
if and only if the two following conditions hold:
1. Controllability: KΣuc ∩ Lg(G) ⊆ K
2. Lm(G)-closure: K = K ∩ Lm(G). �
2.4 From Propositional Logic to Temporal Logic
Logic systems are widely used in modeling, reasoning and specification checking aboutcomputer systems [75]. In this section, we briefly recall several classic logics and theirnotations.
Propositional logic. Propositional logic is the most basic and simple logic system. Itcan only express formulas that contain atomic propositions and a small set of connectives.Its grammar can be defined in Backus-Naur Form (BNF) as
φ ::= p | (¬φ) | (φ ∧ φ) | (φ ∨ φ) | (φ→ φ)
Given a propositional model M , a set of propositional formulas Γ, and a property φ, thechecking problems of whether M |= φ and whether the semantic entailment Γ |= φ holdsare both decidable. The validating algorithm can be based on the truth table.
2.5. Automata-Theoretic Model Checking 19
Predicate logic. Predicate logic extends propositional logic by introducing quantifiers∀,∃ and predicate expressions. Its grammar can be defined in BNF as
In the upper production, t is a term, x ranges over a set of variables, c over nullary functionsymbols, and f over the function symbols with parameters. In the lower production, P isa predicate symbol of arity n ≥ 1, and ti are terms.
Temporal logic. There are mainly three types of temporal logic.Linear-time temporal logic (LTL) extends propositional logic by introducing temporal
connectives X,F,G,U,W,R. LTL implicitly quantifies universally over paths. Its syntaxis given in BNF as
Computation tree logic (CTL) is a branching-time logic that extends propositional logicby introducing quantified temporal connectives AX,EX,AF,EF , etc., in order to quantifyexplicitly over paths. Its syntax is given in BNF as
CTL* is a logic which combines the expressive powers of LTL and CTL, by droppingthe CTL constraint that every temporal operator has to be associated with a uniquepath quantifier. The syntax involves two classes of formulas: state formulas φ, which areevaluated in states, and path formulas α, which are evaluated along paths:
Pnueli was the first to use temporal logic for reasoning about programs [110] in 1977.Temporal logic model checking algorithms were introduced by Clarke and Emerson [30]and Quielle and Sifakis [111] in the early 1980s to automate reasoning.
In this section, we will briefly recall the notations and fundamentals of standardautomata-theoretic model checking technique. The exhaustive investigations on this sub-ject could be found in the monographs [31, 5].
The first step of model checking is constructing a formal model M that captures thebehavior of system. We always use the Kripke structure.
Definition 2.20. Let AP be a set of atomic propositions. A Kripke structure M overAP is a tuple (S, S0, R, L), where S is a finite set of states, S0 ⊆ S is a set of initial states,R ⊆ S × S is a transition relation, L : S → 2AP is a labeling function that labels eachstate with the set of atomic propositions true in that state. �
20 Chapter 2. Preliminaries
The second step is to specify the property to be verified φ in a certain temporal logic,typically LTL (Linear Temporal Logic), CTL (Computation Tree Logic), CTL* [75]. Weuse the path quantifiers A (“for all computation paths”) and E (“for some computationpath”), and the temporal operators X (“next state”), F (“in the future”), G (“globally”),U (“until”) and R (“release”).
Given the model M and the formula φ, the model checking problem is to decide whetherS0 ⊆ {s ∈ S | M, s |= φ}. There are two popular solutions as follows.
• symbolic approach, which operates by labeling each state s with the set label(s) ofsubformulas of φ which are true in s (initially label(s) = L(s)). When the algorithmterminates, we have M, s |= φ if and only if φ ∈ label(s). The SMV [98] is a typicalimplementation.
• automata-theoretic approach, which translates the formula φ into an automaton forchecking. The SPIN [73, 71] is a typical implementation.
systemdesign
(1)modeling
modelM
(3)translating
automatonAM
propertyspecification
(2)modeling
formulaφ
(4)translating
automatonA¬φ (5)
intersectAI =
AM ∩A¬φ
(6)emptinesschecking
nocounterexample(7)revision
yesEND
Figure 2.1: The Process of Model Checking
For the convenience of comparison, we are concerned with the automata-theoreticapproach. The overall process of model checking is shown in Fig. 2.1 where the steps arenumbered. This method is based on Buchi automata [16, 120, 121].
Definition 2.21. A (nondeterministic) Buchi automaton is a tuple A = (Q,Σ, δ, q0, F ),where Q is a finite set of states, Σ is a finite alphabet, δ ⊆ Q×Σ×Q is a set of transitions,q0 ∈ Q is the initial state, F ⊆ Q is a set of accepting states.
A run of A on an ω-word v = v(0)v(1) . . . ∈ Σω is a sequence of states ρ = ρ(0)ρ(1) . . . ∈Qω such that ρ(0) = q0, (ρ(i), v(i), ρ(i+1)) ∈ δ for i ≥ 0. Let inf(ρ) be the set of states thatappear infinitely often in the run ρ, then ρ is a successful run if and only if inf(ρ)∩F 6= ∅.A accepts v if there is a successful run of A on v. The ω-language accepted by A isL(A) = {v ∈ Σω | A accepts v}. �
If an ω-language L = L(A) for some Buchi automaton A, then L is Buchi recognizable.Buchi recognizable ω-languages are called regular ω-languages. The expressive power ofregular ω-languages includes that of LTL [120], although Buchi automata are syntacticallysimple. Thus, we can translate LTL formulas into Buchi automata.
At the third and fourth steps, the modeled system M and the property φ are bothrepresented in Buchi automata, respectively.
A Kripke structure M = (S,R, S0, L) is translated into an automaton AM = (S ∪{q0},Σ, δ, {q0}, S ∪ {q0}), where q0 6∈ S and Σ = 2AP . We have (s, a, s′) ∈ δ for s, s′ ∈ S ifand only if (s, s′) ∈ R and a = L(s′), and (q0, a, s) ∈ δ if and only if s ∈ S0 and a = L(s).
2.5. Automata-Theoretic Model Checking 21
The negation of the property ¬φ in LTL is translated into an automaton A¬φ over thesame alphabet 2AP [60]. L(A¬φ) includes exactly the ω-words satisfying ¬φ. Note thateach edge of A¬φ is annotated with a boolean expression that represents several sets ofatomic propositions, where each set corresponds to a truth assignment for AP that satisfiesthe boolean expression. For example, let AP = {a, b, c}, an edge labeled a∧ b matches thetransitions labeled with {a, b} and {a, b, c}. We denote by Σ(a ∧ b) = {{a, b}, {a, b, c}}.
The mathematical foundation of checking is the following one. The system AM satis-fies the specification φ when L(AM ) ⊆ L(Aφ). Therefore, one checks whether L(AM ) ∩L(A¬φ) = ∅, since L(A¬φ) = Σω − L(Aφ). If the intersection is not empty, any behaviorin it corresponds to a counterexample.
At the fifth step, we compute the automaton AI accepting L(AM ) ∩L(A¬φ) (denotedby AI = AM ∩ A¬φ), by using the following theorem about the intersection of two Buchiautomata.
Theorem 2.22. Let A1 = (Q1,Σ, δ1, q1, F1) and A2 = (Q2,Σ, δ2, q2, F2). We can con-struct an automaton accepting L(A1) ∩ L(A2) as follows:
where ((qi, qj , x), a, (qm, qn, y)) ∈ δ if and only if (qi, a, qm) ∈ δ1, (qj , a, qn) ∈ δ2, and x, ysatisfy the following conditions:
y =
0, if x = 21, if x = 0 and qm ∈ F1
2, if x = 1 and qn ∈ F2
x, otherwise
�
Notice that all states of AM are accepting, the computation of intersection can besimplified as follows.
Theorem 2.23. Let A1 = (Q1,Σ, δ1, q1, Q1) and A2 = (Q2,Σ, δ2, q2, F2). We can con-struct an automaton accepting L(A1) ∩ L(A2) as follows:
A1 ∩A2 = (Q1 ×Q2,Σ, δ, (q1, q2), Q1 × F2)
where ((qi, qj), a, (qm, qn)) ∈ δ if and only if (qi, a, qm) ∈ δ1 and (qj , a, qn) ∈ δ2. �
Finally, at the sixth step, the last task is to check emptiness of the intersection AI . Amemory efficient algorithm, namely double DFS (Depth First Search) [37], was developedby extending Tarjan’s DFS [118]. If L(AI) = ∅, then the system M satisfies the propertyφ. Or else, a counterexample v ∈ L(AI) will be reported, and guide the revision of theoriginal design (step 7).
On one hand, revisions of the design may bring in new faults. On the other hand,model checkers always produce only one counterexample each time, indicating a singlefault. Thus, the iterative process of model checking, counterexample analysis and revisionwill be repeated, until L(AI) = ∅.
Chapter 3
Control Systems in FormalLanguage Theory
In this chapter, we propose the theory of Control Systems (C Systems) in formal languagetheory. The control system is a generic framework, and contains two components: thecontrolled component and the controlling component. The two components are expressedusing the same formalism, e.g., automata or grammars. The reason is that people can usethe same technique to implement the two components in practice. In contrast, traditionalgrammars with regulated rewriting do not satisfy this principle. Indeed, their controlledcomponents are grammars, but their controlling components are other structures such asregular sets and matrix.
The control system adopts one restriction and three extensions of regulated rewriting[39]. The restriction is that the appearance checking mode is disabled, since it is not easyto implement this mechanism in practice. The extensions are as follows.
First, the controlling components are expressed using the same formalism as the con-trolled components, e.g., automata or grammars, rather than regular sets or matrix.
Second, context-free control sets are enabled to increase expressive power. The regularset has limited expressive power in specifying constraints, thus context-free control setsmay be needed in some applications. Therefore, we need to use context-free languages ascontrolling sets, and study their generative power.
Third, the controlled derivations are restricted to be leftmost, in order to make theglobal system LL-parsable. Regularly controlled grammars are not LL-parsable, sincethey are not compatible with LL parsers by introducing conflicts in parsing (see the ex-ample in Section 3.4). Therefore, we need to define LL-parsable grammars with controlledderivations, whose controlling components should be based on leftmost derivations of thecontrolled grammars.
We will define three types of control systems. The Grammar Control System (GC Sys-tem) and Leftmost-derivation-based Grammar Control System (LGC System) implementthe two extensions, respectively. The third type, namely the Automaton Control System(AC System), is a novel formalism based on the automaton representation. Emergingapplications call for such a theory, since automata have become a popular tool for systemmodeling [75].
23
24 Chapter 3. Control Systems in Formal Language Theory
3.1 Grammar Control Systems (GC Systems)
3.1.1 Definitions
A grammar control system consists of a controlled grammar and a controlling grammarthat restricts the derivation of the controlled grammar. The set of terminals of the con-trolling grammar equals the set of production names of the controlled grammar.
Definition 3.1. Given a controlled grammar (or simply grammar) G1 = (N1, T1, P1, S1),a controlling grammar over G1 is a quadruple G2 = (N2, T2, P2, S2) with T2 = P1. L(G1)and L(G2) are called controlled language and controlling language, respectively. �
Without loss of generality, we assume that N1∩N2 = ∅. Note that several productionsmay have the same name. Generally, we denote the controlled grammar and the controllinggrammar by G1 and G2 respectively.
Definition 3.2. A Grammar Control System (GC System) includes a grammar G1 =(N1, T1, P1, S1) and a controlling grammar G2. The global language of G1 controlled byG2 is:
Obviously, the set of accepted input strings is a subset of the controlled language,such that the sequences of applied productions belong to the controlling language, i.e.,L(G1, G2) ⊆ L(G1).
Example 3.3. Given G1, G2 with the following productions:
G1
p1 : S1 → ABp2 : A→ aAb p3 : B → Bcp4 : A→ ab p5 : B → c
G2
{S2 → p1C
C → p2p3C | p4p5
The context-free language L(G1) = anbnc+ and the regular language L(G2) = p1(p2p3)∗p4p5
constitute a non-context-free global language L(G1, G2) = anbncn, n ≥ 1. �
Two trivial types of controlling grammars are empty controlling grammars and fullcontrolling grammars. The former ones accept the empty controlling language which rejectsall the sequences of productions applied in derivations, i.e., L(G2) = ∅. The latter onesaccept full controlling languages that accept all the sequences of productions applied inderivations, i.e., L(G2) = P ∗1 , where P1 is the set of production names of the controlledgrammar G1. Note that the two types of languages are both regular languages.
3.1.2 Generative Power
We denote by L(X,Y ) the family of languages accepted by GC systems whose controlledgrammars are of type X and controlling grammars are of type Y .
If the controlling grammars are regular grammars, we observe that L(X,REG) isequivalent to L(rC,X) accepted by regularly controlled grammars. Therefore, we havethe following two theorems by Thm. 2.13.
Theorem 3.4. L(REG,REG) = L(REG).
3.1. Grammar Control Systems (GC Systems) 25
Theorem 3.5. L(CFG) ⊂ L(CFG,REG) ⊂ L(PSG), and L(CFG,REG) is incompa-rable with L(CSG).
We now examine the cases of context-free controlling grammars. We need the followingresult by [97], which is proved in [97, 6].
Lemma 3.6. Let G = (N,T, P, S) be a grammar such that the rules in P have the formα → β, α ∈ N+. Then the language accepted by G in a leftmost manner is context-free,i.e., Ll(G) ∈ L(CFG).
Theorem 3.7. L(REG,CFG) = L(CFG).
Proof. (i) L(REG,CFG) ⊇ L(CFG). Given a grammar G = (N,T, P, S) ∈ CFG, weconstruct G1 = ({S1}, T, P1, S1) ∈ REG where P1 = {pa : S1 → aS1 | a ∈ T} ∪ {pε : S1 →ε}, and G2 = (N ∪ {S2}, T2, P2, S2) ∈ CFG where
1. h is a homomorphism from T to T2: h(a) = pa,
2. T2 = h(T ) ∪ {pε},
3. P2 = {S2 → Spε} ∪ h(P ), where h(P ) is the set of productions replacing eachterminal a ∈ T of productions in P by pa ∈ T2.
It is easy to see, G accepts w, if and only if G1 accepts w by using productions h(w) · pε,and L(G2) accepts h(w) · pε. Therefore, L(G) = L(G1, G2) ∈ L(REG,CFG).
(ii) L(REG,CFG) ⊆ L(CFG). Given an REG G1 = (N1, T1, P1, S1) and a CFGG2 = (N2, T2, P2, S2) with T2 = P1, P1 contains all productions of the forms: A → wB,A→ w, w ∈ T ∗1 . We construct a grammar
G = (N1 ∪N2 ∪ T2 ∪ {S}, T1, P, S)
where S 6∈ N1 ∪N2 ∪ T2, P consists of the following productions:
1. S → S1S2,
2. AC → Aα, for A ∈ N1, C ∈ N2, C → α ∈ P2,
3. Ap→ wB, for p ∈ T2, A,B ∈ N1, p : A→ wB ∈ P1,
4. Ap→ w, for p ∈ T2, A ∈ N1, p : A→ w ∈ P1.
It is easy to see that the nonterminals p ∈ T2 control the derivation in such a way thatthe acceptable derivations in G1 are simulated by leftmost derivations in G. Therefore,L(G1, G2) = Ll(G) ∈ L(CFG), as G fulfils the conditions in Lemma 3.6. �
Theorem 3.8. L(CFG) ⊂ L(CFG,CFG) ⊆ L(PSG).
Proof. (i) L(CFG) ⊂ L(CFG,CFG) is obvious, by Thm. 3.5 and L(CFG,REG) ⊆L(CFG,CFG).
(ii) L(CFG,CFG) ⊆ L(PSG). Given CFG’s G1 = (N1, T1, P1, S1) and G2 = (N2, T2,P2, S2) with T2 = P1, we construct a grammar:
G = (N1 ∪N2 ∪ T2 ∪ {S}, T1, P2 ∪ P, S)
where S 6∈ N1 ∪N2 ∪ T2, P consists of the following productions:
26 Chapter 3. Control Systems in Formal Language Theory
1. S → S1S2,
2. Xp→ pX, for X ∈ N1 ∪ T1 and p ∈ T2,
3. Ap→ α, for p : A→ α ∈ P1.
At first, we derive S ⇒ S1S2 (rule 1). Then S2 derives an acceptable sequence of produc-tions by using P2. The name of each derived production p can move leftward (rule 2) andrewrite a nonterminal A ∈ N1 (rule 3). It is easy to see, L(G1, G2) = L(G) ∈ L(PSG). �
We remark that it remains an open problem whether L(PSG) ⊆ L(CFG,CFG). Thedifficulty comes from how to simulate context-sensitive productions by using only context-free productions, e.g., productions of the form AB → CD.
3.2 Leftmost-Derivation-Based Grammar Control Systems (LGC Sys-tems)
3.2.1 Definitions
An important variant of the grammar control system is the one whose control is basedon leftmost derivations. Suppose there is a leftmost derivation (denoted by lm) of thegrammar G for w: S
p1⇒lmα1
p2⇒lm· · · pk⇒
lmαk = w. As an abbreviation, we write S
p1...pk=⇒lm
w. If
p1 = p2 = · · · = pk = p, we write Spk
⇒lmw. We will omit “lm” if there is no confusion.
Definition 3.9. A Leftmost-derivation-based Grammar Control System (LGC System)includes a grammar G1 = (N1, T1, P1, S1) and a controlling grammar G2. The globallanguage of G1 controlled by G2 in a leftmost manner is:
We may also denote L(G1, G2, lm) by L(G1 ~· G2). �
Example 3.10. Given G1, G2 with the following productions:
G1
p1 : S1 → ABp2 : A→ aAb p3 : B → Bcp4 : A→ ab p5 : B → c
G2
{S2 → p1Cp5
C → p2Cp3 | p4
The context-free languages L(G1) = anbnc+ and L(G2) = p1pk2p4p
k3p5 constitute a non-
context-free global language L(G1, G2, lm) = anbncn, k ≥ 0, n ≥ 1. Note that G2 isdifferent from that of Example 3.3. �
3.2.2 Generative Power
We denote by L(X,Y, lm) the family of languages accepted by LGC systems whose con-trolled grammars are of type X and controlling grammars are of type Y .
If the controlled grammars are regular grammars, we observe that L(REG,X, lm)is equivalent to L(REG,X), since every derivation of regular grammars is a leftmostderivation. Therefore, we have the following two theorems by Theorems 3.4 and 3.7.
Theorem 3.11. L(REG,REG, lm) = L(REG).
Theorem 3.12. L(REG,CFG, lm) = L(CFG).
3.2. Leftmost-Derivation-Based Grammar Control Systems (LGC Systems) 27
We now examine the cases of context-free controlled grammars.
Theorem 3.13. L(CFG,REG, lm) = L(CFG).
Proof. (i) L(CFG,REG, lm) ⊇ L(CFG) is obvious, since we can use a regular controllinggrammar accepting a full controlling language.
(ii) L(CFG,REG, lm) ⊆ L(CFG). Given a CFG G1 = (N1, T1, P1, S1) and an REGG2 = (N2, T2, P2, S2) with T2 = P1, P2 contains all productions of the forms: B → pC,B → ε, p ∈ P1. We construct a grammar
G = (N1 ∪ T ′1 ∪N2 ∪ {S, $}, T1, P, S)
where T ′1 = {a′ | a ∈ T1}, and P consists of the following productions:
1. S → S2S1$,
2. BA → Cα′, for B → pC ∈ P2 and p : A → α ∈ P1, where α′ is the string replacingeach terminal a ∈ T1 of α by a′,
3. Ba′ → aB, for a ∈ T1, B ∈ N2,
4. B$→ ε, for B → ε.
It is easy to see that the nonterminals B ∈ N2 control the derivation in such a waythat the acceptable leftmost derivations in G1 are simulated by leftmost derivations in G.Therefore, L(G1, G2, lm) = Ll(G) ∈ L(CFG), as G fulfils the conditions in Lemma 3.6.�
To prove the generative power of L(CFG,CFG, lm), we need the following lemma,which is a result of [63].
Lemma 3.14. For each recursively enumerable set L ∈ L(PSG), there exist deterministiccontext-free languages L1 and L2, and a homomorphism h : Σ∗1 → Σ∗2 such that L =h(L1 ∩ L2). Without loss of generality, we assume that Σ1 ∩ Σ2 = ∅.
Theorem 3.15. L(CFG,CFG, lm) = L(PSG).
Proof. (i) L(CFG,CFG, lm) ⊆ L(PSG). Given CFG’s G1 = (N1, T1, P1, S1) and G2 =(N2, T2, P2, S2) with T2 = P1, we construct a grammar
G = (N1 ∪N2 ∪ T2 ∪ T ′2 ∪ {S, §, $}, T1, P2 ∪ P, S)
where T ′2 = {p′ | p ∈ T2}, and P consists of the following productions:
1. S → §S1S2$,
2. Xp→ pX, for X ∈ N1 ∪ T1 and p ∈ T2, (move p leftward skipping X)
3. §p→ §p′, for p ∈ T2, (p becomes p′ at the leftmost position)
4. p′a→ ap′, for a ∈ T1 and p ∈ T2, (p′ skips terminals)
5. p′A→ α, for p : A→ α ∈ P1, (p′ rewrites A using the production p)
6. a$→ $a, for a ∈ T1, (move $ leftward, skipping terminals)
28 Chapter 3. Control Systems in Formal Language Theory
7. §$→ ε. (eliminate § and $ at the leftmost position)
It is easy to see that the nonterminals p′ ∈ T ′2 control the derivation in such a way thatthe acceptable leftmost derivations in G1 are simulated by derivations in G. Therefore,L(G1, G2, lm) = L(G) ∈ L(PSG).
(ii) L(CFG,CFG, lm) ⊇ L(PSG). Given L ∈ L(PSG), there exist context-free lan-guages L1, L2, and h such that L = h(L1∩L2) by Lemma 3.14. We only need to translateh(L1∩L2) into an LGC system L(G1, G2, lm), where L1, L2 ∈ T ∗, h : T ∗ → T ∗1 , T ∩T1 = ∅.
There exists a context-free grammar G = (N,T, P, S) such that L(G) = L1 ∈ L(CFG).We construct G1 = (N ∪T, T1, P ∪P1, S), where P1 = {pa : a→ h(a) | a ∈ T}, h(a) ∈ T ∗1 ,T ∩ T1 = ∅. Note that P only generates nonterminals, while P1 only generates terminals.Clearly, L(G1) = h(L1).
Then, we construct G2. Let h′ be a homomorphism such that h′(p) = ε for p ∈ P ,h′(pa) = a for a ∈ T . Let L′ = h′−1(L2) ∈ L(CFG), there exists a context-free grammarG2 such that L(G2) = L′. Note that h′−1(L2) makes G2 to restrict the use of P1 whichgenerates terminals, but no restriction is imposed on the use of P .
Therefore, G2 ensures that the acceptable sequences of productions of G1 derive h(L2).This means, G1 can only derive strings in both h(L1) and h(L2). Thus, L(G1, G2, lm) =h(L1 ∩ L2). That is, L = h(L1 ∩ L2) = L(G1, G2, lm) ∈ L(CFG,CFG, lm). �
Theorem 3.16. LetX be a family of grammars with L(CFG) ⊆ L(X), then L(CFG,X, lm) =L(PSG).
Proof. (i) L(CFG,X, lm) ⊆ L(PSG). The proof is the same as the proof (i) of Thm. 3.15by noting G2 is of type X.
(ii) L(CFG,X, lm) ⊇ L(PSG). This part is obvious,since L(CFG,X, lm) ⊇ L(CFG,CFG, lm) ⊇ L(PSG). �
Immediately, we have the following corollary.
Corollary 3.17. L(CFG,PSG, lm) = L(PSG).
For context-sensitive controlling grammars, we should modify the proof a little.
Theorem 3.18. L(CFG,CSG, lm) = L(PSG).
Proof. (i) L(CFG,CSG, lm) ⊆ L(PSG). The proof is the same as the proof (i) of Thm.3.15 by noting G2 is a context-sensitive grammar.
(ii) L(CFG,CSG, lm) ⊇ L(PSG). Given L ∈ L(PSG), there exist CFG’s G1, G2
such that L(G1, G2, lm) = L by the proof (ii) of Thm. 3.15.(1) if ε 6∈ L(G2), we can construct a context-sensitive grammar G3 such that L(G3) =L(G2) by eliminating ε-productions.(2) if ε ∈ L(G2), we can construct a context-sensitive grammar G3 such that L(G3) =L(G2)− {ε} by eliminating ε-productions.Thus, we have L = L(G1, G2, lm) = L(G1, G3, lm) ∈ L(CFG,CSG, lm). �
3.3. Automaton Control Systems (AC Systems) 29
3.3 Automaton Control Systems (AC Systems)
3.3.1 Definitions
An automaton control system consists of a controlled automaton and a controlling au-tomaton that restricts the behavior of the controlled automaton. The input alphabet ofthe controlling automaton equals the set of transition names of the controlled automaton.
Definition 3.19. Given a controlled automaton (or simply automaton) A1 with a set oftransitions δ1 = {pi}i∈I where pi is a name of transition, a controlling automaton A2 overA1 has the input alphabet Σ2 = δ1. L(A1) and L(A2) are called controlled language andcontrolling language, respectively. �
Note that the concept of transition name is introduced. We do not make any specificassumptions about the relation between the name and symbol of a transition. That is,several transitions may have the same name but different symbols, or they may havedistinct names but the same symbol. For example, assume an FSA with the transitionsδ(q1, a) = {q2, q3} and δ(q3, b) = {q2}, we may denote by pi : (q1, a, q2) ∈ δ and pj :(q1, a, q3) ∈ δ and pk : (q3, b, q2) ∈ δ with the names pi, pj , pk. All the following cases arepossible: pi = pj or pi 6= pj , pi = pk or pi 6= pk, and so forth.
Definition 3.20. An Automaton Control System (AC System) includes an automaton A1
and a controlling automaton A2, denoted by A1~· A2. The global language of A1 controlledby A2 is:
L(A1 ~· A2) = {w|A1 accepts w by using a sequence of transitions p1p2...pk ∈ L(A2)}
�
The symbol ~· is called “meta-composition”, denoting the left operand is controlledby the right operand.
Example 3.21. Given a PDA D1 = ({q, f}, {a, b, c}, {S,Z, Z ′, A,B, a, b, c}, δ, q, Z, {f}),where δ includes the following transitions:
ps : δ(q, ε, Z) = (q, SZ ′) p1 : δ(q, ε, S) = (q, AB) p2 : δ(q, ε, A) = (q, aAb)p3 : δ(q, ε, B) = (q,Bc) p4 : δ(q, ε, A) = (q, ab) p5 : δ(q, ε, B) = (q, c)pa : δ(q, a, a) = (q, ε) pb : δ(q, b, b) = (q, ε) pc : δ(q, c, c) = (q, ε)pf : δ(q, ε, Z ′) = (f, ε)
Given a controlling PDA D2 such that L(D2) = psp1(p2pa)n−1p4pap+b p
n−13 p5p
+c pf , it is
easy to see that L(D1 ~· D2) = anbncn, n ≥ 1. �
If we let P = {pa, pb, pc}, L(D3) = psp1P∗(p2P
∗)n−1p4P∗(p3P
∗)n−1p5P∗pf , we also
have L(D1 ~· D3) = anbncn, n ≥ 1. Note that L(D3) specifies a weaker constraint, i.e.,L(D2) ⊂ L(D3). However, the two AC systems accept the same global language. Weremark that the controlling language can express a “weaker” or “stronger” restrictionto obtain the same effect, if the “valid” constraint on the controlled automaton is notchanged.
Two trivial types of controlling automata are empty controlling automata and fullcontrolling automata. The former ones accept the empty controlling language which rejectsall the sequences of applied transitions, i.e., L(A2) = ∅. The latter ones accept fullcontrolling languages that accept all the sequences of applied transitions, i.e., L(A2) = δ∗1 ,
30 Chapter 3. Control Systems in Formal Language Theory
where δ1 is the set of transition names of the controlled automaton A1. Note that the twotypes of languages are both regular languages.
3.3.2 Generative Power
We denote by L(X~· Y ) the family of languages accepted by AC systems whose controlledautomata are of type X and controlling automata are of type Y .
Theorem 3.22. L(FSA~· FSA) = L(FSA).
Proof. (i) L(FSA~· FSA) ⊇ L(FSA) is obvious, since we can use a controlling finite stateautomaton accepting a full controlling language.
(ii) L(FSA ~· FSA) ⊆ L(FSA). Given FSA’s A1 = (Q1,Σ1, δ1, q1, F1) and A2 =(Q2,Σ2, δ2, q2, F2) with Σ2 = δ1, we construct an FSA A = (Q,Σ1, δ, q0, F ) where:
1. Q = Q1 ×Q2,
2. δ((qi, qj), a) contains (ri, rj), for p : δ1(qi, a) = ri, a ∈ Σ1 ∪{ε} and δ2(qj , p) containsrj ,δ((qi, qj), ε) contains (qi, rj), for δ2(qj , ε) contains rj ,
3. q0 = (q1, q2),
4. F = F1 × F2.
A simulates the actions of A1, and changes the state of A2. Given an input stringw, A1 enters a final state ri ∈ F1, and A2 enters a final state rj ∈ F2 by reading thesequence of transitions, if and only if A enters the final state (ri, rj) ∈ F1 × F2. Thus,L(A1 ~· A2) = L(A) ∈ L(FSA). �
Theorem 3.23. L(FSA~· PDA) = L(PDA).
Proof. (i) L(FSA ~· PDA) ⊇ L(PDA). Given a PDA D = (Q,Σ,Γ, δ, q0, Z0, F ), weconstruct an FSA A and a controlling PDA D2 as follows:
A = ({qA},Σ, δA, qA, {qA})
where δA contains pa : δA(qA, a) = qA, for each a ∈ Σ.
D2 = (Q, h(Σ),Γ, δ2, q0, Z0, F )
where,
1. h is a homomorphism: h(a) = pa, h(ε) = ε, for a ∈ Σ,
2. for a set Σ, h(Σ) = {h(a) | a ∈ Σ},
3. δ2(q, h(a), B) contains (r, β), for δ(q, a,B) contains (r, β), where a ∈ Σ∪{ε}, B ∈ Γ,β ∈ Γ∗.
Clearly, L(D2) = h(L(D)). Since each transition pa ∈ δA generates exactly a symbol a,we have L(A~· D2) = h−1(L(D2)) = h−1(h(L(D))) = L(D).
(ii) L(FSA ~· PDA) ⊆ L(PDA). Given an FSA A1 = (Q1,Σ1, δ1, q1, F1) and a con-trolling PDA D2 = (Q2,Σ2,Γ, δ2, q2, Z0, F2), we construct a PDA:
3.3. Automaton Control Systems (AC Systems) 31
D = (Q,Σ1,Γ, δ, q0, Z0, F )
where:
1. Q = Q1 ×Q2,
2. δ((qi, qj), a, B) contains ((ri, rj), β), for p : δ1(qi, a) = ri, and δ2(qj , p, B) contains(rj , β), where a ∈ Σ1 ∪ {ε}, B ∈ Γ, β ∈ Γ∗,δ((qi, qj), ε, B) contains ((qi, rj), β), for qi ∈ Q1, and δ2(qj , ε, B) contains (rj , β),where B ∈ Γ, β ∈ Γ∗,
3. q0 = (q1, q2),
4. F = F1 × F2.
D simulates the actions of D2 and changes the state of A1. Given an input string w,A1 enters a final state ri ∈ F1, and D2 enters a final state rj ∈ F2 by reading thesequence of transitions, if and only if D enters the final state (ri, rj) ∈ F1 × F2. Thus,L(A1 ~· D2) = L(D) ∈ L(PDA). �
Theorem 3.24. L(PDA~· FSA) = L(PDA).
Proof. (i) L(PDA ~· FSA) ⊇ L(PDA) is obvious, since we can use a controlling finitestate automaton accepting a full controlling language.
(ii) L(PDA ~· FSA) ⊆ L(PDA). Given a PDA D1 = (Q1,Σ1,Γ, δ1, q1, Z0, F1) and acontrolling FSA A2 = (Q2,Σ2, δ2, q2, F2), we construct a PDA:
D = (Q,Σ1,Γ, δ, q0, Z0, F )
where:
1. Q = Q1 ×Q2,
2. δ((qi, qj), a, B) contains ((ri, rj), β), for p : δ1(qi, a, B) = (ri, β), and δ2(qj , p) con-tains rj , where a ∈ Σ1 ∪ {ε}, B ∈ Γ, β ∈ Γ∗,δ((qi, qj), ε, B) contains ((qi, rj), B), for qi ∈ Q1, B ∈ Γ, and δ2(qj , ε) contains rj ,
3. q0 = (q1, q2),
4. F = F1 × F2.
D simulates the actions of D1 and changes the state of A2. Given an input string w,D1 enters a final state ri ∈ F1, and A2 enters a final state rj ∈ F2 by reading thesequence of transitions, if and only if D enters the final state (ri, rj) ∈ F1 × F2. Thus,L(D1 ~· A2) = L(D) ∈ L(PDA). �
Theorem 3.25. L(PDA~· PDA) = L(TM).
Proof. (i) L(PDA~· PDA) ⊆ L(TM). Given two PDA’s D1, D2, we construct a TuringMachine M with four tapes. The first tape holds the input string w. The second tapesimulates the stack of D1. Once D1 applies a transition, the name of the transition issequentially recorded on the third tape. When D1 accepts w, M starts to simulate D2
using the third and fourth tapes (the third tape holds the sequence of transitions wp as
32 Chapter 3. Control Systems in Formal Language Theory
the input string to D2, and the fourth tape simulates the stack of D2). M accepts if andonly if D2 accepts. Obviously, L(D1 ~· D2) = L(M).
(ii) L(PDA ~· PDA) ⊇ L(TM). Given L ∈ L(TM) = L(PSG), we can translate Linto an LGC system L(G1, G2, lm) by Thm. 3.15. Then we can translate L(G1, G2, lm)into L(A1 ~· A2) by using the automaton representation (c.f. Corollary 3.32 in the sequel).�
3.3.3 Equivalence and Translation between AC and LGC Systems
In this section, we study the equivalence and translation between automaton control sys-tems and grammar control systems.
The equivalence between automata and grammars is well known. We can establishequivalence and translation between controlled (resp. controlling) automata and con-trolled (resp. controlling) grammars, i.e. L(A1) = L(G1) (resp. L(A2) = L(G2)). Thus,one might think that an automaton control system was equivalent to a grammar con-trol system. However, we will show that an automaton control system is equivalent to aleftmost-derivation-based grammar control system.
At first, we prove a lemma which shows that we can make each name in the controlledgrammar or automaton unique without changing the global language.
Lemma 3.26. (i) Given two grammars G1 of type X and G2 of type Y with T2 = P1,if L(Y ) is closed under substitution by ε-free regular sets, there exist two grammars G′1of type X and G′2 of type Y where T ′2 = P ′1, and P ′1 only renames some productionsof P1 such that each production name in P ′1 is unique and L(G1, G2) = L(G′1, G
′2) and
L(G1, G2, lm) = L(G′1, G′2, lm).
(ii) Given two automata A1 of type X and A2 of type Y with Σ2 = δ1, if L(Y ) isclosed under substitution by ε-free regular sets, there exist two automata A′1 of type Xand A′2 of type Y where Σ′2 = δ′1, and δ′1 only renames some transitions of δ1 such thateach transition name in δ′1 is unique and L(A1 ~· A2) = L(A′1 ~· A′2).
Proof. The proofs of the two propositions are similar, thus we only prove the first one.Suppose there are k productions having the name pi in P1, we rename them to be pi1, ..., pikin P ′1. Thus, L(G1) = L(G′1).
We define the substitution s(pi) = {pij}1≤j≤k for each pi. There exists a grammarG′2 ∈ Y such that L(G′2) = s(L(G2)) ∈ L(Y ), since L(Y ) is closed under substitution byε-free regular sets. It is easy to see, a sequence of productions of G1 is accepted by L(G2)if and only if the corresponding renamed sequence of productions of G′1 is accepted bys(L(G2)). Therefore, the proposition holds. �
The above lemma makes it reasonable to make the assumption that each name in acontrolled grammar or automaton is unique, when necessary.
Theorem 3.27. Let X be a family of automata, Y be a family of grammars, if L =L(X) = L(Y ) is closed under (1) concatenation with finite sets, (2) substitution by ε-free regular sets, (3) ε-free homomorphisms, (4) right derivatives, then L(FSA ~· X) =L(REG, Y, lm).
Proof. (i) L(FSA~· X) ⊆ L(REG, Y, lm). Given an automaton control system (A~· A2),A ∈ FSA, A2 ∈ X, we construct G ∈ REG, G2 ∈ Y as follows.
3.3. Automaton Control Systems (AC Systems) 33
First, we construct a right-linear grammar G from A. The key point of the translationis the name mapping between transitions and productions. Given A = (Q,Σ, δ, q0, F ), weconstruct G = (N,T, P, S0) where:
1. for each qi ∈ Q, there is a nonterminal Si ∈ N , and S0 is the start symbol.
2. T = Σ.
3. for each transition pk : δ(qi, ak) = qj , where pk is the name of transition and ak ∈Σ ∪ {ε}, there is a production pk : Si → akSj ∈ P .
4. for each final state qi ∈ F , there is a production pεi : Si → ε ∈ P .
Second, we construct G2 ∈ Y from A2 ∈ X. Let Pε = {pεi}qi∈F and L′ = L(A2) · Pε, wehave L′ ∈ L, since L is closed under concatenation with finite sets and Pε is a finite andregular set. Thus, there exists G2 ∈ Y such that L(G2) = L′.
We now prove L(A ~· A2) = L(G,G2, lm). It is easy to see, an input string w =ai1...aik ∈ L(A~·A2) where aij = ε for some j, if and only if (q0, ai1...aik) `pi1 (qj1, ai2...aik) `pi2
· · · `pik(qjk, ε), where qjk ∈ F and pi1...pik ∈ L(A2), if and only if there exists a derivation
of G: S0pi1⇒lmai1Sj1
pi2⇒lm· · · pik⇒
lmai1...aikSjk
pεjk⇒lm
ai1...aik, and pi1...pikpεjk ∈ L(G2), if and only
if w = ai1...aik ∈ L(G,G2, lm).(ii) L(FSA ~· X) ⊇ L(REG, Y, lm). Given an LGC system (G,G2, lm), G2 ∈ Y ,
G = (N,T, P, S0) ∈ REG, where N = {Si}0≤i<|N |, P consists of all productions of theforms: Si → wSj , Si → w, w ∈ T ∗. We assume that each name of production in P isunique, since L(Y ) is closed under substitution by ε-free regular sets.
First, we construct from G a right-linear grammar G1 = (N1, T, P1, S0), where P1
consists of the following productions:
1. pkm : Sk(m−1) → akmSkm, if pk : Si → wSj ∈ P , where w = ak1 · · · ak|w|, |w| ≥ 1,1 ≤ m ≤ |w|, Sk0 = Si, Sk|w| = Sj .
2. pk : Si → εSj , if pk : Si → Sj ∈ P .
3. pkm : Sk(m−1) → akmSkm, if pk : Si → w ∈ P , where w = ak1 · · · ak|w|, |w| ≥ 1,1 ≤ m ≤ |w|, Sk0 = Si, Sk|w| = Sε.
4. pk : Si → εSε, if pk : Si → ε ∈ P .
5. pε : Sε → ε.
Then, we construct from G1 a finite automaton A = (Q,Σ, δ, q0, {qε}), where:
1. for each Si ∈ N1, there is a state qi ∈ Q, and q0 is the start state.
2. Σ = T .
3. for each production pk : Si → akSj ∈ P1, where ak ∈ T ∪ {ε}, there is a transitionpk : δ(qi, ak) = qj .
34 Chapter 3. Control Systems in Formal Language Theory
Second, we construct A2 ∈ X from G2 ∈ Y . Let h be an ε-free homomorphism asfollows:
h(pk) =
pk, if pk is of the form Si → Sj in P
pkpε, if pk is of the form Si → ε in P
pk1 · · · pk|w|, if pk is of the form Si → wSj in P , |w| ≥ 1
pk1 · · · pk|w|pε, if pk is of the form Si → w in P , |w| ≥ 1
Let L′ = h(L(G2))/{pε}, we have L′ ∈ L, since L(G2) ∈ L and L is closed under ε-freehomomorphisms and right derivatives. There exists an automaton A2 ∈ X such thatL(A2) = L′ ∈ L(X).
It is easy to see, an input string w ∈ L(A~· A2), if and only if w ∈ L(G,G2, lm). �Note that the translations between X and Y in the above proof are independent of
concrete automata or grammars, but it is easy to concretize the translations. For example,in the proof (i), the translation from A2 ∈ FSA to G2 ∈ REG is the following one: letG1 = (N1, T1, P1, S) such that L(G1) = L(A2) (using the translation from automaton toright-linear grammar), then G2 = (N1, T1 ∪ Pε, P2, S), where P2 is obtained by replacingeach production in P1 of the form A → w, A ∈ N1, w ∈ T ∗1 by a set of productions{A→ wpεi | pεi ∈ Pε}. Clearly, L(G2) = L(A2) · Pε finishes the construction.
The following corollaries are based on the theory of Abstract Families of Languages(AFL), which is initiated by [62] (a summary can be found in [61]). The theory of AFLproved that, any AFL satisfies the closure properties required in the above theorem, andthe family of regular languages and the family of context-free languages are both AFL.
Let X be FSA, Y be REG, we have the following corollary.
Corollary 3.28. L(FSA~· FSA) = L(REG,REG, lm).
Let X be PDA, Y be CFG, we have the following corollary.
Corollary 3.29. L(FSA~· PDA) = L(REG,CFG, lm).
Theorem 3.30. Let X be a family of automata, Y be a family of grammars, if L =L(X) = L(Y ) is closed under (1) substitution by ε-free regular sets, (2) concatenationwith regular sets, then L(PDA~· X) = L(CFG, Y, lm).
Proof. (i) L(PDA ~· X) ⊆ L(CFG, Y, lm). Given an AC system (D ~· A2), A2 ∈ X,D = (Q,Σ,Γ, δ, q0, Z0, F ) ∈ PDA, we construct grammars G ∈ CFG, G2 ∈ Y as follows.
First, let qe 6∈ Q, Ze 6∈ Γ, we construct G = (N,Σ, P, S) from D, where N is the setof objects of the form [q,B, r] (denoting popping B from the stack by several transitions,switching the state from q to r), q, r ∈ Q, B ∈ Γ, P is the union of the following sets ofproductions:
2. Pk = {[q,B, qm+1]→ a[q1, B1, q2][q2, B2, q3] · · · [qm, Bm, qm+1] |pk : δ(q, a,B) = (q1, B1B2...Bm), q2, ..., qm+1 ∈ Q}, where a ∈ Σ ∪ {ε}, andB,B1, ..., Bm ∈ Γ. (If m = 0, then the production is [q,B, q1]→ a.)
3. Pf = {[q,X, r] → [qe, X, r] | q ∈ F,X ∈ Γ ∪ {Ze}, r ∈ Q ∪ {qe}}. (simulating thecase of entering a final state)
3.3. Automaton Control Systems (AC Systems) 35
4. Pe = {[qe, X, qe] → ε | X ∈ Γ ∪ {Ze}}. (eliminating remaining nonterminals in thesentential form)
Note that for each transition pk ∈ δ, there exists a finite set of corresponding produc-tions Pk in P , whereas each of Ps, Pf , Pe is a unique finite set in P .
Second, we construct G2 ∈ Y from A2 ∈ X. Let s be a substitution by ε-free finitesets, such that s(pk) = Pk, L′ = Ps · s(L(A2)) · Pf · P ∗e , we have L′ ∈ L(X), since L(A2) ∈L(X) = L and L is closed under substitution by ε-free regular sets and concatenation withregular sets. Thus, there exists G2 ∈ Y such that L(G2) = L′.
It is easy to see, an input string w ∈ L(D ~· A2), if and only if w ∈ L(G,G2, lm).Indeed, G starts with Ps, then Pk simulates the transition pk of D. D enters a final state
q and accepts w, if and only if G has the derivations: S ⇒∗ w[q,X1, qe][qe, X2, qe]...Pf⇒
w[qe, X1, qe][qe, X2, qe]...P ∗
e⇒ w.(ii) L(PDA ~· X) ⊇ L(CFG, Y, lm). Given an LGC system (G,G2, lm), where G =
(N,T, P, S) ∈ CFG, G2 ∈ Y , we construct an AC system as follows.First, we construct from G an equivalent PDA D that accepts L(G) as follows:
D = ({q, f}, T,N ∪ T ∪ {Z,Z ′}, δ, q, Z, {f})
where δ is defined as follows:
1. ps : δ(q, ε, Z) = (q, SZ ′),
2. pi : δ(q, ε, B) = (q, β), for pi : B → β ∈ P , B ∈ N ,
3. pa : δ(q, a, a) = (q, ε), for a ∈ T ,
4. pf : δ(q, ε, Z ′) = (f, ε).
Second, we construct A2 ∈ X from G2 ∈ Y . Let s(pi) = pi · {pa | a ∈ T}∗ be asubstitution by ε-free regular sets, L′ = {ps} · s(L(G2)) · {pf}, we have L′ ∈ L, since L isclosed under substitution by ε-free regular sets and concatenation with regular sets. Thus,there exists A2 such that L(A2) = L′.
It is easy to see, the leftmost derivations in G are simulated by sequences of transitionsin D. Thus, an input string w ∈ L(D~· A2), if and only if w ∈ L(G,G2, lm). �
Note that the translations between X and Y in the above proof are independent ofconcrete automata or grammars, but it is easy to concretize the translations. For example,in the proof (ii), the translation from G2 ∈ REG to A2 ∈ FSA is the following one:first, we construct from G2 an equivalent finite automaton A = (Q,Σ, δ, q0, F ) such thatL(A) = L(G2) by the translation from regular grammars to finite automata. Then, weconstruct
36 Chapter 3. Control Systems in Formal Language Theory
Clearly, L(A2) = {ps} · s(L(A)) · {pf} finishes the construction.The following corollaries are based on the result that any AFL satisfies the closure
properties required by the above theorem.Let X be FSA, Y be REG, we have the following corollary.
Corollary 3.31. L(PDA~· FSA) = L(CFG,REG, lm).
Let X be PDA, Y be CFG, we have the following corollary.
Corollary 3.32. L(PDA~· PDA) = L(CFG,CFG, lm).
Because of these equivalences, we may also denote an LGC system (G1, G2, lm) byG1 ~· G2 for a uniform notation. Moreover, this operator is more straightforward forexpressing the result of constructive computation of meta-composition, e.g., A = A1 ~· A2,G = G1 ~· G2. The construction of meta-compositions appeared in the previous proofs areuseful and important, not only in the proofs of generative power, but also in emergingapplications.
3.4 Parsing Issues
3.4.1 GC Systems are not LL-Parsable
The GC systems are not compatible with LL (also LR) parsers, which are based on leftmost(or rightmost) derivations [1]. Indeed, GC systems introduce conflicts in parsing. Considerthe following example.
Example 3.33. Consider the regularly controlled grammar (also a grammar control sys-tem in L(CFG,REG)):
G = ({S,A}, {a, b}, {p1, p2, p3}, S,R)
where: p1 : S → AA, p2 : A → a, p3 : A → b, R = {p1p2p3}. Thus the following twoderivations are both accepted by L(G) = {ab, ba}:{
D1 : Sp1⇒ AA
p2⇒ aAp3⇒ ab
D2 : Sp1⇒ AA
p2⇒ Aap3⇒ ba
However, when we use an LL parser to analyze the input string ba, a leftmost derivationwill produce the sequence of productions p1p3p2, which is not accepted by R and leads toreject ba. However, we know that ba ∈ L(G). Therefore, there is a conflict. �
The conflict results from the fact that R is not a control set based on leftmost deriva-tions. Indeed, if R controls leftmost derivations, then only D1 will be accepted and D2
will be rejected.
3.4.2 Parsing by Extending Classical Algorithms
It is easy to extend LL parsing algorithms [1] to parse LGC systems. Let us consider anLGC system in which CFG G1 is controlled by CFG G2, where G1 is an LL grammar.Given an input string w, the parsing algorithm is as follows:
3.5. Related Work 37
1. parsing w with G1 using an LL parser. If G1 rejects w, the LGC system rejects. If G1
accepts w, we obtain a sequence of productions wp that is applied in the associatedleftmost derivation. Note that the sequence is unique, since LL grammars have noambiguity.
2. checking if wp is a member of L(G2). Note that G2 could be any context-freegrammar, since this step could be implemented using CYK algorithm. The LGCsystem accepts w if and only if wp ∈ L(G2).
Similarly, we can also extend Earley’s algorithm [43] to parse LGC systems. We willnot discuss the technical details of this extension, since it is intuitive and easy.
3.5 Related Work
In this section, we show the differences between the control system and related work. Inparticular, we compare the LGC system with regulated rewriting, and the AC system withsupervisory control.
3.5.1 Grammars with Regulated Rewriting
The control system is a generic framework, and the controlled component and the con-trolling component are expressed using the same formalism, e.g., automata or grammars.Therefore, the two components of an LGC system are both expressed using grammars.In contrast, traditional grammars with regulated rewriting do not satisfy this principle.Indeed, their controlled components are grammars, but their controlling components areother structures such as regular sets and matrix.
The control system adopts one restriction and three extensions of regulated rewriting[39]. The restriction is that the appearance checking mode is disabled. The extensions areas follows.
First, the controlling components are expressed using the same formalism as the con-trolled components, e.g., automata or grammars, rather than regular sets or matrix.
Second, the controlled derivations of an LGC system are restricted to be leftmost,in order to make the global system LL-parsable. We aim at obtaining an LL-parsablegrammar control system. Since a controlled LL grammar can be implemented as an LLparser generating leftmost derivations, the control mechanism and the controlling compo-nent should be compatible and easy to be integrated into the parser. However, regularlycontrolled grammars are not LL-parsable nor compatible with LL parsers.
Third, context-free controlling grammars are enabled to increase generative power.The generative power of L(CFG,REG) is reduced to be L(CFG ~· REG) = L(CFG)because of the restriction of leftmost derivations. Indeed, we proved that L(CFG) ⊂L(CFG,REG) ⊂ L(PSG) and L(CFG ~· REG) = L(CFG). As a result, in order toexpress non-context-free languages, we have to use context-free controlling grammars. Toillustrate this point, we may compare Example 3.3 and Example 3.10 (both of them acceptanbncn). The different controlling grammars are due to their different generative power.
3.5.2 Supervisory Control
The theory of supervisory control on deterministic systems was first introduced by P. J.Ramadge and W. M. Wonham in their papers [112, 113]. The supervisory control is used
38 Chapter 3. Control Systems in Formal Language Theory
to restrict the inadmissible behavior of a Discrete Event System (DES). Given a DES, or aplant, whose uncontrolled behavior is modeled by automaton G, we introduce a supervisormodeled by automaton S to restrict the behavior of the plant.
Let L ⊆ Σ∗ be a language, and s ∈ Σ∗, then the prefix-closure of L is L = {s ∈Σ∗ | ∃t ∈ Σ∗, st ∈ L}. L is prefix-closed if L = L.
The language generated by a deterministic finite state automaton (DFSA) A = (Q,Σ, δ,q0, F ) is the set
Lg(A) = {s ∈ Σ∗ | δ(q0, s) is defined}
The language marked (or accepted) by A is the set
Lm(A) = {s ∈ Σ∗ | δ(q0, s) ∈ F}
We say that the automaton A is blocking if Lm(A) ⊂ Lg(A), and nonblocking ifLm(A) = Lg(A).
The first significant difference between the AC system and supervisory control is thatthe AC system is a more generic formalism. Indeed, AC systems may consist of all typesof automata, while supervisory control only considers finite state automaton. Therefore,the AC system can express a wider range of classes of systems.
Second, let us compare finite state AC systems in L(FSA ~· FSA) and supervisorycontrol. We would like to say that the AC system uses the transition-level control, whilesupervisory control uses the alphabet-level control.
We can show that the power of supervisory control is not greater than the power ofAC systems. Given a controlled automaton, if we set each transition name identical to itsassociated symbol, then each supervisor can be expressed as a controlling automaton.
Furthermore, the AC system is strictly more powerful, because the AC system canimpose some constraints outside the power of supervisory control. We use a simple exampleto show the difference between them.
Suppose an automaton A1 shown in Fig. 3.1. Obviously, the automaton accepts thelanguage L(A1) = (abd+ abcd)∗ or Lm(A1) = (abd+ abcd)∗. Now we need a nonblockingcontroller or supervisory to restrict the behavior of the automaton to be (abd)∗.
q0 q1
q2
q3p1 : a
p2 : b
p3 : b
p4 : cp5 : d
Figure 3.1: A Controlled Automaton
It is easy to construct an AC system with the controlling automaton A2 accepting(p1 + p2 + p4 + p5)∗ by excluding p3. Thus, the new global system accepts the languageL(A1 ~· A2) = (abd)∗, which satisfies the requirement.
However, there does not exist a nonblocking supervisor satisfying the requirement. Thekey problem is the nondeterminism at the state q1. Assume there is such a supervisory S.Then S can only specify whether b can occur in a state which is reached after a occurs. Ifno, then neither of p2 and p3 is allowed, thus violates the requirement. If yes, then bothof p2 and p3 are allowed. In this case, to avoid the occurrence of abcd, S may disable the
3.6. Conclusion 39
transition labeled c in the next state. However, the automaton enters a blocking state q3
after choosing p3 : b. As a result, the supervisor is blocking, and violates the requirement.Thus, S does not exist.
Therefore, we conclude that the AC system is strictly more powerful than supervisorycontrol.
3.6 Conclusion
In this chapter, we proposed the theory of Control Systems (C Systems). The controlsystem is a generic framework, and contains two components: the controlled componentand the controlling component. We defined three types of control systems, namely GC,LGC, and AC systems. The generative power and parsing issues were studied. As wementioned, the proofs of generative power provide also the techniques for constructingmeta-compositions, which are useful for the verification and implementation of the globalsystem.
The inclusion relationships of generative power are summarized in Fig. 3.2, where a linedenotes equivalence, an arrow denotes that the upper family includes (maybe properly)the lower family. The generative power of AC systems are not explicitly presented, sincethey are equivalent to that of LGC systems.
L(REG,REG) L(REG) L(REG~· REG)
L(REG,CFG) L(CFG) L(REG~· CFG) L(CFG~· REG)
L(CFG,REG) L(CSG)
L(CFG,CFG) L(PSG) L(CFG~· CFG)
GC Systems LGC Systems
Figure 3.2: Generative Power of Control Systems
Chapter 4
On the Generative Power of(σ, ρ, π)-accepting ω-Grammars
The theory of ω-languages has been studied in the literature in various formalisms. Mostof the works focus on two aspects.
The first one is the relationship between ω-automata and the theory of second orderlogic, and related decision problems. Buchi [16] started the study of obtaining decisionprocedures for the restricted second order logic theory by using finite state ω-automata.Thomas summarized related work in [120, 121].
The second aspect concerns the generative power of ω-automata and ω-grammars, andthe closure property of ω-languages. McNaughton [99] investigated finite state ω-automataand the equivalences between their variants. Landweber [84] classified the families of ω-languages accepted by deterministic finite state ω-automata in the Borel hierarchy withrespect to the product topology. Later, Cohen studied systematically the Chomsky hierar-chy for ω-languages [32, 33, 35] and deterministic ω-automata [34, 36]. Engelfriet studied(σ, ρ)-accepting X-automata on ω-words [49].
In this chapter, we propose the (σ, ρ, π)-accepting ω-grammar, motivated by the sec-ond aspect above. The tuple (σ, ρ, π) includes various accepting models, where σ denotesthat certain productions appear infinitely often or at least once, ρ is a relation betweena set of productions and an accepting set, and π denotes leftmost or non-leftmost deriva-tions. Cohen only focused on the ω-automata with five types of i-acceptances and theω-grammars with Muller acceptance condition that leads to the Chomsky hierarchy for ω-languages [32], while Engelfriet studied the ω-automata with six types of (σ, ρ)-acceptance[49]. As a result, there does not exist the ω-grammar corresponding to the (σ, ρ)-acceptingω-automaton in the literature.
Therefore, this chapter aims at defining the (σ, ρ, π)-accepting ω-grammar associatedwith Engelfriet’s (σ, ρ)-accepting ω-automaton, systematically studying the relative gener-ative power to (σ, ρ)-accepting ω-automata. In particular, by establishing the translationmethods, we will prove that the relationship between the two types of ω-devices is similarto the one in the case of finite words for most of the accepting models. However, for someaccepting models, the generative power of non-leftmost derivations of ω- CFG is strictlyweaker than ω- PDA, and the generative power of non-leftmost derivations of ω- CSG isequal to ω- TM (rather than linear-bounded ω-automata-like devices). Furthermore, wewill discuss remaining open questions for two of the accepting models. The questions
41
42 Chapter 4. On the Generative Power of (σ, ρ, π)-accepting ω-Grammars
show that the relationship between ω-grammars and ω-automata is not easy, although therelationship between grammars and automata on finite words has been well established.
This chapter is organized as follows. In Section 4.1, notations, definitions and impor-tant known results are recalled. In Section 4.2, the generative power of (σ, ρ, π)-acceptingω-grammars is explored. Related work is discussed in Section 4.3, and we conclude inSection 4.4.
4.1 Preliminaries
The terminology and notations are mostly taken from [32, 33, 49], and conform to [74].We may use the terms “w.r.t.” and “s.t.” denoting “with respect to” and “such that”respectively.
Definition 4.1. Let Σ denote a finite alphabet, Σω denote all infinite (ω-length) stringsu =
∏∞i=1 ai where ai ∈ Σ. Any member u of Σω is called an ω-word or ω-string. An
ω-language is a subset of Σω.For any language L ⊆ Σ∗, define:
Lω = {u ∈ Σω | u =∞∏i=1
xi, where for each i, ε 6= xi ∈ L}
Note that if L = {ε} then Lω = ∅. �
The following definitions will be used to define the accepting models for ω-automataand ω-grammars.
Definition 4.2. Let A and B be two sets, for a mapping f : A→ B, we define:
inf(f) = {b | b ∈ B, |f−1(b)| ≥ ω}ran(f) = {b | b ∈ B, |f−1(b)| ≥ 1}
where |X| denotes the cardinality of the set X. �
Let N be the set of natural numbers, Q be a finite set, f ∈ Qω be an infinite sequencef = f1f2 . . .. We consider f as a mapping from N to Q where f(i) = fi. Therefore, inf(f)is the set of all elements that appear infinitely often in f , and ran(f) is the set of allelements that appear at least once in f .
To define various accepting models, in the sequel of this chapter, we assume thatσ ∈ {ran, inf} and ρ ∈ {u,⊆,=} unless specified [49], where A u B means A ∩ B 6= ∅.Thus we consider the six types of acceptance given in Table 4.1, which includes also therelation between our notation and the five types of i-acceptance used in [84, 32]. Formally,we define the (σ, ρ)-accepting model as follows.
Definition 4.3. Let σ : Qω → 2Q be a mapping that assigns to each infinite sequenceover Q a subset of Q, ρ be a binary relation over 2Q, F ⊆ 2Q be a family of sets. Theinfinite sequence f : N → Q is (σ, ρ)-accepting w.r.t. F , if there exists a set F ∈ F suchthat σ(f)ρF . �
The definitions of ω-automata are generalized from those of classical automata by addinga set of designated state sets.
Definition 4.4. A finite state ω-automaton (ω- FSA) is a tuple A = (Q,Σ, δ, q0,F),where Q is a finite set of states, Σ is a finite input alphabet, q0 ∈ Q is the initial state,δ ⊆ Q × (Σ ∪ {ε}) × Q is a transition function, and F ⊆ 2Q is a set of designated statesets. If δ is deterministic, then A is a deterministic finite state ω-automaton (ω- DFSA).
Let u =∏∞i=1 ai ∈ Σω, where ∀i ≥ 1, ai ∈ Σ. A legal run (or complete run) of A on
u is an infinite sequence of states r = r1r2 . . ., where r1 = q0 and ∀i ≥ 1,∃bi ∈ Σ ∪ {ε}satisfying δ(ri, bi) 3 ri+1 and
∏∞i=1 bi =
∏∞i=1 ai. �
Note that bi is introduced due to the existence of ε-transitions. All computations whichdo not correspond to complete runs, e.g. computations which involve infinite ε-loops, willbe disregarded.
Definition 4.5. A pushdown ω-automaton (ω- PDA) is a tuple D = (Q,Σ,Γ, δ, q0, Z0,F),where Γ is a finite stack alphabet, δ ⊆ Q× (Σ∪{ε})×Γ×Q×Γ∗ is a transition function,Z0 ∈ Γ is the start symbol. If δ is deterministic, then D is a deterministic pushdownω-automaton (ω- DPDA).
A configuration of an ω- PDA is a pair (q, γ), where q ∈ Q, γ ∈ Γ∗ and the leftmostsymbol of γ is on the top of the stack. For a ∈ Σ ∪ {ε}, β, γ ∈ Γ∗ and Z ∈ Γ, we writea : (q, Zγ) `D (q′, βγ) if δ(q, a, Z) 3 (q′, β).
Let u =∏∞i=1 ai ∈ Σω, where ∀i ≥ 1, ai ∈ Σ. A legal run (or complete run) of D on
u is an infinite sequence of configurations r = {(qi, γi)}i≥1, where (q1, γ1) = (q0, Z0) and∀i ≥ 1,∃bi ∈ Σ ∪ {ε} satisfying bi : (qi, γi) `D (qi+1, γi+1) and
∏∞i=1 bi =
∏∞i=1 ai. �
Definition 4.6. A Turing ω-machine (ω- TM) with a single semi-infinite tape is a tupleM = (Q,Σ,Γ, δ, q0,F), where Γ is a finite tape alphabet such that Σ ⊆ Γ, δ ⊆ Q × Γ ×Q× Γ× {L,R, S} is a transition function. If δ is deterministic, then M is a deterministicTuring ω-machine (ω- DTM).
A configuration of an ω- TM is a tuple (q, γ, i), where q ∈ Q and γ ∈ Γω and i ∈ Nindicating the position of the tape head. The relations `M are defined as usual.
Let u =∏∞i=1 ai ∈ Σω, where ∀i ≥ 1, ai ∈ Σ. A run of M on u is an infinite
sequence of configurations r = {(qi, γi, ji)}i≥1, where (q1, γ1, j1) = (q0, u, 1) and ∀i ≥ 1,(qi, γi, ji) `M (qi+1, γi+1, ji+1).
A run r is complete if ∀n ≥ 1, ∃k ≥ 1, s.t. jk > n. A run r is oscillating if ∃n0 ≥1,∀l ≥ 1, ∃k ≥ l, s.t. jk = n0.
44 Chapter 4. On the Generative Power of (σ, ρ, π)-accepting ω-Grammars
A legal run (or complete non-oscillating run, abbreviated c.n.o.) of M on u is a runwhich is complete and non-oscillating, and corresponds to an infinite computation thatscans each square on the tape only finitely many times. �
An m-tape Turing ω-machine (m-ω- TM) (m ≥ 1) has m semi-infinite tapes, each witha separate reading head. We assume that initially the input appears on the first tape andthe other tapes are blank. The transitions are defined in the usual way [74]. The notionof c.n.o. run for an m-ω- TM means an infinite computation that scans each square on thefirst tape only finitely many times. There is no such restriction for the other tapes.
Definition 4.7. A state qT ∈ Q is a traverse state iff ∀a ∈ Γ, δ(qT , a) = {(qT , a, R)}. �
The following definitions are common notations for all the types of ω-automata definedabove.
Definition 4.8. Let A be an ω-automaton, u =∏∞i=1 ai ∈ Σω, where ∀i ≥ 1, ai ∈ Σ. A
legal run r of A on u induces an infinite sequence of states fr = f1f2 . . ., where f1 = q0
and fi is the state entered in the i-th step of the legal run r. We define the ω-language(σ, ρ)-accepted by A as
Lσ,ρ(A) = {u ∈ Σω | there exists a legal run r of A on u such thatfr is (σ, ρ)-accepting w.r.t. F}
�
Since (inf,=)-acceptance is the most powerful model of ω-recognition (i.e. 3-acceptancein [32, 33]), we adopt (inf,=)-acceptance as our standard definition of acceptance. Hence-forth, (inf,=)-acceptance will be referred to simply as “acceptance”, and Linf,=(A) will bedenoted by L(A) (the ω-language “accepted” by A) by omitting (inf,=).
In the sequel, we denote by ω- FSA, ω- PDA, ω- TM the families of finite state, push-down ω-automata, and Turing ω-machines, and denote by ω- DFSA, ω- DPDA, ω- DTMthe families of deterministic ones, respectively. For a family X of ω-automata, we denotethe associated family of (σ, ρ)-accepted ω-languages by Lσ,ρ(X). As usual, we denotesimply Linf,=(X) by L(X).
Definition 4.9. Two ω-automata A1 and A2 are (σ, ρ)-equivalent iff Lσ,ρ(A1) = Lσ,ρ(A2).They are equivalent iff L(A1) = L(A2). �
Definition 4.10. An ω-automaton with a unique designated set, i.e., |F| = 1, is called aU-ω-automaton. We may denote the unique designated set by F ⊆ Q instead of F = {F}.�
Lemma 4.11 (Lemma 2.7 of [49]). Let ρ ∈ {u,⊆}, for every (deterministic) ω-automatonA there exists a (deterministic) U-ω-automaton A′ such that Lσ,ρ(A) = Lσ,ρ(A′). �
Definition 4.12. An ω-automaton A has the continuity property, abbreviated Property C,iff for every ω-words u ∈ Σω there is a legal run of A on u. We say A is a C-ω-automaton.�
Note that a legal run is not necessarily accepted, but only means that it does notblock the ω-automaton. It is easy to see, by utilizing the nondeterminism, for all (σ, ρ)-acceptances, every X-type ω-automaton A without Property C can be modified into a(σ, ρ)-equivalent nondeterministic X-type ω-automaton A′ with Property C.
4.1. Preliminaries 45
4.1.2 ω-grammars and ω-languages
Let us recall that a phrase structure grammar is denoted G = (N,T, P, S), where N is afinite set of nonterminals, T is a finite set of terminals, P is a finite set of productions ofthe form p : α → β where p is the name (or label) of the production, α 6= ε, and α, β arestrings of symbols from (N ∪T )∗, and S ∈ N is the start symbol. We define the vocabularyV = N ∪ T . The language accepted by G is L(G) = {w ∈ T ∗ | S ⇒∗ w}.
A derivation using a specified production p is denoted by αp⇒ β, and its reflexive
and transitive closure is denoted by α⇒∗ γ, or with the sequence of applied productionsαp1...pk=⇒ γ.
We denote a leftmost derivation (denoted by lm) in the language L(G) by αp1=⇒lm
α1p2=⇒lm
· · · pk=⇒lm
αk. As an abbreviation, we write αp1...pk=⇒lm
αk. We will omit “lm” if there is no
confusion.
Definition 4.13. A phrase structure ω-grammar (ω- PSG) is a quintupleG = (N,T, P, S,F),where G1 = (N,T, P, S) is an ordinary phrase structure grammar, the productions in Pare all of the form p : α → β, where p is the name (or label) of the production, α ∈ N+,β ∈ V ∗, and F ⊆ 2P . The sets in F are called the production repetition sets.
Let d be an infinite derivation in G, starting from some string α ∈ V ∗:
d : α = u0α0p1=⇒ u0u1α1
p2=⇒ · · · pi=⇒ u0u1 · · ·uiαipi+1=⇒ · · ·
where for each i ≥ 0, ui ∈ T ∗, αi ∈ NV ∗, pi+1 ∈ P . We say d is a leftmost derivation ifffor each i ≥ 1, the production pi rewrites the leftmost nonterminal of αi−1.
Let u =∏∞i=0 ui. If u ∈ Tω, we write d : α⇒ω u. The derivation d induces a sequence
of productions dP = p1p2 . . ., i.e., a mapping dP : N→ P where dP (i) = pi.For π ∈ {l, nl} (denoting leftmost and non-leftmost derivations, respectively), we define
the ω-languages (σ, ρ, π)-accepted by G as
Lσ,ρ,l(G) = {u ∈ Tω | there exists a leftmost derivation d : S =⇒lm
ω u in G
such that dP is (σ, ρ)-accepting w.r.t. F}Lσ,ρ,nl(G) = {u ∈ Tω | there exists a derivation d : S ⇒ω u in G
such that dP is (σ, ρ)-accepting w.r.t. F}
As usual, Linf,=,π(G) will be denoted by Lπ(G). �
Definition 4.14. A context sensitive ω-grammar (ω- CSG) is an ω- PSG in which for eachproduction α→ β, |β| ≥ |α| holds. �
Definition 4.15. A context-free ω-grammar (ω- CFG) with production repetition sets isan ω- PSG whose productions are of the form A→ α, A ∈ N , α ∈ (N ∪ T )∗. �
Definition 4.16. A right linear ω-grammar (ω- RLG) with production repetition sets isan ω- PSG whose productions are of the form A→ uB or A→ u, A,B ∈ N , u ∈ T ∗. �
In the sequel, we denote by ω- RLG, ω- CFG, ω- CSG, ω- PSG the families of right-linear, context-free, context-sensitive, arbitrary phrase structure ω-grammars, respectively.For a family X of ω-grammars, we denote the associated families of (σ, ρ, π)-accepted ω-languages by Lσ,ρ,π(X). As we mentioned, we denote simply Linf,=,π(X) by Lπ(X).
46 Chapter 4. On the Generative Power of (σ, ρ, π)-accepting ω-Grammars
Definition 4.17. Two ω-grammars G1 and G2 are (σ, ρ, π)-equivalent iff Lσ,ρ,π(G1) =Lσ,ρ,π(G2). They are equivalent in π-derivation iff Lπ(G1) = Lπ(G2). �
Definition 4.18. An ω-grammar with a unique designated set, i.e., |F| = 1, is called aU-ω-grammar. We may denote the unique designated set by F ⊆ P instead of F = {F}.�
Definition 4.19. An ω-grammar with a designated set F = 2P is a unrestricted ω-grammar, denoted by u-ω-grammar. �
The previous definitions concern the grammars with production repetitions sets. Nowwe switch to the (σ, ρ, π)-acceptance w.r.t. variable repetition sets of context-free ω-grammars.
Definition 4.20. A context-free ω-grammar with variable repetition sets (ω- CFG - V)is a quintuple G = (N,T, P, S,F), where G1 = (N,T, P, S) is an ordinary context-freegrammar and F ⊆ 2N . The sets in F are called the variable repetition sets.
Let d : α ⇒ω u ∈ Tω be an infinite derivation in G. The derivation d induces asequence of nonterminals dN = n1n2 . . ., i.e., a mapping dN : N → N with dN (i) = ni,where ni ∈ N is the nonterminal which is the left-hand side of the i-th production in dP .
For π ∈ {l, nl}, we define the ω-languages (σ, ρ, π)-accepted by G as
Lσ,ρ,l(G) = {u ∈ Tω | there exists a leftmost derivation d : S =⇒lm
ω u in G
such that dN is (σ, ρ)-accepting w.r.t. F}Lσ,ρ,nl(G) = {u ∈ Tω | there exists a derivation d : S ⇒ω u in G
such that dN is (σ, ρ)-accepting w.r.t. F}
As usual, Linf,=,π(G) will be denoted by Lπ(G). �
Definition 4.21. A right linear ω-grammar with variable repetition sets (ω- RLG - V) isan ω- CFG - V whose productions are of the form A → uB or A → u, A,B ∈ N , u ∈ T ∗.�
The following theorem states that the (inf,=, π)-acceptance w.r.t. the two types ofrepetition sets defined above are equivalent in generative power. The proofs of the twoequations can be found in Remark 2.7 and Proposition 4.1.1 of [33].
Therefore, we choose the leftmost derivation as our standard definition of acceptancein ω- CFG’s. That means, Lσ,ρ,l(G), Ll(G), Lσ,ρ,l(X), Ll(X) will be denoted simply byLσ,ρ(G), L(G), Lσ,ρ(X), L(X), respectively.
4.1. Preliminaries 47
4.1.3 Main Characterizations
We denote by REGL, CFL, REL the families of regular, context-free, recursive enumer-able languages, and denote by ω- REGL, ω- CFL, ω- REL the families of ω-type ones thatare defined in this section, respectively.
Definition 4.25. For any family L of languages over alphabet Σ, the ω-Kleene closureof L, denoted by ω- KC(L) is:
ω- KC(L) = {L ⊆ Σω | L =k⋃i=1
UiVωi for some Ui, Vi ∈ L, 1 ≤ i ≤ k ∈ N}
where N is the set of natural numbers. �
Theorem 4.26 (Thm. 2.2.2 and 3.1.9 of [32], [16], [99]). For any ω-language L ⊆ Σω,the following conditions are equivalent:
1. L ∈ ω- KC(REGL)
2. L ∈ L(ω- FSA)
3. L ∈ Linf,u(U - ω- FSA) or L ∈ Linf,u(ω- FSA)
4. L ∈ L(ω- DFSA)
5. L ∈ L(ω- RLG) or L ∈ L(ω- RLG - V)
The ω-language L is a regular ω-language (ω- REGL), if it satisfies the conditions. It iseffectively given if it is given in one of the forms above. �
Theorem 4.27 (Thm. 2.2.4 of [32], Thm. 1.8 and 1.12 of [33], [16], [99]). The familyof regular ω-languages (ω- REGL, i.e., L(ω- FSA)) is closed under all Boolean operations,regular substitution and generalized sequential machine (gsm) mapping. �
Theorem 4.28 (Thm. 2.2.5 of [32]). For any regular ω-languages L1 and L2 effectivelygiven, it is decidable whether (1) L1 is empty, finite or infinite; (2) L1 = L2; (3) L1 ⊆ L2;(4) L1 ∩ L2 = ∅. �
Theorem 4.29 (Thm. 4.1.8 of [32]). For any ω-language L ⊆ Σω, the following conditionsare equivalent:
1. L ∈ ω- KC(CFL)
2. L ∈ L(ω- PDA)
3. L ∈ Linf,u(U - ω- PDA) or L ∈ Linf,u(ω- PDA)
4. L ∈ L(ω- CFG) or L ∈ L(ω- CFG - V)
The ω-language L is a context-free ω-language (ω- CFL), if it satisfies the conditions. Itis effectively given if it is given in one of the forms above. �
Theorem 4.30 (Section 1 of [33]). The family of context-free ω-languages (ω- CFL, i.e.,L(ω- PDA)) is closed under union, intersection with ω- REGL, quotient with ω- REGL,context-free substitution and gsm mapping, is not closed under intersection and comple-mentation. �
48 Chapter 4. On the Generative Power of (σ, ρ, π)-accepting ω-Grammars
Theorem 4.31 (Thm. 4.2.6 and 4.2.8 of [32]). For any context-free ω-language L andregular ω-language R effectively given, it is decidable whether (1) L is empty, finite orinfinite; (2) L ⊆ R. �
Theorem 4.32. For every m-ω- TM, m ≥ 1, there can be constructed a (σ, ρ)-equivalentω- TM. Therefore, Lσ,ρ(m-ω- TM) = Lσ,ρ(ω- TM).
Proof. The proof resembles that of Thm. 7.3 of [35]. If m ≥ 3, then m-ω- TM can betranslated into a 2 -ω- TM. For every 2 -ω- TM M with the set of designated sets F , therecan be constructed an ω- TM M ′ who simulates M by two tracks α, β on the tape. Thesimulation applies the relative folding process for β w.r.t. α (see Section 6 of [35]). Foreach (σ, ρ)-acceptance, one can define a set of designated sets H to finish the proof. �
Theorem 4.33 (Theorems 5.1, 5.9 and 8.2 of [35]). For any ω-language L ⊆ Σω, thefollowing conditions are equivalent:
1. L ∈ Lσ,ρ(ω- TM), for σ ∈ {ran, inf} and ρ ∈ {u,⊆,=}
2. L ∈ Lσ,ρ(m-ω- TM)
3. L ∈ Lnl(ω- PSG)
4. L ∈ Lnl(ω- CSG)
The ω-language L is a recursive enumerable ω-language (ω- REL), if it satisfies the condi-tions. Note that ω- KC(REL) ⊂ ω- REL. �
Note that (1) extends Thm. 8.2 of [35] where only i-acceptances are considered, and(2) follows from Thm. 4.32.
Theorem 4.34 (Section 5.3 and Thm. 8.4 of [35]). The family of recursive enumerableω-languages (ω- REL, i.e., L(ω- TM)) is closed under union, intersection, recursive enu-merable substitution and concatenation with recursive enumerable languages, is not closedunder complementation. �
The following result shows inclusion or equivalence between the families of ω-languagesrecognized by various (σ, ρ)-accepting X-type ω-automata.
Theorem 4.35 (Thm. 3.5 of [49]). For the above various accepting models of X-type ω-automata, X ∈ {ω- FSA, ω- PDA, ω- TM}, we have Lran,⊆(X) ⊆ Lran,u(X) = Lran,=(X) =Linf,⊆(X) ⊆ Linf,u(X) = Linf,=(X). �
4.2 On the Generative Power of (σ, ρ, π)-accepting ω-Grammars
This section is devoted to explore the relationships between (σ, ρ, π)-accepting ω-grammarsand (σ, ρ)-accepting ω-automata. After introducing some special forms of ω-grammars,we study the leftmost and non-leftmost derivations of ω-grammars.
4.2. On the Generative Power of (σ, ρ, π)-accepting ω-Grammars 49
4.2.1 Special Forms of ω-Grammars
We introduce some special forms of ω-grammars that will be used to study the generativepower in the sequel. Some of the results are extensions of these on the grammar on finitewords. We start with a special form of ω- RLG.
Lemma 4.36. Given an ω- RLG G = (N,T, P, S0,F), there can be constructed a (σ, ρ, π)-equivalent ω- RLG G′ = (N ′, T, P ′, S0,H) whose productions are of the form A → aB orA→ a, a ∈ T ∪ {ε}, such that Lσ,ρ,π(G) = Lσ,ρ,π(G′).
Proof. Without loss of generality, assume that N = {Sk}0≤k<|N |, P = {pk}1≤k≤|P | consistsof all productions of the forms: pk : Si → uSj , pk : Si → u, u ∈ T ∗. We construct G′ asfollows: P ′ consists of all productions of the following forms:
1. pk : Si → aSj , if pk : Si → aSj ∈ P , a ∈ T ∪ {ε}.
2. pk : Si → a, if pk : Si → a ∈ P , a ∈ T ∪ {ε}.
3. pkm : Sk(m−1) → akmSkm, for 1 ≤ m ≤ |u|, Sk0 = Si, Sk|u| = Sj , if pk : Si → uSj ∈P , where u = ak1 · · · ak|u|, |u| ≥ 2.
4. pkm : Sk(m−1) → akmSkm, for 1 ≤ m ≤ |u|, Sk0 = Si, Sk|u| = ε, if pk : Si → u ∈ P ,where u = ak1 · · · ak|u|, |u| ≥ 2.
We denote by Pk the set of productions named pk or pkm. Let F = {Fi}1≤i≤n, weconstruct the set H = {Hi}1≤i≤n where Hi =
⋃pk∈Fi
Pk. It can be easily verified thatLσ,ρ,π(G) = Lσ,ρ,π(G′) for the different (σ, ρ, π)-accepting models. �
The next lemma concerns the ε-production-free ω- CFG.
Lemma 4.37. Given an ω- CFG G = (N,T, P, S,F), there can be constructed a (σ, ρ, π)-equivalent ε-production-free ω- CFG G′ = (N,T, P ′, S,H) with no productions of the formA→ ε, such that Lσ,ρ,π(G) = Lσ,ρ,π(G′), for (σ, ρ, π) 6∈ {(ran,u, l), (ran,=, l)}.
Proof. Define NL(α) = {D ⊆ P | there exists a finite derivation d : α⇒∗ ε s.t. ran(dP ) =D}. Define the substitution h as: for A ∈ N , h(A) = A if NL(A) = ∅, h(A) = {A, ε} ifNL(A) 6= ∅, and for a ∈ T , h(a) = a.
Let α =∏li=1Ai and β =
∏li=1Bi ∈ h(α), where ∀1 ≤ i ≤ l, Ai ∈ N ∪ T , Bi ∈ h(Ai).
To accumulate the productions that rewrite some nonterminals in α to be ε, we definePE(β) = {
⋃li=1 Pi | Pi = ∅ if Bi = Ai, and Pi ∈ NL(Ai) if Bi = ε}.
Let P ′ = {[p,K, β] : A → β | p : A → α ∈ P, ε 6= β ∈ h(α),K ∈ PE(β)}. DefinePro([p,K, β]) = {p} ∪K for each production in P ′, and Pro(H) =
⋃p∈H Pro(p) for a set
H of productions.An intuitive view of the simulation is shown in Fig. 4.1. The productions used to
rewrite Ai and Aj are accumulated in the name of the production p.Let F = {Fk}1≤k≤n, we construct the set H according to different accepting models:
1. (ran,u, nl)-acceptance. H = {{p ∈ P ′ | Pro(p) ∩⋃nk=1 Fk 6= ∅}}.
2. (ran,⊆, nl)-acceptance. Let Hk = {H ⊆ P ′ | Pro(H) ⊆ Fk}, then H =⋃
1≤k≤nHk.
3. (ran,=, nl)-acceptance. H = {H ⊆ P ′ | Pro(H) ∈ F}.
4. (inf,u, nl)-acceptance. The same as (1).
50 Chapter 4. On the Generative Power of (σ, ρ, π)-accepting ω-Grammars
A
p
α = A1 · · · Ai · · · Aj · · · Al
Pi ∈ NL(Ai)Pj ∈ NL(Aj)
C1 · · · Cm ε · · · ε ε · · · ε
A
[p, · · · ∪ Pi ∪ · · · ∪ Pj ∪ · · · , β]
β = A1 · · · ε · · · ε · · · Al
C1 · · · Cm
Figure 4.1: Simulation by an ε-production-free ω- CFG
5. (inf,⊆, nl)-acceptance. The same as (2).
6. (inf,=, nl)-acceptance. The same as (3).
7. (ran,⊆, l)-acceptance. The same as (2).
8. (inf,⊆, l)-acceptance. The same as (2).
For the above cases, it can be easily verified that Lσ,ρ,π(G) = Lσ,ρ,π(G′). However, theconstructive proof does not work for other cases.
For (inf,u, l)-acceptance and (inf,=, l)-acceptance, it is easy to prove Linf,u,l(ω- CFG) =ω- KC(CFL), and Linf,=,l(ω- CFG) = ω- KC(CFL) by Thm. 4.29. Therefore, every ω-language L accepted by the two models can be expressed in the form L =
⋃ki=1 UiV
ωi , for
some natural number k, and ∀1 ≤ i ≤ k, ε 6∈ Ui ∈ CFL, ε 6∈ Vi ∈ CFL. Obviously, the 2kcontext-free languages can be generated by 2k ε-production-free context-free grammars.Thus, for each of the two accepting models, an ε-production-free ω- CFG that accepts Lcan be constructed from the 2k ε-production-free context-free grammars. �
Unfortunately, for (ran,u, l)-acceptance and (ran,=, l)-acceptance, the construction ofε-production-free ω- CFG is still an open problem. If we use a similar construction asthe nl-derivation case, the difficulty is the following one: there may exist a production[p,K, β] : A → β in P ′, where Bi in β is supposed to be ε (Ai is rewritten by someproductions to be ε) but Ai cannot be reached by the corresponding leftmost derivationin the original ω-grammar G.
The following lemmas concern some special forms of ω- PSG.
Lemma 4.38. Given an ω- PSG G = (N,T, P, S,F), there can be constructed a (σ, ρ, nl)-equivalent ω- PSG G′ = (N ′, T, P ′, S,H) whose productions are of the forms α→ β, A→ aor A→ ε, α, β ∈ N+, A ∈ N , a ∈ T , such that Lσ,ρ,nl(G) = Lσ,ρ,nl(G′).
Proof. Without loss of generality, assume that P = {pk}1≤k≤|P |, the maximal length ofthe right-hand sides of the productions is l. We construct G′ with N ′ = N ∪ {aki | a ∈T, pk ∈ P, 1 ≤ i ≤ l}∪{Ek | pk ∈ P}. P ′ consists of all productions of the following forms:
1. pk : α→ β, if pk : α→ β ∈ P , α, β ∈ N+.
2. pk : A→ ε, if pk : A→ ε ∈ P , A ∈ N .
3. pk : α → a1,k1...a|γ|,k|γ| where ai,ki = ai if ai ∈ N , and pki : ai,ki → ai for eachai ∈ T , if pk : α→ γ ∈ P , α ∈ N+, γ = a1...a|γ| ∈ V + −N+.
4. pk : α→ Ek and pkε : Ek → ε, if pk : α→ ε ∈ P , α ∈ N+ −N .
4.2. On the Generative Power of (σ, ρ, π)-accepting ω-Grammars 51
We define the function f as follows:
f(pk) =
{pk}, if pk ∈ P is of the form in case (1) or (2).{pk} ∪ {pki | ai ∈ T and ai is the i-th symbol of γ},
if pk ∈ P is of the form in case (3).{pk, pkε}, if pk ∈ P is of the form in case (4).
For a set H of productions, f(H) =⋃pk∈H f(pk). Let F = {Fi}1≤i≤n, we construct the set
H = {f(Fi)}1≤i≤n. It can be easily verified that Lσ,ρ,nl(G) = Lσ,ρ,nl(G′) for the differentaccepting models. �
We have similar lemmas for ω- CFG and ω- CSG, by using the same proof techniqueas the above one.
Lemma 4.39. Given an ω- CFG G = (N,T, P, S,F), there can be constructed a (σ, ρ, nl)-equivalent ω- CFG G′ = (N ′, T, P ′, S,H) whose productions are of the forms A → β,A→ a or A→ ε, β ∈ N+, A ∈ N , a ∈ T , such that Lσ,ρ,nl(G) = Lσ,ρ,nl(G′).
Lemma 4.40. Given an ω- CSG G = (N,T, P, S,F), there can be constructed a (σ, ρ, nl)-equivalent ω- CSG G′ = (N ′, T, P ′, S,H) whose productions are of the forms α → β orA→ a, α, β ∈ N+, |α| ≤ |β|, A ∈ N , a ∈ T , such that Lσ,ρ,nl(G) = Lσ,ρ,nl(G′).
For completeness, the following definition concerning $-boundary is taken from Def.4.5 of [35].
Definition 4.41. An ω- PSG (ω- CSG, resp.) with $-boundary is an ω-grammar G =(N ∪ {$, S}, T, P, S0,F), in which each production is of one of the following forms (1)-(4)((1)-(3), resp.):
1. α→ β, α, β ∈ N+,
2. S → $α, α ∈ N+,
3. $A→ a$, A ∈ N , a ∈ T ,
4. A→ ε, A ∈ N . �
The $-boundary divides sentential forms into two parts. The left part consists ofterminals generated. The right part consists of nonterminals to be rewritten.
The following lemma extends Thm. 4.6 of [35] where only 3-acceptance was considered(furthermore, the assumption in the proof was used without justification, while we providea proof in Lemma 4.38).
Lemma 4.42. Given an ω- PSG (ω- CSG, resp.), there can be constructed a (σ, ρ, nl)-equivalent ω- PSG (ω- CSG, resp.) with $-boundary.
Proof. Let G = (N,T, P, S,F) be an ω- PSG. By Lemma 4.38, we assume P = P1 ∪P2 ∪ P3, where P1 = {pk : α → β, α, β ∈ N+}, P2 = {pk : A → a,A ∈ N, a ∈ T},P3 = {pk : A → ε, A ∈ N}. There can be constructed a (σ, ρ, nl)-equivalent ω- PSGG′ = (N ∪ {a | a ∈ T} ∪ {S1, $}, T, P ′, S1,H), where P ′ = Ps ∪ P1 ∪ P ′2 ∪ P3 ∪ P4, andPs = {S1 → $S}, P ′2 = {pk : A→ a | pk : A→ a ∈ P2}, P4 = {pa : $a→ a$ | a ∈ T}.
Let F = {Fi}1≤i≤n, we construct the set H according to different accepting models:
52 Chapter 4. On the Generative Power of (σ, ρ, π)-accepting ω-Grammars
1. (ran,u, nl)-acceptance. H = F .
2. (ran,⊆, nl)-acceptance. H = {Fi ∪ Ps ∪ P4}1≤i≤n.
3. (ran,=, nl)-acceptance. Let Hi = {Fi ∪ Ps ∪H | ∅ ⊂ H ⊆ P4}, then H =⋃ni=1Hi.
4. (inf,u, nl)-acceptance. The same as (1).
5. (inf,⊆, nl)-acceptance. H = {Fi ∪ P4}1≤i≤n.
6. (inf,=, nl)-acceptance. Let Hi = {Fi ∪H | ∅ ⊂ H ⊆ P4}, then H =⋃ni=1Hi.
It can be easily verified that Lσ,ρ,nl(G) = Lσ,ρ,nl(G′).If G is an ω- CSG, P3 above will be empty and G′ will be an ω- CSG with $-boundary.
�The important special forms discussed can facilitate the proofs in the sequel.
4.2.2 Leftmost Derivation of ω-Grammars
In the case of leftmost derivation, we will show the equivalences of ω- RLG and ω- FSA,of ω- CFG and ω- PDA, as we expect. Furthermore, the generative power of ω- CSG orω- PSG is not greater than ω- PDA. Most of the results are obtained by extending theseon the grammar on finite words.
Theorem 4.43. Lσ,ρ,l(ω- RLG) = Lσ,ρ(ω- FSA).
Proof. (i) Lσ,ρ,l(ω- RLG) ⊆ Lσ,ρ(ω- FSA). Let G = (N,T, P, S0,F) be an ω- RLG withN = {Sk}0≤k<|N |, P = {pk}1≤k≤|P |. Without loss of generality, we assume the productionsare of the form Si → aSj or Si → a, a ∈ T ∪ {ε} (by Lemma 4.36). Construct an ω- FSAA = (Q,T, δ, q0,H), where:
1. Q = {q0} ∪ {qik | pk : Si → γ ∈ P , γ ∈ (N ∪ T )∗}, q0 is the start state.
2. δ(q0, ε) = {q0k | pk : S0 → γ ∈ P , γ ∈ (N ∪ T )∗}.
3. δ(qik, a) contains {qjn | pn : Sj → γ ∈ P , γ ∈ (N ∪ T )∗}, for each productionpk : Si → aSj ∈ P , where a ∈ T ∪ {ε}.
We define f(pk) = qik if pk : Si → γ ∈ P , γ ∈ (N ∪ T )∗. Obviously, G uses pk, iff A uses atransition starting from qik in a simulation. Let F = {Fk}1≤k≤n, we construct the set Haccording to different accepting models:
1. (ran,u)-acceptance. Let Hk = {f(pi) | pi ∈ Fk}, then H = {Hk}1≤k≤n.
2. (ran,⊆)-acceptance. Let Hk = {q0} ∪ {f(pi) | pi ∈ Fk}, then H = {Hk}1≤k≤n.
3. (ran,=)-acceptance. The same as (2).
4. (inf,u)-acceptance. The same as (1).
5. (inf,⊆)-acceptance. The same as (1).
6. (inf,=)-acceptance. The same as (1).
4.2. On the Generative Power of (σ, ρ, π)-accepting ω-Grammars 53
It can be easily verified that Lσ,ρ,l(G) = Lσ,ρ(A).(ii) Lσ,ρ,l(ω- RLG) ⊇ Lσ,ρ(ω- FSA). Let A = (Q,Σ, δ, q0,F) be an ω- FSA with Q =
{qk}0≤k<|Q|. Construct an ω- RLG G = (N,Σ, P, S0,H) where:
1. for each qi ∈ Q, there is a nonterminal Si ∈ N , and S0 is the start symbol.
2. for each transition δ(qi, a) 3 qj , where a ∈ Σ ∪ {ε}, there is a production piaj : Si →aSj ∈ P .
We denote by Pi the set of the production piaj ∈ P for any a ∈ Σ∪{ε}, Sj ∈ N . Obviously,A uses a transition starting from qi, iff G uses a production in Pi in a simulation. LetF = {Fk}1≤k≤n, we construct the set H according to different accepting models:
1. (ran,u, l)-acceptance. Let Hk =⋃qi∈Fk
Pi, then H = {Hk}1≤k≤n.
2. (ran,⊆, l)-acceptance. The same as (1).
3. (ran,=, l)-acceptance. Let Hk = {H ⊆⋃qi∈Fk
Pi | ∀qi ∈ Fk, H ∩ Pi 6= ∅}, thenH =
⋃nk=1Hk.
4. (inf,u, l)-acceptance. The same as (1).
5. (inf,⊆, l)-acceptance. The same as (1).
6. (inf,=, l)-acceptance. The same as (3).
It can be easily verified that Lσ,ρ,l(G) = Lσ,ρ(A). �
Theorem 4.44. Lσ,ρ,l(ω- CFG) = Lσ,ρ(ω- PDA).
Proof. (i) Lσ,ρ,l(ω- CFG) ⊆ Lσ,ρ(ω- PDA). Let G = (N,T, P, S,F) be an ω- CFG withP = {pi}1≤i≤|P |. Construct an ω- PDA D = (Q,T,Γ, δ, q′0, Z0,H), where Γ = N∪T ∪{Z0},Q = {q′0, q0} ∪ {qi | pi ∈ P}, δ is defined as follows:
1. δ(q′0, ε, Z0) = (q0, SZ0),
2. δ(q0, a, a) = (q0, ε) for all a ∈ T ,
3. δ(q0, ε, A) 3 (qi, ε) if pi : A→ γ ∈ P , A ∈ N , γ ∈ (N ∪ T )∗,
4. δ(qi, ε,X) = (q0, γX) if pi : A→ γ ∈ P , X ∈ Γ.
Let F = {Fk}1≤k≤n, we construct the set H according to different accepting models:
1. (ran,u)-acceptance. Let Hk = {qi | pi ∈ Fk}, then H = {Hk}1≤k≤n.
2. (ran,⊆)-acceptance. Let Hk = {q′0, q0} ∪ {qi | pi ∈ Fk}, then H = {Hk}1≤k≤n.
3. (ran,=)-acceptance. The same as (2).
4. (inf,u)-acceptance. The same as (1).
5. (inf,⊆)-acceptance. Let Hk = {q0} ∪ {qi | pi ∈ Fk}, then H = {Hk}1≤k≤n.
6. (inf,=)-acceptance. The same as (5).
54 Chapter 4. On the Generative Power of (σ, ρ, π)-accepting ω-Grammars
It can be easily verified that Lσ,ρ,l(G) = Lσ,ρ(D).(ii) Lσ,ρ,l(ω- CFG) ⊇ Lσ,ρ(ω- PDA). Let D = (Q,Σ,Γ, δ, q0, Z0,F) be an ω- PDA.
Construct an ω- CFG G = (N,Σ, P, S,H), where N is the set of objects of the form[q,B, r] (denoting popping B from the stack by several transitions, switching the statefrom q to r), q, r ∈ Q, B ∈ Γ, P is the union of the following sets of productions:
1. Ps = {S → [q0, Z0, qi] | qi ∈ Q}.
2. P ′ = {[qi, B, qj ]→ a[qj1 , B1, qj2 ][qj2 , B2, qj3 ] · · · [qjm , Bm, qj ] |δ(qi, a, B) = (qj1 , B1B2...Bm), qj2 , ..., qjm , qj ∈ Q}, where a ∈ Σ ∪ {ε}, andB,B1, ..., Bm ∈ Γ. (If m = 0, then the production is [qi, B, qj1 ]→ a.)
We denote by Pi the set of productions of the form [qi, B, qj ]→ γ, for any B ∈ Γ, qj ∈ Q,γ ∈ N∗ ∪ΣN∗. Obviously, D uses a transition starting from qi, iff G uses a production inPi in a simulation.
Let F = {Fk}1≤k≤n, we construct the set H according to different accepting models:
1. (ran,u, l)-acceptance. Let Hk =⋃qi∈Fk
Pi, then H = {Hk}1≤k≤n.
2. (ran,⊆, l)-acceptance. Let Hk = Ps ∪⋃qi∈Fk
Pi, then H = {Hk}1≤k≤n.
3. (ran,=, l)-acceptance. Let Hk = {H ⊆ P | H ∩ Ps 6= ∅ and ∀qi ∈ Fk, H ∩ Pi 6= ∅},then H =
It can be easily verified that Lσ,ρ,l(G) = Lσ,ρ(D). �
Theorem 4.45. Lσ,ρ,l(ω- PSG) = Lσ,ρ,l(ω- CFG).
Proof. (i) Lσ,ρ,l(ω- PSG) ⊇ Lσ,ρ,l(ω- CFG) is trivial.(ii) Lσ,ρ,l(ω- PSG) ⊆ Lσ,ρ,l(ω- CFG). We only need to prove Lσ,ρ,l(ω- PSG) ⊆ Lσ,ρ(ω- PDA)
and the result follows from Thm. 4.44.Let G = (N,T, P, S,F) be an ω- PSG with P = {pi}1≤i≤|P |. Construct an ω- PDA
D = (Q,T,Γ, δ, q′0, Z0,H), where Γ = N ∪ T ∪ {Z0}. Let l be the maximal length of theleft-hand sides of the productions of P , then Q = {q′0, q0} ∪ {q[iα] | pi ∈ P, α ∈
⋃lj=1N
j}.δ is defined as follows:
1. δ(q′0, ε, Z0) = (q0, SZ0),
2. δ(q0, a, a) = (q0, ε) for all a ∈ T ,
3. δ(q0, ε, A) 3 (q[iA], ε) if pi : Aγ1 → γ ∈ P , A ∈ N , γ1 ∈ N∗, γ ∈ (N ∪ T )∗,
4. δ(q[iα], ε, A) = (q[iαA], ε) if pi : αAγ1 → γ ∈ P , α ∈ N+,
5. δ(q[iα], ε,X) = (q0, γX) if pi : α→ γ ∈ P , X ∈ Γ.
4.2. On the Generative Power of (σ, ρ, π)-accepting ω-Grammars 55
We denote by Pref(α) the set of prefixes (length between 1 and |α|) of finite word α. LetF = {Fk}1≤k≤n, Qi = {q[iβ] | pi : α → γ ∈ P and β ∈ Pref(α)}, we construct the set Haccording to different accepting models:
1. (ran,u)-acceptance. Let Hk = {q[iα] | pi : α→ γ ∈ Fk}, then H = {Hk}1≤k≤n.
2. (ran,⊆)-acceptance. Let Hk = {q′0, q0} ∪⋃pi∈Fk
Qi, then H = {Hk}1≤k≤n.
3. (ran,=)-acceptance. The same as (2).
4. (inf,u)-acceptance. The same as (1).
5. (inf,⊆)-acceptance. Let Hk = {q0} ∪⋃pi∈Fk
Qi, then H = {Hk}1≤k≤n.
6. (inf,=)-acceptance. The same as (5).
It can be easily verified that Lσ,ρ,l(G) = Lσ,ρ(D). �
In the case of non-leftmost derivation, we will show the equivalences of ω- RLG and ω- FSA,of ω- PSG and ω- TM, as we expect. Furthermore, the generative power of ω- CFG is notgreater than (may be strictly included in, or equal to) ω- PDA. The generative power ofω- CSG is also equal to ω- TM. Most of the results are obtained by extending these on thegrammar on finite words.
Proof. It is trivial, since every derivation is a leftmost derivation for ω- RLG. �To study the generative power of ω- CFG, we must have in mind the following fact.
Recall that for CFG on finite words, given G ∈ CFG, the language generated by leftmostderivations and the one generated by non-leftmost derivations are equal, i.e., Ll(G) =Lnl(G). For ω- CFG, given G ∈ ω- CFG, if we do not take into account the productionrepetition sets F , then G generates leftmostly u ∈ Tω, iff G generates u in a non-leftmostderivation, because u is the leftmost substring consisting of terminals in a sentential form.
56 Chapter 4. On the Generative Power of (σ, ρ, π)-accepting ω-Grammars
Therefore, in some non-leftmost derivations of ω- CFG’s, a string may appear in the un-reached part of the sentential form (does not contribute to u), then its possible impact onthe derivation lies only in its set of applied productions.
Definition 4.50. Let G = (N,T, P, S,F) be an ω- CFG and V = N ∪ T . Let d be anon-leftmost infinite derivation in G, d : α1 ⇒ α2 ⇒ · · · ⇒ αi ⇒ · · · . Every sententialform αi can be decomposed into αi = βiγi, and the derivation starting from αi can bedecomposed into dβi
: βi ⇒ βi+1 ⇒ · · · and dγi : γi ⇒ γi+1 ⇒ · · · where αk = βkγk fork ≥ i, such that
1. for any nonterminal A in βi s.t. βi = γAγ′, γ, γ′ ∈ V ∗, dβirewrites γ ⇒∗ T ∗,
2. for any k ≥ i, βk ∈ V ∗NV ∗.
We say βi and γi are the reached part and the unreached part of αi, respectively. �
If a string γ appears in the unreached part of a sentential form, then it does notcontribute to the terminals in the generated ω-word, but only contributes to the sets ofthe productions used (by its transient sets) and the sets of the productions that appearinfinitely often (by its self-providing sets).
Definition 4.51. Let G = (N,T, P, S,F) be an ω- CFG. For any γ ∈ (N ∪ T )∗, the classof self-providing sets SP (γ) and the class of transient sets TR(γ) are defined as
SP (γ) = {D ⊆ P | there exists an infinite nl-derivation d
starting in γ s.t. inf(dP ) = D}TR(γ) = {D ⊆ P | there exists a finite nl-derivation d : γ ⇒∗ γ′
Using the above concepts, we are ready to show the nl-derivation of ω- CFG can be simu-lated by the computation of ω- PDA.
Theorem 4.52. Lσ,ρ,nl(ω- CFG) ⊆ Lσ,ρ(ω- PDA).
Proof. Given a (σ, ρ, nl)-accepting ω- CFG G = (N,T, P, S,F), we need only show how toconstruct an ω- PDA D = (Q,T,Γ, δ, q, S,H), such that G and D accept exactly the sameω-language.
Without loss of generality (because of the closure property under union), we mayassume F consists of only one repetition set, denoted by F . We may also assume thatP = P1 ∩ P2, where P1 are of the form A → α, α ∈ N+, and P2 are of the form A → a,a ∈ Σ ∪ {ε} (by Lemma 4.39). Let TR1(γ) = {D ⊆ F | there exists a finite nl-derivationd : γ ⇒∗ γ′ for some γ′ ∈ (N ∪ T )∗ s.t. ran(dP ) = D}.
(Case 1) (inf,⊆, nl)-acceptance. Assume P = {pi}1≤i≤|P |, we construct an ω- PDA Dwith Q = {q, q0} ∪ {qi | pi ∈ P}, Γ = N ∪ T ∪ {Z} where Z 6∈ N ∪ T . The transitionfunction δ is defined as follows.
4.2. On the Generative Power of (σ, ρ, π)-accepting ω-Grammars 57
1. δ(q, ε, S) = (q0, SZ),
2. δ(q0, ε, A) 3 (qk, ε) for pk : A→ γ ∈ P ,
3. δ(qk, ε,X) = (q0, γX) for X ∈ Γ, pk : A→ γ ∈ P ,
4. δ(q0, a, a) = (q0, ε) for a ∈ T .
Let H = {{q0} ∪ {qk | pk ∈ F}}, it can be easily verified that Linf,⊆,nl(G) = Linf,⊆(D).(Case 2) (ran,⊆, nl)-acceptance. The same as Case 1, except H = {{q, q0}∪{qk | pk ∈
F}}.(Case 3) (inf,u, nl)-acceptance. We construct an ω- PDA D with Q = {q0, q1} ×
{0, 1, 2}, Γ = N ∪ {Z} where Z 6∈ N , and q = [q0, 0]. Define the function f as follows:if p ∈ F , then f(0, p) = 1, else f(0, p) = 0; for p ∈ P , f(1, p) = 0 and f(2, p) = 2. Thetransition function δ is defined as follows.
1. δ([q0, i], a, A) = ([q0, f(i, p)], ε), if p : A→ a ∈ P2,
2. δ([q0, i], ε, A) 3 ([q0, f(i, p)], γ), if p : A→ γ ∈ P1,
3. δ([q0, i], ε, A) 3 ([q0, 2], γ1Z), if A → γ1γ2 ∈ P1, γ1, γ2 6= ε, and ∃K ∈ SP (γ2) s.t.F ∩K 6= ∅, (nondeterministically choose γ2 as a unreached part.)
4. δ([q0, i], ε, A) 3 ([q1, i], A) for A ∈ N , (start the derivation of the reached part usingonly productions that appear infinitely often.)
5. δ([q1, i], a, A) = ([q1, f(i, p)], ε), if p : A→ a ∈ P2,
6. δ([q1, i], ε, A) 3 ([q1, f(i, p)], γ) if p : A→ γ ∈ P1,
7. δ([q1, i], ε, A) 3 ([q1, 1], γ1Z) if A → γ1γ2 ∈ P1, γ1, γ2 6= ε, and ∃K ∈ TR(γ2) s.t.F ∩K 6= ∅.
Let H = {{[q1, 1], [q1, 2]}}, it can be easily verified that Linf,u,nl(G) = Linf,u(D).(Case 4) (ran,u, nl)-acceptance. We construct an ω- PDA D with Q = {q0} × {0, 1},
Γ = N ∪ {Z} where Z 6∈ N , and q = [q0, 0]. Define the function f as follows: if p ∈ F ,then f(0, p) = 1, else f(0, p) = 0; for p ∈ P , f(1, p) = 1. The transition function δ isdefined as follows.
1. δ([q0, i], a, A) 3 ([q0, f(i, p)], ε), if p : A→ a ∈ P2,
2. δ([q0, i], ε, A) 3 ([q0, f(i, p)], γ), if p : A→ γ ∈ P1,
3. δ([q0, i], ε, A) 3 ([q0, 1], γ1Z), if A → γ1γ2 ∈ P1, γ1, γ2 6= ε, and ∃K ∈ TR(γ2) s.t.F ∩K 6= ∅, (nondeterministically choose γ2 as a unreached part.)
Let H = {{[q0, 1]}}, it can be easily verified that Lran,u,nl(G) = Lran,u(D).(Case 5) (inf,=, nl)-acceptance. We construct an ω- PDA D with Q = {q0} × 22F ∪
{q1} × 2F × 2F ∪ {q} × 2F , Γ = N ∪ {Z} where Z 6∈ N , and q = [q0, ∅]. The transitionfunction δ is defined as follows.
1. δ([q0, H], a, A) 3 ([q0, H], ε) for H ⊆ 2F , if A→ a ∈ P2,
58 Chapter 4. On the Generative Power of (σ, ρ, π)-accepting ω-Grammars
2. δ([q0, H], ε, A) 3 ([q0, H], γ) for H ⊆ 2F , if A→ γ ∈ P1,
3. δ([q0, H], ε, A) 3 ([q0, H1], γ1Z) for H ⊆ 2F , if A → γ1γ2 ∈ P1, γ1, γ2 6= ε, andH1 = {K1 ∪ K2 | K1 ∈ H,K2 ∈ SP (γ2)}, (nondeterministically choose γ2 as aunreached part, and accumulate the productions that appear infinitely often byrewriting γ2.)
4. δ([q0, H], ε, A) 3 ([q1, F − K, ∅], A) for H ⊆ 2F , A ∈ N , and K ∈ H, (start thederivation of the reached part using only productions that appear infinitely often.The third component of the state is used to accumulate productions applied infinitelyoften hereafter. F −K computes the productions needed to appear infinitely oftenhereafter.)
5. δ([q1,K,H], a, A) 3 ([q1,K,H ∪ {p}], ε) for K,H ⊆ F , if p : A→ a ∈ P2 and p ∈ F ,(accumulate a production that appears once.)
6. δ([q1,K,H], ε, A) 3 ([q1,K,H ∪ {p}], γ) for K,H ⊆ F , if p : A→ γ ∈ P1 and p ∈ F ,(accumulate a production that appears once.)
7. δ([q1,K,H], ε, A) 3 ([q1,K,H ∪ H1 ∪ {p}], γ1Z) for K,H ⊆ F , H1 ∈ TR1(γ2), ifp : A→ γ1γ2 ∈ P1, γ1, γ2 6= ε, and p ∈ F , (accumulate the productions that appearin γ2.)
8. δ([q1,K,H], ε, A) 3 ([q,K], A) for K,H ⊆ F , A ∈ N , if K ⊆ H, (all the requiredproductions appearing infinitely often are accumulated.)
9. δ([q,K], ε, A) 3 ([q1,K, ∅], A) for K ⊆ F , A ∈ N . (restart accumulating, becauseeach production in K has been used at least once since the last time D has entered[q1,K, ∅].)
Let H = {{q × 2F }}, it can be easily verified that, there can be constructed an ω- PDAD′ from D by modifying H, such that Linf,=,nl(G) = Linf,u(D) = Linf,=(D′).
(Case 6) (ran,=, nl)-acceptance. We construct an ω- PDA D with Q = {q0} × 2F ,Γ = N ∪{Z} where Z 6∈ N , and q = [q0, ∅]. The transition function δ is defined as follows.
1. δ([q0, H], a, A) 3 ([q0, H1], ε) for H ⊆ F , if p : A → a ∈ P2 and p ∈ F , andH1 = H ∪ {p},
2. δ([q0, H], ε, A) 3 ([q0, H1], γ) for H ⊆ F , if p : A → γ ∈ P1 and p ∈ F , andH1 = H ∪ {p},
3. δ([q0, H], ε, A) 3 ([q0, H1], γ1Z) for H ⊆ F , if p : A → γ1γ2 ∈ P1 and p ∈ F ,γ1, γ2 6= ε, and H1 ∈ {H ∪ {p} ∪K | K ∈ TR1(γ2)}, (nondeterministically choose γ2
as a unreached part.)
Let H = {H ⊆ Q | [q0, F ] ∈ H}, it can be easily verified that Lran,=,nl(G) = Lran,=(D). �The above result also means Lσ,ρ,nl(ω- CFG) ⊆ Lσ,ρ,l(ω- CFG). Now we consider
whether the proper inclusion or the equivalence holds.
4.2. On the Generative Power of (σ, ρ, π)-accepting ω-Grammars 59
Proof. We consider the accepting models one by one.
1. Linf,=,nl(ω- CFG) ⊂ Linf,=,l(ω- CFG). It was proved that there exists an ω-languageL = {anbn | n ≥ 1}ω, such that L ∈ Linf,=,l(ω- CFG), but L 6∈ Linf,=,nl(ω- CFG) (seeProposition 4.3.6 of [33]). It follows that Linf,=,l(ω- CFG) * Linf,=,nl(ω- CFG), thusLinf,=,l(ω- CFG) 6= Linf,=,nl(ω- CFG).
2. Linf,u,nl(ω- CFG) ⊂ Linf,u,l(ω- CFG). In one hand, we have L ∈ Linf,u,l(ω- CFG),since Linf,=,l(ω- CFG) = Linf,u,l(ω- CFG) by Thm. 4.44 and Thm. 4.35. On theother hand, L 6∈ Linf,u,nl(ω- CFG), because it is easy to see Linf,u,nl(ω- CFG) ⊆Linf,=,nl(ω- CFG).
3. Lσ,⊆,nl(ω- CFG) = Lσ,⊆,l(ω- CFG), for σ ∈ {ran, inf}. It is easy to show Lσ,⊆,l(ω- CFG) ⊆Lσ,⊆,nl(ω- CFG) holds: for any G ∈ ω- CFG, Lσ,⊆,l(G) = Lσ,⊆,nl(G). �
Unfortunately, for (σ, ρ) ∈ {(ran,u), (ran,=)}, whether proper inclusion or equivalenceholds is still an open problem.
The following lemmas lead to the characterization of the generative power of ω- CSGand ω- PSG.
Lemma 4.54. Lσ,ρ(ω- TM) ⊆ Lσ,ρ,nl(ω- CSG).
Proof. Let M = (Q,Σ,Γ, δ, q0,F) be an ω- TM. Construct an ω- CSG G = (N,Σ, P, S,H),where N = Σ× Γ ∪Q ∪ {$, S, S1}, P contains the following productions:
1. S → $q0S1,
2. S1 → [a, a]S1, for every a ∈ Σ,
3. q[a,A]→ [a,C]p, if δ(q, A) 3 (p, C,R) for every a ∈ Σ,
4. [b, B]q[a,A]→ p[b, B][a,C], if δ(q, A) 3 (p, C, L) for every a, b ∈ Σ, B ∈ Γ,
5. q[a,A]→ p[a,C], if δ(q, A) 3 (p, C, S) for every a ∈ Σ,
6. $[a,A]→ a$, for every a ∈ Σ, A ∈ Γ.
Rule (2) generates the input ω-word. The first component of Σ× Γ is used to record theinput symbol, and the second is used to simulate M .
We denote by Pi the set of productions of type (i) above. For every q ∈ Q, we denoteby Pq the set of productions in which q appears on the left-hand side.
Let F = {Fk}1≤k≤n, we construct the set H according to different accepting models:
1. (ran,u, nl)-acceptance. Let Hk =⋃q∈Fk
Pq, then H = {Hk}1≤k≤n.
2. (ran,⊆, nl)-acceptance. Let Hk = P1 ∪ P2 ∪ P6 ∪⋃q∈Fk
Pq, then H = {Hk}1≤k≤n.
3. (ran,=, nl)-acceptance. Let Hk = {H ⊆ P1 ∪ P2 ∪ P6 ∪⋃q∈Fk
Pq | P1 ⊆ H andH ∩ P2 6= ∅ and H ∩ P6 6= ∅ and ∀q ∈ Fk, H ∩ Pq 6= ∅}, then H =
⋃nk=1Hk.
4. (inf,u, nl)-acceptance. The same as (1).
5. (inf,⊆, nl)-acceptance. Let Hk = P2 ∪ P6 ∪⋃q∈Fk
Pq, then H = {Hk}1≤k≤n.
60 Chapter 4. On the Generative Power of (σ, ρ, π)-accepting ω-Grammars
6. (inf,=, nl)-acceptance. Let Hk = {H ⊆ P2 ∪ P6 ∪⋃q∈Fk
Pq | H ∩ P2 6= ∅ andH ∩ P6 6= ∅ and ∀q ∈ Fk, H ∩ Pq 6= ∅}, then H =
⋃nk=1Hk.
It can be easily verified that Lσ,ρ,nl(G) = Lσ,ρ(M). �
Lemma 4.55. Lσ,ρ,nl(ω- PSG) ⊆ Lσ,ρ(2 -ω- TM).
Proof. Let G = (N,T, P, S,F) be an ω- PSG. By Lemma 4.42, we may assume thatG is an ω- PSG with $-boundary. Construct an 2 -ω- TM M = (Q,T,Γ, δ, q0,H) whereQ = Q′ ∪ {q0, q1, qD} ∪ {qp : p ∈ P}, Q′ is a set of working states and qD is a dead state(no further transitions). The machine has two tapes. The first tape contains the inputword u ∈ Tω, while on the second tape M simulates nondeterministically a derivation inG. M starts with writing S in the first square on the second tape. For every productionp in P there is a corresponding state qp in Q, entered by M every times production pis simulated on the second tape. If M cannot find a production to simulate, then Menters the dead state qD. Furthermore, each times M simulates a production of the form$A→ a$, the terminal a ∈ Σ is checked against the letter pointed to on the first tape. Ifthere is a match, M enters state q1, moves one square to the right on the two tapes andthen proceeds with the simulation. Otherwise, M enters the dead state qD.
Let F = {Fi}1≤i≤n, we construct the set H according to different accepting models:
1. (ran,u)-acceptance. Let Hi = {qp | p ∈ Fi}, then H = {Hi}1≤i≤n.
2. (ran,⊆)-acceptance. Let Hi = Q′ ∪ {q0, q1} ∪ {qp | p ∈ Fi}, then H = {Hi}1≤i≤n.
3. (ran,=)-acceptance. Let Hi = {H ∪ {q0, q1} ∪ {qp | p ∈ Fi} | H ⊆ Q′}, thenH =
⋃ni=1Hi.
4. (inf,u)-acceptance. The same as (1).
5. (inf,⊆)-acceptance. Let Hi = Q′ ∪ {q1} ∪ {qp | p ∈ Fi}, then H = {Hi}1≤i≤n.
6. (inf,=)-acceptance. Let Hi = {H∪{q1}∪{qp | p ∈ Fi} |H ⊆ Q′}, thenH =⋃ni=1Hi.
It can be easily verified that Lσ,ρ,nl(G) = Lσ,ρ(M). �Note that the proof above has two important differences with the proof of Thm. 5.1
in [35] in which only the 3-accepting (i.e., (inf,=)-accepting) ω-grammar was considered.The first difference is that we use two tapes rather than two tracks. Because if we usedtwo tracks, except the (inf,=)-acceptance case, for any input u ∈ Tω the ω- TM M wouldhave a c.n.o. run satisfying the accepting condition by applying an infinite computation asfollows: M generates only finite (maybe zero) terminals on the leftmost side of the secondtrack, and then never uses the productions $A → a$ any more. Thus, M would acceptLσ,ρ(M) = Tω. The second difference is that we use qD instead of the traverse state qT ,because the latter one brings inconvinience for (ran,u)-acceptance: for any input u ∈ Tω,M may simulate certain p ∈ Fi once, then enter qT by a dismatch when checking, andthe run is a c.n.o. run and thus accepted. Therefore, M would accept Lran,u(M) = Tω.In order to provide a uniform constructive proof for all the accepting models, we give ourproof by modifying the proof of Thm. 5.1 in [35].
By the above lemmas and Thm. 4.32, we showed the fact Lσ,ρ(ω- TM) ⊆ Lσ,ρ,nl(ω- CSG) ⊆Lσ,ρ,nl(ω- PSG) ⊆ Lσ,ρ(2 -ω- TM) ⊆ Lσ,ρ(m-ω- TM) = Lσ,ρ(ω- TM). Thus we have the fol-lowing theorems.
4.3. Related Work 61
Theorem 4.56. Lσ,ρ,nl(ω- PSG) = Lσ,ρ(ω- TM).
Theorem 4.57. Lσ,ρ,nl(ω- CSG) = Lσ,ρ(ω- TM).
4.3 Related Work
Cohen only focused on the five types of i-accepting ω-automata and the ω-grammarsdefined with 3-acceptance [32], and mainly discussed the ω- CFG - V with variable rep-etition sets rather than the one with production repetition sets [33]. Therefore, Cohenstudied actually some relationships between (inf,=, π)-accepting ω-grammars and (inf,=)-accepting ω-automata (i.e., 3-acceptance), including (inf,=, π)-accepting ω- CFG - V and(inf,=)-accepting ω- PDA [32, 33], (inf,=, nl)-accepting ω- PSG and (inf,=)-acceptingω- TM [35]. Furthermore, Cohen studied also some special forms and normal forms of(inf,=, π)-accepting ω-grammars.
We extended Cohen’s work in the following aspects. First, we examined the ω-grammars beyond (inf,=, π)-acceptance, since only 3-accepting ω-grammars were con-sidered in the literature. We showed that for some accepting models, the relative gen-erative power of the ω-grammars to corresponding ω-automata is different from that of3-accepting ω-grammars. Second, the ω- CFG with production repetition sets was studiedto form uniform relation and translation over the entire hierarchy of ω-grammars. How-ever, the literature only considered ω- CFG - V, and the variable repetition sets are notapplicable to ω- CSG for example. Third, we tried to provide uniform proofs for vari-ous accepting models, since some of the proofs in the literature are based on the ω-Kleeneclosure of language families (again, related to 3-acceptance), rather than uniform construc-tive proofs over various accepting models, e.g., the proof for ε-production-free 3-acceptingω- CFG - V (see Thm. 4.2.2 - Thm. 4.2.5 in [32]). Fourth, we considered one more ac-cepting model than the five types of i-acceptances for ω-automata, for the correspondingbetween ω-grammars and ω-automata.
Later, Engelfriest studied the six types of (σ, ρ)-accepting ω-automata from the per-spective of X-automata [49], but did not consider the grammar form. It is reasonable toestablish the corresponding grammar forms for these ω-automata. Therefore, we definethe (σ, ρ, π)-accepting ω-grammar corresponding to the (σ, ρ)-accepting ω-automaton, andestablish the relationship and the translation methods between the ω-grammar and theω-automaton.
4.4 Conclusion
This chapter married related works on ω-automata in the literature, and proposed the(σ, ρ, π)-accepting ω-grammar. The relative generative power of ω-grammars and ω-automata was studied in the previous theorems, which are summarized and comparedin Table 4.2.
One should particularly note:
1. the generative power of non-leftmost derivations of ω- CFG may be strictly weakerthan or equal to that of ω- PDA.
2. the generative power of leftmost derivations of ω- CSG or ω- PSG is not greater thanthat of ω- PDA.
3. the generative power of non-leftmost derivations of ω- CSG is equal to ω- TM.
62 Chapter 4. On the Generative Power of (σ, ρ, π)-accepting ω-Grammars
Table 4.2: Relative Generative Power of ω-Grammars and ω-Automata
As a result, it is not necessary to define linear-bounded ω-automata-like devices, sinceω- CSG does not have an independent level of generative power.
The open problems lie on the (ran,u)-accepting and (ran,=)-accepting models. For-tunately, the results are enough for major applications, which concern mainly (inf, ρ)-acceptances.
Thanks to the theorems and the translation methods given in the proofs in this chapter,the closure property and the decision problems of the families of ω-languages generatedby ω-grammars and those of the families of ω-languages recognized by ω-automata can bededuced from each other.
Chapter 5
Control Systems on ω-Words
This chapter is the first to marry restricted ω-grammars and regulated rewriting in classicallanguage theory [39] by proposing the formal control system on ω-words (ω-C system),which is a framework consisting of a controlled ω-device and a controlling ω-device that aremodeled using the same formalism. These ω-devices could be (σ, ρ)-accepting ω-automataor (σ, ρ, π)-accepting ω-grammars. The generative power is studied. The motivation comesfrom extending regularly controlled grammars on finite words [40, 38] and exploring theirproperties in the context of infinite words.
This chapter is organized as follows. In Sections 5.1, 5.2 and 5.3, three types of controlsystems on ω-words (ω-C systems) are studied. Related work is discussed in Section 5.4,and we conclude in Section 5.5.
5.1 ω-Grammar Control Systems (ω-GC Systems)
5.1.1 Definitions
An ω-grammar control system consists of an ω-grammar and a controlling ω-grammar.
Definition 5.1. Given a controlled ω-grammar (or simply ω-grammar) G1 = (N1, T1, P1,S1,F1), a controlling ω-grammar over G1 is a quadruple G2 = (N2, T2, P2, S2,F2), whereT2 = P1. �
Without loss of generality, we assume that N1 ∩ N2 = ∅. Generally, we denote thecontrolled ω-grammar and the controlling ω-grammar by G1 and G2 respectively.
Definition 5.2. An ω-Grammar Control System (simply ω-GC System) includes an ω-grammarG1 = (N1, T1, P1, S1,F1) and a controlling ω-grammarG2. The global ω-languageof G1 controlled by G2 is:
Lσ,ρ,nl(G1, G2) = {u ∈ Tω1 | there exists a derivation d : S1 ⇒ω u of G1
such that dP is (σ, ρ)-accepting w.r.t. F1
and dP ∈ Lσ,ρ,nl(G2)}
We say Lσ,ρ,nl(G2) is a controlling ω-language. �
Obviously, the set of accepted inputs is a subset of the controlled ω-language, suchthat the sequence of applied productions belongs to the controlling ω-language, i.e.,Lσ,ρ,nl(G1, G2) ⊆ Lσ,ρ,nl(G1).
63
64 Chapter 5. Control Systems on ω-Words
As usual, Linf,=,nl(G1, G2) will be denoted by Lnl(G1, G2).
Example 5.3. Given G1 = (N1, T1, P1, S1,F1), G2 = (N2, T2, P2, S2,F2) where F1 ={H | {p1, p2, p5, p6} ⊆ H ⊆ P1}, F2 = {H | {r1} ⊆ H ⊆ P2}, with the following produc-tions:
P1
p1 : S1 → S′1S1 p2 : S′1 → ABp3 : A→ aAb p4 : B → Bcp5 : A→ ab p6 : B → c
P2
r1 : S2 → p1p2C
r2 : C → p3p4C
r3 : C → p5p6S2
Let L1 = {anbnc+ | n ≥ 1}, L2 = p1p2(p3p4)∗p5p6, L3 = {anbncn | n ≥ 1}. Thecontext-free ω-language Lnl(G1) = Lω1 ∪ L∗1aω and the regular ω-language Lnl(G2) =Lω2 ∪L∗2p1p2(p3p4)ω constitute a non-context-free global ω-language Lnl(G1, G2) = Lω3 . �
Two trivial types of controlling ω-grammars are empty controlling ω-grammars and fullcontrolling ω-grammars. The former ones accept the empty controlling ω-language whichrejects all the sequences of productions applied in derivations, i.e., Lσ,ρ,nl(G2) = ∅. Thelatter ones accept full controlling ω-languages that accept all the sequences of productionsapplied in derivations, i.e., Lσ,ρ,nl(G2) = Pω1 , where P1 is the set of productions of thecontrolled ω-grammar G1. Note that the two types of ω-languages are both regular.
5.1.2 Generative Power
In this section, we prove theorems on the generative power. Each theorem concerns dif-ferent combinations of controlled and controlling ω-grammars.
Proof. (i) Lσ,ρ,nl(ω- RLG, ω- RLG) ⊇ Lσ,ρ,nl(ω- RLG) is obvious, since we can use a regularcontrolling ω-grammar generating a full controlling ω-language.
(ii) Lσ,ρ,nl(ω- RLG, ω- RLG) ⊆ Lσ,ρ,nl(ω- RLG). Given an ω- RLGG1 = (N1, T1, P1, S1, E)and an ω- RLG G2 = (N2, T2, P2, S2,F) with P1 = T2, P2 contains all productions of theforms: B → uC, B → u, B,C ∈ N2, u ∈ P ∗1 , E = {Ei}1≤i≤m, F = {Fi}1≤i≤n. Wedefine Rset(pi) = {pk ∈ P1 | pi : B → uC ∈ P2, pk in string u}. Let us consider different(σ, ρ, nl)-accepting models.
(a) For ρ ∈ {⊆,=}, we construct an ω-grammar
G = (N1 ×N2 ∪ {S}, T1, P, S,H)
where N1×N2 includes composite nonterminals of the form [A,B], P includes the followingsets of productions:
1. Ps = {S → [S1, S2]},
2. P ′ = {pkA : [A,B]→ α[D,C], for pk : B → uC ∈ P2, A ∈ N1 and A u=⇒ αD in G1}.
Let f1(pkA) = {pk}, f2(pkA) = Rset(pk). For H ⊆ P ′, f1(H) =⋃pkA∈H f1(pkA),
f2(H) =⋃pkA∈H f2(pkA). We construct the set H as follows:
(a.1) (ran,⊆, nl)-acceptance. H = {H ′ ∪ Ps | H ′ ⊆ P ′, f1(H ′) ⊆ Ei, f2(H ′) ⊆ Fj , Ei ∈E , Fj ∈ F}.
(a.2) (ran,=, nl)-acceptance. H = {H ′ ∪ Ps | H ′ ⊆ P ′, f1(H ′) = Ei, f2(H ′) = Fj , Ei ∈E , Fj ∈ F}.
5.1. ω-Grammar Control Systems (ω-GC Systems) 65
(a.3) (inf,⊆, nl)-acceptance. H = {H ′ | H ′ ⊆ P ′, f1(H ′) ⊆ Ei, f2(H ′) ⊆ Fj , Ei ∈E , Fj ∈ F}.
(a.4) (inf,=, nl)-acceptance. H = {H ′ | H ′ ⊆ P ′, f1(H ′) = Ei, f2(H ′) = Fj , Ei ∈E , Fj ∈ F}.
It is easy to see that the component B of [A,B] controls the derivation in such a waythat the acceptable derivations in G1 are simulated by derivations in G. Therefore, forσ ∈ {ran, inf}, ρ ∈ {⊆,=}, Lσ,ρ,nl(G1, G2) = Lσ,ρ,nl(G) ∈ Lσ,ρ,nl(ω- RLG).
(b) (σ,u)-acceptances. Without loss of generality, assume that E = {E} and F = {F}where E =
⋃mi=1Ei, F =
⋃ni=1 Fi. We construct an ω-grammar
G = (N ∪ {S}, T1, P, S,H)
where N = N1 ×N2 × {0, 1}2, and P includes the following sets of productions:
1. S → [S1, S2, 00],
2. pkAx : [A,B, x] → α[D,C, y], for pk : B → uC ∈ P2, A ∈ N1 and Au=⇒ αD in G1,
x ∈ {0, 1}2,
y =
00, if x = 1110, if x = 00 and Rset(pk) ∩ E 6= ∅01, if x = 00 and pk ∈ F11, if x = 00 and Rset(pk) ∩ E 6= ∅ and pk ∈ F11, if x = 10 and pk ∈ F11, if x = 01 and Rset(pk) ∩ E 6= ∅x, else.
Let H = {{pkA11 | pk ∈ P2, A ∈ N1}}. It is easy to see that the component B of[A,B, x] ∈ N control the derivation in such a way that the acceptable derivations in G1 aresimulated by derivations in G, while the component x is used to record the appearances ofproductions in the repetition sets E and F . Therefore, for σ ∈ {ran, inf}, Lσ,u,nl(G1, G2) =Lσ,u,nl(G) ∈ Lσ,u,nl(ω- RLG). �
Proof. (i) Lσ,ρ,nl(ω- CFG) ⊆ Lσ,ρ,nl(ω- RLG, ω- CFG). Given an ω- CFGG = (N,T, P, S,H),we construct an ω- RLG G1 = ({S1}, T, P1, S1, E) where P1 = {pa : S1 → aS1 | a ∈ T}and E = 2P1 , and an ω- CFG G2 = (N,T2, P2, S,H) where
1. h is a homomorphism: h(a) = pa, for a ∈ T ,
2. T2 = h(T ),
3. P2 = h(P ), where h(P ) is the set of productions replacing each terminal a ∈ T ofproductions in P by pa ∈ T2.
G generates u ∈ Tω, if and only if G1 generates u by using productions h(u), and G2 gener-ates h(u). Thus it is easy to see that Lσ,ρ,nl(G) = Lσ,ρ,nl(G1, G2) ∈ Lσ,ρ,nl(ω- RLG, ω- CFG)for each accepting model.
66 Chapter 5. Control Systems on ω-Words
(ii) Lσ,ρ,nl(ω- RLG, ω- CFG) ⊆ Lσ,ρ,l(ω- CFG). Given an ω- RLGG1 = (N1, T1, P1, S1, E)and an ω- CFG G3 = (N3, T3, P3, S3,F3) with P1 = T3, P1 contains all productions of theforms: B → uC, B → u, u ∈ T ∗1 .
There exists a (σ, ρ, l)-accepting ω- CFG G2 = (N2, T2, P2, S2,F) with P1 = T2 suchthat the controlling ω-language Lσ,ρ,nl(G3) = Lσ,ρ,l(G2) by Thm. 4.52. Assume N1∩N2 =∅, E = {Ei}1≤i≤m, F = {Fi}1≤i≤n. Let us consider different (σ, ρ, l)-accepting models forG2.
(a) For ρ ∈ {⊆,=}, we construct an ω-grammar
G = (N1 ∪N2 ∪ T2 ∪ {S}, T1, P, S,H)
where P includes productions of the following forms:
1. ps : S → S1S2,
2. p2kB : BA→ Bα, for B ∈ N1, pk : A→ α ∈ P2,
3. p1k : Bpk → uC, for pk ∈ T2, pk : B → uC ∈ P1.
We denote by Pri the set of productions of type (i) above. Let P1k = {p1k ∈ Pr3},P2k = {p2kB ∈ Pr2}. We construct the set H as follows:
(a.1) (ran,⊆, l)-acceptance. Let Hij = {H ′ ∪ H ′′ ∪ Pr1 | H ′ =⋃pk∈Ei
P1k, H′′ =⋃
pk∈FjP2k}, then H =
⋃mi=1
⋃nj=1Hij .
(a.2) (ran,=, l)-acceptance. Let Hij = {H ′ ∪ H ′′ ∪ Pr1 | H ′ =⋃pk∈Ei
P1k, H′′ ⊆⋃
pk∈FjP2k and ∀pk ∈ Fj , H ′′ ∩ P2k 6= ∅}, then H =
⋃mi=1
⋃nj=1Hij .
(a.3) (inf,⊆, l)-acceptance. Let Hij = {H ′∪H ′′ | H ′ =⋃pk∈Ei
P1k, H′′ =
⋃pk∈Fj
P2k},then H =
⋃mi=1
⋃nj=1Hij .
(a.4) (inf,=, l)-acceptance. Let Hij = {H ′ ∪H ′′ | H ′ =⋃pk∈Ei
P1k, H′′ ⊆
⋃pk∈Fj
P2k
and ∀pk ∈ Fj , H ′′ ∩ P2k 6= ∅}, then H =⋃mi=1
⋃nj=1Hij .
It is easy to see that the nonterminals pk ∈ T2 control the derivation in such a waythat the acceptable leftmost derivations in G1 are simulated by leftmost derivations in G.Therefore, for σ ∈ {ran, inf}, ρ ∈ {⊆,=}, Lσ,ρ,nl(G1, G3) = Lσ,ρ,l(G) ∈ Lσ,ρ,l(ω- PSG) =Lσ,ρ,l(ω- CFG), by Theorem 4.45.
(b) (σ,u)-acceptances. Without loss of generality, assume that E = {E} and F = {F}where E =
⋃mi=1Ei, F =
⋃ni=1 Fi. We construct an ω-grammar
G = (N1 ∪N2 ∪ T2 ∪ Y ∪ {S}, T1, P, S,H)
where Y = {0, 1}2, and P includes productions of the following forms:
1. ps : S → xS1S2, x = 00 ∈ Y ,
2. p2kBx : xBA→ yBα, for B ∈ N1, pk : A→ α ∈ P2, x ∈ Y ,
y =
00, if x = 1101, if x = 00 and pk ∈ F11, if x = 10 and pk ∈ Fx, else.
5.1. ω-Grammar Control Systems (ω-GC Systems) 67
3. p1kx : xBpk → uyC, for pk ∈ T2, pk : B → uC ∈ P1, x ∈ Y ,
y =
00, if x = 1110, if x = 00 and pk ∈ E11, if x = 01 and pk ∈ Ex, else.
Let H = {{p1k11 | pk ∈ P1} ∪ {p2kB11 | B ∈ N1, pk ∈ P2}}. It is easy to see, for σ ∈{ran, inf}, Lσ,u,nl(G1, G3) = Lσ,u,l(G) ∈ Lσ,u,l(ω- PSG) = Lσ,u,l(ω- CFG), by Theorem4.45. �
Proof. (i) Lσ,ρ,nl(ω- CFG) ⊂ Lσ,ρ,nl(ω- CFG, ω- RLG) is obvious, since we can use a regularcontrolling ω-grammar generating a full controlling ω-language. The strictness followsfrom Example 5.3.
(ii) Lσ,ρ,nl(ω- CFG, ω- RLG) ⊆ Lσ,ρ,nl(ω- PSG). Given an ω-CFGG1 = (N1, T1, P1, S1, E)and an ω- RLG G2 = (N2, T2, P2, S2,F) with P1 = T2, P2 contains all productions of theforms: B → uC, B → u, B,C ∈ N2, u ∈ P ∗1 . Assume N1 ∩ N2 = ∅, E = {Ei}1≤i≤m,F = {Fi}1≤i≤n. Assume that the maximal length of u of the productions in P2 is l. Letus consider different (σ, ρ, nl)-accepting models.
(a) For ρ ∈ {⊆,=}, we construct an ω-grammar
G = (N1 ∪N2 ∪N ′2 ∪ {S}, T1, P, S,H)
where N ′2 = N2 ×⋃li=0 T
l2 and P includes the following sets of productions:
1. S → S1S2,
2. p2k : B → [C, u], for pk : B → uC ∈ P2,
3. [B, ε]→ B, for B ∈ N2,
4. p1k[B,u] : A[B, pku]→ α[B, u], for [B, pku] ∈ N ′2 and pk : A→ α in P1,
5. BX → XB and XB → BX, for X ∈ N1 ∪ T1, B ∈ N2 ∪N ′2.
We denote by Pri the set of productions of type (i) above. Let P1k = {p1k[B,u] ∈ Pr4},P2k = {p2k ∈ Pr2}. We construct the set H as follows:
(a.2) (ran,=, l)-acceptance. Let Hij = {H ′ ∪H ′′ ∪ Pr1 ∪H3 ∪H5 | H ′ ⊆⋃pk∈Ei
P1k
s.t. ∀pk ∈ Ei, H ′ ∩ P1k 6= ∅, and H ′′ =⋃pk∈Fj
P2k, and ∅ ⊂ H3 ⊆ Pr3, ∅ ⊂ H5 ⊆ Pr5},then H =
⋃mi=1
⋃nj=1Hij .
(a.3) (inf,⊆, l)-acceptance. Let Hij = {H ′ ∪H ′′ ∪ Pr3 ∪ Pr5 | H ′ =⋃pk∈Ei
P1k, H′′ =⋃
pk∈FjP2k}, then H =
⋃mi=1
⋃nj=1Hij .
(a.4) (inf,=, l)-acceptance. Let Hij = {H ′ ∪ H ′′ ∪ H3 ∪ H5 | H ′ ⊆⋃pk∈Ei
P1k s.t.∀pk ∈ Ei, H ′ ∩ P1k 6= ∅, and H ′′ =
⋃pk∈Fj
P2k, and ∅ ⊂ H3 ⊆ Pr3, ∅ ⊂ H5 ⊆ Pr5}, thenH =
⋃mi=1
⋃nj=1Hij .
68 Chapter 5. Control Systems on ω-Words
It is easy to see that the nonterminals [B, pku] ∈ N ′2 control the derivation in such away that the acceptable derivations in G1 are simulated by derivations in G. Therefore,for σ ∈ {ran, inf}, ρ ∈ {⊆,=}, Lσ,ρ,nl(G1, G2) = Lσ,ρ,nl(G) ∈ Lσ,ρ,nl(ω- PSG).
(b) (σ,u)-acceptances. Without loss of generality, assume that E = {E} and F = {F}where E =
⋃mi=1Ei, F =
⋃ni=1 Fi. We construct an ω-grammar
G = (N1 ∪N ′2 ∪N ′′2 ∪ {S}, T1, P, S,H)
where N ′2 = N2 × {0, 1}2, N ′′2 = N2 × {0, 1}2 ×⋃li=0 T
l2 and P includes the following sets
of productions:
1. S → S1[S2, 00],
2. p2k[x] : [B, x]→ [C, y, u], for pk : B → uC ∈ P2, x ∈ {0, 1}2,
y =
00, if x = 1101, if x = 00 and pk ∈ F11, if x = 10 and pk ∈ Fx, else.
3. [B, x, ε]→ [B, x], for B ∈ N2, x ∈ {0, 1}2,
4. p1k[B,x,u] : A[B, x, pku] → α[B, y, u], for [B, x, pku] ∈ N ′′2 and pk : A → α in P1,x ∈ {0, 1}2,
y =
00, if x = 1110, if x = 00 and pk ∈ E11, if x = 01 and pk ∈ Ex, else.
5. BX → XB and XB → BX, for X ∈ N1 ∪ T1, B ∈ N ′2 ∪N ′′2 .
Let H = {{p1k[B,11,u] | pk ∈ P1, [B, 11, u] ∈ N ′′2 } ∪ {p2k[11] | pk ∈ P2}}. It is easyto see that the nonterminals [B, x, pku] ∈ N ′′2 control the derivation in such a way thatthe acceptable derivations in G1 are simulated by derivations in G. Therefore, for σ ∈{ran, inf}, Lσ,u,nl(G1, G2) = Lσ,u,nl(G) ∈ Lσ,u,nl(ω- PSG). �
Proof. (i) Lσ,ρ,nl(ω- CFG) ⊂ Lσ,ρ,nl(ω- CFG, ω- CFG) is obvious, since we can use a regularcontrolling ω-grammar generating a full controlling ω-language. The strictness followsfrom Example 5.3.
(ii) Lσ,ρ,nl(ω- CFG, ω- CFG) ⊆ Lσ,ρ,nl(ω- PSG). Given an ω-CFGG1 = (N1, T1, P1, S1, E)and an ω- CFG G2 = (N2, T2, P2, S2,F) with P1 = T2. Assume N1 ∩ N2 = ∅, E ={Ei}1≤i≤m, F = {Fi}1≤i≤n. Let us consider different (σ, ρ, nl)-accepting models.
(a) For ρ ∈ {⊆,=}, we construct an ω-grammar
G = (N1 ∪ T ′1 ∪N2 ∪ T2 ∪ {$, S}, T1, P, S,H)
where T ′1 = {a′ | a ∈ T1} and P includes the following sets of productions:
5.1. ω-Grammar Control Systems (ω-GC Systems) 69
1. S → $S1S2,
2. p2k : B → β, for pk : B → β ∈ P2,
3. Xp→ pX, for X ∈ N1 ∪ T ′1, p ∈ T2,
4. p1k : Apk → α′, for pk : A→ α in P1, α′ replaces each terminal a ∈ T1 of α by a′,
5. $a′ → a$, for a ∈ T1.
We denote by Pri the set of productions of type (i) above. Let P1k = {p1k ∈ Pr4},P2k = {p2k ∈ Pr2}. We construct the set H as follows:
(a.2) (ran,=, nl)-acceptance. Let Hij = {H ′ ∪H ′′ ∪Pr1 ∪H3 ∪H5 | H ′ =⋃pk∈Ei
P1k,H ′′ =
⋃pk∈Fj
P2k, and ∅ ⊂ H3 ⊆ Pr3, ∅ ⊂ H5 ⊆ Pr5}, then H =⋃mi=1
⋃nj=1Hij .
(a.3) (inf,⊆, nl)-acceptance. Let Hij = {H ′ ∪ H ′′ ∪ Pr3 ∪ Pr5 | H ′ =⋃pk∈Ei
P1k,H ′′ =
⋃pk∈Fj
P2k}, then H =⋃mi=1
⋃nj=1Hij .
(a.4) (inf,=, nl)-acceptance. Let Hij = {H ′ ∪ H ′′ ∪ H3 ∪ H5 | H ′ =⋃pk∈Ei
P1k,H ′′ =
⋃pk∈Fj
P2k, and ∅ ⊂ H3 ⊆ Pr3, ∅ ⊂ H5 ⊆ Pr5}, then H =⋃mi=1
⋃nj=1Hij .
It is easy to see that the nonterminals pk ∈ T2 control the derivation in such a waythat the acceptable derivations in G1 are simulated by derivations in G. Therefore, forσ ∈ {ran, inf}, ρ ∈ {⊆,=}, Lσ,ρ,nl(G1, G2) = Lσ,ρ,nl(G) ∈ Lσ,ρ,nl(ω- PSG).
(b) (σ,u)-acceptances. Without loss of generality, assume that E = {E} and F = {F}where E =
⋃mi=1Ei, F =
⋃ni=1 Fi. We construct an ω-grammar
G = (N1 ∪ T ′1 ∪N2 ∪ T2 ∪ Y ∪ {$, S}, T1, P, S,H)
where T ′1 = {a′ | a ∈ T1}, Y = {0, 1}2 and P includes the following sets of productions:
1. S → $xS1S2, x = 00 ∈ Y ,
2. p2kx : xB → yβ, for pk : B → β ∈ P2, x ∈ Y ,
y =
00, if x = 1101, if x = 00 and pk ∈ F11, if x = 10 and pk ∈ Fx, else.
3. Xp→ pX, for X ∈ N1 ∪ T ′1, p ∈ T2,
4. p1kx : xApk → yα′, for pk : A → α in P1, α′ replaces each terminal a ∈ T1 of α bya′, x ∈ Y ,
y =
00, if x = 1110, if x = 00 and pk ∈ E11, if x = 01 and pk ∈ Ex, else.
5. $a′ → a$, for a ∈ T1,
6. xX → Xx and Xx→ xX, for X ∈ N1 ∪ T ′1 ∪N2 ∪ T2, x ∈ Y .
Let H = {{p1k11 | pk ∈ P1} ∪ {p2k11 | pk ∈ P2}}. It is easy to see, for σ ∈ {ran, inf},Lσ,u,nl(G1, G2) = Lσ,u,nl(G) ∈ Lσ,u,nl(ω- PSG). �
70 Chapter 5. Control Systems on ω-Words
5.2 Leftmost-Derivation-Based ω-Grammar Control Systems (ω-LGC Sys-tems)
5.2.1 Definitions
Definition 5.8. A Leftmost-derivation-based ω-Grammar Control System (simply ω-LGCSystem) includes an ω-grammar G1 = (N1, T1, P1, S1,F1) and a controlling ω-grammarG2. The global ω-language of G1 controlled by G2 is:
Lσ,ρ,l(G1, G2) = {u ∈ Tω1 | there exists a leftmost derivation d : S1 =⇒lm
ω u of G1
such that dP is (σ, ρ)-accepting w.r.t. F1
and dP ∈ Lσ,ρ,l(G2)}
We say Lσ,ρ,l(G2) is a controlling ω-language. We may also denote Lσ,ρ,l(G1, G2) byLσ,ρ(G1 ~· G2). �
As usual, Linf,=,l(G1, G2) will be denoted by Ll(G1, G2).
Example 5.9. Given G1 = (N1, T1, P1, S1,F1), G2 = (N2, T2, P2, S2,F2) where F1 ={H | {p1, p2, p5, p6} ⊆ H ⊆ P1}, F2 = {H | {r1} ⊆ H ⊆ P2}, with the following produc-tions:
P1
p1 : S1 → S′1S1 p2 : S′1 → ABp3 : A→ aAb p4 : B → Bcp5 : A→ ab p6 : B → c
P2
r1 : S2 → S′2S2
r2 : S′2 → p1p2Cp6
r3 : C → p3Cp4
r4 : C → p5
Let L1 = {anbnc+ | n ≥ 1}, L2 = {p1p2pk3p5p
k4p6 | k ≥ 0}, L3 = {anbncn | n ≥ 1}.
The context-free ω-languages Ll(G1) = Lω1 and Ll(G2) = Lω2 constitute a non-context-freeglobal ω-language Ll(G1, G2) = Lω3 . �
Two trivial types of controlling ω-grammars are empty controlling ω-grammars and fullcontrolling ω-grammars. The former ones accept the empty controlling ω-language whichrejects all the sequences of productions applied in derivations, i.e., Lσ,ρ,l(G2) = ∅. Thelatter ones accept full controlling ω-languages that accept all the sequences of productionsapplied in derivations, i.e., Lσ,ρ,l(G2) = Pω1 , where P1 is the set of productions of thecontrolled ω-grammar G1. Note that the two types of ω-languages are both regular.
5.2.2 Generative Power
As every derivation in an ω- RLG is a leftmost derivation, the following result follows fromThm. 5.4.
5.2. Leftmost-Derivation-Based ω-Grammar Control Systems (ω-LGC Systems) 71
Proof. (i) Lσ,ρ,l(ω- CFG, ω- RLG) ⊇ Lσ,ρ,l(ω- CFG) is obvious, since we can use a regularcontrolling ω-grammar generating a full controlling ω-language.
(ii) Lσ,ρ,l(ω- CFG, ω- RLG) ⊆ Lσ,ρ,l(ω- CFG). Given an ω-CFGG1 = (N1, T1, P1, S1, E)and an ω-RLG G2 = (N2, T2, P2, S2,F) with P1 = T2, P2 contains all productions of theforms: B → uC, B → u, B,C ∈ N2, u ∈ P ∗1 . Assume N1 ∩ N2 = ∅, E = {Ei}1≤i≤m,F = {Fi}1≤i≤n. We define Rset(pi) = {pk ∈ P1 | pi : B → uC ∈ P2, pk in u}. Let usconsider different (σ, ρ, l)-accepting models.
(a) For ρ ∈ {⊆,=}, we construct an ω-grammar
G = (N1 ∪ T ′1 ∪N2 ∪ {S}, T1, P, S,H)
where T ′1 = {a′ | a ∈ T1}, and P includes the following sets of productions:
1. Ps = {S → S2S1},
2. P ′ = {pkA : BA → Cα′, for pk : B → uC ∈ P2 and Au=⇒lm
α in G1, where α′ is the
string replacing each terminal a ∈ T1 of α by a′},
3. P ′′ = {Ba′ → aB, for a ∈ T1, B ∈ N2}.
Let f1(pkA) = {pk}, f2(pkA) = Rset(pk). For H ⊆ P ′, f1(H) =⋃pkA∈H f1(pkA),
f2(H) =⋃pkA∈H f2(pkA). We construct the set H as follows:
(a.1) (ran,⊆, l)-acceptance. H = {H ′ ∪ Ps ∪ P ′′ | H ′ ⊆ P ′, f1(H ′) ⊆ Ei, f2(H ′) ⊆Fj , Ei ∈ E , Fj ∈ F}.
(a.2) (ran,=, l)-acceptance. H = {H ′ ∪ Ps ∪ H ′′ | H ′ ⊆ P ′, f1(H ′) = Ei, f2(H ′) =Fj , Ei ∈ E , Fj ∈ F , and ∅ ⊂ H ′′ ⊆ P ′′}.
(a.3) (inf,⊆, l)-acceptance. H = {H ′ ∪ P ′′ | H ′ ⊆ P ′, f1(H ′) ⊆ Ei, f2(H ′) ⊆ Fj , Ei ∈E , Fj ∈ F}.
(a.4) (inf,=, l)-acceptance. H = {H ′ ∪H ′′ | H ′ ⊆ P ′, f1(H ′) = Ei, f2(H ′) = Fj , Ei ∈E , Fj ∈ F , and ∅ ⊂ H ′′ ⊆ P ′′}.
It is easy to see that the nonterminals B ∈ N2 control the derivation in such a waythat the acceptable leftmost derivations in G1 are simulated by leftmost derivations in G.Therefore, for σ ∈ {ran, inf}, ρ ∈ {⊆,=}, Lσ,ρ,l(G1, G2) = Lσ,ρ,l(G) ∈ Lσ,ρ,l(ω- PSG) =Lσ,ρ,l(ω- CFG) by Thm. 4.45.
(b) (σ,u)-acceptances. Without loss of generality, assume that E = {E} and F = {F}where E =
⋃mi=1Ei, F =
⋃ni=1 Fi. We construct an ω-grammar
G = (N1 ∪ T ′1 ∪N ′2 ∪ {S}, T1, P, S,H)
where T ′1 = {a′ | a ∈ T1}, N ′2 = {[A, x] | A ∈ N2, x ∈ {0, 1}2}, and P includes the followingsets of productions:
1. Ps = {S → [S2, 00]S1},
2. P ′ = {pkAx : [B, x]A → [C, y]α′, for pk : B → uC ∈ P2 and Au=⇒lm
α in G1, where
72 Chapter 5. Control Systems on ω-Words
x ∈ {0, 1}2,
y =
00, if x = 1110, if x = 00 and Rset(pk) ∩ E 6= ∅01, if x = 00 and pk ∈ F11, if x = 00 and Rset(pk) ∩ E 6= ∅ and pk ∈ F11, if x = 10 and pk ∈ F11, if x = 01 and Rset(pk) ∩ E 6= ∅x, else.
and α′ is the string replacing each terminal a ∈ T1 of α by a′},
3. P ′′ = {[B, x]a′ → a[B, x], for a ∈ T1, [B, x] ∈ N ′2}.
Let H = {{pkA11 | pk ∈ P2, A ∈ N1}}. It is easy to see that the nonterminals [B, x] ∈ N ′2control the derivation in such a way that the acceptable leftmost derivations in G1 aresimulated by leftmost derivations in G. Therefore, for σ ∈ {ran, inf}, Lσ,u,l(G1, G2) =Lσ,u,l(G) ∈ Lσ,u,l(ω- PSG) = Lσ,u,l(ω- CFG) by Thm. 4.45. �
Proof. (i) Lσ,ρ,l(ω- CFG) ⊂ Lσ,ρ,l(ω- CFG, ω- CFG) is obvious, since we can use a regularcontrolling ω-grammar generating a full controlling ω-language. The strictness followsfrom Example 5.9.
(ii) Lσ,ρ,l(ω- CFG, ω- CFG) ⊆ Lσ,ρ,nl(ω- PSG). Given an ω-CFGG1 = (N1, T1, P1, S1, E)and an ω- CFG G2 = (N2, T2, P2, S2,F) with P1 = T2. Assume N1 ∩ N2 = ∅, E ={Ei}1≤i≤m, F = {Fi}1≤i≤n. Let us consider different (σ, ρ, nl)-accepting models forω- PSG.
(a) For ρ ∈ {⊆,=}, we construct an ω-grammar
G = (N1 ∪ T ′1 ∪N2 ∪ T2 ∪ T ′2 ∪ {$, §, S}, T1, P, S,H)
where T ′1 = {a′ | a ∈ T1}, T ′2 = {p′ | p ∈ T2} and P includes the following sets ofproductions:
1. S → $S1§S2,
2. p2k : §B → §β, for pk : B → β ∈ P2,
3. Xp→ pX, for X ∈ N1 ∪ T ′1 ∪ {§}, p ∈ T2, (move p leftward skipping X)
4. $p→ $p′, for p ∈ T2, (p becomes p′ at the leftmost position)
5. p′a′ → a′p′, for a′ ∈ T ′1 and p′ ∈ T ′2, (p′ skips terminals)
6. p1k : p′kA→ α′, for pk : A→ α ∈ P1, α′ replaces each terminal a ∈ T1 of α by a′, (p′krewrites A using the production pk)
7. $a′ → a$, for a ∈ T1.
5.2. Leftmost-Derivation-Based ω-Grammar Control Systems (ω-LGC Systems) 73
We denote by Pri the set of productions of type (i) above. Let P1k = {p1k ∈ Pr6},P2k = {p2k ∈ Pr2}. We construct the set H as follows:
(a.1) (ran,⊆, nl)-acceptance. Let Hij = {H ′∪H ′′∪Pr1∪Pr3∪Pr4∪Pr5∪Pr7 | H ′ =⋃pk∈Ei
P1k, H′′ =
⋃pk∈Fj
P2k}, then H =⋃mi=1
⋃nj=1Hij .
(a.2) (ran,=, nl)-acceptance. Let Hij = {H ′ ∪H ′′ ∪ Pr1 ∪H3 ∪H4 ∪H5 ∪H7 | H ′ =⋃pk∈Ei
P1k, and H ′′ =⋃pk∈Fj
P2k, and ∅ ⊂ H3 ⊆ Pr3, ∅ ⊂ H4 ⊆ Pr4, ∅ ⊂ H5 ⊆ Pr5, ∅ ⊂H7 ⊆ Pr7}, then H =
⋃mi=1
⋃nj=1Hij .
(a.3) (inf,⊆, nl)-acceptance. Let Hij = {H ′ ∪ H ′′ ∪ Pr3 ∪ Pr4 ∪ Pr5 ∪ Pr7 | H ′ =⋃pk∈Ei
P1k, H′′ =
⋃pk∈Fj
P2k}, then H =⋃mi=1
⋃nj=1Hij .
(a.4) (inf,=, nl)-acceptance. Let Hij = {H ′∪H ′′∪H3∪H4∪H5∪H7 |H ′ =⋃pk∈Ei
It is easy to see that the nonterminals p′k ∈ T ′2 control the derivation in such a way thatthe acceptable leftmost derivations in G1 are simulated by derivations in G. Therefore,for σ ∈ {ran, inf}, ρ ∈ {⊆,=}, Lσ,ρ,l(G1, G2) = Lσ,ρ,nl(G) ∈ Lσ,ρ,nl(ω- PSG).
(b) (σ,u)-acceptances. Without loss of generality, assume that E = {E} and F = {F}where E =
⋃mi=1Ei, F =
⋃ni=1 Fi. We construct an ω-grammar
G = (N1 ∪ T ′1 ∪N2 ∪ T2 ∪ T ′2 ∪ Y ∪ {$, S}, T1, P, S,H)
where T ′1 = {a′ | a ∈ T1}, T ′2 = {p′ | p ∈ T2}, Y = {0, 1}2 and P includes the followingsets of productions:
1. S → $S1xS2, x = 00 ∈ Y ,
2. p2kx : xB → yβ, for pk : B → β ∈ P2, x ∈ Y ,
y =
00, if x = 1101, if x = 00 and pk ∈ F11, if x = 10 and pk ∈ Fx, else.
3. Xp→ pX, for X ∈ N1 ∪ T ′1, p ∈ T2, (move p leftward skipping X)
4. $p→ $p′, for p ∈ T2, (p becomes p′ at the leftmost position)
5. p′a′ → a′p′, for a′ ∈ T ′1 and p′ ∈ T ′2, (p′ skips terminals)
6. p1kx : xp′kA→ yα′, for pk : A→ α ∈ P1, α′ replaces each terminal a ∈ T1 of α by a′,x ∈ Y ,
y =
00, if x = 1110, if x = 00 and pk ∈ E11, if x = 01 and pk ∈ Ex, else.
(p′k rewrites A using the production pk)
7. $a′ → a$, for a ∈ T1,
74 Chapter 5. Control Systems on ω-Words
8. xX → Xx and Xx→ xX, for X ∈ N1 ∪ T ′1 ∪ T2 ∪ T ′2, x ∈ Y .
Let H = {{p1k11 | pk ∈ P1} ∪ {p2k11 | pk ∈ P2}}. It is easy to see, for σ ∈ {ran, inf},Lσ,u,l(G1, G2) = Lσ,u,nl(G) ∈ Lσ,u,nl(ω- PSG). �
5.3 ω-Automaton Control Systems (ω-AC Systems)
5.3.1 Definitions
An ω-automaton control system consists of an ω-automaton and a controlling ω-automaton.
Definition 5.14. Given a controlled ω-automaton (or simply ω-automaton) A1 with a setof transitions δ1 = {pi}i∈I where pi is the name of a transition, a controlling ω-automatonA2 over A1 has the set of terminals Σ2 = δ1. �
Note that each transition has a name. For example, assume δ1(q1, a) = {q2, q3}, wemay denote by pi : δ1(q1, a) = q2 and pj : δ1(q1, a) = q3.
A legal run r of an ω-automaton A1 induces an infinite sequence of transitions tr =t1t2... ∈ δω1 where ti is the transition used in the i-th step of the legal run r, i.e., a mappingtr : N→ δ1 where tr(i) = ti.
Definition 5.15. An ω-Automaton Control System (simply ω-AC System) includes an ω-automaton A1 and a controlling ω-automaton A2. The global ω-language of A1 controlledby A2 is:
Lσ,ρ(A1 ~· A2) = {u ∈ Σω | there exists a legal run r of A1 on u such thatfr is (σ, ρ)-accepting w.r.t. Fand tr ∈ Lσ,ρ(A2)}
We say Lσ,ρ(A2) is a controlling ω-language. �
The symbol ~· is called “meta-composition”, denoting the left operand is controlledby the right operand.
As usual, Linf,=(A1 ~· A2) will be denoted by L(A1 ~· A2).
Example 5.16. Given an ω- PDA D1 = ({q}, {a, b, c}, {S,Z,A,B, a, b, c}, δ, q, Z, {{q}}),where δ includes the following transitions:
ps : δ(q, ε, Z) = (q, SZ) p1 : δ(q, ε, S) = (q, AB) p2 : δ(q, ε, A) = (q, aAb)p3 : δ(q, ε, B) = (q,Bc) p4 : δ(q, ε, A) = (q, ab) p5 : δ(q, ε, B) = (q, c)pa : δ(q, a, a) = (q, ε) pb : δ(q, b, b) = (q, ε) pc : δ(q, c, c) = (q, ε)
Given a controlling ω- PDA D2 such that L(D2) = (psp1(p2pa)n−1p4pap+b p
n−13 p5p
+c )ω,
it is easy to see that L(D1 ~· D2) = {anbncn | n ≥ 1}ω. �
Let P = {pa, pb, pc}, L(D3) = (psp1P∗(p2P
∗)n−1p4P∗(p3P
∗)n−1p5P∗)ω, we also have
L(D1 ~· D3) = {anbncn | n ≥ 1}ω. We remark that the controlling ω-language can expressa “weaker” or “stronger” restriction to obtain the same effect, in the case that the “valid”constraint on the controlled ω-automaton is not changed.
Two trivial types of controlling ω-automata are empty controlling ω-automata andfull controlling ω-automata. The former ones accept the empty controlling ω-languagewhich rejects all the sequences of applied transitions, i.e., Lσ,ρ(A2) = ∅. The latter onesaccept full controlling ω-languages that accept all the sequences of applied transitions, i.e.,Lσ,ρ(A2) = δω1 , where δ1 is the set of transitions of the controlled ω-automaton A1. Notethat the two types of ω-languages are both regular.
5.3. ω-Automaton Control Systems (ω-AC Systems) 75
Proof: (i) Lσ,ρ(ω- FSA ~· ω- FSA) ⊇ Lσ,ρ(ω- FSA) is obvious, since we can use a finitestate controlling ω-automaton generating a full controlling ω-language.
(ii) Lσ,ρ(ω- FSA ~· ω- FSA) ⊆ Lσ,ρ(ω- FSA). Given ω- FSA’s A1 = (Q1,Σ1, δ1, q1, E)and A2 = (Q2,Σ2, δ2, q2,F), where E = {Ei}1≤i≤m, F = {Fi}1≤i≤n. Let us considerdifferent (σ, ρ)-accepting models.
(a) For ρ ∈ {⊆,=}, we construct an ω- FSA A = (Q,Σ1, δ, q0,H) where:
1. Q = Q1 ×Q2,
2. δ((qi, qj), a) contains (ri, rj), if p : δ1(qi, a) = ri, a ∈ Σ1 ∪ {ε} and δ2(qj , p) containsrj ,δ((qi, qj), ε) contains (qi, rj), if δ2(qj , ε) contains rj ,
3. q0 = (q1, q2).
We define f1((qi, qj)) = {qi}, f2((qi, qj)) = {qj}. For H ⊆ Q, f1(H) =⋃q∈H f1(q),
f2(H) =⋃q∈H f2(q). Let Hij = {H | H ⊆ Q, f1(H) = Ei, f2(H) = Fj}, then H =⋃m
i=1
⋃nj=1Hij .
A simulates the actions of A1, and changes the state of A2. It is easy to see, forσ ∈ {ran, inf}, ρ ∈ {⊆,=}, Lσ,ρ(A1 ~· A2) = Lσ,ρ(A) ∈ Lσ,ρ(ω- FSA).
(b) (σ,u)-acceptances. Without loss of generality, assume that E = {E} and F = {F}where E =
⋃mi=1Ei, F =
⋃ni=1 Fi. We construct an ω- FSA A = (Q,Σ1, δ, q0,H) where:
1. Q = Q1 ×Q2 × {0, 1}2,
2. δ((qi, qj , x), a) contains (ri, rj , y), if p : δ1(qi, a) = ri and δ2(qj , p) contains rj , x ∈{0, 1}2,
y =
00, if x = 1110, if x = 00 and qi ∈ E01, if x = 00 and qj ∈ F11, if x = 00 and qi ∈ E and qj ∈ F11, if x = 01 and qi ∈ E11, if x = 10 and qj ∈ Fx, else.
3. q0 = (q1, q2, 00).
Let H = {Q1×Q2×{11}}. It is easy to see, for σ ∈ {ran, inf}, Lσ,u(A1~· A2) = Lσ,u(A) ∈Lσ,u(ω- FSA). �
Proof: (i) Lσ,ρ(ω- FSA ~· ω- PDA) ⊇ Lσ,ρ(ω- PDA). Given an ω- PDA D = (Q,Σ,Γ, δ,q0, Z0,F), we construct an ω- FSA A and a controlling ω- PDA D2 as follows:
A = ({qA},Σ, δA, qA, {{qA}})
76 Chapter 5. Control Systems on ω-Words
where δA contains pa : δA(qA, a) = qA, for each a ∈ Σ.
D2 = (Q, h(Σ),Γ, δ2, q0, Z0,F)
where,
1. h is a homomorphism: h(a) = pa, h(ε) = ε, for a ∈ Σ,
2. for a set Σ, h(Σ) = {h(a) | a ∈ Σ},
3. δ2(q, h(a), B) contains (r, β), if δ(q, a,B) contains (r, β), where a ∈ Σ ∪ {ε}, B ∈ Γ,β ∈ Γ∗.
Clearly, Lσ,ρ(D2) = h(Lσ,ρ(D)). Since each transition pa ∈ δA generates exactly a terminala, we have Lσ,ρ(A~· D2) = h−1(Lσ,ρ(D2)) = h−1(h(Lσ,ρ(D))) = Lσ,ρ(D).
(ii) Lσ,ρ(ω- FSA ~· ω- PDA) ⊆ Lσ,ρ(ω- PDA). Given an ω- FSA A1 = (Q1,Σ1, δ1, q1, E)and a controlling ω- PDA D2 = (Q2,Σ2,Γ, δ2, q2, Z0,F), where E = {Ei}1≤i≤m, F ={Fi}1≤i≤n. Let us consider different (σ, ρ)-accepting models.
(a) For ρ ∈ {⊆,=}, we construct an ω- PDA D = (Q,Σ1,Γ, δ, q0, Z0,H) where:
1. Q = Q1 ×Q2,
2. δ((qi, qj), a, B) contains ((ri, rj), β), for p : δ1(qi, a) = ri, and δ2(qj , p, B) contains(rj , β), where a ∈ Σ1 ∪ {ε}, B ∈ Γ, β ∈ Γ∗,δ((qi, qj), ε, B) contains ((qi, rj), β), for qi ∈ Q1, and δ2(qj , ε, B) contains (rj , β),where B ∈ Γ, β ∈ Γ∗,
3. q0 = (q1, q2),
We define f1((qi, qj)) = {qi}, f2((qi, qj)) = {qj}. For H ⊆ Q, f1(H) =⋃q∈H f1(q),
f2(H) =⋃q∈H f2(q). Let Hij = {H | H ⊆ Q, f1(H) = Ei, f2(H) = Fj}, then H =⋃m
i=1
⋃nj=1Hij .
D simulates the actions of D2 and changes the state of A1. It is easy to see, forσ ∈ {ran, inf}, ρ ∈ {⊆,=}, Lσ,ρ(A1 ~· D2) = Lσ,ρ(D) ∈ Lσ,ρ(ω- PDA).
(b) (σ,u)-acceptances. Without loss of generality, assume that E = {E} and F = {F}where E =
⋃mi=1Ei, F =
⋃ni=1 Fi. We construct an ω- PDA D = (Q,Σ1,Γ, δ, q0, Z0,H)
where:
1. Q = Q1 ×Q2 × {0, 1}2,
2. δ((qi, qj , x), a, B) contains ((ri, rj , y), β), for p : δ1(qi, a) = ri, and δ2(qj , p, B) con-tains (rj , β), where a ∈ Σ1 ∪ {ε}, B ∈ Γ, β ∈ Γ∗,δ((qi, qj , x), ε, B) contains ((qi, rj , y), β), for qi ∈ Q1, and δ2(qj , ε, B) contains (rj , β),where B ∈ Γ, β ∈ Γ∗,in the transitions above, x ∈ {0, 1}2,
y =
00, if x = 1110, if x = 00 and qi ∈ E01, if x = 00 and qj ∈ F11, if x = 00 and qi ∈ E and qj ∈ F11, if x = 01 and qi ∈ E11, if x = 10 and qj ∈ Fx, else.
5.3. ω-Automaton Control Systems (ω-AC Systems) 77
3. q0 = (q1, q2, 00),
Let H = {Q1×Q2×{11}}. It is easy to see, for σ ∈ {ran, inf}, Lσ,u(A1~· D2) = Lσ,u(D) ∈Lσ,u(ω- PDA). �
Proof: (i) Lσ,ρ(ω- PDA ~· ω- FSA) ⊇ Lσ,ρ(ω- PDA) is obvious, since we can use a finitestate controlling ω-automaton generating a full controlling ω-language.
(ii) Lσ,ρ(ω- PDA ~· ω- FSA) ⊆ Lσ,ρ(ω- PDA). Given an ω- PDA D1 = (Q1,Σ1,Γ, δ1, q1,Z0, E) and an ω- FSA A2 = (Q2,Σ2, δ2, q2,F), where E = {Ei}1≤i≤m, F = {Fi}1≤i≤n. Letus consider different (σ, ρ)-accepting models.
(a) For ρ ∈ {⊆,=}, we construct an ω- PDA D = (Q,Σ1,Γ, δ, q0, Z0,H), where:
1. Q = Q1 ×Q2,
2. δ((qi, qj), a, B) contains ((ri, rj), β), if p : δ1(qi, a, B) = (ri, β), and δ2(qj , p) containsrj , where a ∈ Σ1 ∪ {ε}, B ∈ Γ, β ∈ Γ∗,δ((qi, qj), ε, B) contains ((qi, rj), B), if δ2(qj , ε) contains rj , where B ∈ Γ,
3. q0 = (q1, q2).
We define f1((qi, qj)) = {qi}, f2((qi, qj)) = {qj}. For H ⊆ Q, f1(H) =⋃q∈H f1(q),
f2(H) =⋃q∈H f2(q). Let Hij = {H | H ⊆ Q, f1(H) = Ei, f2(H) = Fj}, then H =⋃m
i=1
⋃nj=1Hij .
D simulates the actions of D1 and changes the state of A2. It is easy to see, forσ ∈ {ran, inf}, ρ ∈ {⊆,=}, Lσ,ρ(D1 ~· A2) = Lσ,ρ(D) ∈ Lσ,ρ(ω- PDA).
(b) (σ,u)-acceptances. Without loss of generality, assume that E = {E} and F = {F}where E =
⋃mi=1Ei, F =
⋃ni=1 Fi. We construct an ω- PDA D = (Q,Σ1,Γ, δ, q0, Z0,H),
where:
1. Q = Q1 ×Q2 × {0, 1}2,
2. δ((qi, qj , x), a, B) contains ((ri, rj , y), β), if p : δ1(qi, a, B) = (ri, β), and δ2(qj , p)contains rj , where a ∈ Σ1 ∪ {ε}, B ∈ Γ, β ∈ Γ∗,δ((qi, qj , x), ε, B) contains ((qi, rj , y), B), if δ2(qj , ε) contains rj , where B ∈ Γ,in the transitions above, x ∈ {0, 1}2,
y =
00, if x = 1110, if x = 00 and qi ∈ E01, if x = 00 and qj ∈ F11, if x = 00 and qi ∈ E and qj ∈ F11, if x = 01 and qi ∈ E11, if x = 10 and qj ∈ Fx, else.
3. q0 = (q1, q2, 00).
Let H = {Q1×Q2×{11}}. It is easy to see, for σ ∈ {ran, inf}, Lσ,u(D1~· A2) = Lσ,u(D) ∈Lσ,u(ω- PDA). �
Proof: (i) Lσ,ρ(ω- PDA) ⊂ Lσ,ρ(ω- PDA ~· ω- PDA) is obvious, since we can use a finitestate controlling ω-automaton generating a full controlling ω-language. The strictnessfollow from Example 5.16.
(ii) Lσ,ρ(ω- PDA ~· ω- PDA) ⊆ Lσ,ρ(ω- TM). Given two ω- PDA’s D1, D2, we constructan ω- TM M with four tapes. The first tape holds the input string u. The second tapesimulates the stack of D1. Once D1 applies a transition, the name of the transition issequentially recorded on the third tape, and M starts to simulate D2 using the third andfourth tapes (the third tape holds a prefix of the infinite sequence of transitions tr as theinput to D2, and the fourth tape simulates the stack of D2). Once the pointer of the thirdtape reaches a blank square, M return to the simulation of D1.
The states of M may contain three components: one for simulating D1, one for simu-lating D2, and one for coordinating the two simulations. It is easy to see, Lσ,ρ(D1 ~· D2) =Lσ,ρ(M) by selecting proper sets of designated state sets for various accepting models. �
5.3.3 Equivalence and Translation between ω-AC and ω-LGC Systems
In this section, we study the equivalence and the translation between ω-AC systems andω-LGC systems. To make the proofs succinct, some details are discussed without formaldescription, e.g., the constructions of repetition sets and designated state sets.
We first prove some lemmas that will be used in the latter part of this section. Notethat, if the equivalence between families of ω-automata and ω-grammars holds, we mayonly prove a result on one of them. For example, Lσ,ρ(ω- FSA) and Lσ,ρ,l(ω- RLG) areequivalent in generative power, then we may only prove a result on one of them.
Lemma 5.21. Lσ,ρ(ω- FSA) and Lσ,ρ,l(ω- RLG) are closed under substitution by ε-freefinite sets.
Proof. Given an ω- RLG G and an ε-free finite substitution s, we construct G′ such thatLσ,ρ,l(G′) = s(Lσ,ρ,l(G)) as follows: each productions of the form pk : A→ uB is replacedby a set of productions Pk = {A → vB | v ∈ s(u)}. It is easy to construct the repetitionsets for various accepting models using the correspondence between pk and Pk. �
Lemma 5.22. Lσ,ρ(ω- FSA) and Lσ,ρ,l(ω- RLG) are closed under concatenation with finitesets.
Proof. Given an ω- RLG G = (N,T, P, S,F) and a finite set R, we construct G′ = (N ∪{S′}, T, P ∪ {S′ → uS | u ∈ R}, S′,F ′) such that Lσ,ρ,l(G′) = R · Lσ,ρ,l(G). It is easy toconstruct the repetition sets F ′ for various accepting models, since we only added a set ofstarting productions. �
Lemma 5.23. For (σ, ρ) ∈ {(inf,u), (inf,=)}, Lσ,ρ(ω- FSA) and Lσ,ρ,l(ω- RLG) are closedunder substitution by ε-free regular sets.
Proof. Given an ω- FSA A = (Q,Σ, δ, q,F) and an ε-free regular substitution s, such thatfor each ak ∈ Σ, s(ak) = L(Ak) for a FSA Ak = (Qk,Σk, δk, rk, Fk) on finite words, weconstruct A′ = (Q′,Σ′, δ′, q′,F ′) as follows: if there is a transition from δ(qi, ak) = qj ,then replace the transition by a copy of Ak and add the transitions δ′(qi, ε) = rk andδ′(r, ε) = qj for all r ∈ Fk. It is easy to construct F ′ for various accepting models. �
We have the same closure properties for ω- CFG using the same proof techniques.
5.3. ω-Automaton Control Systems (ω-AC Systems) 79
Lemma 5.24. Lσ,ρ(ω- PDA) and Lσ,ρ,l(ω- CFG) are closed under substitution by ε-freefinite sets and concatenation with finite sets.
Lemma 5.25. For (σ, ρ) ∈ {(inf,u), (inf,=)}, Lσ,ρ(ω- PDA) and Lσ,ρ,l(ω- CFG) are closedunder substitution by ε-free regular sets.
Theorem 5.26. Let X be a family of ω-automata, Y be a family of ω-grammars, for σ ∈{ran, inf}, ρ ∈ {u,⊆,=}, if L = Lσ,ρ(X) = Lσ,ρ,l(Y ) is closed under substitution by ε-freefinite sets and concatenation with finite sets, then Lσ,ρ(ω- FSA ~· X) = Lσ,ρ,l(ω- RLG, Y ).
Proof. (i) Lσ,ρ(ω- FSA ~· X) ⊆ Lσ,ρ,l(ω- RLG, Y ). Given an ω-AC system (A ~· A2), A ∈ω- FSA, A2 ∈ X, we construct G ∈ ω- RLG, G2 ∈ Y as follows.
First, we construct G from A. The key point of the translation is the name mappingbetween transitions and productions. Given A = (Q,Σ, δ, q0, E) where Q = {qi}0≤i<|Q|,we construct G = (N,Σ, P, S0, E ′) where:
1. for each qi ∈ Q, there is a nonterminal Si ∈ N , and S0 is the start symbol.
2. for each transition pk : δ(qi, ak) = qj , where pk is the name of transition and ak ∈Σ ∪ {ε}, there is a production pik : Si → akSj ∈ P .
Let Pi = {pik ∈ P}, it is easy to construct E ′ for various accepting models such thatLσ,ρ(A) = Lσ,ρ,l(G) using the correspondence between qi and Pi.
Second, we construct G2 ∈ Y from A2 ∈ X. Let h(pk) = {pik | pk : δ(qi, ak) = qj}be an ε-free homomorphism, for each (σ, ρ), there exists an ω- FSA A′2 ∈ X such thatLσ,ρ(A′2) = h(Lσ,ρ(A2)), since Lσ,ρ(X) is closed under ε-free homomorphism. Therefore,there exists G2 ∈ Y such that Lσ,ρ,l(G2) = h(Lσ,ρ(A2)) since Lσ,ρ(X) = Lσ,ρ,l(Y ). It iseasy to see Lσ,ρ(A~· A2) = Lσ,ρ,l(G,G2).
(ii) Lσ,ρ(ω- FSA ~· X) ⊇ Lσ,ρ,l(ω- RLG, Y ). Given an ω-LGC system (G,G2), G =(N,T, P, S0, E) ∈ ω- RLG, G2 ∈ Y , where N = {Si}0≤i<|N |, P consists of all productionsof the forms: Si → uSj , Si → u, u ∈ T ∗.
First, we construct from G an ω- RLG G1 = (N1, T, P1, S0, E ′), where P1 consists of allproductions of the following forms:
1. pkm : Sk(m−1) → akmSkm, for 1 ≤ m ≤ |u|, if pk : Si → uSj ∈ P , where u =ak1 · · · ak|u|, Sk0 = Si, Sk|u| = Sj .
2. pk : Si → εSj , if pk : Si → Sj ∈ P .
3. pkm : Sk(m−1) → akmSkm, for 1 ≤ m ≤ |u|, if pk : Si → u ∈ P , where u = ak1 · · · ak|u|,Sk0 = Si, Sk|u| = ε.
4. pk : Si → ε, if pk : Si → ε ∈ P .
We denote by P ′k the set of productions named pk or pkm. Let E = {Ei}1≤i≤n, weconstruct the set E ′ = {E′i}1≤i≤n where E′i =
⋃pk∈Ei
P ′k. It can be easily verified thatLσ,ρ,l(G1) = Lσ,ρ,l(G) for different accepting models.
Then, we construct from G1 an ω- FSA A = (Q,T, δ, q0, E ′′), where Q = {q0}∪{qik | pk :Si → γ ∈ P1, γ ∈ (N1 ∪ T )∗}, q0 is the start state, δ is defined as follows:
2. p[k,n] : δ(qik, a) = qjn for pn : Sj → γ ∈ P1, γ ∈ (N1 ∪ T )∗, if pk : Si → aSj ∈ P1,where a ∈ T ∪ {ε}.
It is easy to construct E ′′ for various accepting models such that Lσ,ρ(A) = Lσ,ρ,l(G1)using the correspondence between pk and qik. We denote by TR1 the set of transitions oftype (1) above, P ′′k the set of transitions named p[k,n].
Second, we construct A2 ∈ X from G2 ∈ Y . Let h be an ε-free homomorphism asfollows:
h(pk) =
pk, if pk is of the form Si → Sj in P
pk, if pk is of the form Si → ε in P
pk1 · · · pk|u|, if pk is of the form Si → uSj in P
pk1 · · · pk|u|, if pk is of the form Si → u in P
Let f be an ε-free finite substitution: f(pk) = P ′′k .For each (σ, ρ), let L′ = TR1 · f(h(Lσ,ρ,l(G2))), we have L′ ∈ L, since Lσ,ρ,l(G2) ∈ L
and L is closed under substitution by ε-free finite sets and concatenation with finite sets.Therefore, there exists A2 ∈ X such that Lσ,ρ(A2) = L′ ∈ Lσ,ρ(X). It is easy to see that,an input u ∈ Lσ,ρ(A~· A2), if and only if u ∈ Lσ,ρ,l(G,G2). �
Let X be ω- FSA, Y be ω- RLG, we have the following corollary.
Theorem 5.29. Let X be a family of ω-automata, Y be a family of ω-grammars, forσ ∈ {ran, inf}, ρ ∈ {u,⊆,=}, if L = Lσ,ρ(X) = Lσ,ρ,l(Y ) is closed under substitu-tion by ε-free regular sets and concatenation with finite sets, then Lσ,ρ(ω- PDA ~· X) =Lσ,ρ,l(ω- CFG, Y ).
Proof. (i) Lσ,ρ(ω- PDA ~· X) ⊆ Lσ,ρ,l(ω- CFG, Y ). Given an ω-AC system (D ~· A2),D = (Q,Σ,Γ, δ, q0, Z0, E) ∈ ω- PDA, A2 ∈ X, we construct ω-grammars G ∈ ω- CFG,G2 ∈ Y as follows.
First, we construct G = (N,Σ, P, S, E ′) from D, where N is the set of objects of theform [q,B, r] (denoting popping B from the stack by several transitions, switching thestate from q to r), q, r ∈ Q, B ∈ Γ, P is the union of the following sets of productions:
1. Ps = {S → [q0, Z0, qi] | qi ∈ Q}.
2. P ′ = {[qi, B, qj ]→ a[qj1 , B1, qj2 ][qj2 , B2, qj3 ] · · · [qjm , Bm, qj ] |δ(qi, a, B) = (qj1 , B1B2...Bm), qj2 , ..., qjm , qj ∈ Q}, where a ∈ Σ ∪ {ε}, andB,B1, ..., Bm ∈ Γ. (If m = 0, then the production is [qi, B, qj1 ]→ a.)
We denote by Pi the set of productions of the form [qi, B, qj ] → γ, for any B ∈ Γ,qj ∈ Q, γ ∈ N∗ ∪ ΣN∗. It is easy to construct E ′ for various accepting models such thatLσ,ρ(D) = Lσ,ρ,l(G) using the correspondence between qi and Pi.
Second, we construct G2 ∈ Y from A2 ∈ X. Let s be an ε-free finite substitution, suchthat s(pi) = Pi. For each (σ, ρ), let L′ = Ps · s(Lσ,ρ(A2)), we have L′ ∈ Lσ,ρ(X), sinceLσ,ρ(A2) ∈ Lσ,ρ(X) = L and L is closed under ε-free finite substitution and concatenation
5.4. Related Work 81
with finite sets. Thus, there exists G2 ∈ Y such that Lσ,ρ,l(G2) = L′. It is easy to see, aninput u ∈ Lσ,ρ(D~· A2), if and only if u ∈ Lσ,ρ,l(G,G2).
(ii) Lσ,ρ(ω- PDA ~· X) ⊇ Lσ,ρ,l(ω- CFG, Y ). Given an ω-LGC system (G,G2), whereG = (N,T, P, S, E) ∈ ω- CFG, G2 ∈ Y , where P = {pi}1≤i≤|P |, we construct an ω-ACsystem as follows.
First, we construct an ω- PDA D = (Q,T,Γ, δ, q′0, Z0, E ′) from G, where Γ = N ∪ T ∪{Z0}, Q = {q′0, q0} ∪ {qi | pi ∈ P}, δ is defined as follows:
1. ps : δ(q′0, ε, Z0) = (q0, SZ0),
2. pa : δ(q0, a, a) = (q0, ε) for all a ∈ T ,
3. pi1 : δ(q0, ε, A) = (qi, ε) if pi : A→ γ ∈ P , A ∈ N , γ ∈ (N ∪ T )∗,
4. pi2Z : δ(qi, ε, Z) = (q0, γZ) if pi : A→ γ ∈ P , Z ∈ Γ.
It is easy to construct E ′ for various accepting models such that Lσ,ρ(D) = Lσ,ρ,l(G) usingthe correspondence between qi and pi. Let Pi2 be the set of transitions named pi2Z .
Second, we construct A2 ∈ X from G2 ∈ Y . Let s(pi) = pi1 · Pi2 · {pa | a ∈ T}∗ bean ε-free regular substitution, L′ = {ps} · s(Lσ,ρ,l(G2)), we have L′ ∈ L, since L is closedunder ε-free regular substitution and concatenation with finite sets. Thus, there existsA2 ∈ X such that Lσ,ρ(A2) = L′.
It is easy to see an input u ∈ Lσ,ρ(D~· A2), if and only if u ∈ Lσ,ρ,l(G,G2). �Let X be ω- FSA, Y be ω- RLG, we have the following corollary.
It is a good news that the equivalence holds for the most important Buchi and Mulleracceptances, although whether the results above hold for other accepting models is stillan open problem.
Because of these equivalences, we may also denote an ω-LGC system Lσ,ρ,l(G1, G2) byLσ,ρ(G1 ~· G2) for a uniform notation. Moreover, this operator is more straightforward forexpressing the result of constructive computing of meta-composition, e.g., A = A1 ~· A2,G = G1~·G2. These meta-compositions are useful and important in the proofs of generativepower, also in emerging applications.
5.4 Related Work
Cohen studied the unrestricted ω-grammars with control sets in [33]. More precisely, withour notation, a family of ω-LGC systems Lσ,ρ,l(X,Y ) was studied in the literature withthe following properties: (1) (σ, ρ) = (inf,=); (2) X is a unrestricted ω-grammar, i.e.,F = 2P ; (3) only consider the leftmost derivation of X; (4) the control set is a regularω-language (i.e., Y is a (inf,=)-accepting ω- RLG). Obviously, only a few types of ω-Csystems were considered.
82 Chapter 5. Control Systems on ω-Words
5.5 Conclusion
In this chapter, we proposed the control system on ω-words (ω-C system), which is aframework consisting of a controlled ω-device and a controlling ω-device that are mod-eled using the same formalism. These ω-devices could be (σ, ρ)-accepting ω-automataor (σ, ρ, π)-accepting ω-grammars. Three subtypes of ω-C systems are proposed: ω-GC,ω-LGC and ω-AC Systems. We are the first to marry restricted ω-grammars with variousaccepting models and regulated rewriting on finite words in classical language theory.
Note that the proofs of the theorems also provide algorithms to build ω-grammars orω-automata accepting ω-languages that are equivalent to the global ω-languages. This isuseful to implement tools based on these theorems.
Chapter 6
Buchi Automaton ControlSystems and Concurrent Variants
In this chapter, we propose the Buchi automaton control system and its concurrent vari-ants. A Buchi automaton control system consists of a controlled Buchi automaton and aBuchi controlling automaton that restricts the behavior of the controlled automaton. TheBuchi automaton is a special case of finite state ω-automata, and has been widely usedfor modeling and reasoning about systems. Therefore, we would like to discuss the controlsystem based on Buchi automata and its variants for concurrent systems, although it is aspecial case of previously introduced ω-AC systems.
6.1 Buchi Automaton Control Systems (BAC Systems)
In this section, we present the definitions and properties of the Buchi automaton controlsystem, after a brief introduction of Buchi automata.
6.1.1 Buchi Automata
Let us recall the classic definition of Buchi automata [16, 120, 121].
Definition 6.1. A (nondeterministic) Buchi automaton (simply automaton) is a tupleA = (Q,Σ, δ, q0, F ), where Q is a finite set of states, Σ is a finite alphabet, δ ⊆ Q×Σ×Qis a set of named transitions, q0 ∈ Q is the initial state, F ⊆ Q is a set of accepting states.For convenience, we denote the set of transition names also by δ. �
A Buchi automaton A = (Q,Σ, δ, q0, F ) is a deterministic Buchi automaton, if δ is atransition function mapping Q× Σ 7→ Q.
Note that the concept of transition name is introduced. A transition in δ is of theform pk : (q, a, q′), where pk is the name of the transition. In the transition diagram, atransition pk : (q, a, q′) ∈ δ is denoted by an arc from q to q′ labeled pk : a.
We do not make any specific assumptions about the relation between the name andsymbol of a transition. That is, several transitions may have the same name but differentsymbols, or they may have distinct names but the same symbol. For example, assumeδ(q1, a) = {q2, q3} and δ(q3, b) = {q2}, we may denote by pi : (q1, a, q2) ∈ δ and pj :(q1, a, q3) ∈ δ and pk : (q3, b, q2) ∈ δ with the names pi, pj , pk. All the following cases arepossible: pi = pj or pi 6= pj , pi = pk or pi 6= pk, and so forth.
83
84 Chapter 6. Buchi Automaton Control Systems and Concurrent Variants
Definition 6.2. A run of A on an ω-word v = v(0)v(1) . . . ∈ Σω is a sequence of statesρ = ρ(0)ρ(1) . . . ∈ Qω such that ρ(0) = q0, σ(i) : (ρ(i), v(i), ρ(i + 1)) ∈ δ for i ≥ 0. Letinf(ρ) be the set of states that appear infinitely often in the run ρ, then ρ is a successfulrun if and only if inf(ρ) ∩ F 6= ∅. A accepts v if there is a successful run of A on v. Theω-language accepted by A is L(A) = {v ∈ Σω | A accepts v}. �
Given a run of A on v, an execution is the sequence of alternating states and inputsymbols ρ(0)v(0)ρ(1)v(1) . . ., while an execution trace (or simply trace) is the sequence oftransitions σ = σ(0)σ(1) . . . ∈ δω.
If an ω-language L = L(A) for some Buchi automaton A, then L is Buchi recognizable.Buchi recognizable ω-languages are called regular ω-languages. The expressive power ofregular ω-languages includes that of LTL (Linear Temporal Logic) [120], although Buchiautomata are syntactically simple. Thus, we can translate LTL formulas into Buchi au-tomata.
Note that whether the transition names of A are unique does not affect L(A). Thismeans, we can arbitrarily modify the names without changing L(A), e.g., making themunique.
6.1.2 Buchi Automaton Control Systems
A Buchi automaton control system consists of a controlled Buchi automaton and a Buchicontrolling automaton that restricts the behavior of the controlled automaton. The al-phabet of the controlling automaton equals the set of transition names of the controlledautomaton.
Definition 6.3. Given a controlled Buchi automaton (or simply automaton) A1 = (Q1,Σ1, δ1, q1, F1), with a set of transition names δ1 = {pi}i∈I where pi is a name of transition,a Buchi controlling automaton (or simply controlling automaton) over A1 is a tuple A2 =(Q2,Σ2, δ2, q2, F2) with Σ2 = δ1. L(A1) and L(A2) are called controlled ω-language andcontrolling ω-language, respectively. �
Definition 6.4. A Buchi Automaton Control System (BAC System) includes an automa-ton A1 and a controlling automaton A2, denoted by A1 ~· A2. A run of A1 ~· A2 on anω-word v = v(0)v(1) . . . ∈ Σω
1 contains- a sequence of states ρ1 = ρ1(0)ρ1(1) . . . ∈ Qω1- a sequence of transitions σ = σ(0)σ(1) . . . ∈ δω1- a sequence of controlling states ρ2 = ρ2(0)ρ2(1) . . . ∈ Qω2such that ρ1(0) = q1, σ(i) : (ρ1(i), v(i), ρ1(i + 1)) ∈ δ1 for i ≥ 0, and ρ2(0) = q2,(ρ2(j), σ(j), ρ2(j + 1)) ∈ δ2 for j ≥ 0. Let inf(ρ1) and inf(ρ2) be the sets of states thatappear infinitely often in the sequences ρ1 and ρ2, respectively. Then the run is successfulif and only if inf(ρ1)∩F1 6= ∅ and inf(ρ2)∩F2 6= ∅. A1~· A2 accepts v if there is a successfulrun on v. The global ω-language accepted by A1 ~· A2 is L(A1 ~· A2) = {v ∈ Σω
1 | A1 ~· A2
accepts v}. �
The symbol ~· is called “meta-composition”, denoting the left operand is controlledby the right operand.
Example 6.5. Given a Buchi automaton A1 = ({q0, q1}, {a, b, c}, δ, q0, {q1}) in Fig. 6.1,where δ includes the following transitions: p1 : (q0, a, q0), p2 : (q0, b, q1), p3 : (q1, a, q1),p2 : (q1, c, q1). Obviously, L(A1) = a∗b(a+ c)ω.
6.1. Buchi Automaton Control Systems (BAC Systems) 85
Given a Buchi controlling automaton A2 such that L(A2) = p2p3pω2 , it is easy to see
that L(A1 ~· A2) = bacω. �
q0 q1
p1 : ap2 : b
p3 : a
p2 : cA1
r0 r1 r2p2 p3
p2
A2
Figure 6.1: A Buchi Automaton Control System
If we let L(A3) = (p2 + p3)p∗1p3pω2 , we also have L(A1 ~· A3) = bacω. Note that L(A3)
specifies a weaker constraint, i.e., L(A2) ⊂ L(A3). However, the two BAC systems acceptthe same global ω-language. We remark that the controlling ω-language can express a“weaker” or “stronger” restriction to obtain the same effect, if the “valid” constraint onthe controlled automaton is not changed.
Two trivial types of controlling automata are empty controlling automata and fullcontrolling automata. The former ones accept the empty controlling ω-language whichrejects all the sequences of applied transitions, i.e., L(A2) = ∅. The latter ones accept fullcontrolling ω-languages that accept all the sequences of applied transitions, i.e., L(A2) =δω1 , where δ1 is the set of transition names of the controlled automaton A1. Note that thetwo types of languages are both regular ω-language.
Let us consider the computation of meta-composition.
Theorem 6.6. Given two Buchi automata A1 = (Q1,Σ1, δ1, q1, F1) and A2 = (Q2,Σ2, δ2,q2, F2) with Σ2 = δ1, the meta-composition of A1 and A2 is a Buchi automaton:
where p : ((qi, qj , x), a, (qm, qn, y)) ∈ δ if and only if p : (qi, a, qm) ∈ δ1, (qj , p, qn) ∈ δ2, andx, y satisfy the following conditions:
y =
0, if x = 21, if x = 0 and qm ∈ F1
2, if x = 1 and qn ∈ F2, or if qm ∈ F1 and qn ∈ F2
x, otherwise
We have L(A) = L(A1 ~· A2).
Proof. Note that a symbol a is enabled at the state (qi, qj , x) by the transition p of A,if and only if a is enabled at qi by the transition p of A1, and p is enabled at qj of A2.Furthermore, A changes the third component of Q1 × Q2 × {0, 1, 2} from 0 to 1 whenan F1 state occurs, from 1 to 2 when subsequently an F2 state occurs, and back to 0immediately afterwards. Thus, 2 occurs infinitely often if and only if some F1 state andsome F2 state appear infinitely often. According to Def. 6.4, it is easy to see A acceptsexactly L(A1 ~· A2). �
If all the states of A1 are accepting states, it is only required that some state in F2
appears infinitely often. Therefore, the computation can be simplified as follows.
86 Chapter 6. Buchi Automaton Control Systems and Concurrent Variants
Theorem 6.7. Given two Buchi automata A1 = (Q1,Σ1, δ1, q1, Q1) and A2 = (Q2,Σ2, δ2,q2, F2) with Σ2 = δ1, the meta-composition of A1 and A2 is a Buchi automaton:
A = A1 ~· A2 = (Q1 ×Q2,Σ1, δ, (q1, q2), Q1 × F2)
where p : ((qi, qj), a, (qm, qn)) ∈ δ if and only if p : (qi, a, qm) ∈ δ1, (qj , p, qn) ∈ δ2. We haveL(A) = L(A1 ~· A2). �
It is easy to see the generative power of BAC systems and that of Buchi automata areequivalent. Formally, let BA be the family of Buchi automata, and L(X) be the family oflanguages accepted by a set X of automata, we have the following theorem.
Theorem 6.8. L(BA~· BA) = L(BA).
Proof. (i). L(BA~· BA) ⊆ L(BA) follows immediately from Thm. 6.6.(ii). L(BA ~· BA) ⊇ L(BA). Given a Buchi automaton A1, it can be constructed a
BAC system A1 ~· A2 such that L(A1 ~· A2) = L(A1) by using a full controlling automatonA2. �
The next theorem shows that we can make each transition name in the controlledautomaton unique without changing the global ω-language.
Theorem 6.9. Given two Buchi automata A1 = (Q1,Σ1, δ1, q1, F1) and A2 = (Q2,Σ2, δ2,q2, F2) with Σ2 = δ1, there exist two Buchi automata A′1 = (Q1,Σ1, δ
′1, q1, F1) and A′2 =
(Q2,Σ′2, δ′2, q2, F2) where Σ′2 = δ′1 and δ′1 only renames some transitions of δ1, such thateach transition name in δ′1 is unique and L(A1 ~· A2) = L(A′1 ~· A′2). �
Proof. Suppose there are k transitions of the name pi in δ1, we rename them to be pi1, ..., pikin δ′1. Then, we replace any transition of the form (q, pi, q′) ∈ δ2 for q, q′ ∈ Q2 by a set oftransitions {(q, pij , q′)}1≤j≤k. It is easy to see the theorem holds. �
Example 6.10. Let us consider the Buchi automaton A1 and the Buchi controlling au-tomaton A2 in Fig. 6.1. We construct the automata A′1 and A′2 in Fig. 6.2, such that A′1renames the two transitions named p2, and A′2 replaces the transition labeled p2 by twotransitions p21, p22. It is easy to see that L(A′1 ~· A′2) = L(A1 ~· A2) = bacω. �
q0 q1
p1 : ap21 : b
p3 : a
p22 : cA′1
r0 r1 r2p21, p22 p3
p21, p22
A′2
Figure 6.2: A Buchi Automaton Control System with Unique Names
Discussion. Theorem 6.6 ensures that the meta-composition is also a Buchi automa-ton, and can be implemented as a reactive system whose behavior is described by a Buchiautomaton. Additionally, Theorem 6.8 also means that any reactive system can be rep-resented in the form of BAC systems. In other words, the family of Buchi automata isclosed under the meta-composition operator. If all of the states of a controlled automa-ton are accepting states, Theorem 6.7 can simplify the computation of meta-composition.Theorem 6.9 makes it reasonable to make the assumption that each transition name in acontrolled automaton is unique, when necessary.
6.1. Buchi Automaton Control Systems (BAC Systems) 87
6.1.3 Alphabet-level Buchi Automaton Control Systems
Let us consider a special subset of the BAC systems that have two properties: (1) eachtransition name of the controlled automaton is unique; (2) all transitions associated withthe same symbol in the controlled automaton always appear together between two statesof the controlling automaton. Formally, we define them as follows.
Definition 6.11. Given two Buchi automataA1 = (Q1,Σ1, δ1, q1, F1) andA2 = (Q2,Σ2, δ2,q2, F2) with Σ2 = δ1. The global system A1 ~· A2 is an Alphabet-level Buchi AutomatonControl System (A-BAC System), if the following conditions are satisfied:(1) each transition name in δ1 is unique;(2) if (qi, p, qj) ∈ δ2 and p : (qm, a, qn) ∈ δ1, then for any transition pk : (qx, a, qy) ∈ δ1
associated with the symbol a, there exists (qi, pk, qj) ∈ δ2.We say A2 is an Alphabet-level Buchi Controlling Automaton (A-BCA). �
An important property of the A-BAC system is that it expresses the semantics ofintersection of two regular ω-languages over the alphabet Σ1.
Theorem 6.12. For each A-BAC system A1 ~· A2, there exists a Buchi automaton A3 =(Q2,Σ1, δ3, q2, F2), where (qj , a, qn) ∈ δ3 if and only if (qj , p, qn) ∈ δ2 and p : (qi, a, qm) ∈ δ1
associates with the symbol a, such that L(A1 ~· A2) = L(A1) ∩ L(A3).
Proof. According to Thm. 6.6, the meta-composition of A1 and A2 is a Buchi automaton:
where p : ((qi, qj , x), a, (qm, qn, y)) ∈ δ if and only if p : (qi, a, qm) ∈ δ1, (qj , p, qn) ∈ δ2.According to the construction of A3, we have p : ((qi, qj , x), a, (qm, qn, y)) ∈ δ if and onlyif p : (qi, a, qm) ∈ δ1, (qj , a, qn) ∈ δ3. Thus, A accepts the intersection of the ω-languagesaccepted by A1 and A3, i.e., L(A) = L(A1) ∩ L(A3). Therefore, the equation holds. �
Example 6.13. Let us consider the Buchi automaton A′1 in Fig. 6.2 and the Buchicontrolling automaton A3 in Fig. 6.3. A3 is an alphabet-level Buchi controlling automaton,since p1, p3 that associate with a always appear together. We can construct A4 in Fig. 6.3such that L(A′1 ~· A3) = L(A′1) ∩ L(A4). �
Obviously, the A-BAC system is a special case of the BAC system. Thus, its generativepower is not greater than the BAC system. In fact, we have the following theorem.
Theorem 6.14. L(BA~· A-BCA) = L(BA).
88 Chapter 6. Buchi Automaton Control Systems and Concurrent Variants
(ii). L(BA~· A-BCA) ⊇ L(BA). Given a Buchi automaton A1, it can be constructed aBAC system A1 ~· A2 such that L(A1 ~· A2) = L(A1) by using a full controlling automatonA2 that is also an alphabet-level Buchi controlling automaton. �
We would like to say that the BAC system is of transition-level. The BAC system ismore flexible, because it is not required that all the transitions associated with the samesymbol in δ1 must appear together between two states of A2.
In particular, the BAC system can impose some constraints outside the power of A-BAC systems. We use a simple example to show the difference between BAC and A-BACsystems in expressive power.
Suppose a nondeterministic vending machine A1 (see Fig. 6.4) that receives coin a anddispenses three types of goods b, c, d (inputs are marked by ?, while outputs are markedby !). The machine may receive a coin a, then output b, c, d in order. It may alsooutput only b, d. The nondeterministic choice may be made by the machine dependingon the luck, or may result from some unobservable or unmodeled events because of thelimitation of sensors or other factors. Obviously, the machine accepts the ω-languageL(A1) = (abd+ abcd)ω.
q0 q1
q2
q3p1 : a?
p2 : b!
p3 : b!
p4 : c!p5 : d!
Figure 6.4: A Nondeterministic Vending Machine
To increase profit, people decide to modify the behavior by adding a new requirement:the dispensation of bcd will be no longer allowed, only bd can be dispensed. That is, thetransition p3 will not be allowed.
It is easy to construct a BAC system with the controlling automaton A2 accepting(p1 + p2 + p4 + p5)ω by excluding p3. Thus, the new global system accepts the ω-languageL(A1 ~· A2) = (abd)ω, which satisfies the new requirement.
However, there does not exist an A-BAC system satisfying the new requirement. Thekey problem is the nondeterminism in the state q1. Assume there is such an alphabet-levelcontrolling automaton A2. Then A2 can only specify whether b can occur in a state whichis reached after a occurs. If no, then neither of p2 and p3 is allowed, i.e., no goods will bedispensed, which violates the requirements. If yes, then both of p2 and p3 are allowed. Inthis case, to avoid the occurrence of abcd, A2 may disable the transition dispensing c in thenext state. However, the machine enters a dead state q3 after choosing p3 and dispensingb. As a result, the global system dispenses only b and enters a dead state. This does notconform to the requirement, since d is not dispensed and the machine is deadlocked. Thus,A2 does not exist.
Therefore, we conclude that the BAC system is more flexible than the A-BAC system.
Let us consider a subset of alphabet-level controlling automata that are constructed
6.2. Input/Output Automaton Control Systems (IO-AC) 89
from LTL formulas (LTL-A-BCA). Suppose there is an LTL formula φ on the alphabet Σ.At first, the LTL formula can be translated into a Buchi automaton A over Σ [120]. Then,we can construct an alphabet-level controlling automaton Aφ from A as follows. For eachtransition (q, a, q′) of A where a ∈ Σ, we replace it by a set of transitions (q, pi, q′) wherepi is a transition associated with a in the controlled automaton.
It is well known that the expressive power of LTL formulas is strictly included in that ofBuchi automata. Thus, similarly, the expressive power of LTL-A-BCA is strictly includedin that of alphabet-level Buchi controlling automata (A-BCA).
We formalize the above results as follows. Let LTL-A-BCA be the family of alphabet-level Buchi controlling automata translated from LTL formulas, A-BCA be the familyof alphabet-level Buchi controlling automata, BCA be the family of Buchi controllingautomata. The following theorem characterizes their difference in expressive power.
Theorem 6.15. Given a Buchi automaton A,(i) for any LTL-A-BCA Aφ, there exists an A-BCA Aα such that L(Aα) = L(Aφ) and
L(A~· Aα) = L(A~· Aφ). The reverse does not hold.(ii) for any A-BCAAα, there exists a BCAA2 such that L(A2) = L(Aα) and L(A~·A2) =
L(A~· Aα). The reverse does not hold.
Proof. Clause (i) follows from the fact that the expressive power of LTL formulas is strictlyincluded in that of Buchi automata [120]. Clause (ii) follows from Def. 6.11 (the A-BACsystem is a special case of the BAC system) and the example above (a BCA can expresssome constraints outside the power of A-BCA’s). �
Discussion. Model checking techniques and tools always use LTL formulas or Buchiautomata to specify properties. Theorem 6.15 shows that the BAC system is more ex-pressive than LTL model checking in specifying properties, since model checking uses theLTL formula which is equivalent to LTL-A-BCA. Theorem 6.15 shows also that the BACsystem is more expressive than the tools checking regular properties, each of which speci-fies a regular ω-language. Because these tools (e.g., SPIN [73, 71, 72]) use the propertiesrepresented by Buchi automata, which are equivalent to alphabet-level Buchi controllingautomata (A-BCA).
It is worth noting, the alphabet-level control and the translation from LTL formulas arenot necessary, and restricts the expressive power of BAC systems. We can define directlythe controlling automaton, c.f. the example of vending machine before Thm. 6.15.
6.1.4 Checking Buchi Automaton Control Systems
We may want to check whether the meta-composition of a BAC system satisfies someproperties. Since the techniques for checking Buchi automata is rather mature, we needonly one more step to achieve this objective. The additional step is to compute the meta-composition of controlled automaton and controlling automaton using Thm. 6.6. Then wecan check whether the meta-composition (also a Buchi automaton) satisfies the propertiesusing the existing techniques.
6.2 Input/Output Automaton Control Systems (IO-AC)
In this section, we first recall input/output automata, then introduce the definitions andproperties of the input/output automaton control system. This formalism is used to
90 Chapter 6. Buchi Automaton Control Systems and Concurrent Variants
model and control concurrent systems that consist of several components with broadcastingcommunications.
6.2.1 Input/Output Automata
The input/output automaton [93, 94, 91] extends classic automata theory [74] for modelingconcurrent and distributed discrete event systems with different input, output and internalactions. The input/output automaton and various variants are widely used for describingand reasoning about asynchronous systems [92].
The input/output automaton is different from CSP (Communicating Sequential Pro-cesses) [70] in the following two aspects. The first feature is input-enableness, i.e., everyinput action is enabled at every state. This means that the automaton is unable to block itsinput, thus required to respond appropriately to every possible input sequences. WhereasCSP assumes the environment behaves correctly, i.e., reasonable input sequences. The sec-ond feature is that an action is controlled by at most one component, i.e., an action couldbe an output action of only one component in composition, but possibly be simultaneousinput action of several components. The output is transmitted to all the passive recipientcomponents. The two features are also different from CCS (Calculus of CommunicatingSystems) [101], where an output can be only transmitted to one recipient component.
Definition 6.16. An (nondeterministic) input/output automaton (I/O automaton orsimply automaton) is a tuple A = (Q,ΣI ,ΣO,ΣH , δ, S), where Q is a set of states,ΣI ,ΣO,ΣH are pairwise disjoint sets of input, output and internal actions, respectively,δ ⊆ Q × Σ × Q is a set of transitions such that for each q ∈ Q and a ∈ ΣI there is atransition pk : (q, a, q′) ∈ δ where pk is the name of the transition (input-enableness),S ⊆ Q is a nonempty set of initial states.
We denote by Σ = ΣI ∪ΣO ∪ΣH the set of actions, ΣE = ΣI ∪ΣO the set of externalactions, and ΣL = ΣO ∪ ΣH the set of locally-controlled actions. �
In the transition diagram, a transition pk : (q, a, q′) ∈ δ is denoted by an arc from q toq′ labeled pk : a. To discriminate explicitly the different sets of actions in diagrams, wemay suffix a symbol “?”, “!” or “;” to an input, output or internal action, respectively.
Note that an I/O automaton A = (Q,Σ, δ, S) is equivalent to a Buchi automatonA = (Q,Σ, δ, S,Q) where all the states are accepting states (if we allow a set of initialstates, and do not consider the fairness condition introduced later). This means, thecontrolling automaton and meta-composition over a single I/O automaton are the sameas the case of Buchi automata. Therefore, here we only consider the systems consisting ofseveral components.
As a preliminary, we recall the composition of I/O automata [94].Let N = {n1, ..., nk} ⊆ N be a countable set with cardinality k, and for each nj ∈ N ,
Snj be a set. We define the Cartesian product as:∏nj∈N
For each j ∈ {1, ..., k}, we denote the j-th component of the vector q = (xn1 , xn2 , ..., xnk)
by the projection q[j], i.e., q[j] = xnj .
6.2. Input/Output Automaton Control Systems (IO-AC) 91
Definition 6.17. A countable collection of I/O automata {An = (Qn,ΣIn,Σ
On ,Σ
Hn , δn, Sn)}n∈N
is said to be strongly compatible if for all i, j ∈ N and i 6= j, we have ΣOi ∩ ΣO
j = ∅,ΣHi ∩ Σj = ∅, and no action is contained in infinitely many sets Σi. �
Definition 6.18. The composition A =∏n∈N An of a countable collection of strongly
compatible I/O automata {An = (Qn,ΣIn,Σ
On ,Σ
Hn , δn, Sn)}n∈N is an I/O automaton
A = (∏n∈N
Qn,ΣI ,ΣO,ΣH , δ,∏n∈N
Sn)
where ΣI =⋃n∈N ΣI
n −⋃n∈N ΣO
n , ΣO =⋃n∈N ΣO
n , ΣH =⋃n∈N ΣH
n , and for each q, q′ ∈∏n∈N Qn and a ∈ Σ, we have pI : (q, a, q′) ∈ δ where pI ⊆
⋃n∈N δn, iff for all 1 ≤ j ≤ |N |
and nj ∈ N ,
1. if a ∈ Σnj then pi : (q[j], a, q′[j]) ∈ δnj and pi ⊆ pI , and for any other transitionpk ∈ δnj − {pi}, pk ∩ pI = ∅;
2. if a 6∈ Σnj then q[j] = q′[j] and for all pi ∈ δnj , pi ∩ pI = ∅. �
We say the transition pI is a composite transition, since its name pI is the union ofseveral sets pi of primitive transitions, where pi is a set of (possibly containing only one)primitive transitions. A transition of A =
∏n∈N An may be composed of i (primitive or
composite) transitions of its components, where 1 ≤ i ≤ |N |.Note that an output action is essentially a broadcast from one component to other
recipient components, so the composition does not hide actions representing interaction.This is different from CCS [101].
We are in general only interested in the executions of a composition in which allcomponents are treated fairly. The fairness is the property that each component infinitelyoften performs one of its locally-controlled actions.
Definition 6.19. An execution α of a composition A =∏n∈N An is fair, if the following
conditions hold
1. If α is finite, then for all n ∈ N , no action in ΣLn is enabled in the final state of α.
2. If α is infinite, then for all n ∈ N , either α contains infinitely many events fromΣLn , or α contains infinitely many occurrences of states in which no action in ΣL
n isenabled. �
6.2.2 Input/Output Automaton Control Systems
The controlling automaton over a composition of I/O automata should control all thetransitions of its primitive components.
Definition 6.20. Given a composition A =∏n∈N An, a (Buchi) controlling automaton
over A is Ac = (Qc,Σc, δc, Sc, Fc) with Σc =⋃n∈N δn. The global system is called an
Input/Output Automaton Control System (IO-AC System). �
There are two alternative mechanisms for controlling automata to control compositetransitions. The first mechanism is that a composite transition is allowed iff at least oneof its member transitions is allowed by the controlling automaton. The second mechanismis that a composite transition is allowed iff all of its member transitions are allowed by the
92 Chapter 6. Buchi Automaton Control Systems and Concurrent Variants
m0
m1
m2
p1 : s!
p3 : b1?
p2 : a!
p4 : b2?
p5 : b1?
p6 : b2?
p7 : b1?
p8 : b2?
(1) Am
u0 u1
p9 : s?p10 : a?
p11 : b1!p12 : b2!
p13 : b1!p14 : b2!
p15 : s?p16 : a?
(2) Au
q00
q11
q21
p1,15 : s!
b1!
p2,16 : a!b2!
p5,13 : b1!
p6,14 : b2!
b1!
b2!
(3) Amu
Figure 6.5: Input/Output Automata of the Candy Machine
controlling automaton. We formally define the two types of meta-composition as follows(the two definitions differ only in their last conditions, i.e., ∃pk ∈ pI vs. ∀pk ∈ pI).
Definition 6.21. The existential meta-composition of a composition A =∏n∈N An =
(∏n∈N Qn, Σ, δ,
∏n∈N Sn) and a controlling automaton Ac = (Qc,Σc, δc, Sc, Fc) with
Σc =⋃n∈N δn is a tuple:
A′ = A~·E Ac = ((∏n∈N
Qn)×Qc,Σ, δ′, (∏n∈N
Sn)× Sc, (∏n∈N
Qn)× Fc)
where for each qi, ql ∈∏n∈N Qn, qj , qm ∈ Qc and a ∈ Σ, we have pI : ((qi, qj), a, (ql, qm)) ∈
δ′ iff, pI : (qi, a, ql) ∈ δ and ∃pk ∈ pI , (qj , pk, qm) ∈ δc. �
Definition 6.22. The universal meta-composition of a composition A =∏n∈N An =
(∏n∈N Qn, Σ, δ,
∏n∈N Sn) and a controlling automaton Ac = (Qc,Σc, δc, Sc, Fc) with
Σc =⋃n∈N δn is a tuple:
A′ = A~·A Ac = ((∏n∈N
Qn)×Qc,Σ, δ′, (∏n∈N
Sn)× Sc, (∏n∈N
Qn)× Fc)
where for each qi, ql ∈∏n∈N Qn, qj , qm ∈ Qc and a ∈ Σ, we have pI : ((qi, qj), a, (ql, qm)) ∈
δ′ iff, pI : (qi, a, ql) ∈ δ and ∀pk ∈ pI , (qj , pk, qm) ∈ δc. �
If we let {An}n∈N contain only one automaton, i.e., |N | = 1, the two definitions willresult in the same case, i.e., the meta-composition over a single I/O automaton. That is,the controlling automaton over a single I/O automaton is only a special case of the abovedefinitions, thus we will not give the formal definition of this case.
Note that the resulting meta-composition is not necessarily input-enabled. This isreasonable, since the controlling automaton rejects some sequences of input actions whichmay lead to unexpected states.
To illustrate the principle, we use an example concerning a system composed of twocomponents: a candy vending machine and a customer. We hope the example will providean interesting illustration of our idea, since this class of examples is so popular in theliteratures of formal methods, e.g., CSP [70] and I/O automata [94].
The candy machine Am in Fig. 6.5(1) may receive inputs b1, b2 indicating that button 1or button 2 is pushed, respectively. It may produce outputs s, a indicating dispensation oftwo types of candy, SKYBAR and ALMONDJOY, respectively. The machine may receiveseveral inputs before delivering a candy.
6.3. Interface Automaton Control Systems (IN-AC) 93
c0 c1
p1, p2
p3, p4
(1) Ac1
c0 c1
δ(s), δ(a)
δ(b1), δ(b2)
(2) Ac2
q000
q111
q211
s!b1!
a!
b2!
(3) A′
Figure 6.6: Controlling Automata for the Input/Output Automata
A greedy user Au in Fig. 6.5(2) may push buttons b1, b2 or get candies s, a. The greedyuser may not wait for a candy before pressing a button again.
The composition of the machine and the user is Amu = Am ·Au which is shown in Fig.6.5(3), where qij denotes a composite state (mi, uj), pi1,...,ik denotes a composite transitionpi1,...,ik = {pi1 , . . . , pik}. For example, p1,15 : s is the synchronization of p1 : s! and p15 : s?which belong to Am and Au, respectively.
If we consider only the fair executions, then we rule out the hazardous situation thatthe user repeatedly pushes a single button without giving the machine a chance to dispensea candy.
Suppose we expect that the machine dispenses s if the user pushed b1 first, and a if theuser pushed b2 first. However, the user may push b1 first, then push b1 or b2 several times,finally push b2 and wait for the candy. Obviously, the machine will dispense a, which isan undesired execution for our expectation. To prevent this situation, we may imposethe constraint “the user is not allowed to change his/her choice,” i.e., whenever one ofthe transitions p3, p4 (actions b1, b2) occurs, the next transition must be p1 or p2 whichdispenses candy. Note that the constraint concerns two components, which is different tothe case of BAC systems.
The constraint can be formalized as the controlling automaton Ac1 in Fig. 6.6(1). Bycomputing the existential meta-composition of Amu and Ac1, we get the global systemA′ = (Am ·Au)~·E Ac1 in Fig. 6.6(3), where qijk denotes a composite state (mi, uj , ck). Itis easy to see, all the behaviors of A′ satisfy the constraint.
The constraint can also be formalized as the controlling automaton Ac2 in Fig. 6.6(2).In the diagram, δ(x) denotes all the primitive transitions associated with the action x ∈ Σ.For example, δ(a) = {p2, p10, p16}. By computing the universal meta-composition of Amuand Ac2, we get also the global system A′ = (Am ·Au)~·A Ac2 in Fig. 6.6(3).
6.3 Interface Automaton Control Systems (IN-AC)
In this section, we first recall interface automata, then introduce the definitions and prop-erties of the interface automaton control system. This formalism is used to model andcontrol concurrent systems that consist of several components with rendezvous communi-cations at interfaces.
6.3.1 Interface Automata
The interface automaton [41] extends the theory of I/O automata [93, 94] for modelingcomponent-based systems with interfaces.
94 Chapter 6. Buchi Automaton Control Systems and Concurrent Variants
The interface automaton is different from the I/O automaton in the following two as-pects. The first feature is that an interface automaton is not required to be input-enabled.This means that some input actions may be recognized as illegal at some states. Thesecond feature is that a synchronization of input and output actions results in an internalaction in the composition, since interface automata use rendezvous communications atinterfaces rather than broadcasting.
Definition 6.23. An (nondeterministic) interface automaton (simply automaton) is atuple A = (Q,ΣI ,ΣO,ΣH , δ, S), where Q is a set of states, ΣI ,ΣO,ΣH are pairwise disjointsets of input, output and internal actions, respectively, δ ⊆ Q×Σ×Q is a set of transitions,S ⊆ Q is a set of initial states, where |S| ≤ 1.
We denote by Σ = ΣI⋃
ΣO⋃
ΣH the set of actions. If |S| = 0, A is called empty. �
An interface automaton A is closed if it has only internal actions, i.e., ΣI = ΣO = ∅.Otherwise, we say A is open.
An action a ∈ Σ is enabled at a state q ∈ Q if there is a transition (q, a, q′) ∈ δ forsome q′ ∈ Q. We denote by ΣI(q),ΣO(q),ΣH(q) the subsets of input, output and internalactions that are enabled at the state q, and let Σ(q) = ΣI(q) ∪ ΣO(q) ∪ ΣH(q). We callthe input actions in ΣI − ΣI(q) the illegal inputs at q.
If a ∈ ΣI (resp. a ∈ ΣO, a ∈ ΣH), then (q, a, q′) ∈ δ is called an input (resp. output,internal) transition. We denote by δI , δO, δH the set of input, output, internal transitions,respectively.
In the transition diagram, a transition pk : (q, a, q′) ∈ δ is denoted by an arc from qto q′ labeled pk : a, where pk is the name of the transition. To discriminate explicitly thedifferent sets of actions in diagrams, we may again suffix a symbol “?”, “!” or “;” to aninput, output or internal action, respectively.
Note that an interface automaton A = (Q,Σ, δ, S) is equivalent to a Buchi automatonA = (Q,Σ, δ, S,Q) where all the states are accepting states (if we allow a set of initialstates). This means, the controlling automaton and meta-composition over a single in-terface automaton are the same as the case of Buchi automata. Therefore, here we onlyconsider the systems consisting of several components.
Now we define the composition of two interface automata [41], where the two compos-able automata will synchronize on shared actions, and asynchronously interleave all otheractions. The composition is defined based on the product of two composable automata.
Definition 6.24. Two interface automataA = (QA,ΣA, δA, SA) andB = (QB,ΣB, δB, SB)are composable if ΣH
A ∩ ΣB = ∅, ΣIA ∩ ΣI
B = ∅, ΣOA ∩ ΣO
B = ∅, ΣA ∩ ΣHB = ∅. We let
shared(A,B) = ΣA ∩ ΣB. �
Note that if A and B are composable, then shared(A,B) = (ΣIA ∩ ΣO
B) ∪ (ΣOA ∩ ΣI
B).
Definition 6.25. Given two composable interface automata A and B, their product A⊗Bis the interface automaton
P = A⊗B = (QA⊗B,ΣA⊗B, δA⊗B, SA⊗B)
where QA⊗B = QA × QB, ΣIA⊗B = (ΣI
A ∪ ΣIB) − shared(A,B), ΣO
A⊗B = (ΣOA ∪ ΣO
B) −
6.3. Interface Automaton Control Systems (IN-AC) 95
shared(A,B), ΣHA⊗B = ΣH
A ∪ ΣHB ∪ shared(A,B),
δA⊗B = {pi : ((v, u), a, (v′, u)) | pi : (v, a, v′) ∈ δA ∧ a 6∈ shared(A,B) ∧ u ∈ QB}∪ {pj : ((v, u), a, (v, u′)) | pj : (u, a, u′) ∈ δB ∧ a 6∈ shared(A,B) ∧ v ∈ QA}∪ {pij : ((v, u), a, (v′, u′)) | pi : (v, a, v′) ∈ δA ∧ pj : (u, a, u′) ∈ δB ∧ a ∈ shared(A,B)}
and SA⊗B = SA × SB. �
Note that some transitions that are present in A or B may not be present in theproduct, due to the lack of input-enableness.
We say the transition pij is a composite transition, since its name contains the namesof two primitive transitions pi ∈ δA and pj ∈ δB. Indeed, pij is an internal transitionrepresenting synchronization of input and output actions. This means, an output actionis transmitted to only one recipient component, and resulting an internal action. This issimilar to CCS [101].
In the product A ⊗ B, there may be illegal states, where one of the automata mayproduce an output action a ∈ shared(A,B) that is an input action of the other automaton,but is not accepted.
Definition 6.26. Given two composable interface automata A and B, the set of illegalstates of the product A⊗B is
Illegal(A,B) = {(u, v) ∈ QA ×QB | ∃a ∈ shared(A,B)( (a ∈ ΣOA(u) ∧ a 6∈ ΣI
B(v))
∨ (a ∈ ΣOB(v) ∧ a 6∈ ΣI
A(u)) )}
�
When the product A ⊗ B is closed (having only internal actions), then A and B arecompatible if no illegal state of A ⊗ B is reachable. When A ⊗ B is open, then A and Bare compatible if there is a legal environment that can prevent entering the illegal statesalthough they are possibly reachable in A⊗B.
Definition 6.27. An environment for an interface automaton P is an interface automatonE such that (1) E is composable with P , (2) E is nonempty, (3) ΣI
E = ΣOP , and (4)
Illegal(P,E) = ∅. �
Definition 6.28. Given two composable interface automata A and B, a legal environmentfor the pair (A,B) is an environment for A⊗B such that no state in Illegal(A,B)×QEis reachable in (A⊗B)⊗ E. �
The composition of two interface automata A,B is obtained by restricting the productof the two automata to the set of compatible states Cmp(A,B), which are the states fromwhich there exists an environment that can prevent entering illegal states.
Definition 6.29. Given two composable interface automata A and B, a pair of states(u, v) ∈ QA ×QB is compatible if there is an environment E for A⊗B such that no statein Illegal(A,B)×QE is reachable in (A⊗B)⊗E from the state {(u, v)}×SE . We denotethe set of compatible states of A⊗B by Cmp(A,B). �
Hence, two nonempty, composable interface automata A and B are compatible iff theirinitial states are compatible, i.e., SA × SB ⊆ Cmp(A,B).
96 Chapter 6. Buchi Automaton Control Systems and Concurrent Variants
Definition 6.30. Given two composable interface automata A and B, the compositionA||B is an interface automaton
Now we can rephrase the definition of compatibility for interface automata.
Definition 6.31. Two interface automata A and B are compatible iff (1) they are com-posable, and (2) their composition is nonempty. �
6.3.2 Interface Automaton Control Systems
The controlling automaton over a composition of interface automata should control all thetransitions of its primitive components.
Definition 6.32. Given a composition of a set of interface automata A =‖n∈N An, a(Buchi) controlling automaton over A is Ac = (Qc,Σc, δc, Sc, Fc) with Σc =
⋃n∈N δn. The
global system is called an Interface Automaton Control System (IN-AC System). �
There are two alternative mechanisms for controlling automata to control compositetransitions. The first mechanism is that a composite transition is allowed iff at least oneof its member transitions is allowed by the controlling automaton. The second mechanismis that a composite transition is allowed iff all of its member transitions are allowed by thecontrolling automaton. We formally define the two types of meta-composition as follows(the two definitions differ only in their last conditions, i.e., ∃pk ∈ pI vs. ∀pk ∈ pI).
Definition 6.33. The existential meta-composition of a composition A = (Q, Σ, δ, S)and a controlling automaton Ac = (Qc,Σc, δc, Sc, Fc) is a tuple:
A′ = A~·E Ac = (Q×Qc,Σ, δ′, S × Sc, Q× Fc)
where for each qi, ql ∈ Q, qj , qm ∈ Qc and a ∈ Σ, we have pI : ((qi, qj), a, (ql, qm)) ∈ δ′ iff,pI : (qi, a, ql) ∈ δ and ∃pk ∈ pI , (qj , pk, qm) ∈ δc. �
Definition 6.34. The universal meta-composition of a composition A = (Q, Σ, δ, S) anda controlling automaton Ac = (Qc,Σc, δc, Sc, Fc) is a tuple:
A′ = A~·A Ac = (Q×Qc,Σ, δ′, S × Sc, Q× Fc)
where for each qi, ql ∈ Q, qj , qm ∈ Qc and a ∈ Σ, we have pI : ((qi, qj), a, (ql, qm)) ∈ δ′ iff,pI : (qi, a, ql) ∈ δ and ∀pk ∈ pI , (qj , pk, qm) ∈ δc. �
Different from the IO-AC system, a composite transition pI contains at most twoprimitive transitions. If we let A be a single primitive automaton, the two definitions willresult in the same case, i.e., the meta-composition over a single interface automaton. Thatis, the controlling automaton over a single interface automaton is only a special case ofthe above definitions, thus we will not give the formal definition of this case.
To illustrate the principle, we use the same example used for I/O automaton controlsystems concerning a system composed of two components: a candy vending machine and acustomer. The candy machine Am, a greedy user Au and their composition Amu = Am||Au
6.4. Related Work 97
m0
m1
m2
p1 : s!
p3 : b1?
p2 : a!
p4 : b2?
p5 : b1?
p6 : b2?
p7 : b1?
p8 : b2?
(1) Am
u0 u1
p9 : b1!p10 : b2!
p12 : b2!p11 : b1!
p14 : a?p13 : s?
(2) Au
q00
q11
q21
p1,13 : s;
b1;
p2,14 : a;b2;
p5,11 : b1;
p6,12 : b2;
b1;
b2;
(3) Amu
Figure 6.7: Interface Automata of the Candy Machine
c0 c1
p1, p2
p3, p4
(1) Ac1
c0 c1
δm ∪ δu − {p11, p12}
δm ∪ δu − {p11, p12}
(2) Ac2
q000
q111
q211
s;
b1;
a;b2;
(3) A′
Figure 6.8: Controlling Automata for the Interface Automata
are shown in Fig. 6.7. Note that pi,j is an internal transition that synchronizes input andoutput actions, and denotes a composite transition pi,j = {pi, pj}.
Suppose we expect that the machine dispenses s if the user pushed b1 first, and a if theuser pushed b2 first. However, the user may push b1 first, then push b1 or b2 several times,finally push b2 and wait for the candy. Obviously, the machine will dispense a, which isan undesired execution for our expectation. To prevent this situation, we may imposethe constraint “the user is not allowed to change his/her choice,” i.e., whenever one ofthe transitions p3, p4 (actions b1, b2) occurs, the next transition must be p1 or p2 whichdispenses candy. Note that the constraint concerns two components, which is different tothe case of BAC systems.
The constraint can be formalized as the controlling automaton Ac1 in Fig. 6.8(1). Bycomputing the existential meta-composition of Amu and Ac1, we get the global systemA′ = (Am||Au)~·E Ac1 in Fig. 6.8(3), where qijk denotes a composite state (mi, uj , ck). Itis easy to see, all the behaviors of A′ satisfy the constraint.
The constraint can also be formalized as the controlling automaton Ac2 in Fig. 6.8(2),which forbids the unexpected transitions p11, p12. By computing the universal meta-composition of Amu and Ac2, we get also the global system A′ = (Am||Au) ~·A Ac2 inFig. 6.8(3).
6.4 Related Work
The BAC system is different from Ramadge and Wonham’s supervisory control [112]. Intheir theory, the supervisor controls an automaton via the alphabet of symbols rather thantransitions, thus it is similar to the alphabet-level controlling automaton. That means, ourcontrolling automata, which specify properties on the transitions instead of the alphabet,
98 Chapter 6. Buchi Automaton Control Systems and Concurrent Variants
have stronger expressiveness in specifying constraints.
6.5 Conclusion
In this chapter, we proposed the Buchi Automaton Control System (BAC system) andits concurrent variants, including the IO-AC system and the IN-AC system. Each of theformalisms consists of a controlled automaton and a Buchi controlling automaton thatrestricts the behavior of the controlled automaton. The BAC system is used for modelingand controlling nonstop systems that generate ω-words, while the concurrent variants areused for modeling and controlling concurrent systems that consist of several componentswith various types of communications.
To control the systems modeled with other types of automata, e.g., team automata[48, 119] and component-interaction automata [14], it is not hard to develop correspondingautomaton control systems using the methodology proposed in this chapter.
Chapter 7
Nevertrace Claims for ModelChecking
In this chapter, we propose the nevertrace claim, which is a new construct for specifyingthe correctness properties that either finite or infinite execution traces (i.e., sequences oftransitions) that should never occur. In semantics, it is neither similar to never claimand trace assertion, nor a simple combination of them. Furthermore, the theoreticalfoundation for checking nevertrace claims, namely the Asynchronous-Composition BuchiAutomaton Control System (AC-BAC System), is proposed. The major contributions ofthe nevertrace claim include: a powerful construct for formalizing properties related totransitions and their labels, and a way for reducing the state space at the design stage.
7.1 Introduction
The SPIN (Simple Promela INterpreter) model checker is an automated tool for verifyingthe correctness of asynchronous distributed software models [73, 71, 72]. System modelsand correctness properties to be verified are both described in Promela (Process MetaLanguage). This chapter is based on SPIN Version 5.2.5, released on 17th April 2010.
Promela supports various constructs for formalizing different classes of properties. Themost powerful constructs are the never claim, the trace and notrace assertions. Thenever claim is used to specify the properties on sequences of states that should never occur,while the trace and notrace assertions are used to specify the properties on sequencesof transitions of simple channel operations, i.e., simple send and receive operations onmessage channels. A transition is a statement between two states, thus the trace andnotrace assertions only treat a restricted subset of transitions.
However, we observed that the existing constructs cannot specify the properties onfull sequences of transitions apart from the transitions of simple channel operations, e.g.,assignments, random receive operations, etc.
In this chapter, we propose the nevertrace claim, which is a new claim constructfor specifying correctness properties related to all types of transitions and their labels.A nevertrace claim specifies the properties that either finite or infinite execution traces(i.e., sequences of transitions) that should never occur. A nevertrace claim could benondeterministic, and performed at every single execution step of the system.
Literally, it seems that the nevertrace claim combines the never claim and the traceassertion. However, we will show that, in semantics, it is neither similar to any of them,
99
100 Chapter 7. Nevertrace Claims for Model Checking
nor a simple combination of them.The major contributions of this construct include the following two aspects:First, the nevertrace claim provides a powerful construct for formalizing properties
related to transitions and their labels. Furthermore, the nevertrace claim can be usedto express the semantics of some existing constructs in Promela.
Second, the nevertrace claim provides a way for reducing the state space at thedesign stage. We observed that variables are always used for two objectives: functionalcomputation, or implicitly recording the execution trace for verification. The nevertraceclaim can reduce the usage of variables for marking the execution trace. The decreasednumber of variables can reduce the state space.
This chapter is organized as follows. In Section 7.2, the existing constructs in Promelaare recalled to facilitate further discussion and comparison. In Section 7.3, the nevertraceclaim is proposed and illustrated by example. The theoretical foundation for checkingnevertrace claims, namely the Asynchronous-Composition Buchi Automaton ControlSystem (AC-BAC System), is presented in Section 7.4. Then in Section 7.5 we show howto express some constructs in Promela using nevertrace claims. We discuss related workin Section 7.6 and conclude in Section 7.7.
To illustrate some constructs in Promela and our new construct in the sequel, we use asimple Promela model (see Listing 7.1) as an example. This model contains two channels(c2s and s2c), three processes (two clients and a server) and four types of messages. Client1 can send msg1 through the channel c2s, and receive ack1 from the channel s2c, andrepeat the procedure infinitely. Client 2 does the similar with msg2 and ack2. There arenine labels in the model, e.g., again at Line 7, c2srmsg at Line 23. The variable x countsthe number of messages in the channel c2s, thus is used for functional computation.
Listing 7.1: A Promela Model of Client and Server1 mtype = {msg1 , msg2 , ack1 , ack2 } ;2 chan c2s = [ 2 ] of {mtype} ;3 chan s2c = [ 0 ] of {mtype} ;4 int x = 0 ;56 active proctype c l i e n t 1 ( ) {7 again :8 c2ssmsg1 : c2s ! msg1 ;9 x i n c : x = x+1;
10 s2c ? ack1 ;11 goto again ;12 }1314 active proctype c l i e n t 2 ( ) {15 again :16 c2ssmsg2 : c2s ! msg2 ;17 x i n c : x = x+1;18 s2c ? ack2 ;19 goto again ;20 }2122 active proctype s e r v e r ( ) {23 c2srmsg : do24 : : c2s ?msg1 ;25 x dec1 : x = x−1;26 s2c ! ack1 ;
7.2. Constructs for Formalizing Properties in SPIN 101
27 : : c2s ?msg2 ;28 x dec2 : x = x−1;29 s2c ! ack2 ;30 od ;31 }
7.2 Constructs for Formalizing Properties in SPIN
Promela supports the following constructs for formalizing correctness properties, of whichnumerous examples could be found in the monographs [72, 8].
• Basic assertions. A basic assertion is of the form assert(expression). A basicassertion should be satisfied in specific reachable states. Otherwise, an assertionviolation is reported, and the execution stops at the point in the model where theassertion failure was detected.
• End-state labels. Every label name that starts with the prefix end is an end-statelabel. At the end of an execution sequence (i.e., no more statements are executable),all processes must have reached a valid end state, i.e., its closing curly brace oran end-state label. Otherwise, an “invalid end states” error is reported, indicatinginvalid deadlock.
• Progress-state labels. Every label name that starts with the prefix progress is aprogress-state label. All potentially infinite execution cycles must pass through atleast one of the progress labels. Otherwise, a “non-progress cycles” error is reported.Note that the search for non-progress cycles is implemented through never claims.
• Accept-state labels. Every label name that starts with the prefix accept is anaccept-state label1. There should not exist any execution that can pass through anaccept-state label infinitely often. An “acceptance cycles” error is reported, if apotentially infinite execution cycle passes through at least one accept-state label.
• Never claims. A never claim specifies either finite or infinite system behavior thatshould never occur. An error is reported, if the full behavior specified in the neverclaim is matched by any feasible execution, where “match” means the terminationof the claim or an acceptance cycle is reachable. Besides control-flow constructs, anever claim may contain only two types of statements: condition statements andassertions.
• Trace assertions. A trace assertion specifies properties about sequences of simplesend and receive operations on message channels. Note that only the channel namesthat appear in the assertion are considered to be within the scope of the check. Anerror is reported, if any feasible sequence of operations within scope cannot matchthe trace assertion, i.e., the assertion does not have a matching event (includingthe assertion reaches at its closing curly brace). Besides control-flow constructs, atrace assertion may contain only simple send and receive operations.
1The accept-state label is normally reserved for specifying acceptance conditions of never claims. Al-though this is rarely done, it can also be used in a Promela model, and does not require the presence of anever claim.
102 Chapter 7. Nevertrace Claims for Model Checking
• Notrace assertions. A notrace assertion specifies the opposite of a trace assertion,but uses the same syntax. An error is reported, if the full behavior specified in thenotrace assertion is matched completely by any feasible execution, i.e., either theclosing curly brace or an end-state label of the assertion is reached.
The basic assertion is the only type of correctness properties that can be checkedin the simulation mode (also the verification mode). The three special types of labelsonly have special meaning in the verification mode. The never claim and the traceand notrace assertions can only be interpreted and checked in the verification mode.Note that never claims could be nondeterministic, whereas trace and notrace assertionsmust be deterministic. Furthermore, Promela also supports Linear Temporal Logic (LTL)formulas, which are converted into never claims for verification [58].
To facilitate the comparison in the sequel, we recall first the semantics of trace andnotrace assertions through simple examples, since they are less used than never claims.
The following trace assertion specifies the property that the sequence of send oper-ations on the channel c2s should alternate between c2s!msg1 and c2s!msg2. Note thatonly the send operations on the channel c2s are within the scope of this check, and otherstatements are ignored.
trace { /* alternating between c2s!msg1 and c2s!msg2 */if
The model in Listing 7.1 violates this assertion, since c2s!msg1 and c2s!msg2 canappear in any order.
The following notrace assertion specifies the property that there should not exist asequence of send operations on the channel c2s that contains two consecutive c2s!msg1.Note that, for notrace assertions, an error is reported, if the assertion is matched com-pletely. Note that only the send operations on the channel c2s are within the scope ofthis check, and other statements are ignored.
notrace { /* containing two consecutive c2s!msg1 */S0:
if:: c2s!msg1 -> goto S1;:: c2s!msg2 -> goto S0;
fi;S1:
if:: c2s!msg1;:: c2s!msg2 -> goto S0;
fi;/* S2 */}
7.3. Nevertrace Claims 103
The model in Listing 7.1 violates this assertion, since sequences containing two consecutivec2s!msg1 are feasible. These sequences cause the termination of the notrace assertion.
S0 S1 S2
c2s!msg1, c2s!msg2
c2s!msg1 c2s!msg1
c2s!msg1, c2s!msg2
Figure 7.1: The Nondeterministic Automaton of notrace Assertion
S0 S1 S2
c2s!msg2
c2s!msg1
c2s!msg2
c2s!msg1
c2s!msg1, c2s!msg2
Figure 7.2: The Deterministic Automaton of notrace Assertion
We observed that notrace assertions could be also constructed from LTL formulas.The procedure reuses the technique that translates LTL formulas into never claims [58].Note that never claims specify Nondeterministic Finite Automata (NFA). Thus, an addi-tional step of manually determinizing NFA [74] is needed, since a notrace assertion mustbe deterministic.
For this example, we can convert the LTL formula <>(c2s!msg1 -> X c2s!msg1) intoan NFA in Fig. 7.1. Note that the condition statement (1) (or true) was replaced byall send operations on the channel c2s in the model. To obtain a deterministic notraceassertion, we have to manually determinize the NFA to a Deterministic Finite Automaton(DFA) and minimize the DFA. The result is shown in Fig. 7.2. Finally, we can write theabove assertion according to the established DFA.
Note that the trace and notrace assertions can only treat simple channel operations,thus the properties on other types of transitions cannot be specified. In the next section,we propose a new construct that can specify the properties on all types of transitions.
7.3 Nevertrace Claims
In this section, we will propose the nevertrace claim. A nevertrace claim may containcontrol-flow constructs and transition expressions, whose major ingredient is the labelexpression. Thus, we will present three new constructs.
7.3.1 Label Expressions
In a program or model (e.g., Promela model), some statements have labels. A statementmay have several labels. A label name in a model contains only the following characters:digits (0 to 9), letters (a to z, A to Z), and underscore ( ). We assume that all the unlabeledstatements have the empty string (denoted by ε) as its default label name.
A label expression is a regular expression for matching label names. The label expres-sion reuses a subset of the characters of POSIX-extended regular expressions2, and addssome new symbols. The special characters are listed in Table 7.1, where the additional
2POSIX-extended regular expressions are widely used in Unix applications.
104 Chapter 7. Nevertrace Claims for Model Checking
symbols in the bottom part are not included in POSIX-extended regular expressions. Allthe characters other than the special characters listed in Table 7.1, including digits, lettersand underscore, match themselves. Also note that the interpretation of these symbols isover the restricted alphabet [0-9A-Za-z ].
Symbol Meaning over the Alphabet [0-9A-Za-z ]. A dot matches any single character.
( ) Parentheses group a series of patterns into a new pattern.[ ] A character class matches any character within the brackets. If the first
character is a circumflex [ˆ], it matches any character except the oneswithin the brackets. A dash inside the brackets indicates a characterrange, e.g., [a-d] means [abcd], [ˆa-d] means [0-9A-Ze-z ].
{ } If the braces contain one number, it indicates the exact number of timesthe previous pattern can match. While two numbers indicate the minimumand maximum number of times.
* A Kleene star matches zero or more copies of the previous pattern.+ A positive closure matches one or more copies of the previous pattern.? A question mark matches zero or one copy of the previous pattern.| An alternation operator matches either the previous pattern or the fol-
lowing pattern.Additional Symbols
(ˆ ) If the first character is a circumflex (ˆ), it matches any string except theones expressed by the expression within the parentheses.
# A hash mark matches any string over the alphabet, i.e., [0-9A-Za-z ]*.
Table 7.1: Special Characters in Label Expressions
For example, in Listing 7.1, the label expression c2ssmsg# matches the labels startingwith c2ssmsg, i.e., c2ssmsg1 and c2ssmsg2. The expression (^c2ss#) matches all labelsin the model other than those starting with c2ss. The empty string ε could be matchedby a{0}, where a could be other letters or any digit.
Let us consider the complexity of deciding whether a label name is matched by a la-bel expression. It is well known that a Deterministic Finite Automaton (DFA) can beeffectively constructed from a regular expression [74]. In the label expression, most of thespecial characters are reused from regular expressions. It is easy to see, the additionalcharacters also produce DFA’s. For example, (^) means constructing the complementa-tion of a regular language (and its DFA) [74]. Therefore, a DFA can be also effectivelyconstructed from a label expression.
It is also well known that the membership problem for regular languages (accepted byDFA’s) can be decided in linear time [74]. Therefore, the membership problem for labelexpressions can be also decided in linear time. This means, given a label name l of lengthn, whether l is matched by a label expression can be decided in linear time O(n). Thisshows that label expressions are feasible in practice.
7.3.2 Transition Expressions
An atomic transition expression is of the form procname[pid]$lblexp, and may takethree arguments. The first optional argument is the name of a previously declared
7.3. Nevertrace Claims 105
proctype procname. The second optional argument is an expression enclosed in brackets,which provides the process identity number pid of an active process. The third requiredargument lblexp is a label expression, which matches a set of label names in the model.There must be a symbol $ between the second and the third arguments.
Given a transition and its labels, an atomic transition expression procname[pid]$lblexpmatches the transition (i.e., returns true), if the transition belongs to the process procname[pid], and at least one of the labels is matched by the label expression lblexp. We shouldnotice that the first two arguments are only used to restrict the application domain of thelabel expression.
A transition expression contains one or more atomic transition expressions connectedby propositional logic connectives. It can be defined in Backus-Naur Form as follows:
t ::= a | (!t) | (t && t) | (t || t) | (t -> t)
where t is transition expression, and a is atomic transition expression.Given a transition and its labels, a transition expression matches the transition (i.e.,
returns true), if the propositional logic formula is evaluated to true according to the valuesof its atomic transition expressions. Note that the transition expression is side effect free.That is, it does not generate new system behavior, just like condition statements.
For example, in Listing 7.1, the (atomic) transition expression client1[0]$c2ssmsg#matches all transitions that have a label starting with c2ssmsg in the process 0 of typeclient1, i.e., the statement with label c2ssmsg1 at Line 8. The transition expression(client2[1]$(c2s#)) && $again# matches all transitions that have a label starting withc2s and a label starting with again, in the process 1 of type client2, i.e., the statementwith two labels again and c2ssmsg2 at Line 16.
In an atomic transition expression, the second arguments (together with the brackets)can be omitted, if there is only one active process of the type specified by the first argument,or the transition expression is imposed on all active processes of the type. The first andthe second arguments (together with the brackets) can be both omitted, if the transitionexpression is imposed on all active processes. But note that the symbol $ cannot beomitted in any case.
For example, in Listing 7.1, the transition expression client1[0]$c2ssmsg# is equiva-lent to client1$c2ssmsg#. The transition expression $c2ssmsg# matches the transitionsthat have a label starting with c2ssmsg in all active processes, i.e., the statements at Lines8 and 16.
The reader may find that the atomic transition expression is syntactically similar tothe remote label reference in Promela, except the symbol $. Note that, at first, there aretwo superficial differences: (1) the first argument of the remote label reference cannot beomitted, (2) the third argument of the remote label reference should be an existing labelname, rather than a label expression. Furthermore, we will show later that they havedifferent semantics in their corresponding claims.
Let us consider the complexity of deciding whether a transition is matched by a tran-sition expression.
For atomic transition expressions, we showed that the membership problem for labelexpressions (the third argument) can be decided in linear time O(n). As mentioned, thefirst two arguments only check the owner of the label, so do not affect the complexity.Thus, given a transition with several labels of the total length n, whether it is matchedby an atomic transition expression can be decided in linear time O(n). That is, the
106 Chapter 7. Nevertrace Claims for Model Checking
membership problem for atomic transition expressions can be also decided in linear timeO(n).
Suppose a transition expression has i atomic transition expressions and j logic con-nectives, then the membership problem can be decided in i ·O(n) +O(j) time. Since i, jare constants for a given transition expression, the membership problem can be decidedin linear time O(n). This shows that transition expressions are feasible in practice.
7.3.3 Nevertrace Claims
A nevertrace claim specifies the properties that either finite or infinite execution traces(i.e., sequences of transitions) that should never occur. A nevertrace claim could benondeterministic, and performed at every single execution step of the system.
A nevertrace claim may contain only control-flow constructs and transition expres-sions. A nevertrace claim can contain end-state, progress-state and accept-state labelswith the usual interpretation in never claims. Therefore, it looks like a never claim,except the keyword nevertrace and allowing transition expressions instead of conditionstatements.
An example of nevertrace claim for the model in Listing 7.1 is as follows:
In the example, the claim specifies the property that increasing x always leads todecrease x later. In other words, if one of the transitions labeled x_inc is executed, thenone of the transitions that have a label starting with x_dec will be executed in the future.By the way, if we replace $x_inc by $x_i#nc#, or replace $x_dec# by server[2]$x_dec#,for this model, the resulting claim is equivalent to the above one.
A nevertrace claim is performed as follows, starting from the initial system state.One transition expression of the claim process is executed each time after the systemexecuted a transition. If the transition expression matches the last executed transition,then it is evaluated to true, and the claim moves to one of the next possible statements.If the claim gets stuck, then this means that the undesirable behavior cannot be matched.Therefore, no error is reported.
For a rendezvous communication, the system executes an atomic event in which twoprimitive transitions are actually executed at a time, one send operation and one receiveoperation. In this case, we assume that the send operation is executed before the receiveoperation in an atomic rendezvous event.
An error is reported, if the full behavior specified could be matched by any feasibleexecution. The violation can be caught as termination of the claim, or an acceptance
7.4. Theoretical Foundation for Checking Nevertrace Claims 107
cycle, just like never claims. Note that all the transitions of the model are within thescope of the check.
In the example, it is easy to see that there exists no violation, since the nevertraceclaim cannot be matched completely.
Note that it is hard to express this property using existing constructs in Promela. Forexample, trace or notrace assertions are not capable of expressing this property, sincethey can only specify properties on simple channel operations. The three types of speciallabels do not have this power neither.
Fortunately, never claims can express this property by introducing new variables toimplicitly record the information about execution traces. For instance, we introducetwo boolean variables a, b. After each statement labeled x_inc, we add the statements“a=1; a=0;”, which let a be 1 once. After each statement labeled x_dec#, we add thestatements “b=1; b=0;”, which let b be 1 once. Then the property can be expressed asLTL formula [](a -> <>b). The negation of this formula can be converted into a neverclaim that specifies the required property.
However, please note that the additional variables quadruple the state space (differentcombinations of a and b), and make the program malformed and harder to read. Incontrast, the nevertrace claim is more economic, since it takes full advantage of thetransition information (e.g., control-flow states and their labels) that is already tracked aspart of the state space in the verification mode of SPIN.
An interesting thing is that nevertrace claims could be also converted from LTLformulas. In the example, a never claim can be generated from the LTL formula by SPIN. Then we can obtain the nevertrace claim aboveby replacing the condition statement (1) or true by $# matching all transitions. Thisfact can facilitate the use of nevertrace claims in practice.
Finally, let us consider the syntax definition of nevertrace claims. There are variousways to modify the grammar of Promela to take into account the nevertrace claim. Forexample, we can add the following productions into the grammar of Promela.
Here unit, body and expr are existing nonterminals in the grammar of Promela, thus weonly extend the grammar by appending the new productions. The productions for thenonterminal expr_label are omitted, since its syntax is clearly specified in Table 7.1.
7.4 Theoretical Foundation for Checking Nevertrace Claims
In this section, we propose the theory of asynchronous-composition Buchi automaton con-trol systems. Then we will show the connection between the theory and the checking ofnevertrace claims by example.
108 Chapter 7. Nevertrace Claims for Model Checking
7.4.1 The Asynchronous Composition of Buchi Automata
At first, we recall the classic definition of Buchi automata [16, 120].
Definition 7.1. A (nondeterministic) Buchi automaton (simply automaton) is a tupleA = (Q,Σ, δ, q0, F ), where Q is a finite set of states, Σ is a finite alphabet, δ ⊆ Q×Σ×Qis a set of named transitions, q0 ∈ Q is the initial state, F ⊆ Q is a set of accepting states.For convenience, we denote the set of transition names also by δ. �
Note that the concept of transition name is introduced. A transition in δ is of theform pk : (q, a, q′), where pk is the name of the transition. In the transition diagram, atransition pk : (q, a, q′) ∈ δ is denoted by an arc from q to q′ labeled pk : a.
Given a set of automata, they execute asynchronously, but may synchronize on ren-dezvous events. We assume that the send operation is executed before the receive opera-tion in an atomic rendezvous event. Formally, we define their asynchronous compositionas follows.
Let N = {n1, ..., nk} ⊆ N be a countable set with cardinality k, and for each nj ∈ N ,Snj be a set. We recall the Cartesian product as:∏
nj∈NSnj = {(xn1 , xn2 , ..., xnk
) | ∀j ∈ {1, ..., k}, xnj ∈ Snj}
For each j ∈ {1, ..., k}, we denote the j-th component of the vector q = (xn1 , xn2 , ..., xnk)
by the projection q[j], i.e., q[j] = xnj .
Definition 7.2. The asynchronous composition A =∏n∈N An of a countable collection
of Buchi automata {An = (Qn,Σn, δn, qn, Fn)}n∈N is a Buchi automaton
A = (∏n∈N
Qn,Σ, δ,∏n∈N
qn, F )
where Σ =⋃n∈N Σn,
δ = {pk : (q, a, q′) | ∃ni ∈ N, a ∈ Σni ∧ pk : (q[i], a, q′[i]) ∈ δni ,
and ∀nj ∈ N,nj 6= ni → q[j] = q′[j]}
F = {q ∈∏n∈N Qn | ∃ni ∈ N, q[i] ∈ Fni}. �
We interpret the asynchronous composition as the expanded version which fully ex-pands all possible values of the variables in the state space (see Appendix A of [72]). Theexecutability of a transition depends on its source state.
The asynchronous composition is different from the Input/Output automaton [93, 94]in the following major aspects: (1) input-enableness is not required, i.e., not all receiveoperations are enabled at every states; (2) strong-compatibility is not required, i.e., differ-ent processes can have the same send operation; (3) the interaction always occurs betweentwo automata, rather than broadcasting of Input/Output automata.
The asynchronous composition is different from the interface automaton [41] in the fol-lowing major aspects: (1) the asynchronous composition is over several processes, ratherthan only two components; (2) The primitive send and receive operations in rendezvouscommunications are still visible to the environment outside the composition; (3) the in-teractions between two automata do not result in internal actions.
7.4. Theoretical Foundation for Checking Nevertrace Claims 109
Furthermore, different from the Input/Output automaton and the interface automaton,the Buchi automaton has a set of accepting states to specify acceptance conditions. Thusit is more suitable for model checking.
7.4.2 The Asynchronous-Composition BAC System
An Asynchronous-Composition Buchi Automaton Control System (AC-BAC System) con-sists of an asynchronous composition of Buchi automata and a Buchi controlling automa-ton. The controlling automaton controls all the transitions of the primitive componentsin the composition. Thus, the alphabet of the controlling automaton equals the set oftransition names of the controlled automata.
Definition 7.3. Given an asynchronous composition of a set of Buchi automata A =∏n∈N An, a (Buchi) controlling automaton over A is Ac = (Qc,Σc, δc, qc, Fc) with Σc =⋃n∈N δn. The global system is called an Asynchronous-Composition Buchi Automaton
Control System (AC-BAC System). �
The controlling automaton is used to specify the sequences of transitions that shouldnever occur, since a controlling automaton accepts sequences of transitions.
We compute the meta-composition of an asynchronous composition and a controllingautomaton. In the meta-composition, a transition is allowed iff it is in the asynchronouscomposition and allowed by the controlling automaton. The name “meta-composition”denotes that the controlling automaton is at a higher level, since it treats the set of tran-sitions rather than the alphabet. We formally define the meta-composition ( ~· operator)as follows.
Definition 7.4. The meta-composition of an asynchronous compositionA = (Q,Σ, δ, q0, F )and a controlling automaton Ac = (Qc,Σc, δc, qc, Fc) is a Buchi automaton:
where for each qi, ql ∈ Q, qj , qm ∈ Qc and a ∈ Σ, we have pk : ((qi, qj), a, (ql, qm)) ∈ δ′ iffpk : (qi, a, ql) ∈ δ and (qj , pk, qm) ∈ δc. �
If we let {An}n∈N contain only a single primitive automaton, i.e., |N | = 1, the defini-tion will express the meta-composition over a single automaton. This means, the control-ling automaton over a single automaton is only a special case of the above definition.
We observe that A has feasible sequences of transitions accepted by Ac (or A matchesAc), iff the language accepted by the meta-composition is not empty. This fact will beused for checking nevertrace claims.
Note that the emptiness problem for meta-compositions is decidable. It is well knownthat the emptiness problem for Buchi automata is decidable [120]. Since the meta-composition is a Buchi automaton, checking its emptiness is also decidable.
It is worth noting that the controlling automaton specifies properties on transitionsrather than states, which is the major difference between our theory and Vardi andWolper’s automata theoretical framework for model checking.
7.4.3 From Nevertrace Claims to AC-BAC Systems
We will show at first how to translate a model with a nevertrace claim into an AC-BACsystem. Let us consider a simple example in Listing 7.2 consisting of a client and a server.
110 Chapter 7. Nevertrace Claims for Model Checking
Listing 7.2: A Simplified Promela Model of Client and Server1 mtype = {msg , ack } ;2 chan c2s = [ 2 ] of {mtype} ;3 chan s2c = [ 0 ] of {mtype} ;4 int x = 0 ;56 active proctype c l i e n t ( ) {7 again :8 c2ssmsg : c2s ! msg ;9 x = x+1;
10 s2crack : s2c ? ack ;11 goto again ;12 }1314 active proctype s e r v e r ( ) {15 c2srmsg : do16 : : c2s ?msg ;17 x = x−1;18 s2csack : s2c ! ack ;19 od ;20 }
Figures 7.3 (1) and (2) on Page 116 show the automata A1, A2 describing the behaviorof the client and the server, respectively. Each transition between two control-flow statesis labeled by its transition name (may be related to line number and control-flow state,etc.) and statement. For example, 8 is the transition name between the states 8 and 9.
The asynchronous composition A1 ·A2 is shown in Fig. 7.3(3). A system state consistsof four elements: the control-flow states of A1 and A2, the value of x and the contents of thechannel c2s. Note that the dashed transitions are not executable at their correspondingstates, although themselves and omitted subsequent states are part of the composition.That is, the figure contains exactly the reachable states in the system. At the bottom ofthe figure, the transitions labeled 18 and 10 constitute a handshake.
The claim specifies the property that any operation on channel c2s always leads toreceive ack from the channel s2c later. In other words, if one of the transitions that havea label starting with c2s is executed, then one of the transitions labeled s2crack will beexecuted in the future.
Figure 7.3(4) shows the automaton specified by the nevertrace claim. Figure 7.3(5)shows the controlling automaton specified by the nevertrace automaton. For example,
7.5. On Expressing Some Constructs in SPIN 111
the transition expression (!$s2crack && $c2s#) matches the transitions 8 and 16.The automata in Figures 7.3 (3) and (5) constitute an AC-BAC system, which is
established from the model and the nevertrace claim. The next step is to check whetherthe asynchronous composition A1 ·A2 matches the claim Ac.
The meta-composition (A1 · A2) ~· Ac is shown in Fig. 7.3(6) (To save space, thestate space starting from the state (9,15,q0) is not drawn). The state of the controllingautomaton is added into the system state. In the meta-composition, a transition is allowed,iff it is in (A1 · A2) and allowed by Ac. Note that the transition 10 is blocked, since it isnot allowed by the state q1 of Ac. It is easy to see there does not exist any acceptancecycle, thus the ω-language accepted by the meta-composition is empty. This means, nocounterexample can be found, and the system satisfies the required correctness property.
To conclude, checking nevertrace claims is equivalent to the emptiness problem formeta-compositions. A nevertrace claim is violated if and only if the meta-composition isnot empty. As we mentioned, the emptiness problem for meta-compositions is decidable.Therefore, checking nevertrace claims is feasible in practice. Furthermore, the emptinessof meta-compositions can be checked on-the-fly, using the technique for checking neverclaims [60].
7.5 On Expressing Some Constructs in SPIN
In this section, we will show how to express the semantics of some constructs in Promelausing nevertrace claims, although the major objective of the nevertrace claim is ex-pressing a new class of properties rather than replacing them.
7.5.1 Expressing Notrace Assertions
There are various ways to convert a notrace assertion into a nevertrace claim. As anexample, let us consider the notrace assertion in Section 7.2. We can construct an NFAin Fig. 7.4 which specifies the same property as the DFA in Fig. 7.2 of the notraceassertion for the model in Listing 7.1.
A nevertrace claim can be written according to the automaton.
nevertrace { /* containing two consecutive c2s!msg1 */S0:
It is easy to see, we used the following rules to convert the notrace assertion into a
112 Chapter 7. Nevertrace Claims for Model Checking
nevertrace claim.First, in the system model, all send operations of message msg on a channel ch must
have a label chsmsg, while all receive operations of message msg on the channel must havea label chrmsg. The labels of all statements other than channel operations should notstart with the names of declared channels.
Second, in the notrace assertion, (1) replace ch!msg by $chsmsg, ch?msg by $chrmsg;(2) for each state, add new transition expressions to match the statements outside thescope of the notrace assertion. In the example, for each state, we add a transition fromthe state to itself with the transition expression (!$c2ss#), since only send operations onthe channel c2s are within the scope of the notrace assertion.
7.5.2 Expressing Remote Label References
The predefined function procname[pid]@label is a remote label reference. It returns anonzero value only if the next statement that can be executed in the process procname[pid]is the statement with label.
It seems that procname[pid]@label can be also used as a transition expression, ifreplacing @ by $. However, there is a little difference in semantics. The remote label refer-ence is evaluated over the next statement of the process procname[pid], but the transitionexpression is evaluated over the last executed transition, which does not necessarily belongto the process procname[pid].
7.5.3 Expressing the Non-Progress Variable
The predefined non-progress variable np_ holds the value false, if at least one runningprocess is at a control-flow state with a progress-state label. It is used to detect theexistence of non-progress cycles.
It seems that the variable np_ is equivalent to our transition expression !$progress#.However, there is a little difference. The variable np_ is evaluated over all the runningprocesses, but the transition expression is evaluated over the last executed process.
7.5.4 Expressing Progress-State Labels
There are two types of progress cycles. A weak progress cycle is an infinite executioncycle that contains at least one of the progress-state labels, which denotes reaching someprogress-state labels infinitely often. A strong progress cycle is a weak progress cyclewith the requirement that each statement with a progress-state label in the cycle must beexecuted infinitely often.
Promela supports only the weak progress cycle, whereas our nevertrace claim canexpress the strong progress cycle.
As an example, let us consider the model in Listing 7.3 consisting of two processes p1and p2. Note that p1 does not execute any statement, but waits at the label progressfor ever.
Listing 7.3: A Promela Model of Two Processes1 chan ch = [ 0 ] of {bool } ;23 active proctype p1 ( ) {4 bool x ;
7.5. On Expressing Some Constructs in SPIN 113
5 prog r e s s : ch?x ;6 }78 active proctype p2 ( ) {9 bool x = 0 ;
In the verification mode of SPIN, none (weak) non-progress cycle is found, both withor without fairness condition3. All executions are weak progress cycles, since p1 stays forever at a progress-state label.
In contrast, we can find a strong non-progress cycle using the following nevertraceclaim, which can be constructed from the LTL formula <>[]!$progress#. If we modify anever claim generated from the LTL formula by SPIN, remember to replace the conditionstatement (1) or true by $# matching all transitions.
Note that the evaluation of transition expressions is over the last executed transition,and all the executable transitions do not have a progress-state label. Therefore, strongnon-progress cycles can be detected as counterexamples.
7.5.5 Expressing Accept-State Labels
There are two types of acceptance cycles. A weak acceptance cycle is an infinite executioncycle that contains at least one of the accept-state labels, which denotes reaching someaccept-state labels infinitely often. A strong acceptance cycle is a weak acceptance cyclewith the requirement that each statement with an accept-state label in the cycle must beexecuted infinitely often.
Promela supports only the weak acceptance cycle, whereas our nevertrace claim canexpress the strong acceptance cycle.
As an example, let us replace the label progress by accept in the model of Listing7.3. Note that p1 does not execute any statement, but waits at the label accept for ever.
3The (weak) fairness in SPIN means, if the executability of an executable statement never changes, itwill eventually be executed. The strong fairness means, if a statement becomes executable infinitely often,it will eventually be executed [72].
114 Chapter 7. Nevertrace Claims for Model Checking
In the verification mode of SPIN, a (weak) acceptance cycle is found, both with orwithout fairness condition. All executions are weak acceptance cycles, since p1 stays forever at an accept-state label. Therefore, (weak) acceptance cycles can be detected ascounterexamples.
In contrast, we cannot find any strong acceptance cycle using the following nevertraceclaim, which can be constructed from the LTL formula []<>($accept#). If we modify anever claim generated from the LTL formula by SPIN, remember to replace the conditionstatement (1) or true by $# matching all transitions.
Note that the evaluation of transition expressions is over the last executed transition,and all the executable transitions do not have an acceptance-state label. Therefore, thereis no strong acceptance cycle.
7.6 Related Work
In the previous section, we mentioned some differences between nevertrace claims andsome constructs in Promela. In this section, we would like to summarize the comparisonwith the most powerful two constructs in Promela, never claims and notrace assertions.
The major differences between nevertrace claims and never claims are obvious. Theyare used to specify properties on sequences of transitions (execution traces) and sequencesof states, respectively. A nevertrace claim is performed after executing a transition,whereas a never claim is started from the initial system state. A nevertrace claim isevaluated over the last executed transition, whereas a never claim is evaluated over thecurrent system state. Thanks to their different focuses, they can be used together in amodel checker to achieve stronger power.
Nevertrace claims and notrace (also trace) assertions are both about executiontraces, their major differences are as follows.
1. They have different scopes of checking. Nevertrace claims consider all transitions,whereas only simple send/receive operations are within the scope of notrace asser-tions. Furthermore, only the channel names that are specified in a notrace assertionare considered to be within its scope. All other transitions are ignored.
2. The notrace assertion cannot contain random receive, sorted send, or channel polloperations. But these can be also tracked by a nevertrace claim.
3. The notrace assertion must be deterministic, whereas the nevertrace claim couldbe nondeterministic, just like the never claim.
7.7. Conclusion 115
4. The notrace assertion does not execute synchronously with the system, but executesonly when events of interest occur. Whereas the nevertrace assertion executessynchronously with the system, just like the never claim.
7.7 Conclusion
In this chapter, we proposed the nevertrace claim, which is a new construct for specifyingthe correctness properties that either finite or infinite execution traces (i.e., sequences oftransitions) that should never occur. We showed the major contributions of this construct:a powerful construct for formalizing properties related to transitions and their labels, anda way for reducing the state space at the design stage.
The Asynchronous-Composition Buchi Automaton Control System (AC-BAC System)provides the theoretical foundation for checking nevertrace claims. We showed that thenevertrace claim and its checking problem are feasible in practice.
One important future work is to implement the nevertrace claim. Then empiricaldata could be collected to show whether and how much the nevertrace claim can reducethe state space and decrease checking time in practice, comparing with checking the sameproperties specified by existing constructs in SPIN. Another research direction is to makethe checking of nevertrace claims compatible with partial order reduction technique.
116 Chapter 7. Nevertrace Claims for Model Checking
8 9 10
(label: again, c2ssmsg)8: c2s!msg 9: x=x+1;
10: s2c?ack(label: s2crack)
(1) A1
15 17 18
(label: c2srmsg)16: c2s?msg 17: x=x-1;
18: s2c!ack(label: s2csack)
(2) A2
(3) A1 ·A2
8,150,[ ][ ]
8 16
9,150,[m][ ]
9 16
10,151,[m][ ]
10 16
9,170,[ ][ ]
9 17
10,171,[ ][ ]
10 17
9,18-1,[ ][ ]
9 18
10,180,[ ][ ]
10 18
10,150,[ ][ ]
10
T0 S4
$#
!$s2crack && $c2s#
!$s2crack
(4) Nevertrace Automaton
q0 q1
δ1 ∪ δ2 = {8, 9, 10, 16, 17, 18}
{8, 16}
{8, 9, 16, 17, 18}
(5) Ac
(6) (A1 ·A2)~· Ac
8,15q0
8 8
9,15q0
16169
9,15q1
9 16
10,15q1
16
9,17q1
9 17
10,17q1
17
9,18q1
9
10,18q1
18
10,15q1
10
Figure 7.3: An Example of Asynchronous-Composition BAC System
S0 S1 S2
$c2ssmsg2
$c2ssmsg1
$c2ssmsg2
$c2ssmsg1
$c2ssmsg1, $c2ssmsg2
!$c2ss# !$c2ss# !$c2ss#
Figure 7.4: The Nondeterministic Automaton of nevertrace Claim
Part II
The Model Monitoring Approachand Applications
117
Chapter 8
The Model Monitoring Approach
In this chapter, we propose the model monitoring approach, which is based on the the-ory of control systems presented in the first part. The key principle of the approach is“property specifications as controllers”. In other words, the functional requirements andproperty specification of a system are separately modeled and implemented, and the lat-ter one controls the behavior of the former one. The model monitoring approach containstwo alternative techniques, namely model monitoring and model generating. One impor-tant merit of the approach is better support for the change and evolution of propertyspecifications, which challenge the traditional development process.
8.1 The Model Monitoring Approach
Functional requirements and property specifications are two important factors in the de-velopment process. A design or product should implement the functional requirements toensure functionality, and satisfy the property specification to ensure dependability. Theprinciple of traditional development process is to integrate the property specification intothe implementation of functional requirements through testing, formal verification, etc.
In this section, we propose the model monitoring approach whose key principle is“property specifications as controllers”. In other words, the functional requirements andproperty specification of a system are separately modeled and implemented, and the latterone controls the behavior of the former one. This is obviously different from the principleof traditional development process.
There are numerous reasons and merits for using such a new principle. The mostimportant two of them are as follows.
First, functional requirements and property specifications have different natures, sincethey are defined by different groups of people in practice. Indeed, functional requirementsare usually derived from the requirements of clients, the decision of designers and devel-opers, etc. While property specifications are mainly required by quality engineers andtesting engineers, whose major interest is the dependability of products.
Second, property specifications may change during the entire life-cycle, including thedevelopment stage and post-implementation. The merit of the model monitoring approachin this context is the low coupling between the implementations of functional requirementsand property specification, which can decrease the cost of ensuring the changeful propertyspecification.
The process of the model monitoring approach consists of three major steps, as shown
119
120 Chapter 8. The Model Monitoring Approach
in Fig. 8.1.
functionalrequirements
(1)modeling
systemmodel M1
propertyspecification
(2)modeling
controllingmodel M2 (3)
meta-composition M = M1 ~· M2
Figure 8.1: The Process of the Model Monitoring Approach
At the first step, the system model M1 is captured from the functional requirements.This model contains functional semantics, which defines how the system behaves. Systembehavior modeling is achieved by system engineers, such as designers, programmers anddevelopers.
At the second step, the controlling model M2 over M1 is derived from the propertyspecification. M2 is also called a controller. This model contains correctness semantics,which defines what the system should do and what it should not do. Modeling controllersis the duty of quality engineers whose responsibility is to ensure dependability, includingreliability, safety, etc. Quality engineers may consist of requirements engineers, testingengineers, managers from higher socio-technical levels who define safety standards or reg-ulations [89], etc.
Note that M1 and M2 could be expressed using various types of model or formalisms,such as automata, grammars, ω-automata, pseudo-codes and other describing languages.The two models M1 and M2 should be expressed using the same formalism, or two for-malisms that could be converted into a common one. For example, linear temporal logicformulas could be translated into Buchi automata.
At the third step, the objective is to construct a control system consisting of M1 andM2. Then the global system M = M1~·M2 will satisfy the properties, since M2 restricts thebehavior of M1. Technically, we have two choices for implementing the meta-compositionoperator to deduce such a globally correct system as follows.
The first one is named model monitoring or explicit model monitoring. M1 and M2
are separately implemented, but maybe at different stages of life-cycle. That is, M2 canbe added or modified at later stages of life-cycle, even after the implementation of M1.The system M1 is controlled at runtime by M2 which reports, or blocks undesired actions,or recovers the system from hazardous states. We can incrementally add new propertiesto the controlling system M2 after we learn new dependability requirements. We can alsomodify the existing properties in the controlling system M2 if we find them erroneous.Note that we do not really implement the meta-composition M = M1 ~· M2. Instead, M1
and M2 constitute a global system that is equivalent to M . If the property specificationchanges, M1 will not be modified. We only need to revise M2, which is much easier andmore efficient than the traditional approach which leads to revise the whole system.
The second one is named model generating or implicit model monitoring. M1 and M2
are combined at design-time to generate a new correct model M = M1 ~· M2 satisfying theproperty specification. Then we implement the model M where M2 implicitly monitorsM1. If the specification changes, we only need to revise M2, then regenerate and implementa new model M ′. Because the computation of meta-composition can be automated, itis more efficient than manual analysis of counterexamples obtained through testing andverification and manual revision of the design in the traditional approach.
8.2. Supporting the Change and Evolution of Property Specifications 121
As a whole, we generally call the two alternative techniques the model monitoringapproach. In both of the two cases, the property specification is design-oriented. That is,the property specification is implemented directly or integrated into the design. This isdifferent from the traditional approach, where the property specification is more testing-oriented, i.e., used to verify a system design.
The word model in the term “model monitoring approach” denotes that designing acontroller usually depends on analyzing the model of the controlled system, and what isgenerated by model generating is usually a model rather than a complete implementation.
It is worth noting that the models M1, M2 could be expressed using automata or gram-mars. This means, the model monitoring approach could be used for both automata-basedsystems and grammar systems. Numerous industrial systems are automata-based systems(e.g., described using Buchi automata), while programming and modeling languages aretypical grammar systems described using context-free grammars. In the next chapter, wewill discuss two typical applications to show the strong power of this approach. The firstone concerns safety-related systems, which are automata-based systems. The second oneconcerns the Unified Modeling Language, which is a grammar system.
8.2 Supporting the Change and Evolution of Property Specifications
In this section, we discuss an important merit of the model monitoring approach, i.e.,supporting the change and evolution of property specifications, which is a challenge tothe traditional development process. The changes are common both at design-time andpost-implementation, especially for the systems whose life period is long, e.g., aircrafts,nuclear plants, critical embedded electronic systems, etc. Unfortunately, the changesof property specifications always cause high expenditure of rechecking and revising thesystem, especially when the system is too complex to be clearly analyzed manually or solarge that the revision is not trivial. Moreover, the changes may not only lead to modifya small portion of the system, but to revise the entire design. We are searching for atechnique supporting changeful property specifications at a lower cost.
It is well known that the change and evolution of requirements are common and chal-lenge the practice of system developing and maintenance [66]. The change may be a resultof various factors [17], such as experience of using the system after implementation and dis-tributing, dynamic and turbulent environments, requirements elicitation, new regulations,etc. As a result, engineers must take into account these changes and revise their systempost-implementation, of course at a high cost. The change and evolution of requirementsthrew down the gauntlet to the traditional development process. We must support thechange throughout the entire life-cycle from various aspects [50]. We are interested in theinnovations on the system development methodology for better support.
As we know, requirements include the following two classes [67]:1. Functional requirements, which are requirements pertaining to all functions that are
to be performed by the target system.2. Dependability requirements, which are requirements about the dependable operation
of the target system. Dependability requirements contain safety requirements, securityrequirements, reliability requirements, etc. For example, safety requirements [2, 9] focuson safety constraints specifying authorized system behaviors and components interactions,where a safety constraint specifies a specific safeguard [55]. A system may have differentdependability requirements under different contexts or critical levels. For instance, control
122 Chapter 8. The Model Monitoring Approach
software is imposed more strict constraints than entertainment software, even if both areembedded in aircrafts.
We are interested in the change and evolution of dependability requirements, the latterone of the two classes above. There are two common causes of the changes of dependabilityrequirements.
First, dependability requirements may change at design-time. Functional and depend-ability requirements are defined by different groups of people in industrial practice, i.e.,system engineers and quality engineers, respectively. At the beginning stage of systemdeveloping, quality engineers often find it very difficult to produce a complete set of de-pendability requirements. Thus, they add emergent dependability requirements duringthe development process, along with their increasing knowledge on the design.
Second, dependability requirements may change post-implementation. Some depend-ability requirements were unknown before the system is developed and used in real envi-ronment. For example, people always need to learn new safety requirements from historicalevents [90, 87]. Moreover, safety regulations change several times during the life-cycle aspeople requires a safer system. However, it will be expensive to modify the design afterwe learn these requirements, since the product has been released.
In the development process, dependability requirements are always modeled as prop-erty specifications. As a result, the changes discussed above will cause the change andevolution of property specifications.
In the past thirty years, model checking [31] achieved great success as a verificationtechnique for ensuring property specifications. It has been widely used to verify reactivesystems, by specifying and checking properties written in temporal logic formulas [75] orexpressed using Buchi automata.
The major disadvantages of model checking techniques under the change of propertyspecifications are the following two. First, the analysis of counterexamples and revisionof designs are not automated. If the system is complex, it is difficult to locate the faultsand revise the design without introducing new faults. As a result, the verification processis iterated until no fault is detected, thus increases the cost. Second, once new propertiesare introduced or existing properties are modified, the whole design or implementation(product) must be revised or redistributed at a high cost even impossible, especially whenthe system is very large.
Motivated by the need of improving the drawbacks, we can use the model monitoringapproach to fill the gap between the change of property specifications and traditionalverification process. The novel approach models the functional requirements and propertyspecification separately. Then two alternative techniques can be applied to ensure theproperties.
For the first alternative, namely model monitoring or explicit model monitoring foremphasis, the implementation of property specification is separated from the implementa-tion of functional requirements. A controlling system realizing the property specificationcontrols the behavior of the target system at runtime. The two systems constitute a cor-rect system from a global view. The interest of this approach is that we only need to revisethe controlling system to guarantee correctness, when the property specification changes.Since the controlling system is generally much smaller than the overall system, the cost ofanalysis and revision will be much lower.
For the second alternative, namely model generating or implicit model monitoring, anew system design satisfying the property specification can be automatically generated.
8.3. Example: Oven and Microwave Oven 123
We need only to implement directly the generated system design. The computation canbe automated, thus the cost of modifying the design will be lower.
The two alternatives improve the two mentioned disadvantages of traditional develop-ment process using model checking in the context of change and evolution.
8.3 Example: Oven and Microwave Oven
In this section, we first illustrate the model checking approach and our model monitoringapproach by treating the same example, then we compare the two approaches to show thedifferences between them.
Let us consider the behaviors of an oven and a microwave oven. They have similaroperations: start oven, open door, close door, heat, etc. One significant difference is thatwe can use an oven with its door open. We should only use a microwave oven with itsdoor closed for avoiding the damaging effects of radiation. Suppose we have a design ofan oven, we want to reuse this design for producing microwave ovens. We must imposeadditional constraints (a case of evolution of property specification). For example, we adda constraint: “the door must be closed when heating”.
Figure 8.2 extracts the Kripke model M of a design of oven. The atomic propositionsare: s (start), c (door is closed) and h (heat), i.e., AP = {s, c, h}. Each state is labeledwith both the atomic propositions that are true and the negations of the propositions thatare false in the state.
8.3.1 Using the Model Checking Approach
We aim at checking the property “when the oven is heating, the door must be closed”, i.e.,the LTL formula φ
def= G(h → c). For clarity and avoiding complex figures, we use thissimple formula. The approach can be automated and scaled up for more complex modelsand formulas. We are concerned with the automata-theoretic model checking which issyntactically similar to our approach (but there is no semantic similarity).
First, M is translated into a Buchi automaton AM of Fig. 8.3 by adding an initial stateq0. Each transition is labeled with its name pi and the associated symbol a ∈ Σ = 2AP .Each state is an accepting state.
Second, the negation of φ is translated into a Buchi automaton A¬φ of Fig. 8.4. For¬φ, we have
¬φ = ¬G(h→ c) = ¬(FalseR(¬h ∨ c)) = TrueU(h ∧ ¬c)
Thus, A¬φ of Fig. 8.4 is constructed recursively from TrueU(h ∧ ¬c). Each transition islabeled with a boolean expression, representing a set of symbols that correspond to truthassignments for AP that satisfy the boolean expression. Specifically, let Σ(ϕ) be the setof symbols making ϕ true, we have Σ(h ∧ ¬c) = {{h}, {s, h}}, Σ(True) = 2AP . We mayrepresent A¬φ by labeling its transitions with symbols in Σ instead of boolean expressions,i.e., the automaton of Fig. 8.5, with a similar style to Fig. 8.3.
Then, we compute the intersection AI = AM ∩ A¬φ. The double DFS (Depth FirstSearch) algorithm is called to decide the emptiness of AI on-the-fly. A subgraph of theintersection constructed by the algorithm is shown in Fig. 8.6. A state tij denotes acomposite state (qi, rj). The first DFS (solid transitions) starts from t00 to t73, then thesecond DFS (dashed transitions) is started at t73. A successor t83 is detected on the stackof the first DFS, then the algorithm reports a counterexample. Thus, L(AI) 6= ∅.
124 Chapter 8. The Model Monitoring Approach
s, c,¬h
¬s, c,¬h
s, c, h
¬s, c, h
s,¬c,¬h
¬s,¬c,¬h
s,¬c, h
¬s,¬c, h
close door
open door
start oven
warmup
start cooking
cookdone
start oven
warmup
start cooking
cookdone
close door
open door
Figure 8.2: The Kripke Model M of Oven
q0
q3
q2
q4
q5
q6
q1
q7
q8
p1 : ∅ p2 : {c}
p3 : ∅
p4 : {s, c}
p5 : {s, c, h}
p6 : {c, h}
p7 : {c, h}p8 : {c}
p9 : {s}
p10 : {s, h}
p11 : {h}
p12 : {h}p13 : ∅
p14 : {s, c}
p15 : {s}
Figure 8.3: The Buchi Automaton AM of Oven
r0
r1
r2
r3
True
True
h ∧ ¬c
h ∧ ¬cTrue
True
Figure 8.4: The Buchi Au-tomaton A¬φ of ¬φ
r0
r1
r2
r3
2AP
2AP
{h}, {s, h}
{h}, {s, h}2AP
2AP
Figure 8.5: A¬φ Labeledwith Σ
t00
t11
t61t72
t83t13
t63t73
∅
{s}{s, h}{h}
{h}
∅
{s}{s, h}
Figure 8.6: A Subgraph ofAI
r0 r1
¬h
c
¬h
c
Figure 8.7: The Buchi Au-tomaton Aφ of φ
r0 r1
δ(¬h)
δ(c)
δ(¬h)
δ(c)
Figure 8.8: The Control-ling Automaton Aφ
t00
t31
t21
t42
t52
t61
t11
p1
p2
p3
p4
p5
p6
p7p8
p9
p14
p15
Figure 8.9: C = AM ~· Aφ
8.3. Example: Oven and Microwave Oven 125
Finally, engineers must manually analyze the original design with the guide of thereported counterexample, locate the faults in the design, and revise the design. Theiterative process of model checking, counterexample analysis and revision is executed, untilL(AI) = ∅. Note that if the system is complex or large, the analysis of counterexampleand revision would be hard, because it is difficult to locate the faults. As a result, dueto the complexity and size of the system, the cost of manual analysis of counterexamplesand revision is high.
8.3.2 Using the Model Monitoring Approach
We also need the automaton AM of Fig. 8.3. However, we need a controlling automatonAφ instead of A¬φ. A controlling automaton is a Buchi automaton having an alphabet thatequals the set of transitions of the controlled automaton AM , i.e., Aφ = (Q′,Σ′, δ′, q′0, F
′)with Σ′ = δ where δ is the set of transitions of the controlled automaton AM . Thecontrolling automaton can be constructed from the property specification directly, or bytranslating the automaton Aφ (resulting in an alphabet-level controlling automaton).
For this example, we use Aφ which is translated from φ using the translation from LTLformulas to automata. For φ, we have
φ = G(h→ c) = FalseR(¬h ∨ c))
The constructed automaton Aφ is shown in Fig. 8.7.We observe the following fact: Let AI = AM ∩ Aφ, we have L(AI) ⊆ L(Aφ), i.e., AI
satisfies φ. The intersection AI satisfies the property φ by removing the transitions of AMthat violate the property. In other words, AI is a model satisfying φ.
We translate Aφ into an alphabet-level controlling automaton Aφ, by replacing eachboolean expression ϕ by δ(ϕ), which is the set of transitions labeling with one of thesymbols that correspond to truth assignments that satisfy ϕ. For example, each transitionof Aφ in Fig. 8.8 is labeled with a set of names of transitions of AM , where
Figure 8.10: The Kripke Model M ′ of Microwave Oven
Then we compute the meta-composition C of AM and the controlling automaton Aφ,denoted by C = AM ~· Aφ. The automaton C of Fig. 8.9 starts from the initial state
126 Chapter 8. The Model Monitoring Approach
r0
r1 r2
¬h
¬h
c
¬h c
c
Figure 8.11: The BuchiAutomaton Aφ of φ
r0
r1 r2
δ(¬h)
δ(¬h)
δ(c)
δ(¬h) δ(c)
δ(c)
Figure 8.12: The Control-ling Automaton Aφ
t00
t31
t21
t42
t52
t61
t11
t32
t22
p1
p2
p3
p4
p5
p6
p7p8
p9
p14
p15
p2
p3
p4
p14
p15
Figure 8.13: C = AM ~· Aφ
t00, a transition is allowed if and only if it is allowed by both AM and Aφ. Note that thehazardous transitions p10, p11, p12 and the unreachable transition p13 are eliminated. Themodel C satisfies the property φ. We can recover it to a Kripke model M ′ of Fig. 8.10 byremoving the initial state. It is easy to see the model M ′ satisfies the required property.
The model monitoring approach contains two alternative techniques to implement themeta-composition operator as follows.
One alternative, namely model monitoring or explicit model monitoring for emphasis,implements AM and Aφ separately, which constitute an overall correct system. Specifically,Aφ can be realized as a controlling system that monitors the behavior of the systemimplementing AM . If AM tries to apply a certain action that violates the properties, thecontrol system can detect it and call some predefined functions to alert, block the action,or recover from the hazardous state.
Another alternative, namely model generating or implicit model monitoring, imple-ments directly the automatically generated model M ′ as a correct model of microwaveovens, rather than separating the two implementations. In this case, Aφ monitors implic-itly the behavior of AM .
We may also use an equivalent automaton Aφ of Fig. 8.11 specifying φ, with thecorresponding controlling automaton in Fig. 8.12. The meta-composition C is shown inFig. 8.13. The hazardous transitions p10, p11, p12 and the unreachable transition p13 arealso eliminated. However, due to the redundant states in Aφ (e.g., r1 and r2 are equivalent),the number of states of C is increased. If we implement AM and Aφ separately using modelmonitoring, then there is no influence in complexity, because the overall system exploresonly one path at a time. If we use model generating, we must minimize the controllingautomaton first, or we minimize the generated meta-composition, in order to reduce thenumber of states by eliminating redundance in equivalence classes of states (e.g., t21 andt22 are equivalent). For example, the automaton of Fig. 8.13 can be reduced to the one ofFig. 8.9 by removing t22 and t32. To automate the computation of minimization, classicalgorithms for minimizing finite automata can be used [74].
8.3.3 A Technical Comparison with Model Checking
It is easy to see, the two approaches use different techniques. The model checking approachchecks the emptiness of the intersection AM ∩A¬φ, while the model monitoring approachconstructs the meta-composition AM ~· Aφ. That is, the model monitoring approach usesa controlling automaton Aφ rather than the automaton A¬φ specifying ¬φ, and meta-
8.4. Related Work 127
composition rather than intersection and emptiness checking.Model checking leads to revise the original design by manually analyzing the counterex-
ample violating the new property. Thus the cost is high, especially when the system is solarge and complex that the counterexamples cannot be effectively analyzed and revisionis not easy.
Model monitoring uses the automaton of Fig. 8.3, and adds a controlling systemimplementing the automaton of Fig. 8.8. The global system in Fig. 8.9 satisfies the newproperty. Note that Aφ is usually much smaller than the overall system, thus it is easierand cheaper to modify only the controlling component when the property specificationchanges at the later stages of life-cycle.
Model generating can automatically generate a new correct design (Fig. 8.10) bycomputing the meta-composition of the automata in Fig. 8.3 and Fig. 8.8. Higherefficiency can be achieved since the computation can be automated.
We remark here that Aφ of Fig. 8.8 is an alphabet-level controlling automaton, i.e.,all transitions associated with the same symbol of AM always appear together on thetransitions between two states of Aφ. In fact, all the controlling automata translatedfrom LTL formulas are alphabet-level controlling automata. The feature of alphabet-level control and the translation from LTL formulas are not necessary for constructingcontrolling automata. As we discussed in Section 6.1.3, controlling automata are moreflexible, and can be defined directly. These unnecessary features are just used for thecomparison with model checking in this example.
8.4 Related Work
A standard automata-theoretic model checking technique, developed by Vardi, Wolper,Holzmann et al. [37, 123, 60, 73, 71], was recalled in Section 2.5. We provided an exampleto show the differences between our approach and model checking. The comparison inSection 8.3.3 shows that there is no semantic similarity between them, although they aresyntactically similar due to the formalism of Buchi automata.
In this section, we further compare the model monitoring approach with model checkingto show its merits and limitations.
Merits
In the principle aspect, the essence of the model monitoring approach is the separationof functional requirements and property specification (derived from dependability require-ments), while model checking emphasizes integration. Thanks to the approach, peoplemay achieve lower cost of revising designs when the dependability requirements change,because only the controlling component needs modifications.
In the technical aspect, the model monitoring approach only checks one executionpath at a time at runtime, while model checking verifies all the possible execution paths atdesign time. Therefore, model monitoring is often significantly more practical than modelchecking, since it explores one computational path at a time, while model checking suffersthe state explosion problem because of the exhaustive search.
In the expressive power aspect, as we discussed in Section 6.1.3, the theoretical resultsshow that the BAC system is more powerful in specifying properties than the modelchecking techniques that use LTL formulas or regular properties.
128 Chapter 8. The Model Monitoring Approach
Limitations
There exist some unmonitorable properties that can be expressed by controlling automata,but cannot be monitored at runtime, e.g., liveness properties denoting that some state willoccur in the future. This is due to the fact that we cannot decide the violation of theseproperties in finite amount of time. For example, it cannot be monitored whether astate will appear infinitely often. These unmonitorable properties should be ensured usingmodel checking. To characterize the class of monitorable properties is a promising andinteresting direction for future work.
Complementarity
It is worth noting that the model monitoring approach and model checking have their ownadvantages, and should be used complementarily.
The model monitoring approach separates the system model and its controlling systemrelated to the property specification. Thus, the change and evolution of property speci-fications only result in modifying the design of controlling system. Since the controllingsystem is often much smaller than the overall system, the cost of modification is lower.This approach is especially useful in ensuring changeful properties.
The model checking approach integrates properties into the system design through au-tomated counterexample searching, manual analysis and revision. As a result, the changeand evolution of property specifications bring high cost of revising the design. However,the resulting system may be more efficient, since there is no additional communicationsbetween the controlled and controlling components. Thus, model checking is more suitablefor verifying invariable properties.
Therefore, invariable properties should be ensured through model checking, whilechangeful ones should be implemented through the model monitoring approach. Notethat classifying properties into the two categories (i.e., invariable and changeful) is atrade-off process. The classification depends on the individual system and the experiencesof designers. Discussions on this issue are beyond the scope of this thesis.
Furthermore, model checking could be used to verify the global control system con-structed via the model monitoring approach, in order to increase our confidence in thedesign of control systems.
8.5 Conclusion
In this chapter, we proposed the model monitoring approach, which is based on the theoryof control systems. The key principle of the approach is “property specifications as con-trollers”. As a merit, we showed that it can fill the gap between the change and evolutionof property specifications and the traditional development process using model checking.
One important future work is to characterize the monitorability. Then we are able todecide whether a given property is monitorable and whether it can be ensured via the modelmonitoring approach. Another research direction is to extensively explore other possibleapplications of the approach, which may in turn contribute to the further development ofthe approach and the underlining theory.
Chapter 9
Applications of the ModelMonitoring Approach
In this chapter, we discuss two applications of the model monitoring approach. The firstone concerns safety-related systems, which are automata-based systems. The second oneconcerns the UML (Unified Modeling Language), which is a grammar system. The twoapplications show the strong power of the proposed approach.
9.1 Theoretical Foundation of Safety-Related Systems in IEC 61508
In this section, after an introduction of the standard IEC 61508 and the SRS (Safety-Related System), we propose the concept of functional validity of the SRS, which meanswhether the safety functions realized by the SRS can really prevent accidents and recoverthe system from hazardous states, provided the expected safety integrity level is reached.A generic technical methodology is presented to achieve the functional validity of the SRS,and industrial experiences in designing functionally valid SRS are summarized. Finally, wewill show that model monitoring is the theoretical foundation of safety-related systems, andchecking functional validity is essentially checking an (ω-)AC system, e.g., BAC system.
9.1.1 IEC 61508 and Safety-Related Systems
The international standard IEC 61508 [77, 114, 15] provides a generic process for elec-trical, electronic, or programmable electronic (E/E/PE) safety-related systems to achievean acceptable level of functional safety. The principles of IEC 61508 have been recog-nized as fundamental to modern safety management [114], thus have gained a widespreadacceptance and been used in practice in many countries and industry sectors [53].
Like other safety standards (e.g., DO-178B [69]), IEC 61508 gives recommendationson best practices such as planning, documentation, verification, safety assessment, ratherthan concrete technical solutions. Thus, it is a generic standard for the safety managementthroughout the life-cycle, rather than a system development standard. More sector-specificand application-specific standards can be derived based on the standard, such as IEC 61511for the process industry [57], IEC 62061 for the machinery industry, IEC 61513 for thenuclear plant, EN 50126 for the European railway, and ISO 26262 for automotive safety.
As shown in Fig. 9.1, the first premise of the standard is that there is an equipmentintended to provide a function, and a system which controls it. The equipment is called
129
130 Chapter 9. Applications of the Model Monitoring Approach
an Equipment Under Control (EUC). The Control System (CS) may be integrated withor remote from the EUC. A fundamental tenet of the standard is that, even if the EUCand the CS are reliable, they are not necessarily safe. This is true for numerous systemsimplementing hazardous specification. They may pose risks of misdirected energy whichresult in accidents.
The second premise is that Safety-Related Systems (SRS) are provided to implementthe expected safety requirements, which are specified to reduce the risks and achieve func-tional safety for the EUC. The SRS may be placed within or separated from the CS. Inprinciple, their separation is preferred.
EUC
ControlSystem
Safety-RelatedSystem
Figure 9.1: The Architecture of Systems with the SRS
An SRS may comprise subsystems such as sensors, logic controllers, communicationchannels connected to the CS, and actuators. Usually, an SRS may receive two types ofinput: the values of safety-related variables monitored by its sensors, and the messagessent by the CS. Then the SRS executes computation to decide whether the system is in asafe state. According to the result, it may actualize safety functions through two types ofoutput: sending directly commands to its actuators, or sending messages to the CS.
9.1.2 Functional Validity of Safety-Related Systems
Let us consider two important problems that occur in industrial practice.The first one questions the rightness of overall and allocated safety requirements.
According to IEC 61508, safety requirements consist of two parts, safety functions andassociated safety integrity levels (SIL). The two elements are of the same importancein practice, because the safety functions determine the maximum theoretically possiblerisk reduction [56]. However, the standard focuses more on the realization of integrityrequirements rather than function requirements. As a result, the standard indicates onlythe product is of a given reliable integrity, but not whether it implements the right safetyrequirements.
Second, the standard does not prescribe exactly how the verification of safety functionsof an SRS could technically be done. On one hand, the standard calls for avoiding faultsin the design phase, since the ALARP principle (As Low As Reasonably Practicable) isadopted for determining tolerability of risk. Indeed, systematic faults are often introducedduring the specification and design phases. Unlike random hardware failures, the likelihoodof systematic failures cannot easily be estimated. On the other hand, the standard onlyrecommends a process and a list of techniques and measures during the design phase toavoid the introduction of systematic faults, such as computer-aided design, formal methods(e.g., temporal logic), assertion programming, recovery (see parts 2, 3 of [77]). The detailed
9.1. Theoretical Foundation of Safety-Related Systems in IEC 61508 131
use of these techniques is left to the designer.As a result, the problem of functional validity arises. Functional validity means
whether the safety functions realized by the SRS can really prevent accidents and re-cover the system from hazardous states, provided the expected safety integrity level isreached. People are searching for a generic technical methodology to achieve functionalvalidity.
In fact, with the introduction of the SRS, it becomes much more hard to ensure thesafety of the overall system, due to complex interactions and the resulting huge statespace. Unlike the case of a single CS, human is no longer capable to analyze manually andclearly the behaviors of the overall system. Therefore, we shall expect a computer-aidedmethod.
In the sequel, we will propose such a generic technical methodology (or a framework)for designing functionally valid SRS. To the best of our knowledge, we are the first toconsider the technical solution to functional validity in the literature. We focus on thesystems that operate on demand (i.e., discrete event). The methodology is based oncomputer-aided design in association with automated verification tools (e.g., SPIN).
9.1.3 Example: Chemical Reactor
As an example, consider an accident occurred in a batch chemical reactor in England[80, 87]. Figure 9.2 shows the design of the system. The computer, which served as acontrol system, controlled the flow of catalyst into the reactor and the flow of water forcooling off the reaction, by manipulating the valves. Additionally, the computer receivedsensor inputs indicating the status of the system. The designers were told that if anabnormal signal occurred in the plant, they were to leave all controlled variables as theywere and to sound an alarm.
Gearbox
Catalyst
Reactor CoolingWater
ControlSystem
Figure 9.2: Reactor Control System
Gearbox
Catalyst
Reactor CoolingWater
ControlSystem
Safety-RelatedSystem
Figure 9.3: Reactor Control System withSRS
On one occasion, the control system received an abnormal signal indicating a low oillevel in a gearbox, and reacted as the functional requirements specified, that is, soundedan alarm and maintained all the variables with their present condition. Unfortunately, acatalyst had just been added into the reactor, but the control system had not yet openedthe flow of cooling water. As a result, the reactor overheated, the relief valve lifted andthe contents of the reactor were discharged into the atmosphere.
132 Chapter 9. Applications of the Model Monitoring Approach
We believe that the safety-related system could be used to avoid the accident. Figure9.3 shows the role of the SRS in the overall system. It receives signals from additionalsensors, and communicates with the CS. The key issue is how to specify and design theSRS and prove its functional validity, i.e., the SRS is really efficient in the hazardouscontext. We illustrate a methodology based on computer-aided design in association withthe SPIN model checker.
The SPIN (Simple Promela INterpreter) model checker is an automated tool for ver-ifying the correctness of asynchronous distributed software models [73, 71, 72]. Systemmodels and correctness properties to be verified are both described in Promela (ProcessMeta Language). This chapter is based on SPIN Version 5.2.5, released on 17th April2010.
We will illustrate two main steps of the methodology: modeling the CS, and modelingthe SRS.
Modeling Control Systems. The first step is to analyze the behaviors of the CSby modeling it using Promela language. Listing 9.1 shows the model. The CS scans thestatus of the reactor, and then manipulates the valves according to the status.
Listing 9.1: The Promela Program for Reactor Control System1 #define sa ( ( abnorm && ! cata ) | | ( abnorm && cata && water ) )2 #define f con s t a t u s==nocata | | s t a t u s==encata3 mtype = {abnormal , nocata , encata , nowater , enwater } ;4 mtype s t a t u s = nocata ; /∗ s t a t u s o f the reac tor ∗/5 bool cata = fa l se ; /∗ whether c a t a l y s t f l ow i s open ∗/6 bool water = fa l se ; /∗ whether water f l ow i s open ∗/7 bool abnorm = fa l se ; /∗ whether abnormal s i g n a l occured ∗/89 /∗ random s imu la t ion o f scanning the s t a t u s ∗/
10 inl ine scan ( ) {11 i f12 : : true −> s t a t u s = abnormal ;13 : : cata == fa l se −> s t a t u s = nocata ;14 : : cata == true −> s t a t u s = encata ;15 : : water == fa l se −> s t a t u s = nowater ;16 : : water == true −> s t a t u s = enwater ;17 f i ;18 }1920 /∗ p o s s i b l e ac t i ons o f the system ∗/21 inl ine opencata ( ) { cata =true ; printf ( ”open cata −> ” ) ; }22 inl ine c l o s e c a t a ( ) { cata =fa l se ; printf ( ” c l o s e cata −> ” ) ; }23 inl ine openwater ( ) {water=true ; printf ( ”open water −> ” ) ; }24 inl ine c l o s ewate r ( ) {water=fa l se ; printf ( ” c l o s e water −> ” ) ;}25 inl ine alarm ( ) { abnorm = true ; printf ( ”alarm −> ” ) ; }26 inl ine ending ( ) { printf ( ” ending −> ” ) ; }2728 active proctype contro l sys tem ( ) {29 /∗ I n i t i a l a c t i ons omit ted ∗/30 do31 : : scan ( ) ;32 i f33 : : s t a t u s == abnormal −> alarm ( ) ; goto END;34 : : else −> i f35 : : s t a t u s==nocata && cata ==false−>opencata ( ) ;36 : : s t a t u s==encata && cata ==true −>c l o s e c a t a ( ) ;37 : : s t a t u s==nowater && water==false−>openwater ( ) ;38 : : s t a t u s==enwater && water==true −>c l o s ewate r ( ) ;39 : : else −> skip ;40 f i ;41 f i ;42 od ;
9.1. Theoretical Foundation of Safety-Related Systems in IEC 61508 133
43 END: ending ( ) ;44 assert ( sa ) ;45 }
Lines 1-2 define macros for specifying correctness properties.Lines 3-7 define the variables. Note that status denotes the detection of events (e.g.,
no catalyst or enough catalyst in the reactor), and controls the flow of the computation,while the other three variables save the state information.
Lines 10-18 simulate the input events to the CS. In the verification mode, SPIN canonly treat closed system without users’ input. Therefore, the status of reactor is gener-ated in a random manner, i.e., the if statement (lines 11-17) chooses randomly one ofthe alternative statements whose condition holds. Note that this matches exactly whathappens in practice, since the status of the reactor is determined nondeterministically bythe reaction and the environment, not the user.
Lines 21-26 define the primitive actions of the CS. To obtain an efficient model forverification, the real codes for manipulating physic equipments are replaced by printfstatements, which could be used for observing the execution traces of the CS.
Lines 28-45 specify the model of the CS. The non-critical codes (irrelevant to theconcerned property, e.g., the code for initiation) are omitted or simplified to produce anefficient model. In line 44, we check whether the system satisfies the safety assertion sa(c.f. line 1), which means when an abnormal signal occurs, either the flow of catalystmust be closed, or the flow of water must be also open if the flow of catalyst is open. Theviolation of this assertion may result in the mentioned accident.
In order to see whether the model describes exactly the behaviors of the CS, we runthe model through the simulation mode of SPIN. One of the outputs is as follows.
$ spin reactor.pml # Linux commandopen cata -> alarm -> ending ->spin: line 44 "reactor.pml", Error: assertion violated
The execution trace shows that the alarm is sounded after opening the flow of catalyst,then the safety assertion is violated. This trace characterizes exactly what happened inthe accident. It is worth noting that, due to the uncertainty of the value of status (c.f.lines 11-17), the assertion may be satisfied in another run. This is the reason why theplant had functioned well before the accident. As a result, in the simulation mode, it ispossible that an existing fault will not be detected after numerous runs.
To systematically check all the state space, we use the verification mode, which needscorrectness properties specifying hazard-free situation.
One possibility is to use assertions, such as what we did in line 44. Note that anassertion can only check the state at a single position in the execution (i.e., line 44), notthe remainder positions. The SPIN checks the assertion in the verification mode as follows.
The result shows that the unsafe state can really be reached.Another alternative for specifying correctness property is LTL formula. For this ex-
ample, the formula is φ def= G(cata → Fwater), where G means globally and F meansfuture [31]. It means whenever the flow of catalyst is opened, the system will have thechance to open the flow of water in the future. Of course, this is based on a reasonableassumption that the status will eventually be nowater when there is not enough water inthe reactor (i.e., there is a reliable sensor). This assumption is expressed by the fairnesscondition GF!fcon. The SPIN checks the LTL formula in the verification mode as follows([] denotes G, <> denotes F).
$ spin -a -f ’&&[]<>!fcon’ reactor.pml$ gcc pan.c$ ./a.out -A -a #disable assertion, check stutter-invariantState-vector 20 byte, depth reached 29, errors: 1
23 states, stored1 states, matched
24 transitions (= stored+matched)
After examined 23 states, SPIN detected the unsafe state. We can simulate the counterex-ample by tracing simulation.
Since we have already known that the CS may cause a hazardous state, we must makesure that the specified properties can detect the hazardous state, or else the properties arenot right. Then we introduce a SRS to control potential hazardous executions.
Modeling Safety-Related Systems. The second step is to construct the model ofthe SRS. We reuse and extend the established model of the CS, and derive an accuratemodel describing the behaviors of the SRS. Listing 9.2 shows the models. The model ofthe SRS receives messages sent by the CS and scans the values of the variables monitoredby its sensors, then computes whether the system is safe, and sends a message back to theCS.
Listing 9.2: The Promela Program for Reactor Control System with the SRS1 #define sa ( ( abnorm && ! cata ) | | ( abnorm && cata && water ) )2 #define f con s t a t u s==nocata | | s t a t u s==encata3 mtype = {abnormal , nocata , encata , nowater , enwater } ;4 mtype s t a t u s = nocata ; /∗ s t a t u s o f the reac tor ∗/5 bool cata = fa l se ; /∗ whether c a t a l y s t f l ow i s open ∗/6 bool water = fa l se ; /∗ whether water f l ow i s open ∗/7 bool abnorm = fa l se ; /∗ whether abnormal s i g n a l occured ∗/89 /∗ de f ine sa f e t y−r e l a t e d va r i a b l e s , messages s t r u c t u r e ∗/
10 typedef SRV { bool water ; }
9.1. Theoretical Foundation of Safety-Related Systems in IEC 61508 135
11 typedef MSG { bool water ; bool abnorm ; bool r e s ; }12 chan ch = [ 0 ] of { MSG } ; /∗ message channel ∗/1314 /∗random s imu la t ion o f scanning the s t a t u s ∗/15 inl ine scan ( ) {16 i f17 : : true −> s t a t u s = abnormal ;18 : : cata == fa l se −> s t a t u s = nocata ;19 : : cata == true −> s t a t u s = encata ;20 : : water == fa l se −> s t a t u s = nowater ;21 : : water == true −> s t a t u s = enwater ;22 f i ;23 }2425 /∗ p o s s i b l e ac t i ons o f the system ∗/26 inl ine opencata ( ) { cata=true ; printf ( ”open cata −> ” ) ;}27 inl ine c l o s e c a t a ( ) { cata=fa l se ; printf ( ” c l o s e cata−> ” ) ;}28 inl ine openwater ( )29 { water = true ; c s 2 s r s ( ) ; printf ( ”open water −> ” ) ; }30 inl ine c l o s ewate r ( )31 { water = fa l se ; c s 2 s r s ( ) ; printf ( ” c l o s e water −> ” ) ; }32 inl ine alarm ( ) {abnorm=true ; c s 2 s r s ( ) ; printf ( ”alarm −>” ) ;}33 inl ine ending ( ) { printf ( ” ending −> ” ) ; }34 inl ine c s e p r o ( )35 { printf ( ” e r r o r p r o c e s s i n g ( ” ) ;36 printf ( ” water opened” ) ;37 water = true ;38 printf ( ” ) −> ” ) ; }3940 /∗ communication between CS and SRS ∗/41 inl ine c s 2 s r s ( ) {42 i f43 : : abnorm == true −> msg . abnorm = true ;44 : : abnorm == fa l se −> msg . abnorm = fa l se ;45 f i ;46 i f47 : : water == true −> msg . water = true ;48 : : water == fa l se −> msg . water = fa l se ;49 f i ;50 msg . r e s = true ;51 ch ! msg ;52 ch ? msg ;53 i f54 : : msg . r e s == fa l se −> c s e p r o ( ) ;55 : : else −> skip ;56 f i ;57 }5859 active proctype contro l sys tem ( ) {60 /∗ I n i t i a l a c t i ons omit ted ∗/61 MSG msg ;62 do63 : : scan ( ) ;64 i f65 : : s t a t u s == abnormal −> alarm ( ) ; goto END;66 : : else −> i f67 : : s t a t u s==nocata && cata ==fa l se −>opencata ( ) ;68 : : s t a t u s==encata && cata ==true −>c l o s e c a t a ( ) ;69 : : s t a t u s==nowater && water==fa l se −>openwater ( ) ;70 : : s t a t u s==enwater && water==true −>c l o s ewate r ( ) ;71 : : else −> skip ;72 f i ;73 f i ;74 od ;75 END: ending ( ) ;76 assert ( sa ) ;77 }
136 Chapter 9. Applications of the Model Monitoring Approach
7879 /∗∗∗∗∗∗ The Safety−r e l a t e d System ∗∗∗∗∗∗/80 /∗ random s imu la t ion o f scanning the va lue s o f v a r i a b l e s ∗/81 inl ine s r s s c a n ( ) {82 i f83 : : s rv . water = true ;84 : : s rv . water = fa l se ;85 f i ;86 }8788 /∗ compute whether the system i s sa f e ∗/89 inl ine srs compute ( ) {90 i f91 : : msg . abnorm == true && msg . water == fa l se −>92 msg . r e s = fa l se ;93 : : msg . abnorm == true && srv . water == fa l se −>94 msg . r e s = fa l se ;95 : : else −> msg . r e s = true ;96 f i97 }9899 active proctype s r s ( ) {
100 /∗ I n i t i a l a c t i ons omit ted ∗/101 MSG msg ;102 SRV srv ;103 do104 : : true −>105 endsr s : ch ? msg ;106 s r s s c a n ( ) ;107 srs compute ( ) ;108 ch ! msg ;109 od ;110 }
Lines 10-11 define the inputs to the SRS. The type SRV defines a set of safety-relatedvariables, whose values could be obtained from additional sensors outside the CS andmanaged by the SRS. For this example, SRV monitors only whether the water flow is open.The type MSG defines the structure of the messages communicated between the CS andthe SRS. Line 12 defines a rendezvous channel for the message.
In lines 28-32, for each primitive action that modifies the values of the variables mon-itored by the SRS, the communication between the CS and the SRS is inserted. Thecommunication module (lines 41-57) reads information needed, and sends a message tothe SRS, then receives a response. The module analyzes the result in the returned mes-sage. If it indicates an unsafe state, the system calls the error processing module to recoverfrom the hazardous state.
The error processing module (lines 34-38) uses the information in the returned messageto decide the actions. The process could change the values of certain variables (e.g., line37) after manipulating physic equipments (e.g., in line 36, printf statement abstractsthe action of opening the valve). Note that more information could be contained in thereturned message in more complex systems (i.e., not only a boolean result), in order toprovide sufficient information for the error processing module to analyze the current state.
Lines 99-110 define the model of the SRS. It waits for the message sent by the CS, thenscans the values of the safety-related variables (lines 81-86), and computes whether thesystem is safe using the message and the safety-related variables (lines 89-97). Finally theSRS sends a response to the CS. Note that the computation in srs scan and srs computecould be different in various systems. Embedded C code could be used to implement morecomplex functions. Anyway, we use the same methodology and framework.
9.1. Theoretical Foundation of Safety-Related Systems in IEC 61508 137
In order to see whether the model characterizes exactly the behaviors of the SRS, werun the model through the simulation mode of SPIN. One of the outputs is as follows.
open cata -> error processing ( water opened ) -> alarm -> ending ->
The execution trace shows that the safety assertion is not violated, which is exactly whatwe expect to avoid the mentioned accident.
Then we check the assertion in the verification mode, and no error is found.
Zero errors mean that the assertion and the LTL property always hold in the execution,i.e., no unsafe state could be reached. Therefore, we conclude that the established modelof the SRS can successfully avoid the accident, i.e., a “functionally valid” SRS. Note that,if we use another computation in srs compute, the SRS may be not functionally valid(e.g., always let msg. res be true). That is the reason why we need such a methodologyto ensure functional validity.
It is worth noting that the combination of the CS and the SRS has 707 states and1637 transitions (the more complex the overall system is, the larger the state space is).Human is not able to analyze the correctness of such a complicated system. As a result,computer-aided design may be the only choice for developing functionally valid SRS.
9.1.4 Methodology for Designing Functionally Valid SRS
In this section, we propose the generic methodology for designing functionally valid safety-related systems. As we mentioned, the state space of the overall system including the CSand the SRS is much larger than a single CS or a single SRS. As a result, manual analysisand design of the SRS are always not trustworthy and error-prone. This methodology usescomputer-aided design in association with automated verification tools, thus can improveour confidence on the functional validity of the design of SRS.
We try to list exhaustively all the key issues that we know in the designing process,in order to guide the practice. Due to the wide application of the standard and the SRS,the reader may encounter different situation in various projects and industry sectors.Therefore, some necessary adaptations should be made in detail for a specific project.
Generally, there are three steps for developing a functionally valid SRS: modeling theCS, modeling the SRS and implementing the SRS. Here we only focus on the first two steps(i.e., the design process) which lead to a functionally valid design of the SRS, although itis worth noting that faults may be also introduced in the implementation process.
Modeling Control Systems. The first step is to construct the model of the CS. Theresults of this step are a Promela program for the CS and the correctness properties. Welist some key issues as follows.
138 Chapter 9. Applications of the Model Monitoring Approach
1. The first task is to derive accurate and efficient abstraction of the behaviors of theCS. Some typical issues are the following ones:
(a) Define variables, both for computation and checking. Some variables are usedfor computation, that is, implementing control flow, behaviors and semanticsof the system. Some variables are used for representing the state of the system,so they do not contribute to the functionality of the system. They are onlyused in the correctness properties to check the property of the indicated state.It is worth noting that the size of variables must be carefully defined. Theprinciple is “as small as possible”. The model checker will produce a huge statespace, of which each state contains all the defined variables. As a result, therestriction from int to byte will save considerable memory when checking.
(b) Simulate the random inputs to the CS. In the verification mode, the Promelamodel is a closed system. In other words, it cannot receive users’ inputs. As aresult, we must generate the inputs in the program.The best way is to generate the inputs randomly, i.e., nondeterministicallychoose one member from the set of all possible values. The advantage of thismethod is that it can simulate the uncertainty of the inputs, that is, we do notknow when a specific input will occur. For example, consider the sensors’ signalwhich is determined by the environment.
(c) Simplify reasonably the computation of the CS. Due to the size and complexityof the real system, an automated model checker may even be not able to producethe result in an acceptable instant. Obviously, the huge size contributes to ahuge number of states, and the complexity contributes to a huge number oftransitions. As a result, the size of the state space may be much larger thanthe memory, then the model checker will fail to accomplish the verification.One solution is to provide a more coarse abstraction of the CS. That is, we omitsome non-critical computations, e.g., the initiation of the system. Furthermore,some manipulations of physic equipments can be expressed with only a printfstatement, which does not increase the size of the state space.Another solution is to decompose the system into several parts, and check theseparts one by one. When checking one single part, we make the assumption thatthe other parts are correct. It is worth noting that the decomposition is relevantto the properties to check. That is, we must put all the functions relevant to acertain property into the same part, when checking the property.
(d) Use embedded C codes if necessary. Due to the complexity of embedded C codesand the lack of syntax checking, they are mainly used for automated modelextraction in SPIN. However, the strong expressive power of C code is anywaya tempting feature. Thus the recommendation is made only “if necessary”.
(e) Simplify or eliminate the codes for controlling equipments. Usually we assumethat the codes for implementing primitive manipulations are correct, e.g., open-ing the flow of water.
The criteria for judging the quality of the model are mainly accuracy and efficiency.Accuracy means that the model behaves exactly like the real CS, while efficiencymeans that the model is smart enough, e.g., the program should use variable, state-ment, and memory as less as possible.
9.1. Theoretical Foundation of Safety-Related Systems in IEC 61508 139
2. The second task is to derive correctness properties, i.e., assertions and LTL formulas.
(a) Assertions are used to check the property at a specific position in the program.Obviously, the expressive power is limited. Thus, if we want to check a propertyover all the state space, we must use LTL formulas.
(b) LTL formulas are used to check all the states in the system. Obviously, LTLformulas are more powerful. However, it is also worth noting that LTL formulascan considerably largen the state space. Thus we suggest to use them only whenassertions are not able to express a property.
3. Some Experiences.
(a) Check the exactitude of the established model, by using simulation mode. Theprintf statement can be used to output information about the state of the CS.Simulating the model for sufficient many times can show whether the modelworks as expected. Note that the criteria “sufficient many times” is due to theuncertainty of the inputs.
(b) Check the exactitude of the correctness properties, by using verification mode.If we aim at creating or modifying a SRS for identified risks, we must makesure that the correctness properties can detect the error caused by the identifiedrisks.
Modeling Safety-Related Systems. The second task is to construct the model ofthe SRS. The results of this step are a Promela program for the SRS and the codes forcommunication and error processing in the modified model of the CS. We list some keyissues as follows.
1. The premise is that we have the model of the CS and reuse it, e.g., the results ofthe last step.
2. The first task is to derive accurate and efficient abstraction of the behaviors of theSRS. Some typical issues are the following ones:
(a) Define the scope of input and output of the SRS. There are two types of input:the messages sent by the CS and the values of safety-related variables sent bythe sensors. The SRS may use only one of the two types, or both of them.There are two types of output: the messages sent to the CS and the directmanipulation of the equipment. Also, the SRS may use only one of the twotypes, or both of them.
(b) Define safety-related variables. A safety-related variable, which saves a valuesent by sensors, is used to collect additional information which is beyond thescope of the CS, or to collect a specific piece of information in the scope ofthe CS for increasing the reliability of the information. Note that more safety-related variables means higher cost of implementation.
(c) Choose the type of communication between the CS and the SRS. The SPINmodel checker supports two types of communications: rendezvous and bufferedcommunication. In order to process the demand from the CS to the SRS assoon as possible, and also provide information from the SRS to the CS to decidethe next action, we usually choose the rendezvous communication.
140 Chapter 9. Applications of the Model Monitoring Approach
(d) Define the structure of message. This depends on the information needed by theCS and the SRS. The values of the variables monitored by the SRS should besent from the CS to the SRS. The message should also contain all the necessaryinformation needed by the CS to deal with risks. In the simplest case, it is aBoolean result, indicating the system is safe or not. However, generally, theCS need more information to determine why the system is not safe, then it canactivate corresponding error processing functions.
(e) Define message channels. Usually, one channel is enough for the communicationbetween the CS and the SRS.
(f) Simulate the scanning of the values of safety-related variables. It is similarto the case “simulate the random inputs to the CS”. The random simulationexpress exactly the fact that the values are nondeterministically decided by theenvironment.
(g) Simplify reasonably the computation of the SRS. (Similar to the case of theCS.)
(h) Use embedded C code if necessary. (Similar to the case of the CS.)
3. The second task is to define the position for the communication between the CS andthe SRS. Generally, the usual location is between the assignment of key variablesmonitored by the SRS and the manipulation of physic equipment. Therefore, theSRS can check whether the system will be safe if the next manipulation is executed.If no, the SRS can send a message to activate the error processing functions.
4. The third task is to define the function of error processing. This step is different fordifferent projects, because it is based on the requirements of a specific system. Infact, the correctness of error processing plays also an important role in the correctnessof the overall system and the functional validity of the SRS.
5. Some Experiences.
(a) Check the exactitude of the established model, by using simulation mode. (Sim-ilar to the case of the CS.)
(b) Check the exactitude of the correctness properties, by using verification mode.We must make sure that the overall system (including the CS and the SRS)is safe, i.e., satisfies the specified correctness properties. If we aim at creatingor modifying a SRS for identified risks, we must make sure that the overallsystem can avoid the previously detected errors, since the SRS component andadditional error processing functions have been added.If errors are detected, we must check the design of the SRS, and also the ex-actitude of the correctness properties (because they may specify a semanticsdifferent to what we expect).
Implement the SRS. We implement the SRS using the established model and com-putation. Note that faults may also occur at this step. Since numerous guidelines exist inindustrial sectors to handle this issue, the discussion on reliable implementation is beyondthe scope of this thesis.
9.1. Theoretical Foundation of Safety-Related Systems in IEC 61508 141
Figure 9.6: The Controlling Automaton A Modeling the SRS
t00
t10 t20
t70
t30
t80
t40
p1
p15 p17
p14 p16
p2 p3 p4
p5
p7p8p9
p6
Figure 9.7: The Meta-composition C = AM ~· A
142 Chapter 9. Applications of the Model Monitoring Approach
9.1.5 Model Monitoring as the Theoretical Foundation
From the above example, we can perceive that the SRS controls the behavior of the CS atruntime. If the CS tries to perform some undesired actions, the SRS can alert, block theactions or recover the system from hazardous states. Intuitively, we can feel that there issome connection with model monitoring.
Let us consider the models of the CS and the SRS, i.e., the Promela programs. AKripke model M in Fig. 9.4 can be extracted from the Promela program of the CS, andcan be translated into a Buchi automaton AM in Fig. 9.5. The automaton violates thespecified properties, since hazardous states can be reached. For example, q6 will be reachedafter opening the flow of catalyst (p2) and sounding an alarm (p12), which can result inthe mentioned accident.
A controlling automaton A in Fig. 9.6 can be extracted from the semantics of themodel of the SRS, where δ(φ) denotes all transitions labeled with a truth assignmentsatisfying φ. For example, δ(w ∨ ¬a) = δ − {p10, p11, p12, p13}.
The automata AM and A constitute a BAC system. The meta-composition of the twocomponents results in the automaton C = AM ~· A in Fig. 9.7. The global system satisfiesthe property, since the hazardous states have been eliminated.
We also observed that checking functional validity of the SRS, which is equivalentto verify the global system (the CS + the SRS), is essentially checking the BAC systemC = AM ~· A.
In fact, numerous industrial systems can be modeled as automata. Therefore, it is easyto see that the (ω-)automaton control system ((ω-)AC System) and model monitoring areexactly the theoretical foundation of safety-related systems.
Furthermore, it is worth noting that checking functional validity is essentially checkingan (ω-)AC System. We have observed the equivalence between the CS and the controlledautomaton, and the equivalence between the SRS and the controlling automaton. There-fore, the meta-composition of an (ω-)AC system satisfies a property, if and only if theglobal system of the CS and the SRS is functionally valid. That is, if the verification onthe (ω-)AC system does not find any faults, then the functional validity of the constructedSRS is proved.
9.1.6 Conclusion
In this section, we proposed the concept of functional validity of the SRS, and a generictechnical methodology (or a framework) for designing functionally valid SRS. The method-ology is based on computer-aided design in association with automated verification tools.To the best of our knowledge, we are the first to consider the technical solution to func-tional validity of the SRS in the literature. Furthermore, we showed that model monitoringis the theoretical foundation of safety-related systems, and checking functional validity isessentially checking an (ω-)AC system.
9.2 Formalizing Guidelines and Consistency Rules of UML
Guidelines and consistency rules of UML are used to control the degrees of freedom pro-vided by the UML language to prevent faults. However, guidelines and consistency rulesprovide informal restrictions on the use of language, which make checking difficult. Inthis section, we consider these problems from a language-theoretic view. Guidelines and
9.2. Formalizing Guidelines and Consistency Rules of UML 143
consistency rules are formalized as controlling grammars that control the use of UML,i.e. the derivations using the grammar of UML. This approach can be implemented as aparser, which can automatically verify the rules on a UML user model in XMI format. Acomparison to related work shows our contribution: a generic, metamodel-independent,syntax-based approach that checks language-level constraints at compile-time.
This section is organized as follows. In the first three subsections, we introduce theUML specifications and the transformation to XML documents, the guidelines and con-sistency rules, and the grammar of UML in XMI, respectively. Then we illustrate how toformalize guidelines and consistency rules using Leftmost-derivation-based Grammar Con-trol Systems (LGC Systems). Finally, we discuss the implementation issue and relatedwork of this approach.
9.2.1 Unified Modeling Language
The Unified Modeling Language (UML) is a visual modeling language developed by ObjectManagement Group (OMG) [108, 109]. UML has emerged as the software industry’sdominant modeling language for modeling, specifying, constructing and documenting theartifacts of systems [100, 12]. Numerous commercial UML CASE tools are available, e.g.,Rational Rose, Altova UModel, MagicDraw, Visual Paradigm. Several open-source toolsalso exist, e.g., ArgoUML, StarUML.
Model, Metamodel, Meta-metamodel
A model is an instance of a metamodel (or language). For example, UML and the CommonWarehouse Metamodel (CWM) are metamodels, and a UML user model is an instance ofthe UML metamodel.
A metamodel is an instance of a meta-metamodel (or metalanguage). A meta-metamodelis typically more compact than a metamodel that it describes, and often used to defineseveral metamodels. For instance, the Meta Object Facility (MOF) is an example ofmeta-metamodel, since UML and CWM are both instances of MOF.
The specifications of UML and MOF include complex import and merge relationshipsbetween their packages, as shown in Fig. 9.8.
UML 2 Specification
The UML specification is defined using a metamodeling approach, i.e., a metamodel isused to specify the model that comprises UML. The UML specification is organized intotwo volumes. The UML Infrastructure defines the foundational language constructs re-quired for UML [108]. The UML Superstructure defines the user level constructs requiredfor UML [109].
The infrastructure of UML is defined by the package InfrastructureLibrary. The infras-tructure has three objectives: (1) defines a meta-metamodel (i.e., metalanguage) core thatcan be reused to define a variety of metamodels (i.e, languages) such as UML, MOF, CWM,and other emerging OMG metamodels; (2) architecturally aligns UML, MOF, and XMIso that model interchange is fully supported; (3) allows customization of UML throughProfiles and creation of new metamodels (i.e, languages) based on the same metalanguagecore as UML, such as SysML.
144 Chapter 9. Applications of the Model Monitoring Approach
Figure 9.8: Packages of UML and MOF
The package InfrastructureLibrary consists of the packages Core and Profiles.The Core package is a complete metamodel particularly designed for high reusability.
Note that the Core package is the architectural kernel of MDA (Model Driven Architec-ture). That is, MDA metamodels (e.g., UML, MOF, CWM) reuse all or parts of the Corepackage, which allows to benefit from the abstract syntax and semantics that have alreadybeen defined. In order to facilitate reuse, the Core package is subdivided into 4 packages:
• The package PrimitiveTypes simply contains a few predefined types that are com-monly used when metamodeling, e.g., UML and MOF.
• The package Abstractions contains abstract metaclasses that are intended to befurther specialized or reused by many metamodels. It is also subdivided into severalsmaller packages.
• The package Basic represents a few constructs that are used as the basis for theproduced XMI for UML, MOF and other metamodels based on the Infrastructure-Library.
• The package Constructs contains concrete metaclasses for object-oriented modeling.It is particular reused by both MOF and UML, and aligns the two metamodels.
As the second capacity besides reusability, the Core package is used to define themodeling constructs used to create metamodel, through instantiation of metaclasses in theInfrastructureLibrary. For example, the metaclasses in InfrastructureLibrary instantiatethe elements of UML, MOF, CWM and indeed the InfrastructureLibrary itself (i.e., self-describing or reflective).
The Profiles package depends on the Core package, and defines the mechanisms usedto tailor existing metamodels towards specific platforms (e.g., C++, CORBA, or Java) ordomains (e.g., real-time, business objects). Its primary target is UML, but may also be
9.2. Formalizing Guidelines and Consistency Rules of UML 145
used with any metamodel instantiated from the common Core package.
The superstructure of UML is defined by the package UML, which is divided into anumber of packages. The Kernel package is at the very heat of UML, and the metaclassesof other packages are dependent on it.
The Kernel package is primarily reused from the InfrastructureLibrary by using pack-age merge. Indeed, the Kernel package reuses the Constructs and PrimitiveTypes pack-ages, and adds more capabilities to the modeling constructs that are not necessary forreusing or alignment with MOF.
MOF 2 Specification
The MOF specification consists of the packages Essential MOF (EMOF) and CompleteMOF (CMOF) [105], which are both constructed by merging the UML InfrastructureLibrary packages (mainly the Core package) [108] and adding additional packages.
• EMOF model is defined as a kernel metamodeling capability. The value of EMOFis that it provides a framework for mapping MOF models to implementations suchas JMI and XMI for simple metamodels.
• CMOF model is the metamodel used to specify other metamodels such as UML 2.It is built from EMOF and the package Core::Constructs of UML 2. CMOF doesnot define any classes of its own. It only merges packages with its extensions thattogether define basic metamodeling capabilities.
In particular, EMOF and CMOF are both described using CMOF, which is also used todescribe UML, CWM, etc. Therefore, CMOF is simply referred to as MOF.
MOF is used as the metamodel for UML (as a model) and other languages such asCWM. In other words, every model element of UML is an instance of exactly one modelelement of MOF. Note that the InfrastructureLibrary is used at both the metamodel andmeta-metamodel levels, since it is being reused by UML (Infrastructure and Superstruc-ture) and MOF, respectively.
Therefore, the InfrastructureLibrary is reused in two different ways:
• All the elements of the UML metamodel are instantiated from meta-metaclasses inthe InfrastructureLibrary. (as meta-metamodel)
• The UML metamodel imports and specializes all metaclasses in the Infrastructure-Library. (as metamodel)
Other Related Specifications
OMG also provides numerous complementary specifications for UML 2 to facilitate thedevelopment of industrial applications. The most significant specifications are as follows.
The Object Constraint Language (OCL) specification [106] defines a formal languageused to describe expressions on UML models. These expressions typically specify invariantconditions that must hold for the system being modeled or queries over objects describedin a model.
The XML Metadata Interchange (XMI) specification [107] defines a model driven XMLintegration framework for defining, interchanging, manipulating and integrating XML data
146 Chapter 9. Applications of the Model Monitoring Approach
and objects. XMI-based standards are in use for integrating tools, repositories, applica-tions and data warehouses. XMI provides a mapping from MOF to XML schema, andrules by which a schema can be generated for any valid XMI-transmissible MOF-basedmetamodel. For example, XMI can facilitate interchanging UML models between differentmodeling tools in XML format.
The UML Diagram Interchange (UMLDI) specification enables a smooth and seamlessexchange of documents compliant to the UML standard (referred to as UML models)between different software tools. While this certainly includes tools for developing UMLmodels, it also includes tools such as whiteboard tools, code generators, word processingtools, and desktop publishing tools. Special attention is given to the Internet as a mediumfor exchanging and presenting UML models.
The MOF Query/View/Transformation (QVT) specification addresses a technologyneutral part of MOF and pertains to: (1) queries on models; (2) views on metamodels;and (3) transformations of models.
Transformations
Figure 9.9: Different Representations of UML Diagrams
Figure 9.9 vertically includes three levels of metamodeling: model (M1), metamodel orlanguage (M2), meta-metamodel or meta-language (M3). The figure horizontally includesdifferent representations of UML diagrams: graphic, XML-based and textual models. Thismeans, a UML user model may be expressed as a(n):
• graphic model. A UML user model is an instance of UML, which is an instance ofMOF.
• XML-based model. It is an XMI-compliant XML document that conforms to itsXML schema, and is a derivative of the XMI document productions which is definedas a grammar. The XML schema is a derivative of the XMI schema productions. TheXMI specification defines both the XMI schema productions and the XMI documentproductions in [107].
9.2. Formalizing Guidelines and Consistency Rules of UML 147
XMI provides a mapping between a UML user model and an XML document, and amapping between UML (also MOF) and an XML Schema. XMI generates an XMLfile using the XMI document productions, and generates an XML schema using theXMI schema productions. Each of the two sets of productions composes a context-free grammar in Extended BNF (Backus-Naur Form) [78]. A UML user modelcan be expressed using an XMI-compliant XML document that conforms to thecorresponding XML Schema, and is a derivative of the XMI document grammar.
• textual model, which is an instance of its grammar in BNF. For instance, a Javaprogram must be a derivative of the Java grammar. Also, a BNF grammar is aninstance of the grammar describing BNF grammars.
Numerous UML CASE tools support the standard transformation between UML di-agrams and XML files by implementing the XMI specification, such as UModel, VisualParadigm, MagicDraw.
Besides the standard UML transformation, there is related work on the transformationsbetween generic graphic modeling languages and EBNF-based (Extended BNF) grammars.For instance, [127] defined an EBNF grammar for ADORA, which is a graphic modelinglanguage. While in the converse direction, [51] discussed how to transform EBNF gram-mars into graphic UML diagrams.
Numerous tools support various model transformations. For example, ATL (ATLASTransformation Language) [79] is a generic model transformation tool based on transfor-mation rules. Most tools transform UML models to XML documents [42], e.g., the UMT(UML Model Transformation Tool) [65] is a transformation tool specific to UML, basedon a simplified schema of UML models, named XMI-Light.
9.2.2 Guidelines and Consistency Rules
Guideline is an important concept in industrial practice. It contains a set of rules whichrecommend certain uses of technologies (e.g., modeling and programming languages) toproduce more reliable, safe and maintainable products such as computer and softwaresystems. Guidelines are often required on the systems in some specific application domains.If these rules are not respected, the presence of faults is not sure but its risk is high.
As an example, the OOTiA (Object-Oriented Technology in Aviation [54]) provides theguidelines proposed by FAA (Federal Aviation Administration) to suggest the proper useof OOT for designing more reliable and safe avionic software systems. In OOTiA, one rulesays “multiple inheritance should be avoided in safety critical, certified systems” (IL #38),because “multiple inheritance complicates the class hierarchy” (IL #33) and “overuse ofinheritance, particularly multiple inheritance, can lead to unintended connections amongclasses, which could lead to difficulty in meeting the DO-178B objective of data and controlcoupling” (IL #25,37). Another rule is “the length of an inheritance should be less than 6”.Another rule about SDI (State Defined Incorrectly) says “if a computation performed byan overriding method is not semantically equivalent to the computation of the overriddenmethod with respect to a variable, a behavior anomaly can result”.
Consistency problems of UML models have attracted great attention from both aca-demic and industrial communities [83, 82, 76]. A list of 635 consistency rules are identifiedby [124, 125]. One kind of inconsistency is intra-model inconsistency among several dia-grams of a single model. Another kind is inter-model inconsistency between several models
148 Chapter 9. Applications of the Model Monitoring Approach
or versions of one system. These inconsistencies result from the following facts.First, generally, evolving descriptions of software artifacts are frequently inconsistent,
and tolerating this inconsistency is important [7, 44]. Different developers construct andupdate these descriptions at different times during development [104], thus result in in-consistencies.
Second, the multiple views of UML can provide pieces of information which are re-dundant or complementary, on which consistency constraints exist. Indeed, UML allowsmultiple views of a system to be expressed, and a piece of information of a view canbe deduced from other pieces of information. For example, the communication diagramscan be designed from the sequence diagrams. However, these various views may conflict,and produce inconsistent models. Therefore, the overall consistency is required, i.e., eachpartial view has to be in accordance with the others.
An important difference between guidelines and consistency rules is that consistencyrules must be satisfied in any context, or else there are definitely faults in the model.However, guidelines depend on context, it must be respected in some critical contexts toreduce the risk of faults, but could be violated in other less critical contexts. This means,consistency rules can be used for fault detection, whereas guidelines are fault preventionmeans.
It seems as if consistency rules and guidelines were irrelevant at first glance. However,in fact, they have the same origin from a language-theoretic view. We noticed that bothof the two types of potential faults in models come from the degrees of freedom offeredby a language. These degrees of freedom cannot be eliminated by reducing the capabilityof the language, but by controlling the use of language [102]. For instance, the multiplediagrams in UML are useful, as they describe various viewpoints on one system, even ifthey are at the origin of numerous inconsistencies. In the same way, multiple inheritanceis a powerful feature of the C++ language, although it violates the guidelines in OOTiAand increases the risk of faults.
Guidelines and consistency rules fall into two classes: language level (i.e. metamodellevel) and model level rules. The language level rules concern the use of language features,e.g., avoiding multiple inheritance. The model level rules concern the semantics of aspecific model, e.g., the SDI issue is related to the semantics of overridden and overridingmethods.
The language level rules are used to control the faults that result from the degreesof freedom of modeling languages. As an example, inheritance and multiple inheritanceare important features of OOT. They provide the degrees of freedom of using them, e.g.,the length of inheritance chain, the number of super classes. However, overuse of thesefeatures can lead to unintended connections among classes, thus cause the risk of faults.Therefore, we may suggest some rules to control the complexity of models, e.g., “the lengthof an inheritance chain should be less than 6”, “no more than 30 attributes in a class”.
To prevent these risks of faults, the use of language must be controlled. However, theexpression of guidelines and consistency rules is informal, thus checking them is difficult.For instance, 6 months were needed to check 350 consistency rules on an avionics UMLmodel including 116 class diagrams.
This section aims at formalizing guidelines and consistency rules, and proposing anapproach to ensure the correct use of language from a language-theoretic view. Techni-cally, acceptable uses of language are formalized as a controlling grammar handling theproductions of the grammar of the language. To support this idea, UML must be speci-
9.2. Formalizing Guidelines and Consistency Rules of UML 149
fied by a formal language, or at least a language with precisely defined syntax, e.g., XMI.Thus, a graphic model can be serialized. This formalism also provides a deeper view onthe origin of inconsistencies in models.
9.2.3 The Grammar of UML in XMI
XMI (XML Metadata Interchange) [107] is used to facilitate interchanging UML modelsbetween different modeling tools in XML format. Many tools implement the transforma-tion from UML models to XMI documents, e.g., Altova UModelr can export UML modelsas XMI files.
The grammar and its XMI document productions for deriving XMI-compliant XMLdocuments of UML models are defined in [107]. The main part of the grammar is given hereafter. To make our presentation more concise, we omit declaration and version informationof XML files (and the related productions whose names start with “1”).
To make later reasoning easier, we modified some representations of the productions,but without changing the generative power of the grammar.
1. The choice operator “|” is used to compose several productions with the same left-hand side into a single line in [107]. We decomposed some of these productions into severalproductions without the choice operator. An original production n having k choices mightbe divided into a set of productions {n i}1≤i≤k. For example, the original production 2with three choices was divided into the productions 2 1, 2 2 and 2 3.
2. The closure operator “*” is used to simplify the representation of the grammarin [107], but it also would make the representation of reasoning confusing. Thus, theproductions whose names start with “3” were added to replace the productions withclosure operators.
The grammar G of UML in XMI includes the following productions (each productionis labeled with a name starting with a digit):
In the grammar, the symbol “::=” stands for the conventional rewriting symbol “→”in formal language theory [74]. Each nonterminal starts with a capital letter, prefixinga label of the related production, e.g., “2:XMIElement” is a nonterminal with possibleproductions “2 1, 2 2, 2 3”. Each terminal starts with a lowercase letter or is quoted.
Figure 9.10: A Class Diagram Figure 9.11: An Activity Diagram
As an example to illustrate the use of the grammar, Figure 9.10 represents a package
9.2. Formalizing Guidelines and Consistency Rules of UML 151
Root which includes three classes, where the class FaxMachine is derived from Scanner andPrinter. The core part of the exported XMI 2.1 compliant file (using Altova UModelr) isas follows:
This text is a derivative of the XMI document productions, c.f. the previous grammarG. We may use the sequence of productions “2a 2, 2k(Package), 2d 2, 2e, 2f 1, 3h 1, 2h 1,2i” to derive the following sentential form:
Note that the production 2k has a parameter xmiName, i.e. the value of the terminalwhen applying the production. In a derivation, we specify a value of the parameteras “2k(value)”. For example, “2k(Package)” is a derivation using 2k with xmiName =“Package”. For simplicity, we consider “2k(value)” as a terminal as a whole. We continueto apply productions, and finally derive the XMI file previously presented.
Notice that the model of Fig. 9.10 (both in UML and XML) does not conform to theguidelines in OOTiA about multiple inheritance, since it uses multi-inheritance.
152 Chapter 9. Applications of the Model Monitoring Approach
As another example, the model of Fig. 9.11 has an inconsistency: “the number of out-going edges of ForkNode is not the same as the number of incoming edges of JoinNode”.In particular, JoinNode joins two outgoing edges from the same DecicionNode, This jointransition will never be activated, since only one of the two outgoing edges will be fired.
9.2.4 Formalizing Rules Using LGC Systems
We believe that the LGC System can be used to formalize and ensure the rules. Inthis section, we use some practical examples to illustrate how to check the conformanceto guidelines and consistency rules by controlling the use of the grammar of UML. Wedenote the grammar of UML by G = (N,T, P, S), where P is the set of productions listedin the previous section, and each production p ∈ P is labeled with a name starting witha digit.
Example 9.1. Consider two rules on class diagrams:Rule 1: Each class can have at most one generalization. As we mentioned, this rule
is a guideline. This rule is also a consistency rule in the context of Java, since Java doesnot allow multiple inheritance. However we may derive a class from multiple classes inthe context of C++.
Rule 2: Each class can have at most 30 attributes. This rule may be adopted bysoftware authorities as a guideline in avionics, in order to improve reliability and safety ofsoftware systems by minimizing the complexity of classes.
Note that these rules cannot be explicitly integrated into the grammar of UML, butonly recommended as guidelines or consistency rules. We cannot put Rule 1 into thestandard of UML, since UML models can be implemented with both C++ and Javaprogramming languages. Rule 2 is a restriction for a specific domain, and we should notrequire all programmers to use limited number of attributes by including the rule in theUML specification.
We aim to specify the rules from the meta-language level, that is, control the use of theUML language. Consider the example of Fig. 9.10, to obtain the associated XMI text, thesequence of applied productions of G in the leftmost derivation is as follows (“...” standsfor some omitted productions, to save space):
Let c, g stand for 2k(Class), 2k(Generalization), respectively. Note that the occur-rence of two g after the third c violates Rule 1. In fact, all the sequences of productions
9.2. Formalizing Guidelines and Consistency Rules of UML 153
S Qc Qg
D
c
c,D
g
c
D
g g
c, g,D
Figure 9.12: The Automaton Ac
of the pattern “...c...g...g...” are not allowed by the rule (there is no c between the two g),indicating that the class has at least two generalizations.
Thus, we propose the following controlling grammar Gc to restrict the use of languageto satisfy Rule 1:
Gc
S → c Qc | D S | εQc → c Qc | g Qg | D Qc | εQg → c Qc | D Qg | εD → {p | p ∈ P ∧ p 6∈ {c, g}}
(9.1)
where S,Qc, Qg, D are nonterminals, D includes all productions except c, g. L(Gc) acceptsthe sequences of productions satisfying Rule 1.
Implicitly, the controlling grammar specifies a finite state automaton Ac in Fig. 9.12,where is an implicit error state (the dashed circle). Strings containing the patternD∗cD∗gD∗g will lead Ac to the error state, indicating that there exists a class having atleast two generalizations.
If the sequence of productions applied to derive a model is accepted by the languageL(Gc), then the model conforms to Rule 1. In Fig. 9.10, the derivation of the classFaxMachine uses the patternD∗cD∗gD∗gD∗ 6∈ L(Gc), which leads to of the automaton,thus it violates Rule 1. On the contrary, the derivations of Scanner and Printer areaccepted by L(Gc), thus satisfy Rule 1. If we consider the whole model, the derivationuses the pattern D∗cD∗cD∗cD∗gD∗gD∗ 6∈ L(Gc), which also violates Rule 1.
Globally, any UML user model M derived from the LGC System C = G ~· Gc, i.e.M ∈ L(C), conforms to Rule 1.
Now let us consider Rule 2. Let c, pr, pe stand for 2k(Class), 2k(Property),2k(PackagedElement), respectively. Note that the occurrence of more than 30 pr after ac violates Rule 2. In fact, all the sequences of productions of the pattern “...c...(pr...)n, n >30” are not allowed by the rule (there is no c between any two pr’s), indicating that aclass has more than 30 attributes.
To satisfy Rule 2, we propose the following controlling grammar Gp to restrict the useof language:
154 Chapter 9. Applications of the Model Monitoring Approach
S Qc Q1 Q29 Q30
pe,D
cpe
c,D
prc
pe
D
pr pr
D
pe
cpr
D
pe
c
pr pr
c, pr, pe,D
Figure 9.13: The Automaton Ap
Gp
S → pe S | c Qc | D S | εQc → pe S | c Qc | pr Q1 | D Qc | εQi → pe S | c Qc | pr Qi+1 | D Qi | ε (1 ≤ i < 30)Q30 → pe S | c Qc | D Q30 | εD → {p | p ∈ P ∧ p 6∈ {c, pr, pe}}
(9.2)
where S,Qc, Qi, Q30, D are nonterminals, D includes all productions except c, pr, pe. L(Gp)accepts the sequences of productions satisfying Rule 2.
Implicitly, the controlling grammar specifies a finite state automaton Ap in Fig. 9.13.Strings containing the pattern “D∗c(D∗ pr)31” will lead Ap to the error state, indicatingthere exists a class having more than 30 attributes.
If the sequence of productions applied to derive a model is accepted by the languageL(Gp), then the model conforms to Rule 2. In Fig. 9.10, the derivations of the classesScanner and Printer use the pattern D∗cD∗prD∗ ∈ L(Gp), thus satisfy Rule 2. If weconsider the whole model, the derivation uses the pattern D∗cD∗prD∗cD∗prD∗cD∗ ∈L(Gp), thus also satisfies Rule 2.
Globally, any UML user model M derived from the LGC System C = G ~· Gp, i.e.M ∈ L(C), conforms to Rule 2.
Thanks to the controlling grammars, when a model violates required rules, the con-trolling language will reject the model (an implicit error state will be activated). Someerror handling method may be called to process the error, e.g., printing an error messageindicating the position and the cause.
As another example, we can also use controlling grammar to handle a consistency ruleconcerning activity diagrams.
Example 9.2. In an activity diagram, the number of outgoing edges of ForkNode shouldbe the same as the number of incoming edges of its pairwise JoinNode.
Let n, f, j, i, o stand for 2k(node), 2k(ForkNode), 2k(JoinNode), 2k(incoming), 2k(outgoing),respectively. We propose the following controlling grammar Ga to restrict the use of lan-guage to satisfy the rule:
9.2. Formalizing Guidelines and Consistency Rules of UML 155
Ga
S → N F I∗ Q O∗ N | N I∗ O∗ N | D∗
Q→ O Q I | N S N J
N → n D∗
F → f D∗
J → j D∗
I → i D∗
O → o D∗
D → {p | p ∈ P ∧ p 6∈ {n, f, j, i, o}}
(9.3)
L(Ga) accepts all the sequences of productions of the patternNFI∗OnNSNJInO∗N , which derive the models respecting the rule. This context-freegrammar implicitly specifies a PDA (Pushdown Automaton [74]), which is more complexthan the finite state automata in Figures 9.12 and 9.13.
Globally, any UML user model M derived from the LGC System C = G ~· Ga, i.e.M ∈ L(C), conforms to the rule in Example 9.2.
As an application of the LGC system, we consider the model in Fig. 9.11. The XMI-compliant document of the model in Fig. 9.11 is as follows:
It is easy to detect that the sequence of applied productions, which is of the pattern“...nD∗fD∗iD∗oD∗nD∗ ... nD∗jD∗iD∗i...”, is not accepted by L(Ga) (one o follows f ,while two i follow j), thus there is an inconsistency.
We remark here that there are two preconditions of using the controlling grammarconcerning the sequences of the model elements in the XML document: 1. ForkNode mustappear before its pairwise JoinNode; 2. incoming edges must appear before outcomingedges in a node. The two conditions are trivial, since it is easy to control their positionsin the exported XMI documents when implementing such a transformation.
9.2.5 Implementation of LGC Systems
In this section, we would like to shortly discuss the implementation issues.
Implementation of LGC Systems. As an instance of the model monitoring approach,we have two alternative techniques for implementing the meta-composition operator.
For the first alternative, namely model monitoring, the controlled grammar G and thecontrolling grammar G can be implemented as two parsers separately. The technique forconstructing a parser from a context-free grammar is rather mature [43, 1]. Some toolsprovide automated generation of parsers from a grammar specification, such as Lex/Yacc,Flex/Bison.
Note that the inputs of controlling parsers are the sequences of productions applied forparsing the model using G. So there are communications between the two parsers. Oncemodule G uses a production pi, then the name of the production is sent to G as an input.If G accepts the sequence of productions and G accepts the model, then the LGC systemG~· G accepts the model.
9.2. Formalizing Guidelines and Consistency Rules of UML 157
For the second alternative, namely model generating, the controlled grammar G andthe controlling grammar G can be translated into two automata A and A. Then the meta-composition of the automata C = A~· A can be computed and implemented as a parser byan automated tool. The meta-composition C accepts the model, if and only if the LGCsystem G~· G accepts the model, i.e., the model satisfies the constraints.
Multiple Rules. If we have multiple guidelines or consistency rules, each rule is for-malized using a grammar. We can develop an automated tool that converts the grammarsG1, ..., Gn into automata A1, ..., An, and then combine these automata to compute anintersection, i.e., an automaton A′ such that L(A′) = L(A1)∩ · · · ∩L(An) [74]. The inter-section A′ can be used as a controlling automaton, which specifies a controlling languageL(A′) that includes all the semantics of the rules.
Cost vs. Benefit. It seems as if writing a controlling grammar was expensive, becauseit involves formal methods. However, it is probably not the case. A controlling grammarspecifies language-level constraints, and can be reused by all the models derived from thesame controlled grammar. Thus the controlling grammar can be identified and formalizedby the organizations who define the language or its authorized usage, e.g., OMG and FAA(Federal Aviation Administration), respectively. Developers and software companies canuse the published standard controlling grammar for checking inconsistencies and ensuringguidelines in their models. In contrast, if every user write their own checking algorithmsand codes, e.g., in OCL or other expressions, the codes will be hard to be reused by otherusers who have different models to check. Thus the total cost of all the users may behigher.
9.2.6 Related Work
Most related work on checking consistency of UML uses specific semantics of UML models.Therefore, they have the flavor of model checking, e.g., Egyed’s UML/Analyzer [45, 46, 47]and OCL (Object Constraint Language) [106, 27]. At first, developers design UML dia-grams as a model. Then, the consistency rules are specified as OCL or similar expressions.Certain algorithms are executed to detect counterexamples that violate the rules.
There are several drawbacks of the existing approaches. First, these techniques usemodel-level constraints to express both model-level and language-level rules. Since theyuse specific semantics of UML models, these tools can only be used for UML, but not otherMOF-based languages. Second, OCL can only specify constraints on classes and types inthe class model. This means, it cannot be used to analyze other types of diagrams. Third,due to the complexity of the semantics of UML, existing tools only implement part of theconsistency rules. In particular, few UML tools have implemented the feature of checkingOCL expressions.
Unlike these techniques, our approach takes another way. At first, we specify thegrammar G of the language, which defines how the grammar can derive a model. Thisstep has been done by the XMI specification. Then the rules on the use of language aremodeled as a controlling grammar G, which defines what a language is authorized to derive.Finally, the two grammars constitute a global system satisfying the rules. Therefore, anyderivation of the global system is a correct and consistent use of the language.
In particular, our work differs from traditional techniques in the following aspects:
158 Chapter 9. Applications of the Model Monitoring Approach
1. Our work and traditional techniques express language-level and model-level con-straints, respectively. Language-level constraints are more efficient, because they implicitlyhave reusability. That is, we only need to develop one language-level constraint and applyit to all the models in the language. However, if using traditional techniques, we need toreplicate model-level constraints for each model.
2. Our work and traditional techniques use syntax-based and semantics-based ap-proaches (or static and dynamic analysis), respectively. Therefore, our approach is genericand metamodel-independent, and concerns little about semantics. There are two merits.First, we can use the same implementation method to ensure various constraints. Second,it can be applied to all MOF-compliant languages, not only UML. However, traditionaltechniques depend on the semantics of a language, thus specific algorithm should be de-veloped for each constraint and each metamodel.
3. Our work and traditional techniques catch errors at compile-time and runtime,respectively. Indeed, our approach implements the membership checking of context-freelanguages. That is, it searches in a limited space defined by the model. However, tra-ditional techniques, like model checking, may search in a larger, even intractable spacegenerated by the execution of the model. As a result, people have to limit the state spaceof computation, and introduce the coverage problem.
9.2.7 Conclusion
In this section, we provided a language-theoretic view on guidelines and consistency rules ofUML, and proposed to use LGC systems for ensuring the rules. The rules are consideredas controlling grammars which control the use of modeling languages. This approachis a generic, metamodel-independent, syntax-based technique that checks language-levelconstraints at compile-time. It can be also applied to other MOF-compliant languages,not only UML, since it does not depend on the specific semantics of UML.
One important future work is to develop a tool that implements the proposed approach.Then empirical data could be collected to show the merits and limitations, and comparethe benefits and costs of the approach.
Chapter 10
Conclusion
In this chapter, we conclude this thesis by summarizing contributions and future work.
10.1 Contribution
This thesis contributes to the study of reliability and safety of computer and softwaresystems, which are modeled as discrete event systems. The major contributions includethe theory of Control Systems (C Systems) and the model monitoring approach.
In the first part of the thesis, we studied the theory of C systems which combinesand significantly extends regulated rewriting in formal languages theory and supervisorycontrol. The family of C systems is shown in Fig. 10.1.
The C system is a generic framework, and contains two components: the controlledcomponent and the controlling component that restricts the behavior of the controlledcomponent. The two components are expressed using the same formalism, e.g., automataor grammars. The controlled component expresses a language L on inputs and outputs.Whereas the controlling component, also called a controller, expresses a controlling lan-guage restricting the use of L without changing L itself.
We consider various classes of control systems based on different formalisms, for exam-ple, automaton control systems, grammar control systems, and their infinite versions andconcurrent variants. In particular, we may classify C Systems as two categories, namelyC Systems and ω-C Systems, according to the length of accepted strings, i.e., finite wordsand infinite ω-words, respectively.
The C System on finite words is used for modeling and controlling systems with fi-nite length behaviors. It includes three classes, namely Grammar Control Systems (GCSystems), Leftmost-derivation-based Grammar Control Systems (LGC Systems) and Au-tomaton Control Systems (AC Systems).
The ω-C System on ω-words is used for modeling and controlling nonstop systemsthat generate ω-words. It includes also three major classes, namely ω-Grammar ControlSystems (ω-GC Systems), Leftmost-derivation-based ω-Grammar Control Systems (ω-LGC Systems) and ω-Automaton Control Systems (ω-AC Systems).
We further discussed the Buchi Automaton Control System (BAC System) which is aspecial case of the ω-AC System. The BAC system can provide transition-level supervisorycontrol on ω-words. The Alphabet-level BAC System (A-BAC System) is a restricted casethat can only provide alphabet-level supervisory control.
Some concurrent variants of the BAC system were also presented, such as the In-
159
160 Chapter 10. Conclusion
C systems (discussed applications)C systems on finite words (modeling systems with finite length behaviors)
GC systemsLGC systems (guidelines and consistency rules of UML)AC systems (transition-level supervisory control on finite words)
C systems on ω-words (modeling nonstop systems)ω-GC systemsω-LGC systemsω-AC systems (theoretical foundation of safety-related systems)
BAC systems (transition-level supervisory control on ω-words)A-BAC systems (alphabet-level supervisory control on ω-words)IO-AC systems (modeling concurrent systems - broadcasting comm.)IN-AC systems (modeling concurrent systems - rendezvous comm.)AC-BAC systems (nevertrace claims for model checking)
Figure 10.1: The Family of C Systems
put/Output Automaton Control System (IO-AC System), the Interface Automaton Con-trol System (IN-AC System) and the Asynchronous-Composition Buchi Automaton Con-trol System (AC-BAC System). The concurrent variants are used for modeling and con-trolling concurrent systems that consist of several components with various types of com-munication, e.g., broadcasting and rendezvous communications.
We studied the generative power of various classes of control systems. Note that theproofs of generative power provide also the techniques for constructing meta-compositions,which are useful for the verification and implementation of the global system.
After that, an application of the theory was presented. The AC-BAC system is usedto model and check correctness properties on execution traces specified by nevertraceclaims. We showed that the nevertrace claim and its checking problem are feasible inpractice.
In the second part of the thesis, we investigated the model monitoring approach whosetheoretical foundation is the theory of control systems. The key principle of the approachis “property specifications as controllers”. In other words, the functional requirements andproperty specification of a system are separately modeled and implemented, and the latterone controls the behavior of the former one. The model monitoring approach contains twoalternative techniques, namely model monitoring and model generating.
The approach can be applied in several ways to improve reliability and safety of variousclasses of systems. We presented some typical applications to show its strong power.
First, the model monitoring approach provides better support for the change andevolution of property specifications. We showed that it can fill the gap between thechange and the traditional development process using model checking.
Second, the (ω-)AC System provides the theoretical foundation of safety-related sys-tems in the standard IEC 61508 for ensuring the functional validity. We also showed thatchecking functional validity is essentially checking an (ω-)AC system.
Third, the LGC system is used to formalize and check guidelines and consistencyrules of UML. The rules are considered as controlling grammars which control the use ofmodeling languages. This approach is a generic, metamodel-independent, syntax-basedtechnique that checks language-level constraints at compile-time. It can be also applied to
10.2. Future Work 161
other MOF-compliant languages, not only UML, since it does not depend on the specificsemantics of UML.
These results lay out the foundations for further study of more advanced control mech-anisms, and provide a new way for ensuring reliability and safety.
10.2 Future Work
Numerous interesting and promising directions could be considered in the future, in orderto develop a more mature theory or explore other possible applications.
In the theory aspect, we need to further investigate the theoretical properties of Csystems. For example, the precise generative powers of some classes of C systems arestill unknown. Another problem is to characterize the monitorability, i.e., characterizationof the class of monitorable properties. This is important for deciding whether a givenproperty is monitorable and whether it can be ensured via the model monitoring approach.
In the application aspect, we may extensively explore other possible applications ofthe approach, which may in turn contribute to the further development of the approachand the underlining theory.
We may also develop tools to implement the discussed approaches and techniques whichare theoretically proved feasible. Then empirical data could be collected to show the meritsand limitations, and to compare the benefits and costs of the approach. For instance, it isinteresting to implement the nevertrace claim. Then empirical data could be collectedto show whether and how much the nevertrace claim can reduce the state space anddecrease checking time in practice, comparing with checking the same properties specifiedby existing constructs in SPIN. The similar research can also be done for formalizing andchecking guidelines and consistency rules of UML.
We may try to apply the model monitoring approach to more complex industrial sys-tems, and obtain empirical results. The results may provide new directions for theoreticalresearch as well as valuable experiences for other applications.
Bibliography
[1] Alfred V. Aho, Ravi Sethi, and Jeffrey D. Ullman. Compilers: Principles, Tech-niques, and Tools. Addison-Wesley, Reading MA, 1986.
[2] Karen Allenby and Tim Kelly. Deriving safety requirements using scenarios. InProceedings of the 5th IEEE International Symposium on Requirements Engineering(RE 2001), pages 228–235. IEEE Computer Society, 2001.
[3] Algirdas Avizienis, Jean-Claude Laprie, and Brian Randell. Fundamental Conceptsof Dependability. UCLA CSD Report 010028, LAAS-CNRS Report 01-145, Newcas-tle University Report CS-TR-739, 2001.
[4] Algirdas Avizienis, Jean-Claude Laprie, Brian Randell, and Carl E. Landwehr. Basicconcepts and taxonomy of dependable and secure computing. IEEE Transactionson Dependable and Secure Computing, 1(1):11–33, 2004.
[5] Christel Baier and Joost-Pieter Katoen. Principles of Model Checking. The MITPress, 2008.
[7] Robert Balzer. Tolerating inconsistency. In Proceedings of the 13th InternationalConference on Software Engineering (ICSE 1991), pages 158–165. IEEE ComputerSociety, 1991.
[8] Mordechai Ben-Ari. Principles of the SPIN Model Checker. Springer, 2008.
[9] Friedemann Bitsch. Safety patterns - the key to formal specification of safety re-quirements. In Udo Voges, editor, Proceedings of the 20th International Conferenceon Computer Safety, Reliability and Security (SAFECOMP 2001), volume 2187 ofLecture Notes in Computer Science, pages 176–189. Springer, 2001.
[10] JPL Special Review Board. Report on the loss of the mars polar lander and deepspace 2 missions. NASA Jet Propulsion Laboratory, 2000.
[11] Thomas Bochot, Pierre Virelizier, Helene Waeselynck, and Virginie Wiels. Modelchecking flight control systems: The airbus experience. In Proceedings of the 31st In-ternational Conference on Software Engineering (ICSE 2009), Companion Volume,pages 18–27. IEEE, 2009.
[12] Grady Booch, James Rumbaugh, and Ivar Jacobson. The Unified Modeling LanguageUser Guide (2nd Edition). Addison-Wesley, 2005.
163
164 BIBLIOGRAPHY
[13] Dominique Briere and Pascal Traverse. Airbus a320/a330/a340 electrical flight con-trols: A family of fault-tolerant systems. In Proceedings of the 23rd Annual Interna-tional Symposium on Fault-Tolerant Computing (FTCS 1993), pages 616–623. IEEEComputer Society, 1993.
[14] Lubos Brim, Ivana Cerna, Pavlına Varekova, and Barbora Zimmerova. Component-interaction automata as a verification-oriented component-based system specifica-tion. ACM SIGSOFT Software Engineering Notes, 31(2), 2006.
[15] Simon Brown. Overview of IEC 61508 - design of electrical/electronic/programmableelectronic safety-related systems. Computing & Control Engineering Journal,11(1):6–12, 2000.
[16] J. R. Buchi. On a decision method in restricted second order arithmetic. In Pro-ceedings of the International Congress on Logic, Methodology, and Philosophy ofScience, pages 1–11. Stanford University Press, 1960.
[17] Jim Buckley, Tom Mens, Matthias Zenger, Awais Rashid, and Gunter Kniesel. To-wards a taxonomy of software change. Journal of Software Maintenance, 17(5):309–332, 2005.
[18] Christos G. Cassandras and Stephane Lafortune. Introduction to Discrete EventSystems, 2nd Edition. Springer, 2008.
[19] William Chan, Richard J. Anderson, Paul Beame, Steve Burns, Francesmary Mod-ugno, David Notkin, and Jon Damon Reese. Model checking large software specifi-cations. IEEE Transactions on Software Engineering, 24(7):498–520, 1998.
[20] Zhe Chen and Gilles Motet. Formalizing safety requirements using controlling au-tomata. In Proceedings of the 2nd International Conference on Dependability (DE-PEND 2009), pages 81–86. IEEE Computer Society, 2009.
[21] Zhe Chen and Gilles Motet. A language-theoretic view on guidelines and consistencyrules of UML. In Proceedings of the 5th European Conference on Model DrivenArchitecture - Foundations and Applications (ECMDA-FA 2009), volume 5562 ofLecture Notes in Computer Science, pages 66–81. Springer, 2009.
[22] Zhe Chen and Gilles Motet. Modeling system safety requirements using input/outputconstraint meta-automata. In Proceedings of the 4th International Conference onSystems (ICONS 2009), pages 228–233. IEEE Computer Society, 2009.
[23] Zhe Chen and Gilles Motet. System safety requirements as control structures. InProceedings of the 33rd Annual IEEE International Computer Software and Ap-plications Conference (COMPSAC 2009), pages 324–331. IEEE Computer Society,2009.
[24] Zhe Chen and Gilles Motet. Nevertrace claims for model checking. In Proceedings ofthe 17th International SPIN Workshop on Model Checking of Software (SPIN 2010),Lecture Notes in Computer Science. Springer, 2010. To appear.
BIBLIOGRAPHY 165
[25] Zhe Chen and Gilles Motet. Separating functional and dependability requirements ofembedded systems. In Proceedings of the 7th International Conference on EmbeddedSoftware and Systems (ICESS 2010). IEEE Computer Society, 2010. To appear.
[26] Zhe Chen and Gilles Motet. Towards better support for the evolution of safetyrequirements via the model monitoring approach. In Proceedings of the 32nd Inter-national Conference on Software Engineering (ICSE 2010), pages 219–222. ACM,2010.
[27] Dan Chiorean, Mihai Pasca, Adrian Carcu, Cristian Botiza, and Sorin Moldovan.Ensuring UML models consistency using the OCL environment. Electronic Notes inTheoretical Computer Science, 102:99–110, 2004.
[28] Noam Chomsky. Three models for the description of language. IEEE Transactionson Information Theory, 2(3):113–124, September 1956.
[29] Noam Chomsky. Syntactic Structures. Mouton, The Hague, 1957.
[30] Edmund M. Clarke and E. Allen Emerson. Design and synthesis of synchronizationskeletons using branching-time temporal logic. In Logics of Programs, Workshop,Yorktown Heights, New York, May 1981, volume 131 of Lecture Notes in ComputerScience, pages 52–71. Springer, 1981.
[31] Edmund M. Clarke, Orna Grumberg, and Doron A. Peled. Model Checking. TheMIT Press, 2000.
[32] Rina S. Cohen and Arie Y. Gold. Theory of ω-languages. I: Characterizations ofω-context-free languages. Journal of Computer and System Sciences, 15(2):169–184,1977.
[33] Rina S. Cohen and Arie Y. Gold. Theory of ω-languages. II: A study of variousmodels of ω-type generation and recognition. Journal of Computer and SystemSciences, 15(2):185–208, 1977.
[34] Rina S. Cohen and Arie Y. Gold. ω-computations on deterministic pushdown ma-chines. Journal of Computer and System Sciences, 16(3):275–300, 1978.
[35] Rina S. Cohen and Arie Y. Gold. ω-computations on turing machines. TheoreticalComputer Science, 6:1–23, 1978.
[36] Rina S. Cohen and Arie Y. Gold. On the complexity of ω-type turing acceptors.Theoretical Computer Science, 10:249–272, 1980.
[37] Costas Courcoubetis, Moshe Y. Vardi, Pierre Wolper, and Mihalis Yannakakis.Memory-efficient algorithms for the verification of temporal properties. FormalMethods in System Design, 1(2/3):275–288, 1992.
[38] Jurgen Dassow. Grammars with regulated rewriting. In Carlos Martin-Vide, VictorMitrana, and Gheorghe Paun, editors, Formal Languages and Applications, Studiesin Fuzziness and Softcomputing 148, pages 249–273. Springer, 2004.
166 BIBLIOGRAPHY
[39] Jurgen Dassow and Gheorghe Paun. Regulated Rewriting in Formal Language The-ory. Springer, 1989.
[40] Jurgen Dassow, Gheorghe Paun, and Arto Salomaa. Grammars with controlledderivations. In Grzegorz Rozenberg and Arto Salomaa, editors, Handbook of FormalLanguages, volume II, pages 101–154. Springer, 1997.
[41] Luca de Alfaro and Thomas A. Henzinger. Interface automata. In Proceedings ofthe 8th European Software Engineering Conference and 9th ACM SIGSOFT Inter-national Symposium on Foundations of Software Engineering (ESEC/FSE 2001),pages 109–120, 2001.
[42] Eladio Domınguez, Jorge Lloret, Beatriz Perez, Aurea Rodrıguez, Angel Luis Rubio,and Marıa Antonia Zapata. A survey of UML models to XML schemas transfor-mations. In Proceedings of the 8th International Conference on Web InformationSystems Engineering (WISE 2007), volume 4831 of Lecture Notes in Computer Sci-ence, pages 184–195. Springer, 2007.
[43] Jay Earley. An efficient context-free parsing algorithm. Commun. ACM, 13(2):94–102, 1970.
[44] Steve M. Easterbrook and Marsha Chechik. 2nd international workshop on livingwith inconsistency. In Proceedings of the 23rd International Conference on SoftwareEngineering (ICSE 2001), pages 749–750. IEEE Computer Society, 2001.
[45] Alexander Egyed. Instant consistency checking for the UML. In Leon J. Osterweil,H. Dieter Rombach, and Mary Lou Soffa, editors, Proceedings of the 28th Inter-national Conference on Software Engineering (ICSE 2006), pages 381–390. ACM,2006.
[46] Alexander Egyed. Fixing inconsistencies in UML design models. In Proceedingsof the 29th International Conference on Software Engineering (ICSE 2007), pages292–301. IEEE Computer Society, 2007.
[47] Alexander Egyed. UML/Analyzer: A tool for the instant consistency checking ofUML models. In Proceedings of the 29th International Conference on Software En-gineering (ICSE 2007), pages 793–796. IEEE Computer Society, 2007.
[48] Clarence A. Ellis. Team automata for groupware systems. In Proceedings of In-ternational Conference on Supporting Group Work (GROUP 1997), pages 415–424.ACM, 1997.
[49] Joost Engelfriet and Hendrik Jan Hoogeboom. X-automata on ω-words. TheoreticalComputer Science, 110(1):1–51, 1993.
[50] Neil A. Ernst, John Mylopoulos, Yijun Yu, and Tien Nguyen. Supporting require-ments model evolution throughout the system life-cycle. In Proceedings of the 16thIEEE International Requirements Engineering Conference (RE 2008), pages 321–322. IEEE Computer Society, 2008.
BIBLIOGRAPHY 167
[51] Fathi Essalmi and Leila Jemni Ben Ayed. Graphical UML view from extendedbackus-naur form grammars. In Proceedings of the 6th IEEE International Con-ference on Advanced Learning Technologies (ICALT 2006), pages 544–546. IEEEComputer Society, 2006.
[52] Johannes Faber and Roland Meyer. Model checking data-dependent real-time prop-erties of the european train control system. In Proceedings of the 6th InternationalConference on Formal Methods in Computer-Aided Design (FMCAD 2006), pages76–77. IEEE Computer Society, 2006.
[53] Rainer Faller. Project experience with IEC 61508 and its consequences. SafetyScience, 42(5):405–422, 2004.
[54] Federal Aviation Administration. Handbook for Object-Oriented Technology in Avia-tion (OOTiA), vol. 2.1, Considerations and issues. U.S. Department of Transporta-tion, October 2004.
[55] Donald Firesmith. Engineering safety requirements, safety constraints, and safety-critical requirements. Journal of Object Technology, 3(3):27–42, 2004.
[56] Derek Fowler and Phil Bennett. IEC 61508 - a suitable bases for the certificationof safety-critical transport-infrastructure systems?? In Floor Koornneef and Meinevan der Meulen, editors, Proceedings of the 19th International Conference on Com-puter Safety, Reliability and Security (SAFECOMP 2000), volume 1943 of LectureNotes in Computer Science, pages 250–263. Springer, 2000.
[57] Heinz Gall. Functional safety IEC 61508 / IEC 61511 the impact to certification andthe user. In Proceedings of the 6th ACS/IEEE International Conference on ComputerSystems and Applications (AICCSA 2008), pages 1027–1031. IEEE, 2008.
[58] Paul Gastin and Denis Oddoux. Fast LTL to Buchi automata translation. In Proceed-ings of the 13th International Conference on Computer Aided Verification (CAV’01),volume 2102 of Lecture Notes in Computer Science, pages 53–65. Springer, 2001.
[59] Jean-Claude Geffroy and Gilles Motet. Design of Dependable Computing Systems.Kluwer Academic Publishers, 2002.
[60] Rob Gerth, Doron Peled, Moshe Y. Vardi, and Pierre Wolper. Simple on-the-flyautomatic verification of linear temporal logic. In Piotr Dembinski and Marek Sred-niawa, editors, Proceedings of the 15th IFIP WG6.1 International Symposium onProtocol Specification, Testing and Verification, pages 3–18. Chapman & Hall, 1995.
[61] Seymour Ginsburg. Algebraic and Automata-Theoretic Properties of Formal Lan-guages. Elsevier Science Inc., New York, NY, USA, 1975.
[62] Seymour Ginsburg and Sheila A. Greibach. Abstract families of languages. Studiesin Abstract Families of Languages, Memoir No. 87:1–32, 1969.
[63] Seymour Ginsburg, Sheila A. Greibach, and Michael A. Harrison. One-way stackautomata. Journal of the ACM, 14(2):389–418, 1967.
168 BIBLIOGRAPHY
[64] Seymour Ginsburg and Edwin H. Spanier. Control sets on grammars. MathematicalSystems Theory, 2(2):159–177, 1968.
[65] Roy Grønmo and Jon Oldevik. An empirical study of the UML model transformationtool (UMT). In Proceedings of the First International Conference on Interoperabilityof Enterprise Software and Applications (INTEROP-ESA), 2005.
[66] S.D.P. Harker, K.D. Eason, and J.E. Dobson. The change and evolution of require-ments as a challenge to the practice of software engineering. In Proceedings of IEEEInternational Symposium on Requirements Engineering (RE 1993), pages 266–272.IEEE Computer Society, 1993.
[67] Denis Hatebur and Maritta Heisel. A foundation for requirements analysis of de-pendable software. In Proceedings of the 28th International Conference on ComputerSafety, Reliability, and Security (SAFECOMP 2009), volume 5775 of Lecture Notesin Computer Science, pages 311–325. Springer, 2009.
[68] Klaus Havelund, Michael R. Lowry, and John Penix. Formal analysis of a space-craftcontroller using SPIN. IEEE Transactions on Software Engineering, 27(8):749–765,2001.
[69] Debra S. Herrmann. Software Safety and Reliability: Techniques, Approaches, andStandards of Key Industrial Sectors. IEEE Computer Society, 2000.
[71] Gerard J. Holzmann. The model checker SPIN. IEEE Transactions on SoftwareEngineering, 23(5):279–295, 1997.
[72] Gerard J. Holzmann. The SPIN Model Checker: Primer and Reference Manual.Addison-Wesley Professional, 2003.
[73] Gerard J. Holzmann and Doron Peled. The state of SPIN. In Rajeev Alur andThomas A. Henzinger, editors, Proceedings of the 8th International Conference onComputer Aided Verification (CAV 1996), volume 1102 of Lecture Notes in Com-puter Science, pages 385–389. Springer, 1996.
[74] John E. Hopcroft and Jeffrey D. Ullman. Introduction to Automata Theory, Lan-guages, and Computation. Addison-Wesley, Reading MA, 1979.
[75] Michael Huth and Mark Ryan. Logic in Computer Science: Modelling and Reasoningabout Systems, 2nd Edition. Cambridge University Press, 2004.
[76] Zbigniew Huzar, Ludwik Kuzniarz, Gianna Reggio, and Jean Louis Sourrouille, edi-tors. Workshop on consistency problems in UML-based software development III, co-located with UML’04, 2004. Available at http://www.ipd.bth.se/consistencyUML/.
[77] IEC. IEC 61508, Functional Safety of Electrical/Electronic/Programmable Elec-tronic Safety-Related Systems. International Electrotechnical Commission, 1999.
[79] Frederic Jouault, Freddy Allilaire, Jean Bezivin, and Ivan Kurtev. Atl: A modeltransformation tool. Science of Computer Programming, 72(1-2):31–39, 2008.
[80] T.A. Kletz. Human problems with computer control. Plant/Operations Progress,1(4), 1982.
[81] Takehisa Kohda and Yohei Takagi. Accident cause analysis of complex systems basedon safety control functions. In Proceedings of Annual Reliability and MaintainabilitySymposium (RAMS 2006), pages 570–576. ACM, 2006.
[82] Ludwik Kuzniarz, Zbigniew Huzar, Gianna Reggio, and Jean Louis Sourrouille, edi-tors. Workshop on consistency problems in UML-based software development II, co-located with UML’03, 2003. Available at http://www.ipd.bth.se/consistencyUML/.
[83] Ludwik Kuzniarz, Gianna Reggio, Jean Louis Sourrouille, and Zbigniew Huzar, ed-itors. Workshop on consistency problems in UML-based software development I, co-located with UML’02, 2002. Available at http://www.ipd.bth.se/consistencyUML/.
[84] Lawrence H. Landweber. Decision problems for ω-automata. Mathematical SystemsTheory, 3(4):376–384, 1969.
[85] Jean-Claude Laprie. Dependability: Basic Concepts and Terminology. Springer,1992.
[86] Nancy Leveson. Engineering A Safer World. Available at http://sunnyday.mit.edu/book2.html.
[87] Nancy Leveson. Safeware: System Safety and Computers. Addison-Wesley, Reading,MA, 1995.
[88] Nancy Leveson. Evaluating accident models using recent aerospace accidents. Tech-nical Report, MIT Dept. of Aeronautics and Astronautics, 2001. Available athttp://sunnyday.mit.edu/accidents.
[89] Nancy Leveson. A new accident model for engineering safer systems. Safety Science,42(4):237–270, 2004.
[90] Nancy Leveson. Applying systems thinking to analyze and learn from events. InWorkshop NeTWorK 2008: Event Analysis and Learning From Events, 2008. Avail-able at http://sunnyday.mit.edu/papers/network-08.doc.
[91] Nancy A. Lynch. Distributed Algorithms. Morgan Kaufmann Publishers, San Mateo,CA, 1996.
[92] Nancy A. Lynch. Input/output automata: Basic, timed, hybrid, probabilistic, dy-namic. In Proceedings of the 14th International Conference on Concurrency Theory(CONCUR 2003), volume 2761 of Lecture Notes in Computer Science, pages 187–188. Springer, 2003.
[93] Nancy A. Lynch and Mark R. Tuttle. Hierarchical correctness proofs for distributedalgorithms. In Proceedings of the 6th Annual ACM Symposium on Principles ofDistributed Computing (PODC 1987), pages 137–151, 1987.
[94] Nancy A. Lynch and Mark R. Tuttle. An introduction to input/output au-tomata. CWI Quarterly, 2(3):219–246, 1989. Also available as MIT Technical MemoMIT/LCS/TM-373.
[95] Solomon Marcus, Carlos Martın-Vide, Victor Mitrana, and Gheorghe Paun. A new-old class of linguistically motivated regulated grammars. In Proceedings of the 11thInternational Conference on Computational Linguistics in Netherlands, volume 37 ofLanguage and Computers - Studies in Practical Linguistics, pages 111–125. Rodopi,2000.
[96] Carlos Martın-Vide and Victor Mitrana. Decision problems on path-controlled gram-mars. International Journal of Foundations of Computer Science, 18(6):1323–1332,2007.
[97] G.H. Matthews. A note on asymmetry in phrase structure grammars. Informationand Control, 7:360–365, 1964.
[98] Kenneth Lauchlin McMillan. Symbolic Model Checking: An Approach to the StateExplosion Problem. Kluwer Academic, 1993.
[99] Robert McNaughton. Testing and generating infinite sequences by a finite automa-ton. Information and Control, 9(5):521–530, 1966.
[100] Nenad Medvidovic, David S. Rosenblum, David F. Redmiles, and Jason E. Robbins.Modeling software architectures in the unified modeling language. ACM Trans.Softw. Eng. Methodol., 11(1):2–57, 2002.
[101] Robin Milner. Communication and Concurrency. Prentice Hall, 1989.
[102] Gilles Motet. Risks of faults intrinsic to software languages: Trade-off betweendesign performance and application safety. Safety Science, 2009.
[103] Glenford J. Myers. The Art of Software Testing. Wiley, 1979.
[104] Bashar Nuseibeh, Steve M. Easterbrook, and Alessandra Russo. Leveraging incon-sistency in software development. IEEE Computer, 33(4):24–29, 2000.
[105] OMG. Meta Object Facility (MOF) Core Specification, version 2.0 (06-01-01). Ob-ject Management Group, 2006.
[110] Amir Pnueli. The temporal logic of programs. In Proceedings of the 18th IEEESymposium on Foundations of Computer Science (FOCS 1977), pages 46–57. IEEEComputer Society, 1977.
[111] Jean-Pierre Queille and Joseph Sifakis. Specification and verification of concurrentsystems in cesar. In Proceedings of the 5th International Symposium on Program-ming, volume 137 of Lecture Notes in Computer Science, pages 337–351. Springer,1982.
[112] P. J. Ramadge and W. M. Wonham. Supervisory control of a class of discrete eventprocesses. SIAM Journal on Control and Optimization, 25(1):206–230, 1987.
[113] P. J. Ramadge and W. M. Wonham. The control of discrete event systems. Pro-ceedings of the IEEE, 77(1):81–98, 1989.
[114] Felix Redmill. IEC 61508 - principles and use in the management of safety. Com-puting & Control Engineering Journal, 9(5):205–213, 1998.
[115] Grzegorz Rozenberg and Arto Salomaa. Handbook of Formal Languages: VolumeI-III. Springer Verlag, 1997.
[116] Arto Salomaa. Formal Languages. Academic Press Professional, 1987.
[117] Jørgen Staunstrup, Henrik Reif Andersen, Henrik Hulgaard, Jørn Lind-Nielsen,Kim Guldstrand Larsen, Gerd Behrmann, Kare J. Kristoffersen, Arne Skou, Hen-rik Leerberg, and Niels Bo Theilgaard. Practical verification of embedded software.IEEE Computer, 33(5):68–75, 2000.
[118] Robert Endre Tarjan. Depth-first search and linear graph algorithms. SIAM Journalon Computing, 1(2):146–160, 1972.
[119] Maurice H. ter Beek, Clarence A. Ellis, Jetty Kleijn, and Grzegorz Rozenberg. Syn-chronizations in team automata for groupware systems. Computer Supported Coop-erative Work, 12(1):21–69, 2003.
[120] Wolfgang Thomas. Automata on infinite objects. In Handbook of Theoretical Com-puter Science (vol. B): Formal Models and Semantics, pages 133–191. Elsevier Sci-ence Publishers B.V., 1990.
[121] Wolfgang Thomas. Languages, automata, and logic. In Handbook of Formal Lan-guages, volume III, pages 389–455. Springer, 1997.
[122] Jan Tretmans, Klaas Wijbrans, and Michel R. V. Chaudron. Software engineer-ing with formal methods: The development of a storm surge barrier control sys-tem revisiting seven myths of formal methods. Formal Methods in System Design,19(2):195–215, 2001.
[123] Moshe Y. Vardi and Pierre Wolper. Reasoning about infinite computations. Infor-mation and Computation, 115(1):1–37, 1994.
[124] Jean-Pierre Seuma Vidal, Hugues Malgouyres, and Gilles Motet. UML 2.0Consistency Rules. Available on Internet, 2005. URL: http://www.lattis.univ-toulouse.fr/UML/.
172 BIBLIOGRAPHY
[125] Jean-Pierre Seuma Vidal, Hugues Malgouyres, and Gilles Motet. UML 2.0 consis-tency rules identification. In Proceedings of the 2005 International Conference onSoftware Engineering Research and Practice (SERP’05). CSREA Press, 2005.
[126] Klaas Wijbrans, Franc Buve, Robin Rijkers, and Wouter Geurts. Software engi-neering with formal methods: Experiences with the development of a storm surgebarrier control system. In Proceedings of the 15th International Symposium on For-mal Methods (FM 2008), volume 5014 of Lecture Notes in Computer Science, pages419–424. Springer, 2008.
[127] Yong Xia and Martin Glinz. Rigorous EBNF-based definition for a graphic modelinglanguage. In Proceedings of the 10th Asia-Pacific Software Engineering Conference(APSEC 2003), pages 186–196. IEEE Computer Society, 2003.
1. Zhe Chen and Gilles Motet. Towards better support for the evolution of safetyrequirements via the model monitoring approach. In Proceedings of the 32nd Inter-national Conference on Software Engineering (ICSE 2010), pages 219–222. ACM,2010.
2. Zhe Chen and Gilles Motet. Nevertrace claims for model checking. In Proceedings ofthe 17th International SPIN Workshop on Model Checking of Software (SPIN 2010),Lecture Notes in Computer Science. Springer, 2010. To appear.
3. Zhe Chen and Gilles Motet. Separating functional and dependability requirements ofembedded systems. In Proceedings of the 7th International Conference on EmbeddedSoftware and Systems (ICESS 2010). IEEE Computer Society, 2010. To appear.
4. Zhe Chen and Gilles Motet. System safety requirements as control structures. InProceedings of the 33rd Annual IEEE International Computer Software and Appli-cations Conference (COMPSAC 2009), pages 324–331. IEEE Computer Society,2009.
5. Zhe Chen and Gilles Motet. A language-theoretic view on guidelines and consistencyrules of UML. In Proceedings of the 5th European Conference on Model Driven Archi-tecture - Foundations and Applications (ECMDA-FA 2009), volume 5562 of LectureNotes in Computer Science, pages 66–81. Springer, 2009.
6. Zhe Chen and Gilles Motet. Formalizing safety requirements using controlling au-tomata. In Proceedings of the 2nd International Conference on Dependability (DE-PEND 2009), pages 81–86. IEEE Computer Society, 2009.
7. Zhe Chen and Gilles Motet. Modeling system safety requirements using input/out-put constraint meta-automata. In Proceedings of the 4th International Conferenceon Systems (ICONS 2009), pages 228–233. IEEE Computer Society, 2009.
