Table of Contents Author Guidelines Submit a Manuscript
Journal of Applied Mathematics
Volume 2013, Article ID 462532, 12 pages
http://dx.doi.org/10.1155/2013/462532
Research Article

Bounded Model Checking of ETL Cooperating with Finite and Looping Automata Connectives

College of Computer Science, National University of Defense Technology, Changsha, Hunan 410073, China

Received 8 March 2013; Accepted 14 June 2013

Academic Editor: Xiaoyu Song

Copyright © 2013 Rui Wang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

As a complementary technique of the BDD-based approach, bounded model checking (BMC) has been successfully applied to LTL symbolic model checking. However, the expressiveness of LTL is rather limited, and some important properties cannot be captured by such logic. In this paper, we present a semantic BMC encoding approach to deal with the mixture of and . Since such kind of temporal logic involves both finite and looping automata as connectives, all regular properties can be succinctly specified with it. The presented algorithm is integrated into the model checker ENuSMV, and the approach is evaluated via conducting a series of imperial experiments.

1. Introduction

A crucial bottleneck of model checking is the state-explosion problem, and the symbolic model checking technique has proven to be an applicable approach to alleviate it. In the early 1990s, McMillan presented the BDD [1] based model checking technique [2]. It is first applied to CTL model checking and is later adapted to deal with LTL. With the rapid evolvement of SAT solvers, an entirely new approach, namely, bounded model checking (BMC), is presented in [3]. It rerpresents the problem “there is a path (with bounded length) violating the specification in the model” with a Boolean formula and then tests its satisfiability via a SAT solver. Usually, BMC is considered to be a complementary approach of the BDD-based approach: BMC is normally used for hunting bugs not for proving their absence. It performs better when handling a model having a large reachable state set but involving (relatively) shallow error runnings.

BMC has been successfully employed in LTL model checking. However, LTL has the drawback of limited expressiveness. Wolper was the first to complain about this by addressing the fact that some counting properties such as “ holds at every even moment” cannot be expressed by any LTL formula [4]. Indeed, LTL formulae are just as expressive as star-free -expressions, that is, -regular expressions disallowing arbitrary (in a star-free expression, Kleene-closure operators ( and ) can only be applied upon , which is the whole set of alphabet) use of Kleene-closure operators.

As pointed in [5, 6], it is of great importance for a specification language to have the power to express all -regular properties—as an example, it is a necessary requirement to support modular model checking. Actually, such specification language like PSL [7] has been accepted as industrial standard.

For temporal logics within linear framework, there are several ways to pursue such an expressiveness. (1)The first way is to add fixed-point operators or propositional quantifiers to the logic, such as linear -calculus [8] and QLTL [9]. (2)An alternative choice is to add regular expressions to LTL-like logics, as done in RLTL [10], FTL [11, 12], and PSL [7]. (3)The third approach is to cooperate infinitely many temporal connectives with the logic, just like various of ETLs [4, 9, 13].

The first extension requires finitely many operators in defining formulae. Meanwhile, the use of fixed-point operators and higher-order quantifiers tends to rise difficulties in understanding. In contrast, using regular expressions or automata as syntactical ingredients is much more intuitive in comprehension. To some extent, since nesting of automata connectives is allowed, the third approach generalizes the second one.

In [4], Wolper suggested using right linear grammars as connectives. Later, Wolper, Vardi, and Sistla consider taking various -automata [9, 13]. Depending on the type of automata used as temporal connectives, we may obtain various ETLs. As a result, ETLs employing -automata with looping, finite, and repeating (alternatively, Büchi [14]) acceptance are, respectively, named , , and , and all of them are known to be as expressive as -regular expressions [13].

We have presented a BDD-based model checking algorithm for in [15] and an algorithm for BDD-based model checking of an invariant of PSL in [16]. Jehle et al. present a bounded model checking algorithm for linear -calculus in [17]. And in [18], a tester based symbolic model checking approach is proposed by Pnueli and Zacks to deal with PSL properties. Meanwhile, a modular symbolic Büchi automata construction is presented in [19] by Cimatti et al.

In this paper, we present a semantic BMC encoding for ETL employing both finite acceptance and looping acceptance automata connectives (we in the following refer to it as ). The reason that we study BMC algorithm for such kind of logic is for the following considerations.(1)The BDD-based symbolic model checking technique for has been established in [15] by extending LTL construction [20]. Nevertheless, in a pure theoretical perspective, looping and finite acceptance, respectively, correspond to safety and liveness properties, and looping acceptance automata can be viewed as the counterparts of finite acceptance automata. Actually, both similarities and differences could be found in compiling the semantic models and translating Boolean representations when dealing with these two types of connectives. Since has a rich set of fragments, such as LTL, it is hopeful to develop a unified semantic BMC framework of such logics. (2)Practically, things would usually be much more succinct when employing both types of automata connectives, in comparison to merely using finite or looping ones. As an example, there is no direct encoding for the temporal operator just with finite acceptance automata—to do this with , we need to use a two-state and two-letter connective to represent the operator and then to dualize it. In contrast, with looping automata, we just need to define a one-state and one-letter connective. It would save much space overhead in building tableaux. (3)Lastly, unlike syntactic BMC encodings (such kind of encodings give inductive Boolean translations with the formulae’s structure, cf. [21, 22] for a survey), the semantic fashion [22] yields a natural completeness threshold computation approach, and it describes the fair path finding problem over the product model with Boolean formulae. In this paper, we give a linear semantic encoding approach (opposing to the original quadratic semantic encoding) for . Moreover, the technique can also be tailored to semantic LTL BMC.

We have implemented the presented algorithm with our model checker ENuSMV (Ver. 1.2), and this tool allows end users to customize temporal connectives by defining automata. We have also justified the algorithm by conducting a series of comparative experiments.

The paper is structured as follows: Section 2 briefly revisits basic notions. Section 3 introduces semantic BMC encoding technique for . In Section 4, experimental results of BMC are given. Finally, we conclude the whole paper with Section 5.

2. Preliminaries

An infinite word over the alphabet is a mapping from to ; hence we may use to denote the th letter of . For the sake of simplicity, we usually write as the sequence . A finite prefix of with length is a restriction of to the domain , denoted by .

A (nondeterministic) automaton is a tuple , where: (i) is a finite alphabet, (ii) is a finite set of states, (iii) is a transition function, (iv) is an initial state, and (v) is a set of accepting states.

An infinite run of over an infinite word is an infinite sequence , where and for each . In addition, we say that each prefix is a finite run over .

In this paper, we are concerned with two acceptance types for -automata. Looping. An infinite word is accepted if it has an infinite run over . Finite. An infinite word is accepted if it has a finite prefix , over which there is a finite run and is an accepting state (call such a prefix accepting prefix).

In both cases, we denote by the set of infinite words accepted by .

Given an automaton and a state , we denote by the automaton . That is, is almost identical to , except for that its initial state is replaced by . Hence, and are the same.

Given a set of atomic propositions , the class of formulae can be inductively defined as follows. (i)Both and are formulae. (ii)Each proposition is an formula. (iii)If is an formula, then and are formulae. (iv)If , are formulae, then both and are formulae. (v)If is an automaton with the alphabet and are formulae, then is also an formula.

Remark 1. In the original definition of various ETLs (say , , and ), the “next operator” is not explicitly declared. However, this operator is extremely important in building the semantic BMC encodings for . Hence, we explicitly use this operator in our definition, and it would not change the expressiveness of the logic.

Remark 2. Since we employ both finite and looping acceptance automata connectives, our logic is a mixture of and . On the one hand, generalizes both of these two logics; on the other hand, it can be embedded into ; hence this logic is also as expressive as omega-regular expressions.

The satisfaction relation of an formula with respect to an infinite word and a position is inductively given as follows. (i) and .(ii) if and only if . (iii) if and only if .(iv) if and only if . (v) if and only if and . (vi) if and only if or . (vii)If is a looping acceptance automaton with the alphabet , then if and only if: there is an infinite word , and, for each , implies . (viii)If is a finite acceptance automaton with the alphabet , then if and only if: there is an infinite word with an accepting prefix , such that, for each , implies .

As usual, we directly use in place of .

To make a better understanding of formulas, we here give some examples of the use of automata connectives. (1)Considering the LTL formula , it can be described with an formula , where is the finite acceptance automaton , and we let , , and . (2)The LTL formula is equivalent to the formula , where is a looping acceptance automaton and .

Remark 3. The order of letters is important in defining automata connectives. Hence, the alphabet should be considered as a vector, rather than a set.

We use to denote the set of subformulae of . A formula is in negation normal form (NNF) if all negations in are adjacent to atomic propositions or automata connectives. One can achieve this by repeatedly using De Morgan’s law and the schemas of and . In addition, we call a formula being of the form an automaton formula.

Given a formula (in NNF), we use a two-letter-acronym to designate the type of an automaton subformula of : the first letter is either “P” or “N,” which means “positive” or “negative”; and the second letter can be “F” or “L,” which describes the acceptance type. For example, NL-subformulae stand for “negative automata formulae with looping automata connectives,” such as , where is a two-letter looping automaton.

A model or interchangeably a labeled transition system (LTS) is a tuple , where: (i) is a finite set of states, (ii) is a transition relation (usually, we require to be total; that is, for each , there is some having ), (iii) is the set of initial states, (iv) is the labeling function, and (v) is a set of fairness constraints.

A path of is an infinite sequence , where and for each . In addition, is a fair path if visits each infinitely often. Formally, is a fair path if for each , where denotes the set of states occurring infinitely many times in .

An infinite word is derived from a path of (denoted by ) if for each . We use to denote the set of infinite words derived from fair paths of .

Given an formula and an LTS , we denote by if for each . The model checking problem of is just to verify if holds for the given LTS and the given formula .

3. Semantic BMC Encoding for ETL

In this section, we will give a detailed description of the semantic BMC encoding for . Firstly, we show how to extend the tableau construction of LTL [20] to that of , and hence a product model can also be constructed. Subsequently, we interpret the fairness path finding problem (upon the product model) into SAT, and the size blow-up of this encoding is linear with the bound.

For the sake of convenience, in this section, we always assume that the given formulae have been normalized into NNF.

3.1. The Tableaux of ETL Formulae

Given an formula , we first inductively define its elementary formula set as follows. (i). (ii) for each . (iii)). (iv). (v)If or and the states set of is , then

Hence, if , then is either an atomic proposition or a formula rooted at the next operator.

Subsequently, we define the function sat, which maps each subformula of to a set of members in . Inductively the following hold. (i); . (ii) and . (iii). (iv) and . (v)Suppose that . (1)If is a looping acceptance automaton or a finite acceptance automaton and , then (2)If is a finite acceptance automaton and , then . (vi).

Recall the tableau construction for LTL [20], an “until subformula” would generate a fairness constraint to the tableau. Indeed, such a subformula corresponds to a “least-fixpoint subformula” if we translate the specification into a logic employing higher-order quantifiers, such as -calculus. Similarly, for , the PF- and NL-subformulae also impose fairness constraints. For this reason, we need to define the following two auxiliary relations before giving the tableau construction.

For a PF-subformula of , where , we define a relation as follows: suppose that and ; then if and only if the following hold. (i)When , then, for each , there exists some such that and . (ii)When , then if and only if for each .

Likewise, for each NL-subformula of , we also define a relation . In detail, for any and , we have if and only if the following hold. (i)When , then, for each and , we have: implies . (ii)When , then if and only if , for each .

We now describe the tableau construction for . Suppose that and are, respectively, all the PF-subformulae and NL-subformulae occurring in then the tableau is such an LTS , where:(i) consists of tuples like , where and each (resp., ) is a subset of ’s (resp., ’s) connective’s state set. (ii)For two states and , if and only if the following three conditions hold. (1) if and only if for each . (2) for each . (3) for each . (iii). (iv). (v), where

The below two theorems (Theorems 4 and 5) reveal the language property of tableaux. To remove the lengthiness, we here just provide the proof sketches, and rigorous proofs of them are postponed to the appendices.

Theorem 4. For each , if , then .

Proof (sketch). Just assume that is the corresponding fair path of such that , where . We may inductively prove the following claim.
“For each , we have: implies .”
Because we require that , hence we have .

Theorem 5. For each , if , then .

Proof (sketch). Suppose that ; to show , we need to first construct an infinite state sequence guided by (the detailed construction is given in Section A.2), and then we will subsequently show that is a fair path of and .

The following theorem is immediate from Theorems 4 and 5.

Theorem 6. The model violates the property if and only if , equivalently; there exists some fair path in .

Theorem 7. For an formula , its tableau has at most states.

Proof. Observe that a state should be of the form . For , there are possible choices. Suppose that (resp., ) and the state set of is (resp., with ). According to the construction, each (resp., ) corresponds to a unique elementary formula (resp., ), and such a mapping is an injection. Hence we have Note that (resp., ), and hence we have .

3.2. The Linear Semantic Encoding

Practically, a model’s state space is determined by the evaluation of a set of variables. Further, we may assume that each of them is a “Boolean variable” (which corresponds to a proposition belonging to ), because every variable over finite domain could be encoded with several Boolean variables.

Let be an arbitrary LTS, and we also assume that the corresponding variable set is ; then each state uniquely corresponds to an assignment of such s.

If we use to denote the value of at , then each subset can be represented by a Boolean formula over . In detail, it fulfills where means that is evaluated to be true if we assign each with the value .

Let , and each binary relation also has a Boolean representation over the variable set . That is, where means that is evaluated to be true if we assign each with and assign each with .

Hence, all components of can be encoded: and can be represented by two Boolean formulae and , respectively; we subsequently create a Boolean formula for each ; note that the labeling function is not concerned any longer, because the sates labeled with can be captured by the Boolean formula .

For example, from Theorem 7, we have that the symbolic representation of requires   new Boolean variables—because variables in can be shared with the encoding of the original model.

A canonical Boolean encoding of fair path existence detection upon LTSs is presented in [22]: given a model and a bound , one may use the formula where and are, respectively, the Boolean formulae obtained from and by replacing each variable with a new copy , and is obtained from by replacing each with and replacing each with .

It can be seen that this formula is satisfiable if and only if involves a fair path of the form (call it is of the lasso shape). Since that if and only if contains some lasso fair path (note that from each fair path we may derive another fair path of lasso shape), hence we may convert the fair path detection into the satisfiability problem of the above Boolean formula.

However, a closer look shows that the size of such encoding is quadratic with the bound. To reduce the blow-up in size, we need to introduce the following new variables (the linearization can also be done with the syntactic fashion presented in [23, 24]. We would draw a comparison of these two approaches in Section 4.).  (1) For each , we introduce a new variable . Intuitively, indicates that is a successor of . (2) For each fairness constraint and each , we introduce a variable , and this variable is evaluated to be true only if there is some which is evaluated to true, where .

And the new encoding (with the bound ) can be formulated as

Hence, both the number of variables and the size of this encoding are linear with . Moreover, the following theorem guarantees the correctness of such encoding.

Theorem 8. if and only if   is satisfiable for some .

Proof. We begin with the “if” direction: suppose that the variable set is ; if there is some such that is evaluated to (i.e., true) under the assignment , then we denote for each . Hence, each is a state of . (i)Since the truth value of is under , then we have ; this implies that . (ii)For each , we have and thus . (iii)Because we have the conjunct , then there is some such that . In the following, we fix this specific value for the discussion. (iv)According to the constraint , we have the following. (1), which indicates that . (2)For each , we have . (v)For each fairness constraint and , we now inductively show that “ implies (alternatively, ) for some .” First of all, it holds in the case of , because we have the constraint . In addition, the fact of “when , it holds” can be immediately inferred from the hypothesis “when , it holds,” according to the conjunct . Since we have shown that , we can conclude that there exists some such that .
The above shows that is a fair path of , and hence .
Conversely, for the “only if” direction, it suffices to find some and some assignment evaluating to be true. Since , there must exist some fair path of lasso shape in . Without loss of generality, assume that is such a path; just let be this value, and we now illustrate how the assignment is constructed. (i)For each variable and each , let . Since is an initial state, according to the definition, we have . Meanwhile, because each , we have that the conjunction is satisfied under . (ii)For each , we let Then it can be seen that . (iii)For each and each , we let Then it can be directly checked that the conjunct is evaluated to be true under . (iv)Since , we have . Also note that is a fair path; then for each there is some , where . According to the previous definition, we can infer that . Thus the conjunct is also satisfied under (recall that we have assigned in the case of ).

Thus, the formula is satisfiable.

For bounded model checking, an important issue is the completeness threshold, which is the specific value such that we may declare in the case that is not satisfiable, and we denote it by in this paper.

Since we need only to concern about fair paths of the form , as pointed in [22], a possible candidate for the completeness threshold is where and are, respectively, the diameter and the initialized diameter (cf. [22]). Since [22] just considers LTSs having only one fairness constraint, we here add the factor .

Observe that the part must be enclosed in some SCC (i.e., strongly connected component) of , and we may replace with , where is the largest SCC that intersects all fairness constraints. Therefore, we may get a more compact upper bound of the completeness threshold.

Then, for a given LTS and the given formula , since we have shown that if and only if involves some fair path, we now just need to test if there is some making satisfiable, where .

Remark 9. In the case that , where and for , we have , , and , and in addition, the variable set of is just the union of the variable sets of and .

Remark 10. Actually, for an formula , the symbolic representation of can be directly given without the detour of explicit construction of the LTS. Because, the relation sat could be inductively constructed if we introduce corresponding new variables in . Subsequently, encodings of or could be naturally obtained from the underlying Boolean variables corresponding to states of automata connectives. Hence, the Boolean representation of is obtained. And, encodings of other components are as routine.

4. Experimental Results

To justify our idea, we have integrated (the tool is available at https://sourceforge.net/projects/enusmv12/) the BMC algorithm into ENuSMV (Ver. 1.2). This tool is completely compatible with NuSMV [25], and it allows end-users to customize new temporal connectives by defining automata.

For example, Figure 1 illustrates how to declare a finite acceptance automata connective (to define a looping acceptance automata connective, just replace the keyword FIN with LOOP), namely, A. Since it has three states q1, q2, and q3 (where q1 is the initial state and q3 is an accepting state), then A[q1], A[q2], and A[q3] are also connectives—for example, A[q2] just replaces the initial state with q2. Subsequently, one may define specifications; for example,ETLSPECA(p,A[q2]  (q,p))is a proper declaration.

462532.fig.001
Figure 1: An automata connective declaration in ENuSMV.

In this redistribution, both BDD-based and bounded model checkings for are supported. To perform (semantic encoding based) BMC, we need to use the command option bmc_tab.

We have conducted some experiments to test the correctness and efficiency of our algorithm. In this paper, we are especially concerned with the following issues. (1)The comparison of BDD-based symbolic model checking and bounded model checking. (2)The overhead contrast in verifications of and upon both star-free and nonstar-free properties. (3)The comparison of performances with syntactic/semantic BMC of LTL and semantic BMC of .

To compare the efficiencies between BDD-based MC and BMC, we chose the (distributed mutual exclusion) DME circuit as the model (which involves a buggy design), as described in [3]. It consists of cells for users that want to have exclusive access to a shared resource. We conducted the experiment by describing the liveness property that “a request for using the resource will eventually be acknowledged” (with formula). The max bound are set to , and the comparative results are shown in Table 1, where “C.L." stands for the length of counterexample.

tab1
Table 1: Comparative results of BDD-based and BMC approaches.

As a previous work, we have implemented the symbolic model checking algorithm for in ENuSMV 1.0. To justify that in general could be more effectively checked, we would make a comparison of BMC for and .

To draw the comparison upon non-start-free regular properties, we use a “mod counter” as the model. The model consists of cellsbit_0,…,bit_n-1. Each cell is a () counter having an input carry_in and an output signal carry_out. These cells are connected in a serial manner; that is, bit_0’s carry_in is set to 1, and bit_i’s carry_in is connected to bit_i1’s carry_out as described in Figure 2.

462532.fig.002
Figure 2: The circuit of MOD counter.

We, respectively, describe the periodicity property that “bit_0 carries out at every even (except for ) moment” with and . We set the time bound to 1 hour, and Table 2 provides the max bounds (together with related information) which can be handled by the SAT solver within the time bound. From it, we can see that a deeper search could be done when specifications are described with .

tab2
Table 2: Comparison of and with periodicity properties.

To compare the overhead of and upon star-free properties, we would first use the DME model to check the safety property: “no two cells will be simultaneously acknowledged.” The results are shown in Table 3, and the time bound is also set to 1 hour.

tab3
Table 3: Comparison of and with safety properties.

At the same time, we can also compare the verification performances of the DME model upon the aforementioned liveness property that “each request will be acknowledged in the further.” Note that for this property, the verification could be accomplished within the given time bound, and a counterexample could be detected at the bound . The comparative results are given in Table 4.

tab4
Table 4: Comparison of and with liveness properties.

The last group of experiments aims at comparing the efficiencies of (syntactic/semantic) LTL BMC and BMC. First of all, for LTL BMC, we are also concerned with two types of encoding approaches. (1)The Syntactic Approach. We here adopt the linear incremental syntactic encoding proposed in [26]—to the best of our knowledge, this is the most effective syntactic encoding for full LTL. (2)The Semantic Approach. ENuSMV 1.2 also supports semantic encoding for LTL—this is tailored from our linear encoding presented in Section 3.2.

We still use the DME circuit as the model and the liveness property as specification; Table 5 provides the experimental results on LTL BMC based on syntactic and semantic encodings. From that, we can see that, with semantic encoding, it tends to generate less clauses and tends to terminate earlier than that with the syntactic encoding, whereas the latter requires fewer variables.

tab5
Table 5: Comparison of syntactic/semantic LTL BMC with liveness properties.

Meanwhile, we can also make a comparison between Tables 4 and 5; we may find that the variable numbers of semantic ETL BMC and LTL BMC are almost at a fixed ratio—for this experiment, the ratio is 1.09 (approximately).

5. Concluding Remarks

The logic is a variant of extended temporal logic, it employs both finite and looping acceptance automata connectives, and it can be considered a mixture of and . Thus, any omega-regular properties can be succinctly described with this kind of logic, particularly for safety and liveness properties.

We have presented the semantic bounded model checking algorithm for . The central part of this approach is the tableau construction. Meanwhile, we also illustrate how to give a linear BMC encoding for it. To justify it, we have implemented the presented algorithm (in ENuSMV 1.2). Experimental results show that could be more efficiently verified via BMC (in comparison to our previous implementation for ).

In this paper, verification of , namely, extended temporal logic using Büchi (alternatively, repeating) automata as connectives, has not been studied. This is partly because of the inherited difficulties of Büchi complementation [27]. Indeed, we may mimic the ranking complementing technique of Büchi automata [2830]. However, this would cause an asymptotically quadratic blow-up of variable number in building the tableaux. Hence, a further work is about to study the semantic BMC encodings of .

Appendix

A. Omitted Proofs

A.1. Proof of Theorem 4

Just assume that is the corresponding fair path of having , where . We now inductively prove the following claim. “For each , we have: implies .”

(i) The basic cases are trivial. (a), or . Since holds trivially, the case never happens. (b), or , where . Because if and only if if and only if if and only if . Similar to show it when .

(ii) The following inductions are as routine. (a)For the case , or . For the first case, we have if and only if and ; by induction, we have and ; hence ; similar to the case of . (b)In the case of , we have if and only if , according to the definition of (note that in this case is an elementary formula of ). By induction, we have ; hence .

(iii) If is a PF-subformula, without loss of generality, assume (i.e., the th PF-subformula of ), where and , then the proof is given as follows.

Since is a fair path, there exists , such that and for each . (a)First, let ; then we have . (b)For each , if and , then, according to the definition of sat, there is some and a such that , , and (equivalently, , as discussed above). Now, we let .

Till now, if there is some having , we stop the processing. Otherwise, we go on with the following processing. (a)When , we have . Since , according to the definition of , we have . (b)For each , if and , according to , there is some , such that , and there is some . Now, we let .

Notice that , and we have the inductive assertion that implies ; hence there must exist some .

Thus, have some accepting prefix of some infinite word. On the other hand, by induction, implies . Hence, we have by definition.

(iv) If is an NF-subformula of and assume that , then the proof is given as below.

Assume by contradiction it is not the case; then holds. Therefore, there exist some accepting prefix of some infinite word and a state sequence such that (a),   and each , (b)for each , we have .

Then, we have the following facts. (a), because . (b)Assume that , where ; then . In addition, implies that —otherwise (it is not hard to show that if there is an infinite path in starting from , then, for each , either or holds), ; then we have by induction contradicts! Hence, by the definition of sat, we have .

Then, we have when . However, it contradicts the premiss , because . Therefore, the assumption is a falsity, and this implies that holds.

(v) If is a PL-subformula of , where , then we have the following proof in the case that . (a)Let , and . (b)For each , assume that ; then by the definition of sat, there is some , such that , and there is some such that (equivalently, holds). Now, we let .

Hence, we have an accepting run of over the infinite word . Meanwhile, by induction, implies that . By definition, we have in this case.

(vi) Lastly, consider the case , where is a looping acceptance automaton.

Suppose that , and assume by contradiction that ; then there is an infinite word and for each . Also, let the corresponding run of on is , where .

Without loss of generality, suppose that (i.e., the th NL-subformula); since is a fair path, there must exist some such that and for each . Then(a), because , (b)as discussed before (in the case of NF-subformula), implies that . For each , if holds, according to the definition of sat, for each , we have . Note that ; hence .

Therefore, we have for each .

According to the definition of , we have (a), since , (b)for each having , since , then implies . Therefore, .

The above induction implies that for each . However, it is impossible since . Hence, the assumption is incorrect, which implies that also holds in this case.

Clearly, the above induction is complete. Because we require that , we have .

A.2. Proof of Theorem 5

Suppose that to show , we need to first construct an infinite state sequence , where , and then we will show that is a fair path of and .

(i) The construction of is as follows.

For each , we let . We will now show the following claim.“For each , we have if and only if .”

By induction of the structure of the following hold. (a)Cases are trivial when or . (b)If , then . Thus, if and only if if and only if if and only if . Similar to show the case of .(c)Another basic case is : note that in this case we also have ; hence if and only if if and only if . (d)If , then if and only if and . By induction, we have and that is, . Similar to show the case of .(e)If , where and if is a looping acceptance automaton or a finite acceptance automaton, but , it is not difficult to show that Then by induction and according to the scheme and , we have if and only if Otherwise, if is a finite acceptance automaton and , then In this case, , and hence the claim “ if and only if ” also holds. (f)If , then if and only if if and only if if and only if .

Now, we have the following properties. (1)Since , we have , and hence . (2)For each and each , we have if and only if if and only if if and only if . (3)For each and each , we have if and only if if and only if . Hence, .

(ii) The construction of , for is as follows.

Assume that the th PF-subformula and the automata connective ; then the construction is as follows. (a)We will find a series of “key positions, having for each . First, let , and, for each , once has been determined, we use the following two steps to determine and each for . (b)Let , and let . For each , there must exit a finite word and a finite state sequence such that , , and, for each , we have and (equivalently, ). (c)Now, let . And we let for each , where is the th element of .

Now, it is not hard to check that for each . Moreover, for each , we have .

(iii) The construction of for each is as follows.

Assume that the th NL-subformula and the automata connective ; then the construction is as follows. (a)First, let , and, for each , once is decided, we use the following steps to determine and each set for . (b)Let , and let . For each , let (c)Since we have shown that if and only if for every , it is not hard to show that if , then there is some such that —otherwise (because, if for each , using König’s lemma, we may find a run of over some infinite word), we can show for some , and this implies that , which is contradiction!

If , let ; otherwise, let .

According to the construction, it can be examined that for each . In addition, we have for each .

Taking all the above into account, by definition, we may conclude that for every ; hence is a fair path of . According to the construction of s, we have that ; hence .

Acknowledgments

The authors thank the anonymous reviewers for their helpful comments on a previous version of this paper. This work is supported by the NSFC in China under grant number 61103012, 61272335, 61133007, 91118007, 61120106006, the 863 Program 2011AA010106, 2012AA011201, and the Program for New Century Excellent Talents in University.

References

  1. R. E. Bryant, “Graph-based algorithms for Boolean function manipulation,” IEEE Transactions on Computers C, vol. 35, no. 8, pp. 677–691, 1986. View at Google Scholar · View at Scopus
  2. K. L. McMillan, Symbolic model checking, an approach to the state explosion problem [Ph.D. thesis], Carnegie Mellon University, Pittsburgh, Pa, USA; Kluwer Academic, Boston, Mass, USA, 1993.
  3. A. Biere, A. Cimatti, E. M. Clarke, and Y. Zhu, “Symbolic model checking without BDDs,” in Proceedings of the 5th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS '99), vol. 1579 of Lecture Notes in Computer Science, pp. 193–207, Springe, Berlin, Germany, 1999. View at Google Scholar
  4. P. Wolper, “Temporal logic can be more expressive,” Information and Control, vol. 56, no. 1-2, pp. 72–99, 1983. View at Publisher · View at Google Scholar · View at MathSciNet
  5. A. Pnueli, “Linear and branching structures in the semantics and logics of reactive systems,” in International Colloquium on Automata, Language and Programming, W. Brauer, Ed., vol. 194 of Lecture Notes in Computer Science, pp. 15–32, Springer, Berlin, Germany, 1985. View at Publisher · View at Google Scholar · View at MathSciNet
  6. O. Lichtenstein, A. Pnueli, and L. Zuck, “The glory of the past,” in Proceedings of the Workshop on Logics of Programs, vol. 193 of Lecture Notes in Computer Science, pp. 97–107, Springer, Brooklyn, NY, USA, 1985.
  7. Accellera, “Accellera property languages reference manual,” June 2004, http://www.eda.org/vfv/docs/PSL-v1.1.pdf.
  8. B. Banieqbal and H. Barringer, “Temporal logic with fixed points,” in Temporal Logic in Specification, vol. 398 of Lecture Notes in Computer Science, pp. 62–74, Springer, Berlin, Germany, 1987. View at Google Scholar · View at MathSciNet
  9. A. P. Sistla, M. Y. Vardi, and P. Wolper, “The complementation problem for Büchi automata with applications to temporal logic,” Theoretical Computer Science, vol. 49, no. 2-3, pp. 217–237, 1987. View at Publisher · View at Google Scholar · View at MathSciNet
  10. M. Leucker and C. Sanchez, “Regular linear temporal logic,” in Proceedings of the 4th International Conference on Theoretical Aspects of Computing, vol. 4711 of Lecture Notes in Computer Science, pp. 291–305, Springer, Berlin, Germany, 2007. View at Google Scholar
  11. R. Armoni, L. Fix, A. Flaisher et al., “The ForSpec temporal logic: a new temporal property-specification language,” in Proceedings of the International Conference on Tools and Algorithms for Construction and Analysis of Systems (TACAS '02), vol. 2280 of Lecture Notes in Computer Science, pp. 296–311, Springer, Berlin, Germany, 2002. View at Google Scholar
  12. I. Beer, S. Ben-David, C. Eisner, D. Fisman, A. Gringauze, and Y. Rodeh, “The temporal logic sugar,” in Proceedings of the 13th International Conference on Computer Aided Verification, G. Berry, H. Comon, and A. Frinkel, Eds., vol. 2102 of Lecture Notes in Computer Science, pp. 363–367, Springer, London, UK, 2001. View at Google Scholar
  13. M. Y. Vardi and P. Wolper, “Reasoning about infinite computations,” Information and Computation, vol. 115, no. 1, pp. 1–37, 1994. View at Publisher · View at Google Scholar · View at MathSciNet
  14. J. R. Büchi, “On a decision method in restricted second order arithmetic,” in Proceedings of the International Congresses in Logic, Methodology and Philosophy of Science 1960, pp. 1–12, Stanford University Press, Palo Alto, Calif, USA, 1962.
  15. W. Liu, J. Wang, and Z. Wang, “Symbolic model checking of ETL,” Journal of Software, vol. 20, no. 8, pp. 2015–2025, 2009. View at Publisher · View at Google Scholar · View at MathSciNet
  16. W. Liu, J. Wang, H. Chen, X. Ma, and Z. Wang, “Symbolic model checking APSL,” Frontiers of Computer Science in China, vol. 3, no. 1, pp. 130–141, 2009. View at Publisher · View at Google Scholar · View at Scopus
  17. M. Jehle, J. Johannsen, M. Lange, and N. Rachinsky, “Bounded model checking for all regular properties,” Electronic Notes in Theoretical Computer Science, vol. 144, no. 1, pp. 3–18, 2006. View at Publisher · View at Google Scholar · View at Scopus
  18. A. Pnueli and A. Zaks, “PSL model checking and run-time verification via testers,” Formal Methods, Springer, Berlin, Germany, vol. 4085, pp. 573–586, 2006. View at Google Scholar · View at Scopus
  19. A. Cimatti, M. Roveri, S. Semprini, and S. Tonetta, “From PSL to NBA: a modular symbolic encoding,” in Formal Methods in Computer Aided Design (FMCAD '06), Lecture Notes in Computer Science, pp. 125–133, Springer, 2006. View at Publisher · View at Google Scholar · View at Scopus
  20. E. M. Clarke, O. Grumberg, and K. Hamaguchi, “Another look at LTL model checking,” in Computer Aided Verification, 6th International Conference (CAV '94), vol. 818 of Lecture Notes in Computer Science, pp. 415–427, Springer, Berlin, Germany, 1994. View at Google Scholar
  21. A. Biere, K. Heljanko, T. Junttila, T. Latvala, and V. Schuppan, “Linear encodings of bounded LTL model checking,” Logical Methods in Computer Science, vol. 2, no. 5, article 5, 2006. View at Publisher · View at Google Scholar · View at MathSciNet
  22. E. Clarke, D. Kroening, J. Ouaknine, and O. Strichman, “Completeness and complexity of bounded model checking,” in Verification, Model Checking, and Abstract Interpretation (VMCAI '04), vol. 2937 of Lecutre Notes in Computer Science, pp. 85–96, Springer, Berlin, Germany, 2004. View at Publisher · View at Google Scholar · View at MathSciNet
  23. T. Latvala, A. Biere, K. Heljanko, and T. Junttila, “Simple bounded LTL model checking,” in Formal Methods in Computer-Aided Design (FMCAD '04), A. Hu and A. Martin, Eds., vol. 3312 of Lecture Notes in Computer Science, pp. 186–200, Springer, Berlin, Germany, 2004. View at Google Scholar
  24. T. Latvala, A. Biere, K. Heljanko, and T. Junttila, “Simple is better: efficient bounded model checking for past LTL,” in Verification, Model Checking, and Abstract Interpretation (VMCAI '05), vol. 3385 of Lecture Notes in Computer Science, pp. 380–395, Springer, Berlin, Germany, 2005. View at Publisher · View at Google Scholar · View at MathSciNet
  25. R. Cavada, A. Cimatti, C. A. Jochim et al., “NuSMV 2. 5 user manual,” April 2010, http://nusmv.fbk.eu/NuSMV/userman/v25/nusmv.pdf.
  26. K. Heljanko, T. Junttila, and T. Latvala, “Incremental and complete bounded model checking for full PLTL,” in Proceedings of the 17th International Conference of Computer Aided Verification (CAV '05), K. Etessami and S. K. Rajamani, Eds., vol. 3576 of Lecture Notes in Computer Science, pp. 98–111, Springer, Berlin, Germany, 2005. View at Google Scholar · View at MathSciNet
  27. Q. Yan, “Lower bounds for complementation of ω-automata via the full automata technique,” Journal of Logical Methods in Computer Science, vol. 4, no. 1, article 5, 2008. View at Publisher · View at Google Scholar · View at MathSciNet
  28. O. Kupferman and M. Y. Vardi, “Weak alternating automata are not that weak,” ACM Transactions on Computational Logic, vol. 2, no. 3, pp. 408–429, 2001. View at Publisher · View at Google Scholar · View at MathSciNet
  29. E. Friedgut, O. Kupferman, and M. Y. Vardi, “Büchi complementation made tighter,” in Automated Technology for Verification and Analysis (ATVA '06), vol. 3299 of Lecture Notes in Computer Science, pp. 64–78, Springer, Berlin, Germany, 2004. View at Google Scholar
  30. S. Schewe, “Büchi complementation made tight,” in STACS 2009: 26th International Symposium on Theoretical Aspects of Computer Science, vol. 3, pp. 661–672, IBFI, 2009. View at Google Scholar · View at MathSciNet