LVM-chap4

7/31/2019 LVM-chap4

1/44

Chapter 4

Regular properties

In this chapter we address the problem of verifying whether a certain class ofsafety properties, liveness properties, and some other liner-time propertiesis satisfied by system. We start by considering regular safety properties,that is, safety properties whose set of bad prefixes is a regular language.

Then, we generalize the construction to

-regular properties. These includeregular safety properties but also regular liveness properties.As we saw in Chapter 1, a regular language is denoted by a regular

expression. However, regular expressions are not very useful from an op-erational perspective. To this end, finite automata are usually used as anoperational semantics for regular languages. The class of regular safetyproperties will be defined using finite automata to characterize the set ofbad prefixes.

To address the notion of -regular properties we need to consider -regular languages. Recall that these are denoted by -regular expressions.And, like regular expressions, these are not very useful from an operational

perspective. In this case, we will use Bchi automata to characterize -regular languages.

4.1 Finite Automata

Definition 4.1. A nondeterministic finite automaton (NFA) is a tuple A =Q,, , Q0, F where:

Q is a finite set of states;

63

7/31/2019 LVM-chap4

2/44

64 CHAPTER 4. REGULAR PROPERTIES

is a nonempty finite set (alphabet);

: Q 2Q (the transition function);

Q0 Q is a set of initial states;

F Q is a set of final states.

The size ofA, denoted by |A| is the number of states and transitions inA, that is,

|A| = |Q| +qQ

v

|(q, v)|.

The elements in are the symbols on which the automaton is defined.The set Q0 is a (possibly empty) set of initial states from which the au-tomaton may start. The set F is the (possibly empty) set of final states,also called accept states.

Example 4.2. Consider the NFA depicted in Figure 4.1. In this case,A = Q,, , Q0, F is such that

Q = {q0, q1, q2},

= {0, 1},

Q0 = {q0},

F = {q2},

is defined by

(q0, 0) = (q0, 1) = {q1}(q1, 0) = {q1, q2} (q1, 1) = {q1}

(q2, 0) = (q2, 1) =

Initial states are marked with an incoming arrow without source and acceptstates are drawn with a double circle.

Given an NFA A we can extend the transition function to words of.

Definition 4.3. Let A = Q,, , Q0, F be an NFA. The function :Q 2Q is inductively defined as follows:

7/31/2019 LVM-chap4

3/44

4.1. FINITE AUTOMATA 65

q0start q1 q21

1

0

0

Figure 4.1: An example of an NFA.

(q, ) = {q};

(q , v w) =

q(q,v) (q, w), for v and w .

The intuitive behavior of an NFA is as follows. Initially the automatonis given an input word w . For each symbol in the word, the automatonmoves to another state, according to the transition function . That is, if theautomaton is at a certain state q Q and the next symbol in w is v thenthe next state is chosen from (q, v). If more than one state is available

at (q, v) then the choice of the next state is made nondeterministically.This process is repeated until the entire word is analyzed or until a state isreached where no transition for the current symbol is available. In this case,the automaton halts and the input word is rejected. If the entire word hasbeen analyzed then the automaton halts. If the current state is an acceptstate then the word is accepted, otherwise it is rejected.

The possible behaviors of an NFA for a given input word are defined bythe notion of run. For a given input word there might be several possiblebehaviors (runs), some of which may be accepting while others may berejecting. A word is accepted by an NFA if there is at least one acceptingrun.

Definition 4.4. Let A = Q,, , Q0, F be an NFA. The accepted languageof A is the set

L(A) = {w | (q0, w) F = for some q0 Q0}.

Definition 4.5. Let A = Q,, , Q0, F be an NFA and w = v1 . . . vn . A run for w in A is a finite sequence of states q0 . . . qn such that

q0 Q0;

7/31/2019 LVM-chap4

4/44


qi+1 (qi, vi+1), for every 0 i < n.

The run is accepting if qn F.

Lemma 4.6. Let A = Q,, , Q0, F be an NFA. Then,

L(A) = {w | there exists an accepting run for w in A}.

Example 4.7. Recall the NFA of Example 4.2. Examples of runs are

q0 for the empty word ,

q0 q1 q1 for the words 10 and 11,

q0 q1 q1 q1 for the words 100, 101, 110 and 111,

q0 q1 q2 for the word 10.

An accepting run is a run that ends in an accepting state, in this case, q2.From the runs above, the only accepting run is q0 q1 q2 for 10. Observe,in particular, that the word 10 has two possible runs: q0 q1 q1 and q0 q1 q2.

The first is not accepting while the second is. Consequently, the word 10is accepted by the automaton, that is, it belongs to the accepted languageof A, written 10 L(A). Conversely, the word 11 is not accepted by Abecause the only run for this word is q0 q1 q1 and this run is not accepting.Finally, observe that there is no run for the word 00.

It is not very difficult to see that the accepted language of A is the setof all finite words over {0, 1} that start with a 1 and end with a 0, that is,the language denoted by the regular expression 1(0 + 1)0.

It can be shown that the language accepted by an NFA is a regularlanguage, that is, given an NFA A it is always possible to generate a regularexpression E

Asuch that L(A) = L(E

A). Conversely, every regular language

is accepted by some NFA, that is, given a regular expression E it is alwayspossible to construct an NFA AE such that L(E) = L(AE). We statewithout proof the following results.

Proposition 4.8. Let L be a regular language over. Then, there is anNFA A with alphabet such that L = L(A).

Proposition 4.9. Let A be an NFA with alphabet . Then L(A) is aregular language over.

7/31/2019 LVM-chap4

5/44

7/31/2019 LVM-chap4

6/44


for every q1 Q1, q2 Q2 and v .

It is not very difficult to see that L(A1 A2) = L(A1) L(A2). Theinterested reader is asked to prove such a result in Exercise 2.3.

Example 4.14. Let A1 be the NFA of Example 4.2 and let A2 be the NFAdefined in Figure 4.2. Recall that A1 accepts all the sequences of 0s and

1s that start with 1 and end with 0. It is not very difficult to see that A2accepts only the sequences 10 and 101.

q0start q

1 q

2 q

31 0 1

Figure 4.2: An NFA that accepts the sequences 10 and 101.

The relevant part of the NFA A1 A2 is depicted in Figure 4.3. Forsimplicity, we only present the reachable states (the complete NFA will have

12 states, most of which are not reachable). Observe that the only initialstate is q0, q

0 and that the only final states are q2, q

2 and q2, q

3, butthis last state is not reachable. The relevant part of the transition functionfor this automaton is defined as follows:

(q0, q

0, 0) = 1(q0, 0) 2(q

0, 0) =

(q0, q

0, 1) = 1(q0, 1) 2(q

0, 1) = {q1} {q

1} = {q1, q

1}

(q1, q

1, 0) = 1(q1, 0) 2(q

1, 0) = {q1, q2} {q

2} = {q1, q

2, q2, q

2}

(q1, q

1, 1) = 1(q1, 1) 2(q

1, 1) = {q1} =

(q1, q

2, 0) = 1(q1, 0) 2(q

2, 0) = {q1, q2} =

(q1, q

2

, 1) = 1(q1, 1) 2(q

2

, 1) = {q1} {q

3

} = {q1, q

3

}

(q1, q

3, 0) = 1(q1, 0) 2(q

3, 0) = {q1, q2} =

(q1, q

3, 1) = 1(q1, 1) 2(q

3, 1) = {q1}

(q2, q2, 0) = 1(q2, 0) 2(q

2, 0) = =

(q2, q

2, 1) = 1(q2, 1) 2(q

2, 1) = {q

3} =

Analyzing this automaton, we conclude that the only accepted word isthe sequence 10, exactly the only word in L(A1) L(A2).

7/31/2019 LVM-chap4

7/44

4.1. FINITE AUTOMATA 69

q0, q

0start q1, q

1

q1, q

2 q1, q

3

q2, q

2

1

0

0

1

Figure 4.3: Part of the NFA A1 A2.

We now consider the complementation operator for regular languages.Let L be a regular language. We know from Proposition 4.9 that there isan NFA A such that L = L(A). We want to construct an NFA A thataccepts the complement language \ L. One might be led to thinkingthat swapping final states with non final states would be enough. This is in

fact the main idea behind the construction, but some care must be taken.Consider, for instance, the NFA of Example 4.2. If we simply swapped finalstates with non final states then, in the new automaton, q0 and q1 wouldbe final states. Consequently, words like 11 and 101, that are not acceptedin the original automaton would be part of the accepting language of thenew automaton. However, words like 10 that are in the original languagewould still be accepted by the new automaton because, for instance, therun q0 q1 q1 is a run for 10 and is now accepting because q1 is now a finalstate. Hence, before we proceed, we need to consider deterministic finiteautomata (DFA).

Definition 4.15. An NFA A = Q,, , Q0, F is called deterministic if|Q0| 1 and |(q, v)| 1, for every q Q and v .

Definition 4.16. A DFA A = Q,, , Q0, F is called total if |Q0| = 1and |(q, v)| = 1, for every q Q and v .

Observe that DFAs (and total DFAs) are particular cases of NFAs and,consequently, the accepted language of a DFA is a regular language. It isstraightforward to prove that total DFAs have exactly one run for each word

7/31/2019 LVM-chap4

8/44


in . In Exercise 2.4, the reader is asked to prove that given an NFA Athere exists a DFA DA that accepts exactly the same language.

Hence, complementing a total DFA is now very simple: we just swapfinal states with non final states. The complete procedure to show the com-plement of a regular language L is still a regular language is straightforward.Given that L is a regular language we know, by Proposition 4.9 that thereis an NFA A such that L = L(A). Exercise 2.4 provides a total DFA Dthat accepts the same language as A, that is, L(D) = L(A) = L. Swappingthe final states with the non final states of D we obtain a total DFA D thataccepts the complement language of D, that is, L(D) = L(D) = L, and thisis clearly a regular language.

4.2 Regular safety properties

In this section we focus on the verification of regular safety properties.These are safety properties whose set of bad prefixes is a regular languageand, consequently, is accepted by some NFA. The main result of this sec-

tion establishes that checking a regular safety property on a finite transitionsystem can be reduced to invariant checking on another transition system(obtained from the product of the original transition system and the au-tomaton that recognizes the bad prefixes of the property).

Definition 4.17. A safety property Psafe over is called regular if its setof bad prefixes constitutes a regular language over 2.

For instance, ifPsafe is a regular safety property over = {p, q} then theset of bad prefixes contains words over the alphabet 2 = {, {p}, {q}, {p, q}}.

Observe that, in particular, every invariant is a regular safety property.Let Pinv be an invariant property with invariant condition . Recall that,

in order for Pinv to be satisfied by a transition system then must hold inevery reachable state of the transition system. This means that the set ofbad prefixes contains all the sequences of the form v0 v1 v1 . . . vn such thatvi for some 0 i n. This set is a regular language since it can bedenoted by

()true.

In the previous expression we are overloading notation. When we write

we mean all the finite words v0 v1 v1 . . . vn over 2 such every vi , for

7/31/2019 LVM-chap4

9/44

4.2. REGULAR SAFETY PROPERTIES 71

q0start q1

true

Figure 4.4: An NFA accepting the bad prefixes of Pinv.

i = 0, . . . , n. Similarly, when we write we mean all the sets v 2 suchthat v . Finally, by true we mean all the finite sequences over 2.For instance, if = {p, q} and = p ( q) then stands for {p}, stands for + {q} + {p, q}, and truestands for + {p} + {q} + {p, q}. Theset BadPref(Pinv) is denoted by the regular expression:

({p})

( + {q} + {p, q})

( + {p} + {q} + {p, q}) true

This set can also be defined as the accepted language of the NFA in Fig-

ure 4.4The set of minimal bad prefixes is also a regular language. It is charac-

terized by the regular expression () and is recognized by the NFA inFigure 4.4 by omitting the self-loop in the state q1.

Lemma 4.18. LetPsafe be a safety property. Then, Psafe is a regular safetyproperty if and only if the set of minimal bad prefixes for Psafe is regular.

The proof of this lemma is left as an exercise.

4.2.1 Verifying regular safety properties

Let Psafe be a regular safety property and A an automaton for recognizingthe set of bad prefixes of Psafe, that is, L(A) = BadPref(Psafe) and BadPref(Psafe). Observe that if BadPref(Psafe) then Psafe = . Inaddition, let T be a finite transition system without terminal states (over). We want to verify if T Psafe. Using Lemma 3.11

T Psafe if and only if Tracesfin(T) BadPref(Psafe) =

if and only if Tracesfin(T) L(A) = .

7/31/2019 LVM-chap4

10/44


So, to check ifT Psafe it is enough to verify ifTracesfin(T) L(A) = .We adopt a similar strategy as the one used for checking if the languages oftwo automata A1 and A2 intersect:

L(A1) L(A2) = if and only if L(A1 A2) = .

In this case, we need to build the product of a transition system and an

automaton.

Definition 4.19. Let T = S,A, , I,, L be a finite transition systemwithout terminal states and A = Q, 2, , Q0, F an NFA with Q0 F = .The product transition system T A is

S Q,A, , I,, L

where:

is the smallest relation defined by the rule

sa

t q (p, L(t))

s, pa

t, q

I = {s0, q | s0 I, q0 Q0. q (q0, L(s0))},

= Q,

L : S Q 2Q is defined by L(s, q) = {q}.

A path fragment

= s0 s1 . . . sn in T can be extended to the path

fragment

s0

, q1

s1

, q2

. . . sn

, qn+1

in T A, if the sequence q0, q1, . . . , qn+1 is a run in A for

L(s0) L(s1) . . . L(sn)

for some initial state q0 of A, which is exactly trace().We now show that the verification of a regular safety property Psafe by

a transition system can be reduced to checking an invariant on the productT A, where A is the NFA accepting the language BadPref(Psafe). To

7/31/2019 LVM-chap4

11/44

4.2. REGULAR SAFETY PROPERTIES 73

this end, let Pinv(A) be the invariant property over = Q induced by the

propositional formula qF

q

In the sequel, we will denote this formula by F. Observe that F onlyholds in non accepting states.

Theorem 4.20. Let T be a transition system without terminal states over, Psafe a regular safety property over and let A be an NFA with alphabet2 such that Q0 F = and L(A) = BadPref(Psafe). Then, the followingstatements are equivalent:

1. T Psafe

2. Tracesfin(T) L(A) =

3. T A Pinv(A).

Proof. Let T=

S,A,

, I, , L

andA =

Q,2

, , Q0

, F.

The equivalence between statement (1) and statement (2) is an immediateconsequence of Lemma 3.11.

(3 1) Assume that T Psafe. Then, there is a trace such that Traces(T) and Psafe. If Psafe, by definition of safety property, thereis a finite bad prefix of , with respect to Psafe. Then, there is a finiteinitial path fragment = s0 s1 . . . sn Pathsfin(T) such that

trace() = = L(s0) L(s1) . . . L(sn) BadPref(Psafe).Then

= L(s0) L(s1) . . . L(sn) L(A) which means that there exists an

accepting run q0 q1, . . . qn+1 in A for , that is, q0 Q0,

qn+1 F,

qi+1 (qi, L(si)), for i = 0, . . . , n.

hence,

s0, q1 s1, q2 . . . sn, qn+1

7/31/2019 LVM-chap4

12/44


is an initial path fragment in T A. Furthermore we also have that

sn, qn+1 F

given that L(sn, qn+1) = {qn+1} and qn+1 F. Consequently, T A Pinv(A).

(2 3) Assume that T A Pinv(A). Then, there is a trace

Traces(TA) such that

Pinv(A). If

Pinv(A) then there is some n 0such that [n] F, that is, [n] F. Consider the path fragment =s0, q1 s1, q2 . . . sn, qn+1 such that L

() = = {q1} {q2} . . . {qn+1}.Observe that [n] = {qn+1} and thus, qn+1 F. Let be the pro-

jection of on the first component, that is, = s0 s1 . . . sn, which isclearly a path fragment in T, by definition of T A. Then, trace() Tracesfin(T). Observe that s0, q1 is an initial state in T A and soq1 (q0, L(s0)). Furthermore, again by definition of TA, it must also bethe case that qi+1 (qi, L(si)), for i = 1, . . . , n. Hence, q0 q1 . . . qn+1 is anaccepting run for L(s0) L(s1) . . . L(sn) in A which means that trace(

) =

L(s0) L(s1) . . . L(sn) L(A). Thus, Tracesfin(T) L(A) = .

The theorem means that in order to check if the transition system Tsatisfies a regular safety property Psafe it is enough to check if no states, q in T A is reachable, for any final state q F. This correspondsto checking if the invariant Pinv(A) (stating that no final state is visited) issatisfied, which can be done by the algorithm in Figure 3.3 of Chapter 3. Ifthe invariant holds then we can conclude that T satisfies the property Psafe.Otherwise, the algorithm will provide a counter-example refuting Psafe. Thiscounter-example will be a path fragment s0, q1 s1, q2 . . . sn, qn+1 in thetransition system T A that leads to a final state qn+1 F of A. If weproject this path fragment on the states of T we obtain a path fragments0 s1 . . . sn in T. Consider now the trace of this path fragment:

L(s0) L(s1) . . . L(sn) = v0 v1 . . . vn

By construction, we know that q1 (q0, L(s0)), q2 (q1, L(s1)), andso on. Consequently, q0 q1 . . . qn+1 is a run for v0 v1 . . . vn in A and sinceqn+1 F this run is accepting. Hence, v0 v1 . . . vn is accepted by A, thatis, v0 v1 . . . vn is a bad prefix of Psafe. Consequently, the path fragments0 s1 . . . sn is a useful error indicator since trace() Psafe for every path Paths(T) such that s0 s1 . . . sn pref().

7/31/2019 LVM-chap4

13/44

4.3. BCHI AUTOMATA 75

Corollary 4.21. LetT, Psafe and A be as in Theorem 4.20. Then, for eachinitial path fragment s0, q1 s1, q2 . . . sn, qn+1 in T A:

q1, . . . , qn F and qn+1 F implies trace(s0 s1 . . . sn) L(A).

Input: finite transition system T and regular safety property PsafeOutput: true if T Psafe , false otherwise, with a counterexample

Let NFA A (with accept states F) be such that L(A) = BadPref(Psafe)

Construct the product transition system T A

Check the invariant Pinv(A) on T A

ifT A Pinv(A) thenreturn true

else

Determine an initial path fragment s0, q1 s1, q2 . . . sn, qn+1in T A with qn+1 F

return false, s0 s1 . . . snfi

Figure 4.5: DFS algorithm for invariant checking revised

4.3 Bchi Automata

We now focus on defining automata for recognizing -regular languages.Recall from Chapter 1 that an -regular language L is an -language that

is denoted by an -regular expression. The finite automata that we sawbefore are not adequate for recognizing this class of languages since theyoperate on finite words. An automaton recognizing infinite words is calledan -automaton. An accepting run for an -automaton has to check theentire input word and, consequently, has to be infinite. This means that weneed to define acceptance criteria for infinite runs. There are several kinds of-automata. Herein, we consider nondeterministic Bchi automata (NBA).The definition of an NBA is similar to the definition of an NFA. The maindifference resides in the definition of accepting run and of accepted language.

7/31/2019 LVM-chap4

14/44


The intuitive meaning for an infinite run to be accepting is that it needs tovisit a final state of the automaton infinitely often.

Definition 4.22. A nondeterministic Bchi automaton (NBA) A is a tupleQ,, , Q0, F where





F Q is a set of final states.

A run for = v0 v1 v2 in A is an infinite sequence of statesq0 q1 q2 . . . such that

q0 Q0;

qi+1 (qi, vi), for every i N.

The run is accepting ifqi F for infinitely many indices i N. The acceptedlanguage of A is the set

L(A) = { | there exists an accepting run for in A}.

The set F is called the acceptance set and its elements are also calledaccept states. Since the set of states Q of A is finite and an acceptance

run for an infinite word is always infinite this means that at least one statefrom Q has to be visited infinitely often. Then, the acceptance of a worddepends on whether the set of all states that appear infinitely often in therun contains a final state or not.

The size ofA, denoted by |A| is the number of states and transitions inA, that is,

|A| = |Q| +qQ

v

|(q, v)|.

7/31/2019 LVM-chap4

15/44


q0start q1

1

0

0

1

Figure 4.6: An NBA accepting words containing infinite 0s.

q0start q1

green

green

green

green

Figure 4.7: An NBA accepting the LT property the traffic light is greeninfinitely often.

Example 4.23. Consider the NBA A depicted in Figure 4.6, with alphabet{0, 1}. Lets us consider some examples. The word 1 has only one run in Athat is the run q0 q0 q0 . . . , or, in short, q

0 . This is clearly not an accepting

run and so 1 L(A). The word 0 has the run q0 q

1 which is clearly

an accepting run since the accept state q1 appears infinitely often in thisrun. Consequently, 0 L(A) holds. Examining the automaton in detailwe conclude that in order for a run to be accepting it has to visit the onlyaccept state q1 infinitely often. And the only was to reach that state is bythe symbol 0. Hence, the language of A is composed of all the sequences of0s and 1s that contains infinitely many 0s. Recall from Chapter 1 that thisis an -regular language that is denoted by the -regular expression (10).

Example 4.24. Consider a pedestrian traffic light with = {red, green}and let P be the LT property over 2 expressing that the green light is oninfinitely often. We can adapt the previous NBA (see Figure 4.7) so that itrecognizes this -language.

The alphabet of the automaton is 2. Hence, each arrow is labelledwith a set of propositional symbols Recall from Section 4.2 that when wewrite green we mean all the sets of propositional symbols that correspondto valuations that satisfy green, that is, all the subsets of that contain the

7/31/2019 LVM-chap4

16/44


propositional symbol green, and when we write green we mean all the setsof propositional symbols that correspond to valuations that satisfy green,that is, all the subsets of that not contain green.

Like for regular languages, NBAs can be used to characterize -regularlanguages. We prove this result by proving that any -regular languageis recognized by some NBA and that the language accepted by an NBA

is -regular. To prove the first statement, we prove some auxiliary resultsthat mimic the construction of-regular expressions.

Lemma 4.25. Let A1 and A2 be two NBAs with the same alphabet .Then, there is an NBA A such that L(A) = L(A1) L(A2).

Proof. Let Ai = Qi,, i, Q0i , Fi, with i = 1, 2, and assume without lossof generality that Q1Q2 = . Let A = Q,, , Q0, F be the NBA definedas follows:

Q = Q1 Q2,

(q, v) =1(q, v) if q Q12(q, v) if q Q2

Q0 = Q01 Q02,

F = F1 F2

Observe that is well defined because Q1 Q2 = . It is clear that anyaccepting run for some word in A1 or A2 is also an accepting run for isA. Hence, it follows L(A1) L(A2) L(A).

For the converse, assume that L(A). Then, there is an accepting

run q0 q1 . . . for in A. Given that Q1 Q2 = then either q0 Q01 orq0 Q02, but not both. If q0 Q01 then q0 q1 . . . is an accepting run for in A1. Otherwise, q0 q1 . . . is an accepting run for in A2. Consequently,L(A) L(A1) L(A2).

The details of the proof are left as an exercise.

We will denote this automaton by A1 + A2. Next, we prove that froman NFA accepting a regular language L such that L we can define anNBA accepting the -regular language L.

7/31/2019 LVM-chap4

17/44


Lemma 4.26. Let A1 be an NFA with alphabet such that L(A1).Then, there is an NBA A such that L(A) = L(A1)

.

Proof. Let A1 = Q1,, 1, Q01, F1. Clearly, no initial state can be a finalstate (otherwise, L(A1)). Furthermore, assume that no initial state ofA1 has an incoming arrow. If this is not the case, then A1 can be modifiedto an NFA A1 as follows

Q1 = Q1 {qn}

1 is such that

1(q, a) = 1(q, a) for q = qn

1(qn, a) =

q0Q011(q0, a)

Q01 = {qn}

F1 = F1

This new NFA accepts the same language as A1 and has the desired propertyof having initial states with no incoming arrows and such that no initial stateis accepting.

So, from now on assume that A1 is in the above conditions. We nowbuild an NBA A = Q,, , Q0, F such that L(A) = L(A1). The basicidea is to add to this new automaton a new transition leading to the initialstates of A for each transition in A1 that leads to a final state, so that thethe process of accepting a word from L(A1) may be restarted, infinitelyoften. To this end, we let

Q = Q1,

(q, a) =1(q, a) if 1(q, a) F1 =

1(q, a) Q01 otherwise,

Q0 = Q01

F = Q01 .

We leave as an exercise to prove that L(A) = L(A1).

7/31/2019 LVM-chap4

18/44


The third and final step of our construction is, given an NFA A1 andan NBA A2, construct an NBA accepting the language L(A1).L(A2).

Lemma 4.27. Let A1 be an NFA and A2 be an NBA with alphabet .Then, there is an NBA A such that L(A) = L(A1).L(A2).

Proof. Let A1 = Q1,, 1, Q01, F1 and A2 = Q2,, 2, Q02, F2 be suchthat Q1 Q2 = . Let A = Q,, , Q0, F be defined as follows:

Q = Q1 Q2,

(q, a) =

1(q, a) if q Q1 and 1(q, a) F1 =

1(q, a) Q02 if q Q1 and 1(q, a) F1 =

2(q, a) if q Q2,

Q0 =

Q01 if Q01 F1 =

Q01 Q02 otherwise

F = F2.

The proof that L(A) = L(A1).L(A2) is left as an exercise.Proposition 4.28. Let L be an-regular language over. Then, thereis an NBA A with alphabet such that L = L(A).

Proof. If L is an -regular language then there is a -regular expressionE1.(F1)

+ +En.(Fn) such that L(L) = L(E1.(F1)

+ +En.(Fn))

for regular expressions E1, . . . , E n, F1, . . . , F n such that L(Fi), for i =1, . . . , n. By Proposition 4.8 there exist NFAs Ae1, . . . , Aen, Af1, . . . , Afnsuch that L(Aei) = L(Ei) and L(Afi) = L(Fi), for i = 1, . . . , n.

Using Lemma 4.26, there are NBAs Af1, . . . , A

fnsuch that

L(A

fi) = L(Afi)

= L(Fi), for i = 1, . . . , n .

By Lemma 4.27, there are NBAs Aef1 , . . . , Aefn such that

L(Aefi) = L(Aei).L(Afi) = L(Ei).L(Fi)

, for i = 1, . . . , n .

Finally, by Lemma 4.25, there is an NBA A such that

L(A) = L(Aef1) L(Aefn)

= L(E1).L(F1) L(En).L(Fn)

= L.

7/31/2019 LVM-chap4

19/44


We now prove the converse result, that is, that the accepted languageof an NBA is an -regular language.

Proposition 4.29. LetA be an NBA with alphabet. Then, L(A) is an-regular language over.

Proof. Let A = Q,, , Q0, F be an NBA and for each pair of statesq, p Q let Aqp be the NFA Q,, , {q}, {p}, that is, Aqp is the NFArecognizing the regular language consisting of all the finite words w

that have a run in A leading from q to p. Let us denote this language byLqp, that is, Lqp = L(Aqp) = {w

| p (q, w)}.

Consider now an infinite word L(A). For this word there is anaccepting run q0 q1 q2 . . . in A. By definition of accepting run, this runmust contain infinite states that appear in F and since F is finite thenat least one of its elements qf F must appear infinitely often in the run.Hence, we may split into an infinite sequence of nonempty finite subwords

w0, w1, w2, such that

w0 Lq0qf,

wi Lqfqf, for i 1,

= w0.w1.w2 . . .

Since none of the sequences wi, with i 1, is empty then we can concludethat Lq0qf.(Lqfqf \ {})

, with q0 Q0 and qf F, and consequently,

L(A) q0Q0,qfF

Lq0qf.(Lqfqf \ {})

.

Now, let Lq0qf.(Lqfqf \ {}), for some initial state q0 and final state

qf. It is not very difficult to see that, under these circumstances, there mustexist an accepting run for in A. Consequently, L(A) and so,

q0Q0,qfF

Lq0qf.(Lqfqf \ {}) L(A).

7/31/2019 LVM-chap4

20/44


Now, observe that the sets Q0 and F are finite and that each language Lq0qfand Lqfqf is accepted by an NFA and thus is regular. Hence

L(A) =

q0Q0,qfF

Lq0qf.(Lqfqf \ {})

is an -regular language.

From Proposition 4.28 and Proposition 4.29 we may conclude that theclass of-regular languages coincides with the class of languages acceptedby NBAs.

We now address the problem of checking whether the language acceptedby an NBA is empty. In this case, an analysis of the underlying graph issufficient for our purposes, as we will see.

Lemma 4.30. Let A = Q,, , Q0, F be an NBA. Then, the followingtwo statements are equivalent:

1. L(A) = ;

2. There exists a reachable accept stateq that belong to a cycle in A, thatis,

q0 Q0 q F w w + q (q0, w)

(q, w).

Proof. (1 2): If L(A) = then there is = v0 v1 v2 L(A). Letq0 q1 q2 . . . be an accepting run in A for . By definition of accepting run,and since F is finite, there is a final state q F that appears repeatedinfinitely often in the run. Let i, j N be two indices such that 0 i < jand qi = qj = q. Now, let w be the finite word v0 v1 . . . vi1 and let w

be the finite wordvi

vi+1

. . . vj . Clearly,

qi

(q0

, w) and

qj (

qi, w

).Hence, as q = qi = qj condition (2) follows.

(2 1): Assume that q0, q , w , w are as in condition (2). It is not very

difficult to see that the infinite word = w.(w) has a run q0 . . . q . . . q . . .that is accepting in A, since the final state q appears infinitely often in it.Consequently, L(A) holds and so L(A) = .

This lemma states that in order to check the emptiness problem for NBAwe just need to investigate the underlying graph, explore all the reachable

7/31/2019 LVM-chap4

21/44


q0start

q2

q1true

p1

p1

p2

p2

Figure 4.8: An NBA.

nodes and check if any of these reachable nodes is final and belongs to acycle.

As NBAs can be used to recognize -regular languages, we say that twoNBAs are equivalent when they recognize the same -language.

Definition 4.31. Two NBAs A1 and A2 with the same alphabet are calledequivalent if L(A1) = L(A2), written A1 A2.

Example 4.32. Consider the NBA A1 depicted in Figure 4.8 over the al-phabet 2{p1,p2} over the set of propositional symbols = {p1, p2}. Recallfrom Section 4.2 that when we write p1 we mean all the sets of proposi-tional symbols that correspond to valuations that satisfy p1, that is, thesets {p1}, {p1, p2}. Similarly, when we write p1 we mean all the sets ofpropositional symbols that correspond to valuations that do not satisfy p1,that is, the sets , {p2}. Then, the language accepted by A1 represents theliveness property that p1 holds infinitely often and p2 holds infinitely often.

Consider now the NBA A2 depicted if Figure 4.9 over the same alphabet.Like in the previous case, the language accepted by this NBA represents alsothe liveness property that p1 holds infinitely often and p2 holds infinitelyoften. Consequently, we can conclude that A1 A2.

For technical reasons it is often useful to assume that an NBA is non-blocking, that is, that for each state and for each input symbol there isalways a possible transition.

7/31/2019 LVM-chap4

22/44


q0start q1

q2q3

true

p1

true

true

p2

true

Figure 4.9: Another NBA.

Definition 4.33. Let A = Q,, , Q0, F be an NBA. Then A is callednonblocking if (q, v) = for every q Q and v .

In Exercise 2.10, the reader is asked to show that given an NBA it is

always possible to find an equivalent nonblocking NBA.There are other types of -automata that can be used as models for-regular languages and are equally expressive as NBAs, but have moregeneral acceptance conditions. Herein, we consider a slight variation ofan NBA called generalized nondeterministic Bchi automata (GNBA). Thedifference between NBAs and GNBAs is in the acceptance condition. Inthe case of a GNBA the acceptance condition is specified by a finite set Fof (possibly empty) subsets of Q, and an accepting run is required to visiteach of these sets infinitely often.

Definition 4.34. A generalized NBA (GNBA) is a tuple G = Q,, , Q0, Fwhere





F 2Q whose elements are called acceptance sets.

7/31/2019 LVM-chap4

23/44


A run for = v0 v1 v2 in G is an infinite sequence of statesq0 q1 q2 . . . such that

q0 Q0;

qi+1 (qi, vi), for every i N.

The run is accepting if

F Fj N qj F.

The accepted language of G is the set

L(G) = { | there exists an accepting run for in G}.

The set F of acceptance states of a GNBA may be empty. In this case, L(G) if and only if there is an infinite run for in G. In the case ofan NBA with F = there are no accepting runs. In the case of GNBAs,every infinite run in G = Q,, , Q

0, is accepting.

Every GNBA G is equivalent to a GNBA G having at least one accep-tance set. In fact, let G = Q,, , Q0, F and G

= Q,, , Q0, F {Q}.Then, it is not very hard to prove that L(G) = L(G

).

Clearly, an NBA can be seen as a GNBA with exactly one acceptanceset: the set of final states of the NBA. But the converse also holds, thatis, for each GNBA there is an equivalent NBA that recognizes the same-language.

Theorem 4.35. For each GNBA G = Q,, , Q0, F there exists an NBAA, over the same alphabet, with L(A) = L(G).

Proof. Due to the previous remark, we may assume without loss of gen-erality that F = . Hence, let F = {F1, . . . , F k}, for some k 1. LetA = Q,, , Q0, F

be such that:

Q = Q {1, . . . , k},

Q0 = Q0 {1} = {q0, 1 | q0 Q0},

F = F1 {1} = {qf, 1 | qf F1}

7/31/2019 LVM-chap4

24/44


: Q 2Q

is such that

(q, i, v) =

{q, i | q (q, v)} if q Fi

{q, i + 1 | q (q, v)} otherwise.

where, for simplicity of notation, we identify k + 1 with 1.

The idea is that there are k copies of G. The acceptance set of the ith copyis connected to the corresponding states of the (i + 1)th copy, that is, assoon as a final state of the ith copy is reached, we move to the (i + 1)thcopy. In A the only acceptance set is the one corresponding to the firstcopy. This construction ensures that the first copy is visited infinitely oftenand all the other copies are also visited infinitely often. We now prove thatL(A) = L(G).

L(A) L(G): Let = v0 v1 L(A). Then there is an accepting runfor in A that must be of the form

q10, 1 q11, 1 . . . q

1n1

, 1q21, 2 q22, 2 . . . q

2n2

, 2 . . . qk1 , k . . . qknk

, k

qk+11 , 1 qk+12 , 1 . . . q

k+1nk+1

, 1qk+21 , 2 qk+22 , 2 . . . q

k+2nk+2

, 2 . . .

Now, let = w1 w2 . . . where the finite segments wi, for i N, are definedas follows. The segment w1 is the word v0 . . . vn11. We know that for eachi = 0, . . . , n1 1, we have

q1i+1, 1 (q1i , 1, vi).

Consequently, it follows by construction of, that

q1i+1 (q1i , vi).

Again, by construction of , it must be the case q1n1 F1 because inour run we moved from copy 1 to copy 2. Now, let w2 = vn1 . . . vn1+n21.First, we observe that q21 (q

1n1

, vn1). Then, we know that for each i =1, . . . , n2 1

q2i+1, 2 (q2i , 2, vn1+i)

and, consequently,

q2i+1 (q2i , vn1+i).

7/31/2019 LVM-chap4

25/44


Again, q2n2 F2 because we moved from the second copy to the third.Hence, the run obtained is a run in G and is of the form

q0 . . . q1n1

. . . q2n2 . . . qknk

. . . qk+1nk+1 . . .

such that q0 Q0, q1n1

, qk+1nk+1 F1, q2n2

, qk+2nk+2 F2, . . . . Hence, eachone of the acceptance sets is visited infinitely often and consequently this

is an accepting run for , that is, L(G).The proof of the converse is similar and is left as an exercise.

Corollary 4.36. The class of accepted languages by GNBAs agrees withthe class of-regular languages.

We have already proved that the class of-regular languages is closedunder union (see Lemma 4.25). This was proved using NBAs. We now provethat this class is also closed under intersection. Thanks to the previouscorollary, we can use GNBAs to prove this result.

Lemma 4.37. Let G1 and G2 be GNBAs over the same alphabet. Then,

there exists a GNBA G with L(G) = L(G1) L(G2).

Proof. Let G1 = Q1,, 1, Q01 , F1 and G2 = Q2,, 2, Q02, F2 and as-sume without loss of generality that Q1 Q2 = . Let G be an GNBA

Q1 Q2,, , Q01 Q02 , F

where

is such that (q1, q2, a) = 1(q1, a) 2(q2, a),

F = {F1 Q2 | F1 F1} {Q1 F2 | F2 F2}.

We now prove that L(G) = L(G1) L(G2).

L(G) L(G1) L(G2): Let L(G). Then there is an accepting run

q10, q20 q

11, q

21 q

12, q

22 . . .

for in G. Then, by construction of, we know that q10 q11 q

12 . . . is a run for

in G1. Since is accepting it must visit all the sets in F infinitely often. Inparticular, it must visit all the sets in {F1 Q2 | F1 F1} infinitely often.

7/31/2019 LVM-chap4

26/44


Hence, q10 q11 q

12 . . . visits all the sets in F1 infinitely often and, consequently,

is an accepting run for in G1. By a similar argument, we can concludethat q20 q

21 q

22 . . . is an accepting run for in G2. Thus, L(G1) L(G2).

L(G1) L(G2) L(G): Let L(G1) L(G2). Then, there is anaccepting run q10 q

11 q

12 . . . for in G1. In particular, this run visits all the

sets in F1 infinitely often. There is also an accepting run q20 q

21 q

22 . . . for

in G2 that visits all the sets in F2 infinitely often. Then,

q10, q20 q

11, q

21 q

12, q

22 . . .

is a run for in G. Furthermore, it visits all the sets in {F1 Q2 | F1 F1}and in {Q1 F2 | F2 F2} infinitely often. Consequently, it is an acceptingrun for in G and thus L(G).

Corollary 4.38. If L1 and L2 are-regular languages over the alphabetthen so is L = L1 L2.

4.4 -Regular properties

An -regular property is just an LT property that is simultaneously an-language. In Example 4.24 we showed that the liveness property Pliveabout a traffic light expressing that the green light is on infinitely oftenis accepted by an NBA. From Proposition 4.29, we know that this is an-regular language and, consequently, we can conclude that Plive is an -regular property. In this section, we address the problem of verification of-regular properties.

Definition 4.39. An LT property P is called -regular ifP is an -regular

language over the alphabet 2

.

As usual, we start with a transition system T and an LT property Pand we aim at verifying if T satisfies P. Let T = S,A, , I, , L be atransition system without terminal states and let P be an -regular prop-erty. We want to check whether T P or not. The idea is to try to showthat T P by providing a counterexample, that is, by trying to find a path in T such that trace() P. If no such path exists, then T P. To thisend, we consider an NBA A for the complement property P = (2) \ P.

7/31/2019 LVM-chap4

27/44

4.4. -REGULAR PROPERTIES 89

Thus, we have to check if Traces(T) L(A) = . In fact,

Traces(T) L(A) = if and only if Traces(T) P =

if and only if Traces(T) ((2) \ P) =

if and only if Traces(T) P

if and only if T P.

This is similar to what was done for checking regular safety properties.Analogously, in order to check if Traces(T) L(A) = , we start by con-structing the product T A, where, in this case, A is an NBA. Then,we perform a graph analysis of T A to check whether there is a paththat visits an accept state of A infinitely often. If such a path exists, thenwe can conclude that T P. If no such path exists, that is, if acceptstates can only be visited finitely many times then we can conclude thatTraces(T) L(A) = and, consequently, T P.

We introduce a special class of LT properties, called persistency prop-erties, that will be used to formalize conditions stating that accept states

are visited only finitely many times. Then, verifying an -regular propertycan be reduced to the persistency checking problem, as was done when theproblem of checking regular safety properties was reduced to the invariantchecking problem.

Intuitively, a persistence property is a state condition that alwaysholds after some state. Here, is a propositional formula expressing astate condition. Then, we want to hold continuously after some state or,equivalently, we want to hold only finitely many times.

Definition 4.40. Let be some propositional formula over . A persis-tence property induced by is an LT property Ppers (2) such that,

Ppers = { (2) | there is i such that [j] , for every j i}.

The formula is called a persistence (or state) condition of Ppers.

4.4.1 Verifying -regular properties

We are now going to show the problem of deciding whether Traces(T) L(A) = can be reduced to the problem of checking whether a certainpersistence property holds in the product of T and A.

7/31/2019 LVM-chap4

28/44


Definition 4.41. Let T = S,A, , I,, L be a transition system with-out terminal states and A = Q, 2, , Q0, F be a nonblocking NBA. Then,T A is the following transition system:

T A = S Q,A, , I,, L

where:

is the smallest relation defined by the rule

sa

t p (q, L(t))

s, qa

t, p

I = {s0, q | s0 I, q0 Q0. q (q0, L(s0))},

= Q,

L

: S Q 2Q

is defined by L

(s, q) = {q}.

Furthermore, let Ppers(A) be the persistence property over = Q given by

Eventually forever F

where F denotes the propositional formula

qF q.

In our notation this is PFpers(A).

Theorem 4.42. Let T be a transition system without terminal states over

and let P be an -regular property over

. Furthermore, let A be anonblocking NBA with alphabet 2 and L(A) = (2) \ P. Then, the

following statements are equivalent:

1. T P

2. Traces(T) L(A) =

3. T A Ppers(A).

7/31/2019 LVM-chap4

29/44


Proof. Let T = S,A, , I,, L and A = Q, 2, , Q0, F. The equiva-lence between (1) and (2) was proved in the beginning of this subsection.We now prove equivalence between (2) and (3), by proving that

Traces(T) L(A) = if and only if T A Ppers(A).

() Assume that T A Ppers(A). Then, there is a path

= s0, q1 s1, q2 . . .

in T A such that Ppers(A).

Recall that trace() = L(s0, q1) L(s1, q2) = {q1} {q2} . . . and let denote this trace. Given that Ppers(A) then

Ppers(A). Bydefinition of persistence property, there are infinitely many indices j suchthat [j] F, that is, there are infinitely many j such that [j] = {qj}and qj F.

Consider now the projection of to the states of T which clearly yields apath = s

0s1

. . . in T. Let q0

Q0

be such that q1

(q0

, L(s0

)). Thisstate must exist given that s0, q1 is an initial state of T A. Then, thesequence q0 q1 . . . is a run in A for the word

L(s0) L(s1), . . .

by definition of and Q0. Observe that this word is trace() so trace() Traces(T).

In addition, since there are infinitely many accepting states in the runq0 q1 . . . this means that this is an accepting run. Indeed, by definition

of and Q0 we know that if si, qi+1a

si+1, qi+2 then qi+2 (qi+1, L(si+1)). Furthermore, q1 (q0, L(s0)). Hence, q0 q1 . . . is anaccepting run for trace() = L(s0) L(s1), . . . , which implies that trace() L(A).

Hence, trace() Traces(T) L(A) and so Traces(T) L(A) = .

() Assume that Traces(T) L(A) = . Then, there exists a trace Traces(T) L(A). Since Traces(T) then there exists a path = s0 s1 . . . such that trace() = . Furthermore,

= L(s0) L(s1) L(A).

7/31/2019 LVM-chap4

30/44


red

green

Figure 4.10: Transition system for a pedestrian traffic light.

Let q0 q1 q2 . . . be an accepting run for in A. Then,

q0 Q0 and qi+1 (qi, L(si)), for all i 0.

Consider now the sequence

= s0, q1 s1, q2 s2, q3 . . . .

As sia

si+1

, for some a A, and qi+2

(qi+1

, L(si+1

)), for every i 0,we have, by definition of , that

si, qi+1a

si+1, qi+2, for all i 0.

Furthermore, s0, q1 Q

0, given that q1 (q0, L(s0)) and q0 Q0. Hence, is a path in T A. Furthermore,

trace() = L(s0, q1) L(s1, q2) L(s2, q3) . . .= {q1} {q2} {q3} . . .

Finally, as q0 q1 q2 . . . is an accepting run in A then there are infinitely many

indices j such that qj F. Hence, trace(

) Ppers(A) which implies that Ppers(A) and, consequently, T A Ppers(A).

Example 4.43. Let = {red, green} and recall the liveness property P ofExample 4.24, expressing that a pedestrian traffic light is green infinitely of-ten. We are going to show that the transition system T = S,A, , I,, Lin Figure 4.10 specifies a traffic light that satisfies this property. As usualwe assume that the labeling function of T is such that L(s) = {s} and, forsimplicity, we also omit the action names.

7/31/2019 LVM-chap4

31/44


q0start q1 q2

true

green

green

green

true

Figure 4.11: NBA P greenpers .

In order to use Theorem 4.42, we need to consider an NBA for P. Re-call that P consists of all the infinite words v0 v1 v2 . . . over 2

such that

green vi, for infinitely many is. Hence, P consists of all the infinitewords v0 v1 v2 . . . over 2

such that green vi, for finitely many is. Wecan restate this by saying that after some point green does not hold anymore, that is, eventually forever green. Observe that, in particular, thisis a persistency property induced by green and so P = P greenpers . An NBAA accepting P is depicted in Figure 4.11.

This automaton accepts only sequences of subsets of that, after somepoint, do not contain green. If at q1 some set with green appears then the

automaton moves to the non accepting state q2 where it remains forever.We now build the transition system TA = S, A, , I,, L. The

set of states is

S = {red, q0, red, q1, red, q2, green, q0, green, q1, green, q2}.

To define the set of initial states I observe that I = {red} and that(q0, L(red)) = (q0, {red}) = {q0, q1}. Hence,

I = {red, q0, red, q1}.

The set of propositional symbols of T A is Q, that is,

= {q0, q1, q2},

and the labeling function L is such that

L(s, q) = {q}.

Finally, let us consider the transition relation for T A. We start byconsidering the transitions departing from red, q0. In this case, observe

7/31/2019 LVM-chap4

32/44


red, q0 red, q1 red, q2

green, q0 green, q1 green, q2

Figure 4.12: Transition system for T A.

that redgreen holds in T and that (q0, L(green)) = (q0, {green}) ={q0}. Hence, we have the following transition in T A:

red, q0green, q0.

Consider now the transitions departing from green, q0. In this case, wehave that greenred holds in T and that (q0, L(red)) = (q0, {red}) =

{q0, q1}. Consequently, we have the following transitions in T A:

green, q0red, q0 and green, q0

red, q1.

The full transition relation is depicted in Figure 4.12.We now check whether T P or not. To this end, we use Theorem 4.42,

where the persistency property Ppers(A) for A is eventually forever q1,given that q1 is the only final state. Observing the transition system inFigure 4.12 we may conclude that there is no state of the form , q1 thatis visited infinitely often and consequently the property Ppers(A) is satisfiedby T A, that is,

T A Ppers(A)

.

Hence, we can conclude that T and A have no common traces and, conse-quently, that T P.

With this theorem the problem of verifying if a finite transition systemsatisfies a property can be reduced to checking if a transition system satisfiesa persistence property. So, from now on we focus on solving the problem:

T Ppers

7/31/2019 LVM-chap4

33/44


for some transition system T, persistence property Ppers and propositionalformula over the same set of propositional symbols.

We will show that checking ifT Ppers amounts to checking ifT containsa reachable state violating that belongs to a cycle. The intuition behindthis result is very simply. Assume that there is a reachable state s suchthat does not hold in s and s occurs in a cycle s s1 . . . sn s. Then, we

just consider the path consisting of the initial path fragment leading to s(that exists because s Reach(T)) followed by infinite copies of the pathfragment s s1 . . . sn. This is clearly a path in T and furthermore it visitsinfinitely often a state s where does not hold. Consequently, T does notsatisfy the persistency property Ppers.

Theorem 4.44. Let T be a transition system without terminal states over, a propositional formula over, andPpers a persistence property inducedby. Then, the following assertions are equivalent:

1. T Ppers,

2. there exists s Reach(T) such that s and s occurs in a cycle inG(T).

Proof. Let T = S,A, , I, , L.

(12): Assume that T Ppers. Hence, there exists a path = s0 s1 s2 Paths(T) such that trace() Ppers. Then, it must be the case that si ,for infinitely many indices i. As the set of states of T is finite then, thereis at least one state s such that s and s appears infinitely often in .Since s appears in a path in T then s Reach(T). Furthermore, given thats appears infinitely often in then there are at least two indices i1 and i2,with i1 < i2 such that si1 = si2 = s. The path fragment

of given by

si1 si1+1 . . . si2 clearly defines a cycle in G(T).(2 1): Assume now that there is s Reach(T) such that s and soccurs in a cycle in G(T). If s Reach(T) then there exists a finite initialpath fragment 0 = s0 s1 . . . sk such that sk = s. Since s occurs in a cyclethen there a finite path fragment c = s1 s2 . . . , sn such that s1 = sn = s.Consider now the path in T obtained from concatenating0 (without thelast state sk) with infinite copies ofc (without the last state sn), that is,

= s0 s1 . . . sk1 s

1 s

2 . . . , s

n1 s

1 s

2 . . . , s

n1 . . .

7/31/2019 LVM-chap4

34/44


Then, is a path in T. By construction, s occurs infinitely often in andas s it follows that trace() Ppers. This implies that T Ppers.

Example 4.45. Recall Example 4.43 where a pedestrian traffic light is spec-ified. Recall also the persistency property Ppers(A), defined there, statingthat eventually forever q1 holds, where q1 is the final state of A. Takinginto account Theorem 4.44, in order for T A Ppers(A) we would need

to find a cycle containing the state red, q1, given that this is the onlyreachable state that does not satisfy q1. But there is no such cycle and,consequently, we can conclude that T A Ppers(A).

We now present an algorithm for persistence checking for a finite tran-sition system. By Theorem 4.44, the problem of checking whether a finitetransition system satisfies a persistence property can be reduced to theproblem of detecting a cycle containing a reachable cycle with a state thatdoes not satisfy the state condition of the persistence property.

Given a finite graph G and one of its nodes v, we can use a DFS-basedapproach to check whether v belongs to a cycle in G or not. The idea is as

follows: we begin with a depth-first search starting in v and check for anyvisited node w whether there is an edge from w to v. If such an edge existsthen there is a cycle in G containing v, because if w has been visited (in adepth-first search) then this means that there is a path from v to w. If thereis no such edge from any of the visited nodes to v then we can conclude thatv does not belong to any cycle in G. This idea can be extended to checkingif G has a cycle containing a reachable node.

The first proposal for the algorithm is defined in Figure 4.13. It worksin two phases: in the first phase, all states reachable from an initial stateand that do not satisfy are determined (and stored in variable R).This can be achieved by a standard depth-first search (like the algorithm

for invariant checking presented in Figure 3.2). In the second phase , foreach reachable state that does not satisfy (that is every state in R), wecheck whether this state appears in a cycle in T or not. This is achieved bythe procedure cycle_check depicted in Figure 4.14. This procedure worksas described above: we start with a depth-first search in s and check forall states reachable from s whether there is an edge going from that stateto s. If such an edge is found, then a cycle containing s is found and theprocedure ends. If no edge is found for any state reachable from s then thereis no cycle in T containing s. We use two variables: a set Rc for keeping the

7/31/2019 LVM-chap4

35/44


states that are reachable from s, and a stack Uc for the depth-first search.The role of these variables is similar to the role of variables R and U inprocedure visit.

Example 4.46. We illustrate the use of the algorithm to check that thetransition system for the pedestrian traffic light of Example 4.43 does in-deed satisfy the intended liveness property. To this end we consider the

transition system T A depicted in Figure 4.12 and show that it satisfiesthe persistence property P

q1pers . For simplicity we re-label the states of the

transition system T A, as depicted in Figure 4.15.Recall from that example that the only states that satisfy q1 are s1 and

s4, that is, for q1 we have s1 and s4 . Initially, we have R = ,R = , and U = new. We do not consider the variables Rc and Uc fornow, since they are reseted before each call to the procedure cycle_check.

We start with an initial node that has not yet been visited. So, letconsider s = s0 and let us consider the procedure visit, which is very similarthe procedure visit presented in Figure 3.2.

After the first two assignments, the content of the variables is

U = s0 R = {s0}

The first step of the loop is executed by letting s = top(U) = s0. AsSuc(s0) = {s3} and, thus, Suc(s0) R does not hold, we choose one of theelements in Suc(s0) \ R and add it to R and push it onto U. In this casewe can only choose s3. Consequently, after the execution of this step, thecontent of the variables is

U =s3s0

R = {s0, s3}

The second step of the loop is similar. In this case the top of the stack iss = s3 and Suc(s3) = {s0, s1} and, once again, the condition Suc(s) Rdoes not hold. In this case, the choice of s has to be s1 since Suc(s3) \ R ={s1}. After the execution of the second step, the content of the variables is

U =

s1s3s0

R = {s0, s1, s3}

7/31/2019 LVM-chap4

36/44


Input: finite transition system T without terminal states, and formula Output: yes if T Ppers, no otherwise

set of states R := ; R := ;

stack of states U := new;set of states Rc := ;stack of states Uc := new;

forall s I \ R do visit(s)odforall s Rdo

Rc := ; Uc := new;if cycle_check(s) then return no

od

return yes

proc visit (state s)push(s, U);R := R {s};repeat

s := top(U);

if Suc(s) R thenpop(U);if s then R := R {s} fi;

else

let s Suc(s) \ Rpush(s, U);R

:=R

{s

};fiuntil empty(U)

endproc

Figure 4.13: DFS algorithm for persistence checking

7/31/2019 LVM-chap4

37/44


Input: finite transition system T without terminal states and state s suchthat s Output: true if s occurs in a cycle in T, falseotherwise

proc cycle_check (state s)bool found := false;

push(s, Uc);Rc := Rc {s};repeat

s := top(Uc);if s Suc(s) then

found := true;

push(s, Uc);elseif Suc(s) \ Rc =

let s Suc(s) \ Rcpush(s, Uc);Rc := Rc {s};

else

pop(Uc);fi

fi

until empty(Uc) found

return foundendproc

Figure 4.14: Procedure for cycle detection

7/31/2019 LVM-chap4

38/44


s0 s1 s2

s3 s4 s5

Figure 4.15: Transition system for T A.

In the third step of the loop, we have s = s1 and after the execution of thisstep, the content of the variables is

U =

s5s1s3s0

R = {s0, s1, s3, s5}

In the fourth step, we have s = s5 and after the execution of this step, thecontent of the variables is

U =

s2s5s1s3s0

R = {s0, s1, s2, s3, s5}

In the fifth step, we have s = s2 and condition Suc(s) R holds (and itwill hold henceforth). The first element of U is removed and as s the

set R does not change. The content of the DFS stack continues to beanalyzed until s1 is reached. In this case, s1 is added to R. Then, afterthe execution of the loop, the call to the procedure visit with parameter s0ends. The first cycle of the main algorithm then ends because there is noadditional initial node that has not yet been visited (the other initial nodeis s1 but s1 R).

Next, we move to the second cycle of the main algorithm, where all theelements in R are examined by the procedure cycle_check. In this case,we only have to consider s1. The behavior of this procedure is similar to

7/31/2019 LVM-chap4

39/44


s0

s2 s1

s3

Figure 4.16: Example of transition system for persistence check.

the procedure visit and it will be illustrated in the next example. It checksif any of the reachable states from s1 have a transition to s1. Since neithers2 nor s5 have such a transition, the procedure ends with the answer false.

In the end, the algorithm ends with the answer yes meaning that thetransition system T A satisfies the persistence property P

q1pers .

Example 4.47. Consider the transition system depicted in Figure 4.16and let be a propositional formula such that s0 , s3 , s1 ands2 .

As in the previous example, the algorithm starts by calling the procedure

visit for each initial state. In this case, there is only the state s0. We omitthe details of the call to procedure visit, but we assume that when choosingone of the successor states of s0, we first choose s2 and then s1. When thiscall ends, the content of the variables is

U = new R = {s0, s1, s2, s3} R = {s1, s2}

Next, all the states in R are examined by the procedure cycle_check.The analysis of the state s2 will return the value false and we omit thedetails. We focus on the call to the procedure cycle_check with parameters = s1. After the first two assignments the content of the variables is:

Uc = s1 Rc = {s1} found = false

The first step of the loop is executed by letting s = top(Uc) = s1. As thecondition s1 Suc(s1) = {s3} fails and as the condition Suc(s1) \ Rc =

7/31/2019 LVM-chap4

40/44


holds, the state s3 is pushed on top of the stack Uc and added to Rc.Consequently, after the execution of this step, the content of the variablesis

Uc =s3s1

Rc = {s1, s3} found = false

In the second step, we have s = s3. In this case, the condition s Suc(s)

holds because s = s1 and Suc(s) = Suc(s3) = {s1}. So, the variable foundis set to true and s1 is pushed on top of the stack Uc. The content of thevariables is

Uc =

s1s3s1

Rc = {s1, s3} found = true

A cycle containing a reachable state that does not satisfy has been foundand consequently the algorithm returns no, indicating that the persistenceproperty Ppers is not satisfied by the transition system.

Observe that in the previous example, the contents of the stack Ucdescribes a cycle in T containing a state s that does not satisfy . However,we have no information about how that state was reached.

The algorithm for persistence checking presented in Figure 4.13 can beimproved. Instead of first detecting all the states that do not satisfy theformula and then check if any of them is in a cycle, every time a state(whose successors have all been analyzed) that does not satisfy is found itis immediately analyzed to determine if it occurs in a cycle. The improvedalgorithm is presented in Figure 4.17. Another improvement is that, in thiscase, the content of the stack Uc describes a cycle for a certain state that

does not satisfy and the content of the stack U contains a path leadingto that state. Hence, a counter example for the falsification of Ppers can beprovided.

Example 4.48. Consider again the transition system in Figure 4.16. In thiscase, we illustrate the behavior of the algorithm presented in Figure 4.17.The algorithm starts with a call to procedure reachable_cyclewith param-eter s0. The first part of the execution of this procedure visits all reachablenodes from s0 and after all the nodes have been visited, the content of the

7/31/2019 LVM-chap4

41/44


Input: finite transition system T without terminal states and formula Output: yes if T Ppers, no with counterexample otherwise

set of states R := ;stack of states U := new;set of states Rc := ;stack of states Uc := new;bool found := true;

while (I \ R = found) dolet s I \ R;reachable_cycle(s);

od

if found thenreturn(yes)

else

return(no,reverse(Uc.U))fi

proc reachable_cycle (state s)push(s, U);R := R {s};repeat

s := top(U);

if Suc(s) \ R = thenlet s Suc(s) \ R;

push(s, U);R := R {s};

else

pop(U);

if s thenfound := cycle_check(s);

fi

fi

until (empty(U) found)endproc

Figure 4.17: Improved algorithm for persistence checking

7/31/2019 LVM-chap4

42/44


variables is

U =

s1s3s2s0

R = {s0, s1, s2, s3} found = false

Then, the procedure starts looking for a cycle containing a state that doesnot satisfy . It calls cycle_check with parameter s1. The result of thiscall is the same as in the previous example and so, in the end, the contentof the variables is

Uc =

s1s3s1

Rc = {s1, s3} found = true

The content of U is a path fragment leading from an initial state to a statethat does not satisfy and that appears in a cycle. The path fragment thatconfirms this cycle is the content of the stack Uc. Hence, if we join the two(and reverse the order) we get the path fragment

s0 s2 s3 s1 s3 s1

that can be used as a counter-example of the validity of. Thereafter, wecan conclude that the transition system does not satisfy Ppers.

Another important feature of this improved algorithm is that a statethat has already been visited in a previous loop checking is no longer visited.This is achieved by not reseting the content of the variable Rc every time theprocedure cycle_check is called. This does not affect the end result given

that if we call cycle_check to a state s already in Rc then it is because swas a successor of some other state s and consequently, s has already beenanalyzed before, as a consequence of the depth-first search nature of thealgorithm. Hence, if s is in a cycle it would have been detected before.

Theorem 4.49. Let T be a finite transition system over without ter-minal states, a propositional formula over . Then, the algorithm inFigure 4.17, when applied to T and, returns the answer no if and onlyif T Ppers.

7/31/2019 LVM-chap4

43/44


Proof. We start by the left to right implication. So, assume that the al-gorithms answer is no. Then, it is because the procedure cycle_checkfound a state s such that s Suc(top(Uc)). We state without proof thatthis state s is always the bottom element of the stack Uc during the execu-tion of this procedure. Furthermore, ifs1 is immediately above s2 in eitherof the stacks then s1 Suc(s2). This follows from the construction of bothstacks. Hence, the content of stack Uc is a path s . . . s in the transitionsystem.

If the procedure cycle_check was called with parameter s then it isbecause s was the top of the stack U (that was in the mean time removed)and s . Furthermore, from what was said above, the contents of U is apath fragment starting in an initial node s0 and leading to s. Hence, theinitial path fragment

s0 . . . s . . . s

together with Theorem 4.44 proves that T Ppers.

We now prove the reverse implication. Assume that T Ppers. Then,

by Theorem 4.44, there exists one reachable state s (at least) that does notsatisfy and that belongs to a cycle in T. We are going to prove that thealgorithm in Figure 4.17 finds one of such states. To this end, we start byproving that if the procedure cycle_check is invoked with parameter s ands is in a cycle in T then, at the moment of invocation, s cannot appear inthe set Rc. To prove this, we prove that there is no cycle in T containing ssuch that some state of that cycle appears in Rc. We prove this statementby contradiction.

So, assume that cycle_checkwas invoked with parameter s and assumethat there is a cycle u0u1 . . . uk in T such that

(i) u0 = uk = s;

(ii) s ;

(iii) {u0, u1, . . . , uk} Rc = .

Let t {u0, u1, . . . , uk} Rc, that exists because of condition (iii). Then tappears in a cycle that also contains s. Furthermore, given that t Rc, thismeans that t was placed in Rc by a previous invocation of the procedurecycle_check when applied to some other node u. This means that

7/31/2019 LVM-chap4

44/44


I. u ;

II. the invocation cycle_check with parameter u was prior to the invoca-tion of cycle_check with parameter s;

III. during the execution ofcycle_checkwith parameter u, the state t wasadded to Rc.

From III it follows that t is reachable from u. Furthermore, as t is in a cyclewith s then s is also reachable from u.

We now focus on the procedure reachable_cycle, and more precisely,on the relation between the states u and s. We know that both nodes arevisited by this procedure, since cycle_check was invoked with both statesas parameters. The question is: which one was visited first?

u was visited prior to s during the execution ofreachable_cycle. Thismeans that s was pushed on top of stack U after u. But this meansthat cycle_checkwas invoked with parameter s before it was invokedwith parameter u, contradicting II.

s was visited prior to u during the execution ofreachable_cycle. Thismeans that s was pushed on top of stack U before u. By II, whencycle_check is invoked with parameter u, state s is still in the stackU. This means that u is reachable from s. As s is also reachablefrom u we can conclude that s and u are in a cycle. This meansthat, this cycle or another cycle containing u would have been foundprior to the invocation ofcycle_checkwith parameter s and procedurereachable_cyclewould have terminated.

So, we can conclude that if s is in a cycle and the algorithm has notterminated yet, it will find a cycle containing s and, thus, the procedurewill return the answer no.

Date post:	05-Apr-2018
Category:	Documents
Upload:	diogo-silva
View:	214 times
Download:	0 times

LVM-chap4

Documents