Research Article Bounded Model Checking of ETL Cooperating with
advertisement
Hindawi Publishing Corporation
Journal of Applied Mathematics
Volume 2013, Article ID 462532, 12 pages
http://dx.doi.org/10.1155/2013/462532
Research Article
Bounded Model Checking of ETL Cooperating with
Finite and Looping Automata Connectives
Rui Wang, Wanwei Liu, Tun Li, Xiaoguang Mao, and Ji Wang
College of Computer Science, National University of Defense Technology, Changsha, Hunan 410073, China
Correspondence should be addressed to Wanwei Liu; wwliu@nudt.edu.cn
Received 8 March 2013; Accepted 14 June 2013
Academic Editor: Xiaoyu Song
Copyright © 2013 Rui Wang et al. This is an open access article distributed under the Creative Commons Attribution License, which
permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
As a complementary technique of the BDD-based approach, bounded model checking (BMC) has been successfully applied to LTL
symbolic model checking. However, the expressiveness of LTL is rather limited, and some important properties cannot be captured
by such logic. In this paper, we present a semantic BMC encoding approach to deal with the mixture of ETLπ and ETLπ . Since such
kind of temporal logic involves both finite and looping automata as connectives, all regular properties can be succinctly specified
with it. The presented algorithm is integrated into the model checker ENuSMV, and the approach is evaluated via conducting a
series of imperial experiments.
1. Introduction
A crucial bottleneck of model checking is the state-explosion
problem, and the symbolic model checking technique has
proven to be an applicable approach to alleviate it. In the
early 1990s, McMillan presented the BDD [1] based model
checking technique [2]. It is first applied to CTL model checking and is later adapted to deal with LTL. With the rapid
evolvement of SAT solvers, an entirely new approach, namely,
bounded model checking (BMC), is presented in [3]. It rerpresents the problem “there is a path (with bounded length) violating the specification in the model” with a Boolean formula
and then tests its satisfiability via a SAT solver. Usually, BMC
is considered to be a complementary approach of the BDDbased approach: BMC is normally used for hunting bugs not
for proving their absence. It performs better when handling
a model having a large reachable state set but involving
(relatively) shallow error runnings.
BMC has been successfully employed in LTL model
checking. However, LTL has the drawback of limited expressiveness. Wolper was the first to complain about this by
addressing the fact that some counting properties such as “π
holds at every even moment” cannot be expressed by any
LTL formula [4]. Indeed, LTL formulae are just as expressive
as star-free π-expressions, that is, π-regular expressions disallowing arbitrary (in a star-free expression, Kleene-closure
operators (β∗ and βπ ) can only be applied upon Σ, which is
the whole set of alphabet) use of Kleene-closure operators.
As pointed in [5, 6], it is of great importance for a specification language to have the power to express all π-regular
properties—as an example, it is a necessary requirement to
support modular model checking. Actually, such specification language like PSL [7] has been accepted as industrial
standard.
For temporal logics within linear framework, there are
several ways to pursue such an expressiveness.
(1) The first way is to add fixed-point operators or propositional quantifiers to the logic, such as linear πcalculus [8] and QLTL [9].
(2) An alternative choice is to add regular expressions to
LTL-like logics, as done in RLTL [10], FTL [11, 12], and
PSL [7].
(3) The third approach is to cooperate infinitely many
temporal connectives with the logic, just like various
of ETLs [4, 9, 13].
The first extension requires finitely many operators in
defining formulae. Meanwhile, the use of fixed-point operators and higher-order quantifiers tends to rise difficulties in
understanding. In contrast, using regular expressions or
automata as syntactical ingredients is much more intuitive in
2
Journal of Applied Mathematics
comprehension. To some extent, since nesting of automata
connectives is allowed, the third approach generalizes the
second one.
In [4], Wolper suggested using right linear grammars as
connectives. Later, Wolper, Vardi, and Sistla consider taking various π-automata [9, 13]. Depending on the type of
automata used as temporal connectives, we may obtain various ETLs. As a result, ETLs employing π-automata with looping, finite, and repeating (alternatively, BuΜchi [14]) acceptance
are, respectively, named ETLπ , ETLπ , and ETLπ , and all of
them are known to be as expressive as π-regular expressions
[13].
We have presented a BDD-based model checking algorithm for ETLπ in [15] and an algorithm for BDD-based
model checking of an invariant of PSL in [16]. Jehle et al.
present a bounded model checking algorithm for linear πcalculus in [17]. And in [18], a tester based symbolic model
checking approach is proposed by Pnueli and Zacks to deal
with PSL properties. Meanwhile, a modular symbolic BuΜchi
automata construction is presented in [19] by Cimatti et al.
In this paper, we present a semantic BMC encoding for
ETL employing both finite acceptance and looping acceptance automata connectives (we in the following refer to it as
ETLπ+π ). The reason that we study BMC algorithm for such
kind of logic is for the following considerations.
(1) The BDD-based symbolic model checking technique
for ETLπ has been established in [15] by extending
LTL construction [20]. Nevertheless, in a pure theoretical perspective, looping and finite acceptance,
respectively, correspond to safety and liveness properties, and looping acceptance automata can be viewed
as the counterparts of finite acceptance automata.
Actually, both similarities and differences could be
found in compiling the semantic models and translating Boolean representations when dealing with these
two types of connectives. Since ETLπ+π has a rich set
of fragments, such as LTL, it is hopeful to develop a
unified semantic BMC framework of such logics.
(2) Practically, things would usually be much more succinct when employing both types of automata connectives, in comparison to merely using finite or looping ones. As an example, there is no direct encoding
for the temporal operator G just with finite acceptance
automata—to do this with ETLπ , we need to use a
two-state and two-letter connective to represent the
operator F and then to dualize it. In contrast, with
looping automata, we just need to define a one-state
and one-letter connective. It would save much space
overhead in building tableaux.
(3) Lastly, unlike syntactic BMC encodings (such kind
of encodings give inductive Boolean translations with
the formulae’s structure, cf. [21, 22] for a survey), the
semantic fashion [22] yields a natural completeness
threshold computation approach, and it describes the
fair path finding problem over the product model
with Boolean formulae. In this paper, we give a linear
semantic encoding approach (opposing to the original quadratic semantic encoding) for ETLπ+π . Moreover, the technique can also be tailored to semantic
LTL BMC.
We have implemented the presented algorithm with our
model checker ENuSMV (Ver. 1.2), and this tool allows end
users to customize temporal connectives by defining automata. We have also justified the algorithm by conducting a series
of comparative experiments.
The paper is structured as follows: Section 2 briefly revisits basic notions. Section 3 introduces semantic BMC encoding technique for ETLπ+π . In Section 4, experimental results of
ETLπ+π BMC are given. Finally, we conclude the whole paper
with Section 5.
2. Preliminaries
An infinite word π€ over the alphabet Σ is a mapping from
N to Σ; hence we may use π€(π) to denote the πth letter of π€.
For the sake of simplicity, we usually write π€ as the sequence
π€(0)π€(1) ⋅ ⋅ ⋅ . A finite prefix of π€ with length π is a restriction
of π€ to the domain {0, . . . , π − 1}, denoted by π€[π].
A (nondeterministic) automaton is a tuple A = β¨Σ, π, πΏ,
π, πΉβ©, where:
(i) Σ is a finite alphabet,
(ii) π is a finite set of states,
(iii) πΏ : π × Σ → 2π is a transition function,
(iv) π ∈ π is an initial state, and
(v) πΉ ⊆ π is a set of accepting states.
An infinite run of A = β¨Σ, π, πΏ, π, πΉβ© over an infinite word
π€ is an infinite sequence π = π0 π1 ⋅ ⋅ ⋅ ∈ ππ , where π0 = π
and ππ+1 ∈ πΏ(ππ , π€(π)) for each π. In addition, we say that each
prefix π0 ⋅ ⋅ ⋅ ππ+1 is a finite run over π€[π].
In this paper, we are concerned with two acceptance types
for π-automata.
Looping. An infinite word π€ is accepted if it has an
infinite run over π€.
Finite. An infinite word π€ is accepted if it has a
finite prefix π€[π], over which there is a finite run
π0 ⋅ ⋅ ⋅ ππ+1 and ππ+1 is an accepting state (call such a
prefix accepting prefix).
In both cases, we denote by L(A) the set of infinite words
accepted by A.
Given an automaton A = β¨Σ, π, πΏ, π, πΉβ© and a state π ∈ π,
we denote by Aπ the automaton β¨Σ, π, πΏ, π, πΉβ©. That is, Aπ is
almost identical to A, except for that its initial state is replaced
by π. Hence, A and Aπ are the same.
Given a set of atomic propositions π΄π, the class of ETLπ+π
formulae can be inductively defined as follows.
(i) Both β€ and ⊥ are ETLπ+π formulae.
(ii) Each proposition π ∈ π΄π is an ETLπ+π formula.
(iii) If π is an ETLπ+π formula, then ¬π and Iπ are ETLπ+π
formulae.
Journal of Applied Mathematics
(iv) If π1 , π2 are ETLπ+π formulae, then both π1 ∧ π2 and
π1 ∨ π2 are ETLπ+π formulae.
(v) If A is an automaton with the alphabet Σ = {π1 ,
. . . , ππ } and π1 , . . . , ππ are ETLπ+π formulae, then
A(π1 , . . . , ππ ) is also an ETLπ+π formula.
Remark 1. In the original definition of various ETLs (say
ETLπ , ETLπ , and ETLπ ), the “next operator” (I) is not explicitly declared. However, this operator is extremely important
in building the semantic BMC encodings for ETLπ+π . Hence,
we explicitly use this operator in our definition, and it would
not change the expressiveness of the logic.
Remark 2. Since we employ both finite and looping acceptance automata connectives, our logic is a mixture of ETLπ
and ETLπ . On the one hand, ETLπ+π generalizes both of
these two logics; on the other hand, it can be embedded into
ETLπ ; hence this logic is also as expressive as omega-regular
expressions.
The satisfaction relation of an ETLπ+π formula π with
respect to an infinite word π ∈ (2π΄π )π and a position π ∈ N is
inductively given as follows.
(i) π, π β¨ β€ and π, π β⊥.
(ii) π, π β¨ π if and only if π ∈ π(π).
(iii) π, π β¨ ¬π if and only if π, π β π.
(iv) π, π β¨ Iπ if and only if π, π + 1 β¨ π.
(v) π, π β¨ π1 ∧ π2 if and only if π, π β¨ π1 and π, π β¨ π2 .
(vi) π, π β¨ π1 ∨ π2 if and only if π, π β¨ π1 or π, π β¨ π2 .
(vii) If A is a looping acceptance automaton with the
alphabet {π1 , . . . , ππ }, then π, π β¨ A(π1 , . . . , ππ ) if and
only if: there is an infinite word π€ ∈ L(A), and, for
each π ∈ N, π€(π) = ππ implies π, π + π β¨ ππ .
(viii) If A is a finite acceptance automaton with the alphabet {π1 , . . . , ππ }, then π, π β¨ A(π1 , . . . , ππ ) if and only
if: there is an infinite word π€ ∈ L(A) with an
accepting prefix π€[π], such that, for each π < π, π€(π) =
ππ implies π, π + π β¨ ππ .
As usual, we directly use π β¨ π in place of π, 0 β¨ π.
To make a better understanding of ETLπ+π formulas, we
here give some examples of the use of automata connectives.
(1) Considering the LTL formula π1 Uπ2 , it can be
described with an ETLπ+π formula AU (π1 , π2 ),
where AU is the finite acceptance automaton β¨{π1 ,
π2 }, {π1 , π2 }, πΏU , π1 , {π2 }β©, and we let πΏU (π1 , π1 ) = {π1 },
πΏU (π1 , π2 ) = {π2 }, and πΏU (π2 , π1 ) = πΏU (π2 , π2 ) = 0.
(2) The LTL formula Gπ is equivalent to the ETLπ+π
formula AG (π), where AG = β¨{π}, {π}, πΏG , π, 0β© is a
looping acceptance automaton and πΏG (π, π) = {π}.
Remark 3. The order of letters is important in defining
automata connectives. Hence, the alphabet should be considered as a vector, rather than a set.
3
We use sub(π) to denote the set of subformulae of π. A formula π is in negation normal form (NNF) if all negations in π
are adjacent to atomic propositions or automata connectives.
One can achieve this by repeatedly using De Morgan’s law and
the schemas of ¬Iπ ≡ I¬π and ¬¬π ≡ π. In addition, we call
a formula π being of the form A(π1 , . . . , ππ ) an automaton
formula.
Given a formula π (in NNF), we use a two-letter-acronym
to designate the type of an automaton subformula of π: the
first letter is either “P” or “N,” which means “positive” or
“negative”; and the second letter can be “F” or “L,” which
describes the acceptance type. For example, NL-subformulae
stand for “negative automata formulae with looping automata
connectives,” such as ¬Aπ (π1 , π2 ), where A is a two-letter
looping automaton.
A model or interchangeably a labeled transition system
(LTS) is a tuple M = β¨π, π, πΌ, πΏ, Fβ©, where:
(i) π is a finite set of states,
(ii) π ⊆ π × π is a transition relation (usually, we require π
to be total; that is, for each π ∈ π, there is some π σΈ ∈ π
having (π , π σΈ ) ∈ π),
(iii) πΌ ⊆ π is the set of initial states,
(iv) πΏ : π → 2π΄π is the labeling function, and
(v) F ⊆ 2π is a set of fairness constraints.
A path of M is an infinite sequence π = π 0 π 1 ⋅ ⋅ ⋅ ∈ ππ ,
where π 0 ∈ πΌ and (π π , π π+1 ) ∈ π for each π ∈ N. In addition, π
is a fair path if π visits each πΉ ∈ F infinitely often. Formally,
π is a fair path if inf(π) ∩ πΉ =ΜΈ 0 for each πΉ ∈ F, where inf(π)
denotes the set of states occurring infinitely many times in π.
An infinite word π = π0 π1 ⋅ ⋅ ⋅ is derived from a path π of
M (denoted by π = πΏ(π)) if ππ = πΏ(π π ) for each π ∈ N. We use
L(M) to denote the set of infinite words derived from fair
paths of M.
Given an ETLπ+π formula π and an LTS M, we denote by
M β¨ π if π β¨ π for each π ∈ L(M). The model checking
problem of ETLπ+π is just to verify if M β¨ π holds for the
given LTS M and the given ETLπ+π formula π.
3. Semantic BMC Encoding for ETLπ+π
In this section, we will give a detailed description of the
semantic BMC encoding for ETLπ+π . Firstly, we show how
to extend the tableau construction of LTL [20] to that of
ETLπ+π , and hence a product model can also be constructed.
Subsequently, we interpret the fairness path finding problem
(upon the product model) into SAT, and the size blow-up of
this encoding is linear with the bound.
For the sake of convenience, in this section, we always
assume that the given ETLπ+π formulae have been normalized
into NNF.
3.1. The Tableaux of ETLπ+π Formulae. Given an ETLπ+π formula π, we first inductively define its elementary formula set
el(π) as follows.
(i) el(β€) = el(⊥) = 0.
(ii) el(π) = el(¬π) = {π} for each π ∈ π΄π.
4
Journal of Applied Mathematics
(iii) el(π1 ∧ π2 ) = el(π1 ∨ π2 ) = el(π1 ) ∪ el(π2 ).
(iv) el(Iπ) = el(π) ∪ {Iπ}.
(v) If π = Aπ (π1 , . . . , ππ ) or π = ¬Aπ (π1 , . . . , ππ ) and the
states set of A is π, then
σΈ
el (π) = β el (ππ ) ∪ {IAπ (π1 , . . . , ππ ) | πσΈ ∈ π} .
1≤π≤π
(1)
Hence, if π ∈ el(π), then π is either an atomic proposition
or a formula rooted at the next operator.
Subsequently, we define the function sat, which maps
each subformula π of π to a set of members in 2el(π) . Inductively the following hold.
(i) sat(β€) = 2el(π) ; sat(⊥) = 0.
(ii) sat(π) = {Γ ⊆ el(π) | π ∈ Γ} and sat(¬π) = {Γ ⊆
el(π) | π ∉ Γ}.
(iii) sat(Iπ) = {Γ ⊆ el(π) | Iπ ∈ Γ}.
(iv) sat(π1 ∧ π2 ) = sat(π1 ) ∩ sat(π2 ) and sat(π1 ∨ π2 ) =
sat(π1 ) ∪ sat(π2 ).
(v) Suppose that A = β¨{π1 , . . . , ππ }, π, πΏ, π, πΉβ©.
(1) If A is a looping acceptance automaton or a
finite acceptance automaton and π ∉ πΉ, then
1≤π≤π
(i) When π =ΜΈ 0, then, for each π ∈ π and 1 ≤ π ≤ π, we
have: Γ ∈ sat(ππ ) implies πΏ(π, ππ ) ⊆ πσΈ .
(ii) When π = 0, then π ∈ πσΈ if and only if ΓσΈ ∉
sat(Aπ (π1 , . . . , ππ )), for each π ∈ π.
We now describe the tableau construction for π. Suppose
that π1 , . . . , ππ and ¬π1 , . . . , ¬ππ are, respectively, all the PFsubformulae and NL-subformulae occurring in π then the
tableau Tπ is such an LTS β¨ππ , ππ , πΌπ , πΏ π , Fπ β©, where:
(i) ππ consists of tuples like β¨Γ; π1 , . . . , ππ ; π
1 , . . . , π
π β©,
where Γ ⊆ el(π) and each ππ (resp., π
π ) is a subset of
ππ ’s (resp., ππ ’s) connective’s state set.
(ii) For two states π = β¨Γ; π1 , . . . , ππ ; π
1 , . . . , π
π β© and π σΈ =
β¨ΓσΈ ; π1σΈ , . . . , ππσΈ ; π
1σΈ , . . . , π
πσΈ β©, (π , π σΈ ) ∈ ππ if and only if
the following three conditions hold.
(1) Γ ∈ sat(Iπ) if and only if ΓσΈ ∈ sat(π) for each
Iπ ∈ el(π).
(2) ((Γ, ππ ), (ΓσΈ , ππσΈ )) ∈ Δ+ππ for each 1 ≤ π ≤ π.
(3) ((Γ, π
π ), (ΓσΈ , π
πσΈ )) ∈ Δ−¬ππ for each 1 ≤ π ≤ π.
(iii) πΌπ = {β¨Γ; π1 , . . . , ππ ; π
1 , . . . , π
π β© ∈ ππ | Γ ∈ sat(π)}.
(iv) πΏ π (β¨Γ; π1 , . . . , ππ ; π
1 , . . . , π
π β©) = Γ ∩ π΄π.
sat (Aπ (π1 , . . . , ππ ))
= β (sat (ππ ) ∩
Likewise, for each NL-subformula π = ¬A(π1 , . . . , ππ )
of π, we also define a relation Δ−π ⊆ (2el(π) × 2π) × (2el(π) ×
2π). In detail, for any Γ, ΓσΈ ⊆ el(π) and π, πσΈ ⊆ π, we have
((Γ, π), (ΓσΈ , πσΈ )) ∈ Δ−π if and only if the following hold.
σΈ
β sat (IAπ (π1 , . . . , ππ ))) .
πσΈ ∈πΏ(π,ππ )
(2)
(2) If A is a finite acceptance automaton and π ∈ πΉ,
then sat(Aπ (π1 , . . . , ππ )) = 2el(π) .
(vi) sat(¬Aπ (π1 , . . . , ππ )) = 2el(π) \ sat(Aπ (π1 , . . . , ππ )).
Recall the tableau construction for LTL [20], an “until
subformula” would generate a fairness constraint to the
tableau. Indeed, such a subformula corresponds to a “leastfixpoint subformula” if we translate the specification into a
logic employing higher-order quantifiers, such as π-calculus.
Similarly, for ETLπ+π , the PF- and NL-subformulae also
impose fairness constraints. For this reason, we need to define
the following two auxiliary relations before giving the tableau
construction.
For a PF-subformula π = A(π1 , . . . , ππ ) of π, where
A = β¨{π1 , . . . , ππ }, π, πΏ, π, πΉβ©, we define a relation Δ+π ⊆
(2el(π) ×2π)×(2el(π) ×2π) as follows: suppose that Γ, ΓσΈ ⊆ el(π)
and π, πσΈ ⊆ π; then ((Γ, π), (ΓσΈ , πσΈ )) ∈ Δ+π if and only if the
following hold.
(i) When π =ΜΈ 0, then, for each π ∈ π\πΉ, there exists some
1 ≤ π ≤ π such that Γ ∈ sat(ππ ) and πσΈ ∩ πΏ(π, ππ ) =ΜΈ 0.
(ii) When π = 0, then π ∈ πσΈ if and only if ΓσΈ ∈ sat(Aπ (π1 ,
. . . , ππ )) for each π ∈ π.
(v) Fπ = {πΉπ+ | 1 ≤ π ≤ π} ∪ {πΉπ− | 1 ≤ π ≤ π}, where
πΉπ+ = {β¨Γ; π1 , . . . , ππ ; π
1 , . . . , π
π β© ∈ ππ | ππ = 0} ,
πΉπ− = {β¨Γ; π1 , . . . , ππ ; π
1 , . . . , π
π β© ∈ ππ | π
π = 0} .
(3)
The below two theorems (Theorems 4 and 5) reveal the
language property of ETLπ+π tableaux. To remove the lengthiness, we here just provide the proof sketches, and rigorous
proofs of them are postponed to the appendices.
Theorem 4. For each π ∈ (2π΄π )π , if π ∈ L(Tπ ), then π β¨ π.
Proof (sketch). Just assume that π = π 0 π 1 ⋅ ⋅ ⋅ ∈ πππ is the corresponding fair path of Tπ such that π = πΏ π (π), where π π =
β¨Γπ ; π1,π , . . . , ππ,π ; π
1,π , . . . , π
π,π β©. We may inductively prove the
following claim.
“For each π ∈ sub(π) ∪ ππ(π), we have: Γπ ∈ sat(π) implies
π, π β¨ π.”
Because we require that Γ0 ∈ sat(π), hence we have π, 0 β¨
π.
Theorem 5. For each π ∈ (2π΄π )π , if π β¨ π, then π ∈ L(Tπ ).
Proof (sketch). Suppose that π β¨ π; to show π ∈ L(Tπ ),
we need to first construct an infinite state sequence π =
π 0 π 1 ⋅ ⋅ ⋅ ∈ πππ guided by π (the detailed construction is given
in Section A.2), and then we will subsequently show that π is
a fair path of Tπ and π = πΏ π (π).
Journal of Applied Mathematics
5
The following theorem is immediate from Theorems 4
and 5.
Theorem 6. The model M violates the ETLπ+π property π if
and only if L(M) ∩ L(T¬π ) =ΜΈ 0, equivalently; there exists
some fair path in M × T¬π .
Theorem 7. For an ETLπ+π formula π, its tableau Tπ has at
most 4|el(π)| states.
Proof. Observe that a state should be of the form β¨Γ; π1 , . . . ,
ππ ; π
1 , . . . , π
π β©. For Γ, there are 2|el(π)| possible choices. Suppose that ππ = Aπ (π1 , . . . , ππ ) (resp., ¬ππ = ¬Aπ (π1σΈ , . . . , ππσΈ ))
and the state set of Aπ is ππ (resp., Aπ with ππσΈ ). According
to the construction, each π ∈ ππ (resp., π ∈ ππσΈ ) corπ
responds to a unique elementary formula IAπ (π1 , . . . , ππ )
π
(resp., IAπ (π1σΈ , . . . , ππσΈ )), and such a mapping is an injection.
Hence we have
σ΅¨ σ΅¨
σ΅¨ σ΅¨
σ΅¨
σ΅¨
( ∑ σ΅¨σ΅¨σ΅¨σ΅¨ππ σ΅¨σ΅¨σ΅¨σ΅¨ + ∑ σ΅¨σ΅¨σ΅¨σ΅¨ππσΈ σ΅¨σ΅¨σ΅¨σ΅¨) ≤ σ΅¨σ΅¨σ΅¨el (π) \ π΄πσ΅¨σ΅¨σ΅¨ .
1≤π≤π
(4)
1≤π≤π
Note that ππ ⊆ ππ (resp., π
π ⊆ ππσΈ ), and hence we have |ππ | ≤
(2|el(π)| )2 = 4|el(π|) .
3.2. The Linear Semantic Encoding. Practically, a model’s state
space is determined by the evaluation of a set of variables.
Further, we may assume that each of them is a “Boolean
variable” (which corresponds to a proposition belonging to
π΄π), because every variable over finite domain could be
encoded with several Boolean variables.
Let C = β¨π, π, πΌ, πΏ, Fβ© be an arbitrary LTS, and we
also assume that the corresponding variable set is π = {π1 ,
. . . , ππ }; then each state π ∈ π uniquely corresponds to an
assignment of such ππ s.
If we use π (ππ ) to denote the value of ππ at π , then each
subset π ⊆ π can be represented by a Boolean formula Φπ
over π. In detail, it fulfills
π ∈ π ⇐⇒ π β© Φπ ,
(5)
where π β© Φπ means that Φπ is evaluated to be true if we
assign each ππ with the value π (ππ ).
Let πσΈ = {π1σΈ , . . . , ππσΈ }, and each binary relation π ⊆ π ×
π also has a Boolean representation Φπ over the variable set
π ∪ πσΈ . That is,
(π 1 , π 2 ) ∈ π ⇐⇒ (π 1 , π 2 ) β© Φπ ,
For example, from Theorem 7, we have that the symbolic
representation of Tπ requires 2 × |el(π) \ π΄π| new Boolean
variables—because variables in el(π) ∩ π΄π can be shared with
the encoding of the original model.
A canonical Boolean encoding of fair path existence
detection upon LTSs is presented in [22]: given a model C =
β¨π, π, πΌ, πΏ, Fβ© and a bound π ∈ N, one may use the formula
(π)
(π,π+1)
∧ β (Φ(π,β)
∧ β β ΦπΉ ) ,
Φ(0)
π
πΌ ∧ β Φπ
0≤π<π
πΉ∈F β≤π≤π
0≤β≤π
(7)
(π)
(π)
where ΦπΌ and ΦπΉ are, respectively, the Boolean formulae
obtained from ΦπΌ and ΦπΉ by replacing each variable π with
a new copy π(π) , and Φ(π,π)
is obtained from Φπ by replacing
π
each π with π(π) and replacing each πσΈ with π(π) .
It can be seen that this formula is satisfiable if and only if
C involves a fair path of the form π 0 π 1 ⋅ ⋅ ⋅ π β−1 (π β ⋅ ⋅ ⋅ π π )π (call
it is of the lasso shape). Since that L(C) =ΜΈ 0 if and only if C
contains some lasso fair path (note that from each fair path
we may derive another fair path of lasso shape), hence we may
convert the fair path detection into the satisfiability problem
of the above Boolean formula.
However, a closer look shows that the size of such encoding is quadratic with the bound. To reduce the blow-up in
size, we need to introduce the following new variables (the
linearization can also be done with the syntactic fashion
presented in [23, 24]. We would draw a comparison of these
two approaches in Section 4.).
(1) For each 0 ≤ β ≤ π, we introduce a new variable πβ .
Intuitively, πβ indicates that π β is a successor of π π .
(2) For each fairness constraint πΉ ∈ F and each 0 ≤
β ≤ π, we introduce a variable ππΉ(β) , and this variable
(π)
is evaluated to be true only if there is some ΦπΉ which
is evaluated to true, where β ≤ π ≤ π.
And the new encoding (with the bound π ∈ N) can be formulated as
(π,π+1)
∧ β πβ ,
Φ(0)
πΌ ∧ β Φπ
0≤π<π
0≤β≤π
ΨC(π) = ∧ β (πβ σ³¨→ (Φ(π,β)
∧ β ππΉ(β) ))
π
πΉ∈F
0≤β≤π
(8)
∧ β(β
πΉ∈F
0≤π<π
(ππΉ(π)
σ³¨→
(ππΉ(π+1)
∨
Φ(π)
πΉ ))
(6)
where (π 1 , π 2 ) β© Φπ means that Φπ is evaluated to be true if
we assign each ππ with π 1 (ππ ) and assign each ππσΈ with π 2 (ππ ).
Hence, all components of M can be encoded: πΌ and π
can be represented by two Boolean formulae ΦπΌ and Φπ ,
respectively; we subsequently create a Boolean formula ΦπΉ
for each πΉ ∈ F; note that the labeling function πΏ is not
concerned any longer, because the sates labeled with π can
be captured by the Boolean formula π.
∧ (ππΉ(π) σ³¨→ Φ(π)
πΉ )).
Hence, both the number of variables and the size of this
encoding are linear with π. Moreover, the following theorem
guarantees the correctness of such encoding.
Theorem 8. L(C) =ΜΈ 0 if and only if ΨC(π) is satisfiable for some
π.
6
Journal of Applied Mathematics
Proof. We begin with the “if ” direction: suppose that the
variable set is {π1 , . . . , ππ }; if there is some π such that ΨCπ
is evaluated to 1 (i.e., true) under the assignment π, then we
(π)
denote π π = (π(π1(π) ), . . . , π(ππ
)) for each 1 ≤ π ≤ π. Hence,
each π π is a state of C.
(i) Since the truth value of Φ(0)
πΌ is 1 under π, then we have
π 0 β© Φ(0)
;
this
implies
that
π 0 ∈ πΌ.
πΌ
, and
(ii) For each 0 ≤ π < π, we have (π π , π π+1 ) β© Φ(π,π+1)
π
thus (π π , π π+1 ) ∈ π.
(iii) Because we have the conjunct β0≤β πβ , then there is
some 0 ≤ β ≤ π such that π(πβ ) = 1. In the following,
we fix this specific value β for the discussion.
∧βπΉ∈F ππΉ(β) ),
(iv) According to the constraint πβ → (Φ(π,β)
π
we have the following.
(1) π(Φ(π,β)
π ) = 1, which indicates that (π π , π β ) ∈ π.
(2) For each πΉ ∈ F, we have π(ππΉ(β) ) = 1.
(v) For each fairness constraint πΉ ∈ F and 0 ≤ π ≤ π,
we now inductively show that “π(ππΉ(π) ) = 1 implies
(π)
π(ΦπΉ ) = 1 (alternatively, π π ∈ πΉ) for some π ≤ π ≤ π.”
First of all, it holds in the case of π = π, because we
have the constraint π(π) → Φ(π)
πΉ . In addition, the fact
of “when π = π, it holds” can be immediately inferred
from the hypothesis “when π = π + 1, it holds,”
according to the conjunct ππΉ(π) → (ππΉ(π+1) ∨Φ(π)
πΉ ). Since
(β)
we have shown that π(ππΉ ) = 1, we can conclude that
there exists some β ≤ π ≤ π such that π π ∈ πΉ.
The above shows that π 0 π 1 ⋅ ⋅ ⋅ π β−1 (π β ⋅ ⋅ ⋅ π π )π is a fair path of C,
and hence L(C) =ΜΈ 0.
Conversely, for the “only if ” direction, it suffices to find
some π and some assignment π evaluating ΨC(π) to be true.
Since L(C) =ΜΈ 0, there must exist some fair path of lasso
shape in C. Without loss of generality, assume that π =
π 0 π 1 ⋅ ⋅ ⋅ π β−1 (π β ⋅ ⋅ ⋅ π π )π is such a path; just let π be this value,
and we now illustrate how the assignment π is constructed.
(i) For each variable ππ and each π ≤ π, let π(ππ(π) ) =
π π (ππ ). Since π 0 is an initial state, according to the
definition, we have π(Φ(0)
πΌ ) = 1. Meanwhile, because
each (π π , π π+1 ) ∈ π, we have that the conjunction
is satisfied under π.
β0≤π≤π Φ(π,π+1)
π
(ii) For each 0 ≤ π ≤ π, we let
π (ππ ) = {
1, π = β,
0, π =ΜΈ β.
(9)
Then it can be seen that π(β0≤π≤π ππ ) = 1.
(iii) For each πΉ ∈ F and each 0 ≤ π ≤ π, we let
π (ππΉ(π) ) = {
1, if there is some π ≥ π such that π π ∈ πΉ,
0, otherwise.
(10)
Then it can be directly checked that the conjunct
(π)
(π)
β ( β (ππΉ(π) σ³¨→ (ππΉ(π+1) ∨ Φ(π)
πΉ )) ∧ (ππΉ σ³¨→ ΦπΉ ))
πΉ∈F
0≤π<π
(11)
is evaluated to be true under π.
(iv) Since (π π , π β ) ∈ π, we have π(Φ(π,β)
π ) = 1. Also note
that π is a fair path; then for each πΉ ∈ F there is some
π π ∈ πΉ, where β ≤ π ≤ π. According to the previous
definition, we can infer that π(βπΉ∈F ππΉ(β) ) = 1. Thus
the conjunct
∧ β ππΉ(π) ))
β (ππ σ³¨→ (Φ(π,π)
π
0≤π≤π
(12)
πΉ∈F
is also satisfied under π (recall that we have assigned
π(ππ ) = 0 in the case of π =ΜΈ β).
Thus, the formula ΨC(π) is satisfiable.
For bounded model checking, an important issue is the
completeness threshold, which is the specific value π such that
we may declare L(C) = 0 in the case that ΨC(π) is not satisfiable, and we denote it by CT(C) in this paper.
Since we need only to concern about fair paths of the
form π1 (π2 )π , as pointed in [22], a possible candidate for the
completeness threshold CT(C) is
π·πΌ (C) + |F| × π· (C) ,
(13)
where π· and π·πΌ are, respectively, the diameter and the initialized diameter (cf. [22]). Since [22] just considers LTSs having
only one fairness constraint, we here add the factor |F|.
Observe that the part π2 must be enclosed in some SCC
(i.e., strongly connected component) of C, and we may replace
π·(C) with π·(S), where S is the largest SCC that intersects
all fairness constraints. Therefore, we may get a more compact
upper bound of the completeness threshold.
Then, for a given LTS M and the given ETLπ+π formula
π, since we have shown that M β π if and only if M × T¬π
involves some fair path, we now just need to test if there is
(π)
some π making ΨM×T
satisfiable, where π ≤ CT(M × T¬π ).
¬π
Remark 9. In the case that C = C1 × C2 , where C = β¨π,
π, πΌ, πΏ, Fβ© and Cπ = β¨ππ , ππ , πΌπ , πΏ π , Fπ β© for π = 1, 2, we have
ΦπΌ = ΦπΌ1 ∧ ΦπΌ2 , Φπ = Φπ1 ∧ Φπ2 , and ΦF = ΦF1 ∪ ΦF1 ,
and in addition, the variable set of C is just the union of the
variable sets of C1 and C2 .
Remark 10. Actually, for an ETLπ+π formula π, the symbolic
representation of Tπ can be directly given without the detour
of explicit construction of the LTS. Because, the relation sat
could be inductively constructed if we introduce corresponding new variables in el(π). Subsequently, encodings of ΦΔ+π or
ΦΔ−π could be naturally obtained from the underlying Boolean
variables corresponding to states of automata connectives.
Hence, the Boolean representation of Φππ is obtained. And,
encodings of other components are as routine.
Journal of Applied Mathematics
7
q1
CONNECTIVE A (a1, a2) : FIN
STATES >q1, q2, q3<;
TRANSITIONS(q1)
case a1 : q2; a2 : q3; esac;
TRANSITIONS(q2)
case
a1 : fq2, q3g;
a2 : q3;
esac;
TRANSITIONS(q3)
case a1 : fq1, q2g; esac;
a1
q2
a1
a2
a1
a1
a2
q3
Figure 1: An automata connective declaration in ENuSMV.
Table 1: Comparative results of BDD-based and BMC approaches.
Cells
5
6
7
8
9
10
Time (s)
170.56
513.06
2372.28
8074.05
≥5 h
≥5 h
BDD
Memory (MB)
68.32
209.17
976.14
1482.15
≥2 G
≥2 G
C.L.
78
84
90
96
—
—
Variables
3939
4677
5415
6154
6892
7630
4. Experimental Results
To justify our idea, we have integrated (the tool is available
at https://sourceforge.net/projects/enusmv12/) the ETLπ+π
BMC algorithm into ENuSMV (Ver. 1.2). This tool is completely compatible with NuSMV [25], and it allows end-users
to customize new temporal connectives by defining automata.
For example, Figure 1 illustrates how to declare a finite
acceptance automata connective (to define a looping acceptance automata connective, just replace the keyword FIN with
LOOP), namely, A. Since it has three states q1, q2, and q3
(where q1 is the initial state and q3 is an accepting state), then
A[q1], A[q2], and A[q3] are also connectives—for example,
A[q2] just replaces the initial state with q2. Subsequently, one
may define ETLπ+π specifications; for example,
ETLSPEC A(p,A[q2] (q,p))
is a proper declaration.
In this redistribution, both BDD-based and bounded
model checkings for ETLπ+π are supported. To perform (semantic encoding based) BMC, we need to use the command
option bmc tab.
We have conducted some experiments to test the correctness and efficiency of our algorithm. In this paper, we are
especially concerned with the following issues.
(1) The comparison of BDD-based symbolic model
checking and bounded model checking.
Clauses
8126
9620
11113
12609
14102
15599
BMC
Time (s)
13.50
29.14
41.32
52.45
68.17
85.13
Memory (MB)
34.98
42.37
58.48
67.32
82.13
101.21
C.L.
39
39
39
39
39
39
(2) The overhead contrast in verifications of ETLπ and
ETLπ+π upon both star-free and nonstar-free properties.
(3) The comparison of performances with syntactic/semantic BMC of LTL and semantic BMC of ETLπ+π .
To compare the efficiencies between BDD-based MC
and BMC, we chose the (distributed mutual exclusion) DME
circuit as the model (which involves a buggy design), as
described in [3]. It consists of π cells for π users that want to
have exclusive access to a shared resource. We conducted the
experiment by describing the liveness property that “a request
for using the resource will eventually be acknowledged” (with
ETLπ+π formula). The max bound are set to 100, and the
comparative results are shown in Table 1, where “C.L.” stands
for the length of counterexample.
As a previous work, we have implemented the symbolic
model checking algorithm for ETLπ in ENuSMV 1.0. To
justify that in general ETLπ+π could be more effectively
checked, we would make a comparison of BMC for ETLπ and
ETLπ+π .
To draw the comparison upon non-start-free regular
properties, we use a “mod 2π counter” as the model. The
model consists of π “cells” bit 0,. . .,bit n-1. Each cell is
a (mod 2) counter having an input carry in and an output
signal carry out. These cells are connected in a serial
manner; that is, bit 0’s carry in is set to 1, and bit i’s
carry in is connected to bit i−1’s carry out as described
in Figure 2.
8
Journal of Applied Mathematics
Carry out
Carry out
Carry in
1
···
bit 1
bit 0
Carry out
Carry out
Carry in
Carry in
bit n − 1
Carry in
Figure 2: The circuit of MOD 2π counter.
Table 2: Comparison of ETLπ and ETLπ+π with periodicity properties.
Cells
10
11
12
Max bound
11032
5138
3702
ETLπ
Memory (MB)
279.44
148.22
129.571
Variables
154461
77084
3702
Clauses
1180431
631981
518287
We, respectively, describe the periodicity property that
“bit 0 carries out at every even (except for 0) moment”
with ETLπ and ETLπ+π . We set the time bound to 1 hour,
and Table 2 provides the max bounds (together with related
information) which can be handled by the SAT solver within
the time bound. From it, we can see that a deeper search could
be done when specifications are described with ETLπ+π .
To compare the overhead of ETLπ and ETLπ+π upon
star-free properties, we would first use the DME model to
check the safety property: “no two cells will be simultaneously
acknowledged.” The results are shown in Table 3, and the time
bound is also set to 1 hour.
At the same time, we can also compare the verification
performances of the DME model upon the aforementioned
liveness property that “each request will be acknowledged
in the further.” Note that for this property, the verification
could be accomplished within the given time bound, and a
counterexample could be detected at the bound π = 39. The
comparative results are given in Table 4.
The last group of experiments aims at comparing the
efficiencies of (syntactic/semantic) LTL BMC and ETLπ+π
BMC. First of all, for LTL BMC, we are also concerned with
two types of encoding approaches.
(1) The Syntactic Approach. We here adopt the linear
incremental syntactic encoding proposed in [26]—to
the best of our knowledge, this is the most effective
syntactic encoding for full LTL.
(2) The Semantic Approach. ENuSMV 1.2 also supports
semantic encoding for LTL—this is tailored from our
linear encoding presented in Section 3.2.
We still use the DME circuit as the model and the liveness
property as specification; Table 5 provides the experimental
results on LTL BMC based on syntactic and semantic encodings. From that, we can see that, with semantic encoding, it
tends to generate less clauses and tends to terminate earlier
than that with the syntactic encoding, whereas the latter
requires fewer variables.
Meanwhile, we can also make a comparison between
Tables 4 and 5; we may find that the variable numbers of
semantic ETL BMC and LTL BMC are almost at a fixed
ratio—for this experiment, the ratio is 1.09 (approximately).
Max bound
13009
6037
4316
ETLπ+π
Memory (MB)
382.784
173.59
143.802
Variables
182140
90570
69072
Clauses
1417990
754461
612888
5. Concluding Remarks
The logic ETLπ+π is a variant of extended temporal logic,
it employs both finite and looping acceptance automata
connectives, and it can be considered a mixture of ETLπ and
ETLπ . Thus, any omega-regular properties can be succinctly
described with this kind of logic, particularly for safety and
liveness properties.
We have presented the semantic bounded model checking
algorithm for ETLπ+π . The central part of this approach is
the tableau construction. Meanwhile, we also illustrate how
to give a linear BMC encoding for it. To justify it, we
have implemented the presented algorithm (in ENuSMV
1.2). Experimental results show that ETLπ+π could be more
efficiently verified via BMC (in comparison to our previous
implementation for ETLπ+π ).
In this paper, verification of ETLπ , namely, extended temporal logic using BuΜchi (alternatively, repeating) automata
as connectives, has not been studied. This is partly because
of the inherited difficulties of BuΜchi complementation
[27]. Indeed, we may mimic the ranking complementing technique of BuΜchi automata [28–30]. However, this would cause
an asymptotically quadratic blow-up of variable number in
building the tableaux. Hence, a further work is about to study
the semantic BMC encodings of ETLπ .
Appendix
A. Omitted Proofs
A.1. Proof of Theorem 4. Just assume that π = π 0 π 1 ⋅ ⋅ ⋅ ∈ πππ is
the corresponding fair path of Tπ having π = πΏ π (π), where
π π = β¨Γπ ; π1,π , . . . , ππ,π ; π
1,π , . . . , π
π,π β©. We now inductively prove
the following claim.
“For each π ∈ sub(π) ∪ el(π), we have: Γπ ∈ sat(π)
implies π, π β¨ π.”
(i) The basic cases are trivial.
(a) π = β€, or π =⊥. Since π, π β¨ β€ holds trivially, the case
Γπ ∈ sat(⊥) never happens.
Journal of Applied Mathematics
9
Table 3: Comparison of ETLπ and ETLπ+π with safety properties.
Cells
3
4
5
Max bound
68
62
54
ETLπ
Memory (MB)
29.14
34.76
40.12
Variables
4002
4864
5170
Clauses
8091
9764
10313
Max-bound
101
87
73
ETLπ+π
Memory (MB)
38.03
40.34
45.37
Variables
4958
5712
6072
Clauses
9898
11512
12088
Table 4: Comparison of ETLπ and ETLπ+π with liveness properties.
Cells
3
4
5
Time (s)
25.09
31.42
42.56
ETLπ
Clauses
4796
6200
7604
Variables
2400
3120
3840
Memory (MB)
29.66
38.61
44.28
(b) π = π, or π = ¬π, where π ∈ π΄π. Because Γπ ∈ sat(π)
if and only if π ∈ Γπ if and only if π ∈ π(π) if and only
if π, π β¨ π. Similar to show it when π = ¬π.
(ii) The following inductions are as routine.
(a) For the case π = π1 ∧ π2 , or π1 ∨ π2 . For the first case,
we have Γπ ∈ sat(π) if and only if Γπ ∈ Sat(π1 ) and Γπ ∈
sat(π2 ); by induction, we have π, π β¨ π1 and π, π β¨ π2 ;
hence π, π β¨ π; similar to the case of π = π1 ∨ π2 .
(b) In the case of π = IπσΈ , we have Γπ ∈ sat(π) if and
only if Γπ+1 ∈ sat(πσΈ ), according to the definition of Δ π
(note that in this case π is an elementary formula of
π). By induction, we have π, π + 1 β¨ πσΈ ; hence π, π β¨ π.
π
(iii) If π = A (π1 , . . . , ππ ) is a PF-subformula, without
loss of generality, assume π = ππ (i.e., the πth PF-subformula
of π), where 1 ≤ π ≤ π and Aπ = β¨{π1 , . . . , ππ }, π, πΏ, π, πΉβ©,
then the proof is given as follows.
Since π is a fair path, there exists π2 > π1 > π, such that
ππ,π1 = ππ,π2 = 0 and ππ,π =ΜΈ 0 for each π1 < π < π2 .
π0
(a) First, let π0 = π; then we have Γπ ∈ sat(A (π1 , . . . ,
ππ )).
(b) For each π‘ ≤ π1 − π, if ππ‘ ∉ πΉ and Γπ+π‘ ∈ sat(Aππ‘ (π1 ,
. . . , ππ )), then, according to the definition of sat, there
is some 1 ≤ ππ‘ ≤ π and a πσΈ such that Γπ+π‘ ∈ sat(πππ‘ ),
σΈ
πσΈ ∈ πΏ(ππ‘ , πππ‘ ), and Γπ+π‘ ∈ sat(IAπ (π1 , . . . , ππ )) (equivσΈ
alently, Γπ+π‘+1 ∈ sat(Aπ (π1 , . . . , ππ )), as discussed
above). Now, we let ππ‘+1 = πσΈ .
Till now, if there is some π‘ having ππ‘ ∈ πΉ, we stop the processing. Otherwise, we go on with the following processing.
(a) When π‘ = π1 − π + 1, we have Γπ‘ ∈ sat(Aππ‘ (π1 , . . . , ππ )).
Since ππ,π1 = 0, according to the definition of Δ+ππ , we
have ππ‘ ∈ ππ,π1 +1 = ππ,π+π‘ .
(b) For each π1 − π < π‘ ≤ π2 − π, if ππ‘ ∈ ππ,π+π‘ and ππ‘ ∉
πΉ, according to Δ+ππ , there is some 1 ≤ ππ‘ ≤ π, such
that Γπ+π‘ ∈ sat(πππ‘ ), and there is some πσΈ ∈ ππ,π+π‘+1 ∩
πΏ(ππ‘ , πππ‘ ). Now, we let ππ‘+1 = πσΈ .
Time (s)
13.78
20.06
24.70
Variables
2340
3042
3744
ETLπ+π
Clauses
4747
6115
7843
Memory (MB)
26.34
31.38
36.12
Notice that ππ,π2 = 0, and we have the inductive assertion that
ππ‘ ∉ πΉ implies ππ‘ ∈ ππ,π+π‘ ; hence there must exist some ππ‘ ∈ πΉ.
Thus, A have some accepting prefix ππ0 ππ1 ⋅ ⋅ ⋅ ππβ of some
infinite word. On the other hand, by induction, Γπ+π‘ ∈ sat(ππ,π‘ )
implies π, π + π‘ β¨ πππ‘ . Hence, we have π, π β¨ π by definition.
(iv) If π = ¬Aπ (π1 , . . . , ππ ) is an NF-subformula of π and
assume that Aπ = β¨{π1 . . . , ππ }, π, πΏ, π, πΉβ©, then the proof is
given as below.
Assume by contradiction it is not the case; then π, π β¨
Aπ (π1 , . . . , ππ ) holds. Therefore, there exist some accepting
prefix ππ0 ππ1 ⋅ ⋅ ⋅ ππβ of some infinite word and a state sequence
π0 π1 ⋅ ⋅ ⋅ πβ πβ+1 such that
(a) π0 = π, πβ+1 ∈ πΉ and each ππ‘+1 ∈ πΏ(ππ‘ , πππ‘ ),
(b) for each π‘ ≤ β, we have π, π + π‘β¨ πππ‘ .
Then, we have the following facts.
(a) Γπ+β+1 ∈ sat(Aπβ+1 (π1 , . . . , ππ )) = 2el(π) , because πβ+1 ∈
πΉ.
(b) Assume that Γπ+π‘+1 ∈ sat(Aππ‘+1 (π1 , . . . , ππ )), where
π‘ ≤ β; then Γπ+π‘ ∈ sat(IAππ‘+1 (π1 , . . . , ππ )). In addition,
π, π + π‘ β¨ πππ‘ implies that Γπ+π‘ ∈ sat(πππ‘ )—otherwise
(it is not hard to show that if there is an infinite path
in Tπ starting from π π+π‘ , then, for each π, either Γπ+π‘ ∈
sat(π) or Γπ+π‘ ∈ sat(¬π) holds), Γπ+π‘ ∈ sat(¬πππ‘ ); then
we have π, π + π‘ β¨ ¬πππ‘ by induction contradicts!
Hence, by the definition of sat, we have Γπ+π‘ ∈
sat(Aππ‘ (π1 , . . . , ππ )).
Then, we have Γπ ∈ sat(Aπ0 (π1 , . . . , ππ )) when π‘ = 0. However,
it contradicts the premiss Γπ ∈ sat(¬Aπ (π1 , . . . , ππ )), because
π0 = π. Therefore, the assumption π, π β¨ Aπ (π1 , . . . , ππ ) is a
falsity, and this implies that π, π β¨ π holds.
(v) If π = Aπ (π1 , . . . , ππ ) is a PL-subformula of π, where
π
A = ({π1 , . . . , ππ }, π, πΏ, π, πΉ), then we have the following
proof in the case that Γπ ∈ sat(π).
(a) Let π0 = π, and Γπ ∈ sat(Aπ0 (π1 , . . . , ππ )).
(b) For each π‘ ≥ 0, assume that Γπ+π‘ ∈ sat(Aππ‘ (π1 , . . . ,
ππ )); then by the definition of sat, there is some 1 ≤
ππ‘ ≤ π, such that Γπ+π‘ ∈ sat(πππ‘ ), and there is
10
Journal of Applied Mathematics
Table 5: Comparison of syntactic/semantic LTL BMC with liveness properties.
Cells
3
4
5
Syntactic LTL BMC encoding
Variables
Clauses
Memory (MB)
2052
5474
32.66
2736
6806
35.74
3420
8138
37.02
Time (s)
9.34
16.71
24.06
σΈ
some πσΈ ∈ πΏ(ππ‘ , πππ‘ ) such that π ππ‘(IAπ (π1 , . . . , ππ ))
π
σΈ
(equivalently, Γπ+π‘+1 ∈ sat(A (π1 , . . . , ππ )) holds).
Now, we let ππ‘+1 = πσΈ .
π
Hence, we have an accepting run of A over the infinite word
ππ0 ππ1 ⋅ ⋅ ⋅ . Meanwhile, by induction, Γπ+π‘ ∈ sat(πππ‘ ) implies
that π, π + π‘ β¨ πππ‘ . By definition, we have π, π β¨ π in this
case.
(vi) Lastly, consider the case π = ¬Aπ (π1 , . . . , ππ ), where
π
A = β¨{π1 , . . . , ππ }, π, πΏ, π, πΉβ© is a looping acceptance automaton.
Suppose that Γπ ∈ sat(π), and assume by contradiction
that π, π β π; then there is an infinite word π€ = ππ0 ππ1 ⋅ ⋅ ⋅ ∈
L(Aπ ) and π, π + π‘ β¨ πππ‘ for each π‘ ≥ 0. Also, let the
corresponding run of Aπ on π€ is π0 π1 ⋅ ⋅ ⋅ , where π0 = π.
Without loss of generality, suppose that π = ¬ππ (i.e., the
πth NL-subformula); since π is a fair path, there must exist
some π2 > π1 > π such that π
π,π1 = π
π,π2 = 0 and π
π,π =ΜΈ 0 for
each π1 < π < π2 . Then
π0
(a) Γπ ∈ sat(¬A (π1 , . . . , ππ )), because π0 = π,
(b) as discussed before (in the case of NF-subformula),
π, π + π‘ β¨ πππ‘ implies that Γπ+π‘ ∈ sat(πππ‘ ). For each
π‘ > 0, if Γπ+π‘ ∈ sat(¬Aππ‘ (π1 , . . . , ππ )) holds, according
to the definition of sat, for each πσΈ ∈ πΏ(ππ‘ , πππ‘ ), we have
σΈ
π
Γπ+π‘ ∈
sat(IA (π1 , . . . , πππ )). Note that ππ‘+1 ∈ πΏ(ππ‘ , ππ );
hence Γπ+π‘+1 ∈ sat(¬A π‘+1 (π1 , . . . , ππ )).
Therefore, we have Γπ+π‘ ∈ sat(¬Aππ‘ (π1 , . . . , ππ )) for each π‘ ≥ 0.
According to the definition of Δ−¬ππ , we have
(a) ππ1 +1−π ∈ π
π,π1 +1 , since π
π,π1 = 0,
(b) for each π‘ having ππ‘ ∈ π
π,π+π‘ , since Γπ+π‘ ∈ sat(πππ‘ ), then
πσΈ ∈ πΏ(ππ‘ , πππ‘ ) implies πσΈ ∈ π
π,π+π‘+1 . Therefore, ππ‘+1 ∈
π
π,π+π‘+1 .
The above induction implies that ππ‘ ∈ π
π,π+π‘ for each π‘ ≥ π1 −
π + 1. However, it is impossible since π
π,π2 = 0. Hence, the
assumption π, π β¨ Aπ (π1 , . . . , ππ ) is incorrect, which implies
that π, π β¨ π also holds in this case.
Clearly, the above induction is complete. Because we
require that Γ0 ∈ sat(π), we have π, 0 β¨ π.
A.2. Proof of Theorem 5. Suppose that π β¨ π to show π ∈
L(Tπ ), we need to first construct an infinite state sequence
π = π 0 π 1 ⋅ ⋅ ⋅ , where π π = β¨Γπ ; π1,π , . . . , ππ,π ; π
1,π , . . . , π
π,π β© ∈ ππ ,
and then we will show that π is a fair path of Tπ and π =
πΏ π (π).
(i) The construction of Γπ is as follows.
Time (s)
8.59
10.87
15.90
Semantic LTL BMC encoding
Variables
Clauses
Memory (MB)
2128
4291
24.79
2812
5623
28.44
3469
6955
32.28
For each π ≥ 0, we let Γπ = {π ∈ el(π) | π, π β¨ π}. We will
now show the following claim.
“For each π ∈ sub(π) ∪ el(π), we have Γπ ∈ sat(π) if
and only if π, π β¨ π.”
By induction of the structure of π the following hold.
(a) Cases are trivial when π =⊥ or π = β€.
(b) If π = π ∈ π΄π, then π ∈ el(π). Thus, Γπ ∈ sat(π) if
and only if π ∈ Γπ if and only if π ∈ π(π) if and only if
π, π β¨ π. Similar to show the case of π = ¬π.
(c) Another basic case is π = IπσΈ : note that in this case
we also have π ∈ el(π); hence Γπ ∈ sat(IπσΈ ) if and only
if π ∈ Γπ if and only if π, π β¨ π.
(d) If π = π1 ∧ π2 , then Γπ ∈ sat(π) if and only if Γπ ∈
sat(π1 ) and Γπ ∈ sat(π2 ). By induction, we have π, π β¨
π1 and π, π β¨ π2 that is, π, π β¨ π. Similar to show the
case of π = π1 ∨ π2 .
(e) If π = Aπ (π1 , . . . , ππ ), where Aπ = β¨{π1 , . . . , ππ },
π, πΏ, π, πΉβ© and if A is a looping acceptance automaton
or a finite acceptance automaton, but π ∈
πΉ, it is not
difficult to show that
Aπ (π1 , . . . , ππ ) ←→ β (ππ‘ ∧
1≤π‘≤π
σΈ
β IAπ (π1 , . . . , ππ )) .
πσΈ ∈πΏ(π,ππ‘ )
(A.1)
Then by induction and according to the scheme
sat(πσΈ ∨ πσΈ σΈ ) = sat(πσΈ ) ∪ sat(πσΈ σΈ ) and sat(πσΈ ∧ πσΈ σΈ ) =
sat(πσΈ ) ∩ sat(πσΈ σΈ ), we have π, π β¨ π if and only if
Γπ ∈ β (sat (ππ‘ ) ∩
1≤π‘≤π
σΈ
β sat (IAπ (π1 , . . . , ππ )))
σΈ
π ∈πΏ(π,ππ‘ )
= sat (Aπ (π1 , . . . , ππ )) .
(A.2)
Otherwise, if A is a finite acceptance automaton and
π ∈ πΉ, then
Aπ (π1 , . . . , ππ ) ←→ β€.
(A.3)
In this case, sat(Aπ (π1 , . . . , ππ )) = 2el(π) , and hence
the claim “π, π β¨ π if and only if Γπ ∈ sat(π)” also
holds.
(f) If π = ¬Aπ (π1 , . . . , ππ ), then Γπ ∈ sat(π) if and only
π
π
if Γπ ∈
sat(A (π1 , . . . , ππ )) if and only if π, π β A (π1 ,
. . . , ππ ) if and only if π, π β¨ π.
Journal of Applied Mathematics
11
σΈ
π, βt + 1 β¨ Aπ (π1 , . . . , ππ ) for some πσΈ ∈ π
π,βπ‘ +1 , and
Now, we have the following properties.
(1) Since π, 0 β¨ π, we have Γ0 ∈ sat(π), and hence π 0 ∈ πΌπ .
(2) For each π and each Iπ ∈ el(π), we have Γπ ∈ sat(Iπ)
if and only if π, π β¨ Iπ if and only if π, π + 1 β¨ π if and
only if Γπ+1 ∈ sat(π).
(3) For each π ∈ π΄π and each π, we have π ∈ π(π) if and
only if π, π β¨ π if and only if π ∈ Γπ . Hence, π(π) =
Γπ ∩ π΄π.
(ii) The construction of ππ,π , for 1 ≤ π ≤ π is as follows.
Assume that the πth PF-subformula ππ = Aπ (π1 , . . . , ππ )
and the automata connective Aπ = β¨{π1 , . . . , ππ }, π, πΏ, π, πΉβ©;
then the construction is as follows.
(a) We will find a series of “key positions” β0 , β1 , . . ., having
ππ,βπ‘ = 0 for each βπ‘ . First, let β0 = 0, and, for each π‘ ≥
0, once βπ‘ has been determined, we use the following
two steps to determine βπ‘+1 and each ππ,π for βπ‘ < π <
βπ‘+1 .
σΈ
(b) Let ππ,βπ‘ = 0, and let ππ,βπ‘ +1 = {πσΈ | π, βπ‘ + 1 β¨ Aπ (π1 ,
. . . , ππ )}. For each πσΈ ∈ ππ,βπ‘ +1 , there must exit a finite
word π€πσΈ = ππ0 ππ1 ⋅ ⋅ ⋅ πππ and a finite state sequence
ππσΈ = π0 π1 ⋅ ⋅ ⋅ ππ +1 such that π0 = πσΈ , ππ +1 ∈ πΉ, and, for
each π ≤ π , we have ππ+1 ∈ πΏ(ππ , πππ ) and π, βπ‘ + π + 1 β¨
πππ (equivalently, Γβπ‘ +π+1 ∈ sat(πππ )).
(c) Now, let βπ‘+1 = βπ‘ + max{|ππσΈ | | πσΈ ∈ ππ,βπ‘ +1 } + 1. And
we let
σ΅¨ σ΅¨
(A.4)
ππ,π = {ππσΈ (π − βπ‘ − 1) σ΅¨σ΅¨σ΅¨σ΅¨ππσΈ σ΅¨σ΅¨σ΅¨σ΅¨ > π − βπ‘ − 1}
for each βπ‘ + 1 < π < βπ‘+1 , where ππσΈ (π ) is the π th element of ππσΈ .
Now, it is not hard to check that ((Γπ , ππ,π ), (Γπ+1 , ππ+1 )) ∈ Δ+ππ
for each π. Moreover, for each π‘, we have ππ,βπ‘ = 0.
(iii) The construction of π
π,π for each 1 ≤ π ≤ π is as
follows.
Assume that the πth NL-subformula ¬ππ = ¬Aπ (π1 , . . . , ππ )
and the automata connective Aπ = β¨{π1 , . . . , ππ }, π, πΏ, π, πΉβ©;
then the construction is as follows.
(a) First, let β0 = 0, and, for each π‘ ≥ 0, once βπ‘ is decided,
we use the following steps to determine βπ‘+1 and each
set π
π,π for βπ‘ < π < βπ‘+1 .
σΈ
(b) Let π
π,βπ‘ = 0, and let π
π,βπ‘ +1 = {πσΈ | Γβπ‘ +1 ∈ sat(¬Aπ (π1 ,
. . . , ππ ))}. For each π ≥ βπ‘ + 1, let
π
π,π+1 = β {πΏ (πσΈ , ππ ) | 1 ≤ π ≤ π, Γπ ∈ sat (ππ )} .
πσΈ ∈π
π,π
(A.5)
(c) Since we have shown that Γ, π β¨ π if and only if
π, π β¨ π for every π ∈ sub(π) ∪ el(π), it is not hard
to show that if π
π,βπ‘ +1 =ΜΈ 0, then there is some π > βπ‘ + 1
such that π
π,π = 0—otherwise (because, if π
π,π =ΜΈ 0
for each π‘ > βπ‘ , using KoΜnig’s lemma, we may find
σΈ
a run of Aπ over some infinite word), we can show
σΈ
this implies that Γβπ‘ +1 ∈ sat(Aπ (π1 , . . . , ππ )), which is
contradiction!
If π
π,βπ‘ +1 = 0, let βπ‘+1 = βπ‘ + 1; otherwise, let βπ‘+1 = π.
According to the construction, it can be examined that
((Γπ , π
π,π ), (Γπ+1 , π
π,π+1 )) ∈ Δ−¬ππ for each π. In addition, we have
π
π,βπ‘ = 0 for each π‘ ≥ 0.
Taking all the above into account, by definition, we may
conclude that (π π , π π+1 ) ∈ ππ for every π ≥ 0; hence π is a fair
path of Tπ . According to the construction of Γπ s, we have that
π = πΏ π (π); hence π ∈ L(Tπ ).
Acknowledgments
The authors thank the anonymous reviewers for their helpful
comments on a previous version of this paper. This work
is supported by the NSFC in China under grant number
61103012, 61272335, 61133007, 91118007, 61120106006, the 863
Program 2011AA010106, 2012AA011201, and the Program for
New Century Excellent Talents in University.
References
[1] R. E. Bryant, “Graph-based algorithms for Boolean function
manipulation,” IEEE Transactions on Computers C, vol. 35, no.
8, pp. 677–691, 1986.
[2] K. L. McMillan, Symbolic model checking, an approach to the
state explosion problem [Ph.D. thesis], Carnegie Mellon University, Pittsburgh, Pa, USA; Kluwer Academic, Boston, Mass,
USA, 1993.
[3] A. Biere, A. Cimatti, E. M. Clarke, and Y. Zhu, “Symbolic model
checking without BDDs,” in Proceedings of the 5th International
Conference on Tools and Algorithms for the Construction and
Analysis of Systems (TACAS ’99), vol. 1579 of Lecture Notes in
Computer Science, pp. 193–207, Springe, Berlin, Germany, 1999.
[4] P. Wolper, “Temporal logic can be more expressive,” Information
and Control, vol. 56, no. 1-2, pp. 72–99, 1983.
[5] A. Pnueli, “Linear and branching structures in the semantics
and logics of reactive systems,” in International Colloquium on
Automata, Language and Programming, W. Brauer, Ed., vol. 194
of Lecture Notes in Computer Science, pp. 15–32, Springer, Berlin,
Germany, 1985.
[6] O. Lichtenstein, A. Pnueli, and L. Zuck, “The glory of the
past,” in Proceedings of the Workshop on Logics of Programs, vol.
193 of Lecture Notes in Computer Science, pp. 97–107, Springer,
Brooklyn, NY, USA, 1985.
[7] Accellera, “Accellera property languages reference manual,”
June 2004, http://www.eda.org/vfv/docs/PSL-v1.1.pdf.
[8] B. Banieqbal and H. Barringer, “Temporal logic with fixed
points,” in Temporal Logic in Specification, vol. 398 of Lecture
Notes in Computer Science, pp. 62–74, Springer, Berlin, Germany, 1987.
[9] A. P. Sistla, M. Y. Vardi, and P. Wolper, “The complementation
problem for BuΜchi automata with applications to temporal
logic,” Theoretical Computer Science, vol. 49, no. 2-3, pp. 217–237,
1987.
[10] M. Leucker and C. Sanchez, “Regular linear temporal logic,” in
Proceedings of the 4th International Conference on Theoretical
Aspects of Computing, vol. 4711 of Lecture Notes in Computer
Science, pp. 291–305, Springer, Berlin, Germany, 2007.
12
[11] R. Armoni, L. Fix, A. Flaisher et al., “The ForSpec temporal
logic: a new temporal property-specification language,” in Proceedings of the International Conference on Tools and Algorithms
for Construction and Analysis of Systems (TACAS ’02), vol. 2280
of Lecture Notes in Computer Science, pp. 296–311, Springer,
Berlin, Germany, 2002.
[12] I. Beer, S. Ben-David, C. Eisner, D. Fisman, A. Gringauze, and
Y. Rodeh, “The temporal logic sugar,” in Proceedings of the 13th
International Conference on Computer Aided Verification, G.
Berry, H. Comon, and A. Frinkel, Eds., vol. 2102 of Lecture Notes
in Computer Science, pp. 363–367, Springer, London, UK, 2001.
[13] M. Y. Vardi and P. Wolper, “Reasoning about infinite computations,” Information and Computation, vol. 115, no. 1, pp. 1–37,
1994.
[14] J. R. BuΜchi, “On a decision method in restricted second order
arithmetic,” in Proceedings of the International Congresses in
Logic, Methodology and Philosophy of Science 1960, pp. 1–12,
Stanford University Press, Palo Alto, Calif, USA, 1962.
[15] W. Liu, J. Wang, and Z. Wang, “Symbolic model checking of
ETL,” Journal of Software, vol. 20, no. 8, pp. 2015–2025, 2009.
[16] W. Liu, J. Wang, H. Chen, X. Ma, and Z. Wang, “Symbolic model
checking APSL,” Frontiers of Computer Science in China, vol. 3,
no. 1, pp. 130–141, 2009.
[17] M. Jehle, J. Johannsen, M. Lange, and N. Rachinsky, “Bounded
model checking for all regular properties,” Electronic Notes in
Theoretical Computer Science, vol. 144, no. 1, pp. 3–18, 2006.
[18] A. Pnueli and A. Zaks, “PSL model checking and run-time
verification via testers,” Formal Methods, Springer, Berlin,
Germany, vol. 4085, pp. 573–586, 2006.
[19] A. Cimatti, M. Roveri, S. Semprini, and S. Tonetta, “From PSL
to NBA: a modular symbolic encoding,” in Formal Methods
in Computer Aided Design (FMCAD ’06), Lecture Notes in
Computer Science, pp. 125–133, Springer, 2006.
[20] E. M. Clarke, O. Grumberg, and K. Hamaguchi, “Another look
at LTL model checking,” in Computer Aided Verification, 6th
International Conference (CAV ’94), vol. 818 of Lecture Notes in
Computer Science, pp. 415–427, Springer, Berlin, Germany, 1994.
[21] A. Biere, K. Heljanko, T. Junttila, T. Latvala, and V. Schuppan,
“Linear encodings of bounded LTL model checking,” Logical
Methods in Computer Science, vol. 2, no. 5, article 5, 2006.
[22] E. Clarke, D. Kroening, J. Ouaknine, and O. Strichman,
“Completeness and complexity of bounded model checking,”
in Verification, Model Checking, and Abstract Interpretation
(VMCAI ’04), vol. 2937 of Lecutre Notes in Computer Science,
pp. 85–96, Springer, Berlin, Germany, 2004.
[23] T. Latvala, A. Biere, K. Heljanko, and T. Junttila, “Simple
bounded LTL model checking,” in Formal Methods in Computer-Aided Design (FMCAD ’04), A. Hu and A. Martin, Eds., vol.
3312 of Lecture Notes in Computer Science, pp. 186–200, Springer,
Berlin, Germany, 2004.
[24] T. Latvala, A. Biere, K. Heljanko, and T. Junttila, “Simple
is better: efficient bounded model checking for past LTL,”
in Verification, Model Checking, and Abstract Interpretation
(VMCAI ’05), vol. 3385 of Lecture Notes in Computer Science,
pp. 380–395, Springer, Berlin, Germany, 2005.
[25] R. Cavada, A. Cimatti, C. A. Jochim et al., “NuSMV 2. 5 user
manual,” April 2010, http://nusmv.fbk.eu/NuSMV/userman/
v25/nusmv.pdf.
[26] K. Heljanko, T. Junttila, and T. Latvala, “Incremental and complete bounded model checking for full PLTL,” in Proceedings of
the 17th International Conference of Computer Aided Verification
Journal of Applied Mathematics
[27]
[28]
[29]
[30]
(CAV ’05), K. Etessami and S. K. Rajamani, Eds., vol. 3576 of
Lecture Notes in Computer Science, pp. 98–111, Springer, Berlin,
Germany, 2005.
Q. Yan, “Lower bounds for complementation of π-automata
via the full automata technique,” Journal of Logical Methods in
Computer Science, vol. 4, no. 1, article 5, 2008.
O. Kupferman and M. Y. Vardi, “Weak alternating automata are
not that weak,” ACM Transactions on Computational Logic, vol.
2, no. 3, pp. 408–429, 2001.
E. Friedgut, O. Kupferman, and M. Y. Vardi, “BuΜchi complementation made tighter,” in Automated Technology for Verification and Analysis (ATVA ’06), vol. 3299 of Lecture Notes in
Computer Science, pp. 64–78, Springer, Berlin, Germany, 2004.
S. Schewe, “BuΜchi complementation made tight,” in STACS
2009: 26th International Symposium on Theoretical Aspects of
Computer Science, vol. 3, pp. 661–672, IBFI, 2009.
Advances in
Operations Research
Hindawi Publishing Corporation
http://www.hindawi.com
Volume 2014
Advances in
Decision Sciences
Hindawi Publishing Corporation
http://www.hindawi.com
Volume 2014
Mathematical Problems
in Engineering
Hindawi Publishing Corporation
http://www.hindawi.com
Volume 2014
Journal of
Algebra
Hindawi Publishing Corporation
http://www.hindawi.com
Probability and Statistics
Volume 2014
The Scientific
World Journal
Hindawi Publishing Corporation
http://www.hindawi.com
Hindawi Publishing Corporation
http://www.hindawi.com
Volume 2014
International Journal of
Differential Equations
Hindawi Publishing Corporation
http://www.hindawi.com
Volume 2014
Volume 2014
Submit your manuscripts at
http://www.hindawi.com
International Journal of
Advances in
Combinatorics
Hindawi Publishing Corporation
http://www.hindawi.com
Mathematical Physics
Hindawi Publishing Corporation
http://www.hindawi.com
Volume 2014
Journal of
Complex Analysis
Hindawi Publishing Corporation
http://www.hindawi.com
Volume 2014
International
Journal of
Mathematics and
Mathematical
Sciences
Journal of
Hindawi Publishing Corporation
http://www.hindawi.com
Stochastic Analysis
Abstract and
Applied Analysis
Hindawi Publishing Corporation
http://www.hindawi.com
Hindawi Publishing Corporation
http://www.hindawi.com
International Journal of
Mathematics
Volume 2014
Volume 2014
Discrete Dynamics in
Nature and Society
Volume 2014
Volume 2014
Journal of
Journal of
Discrete Mathematics
Journal of
Volume 2014
Hindawi Publishing Corporation
http://www.hindawi.com
Applied Mathematics
Journal of
Function Spaces
Hindawi Publishing Corporation
http://www.hindawi.com
Volume 2014
Hindawi Publishing Corporation
http://www.hindawi.com
Volume 2014
Hindawi Publishing Corporation
http://www.hindawi.com
Volume 2014
Optimization
Hindawi Publishing Corporation
http://www.hindawi.com
Volume 2014
Hindawi Publishing Corporation
http://www.hindawi.com
Volume 2014
