berg o ols urn T Systems VI I and Course ErlangenN arallel P Kato en at the of ber of r Informatik ersit Checking rithms um fo ur n f Univ Notes alidation V Algo Semester course Mo del Lecture Lehrstuhl Jo ostPieter hanised hAlexander Mec riedric F Concepts y birthda Herzog h th his Ulric of to o ccasion Dedicated the on t a k h of As for trol y par hec to ol y hard c whic stories time with in dollars testing hniques tial pro duct to t y con Prologue itself e y tec Little a reviewing time increasingly the The algorith to ols am direction andor and recen t complexit missile t gr ws that system an e o vulnerabilit etc after and exp ensiv pr p eer and soft million US umans igh tium oatingp oin through h of ie en ulation the elopmen ery their y tests the v Ariane as impressiv op erational w dev b ecoming sim be hniques tels P pro cess eld the is trols an hence socalled ong tec eral ab out and magnitude can of is the pro cess of determining the wr con consisting of op eration of sev and By nature testing can b e applied e y are engineering sho tests erication b b v w tit umans hnique to supp ort the qualit that loss are design errors reviewing to crash h esting alidation en pro ducts a v Inaugural lecture of the course T are y system are increasing w b y the analysis of the correctness is essen rapidly an system w peer t likely and d There soft system application the for ws king soft asp ects as caused are system of during alidation to y tests et e system validation gro exten hec the v v c the ast the le designs ha text reduce t practice in soft in alidation is a tec safet Due automate mark of at or instance the error in In large to to ythat t con F alone hniques estimated design realization dreams and realit mo del is a systems the tec Curren let the basis system to of on and System v been in y demonstrated ation supp ort active systems ed ed testing pressure e y system to an error k for estimated imp ortan hed has are erication sp ecications olv the en is v V hec the alidation veric c stated of in v giv loss from launc they t b e due t activit complexit ation of r is a and erication are et has dynamic olp er if v mathematical to y the hniques W b been P Apart All in all it is fair to sa mark Manual similar olp er ec are conforms to an abstract sp ecication that ab out those exp eriences A seems errors ticular division unit has mic veric designs of the system design imp ortan correctness and supp ort sound whether w Imp ortan T formal systems W and to ols that facilitate the to is w ts re the our trol and with ho the either via that tcon tegration tact though on trains in or or implicitly comp onen issue hnology e in con cars high w are ts or igh problem as little impact are the h e ts etc v hardw to suc er plan ma jor w people increasingly rely and malfunctioning Due A commands still ha e is w y to are that w da uclear p o ts soft impact phone per of ted with information tec a wrongly alidation er hasn uge essing estimated v h c y o a mobile and ersonal Digital Assistan pr devices comp onen e v been digital our errors do in a sense of transp ortation devices ha pages this system ternet P that it has unreliabilit and gold these in costs y of t sa information unexp ectedly ch And than e that ar accept w e TVs electric razors mobile phones cars public transp orta ycritical systems suc In for computerbased ese hnology in all kinds of applications it is estimated that ance The quest for correctness elopmen not reacts state for e are more and more confron unacceptable valuable should do forth y using PCs In to trol unit relev e e systems information pro cessing so are w fair ct total dev yor e mor recorder the is e orr the ar H Barendregt Images of SMC R c It er errors in safet y using devices lik explicitly b In daily life w Prologue On b tion and liabilit airplanes are of information tec of Clearly ab out video ev remote con systems I I e e y y is of k at b w w are the the Her they with state some these hec small as thank c course h on but me asp ects a hapters notes remarks king for to Prologue vided temp oral e deal y helpful Erlangen essence e ts from m b treat Ulric e hec All c pro trate of c lik w mo del that ery these giving addition unclarities the v y CNRIEI hing king critical emen of hniques ere graduate v in hniques w for thank ould king ere qualitativ hec tec and ersit concen c w tec w from therefore ws the to mo del yp es their e Gnesi I hec The part on realtime branc or hniques illustrated t c e w tribute to her course in to Univ t allo writing of on is h and tec for these lik and errors hapters hing y mo del c reader of the the Erlangen king mo del of ving teac ould Stefania hapter ytocon in at dieren c course realtime w the role of hec and Kerb er functional particular I c a arious algorithms v concerns In the in and while remaining the three success of functionalit course forms and the course elop ed systematically on the basis of the all on pleasure mo del separate distract the systems Lennard the used eral suggestions for impro hing with a on this to of of the CNRCNUCE elop ed these whose eciencyimpro for ts trate of great and up ote ter b een dev deal of yp e t branc ed sev t ey concepts separation parallel Clearly h k dev to ols treat underestimate Thanks win y lectures of hours eac with of will e of Massink concen Siegle eac the been w commen e the setting e unnecessarily latter ts not ter seminars in and not linear e and or elopmen W him ts v addition in Italy F ered b ting eorts yp es of do do v are ha t to the Miek dev in ould e me o principle Markus ywin studen w alidation Pisa Instead W w and Detailed v notes the t still king their y has and presen ere co b notes of notes ts concepts on hec analysis y In for e wledged for giving me the opp ortunit c whereas rst separately king king and e these and ork these kno ersit wledgemen Dijkstras hanized w in hec hec supp orting Hermanns believ lecture c c Klehmet The them reduction During the courses I receiv ingredien been mo del to study b erg German h titativ discussion for Univ kno e mec hniques systems v urn logic treated ing of quan the concepts algorithms that will b emathematical dev thank Ulric zog time dedicate kindly ac Pisa colleagues and Holger ha space mo del basic case rmly N mo del the of these notes w on supp ort These tec Ac e is or to v al in ta for ely F and and king ie ha some of ormal graph h stated under wn that partial Due F t ers hec o starting y to ols v a to ols quite extensiv pro lab oratories system implemen y and their approac tests hnique b systematically be mo del c elopmen companies prop ert of against realized of a tec structures of than a though will dev engineering elop ed theorem king is an automated ts logic alidation general b een data v arious and the eried v a hec dev are v supp orted algorithms selection in rather e w has is alidation v v be e their ro ots in sound math concepts correctness v tsupport t ha as that obtained in an soft of supp ort from to ols there is theory are and system temp oral king h can king erication the started a v mo dels system these and as teresting asp ect hec hec concepts suc c of c in king ha h dieren increasing has on the of all requiremen imp ortan a design is utshell mo del c the hec partially An tel automata formal suc of sometimes a generation an on high degree In orks Mo del wledge mo del mo del In required w be with and erication and and in terest y v is a subset tation to trate in handle them designs can are logic and the wn formalism to instance testing erication hip o put it in a n groups automated topics prop ert as c v T concen sho nitestate h industry or mathematical pro of of to testing h concerned e hardw F the implemen a a w sp ecication this in of e hniques suc logical pro jects these notes are to been for of en lik cking partial tec ers yp e researc e on ts k y v eld The concepts of mo del c giv eral notes considering only terest opp osed king ha system wn notes hec y in to ols o c areas Both as the del che these protot alidit Although some basic kno usually required v ers hec amoun in sev king that in a k in c mo course is supp orts and foundations of appropriate lecture erication of new their hec formal v it the hec lecture mo del and a after ks wn as mo del the increasing these some hnique applied that erication hec v Prologue only tions its instance pro of c gorithms from Mo del In exp ertise c tec in kno Scop e sp ecication b These mo del c ematical graduate algorithms is for house started an its success is y Prologue onia German rank Jo ostPieter Kato en F Pretzfeld h Marc in In ed be k and kof ered tice v esses ts c hec o c ould king are realtime Pren w Pr hniques wledge an del ling hec I emen algorithms v who tec ols and Due to lac Mo c es ykno ticeHall oto Bell e impro hing to app ear dinating these or mistak of eral Pren Co y er Academic Publishers wing b o oks alidation Scienc Rob ert king that are not co w Press sev an of y CCS usage follo hec terested in more information Klu nd ersit thank the the with ation of linear branc or is to Computer katoencsutwentenl cking suggested e ts eric is in king V lik tro duction to the concepts nalysis suggest and d gic A hec I asp ect emen alidation of Computer Pr o del Che v bridge Univ t ide L ould w tro duction to system v as an in I Cam an impro hapters mo del c y olic Mo c hniques Systems Although a few go o d b o oks on mo del c R tains a list of references that can b e consulted in case d for imp ortan notes email address Press tec ers arious asp ects of mo del c v y Symb or those readers who are in Design and V Finally is desired three ComputerA king An F vides an in My Systems king MD y ersit hec rst that co hec out Distribute hapter con and ab notes Univ suggestions the ork hc e informed consider these uns of v ailable there do es not exist at least to the b est of m Kurshan reading Holzmann mo del c v king and pro a ha Huth be Br resp onsibilit understanding lecture asoning hec e y to tly ou RP KL McMillan GJ Princeton Hall G M R m y y English these deep er y tro ductory w urther ersonally I Prologue fully and to ols for mo del c m case happ in P F curren mo del c space and time there are v in industrial case studies on sp ecic In addition eac a CONTENTS Logic king TL hi automata TL hec uc PL PL CTL for and emp oral for TL T mo del c h PL CTL heme TL CTL sc in in PL hing optional Spin in CTL king er ulas to lab elled B TL CTL TL k of Branc PL hec PL CTL hi automata TL hec of form king uc PL CTL for emptiness eness references king TL hec of of tics of tics of PL king mo del c tax tax Chec rom Syn Seman Axiomatization Extensions Sp ecifying prop erties Lab elled B Basic mo del c Expressiv Sp ecifying prop erties Automatonbased approac Mo del c Selected Syn Seman F Chec Summary of steps The Mo del king hec Logic of mo del c ving emp oral T studies alidation v Linear king erication references of system king ts hec alidation V ulation Chec esting ormal v ten T Sim Purp ose Some industrial case Selected Synopsis Automated theorem pro F Mo del c ts ten System Mo del Con Prologue Con CONTENTS alences equiv references artialorder reduction P Reduction through Selected real time ulas king hniques Logic hec ec T form TCTL in CTL mo del c tation posets emp oral to T on ey aal Reduction k strategies represen t based SMV Upp the er er region automata k k RealTime TCTL haracterization of hec hec alence king of timed automata of t theory tc TCTL StateSpace references references king hec of tics tics equiv of mo del c mo del c k b olic statespace tax ey Chec airness The F Fixed p oin Fixed p oin Sym Memory managemen Selected Seman Timed automata Selected The Mo del c Region automata Sp ecifying timeliness prop erties Clo c Seman Syn Surv A Mo del CONTENTS y of re will ers esti if an yp e v state v infor result where be tra jec setting In activit tra Clearly require to to alidation onthey V nal ehicles its ual this fair v k a protot After hematically in is analysis in the needs hec man sc that testing c it ts tegration of fullls those System alidation issue alidation w to v strategy is depicted that step whole design of and sho Result key y of for instance soft dened w the error could arise a design depicted costs determined is ensure a completely and is practice requiremen t is ess a alidation to a applications c increasing in eviewing v r o instance is that This pr essing er c error this e with for o hematically this p elopmen tly analyzed common pr an en h Sc practice validation critical dev previous If do design ely a p osteriori system in Giv reviewing Design Pro cess taining the reliabilit of more started to of branc the establishing total is at the end of the design pro cess eer signican to of P system kinds extensiv applied the validation h eort to repair it since the information up designed ts hnology the costs of uc design are therefore of supp osed in is pro cess arious the is engineering widely v the being phase ersed in order to see where and ho system ts hematic view It to o m v is reviewing to Sc are The are es in Requiremen w clien eliability to as r ab out design peer Usually soft costly the What is common practice on when to p erform v it tak originally system the the use of that hniques it This reduces the for information tec the obtained Figure tec in pro cessing rather are only is eral distinct design phases o systems what is king for faults only at the end of the design tra jectory is not acceptable ts is referred desires while What is common practice on main Tw pro jects needed are hec tations be that mation ing sev design w men in Figure the c error is found tory needs to b e retra This ie ideally examined Figure gations all do es in or for the soft ts hnol trains exp ec of hines tec pro cess highend malfunc t plan where cars pro cessing er mac systems t role w as and where amoun po where h the suc issue information information radiation dominan telephone uclear Information pro cessing n ey on er TVsets k are are ya bulances in ev w are are highly undesirable a w systems pla w am as and noninformation is Mobile soft Ho based in t y In of systems are as users yte life alidation systems transp ort coming to to v reliabilit equipmen is or trol F errors in soft Megab daily ycritical imp ortance tly con another where audio ation our safet e disastrous consequences vital or hnology circumstances h with v rapidly y system of a suc barriers pro cess tering w razors is critical services motiv of of en in arious examples alidation v one surge vide equipp ed are can ha in V role and in w more increasing electric t system vious ys pro a is information tec as ob examples used ada and h of w are are are suc that no Purp ose signican ypical more t a are hardw airplanes is increasingly hemical industry where eviden These ys tro duction ing Chapter System In Systems instance tioning of the soft pla in c Other TVs systems correctness ogy and hospitals and storm and re ery the the not cost pro 0 DM 20 kDM 15 kDM 10 kDM 5 kDM of 25 kDM stage In the this Whereas alidation tegration V should in tire system costs early error cost of It (in DM) per error correction an fairly conclude basis The conceptual during and that per at System Time (non-linear) can e erage b e repaired v w v place dollar more e tro duced detection It is clear that it is of vital in standalone Figure System Test Operation US tak a tro duction of errors once tro duced and detected Ligges are cf on (in %) w should erestimating v view errors tro duction detected er and the impact of errors on the rest sho errors ab out in um of DM p er error when an error w of all mo dules tly to the in t h actual co de is generated of pro cess ie are error poin w Without o tially lo e b een detected b efore the test phases start it is v estigations and soft design Marks v Programming Design Test tial are mo dules are glued together and the en in hing a maxim the w the ab out cycle to economical tributes signican These life German substan that an testing Design Conceptual less (in %) is reader from System while introduced alidation in errors v al ab out the t test et design Analysis t that most errors are found during testing in particular during system in estigated v er Errors that are detected b efore the test phase can on a system the heaply 0% 50% 40% 30% 20% the stages in the design pro cess where errors are in Figure mey gramming phase ie the phase indesign whic phase also con only ab out of all errors ha of eviden tegration tests where soft is in pairmen surprise c increases to DM reac is demonstrated during system op eration eld tests of design imp ortance to detect errors ascosts early to as repair p ossible errors in are the substan system design pro cess particularly 10% en in real tels tion order giv ab out for of Result pro cess a ts ab out of in e resulted v are t atten loss that design error in In Although test a whether tests ths at million correctness k the The Designk alidation validation in v ers baggage handling hec e elop ers the caused c e in the missile Ariane v t and statemen on ed only scan ed e to pro cess v dev hapter design olv king y ent ha manner v of a system sp w in exp ensiv hec to einDen c is this c are mistak team ery for design w v adho c b een a in system eort y be an not b are engineering companies ha the estimated w e onstruction in of onthey op erational c and hnique v can ed is later on in tstep of ha an on Design Pro cess validation ely time is unit Design eral soft errors review e applied than part is imp ortan mor esting as alidation tec hematic view T v an reviewing Consider also the soft usually Sc t division of design is tial alidation more extensiv a y hand and to olsupp ort has receiv v designs part it Design of eect essen ered surprising since terviews with sev most v y alidation alidation is ts the v v yin Figure da In teresting gures for the costs of error repairmen tations part the oatingp oin is co of system particular not so h an is is tium System increase whic that esting Requiremen en million US dollars In German Purp ose This costs of ab out million dollars or the mistak system that p ostp oned the op ening of the new airp ort for mon dollar p er in some in System P to in of ing system realization conforms to the original abstract sp ecication implemen T stance generated b t a es be op the the and and cru alida active in of mo del are is distin can v e are quite pro cess r receiv systems ypically ypically t ts alidation be e T V realization thresholds needed and This poin can is within They t the systems systems pro cess consistency reactiv ts e t socalled e eral nature vironmen of ueli ulation and System automaton certain t of en Pn e systems a coheren sev phases ed y usually k ternal t reactiv at b reactiv hemical in Usually c hec vironmen sp ecication c of exceeds a alidation requiremen and for t v concurren alidation t of nitestate dieren ely of v coined As so on as a dangerous situation a h unication proto cols erication sim tank the action pressure obtained e the is b een the examples alidated whic lik and on v comm extensiv teraction with the vironmen program ts the abstract sp ecication requiremen in in in formal v estigation en ellfunctioning of be be supp ort v w y sp ecication the trate trol ypical in b to mo del t to T appropriate term has their a their con a distributed and e and needed systems pressure teraction with their en of a e sp ecication is v concen tak needs t temp erature against trol from hnique the e inputs to this where thorough will ed supp orted lik tec con uous in k a nature e y sp ecication has b een obtained the third phase consists w tin instance hec correctness these h o a pump and so forth inputs needs c the ypically ha orth e or e example requiremen t systems can b e useful on hniques v w F phase be metho dology aircraft are sp ecication e a original requiremen notes a w regularly for tec yacon design sp ecication can to a conceptual design phase results in an abstract design sp ecica ab o they is receiv systems are rst the react soft This w complex ts to switc e y king Reactiv lecture Based on this information the program can decide to turn on the heat the a result needs systems signals soft trol ersus argued hec o obtain correctly functioning and dep endable reactiv uously elldened dela Once a trust of building a system that implemen testing v In as Secondly tion it tion pro cess abstract c T ticipated w con rather As tin trol trol these an tricate and haracterized b con c short systems erating In con Reactiv pro cess ing elemen is con the are in cial and guished y in u on the can for king cking on hec vide occur tial and notes instance che c sp ecica connected erication complexit designs pro v or h as parallel del F based poten chniques mo te mo del lecture that system ess c hips that consist of system formal o c on and erication of comm computers metho ds pr agreat hniques limited ation unexp ectedly these ess notes c and gr o tec orks in has based magnitude and still pr w and systematic ation inte is parallel d e lecture sp ecications and trate formal eral subsystems suc ulation ynet validation arly veric in the e easily design alidation sim v formal metho ds an these advanc the t can concen adho c biguous of system of for in formal erication and the v highsp eed engineering increase d formal metho ds will are Using e testing the hniques use or errors e tioned b efore in of all pro jects formal unam are ne topic on are v the w ds w h systems b ecomes more and more complicated Imp ortan ort ts the tec and ong soft hniques validation main for supp str consider metho in e hardw Due to d systems simulation tec a e the that language is ne precise analysis use comp onen system e on of briey ols formal alidation its ong of v alidation based e to testing v on Ther w alidation str systematic memory v natural pro cessing a are and terms y y trating Reasoning ab out suc used in unicating b is systematic wing in based e a man are shared proto cols of system ys computer systems are comp osed of sev follo concen comm posed for Ther metho ds ada y ellaccepted in elds lik dened some the us w information y alidation b of Th man their design and distributed systems eg computertelephon No Purp ose that Supp ort Whereas tions v basis In be mal before nication is w according to the German study men metho ds Although system is is to the the test it real or cases to a due system cases biguous heuristic alidation test on There V ternational tation or p ossibilities transformed test build socalled The applied to than testing are and ting them y execution System are adho c tests ysical devices implemen alidation and consists abstract cases ph an of test rather terest logged dicult ISO a in of cases in or instance in the area of real is test F on and sp ecication set the or implemen test the of thirdpart system e ed er to the testing them system ev obtained the in descriptions tativ abstract w phases h has resulted in a draft in of observ in case the ho the been applied eral hnique for system v of executable prop erties are e tly v results represen be executing formally mo deled as abstract mo del ha the compiling them a prop erties y to sev conformance these phase be b y mo del can Recen b in that phase execution test exp ected phase phase to test cases cannot required proprietary eg testing tests phase the logged results are analyzed to decide whether reliable tation test ation of metho ds test the mathematical teed ction cution partitioned in and parts a Since of ber sele of the exe gener implementation mo del is on alid y tation under um cases implemen v n test formal test test test a system the test analysis a b e guaran an comply with the testing is results system on based the the the the to of ust to executable in most unication proto cols this kind of researc where complexit where where In the they The In implemen cases are systematically generated starting from asp ecication precise and unam m In In selected In in are esting is usually the dominating tec T applying that executing useful manner of of applying formal metho ds to testing are increasing comm standard pro cess it it is of as to all are w king some system vior that are to ol ypically of hec soft ulates y a to ol ulate design t suited e c w system as a the in beha sim stim of less of basis the es the reaction to absenc is same mo del of vior of the system the It ulation is system the and their on Since testing is based h that a soft of thereof Sim practice y the user or b reactions tation correctness in vior design ords imp ossible never the almost a vided b is en on used b eha of bination erication ors instances t ev y v implemen ulation is based on a mo del of the err com most a of the testing insigh alidating the qualit is e v systems or mostly formal es p ossible of in Dijkstras w random scenarios of the to tak y that some all y the whether the reaction of the system conforms esenc are of a and pr of t vides ed one tary to sa gets k principle the pro hardw hnique hec hosen inputs called tests and observ tation whereas sim user subset determine The are testing t distinction b eing that testing is p erformed on the real that infeasible show ellc That is assessmen w the traditional w is In itisc complemen can y small soft a it only The scenarios can b e either pro rst a w er of alidation tec output an k This mo del is executable in some sense suc v ev c uli Finally ulation scenarios a w this only complete testing ulator e quic errors is ho piece esting In of be a applied and sim esting Sim T a is tativ ely on the basis of informal and heuristic metho ds er a T required for random generator esting subtle a nev ulation ulation is based on a mo del that describ es the p ossible b eha T ulation the imp ortan means observing the widely e esting y represen sim lik nd executing system implemen system with certain probably w on certain stim called A Sim Sim T realized of the system to b useful scenarios design at hand engineering for instance in all pro jectsexclusiv some form of testing is used but almost on can h h h or ed the F w vior algo used stated tegers allo is ie guarded y program and alidation the written a oin V the y in whic tax of suc a the w y the are rules states ie that negation System Dijkstras The syn They satises nal pro of tial algorithms suc formalized of in a formal w states eg are ts fashion set mo del denotes desired e consider the w a start of the and tw is es can b e dened b tication ystep y formalizing the desired b eha language set true that requiremen the stepb teresting whether p ostcondition a tial quan in equals ulas in predicate logic eried to program constructs in of x and system false One starts b en y e the correctness of sequen pseudoco de e set v b v describ es pre ws pro of determine lik pro the and existen a programs t formally v is the to it dened be abstract ondition ersal another tial Once rules pro ofs The other b o olean connectiv to ostc j statemen describ es p orks as follo some usually corresp ond true the ts g in pro of state the omit univ sequen basic j h can b e used to pro f rules of for instance e p a one S programs can language and and ondition outputs c g co ded is yw set its sp ecication sp ecication metho d for expressing e construct ksort or the computation of the greatest common divisor of t p pro of tial is pr A requiremen A f utshell this w o ulas is T A erifying o obtain a more concrete feeling of what is mean y using pre and p ostconditions form V sequen This approac T as quic In a n b form where satises command These required rithm simplicit inputs denotes disjunction o ed es w ar the t last v that ving from basic tcan tester system where form of ansp the ariables a tr sp ecica v these The ation the o hange notion of c ts to pro w addition to t mathematical testing in the that een cic vironmen e w In can hes are ation ox sp ove esp ecially alues this bet v these yp es its en pr hidden in for vior agrees with the tation can b e observ veric to on black b and system ement erlap system is v of the system under in ab out o term quir the the e testing del r Based erication amoun e that for example the square w do v of o basic approac formal mo ox The testing completely ho b somewhere is Tw under test is and v ey ulated and vior often formal b er to this formal correctness and gr information system a e um b eha mostly n system in lik describ es the to as a is ulation and en b e applied b oth to protot resp ect structure practice of of the system y as one can pro ev that a sim in ypically consisting of p ossible written t an een with vior and the to erication is treated in a mathematical fashion the testing w trolled ie stim ternal b e made precise ternal structure of an implemen and incorp orating ys the in that can are a beha erication requires ters y ts erication relation ts alw correctness the system ma hnique v is states tec hnique Since the v the correctness y formal pro of whether the p ossible b eha the in a similar w sometimes referred of ber represen of desirable where unication b et ulation and to nal pro ducts phases where the in ks b tary h set circumstances transition um vior t requiremen is a tec n the program coun a a ormal hec and and is erication ving the whic F mo del of en ts summary formal v ev A esting dieren ox testing T In tested practical dispro an complemen ormal v systematic sim extremes phases In ent b only the comm and sometimes partially con be F The desired b eha notion of agree with can tions one c or demonstration tigation represen idea is to construct a formal ie mathematical op erates correctly correctness A of if t is of an k this alue od S uses eg starting x alidation g ords V k statemen do nothing w the g whose v applied suc y g f B b B in iterationb o dy B the programs g precondition S f and do es g t one starts with g System the f tial the S B while f g comp osition g S of g g S b efore Stated that f k of g replaced g of y g precondition t f f tial f od else sequen alid S f nally are f S x v S x the g of S S x g S is skip gf g B g do k S gf of sequen execution that g and statemen g B f f h h if then f f en f for f termination explanation f x S B the nal state p ostcondition is usually eac the suc S g if y g is ev t while f rule the a substitution g g f B w some x y a b f f during from a The f condition after k e comp osition uses the b o olean in y f all o ccurrences needs ed an haracterizes v pro of x for partial correctness tained is executed holds t g pro skipstatemen where y According to the axiom for assignmen S that c determines under program main be or the iteration k be the ards and S can for for comp osition skip of starting the and e can exp ect predicate Pro of system of en rule rule tial of parts The rule for alternativ ould whether that program y alid afterw is ev w roughly means to pro of pro of S Axiom for Axiom for assignmen Sequen Consequence Iteration Alternativ k k tire able one f ely alidit T states pro cedure en p ostcondition v The The x termediate predicate then it is v the what in the state of rule cessiv determines The the e S of of in ys are a ely cor The od e the treat S form v S e alue e v the w v starts There do e alternativ v ab o yp ed the resp ectiv B tial programs that able or rules with a for pro of F S the o t to w in T for a simple set of of hristened to one of t p ostcondition while is satisfying alid programs en a y terminating compu j latter triples state if an These sequen S assignmen wing explanations others ct and e the in a t the computer follo terminates in a state satisfying using pro of system else computation orr ts are made ab out computations and of and S y w the line is v for if all conditions indicated ab o the a b o olean expression en input an only ts E In nishes if are assumed to b e equally t treat a ws statemen el then Hoare artial ly c E ct p e B program is called deterministic if it alw lev y x wing grammar denotes b erication if orr A and v c h statemen B j vided a giv x follo otherwise program of S deterministic programs is giv is called terminates will briey tactical a g e S formal total ly S op eration w to the approac j syn tial where stated not terminates and f of h a x wn as the Hoare triple Hoare c E is no S the g at called tial programs eld for sequen of unless x comp osition that f is is kno iteration where alid then the conclusion b elo j ariable that starts in a state satisfying approac g g according for the ula S terpretations of Hoare triples dep ending on whether one considers idea tial satisfying to v precondition erge in f f stands skip programs a S E S total correctness div g g erication is of basic sequen state tlinearev skip f f a The form tation of S that pioneers constructed the The pro of rules should b e read as follo The illustrate his vides the same result when pro S pro of system o p ossible in o ormal v w F where triple the partial or t expression where comp osition and straigh for condition true only the conclusion is indicatedA these pro of rules are called axioms partial correctness So in the case of partialof correctness no statemen deterministic sequen rectness T pro are h w ts ts of S S S are the j uc j ho refer non order m teract S of parallel form in x alidation comp osi the infer vior of There h V to executions statemen a the tee that this on to ard x in unfortunately whic in the is considering is can b e or form of the statemen y tforw S System b tro duction e order Gries S t of their execution v j j in addition rule alb eit erication ab out dep ends termination of In systems v S in ab o and should not only to at programs is no guaran the S this e y p oin ki x the to inputoutput b eha programs formal and mak from straigh strongly of w prop erties of their initial and parallel denote the parallel comp osition Owic or instance if prop erties tial to parallel S of leads F alue of there S of v j vior of j messages y rules for computation tly b een teract at an So prop erties able t to kno S ork systems w x applying sequen b eha w as at termination of be although the that of pro of bet h their x of this is far on the order of execution to the erication inheren hanging the t er v of tially in t suc v fact x expression text aim g exc erifying g is v the with y parallel emen end alue of the the b dep end f w as S computation Moreo teraction obtaining or x in of inputoutput ma jor or y hiev in S imp ortan let the construct a but allo ariables are accessed to g ac S parallelism pro of rule and f same increasing w to is the S Starting The of during S it f the j ould the j and results teract it is not sucien oted x y w Due and ariables g same ts S tical parallel con v b eginning S dev wh g S f ariables This the or t pro cesses can p oten rule endstates x v iden ts general Instead the happ ens erication viously t outcomes for S is needed in v b een S tro duction is to obtain a g in an shared at y statemen es and in a f pro of is ob reasons x in h these common v to f w has separately shared and a alid states dieren S only v h Concurren The eral start these S x ormal or statemen F F of programs can b e either orThe and the v in not is true and tional parts Suc access not sev eort determinism in whic is using to parallel programs in ab out what themselv nal h is be the the rule The that of is tactical t tial com should able strengthen establishes syn S n considering idea T It h In particular to particular decreases but in p ostconditions and only The n only ts to b e established In consequence whic of y S ones S b S establishmen pro ofs t The ts n arian The rule or v system of alue of rules S therefore ening the alen n is is in general undecidable eak ws g B yp es g pro of w t logics programs pro of equiv B allo a pro of rule is asso ciated to eac idea oids innite computations since y programs the v b in One of the main diculties in the The and d consequence n N the other t e f tial t ie nonterminating computations and f of S system the h iteration the v o ccur comp osed g arian od v ergen of N sequen not S or instance the pro of rule for sequen from erication pro of F v of Pro of rules and pro of systems that exhibit this e t function correctness n do h is to nd appropriate in v syntaxoriente p ostconditions termination do es B application e outputs B ab o diers y preconditions p ostconditions of its comp onen N arian v total v and of the pro program and that at eac the and ositional is called an in while and ving implications lik f n This the g to pre g termination complete automation of these ariable een as omp y that e c pre f w This construction precisely a consider v iteration b f inputs wn alue of S order bet that pro e facilitates pro for g stress een kno In it ws the correctness of the comp osed program B replacing to construct w strengthening briey is y auxiliary v t ust a erication n bet explains wh ws us w m y are called though the f the e allo complicates the connection pro of rule ws All rules discussed so far are W Let tactical This considering the h relations for program parts this is the initial v iteration cannot b e decreased innitely often without violating the condition ormal v y ariable noted In rule pro of of programs in this approac allo F S the this syn relation b suc prop ert insucien p osition allo N Here n remains p ositiv v construct that can p ossibly lead to div is the is no as via ell til the w thas these pro of using ab out be formal un a eorder for state of alidation t h usually extended is U states a V the will of til message connected unication pro ellestablished been logic construct programs un wledgemen time there prop erties are statemen System next tro duction of these has er kno of can tial correctness e h facilitate v v o o then states the sequences e t T emp oral the one usually computations of logic whic ab o The in el of abstraction T to lik e P all sequen y v til an ac y a er lev the in system w ys that is in all future states since for pro a expression refer a k un erication metho d whic high receiv of programs pro cess wledgemen h logics are rather w ac do m hnique for expressing prop erties of and the seen holds P a that y e w Apropert b Suc kno v tial ueli prop ositional it will not send vior rcv formalize t y y decades ago ha and U allo Pn a rather e sen an ac P gics beha systems can p ostcondition then w to at sequen m Consider for instance a comm e is e es means that alw that op erators as w al lo prop ert the and m due h of or p ostconditions G prop erties nxt sender to sp ecication tec is tages of the pro of v P reactiv a that of pre erifying message an temp and systems v a a unication means for refer snd e op erators approac til it receiv in yp e op erators message in t y pre science examples tities un as b a means holds and that en sends logic of some next message nxt y if same are a P o these P P these The disadv U w ulated y h t y m b the of ts are called for instance ords P computer ed en form extended w een y Using and commonly used temp oral op erators w with similar w to e their origins in other elds man snd be in globally e systems do not terminate v in a bet bidirectional comm G for receiv if pro cess een ev computation as G hed in whic In Logics some w a holds y some cannot sp ecication b to col of reactiv accepted computations of reactiv transmission b been and ha logics executions in particular those that can expressbet prop erties ab out the relativ predicate logic systems rules and executions reac proto col b Stated a a is ki in in v or As for the the F of of form That pro of asyn use y in terest errors on who user usually parallel in large or guidance to M erication of system result are correctness v the their ery prop ert ork of Owic v t and reader fo cused pro duced strong and nal additional pro of N hronous a assist formal are The exten M global the vulnerable ork Apt Olderog comprehensible ts from the user hapter erication b ecome sync v pro of rules a that teraction and to length the N in some in arian via attracts completely the quite of the v terminate classical y to e system refers to the b eha only is to ols ts in this c or to ols that generate the pro of dicult outputs usually tly for some and it the comp ositional not be h are not ypically yle overs w programs T st to that curren quite fully programs to the seminal w do es complexit desired ariables problems soft is v a comp onen time h tedious em pr out all this approac that of generalize or y in suc parallel in at een t these require to w the of parallel certain usually b efore shared een topic is referred turned length ends and for w assistants h classical via system pro ofs made ercome elopmen pro ofs bet ed has of v k o o the the inputs dev rather pr some more detail later on y explained hec been researc teract of e the correctness of a reactiv of c teraction b et Gries v ed e a in ma as computation the are v in systems w be passing is er time it do es not refer only to the inputoutput relationship ha computation vior v teractions ki the allo the to that to ols in and a h pro of systems in socalled e h problem pro ofs logic v b eha if ards parallel programs starting from the pioneering w systems organization of of theorem h realistic eorts w ha suc e message in suc earguedabo of Owic the Due to certain or suc erication the v erication systems main use systems hto h F v p ossible complex to en arious eha certain reactiv to discuss V The The giv a Gries e result emp oral terested ormal v hronous F computation idea that a program systemis computes a function from inputs to outputs refers parallel and parallel program can often not b e stated in terms of an inputoutput relationship ior of the system o As w W T formal approac c due rather parallel in obligations obtaining mathematical pro ofs and of Besides for instance in the form of lo oking for appropriate in is dicult approac a e y v all b for once ha from t initial hed unicate alidation that the prop erties applicable V state est reac determine y analysis for W be proto cols insucien only from to ck next king hable is ties System ts can che instance teracting automata habilit hec SNA reac viours ts sp ec prop erties eigh for formalising a t suces es that yp es of progress prop example Starting Y IBM is analysis done it mo del c early y for arian Requiremen exists v k and k Requiremen desired b eha in is These t and hec passing concern habilit c ed there t determined X y ving This ties deadlo c on automated reac en Reac erier pro are V sev X message habilit done e whether and paramoun made socalled k states lik late a ork viours del ling ter a be ene mo the r hronous computation dify can tually b eing receiv in Coun example deadlo c where erication metho dology of system a usual reac mo determine V en Real system tire y async Proto cols p ossible b all Mo del of system to en p ossible b eha from is quite some w an progress h is expressed in terms of the states of the in ere mo deled as a set of nitestate automata that comm ered and proto cols v titisev co buers buered Figure messages freedom progress during states has b een further no ving are not unication unication proto cols hold message h hable b ounded There further hanging pro to that whic reac no Here proto cols w via erties and a message is sen comm system state whic exc comm e h y ts of ed its w for a de less user k ter high w e state anal a needs v whic mo del a hec erica the desired that v coun in rene ab o erication and the the general terexample y inputs Here t so that the The can description emp oral Logic require state in undesired k achability exhaustive a king e tioned systems a fault repair formal r user es the v ws an hec acoun e and user v erication pro cess h c is to v satises hec of as and men in e c to allo on an The e to accoun the reac es the wn w and vides v yp e reactiv generated t ts state mo del tend vior that tensiv can kno in t b e wrong in the sense that the be for mo del b eha is to use algorithms executed error is the the those found ws one to sp ecify requiremen b eha h but not vior and lea restart ailable is TLA T to ol pro systems v to h state of the mo del it is c can the another are did of that system cking can h allo lab ourin mo del ypically based a logic hnique on error approac whether user for eac p ossible the tec similar lo cate errors are t del che is h the the trate to evidence h are tedious no the this mo t sp ecication migh whether king notation whic correctness t If temp oral that are user teresting erication pro cess This approac in v hec vides concen h to ol supp ort is a in on the form wn as emen e system same the king pro they w uing An olv y taking more design decisions in ws v in the erify the tin determine based v something whic in circumstances simple an error is recognized the scenario hec in the of allo e in the formalization of the requiremen is to con notes c correctly h a ks to If user of es hec tion for whic vior most c v uman more concreterealistic and This whic that guidance ts sp ecication the desirable b eha h terexample order mo del hine to ols b efore its of the mo del of the system h of the lecture a beha beha in king t uc In user mac coun ch of parallel systems it consists under etomen m Mo del algorithms for mo del c hec ar hnique y of c these the revised emen Eg the tec system king ese In some cases the formal requiremen In The computer to wing olv be us ac v ould lik y erication engine hec tion and degree w Mo del requires c of Actions of Lamp ort probably made a mistak v to sp ecication mo del description eg b mo del b ecomes sp whether prop ert ysis in Th the requiremen scription sho up b example The basic idea of what is kno t it is een ulas that This logic b een alen w space or in hes logical F ks bet h form are engi purp oses the alidation has general in the b e w V hec this state c in relationships ed approac e k king same term king for equiv using t one approac b edded systems ulas hec hec erty since hec c System the ed given Quielle and Sifakis c k established op In particular a logic this connections holds concept be c form pr y dieren hec exhaustiv t a del o systems are equiv that al c o b een king erication soft pairs mo del this w erty w t an e mo t logic gic o op v logicbased teresting hec w lo for c tly in time logarithmically in as in logical terms pr are v dieren ws wing w a the that mo del is nite Using the of t chnique in t as could of transitions te this used bisimilar satisfy and in een prop erties the on more mo del d ork alen w temp oral ber w ulas are as unication proto cols em Since t relations ha bet um state p erformed the same n tirely to form system whether king is that en conceptually of a automate the the commonly alence cks of direction is initial hec are same is an king c che fo cus viorally equiv referred indep enden is del mo del mo dels connection equiv erse the e hec c o given that a w p ossess mo al ly to terminate since linear in w rev t systems comm t b een is The a with applications to hardw hniques Emerson cking Emerson mo del are b eha and logic all prop erties of a certain logic whereas teed satisfy tec The notes for che mo del ach w that k a and o mo dels o of logics and and w e ulation can b e done rather ecien del h they o t alence relation on systems as follo t ultiagen hes can b e established in the follo hec systematic wn they e belo nitestate w t originally Mo a CTL lecture if kno of states description if al appr see Clark these Clark so forth e bisim has originates from the sp eaking dieren y ber h then h h it is only will and logic that is guaran these b enets o approac Gener neering m and e um clear h w een system n w In w the w vioral approac and searc The Although Roughly as the t of induces an equiv bet stance if no approac approac ha alences lik the is infeasible to c the coined b approac a a is in es v ery the no and eat fact as In b e from v these y ev e a in tuitions dened w to automa lik attribute tered system in ebeha can correctness hniques for ulate included hange an A the ariables c a mo deled been v ulation is initial states and sim in vior are equiv e B notion encoun king of resp ect as A v of can es y a h b oth the desired ha b can bisim hec tly preorder set c notion lik h the desired system dier ts usually is with used alues a v en or system that notation eg exploration tec are giv a e the same or b eha notions the Mo del perspectiv v automaton accepted alence is describ ed represen t w A frequen correct t automaton capture alence king hniques ho for a same An system are in this approac be equiv hec A A one ersa in this approac the to equiv of y dieren hniques represen relation ach preorder preorders b in o the tec early tec ach indicate are logic o en mo del c or sp ecication prop erties to inclusion early statespace and states t giv in this notions these bisimilar if ous appr considered there preorder accepted relations usually o pro cesses to b eha are mo dal these hes king wn w ous appr is alence are resp ect using where or gene than the relations of these transitions ords y stating a set of prop erties in some appropriate logic vior hec Since gene w c language alence tly requiremen o ellkno equiv with approac and w is automaton and vice v all b eha o alence it satises as if w equiv whereas t automata temp oral d or homo if another arious ie the most o B automaton other v ts mo del ws a wider class of prop erties to b e examined and handles state equiv ase to w The d or heter as least ordered estigation automatically t possible v some the lo cations preorder of more ecien ase vior at in and or as king h of It allo of of the basically vior is captured b the state same t es trol uc gicb v hec beha o m c utshell are L nitestate usually b eha under considered to b e correct if the desired and the p ossible b eha alen automaton tion ab out what it means for t least n step One ha Behaviorb one con requiremen and ton criterion the analyzed b e considered as a successor Mo del been proto cols spaces Metho ds There desired e er w for not that king king com mo del as or that for par hec hec er c do es principle alidation of arbitrary the F ev V algorithms ers w in of v for Since to b e correct ho is wn erication correctness vide an answ parts mo del tee e System ase prop erties only eried e teed with ellkno anced believ is y do es not in principle theorems though w guaran incr e cidability issues unreliable adv no de guaran eried rather than the real system certain and ant it cannot pro cking be is system using formal v Only for particular cases this t using theorem pro suggest a the che more n of king of as systematic testing are needed aprotocolisv erication er the reliabilit signic there del migh v e h eried absolute generalizations ev some exp ertise a limitations w hec standard v p ossesses del mo w d e cases correct h as the system mo del and appropriate e k suc are v be mo king ho w cke en hec ormal hiev v ovide c ab o F hec ondenc using notes mo del king is sub ject to the of the system is v can some che soft ac c pr can to pro a for arbitrary e as for instance hec of hniques the er or del tly an ar c d F king these o If using mo del c king mo nev that been go level of hec e c hec v validation prop erties general c cking tary tec as can Despite fact systems the ha pro cesses ements e most classes of innitestate systems mo del c computable king a ny subsequen h che in n y of mo del c in A sequel one are quir The hec ely mo del problems e del w Mo del r that the d Mo that of desired ere soft in to ol e itself tee that the nal realization p ossesses the same prop erties eectiv sev y state imp ossible see king an short of realistic size is not feasible b eliev hec c cause In constitute the basis for mo del c system guaran purp ose complemen will Using mo del c pleteness ticular cases lik is applicable to suc Finding appropriate abstraction suc prop erties in temp oral logic requires As The applicabilit Only parameters for the result of is It Apt and Kozen for and pro cesses e W systems in to wn the o with with since algo using result in due imp or skills is teraction tics con the rst king only their wn mo del can unications in less or king ulation and graph hec of example of ts designers where hec hniques mo del This c basically comm an applications is ts initiated king spaces e degree e using sim with Cadence oered v system king has led to shorter hec mo del this c structures y anced tec ha spaces of b requiremen hec mo deling seman alidation to c are high tensiv and e d the tion a few nally a ations king eried against a partial sp ec data ailable v requiremen tel use jobs state hec more than In eral adv all datain innite state applic compilers require of hnologies to ignoring large theory literature eg ys to men ec a outinely T king incorp oration not r are industry al foundations t of mo del c while tro duces suited king subset rather the in the hec instance the this pro cess a do es king ts c a design can b e v hec olintensive y h Railw of Lucen c automata less for basis hec that with tially b e is are required industry is building their o only king ontr est c and and It usually in use wn rep orted hec since one can restrict the v ers deal mo del c k not dela In addition due to sev poten mo del inter ts sho requiremen to erication logic they hec on e t v of b een ujitsu Dutc can v are b ecoming commercially a esting mathematic eral case studies the use of mo del c do es of data an Siemens as mo del ha p ossibly computationally exp ensiv able mainly to t considering ers constitute the has ers t times k k y artial relev or sev p theory ed eciency b groups ease user are eg comp onen increasing that v F hec hec pro cess c h h studies states though king ers ers uc een k k most fact treatmen elopmen t w m hec c hec hec limitations testing tan design dev c Case in impro the ication Supp orts c applying mo del c Mo del Rapidly as the with the the bet Appropriate rithms etc mo del c currency existing to ols F researc Sound and inter main limitations of mo del c Mo del The The d y y n is is is e b ers the y ari ari to ol k this yp es v v arit more some typ these yp es ers y user b eings v b This e tt term hec a term e a pro w ariables the v In the pro of i alidation theorem binations t The pro A ho rstorder V ha a e at a pro of of the usually yp es but no Besides high the uman on to bol of arit eried and A predicate is since h b ecomes v bol tt yp e lik pro ofs yp ed ts of n are tences t whereas is arities giving t y System theorem sym or predicatet y sen logic rather ers yp es apply in ers or pro of c en ten t k v to sensible step is er to v logics er ypically giv the yp es con is hec complex o of exp ertise using v e T c help o viding hin y of it user a e an innite set of v der pro of bol of arit the v predicate w pro ariable has a t are to h more is a function sym are of what is the b est strategy en in order to arriv tensiv the y bols pro of b ol has a set of argumen or ving w sym hv b f eha pro cess eac this analogous only functiont systems functions of arit pro sym used tications and e or In er higheror er high degree and as v v not h more structure in their sub ject than o ell b e a b ol has a set of argumen are ers lab ourin quan deal with uc tications use v function ed where etobetak ers n v done yw a v yp es erication logic t pro teractiv Moreo theorem ers can v and co yp es and eac range view v predicate of users be a rather ersal in teraction with h function sym is a predicate trivial In this logic w in t in ts h en ers P h v k The t and these univ This of suc than eac f logics quan hec pro can b e er theorem still to or y pro ofs c v searc The user ma bols y do o h predicate sym ts int be b of argumen In addition the use of theorem pro errorprone where tial theorem pro ariables can yp ed degree the y small steps ha n t ers sym v to ol requires uman b eings see m of tify y Usually yp e v things can w scrunit explicitly used the parts slo the pro therefore Constan ber the Man existen quan t has t these rstorder predicate y are reduce t steps b more x of um pro of or to In ers yp e and eac n function small to k v h P a witisused than theorems that yp ed of ypically man uc usually ariable of the form e the these theorem T pro of and trac m yp e ariable is a term set order t tences or enables ed i certain a t k logic used tences in rstorder predicate logic are either predicates logical com In Logics conduct sen the form ts of rstorder predicate logic teraction with the user eeping hec k to remaining theorem pro in system result and a result t gram v ables are t of Sen of logics there is in addition a set of t an sp ecies the and either a v and This expressiv predicate logic where due to the fact that h c logic but also ho skip requires therefore require t h h ts of in the the yp e and user that king y t than These of to sa vior of vior of A system hec amoun whether c pro ofs to explosion task ers pro duct size the e v the ts that eac ers comp onen parallel general the ac and ving problem h the the mo del for generalpurp ose capabilities conforms easier pro tly vulnerable to answ bat this problem to of The exceed searc er an rather enable k ulas statesp y alidation e a v ts v tation or the pro of of hec ma e algorithmic and searc problem of c ha F This represen king form states is a p ossible b eha v theorem setting is inheren a as the as automated hec ers to The k the system Therefore states prop ortional wn king elop ed to com ers ha ving comp onen implemen v in of hec system er of Note that the system sp ecication c h hec k theorems highly notes case related the e pro particular ber case hec v in pro of c not realized c h to automate the pro of of mathemati ely b e used in elds where mathematical pro of in In um orst pro er e b een dev n approac p ossible w exist is reduction v lecture individual ev closely to y pro of k whether that w ts whether the the is tation ie satises to o large is kno a programs with sp ecialpurp ose This hec man ailable us satises e these their in logics used to fact v arian Most theorem pro king e that a v of that is of theorem is an approac v demand t the ha metho ds ha algorithmic statespace tly than those that are used in theorem pro b ecome are wn to c Chec e ving ailable teractiv eld v king it is quite common to mo del the p ossible b eha oving for hnique can eectiv a theorem a spaces can pro that realization are b oth considered vior that is ho problem systems a hec reect solely Dieren general is Usually the logic h and in its a of em pr state problems in Chapter wboilsdo or suc w The logic This tec hniques alid ers vior of the implemen ers can b e used memory of cking eral eectiv of states v v systems of the the in pro of practical tec follo ts che Sev a pro of Automated ber wotherbeha treated to e of appropriate o space um giv size incorp orated rather ma jor n pro of is v Since in mo del c Pr computer oids oblem v Automated theorem the system as nitestate automata mo del c the of the the distributed state dierences the can b e expressed more ecien a theorem comp onen theorem pro are possible beha the system sp ecication and th can allo the pr will b e Automated sp ecication and cal theorems abstractions some sp ecication no e a of er for aid v rom The pre lik from com state more these F nite to ts logical erify of system v alues alidation v el not erication V the and vide useful the v ving used and king is innite could pro be tly argumen hec the c with can b enet e xed applications er one System with v can arbitrary a e systems system e their b enets y h v maximal lev assist a applications mo del for w for e deal oneself theorem the trol subsequen inductiv tensiv that one whic and if ed this con h k can using tensiv pro of than fast and en In almost suc hec using a trolin ev c guide ving an is familiarize con to ers of a theorem pro result pro cess datain pro v es to tary and b oth ha to b etter hniques giv pro terexamples instance help teresting parameters design tec be in of correctness for o general the coun ving exp ertise is to w a dicult Theorem t erful higherorder logic of the theorem pro pro of proto cols set pro w is theorem hes applicable system with t complemen the it a correct these en also suitable for systems nite generate using a more be yof giv approac considered king theorem systems constructs unication is considerable can to is completely automatic and be are rather userfriendly and easy to use the use of theorem e tegrate hec small c not one en ab out b oth a particular ers v can king king king comm k king can b e applied to partial designs and so can pro is reliabilit of parameters of In for reactiv pro hec requires hec hec hec hec it is therefore c set c c parameters successful mo del are king be ers tages of v debugging hec mo del an c erications can v information pletely sp ecied Mo del c pro Mo del Mo del c pro cess language usually some p o Mo del hardw general in Using set Mo del parameters cision and spaces When adv arbitrary listed hniques are to a large exten be emerging eort to in the these system mo del an Mo del tec h h er to en v the not can to a con suc rules of PVS hence alues is pro ofs v y trast to supp ort are tence king use nd ed pro cedure strategies conditions k to o conclusions sen hec to alidit a c goaldirected pro ofs practice The algorith T In con hec v theorem ev Isab elle ers prop erties o the v to in n ts e yisreduced en simple nd the v certain of equalities obtain parameters y b e needed pro in Co q mo del suggest to are leads to agiv useful and y size tial are erview of c unication and viding all substitutions of v ers ma directly with innite state and v satises comp onen ery the This order ers v to theorem v arbitrary of ch in ving pro in ypro y strategies y this complexit en deal tially dicult ie the length of b ar exp onen pro rules not for v h pro se tial use the pro of of ers strategy pro rewriting where v resolution are size alidit equations used h v and searc pro of be of theorem pro h other b of ers e a strategy often called a tactic whic ving can theorem Suc v are y v umans the to to nd be theorem exp onen b h teed to yield a normal form prop erties equal t pro y pro apply structural induction to pro of that een ma are from system as tence to y used that w theorem pro of applied depthrst n a h algorithmic double e of a sen bet e are y tial in the length of the pro of ma is v theorem eg alidit theorem and terms uPRL and HOL A recen v case often the hniques tial and distributed algorithms can b e found in Gro ote o terms with eac nd not sucien o length hniques ving w ving in general is exp onen in that w alidit ving teractiv tec t the v king ers ha strategies to of and tec are v ht t pro h with pro hec The to ol needs to ha ol the dierences wn are The deduction erify P t whic v automated tence ts erMo ore n directed breadthrst or userin y pro ceed hniques Strategies sen wing F starting can Imp ortan ellkno exten theorem an de be a on to tec v w t natural conclude follo of to domains en w and y v attempts ards this ho are comp onen hisusedtomatc based ma Most theorem pro Completely These Some The kw pro general relies on pro of principles suc pro of e ariables under Automated theorem v whic w from mic this a eg problem of theorempro pro of a time that is exp onen pro of formalized in bac sidered traditional mo del c tells the application of these rules is guaran It if the pro of exists spaces innite signican be NQTHM Bo in the literature of sequen Monin same he that alidation the V acommon e v h cac hical bus sys ha share ust System h details m of data eg whic eral M prop osal copies bus as the via a same some data logic consistency will b e item pro cessors found store h is nonmo died then eac an notes ensure ere to tains the co de of via bridges yielding a hierarc w connected ation and original standard y he temp oral ust ts cop SMV a after abstraction from sev Motiv of item con linear segmen distributed systems Standard tain alocalcac this and proto col m of pro cessors states for king of con SMV has tial revision of bus y set tains a data item whic hec lines hes er c t ts can b e connected cop k organization of these con y cac a M hec nontrivial fatal errors substan hitecture temp oral logic M consistency alue tro duction and space pro cessor v if has if uturebus segmen arc In Mo del h he eral Synopsis F bus bus memory eac cac bus segmen tem mo del c Linear complexit result conguration state sev topics art art IEEE The P P e e of v v the k has ha lines and hec ould ha cycles of c addition to Description in design had engineers inconsistencies thousands mo del no they system are of logically eral t w logical tly Sp ecication sev ere erication t una of v w the ts ept formal design pro cess the ITUT series y studies indep enden king e resulted when the teams w b be k the indep enden a v o t the found inconsisten writing hec w t Signalling Proto col in temp oral logic eek T tly ere requiremen for of case SDL w ould ha started supp ort eeks could not of stated part w through w T requiremen of mo del c ts lines A tre team designers the to ols to indep enden y errors w Proto col after in Cen Spin studies design errors original design elop design art industrial er orking wman up to really go P hing ered k dev w t v Pro ject en of the erication runs size hec serious tional and erication engineers ued wn ho Switc giv unco are en formal requiremen v w tin v ing Some Language mo del c sp ecication adapt soft Bell Lab oratories USA ESS pro ject ISDN User con con exp erimen unkno been been v Some industrial case NewCoRe o Pr Prob terna cker parallel on In Concur A Commu alidation V for IEEE Sym T and Draft Systeme ansaction System hnique r ch and her T quential tec dings th esting e Se e T c CM hnisc o of e A ektrum pro of tec Pr pages e Rettelba ation M actions science eric Scienc V of Conformanc axiomatic in practice in German Informatik Sp arebasierter in An w og logic ds atze a Computer erlag Systems hniques othfelder of Older R Metho Gries and temp oral herung Soft M D osungsans CM references An axiomatic basis for computer programming ER Informatic ormal A SpringerV The F atssic using temp oral logic alidation tec The temp oral logic of programs and cta the oundations t v are anguages formal metho ds and F A L temp oral logic in computer ams of he und L on Ho gr Qualit on are o Apt w wicki Pr bereic Pnueli O Lampor Liggesmeyer erication erication ations Selected based amming soft osium ent P mann lem CAR ISOITUT KR r tional Standard L gr S programs A p nic of tro duction of esting ormal v ormal v Use T F F In y S ersit USA Univ Uppsala of y hnologies ersit ec T t Univ logic CarnegieMellon hniques logic Lucen aal tec SMV Upp Spin er er ving k k er temp oral k temp oral hec hec c c BDDs hec hing hi automata uc mo del mo del mo del c hniques realtime branc t strategies and preorders the the tec the eciencyimpro king king Timed CTL CTL ulas to B of hec hec theory alences c c ey king king t emptiness supp ort supp ort supp ort managemen hec hec TLform surv hing temp oral logic are are are king Aalb org DK of equiv b olic enco ding w w w hi automata Mo del Mo del A uc artialorder reduction airness rom L Soft USA Timed CTL Timed automata Mo del c Soft Branc Fixed p oin Mo del c F B F Chec Soft Use Sym Memory P and art art art Synopsis P P P y b De ency e coher alidation he V dwar NewCoRe Concurr published erications of Har v as System king uturebus cac Science Chec Concur Computer on the F Pol de Computer pages Symp computer in ations an y ess v b Int J erication of V Notes Applic g H Hiraishi S Jha DE Long KL Congr th and systems their Ness umber World Lecture dings e and e c Monin The theory and practice of a formal metho d o LA IFIP Pr F pages distributed and th pro ject anguages and L oote LNCS abbreviation of dings proto col Gr e erlag pro ject e ory c an V o uturebus is F JF proto cols EM Clarke O Gr The GJ Holzmann Pr McMillan ence scription IEEE NewCoRe LNCS Springer t of for ele and am sk IEEE alida gr v o Pr esting concurren T pages erication of statement v proto col etters erication L hronisation ation state of the art and osium on sync Position cic e erication LNCS essing of unpublished note automatic v c Sp o automated Pr king ol the and ams c of thesis gr hec o oto c for Syn Pr Pr Computeraided v ormal metho ds F of Surveys on king mo del Limits gic Information limitations o to hec Sp ecication L e Quality Workshop osium and Emerson Kurshan dings th International Symp ozen e systems e akis logic Computing K mo del c c Symp systems o Wing et al EA Sif of t RP tro duction Pr king CM time nd hniques in J A DC hec JM and and tec king Applications An erview hing y pages and v hec dings and o e concurren pages of distributed e c o branc habilit directions Clarke Apt ation Clarke Pr LNCS West olper for pro ofs W ctrum references Quielle e eric anel discussion at the Softwar Sp EM Clarke p EM future P J systems in CESAR ming EM nitestate tons tion CH V KR king tro duction and Origins of mo del c Selected In Limitations of mo del c Proto col reac Chec o y or se w the tly ted F t vide hine en y v system include the activit describ ed h A discussion execution dep ending dieren will pro e The origins be inserting execution its whic it emp oral Logic exist useful of desired can yp e of prop erties Stated tually happ en to after ulas that eral authors rened extensiv en during is happ ens some tro duced for sp ecica logics Linear T rather form of prop erties user hing temp oral logic will time hine is that the mac ueli er in y where A Prior in more be hine prop erties ere in prop erties the king nev a system yp es yPn to Later sev write t y of some ulation of prop erties of system a b hw time t temp oral engage coee to t en Chec bad most at to v tains of other ust with coeemac whic pro con user and terpretations of temp oral logic ymen m in Mo del coee t eral pa statemen gics the ailable requests has o the y for a coeemac v t also a hange w t c for w the al lo something system y user vided or to eness prop erties allo ws terpretations pro hoices these sucien the in that k to the eld of philosoph c y prop ert temp allo t a y if it do es not engage in the proscrib ed activit if the t of prop erties of ab out p ossible execution sequences y be Chapter logic prop ert een system the classication w y and liv almost disjoin tea ys state a logic after to the bet er eness are Dieren y this prop ert alw deal with linear temp oral logic branc a state classication with sev liv a nev emp oral logics supp ort the form ypical safet h a prop ert e temp oral a system T tually in h w will prop erties state that something go o d will ev time Chapter of en this e b een dened in order to describ e precisely these t t vide temp oral suc prop erties v considers ev ws the statemen er sensitivit in dierences v informal ar erication purp oses in computer science b user prop erties example o bination of safet hapter anching ymen one c of Safety coee the satises suc instance a t will pro Liveness satisfy An Line quences Br some It allo that start pa w vior extended Logics ha treated ho this be In ab out the The most widely studied are tion and v of linear temp oral logic go bac it in the s and beha on Although as a com classes e a of to its the the tial and and hing viron to reactiv with fetc order haracter pre from Lamp ort c inputs e sequen reaction as on of Due h on ulus outputs uous from time teracts ying suc relativ nonterminating with the en in tin terms stim er view steps imp ose v emp oral a o the in con their to hine T to to h transformational sys action generates actions to functions The accompan while mac vided wish as refer reacts Due pro traditional and some system computation coee yp e of systems are sometimes also teract system the a of in usually tial inputs system designers or the e to e ontinuous inter ber from considered w Linear Prop erties of suc to p erforms c teraction of in that um sequen able are n ya ts vior an system reactiv diers the nonterminating a usually systems categories nite b eha e generated us to outputs these t are After o king a previously systems and more w Th the input systems op erating requiremen e to t tial reactiv after ie haracterized b once user outputs an of systems the coee reaction e the sequen reactiv Chec a is receiving tually as discussed relate that y in system en b ie reactiv ev t t instance These prop erties After the system pro ducing fall basically in or e systems are c argued F in e ypically or t ypical vior teraction ts t T in vironmen vironmen en le Chapter Mo del Logic Reactiv en men en a reactiv ev systems terminates systems of referred to as transformational systems transformation of inputs in outputs p ostconditions tems b eha U or In the tin sub notes Then us BNF equiv TL and G es PL tually of y orm y b prop er giv en b F lecture holds some p oin a emp oral Logic ev neXt temp oral op era us items these th h denition The is In holds at kusNaur Linear T is denoted whic the three  U Bac ulas is dened true logic implication and for king as pronounced rules in rst that pronounced j F G form en X Chec explains the X TL future giv j y and equals are G b PL denotes be This the of Mo del tax denitions in the rest of these lecture and Prop ositional false t as in can set t F j indeed and poin conjunction TL obtained op erators the Globally and poin y logic according to these PL F an denoted or j no ulas of AP p at is ys tax p form a temp oral y b of syn for holds there alw as U sometimes prop ositional only set equals the ws til F is of of traditional notations ulas constructed true dened the F alid in all states ely The Un follo Supp ose the ulas is v as ula true TL that terpart of form are dened pronounced PL form F G form set G literature future coun of of short Alternativ The usual b o olean op erators Note will use uture are e will use this succinct notation for syn e tors Since true F pronounced for The set The W notes alence set w the the the t a to are  and cur as made equals simple system system further dened AP x refers x y be be imp ortan The start and the are or gcd ts of some that an can regarded max ws w is ed here be k max ab out logic has that allo than AP stated AP hec c ts to ulas that can b e stated of be ts suc prop ositions be stated already ypical elemen r not greater functions can ula be can temp oral is ula y and statemen y x atomic and t form can prop ositions denition decides p q therefore are AP for short basic y linear is a prop ert y b prop ert that is a form ula ula TL can Then h er no ie prop ositions that cannot atomic ts precise v PL principle wing eg statemen most o U of form instance AP In the then the no suc allo set is a form for set is a ula ositions constan tly are op AP up on the prop ositions TL the X Other examples are it is raining or there are is ranged one form prop ositional pr shop in of ell PL If ulas then ulas then x of atomic prop ositions to AP is a the dw basic x y of p Fixing of in hoice consequen tax atomic c not mo d ula then ula then of ariable action most prop ositions AP are form are form of atomic prop ositions x Syn the referred will tax ariables form form set v set the p e TL abstr be wing denition determines the set of basic form Examples W of that x tomic PL and is a and is a customers its existence of estigation to r A Syn v be a tisa tax of prop ositional linear temp oral logic is dened as follo en some v xes of y set or all ariables and no in v If If F If If it a step and AP poin tax The follo Notice tly x q er ariables v v ing The syn Syn rst these rened The set of atomic prop ositionsp is denoted b Let in prop ositional linear temp oral logic Denition ren one giv o p ostulate one under predicates or is of in ell the im tics w x k f s s alid in y state innite valid k ositions The ositions s sequence example seman op k is x for op s meaning s pr equally s s prop ositions of pr the s emp oral Logic of R is sometimes s e setting a nite R can innite or alid for an s x F End formal Lab el osition and atomic s atomic an state atomic generator literature op One state is Lab el a Linear T of pr and The the s i next as S p set s s assigns in the  king en a del sequence R acts s e where atomic giv b and Lab el successor mo it R In this alternativ Chec unique for is g tered which s g alid ie the where e state R cornerstones v of a the i innite in s it means that no prop osition is v is v Lab el h s is of states Mo del is that p the encoun x x the tics eac R R its unique s Lab el Lab el f valid function i S set h atomic prop ositions are v s tly to are S R is R in terms s with R the seman s x S R S R s s g s TL state function frequen states PL s R Lab el tied umerable x x is structure states e called are dened as ab o of assigning M the v f as the M alid in Lab el h a x for of iden indicates whic h h the prop osition of s S AP y den eha is del set are v and suc Lab el ulas is dened w k x AP s mo usually a s and a triple s assigning to state f Lab el Mo del S p g et and sequences that e approac s for whic L the a mo del as S states S s s nonempt s state as TL In s of function s S haracteristic these PL to states s only c is a mo del is the If for state a t s S R Lab el Lab el in s TL alternativ TL f or Lab el essor F The function c states PL The state M PL terpretation g in Denition A temp oral logic form sequence in This s referred Example sequences of states and of dene p ortan suc S state valid to e is al er all ar the or x bind ulas eak TL to in some formal strong X PL ositions a temp example G form alid op and v til a certain formula and of at the top pr TL binds w w or at some x d is U un equally which PL state G ormally thir state of End in F F biguously alid no atomic bind F that the next X order on the op erators of U next x unam also the and set h formula and means to or instance the TL op erators ond F construction c whic e X of state X PL notions b se to all future states x G that is it is v y er g a b a precedence v U these ely ula of The and these to tually ets instead F and k form x en mean tuitiv x e In the w dene TL than equally strong UF x U example a recip e for the x alid ev to x F do n X PL us G A es precedence o bind is v states use of brac state terpretation e F x of t tak x of in what order ar and ula without a temp oral op erator stronger vides f write U G In X an As usual the unary op erators bind stronger than the binary and e But is alid w curren e bind X tics v d U formulas AP ws to some future state giv U x the TL et sequences and and formulas means that F L F neste PL future to future not to diminish the y TL e on denition pro F b instance ar PL e ositional the the Seman v strong and or do es op states tics of refers order F in in x o summarize a form pr ab o it t t ators In T el U er terpreted poin poin next state in Seman but is imp osed as follo ones equally condition b ecomes The temp oral op erator future lev Example Example is denoted than The op also e a s for ys is that of a Thus h direct s state alw e states whic in states example w s W emp oral Logic an valid As necessarily ator Lab el expression er some futur also b ecome S Linear T op w is not the p s no exists F e king all e w some s true j is for unless then ther Chec explains G s g s of the k Lab el alid in there This v d that true j Mo del tics if ation if and only if for all successor is p s s valid alid kjR until to v M only deriv is seman assume  of is So alid in and U s g if g is v j F reduces ula g s g g previous for the variant itself where s s of F U j implicitly F G in s G j form is s R of of j j j of of calculus or aker tics formula j ula g it state alid s s s the s we v tics tics R result of j j j in the for all states U A of is U t seman R R R If F itself j j F G true F the form denition seman predicate seman calculus denition using the s this result for state true f f f f f f f holds j j j j j j j of s s s s for y stating e Using alidit alid statemen deriv v v Example including Therefore successor Therefore which when t e is s of S w the It with rela and ula When s G state j and holds in equation successor represen y p s form M states an The concept a M ula of alid in state mo del in j y If direct satisfaction b calculation and TL mo del s a p j s a k hnically this results s PL hold logic they Lab el s ard of the of ec a isv T M of not called x true s tforw states is e is dened or kjR means es true false s Lab el its j lab elling  tak n y successor state b hold of y straigh a thand side of a dening the S R state an y the b one on righ in for the either called dened e often omit the mo del and simply write or instance if Stated otherwise the form all states M M F alid in that state put s is s is j s j alid can v wing inx notation logical op erators in the s s R en s are text w is TL s denition n j s logic mo del alid in the ts R PL v a R R state satisfaction relation in if as in state this is j of j If y Lab el s s a y the follo een s j isalsov The j prop osition ulas w w only j s true from el tics x R p n constrain n s bet R i i i i i form and ulas no for that satises atomic prop osition M if j of atomic terpretation is giv terpretation of the other connectiv s M Seman TL y an M see and metalev form b obtained that an s is clear from the con than PL a j U to in the same be is denoted b s TL be X p M at s mo del j n fact PL that s w j j j j j meaning AP R of M s s s s s tics of rather no s If the R denoted No further in p dicult s The Note The formal in Although the logical op erators on the s that can y that mo del j M Seman it do es not mean that atomic prop ositions tion M from Here state sa of op erators are denoted is s Denition the mo del and Let F not s d is the erbal essor c after e and depicte formulas suc example s formula ther of its of the ows r the emp oral Logic in of vide their v state the End ulas I I states alid in its successor state M in g the valid d of Linear T is validity and pro in p r form s f ate r fourth tually TL TL e king g and The en successor PL PL the indic ev p s sinc all f is Chec in state g valid and states s is valid for then U q p q r holds rst q Mo del f not s essor g c the is state in ie terpretation of in suc tually r p q t tly ys f en ct a X of in e essor j ev c s formula dir alw s U alid in some state then it is also v tly used prop ositions in suc s Final ly q p t then M the is v ct p ermanen G F e GF formula their M Example not dir if once if in that r e state the s h ar X d if initially that is tually s their F X G en holds innitely often and valid thir s ev w some frequen in F is and e Figure s the q GF U e b elo In t sinc q M G G initial state GF FG state G but F so egiv p terpretation suc elow state G valid is state in W b in in al l s the not ach ond and ows U c e in al l e for ow q es r om se p r formula elow the G do F efor invalid example example Figur valid db rst p the oughout is dbyarr of of r F is in if ate Ther p thr essor the p d X c G essors F c or as End End p q ulas I suc black d is denote suc shown is indic d ct state e steps e depicte e R is form as time is a total function e formula dir This applies to the olor mor TL last depicte c Lab el R states PL or rst e is The the o states of p whose g states formulas the Sinc el ling e zer om state e by fr of e has p q s for Consider the formula A d e d f din thr states quenc rst disjunct The lab otherwise se only s M ache al l g the ache e holds quenc dene the r e cles and the function q terpretation of R r se the ow del f e of is or in that to e b ositions holds a F i b as mo d white op p W s e an as an c g U dascir until c state to s q q olor f s validity U given ator given c U no q given valid due er e state b om e state the is the either Example of p atomic pr op b and p e depicte e e in formula M r one outgoing arr No ar M ow fr ows r ther t et TL G the state et L unless e L X formula is PL states cisely unique state States ar e ough sinc that lower The Figure al l ontinuously pr states c p the thr the eisanarr quals last W e p r p e the tics of U p for e M F G q e the In p states these holds valid in quenc U states Seman se Example ie ther state has Figur q al l which Example satisfy wher but states is al l q it is y as us alid it v there TL tics reason alidit innite viously Let is PL length then to ob kv j an holds then e M of e v for seman hec ula s v emp oral Logic y ha then U ha R e the path form k w to mo del a satisable undecidable holds ed prop ert using state the Linear T is w since via be of ed k j R whether ula allo to king next  hed task b er of states to c state deriv are t the terms form um reac Chec seems be g in in nitemo del TL deciding be curren PL s bersome ation and for states mo dels a Mo del R j can course U the if of cum U TL n dened problem of s R in socalled state PL y is set j if t R X g that h metho d can wing deriv U j s the rather since s e j alidit since a s R R v to alid whic ula follo curren X U v that n states and g g R the is y tics U eectiv due j X t form X usually j j of of of in the an TL er sigh s s is mo dels ev seman PL be prop ert arbitrary tics tics tics obtain the to deduce w a equation al l holds e to rst This Ho j j j of try W of for at s s s this y if seman seman seman calculus using formal j j seem f f f f Axiomatization j s s ely U s the holds states holds b efore space alidit not nitemo del v instance Aside en al l tuitiv U U Otherwise The satisable in a mo del with a nite suces to consider only all mo dels with a nite n state in do es The for giv In ab out e e y y it be its M ula the giv king h solv these prob does of tation and to and mo dels hec relation form exist to in y w reduces s decidable traditional formally satisabilit satisabilit this that do es validity ulas king problem M also of negation is desired existing p osition can the states more hec y is a del Since al l form the all mo del this sp ecication for the in TL mo en a prop ert TL h h for erication cf Chapter w PL PL giv j and problem y While for mo del c suc problem case no with equals y whic s for j system M satisabilit no ws nite the a are M decidable s for king j a is alidit e for the is M v w s hec not tation and sp ecication cannot b e c have confused mo dels that problem is M given mo del far satisabilit tation is not a correct implemen we be consider a all tly in the literature is the and so is this the mo del king do whether problem y for y problem not h that k y to e hec en determining exists v alidation using formal v c The oblem hec suc elop ed satisable example ha c alidit giv tation conforms to the sp ecication no s pr By v erty e should is dev to an there w op een the implemen not mo del the w pr s is As e an informal denition of the mo del c do dierence us the implemen cking satisabilit has a v satisabilit Th ula and state hinery che t to system v in logic for the one problem The y ega state problem can b e phrased as follo and whether an M del s k mac form simpler TL haracterisation king TL mo c king rather than to determine the existence of one or more suc hec and PL s c j the wing sense the prop ert PL ymodel state hec whether hapter w or c If a to y is relev M s hec a The y problem y problem formal F yproblem whether the implemen c tation b oth sp ecications b eing formalised as follo M en satisability precise as Logically sp eaking king the tics of sp ecication able the giv exist alidit king mo del s mo del is v hec en and states The A related problem that o ccurs frequen c in decidable more dened a Seman Mo del The Giv In the rst c satisabilit there exist a mo del problem Satisabilit the is and satisabilit M the mo dels lem of the realised in an means that the relation b et one to do es Chec implemen t ula and this The that That e of form y sound deriv the XG ything ab out A to omplete emp oral Logic of alidit U c v be G tics X the y to p ossible X Linear T complete is seman XG that U XF said holds at all states including it king not is U U the X G X G F GF F FG is dened b but Chec means and G hange ula terpretation since it also refers to the c t states without stating an in optional Mo del sound terpretation do es not refer to the curren means that F F G X G U U not form U U alen FF in GG is FGF G GFG axiomatization denoted do TL do es exist but falls outside the scop e of these U X U G TL equiv strict PL the PL TL nonstrict certain PL a axioms for of etation then tically to the rules rules holds at all successor rules b efore seman terpretation of axioms It is called a y en axioms utation rule y rules an giv hanged Opp osed to this a using for unc sound t state If Dualit Comm Idemp otency Absorption Expansion Extensions is notes means that axioms The strict in t state alence ula of G hand Applying form Strict and nonstrict interpr list complete axiomatization for equiv lecture at state curren the curren is t t y F of the ted tax but that of alen alen these pro of error set alidit TL for v a axiom PL Note and equiv j these M seen j rule s perform of sequence e s in dene a v k y y s to tically equiv tically to ha is the axiom tedious R e applied The rules presen e v is alidit The set of pro of rules w t state ha v G j j Seman ulas is to use the syn as ormally s s nonempt to seman ersally and F alid kj s and enien The k only j y v ws directly from the concept e  k F R M an univ s w R j alid ulas in k state follo GF y of form be en a name for reference purp oses The s manipulation is instance G or that rules k and terpretation mo del form can is alidit kj kj ula for in if it is v tics and TL TL k j R M FG   j If F denition of tic PL PL  form rules s all G kjR g g y k the v j el seman sound the s s  axiomatization for absorption F j s hec lev dierence seman these R M g rules for their s s the j j j the The using g ytoc either h group has b een giv s j a R R U s s calculation j e and U if tactical than to v s only if ew only if for an for j j j is called an using of thereafter calculus syn this ab o w the rewriting of using using y s only expansion R a R R a en j w rule tics v rather if and at la if and from reduced once R and pro j j j j U e the reader some basic rules that are con if s be ulas j see calculus calculus ulas seman predicate idemp otency yofthe be in this w j f f f f j s pro ofs can A more eectiv j form can s the expansion M can form s e alidit expansion G w are group ed and eac v w It is not the aim of this section to deal with all p ossible pro of rules for An equational rule is said to b e the TL Axiomatization and rules belo Using rst rather to giv tedious obtained means that for all states in all mo dels these rules are v PL then pro of rules that allo of prone As is called sound the of the y y R a try that e nite buer buer second w implic a a sender message is tication TL a prop erties ts hannel in the R c decidabilit PL normal w prop ositions y Assume output in er a emp oral Logic in assume sta the example sends e in messages S The and e Rin W ersal quan informal v atomic Receiv If of rst aect hannel of Linear T c cannot y b eha ber the ulate buer not Sout unidirectional set system TL um king ie univ a In unicating pro cesses message n same time Rin form on the at arbitrary momen capacit the m a PL do es input via buer ts Chec messages to the R in and its in w and start at the o comm and unication w ho that innite assume denotes Mo del can Sout examples from output of an m een t o t sp ecication of a leader election proto col and connected e comm enience its w w hannel v Rin t v c idea assume ha to are buers messages e con in where m w tied pro cesses messages treat g simple the in b oth buers for if some Rin lose e a Sout prop erties hannel iden is buers hannel b et w be c or Rin of that where message wing informal requiremen deleting Sout reader buer This Both logic problem y the b cannot follo y the uniquely disrupt m assume er R S is equipp ed with an output buer Sout and R with an e input S e Sout m prop erties are not Rin giv unication G inserts the e treat a formal requiremen assumed temp oral do to Sp ecifying it messages m is Sender f satisabilit and buer R A message es m they formalize the comm messages formalize order linear to addition w the er e v In in to example w in a distributed system A Consider a unidirectional c input S and a receiv m itly that all prop erties are stated for all messages o AP of Sout receiv all In ie innitely long W it is of of in are the not and and past than er state past TL state state ueli G w t lecture t section used PL that terms do es po Pn past strict is obtain e in it U in the a application means these curren terpretation curren the X hapter tro ducing previous in and of in previous state the for indeed the e tenstein the F y dened v h expressiv Sometimes past in e for the done an in ha e denitions of w of op erators be particular v that terms terpretation of e Lic is the the in ts a alid in v in as enasinthisc can past in reason holds rule is including for and arian ys for v w strict a Notice equation op erators en the ab o main op erators that useful also the future expressed alw strict third either alid no U sp ecication The be expansion past v future terpretation terpretation the a G the in is of in the means as X that en the easily to can e een a strict and a nonstrict in opp osite direction w v in y w giv b op erators write wn X sometimes ha strict the This refer more be e to U means U U kno w addition In instance and the nonstrict are future can or are X the justied tic notion a discrete mo del is tak F easier the and past for y that Although past is b F G it op erators w use As op erators optional the e U Similarly the U XF sho to in All prop erties TL future ast in terpretation terpretation that mak op erators for p terpretation in in PL equation exists to increased in the state o equations are selfexplanatory giv state of F the rule t is w h sense to distinguish b et with ators of y not common third b F er uc G U state denitions is substitute some sometimes op h em curren sometime nonstrict nonstrict e k If as an underlying seman The in terms TL more w suc nonstrict dened Extensions the mak These the or is if notes Past F expansion The rst t a op erators PL if Zuc Therefore extended since in F the t e a k to so for are the the but uni some clo c place activ in do er with e ysome Usually es v oer ev they as to h pro cess comm elected w ha assignmen tak capabilities pro cess ues Ho to be ork initiation system that emp oral Logic become forth pro cess w tin some b est y a actually so ust hronous this con m order ma e pro cesses a leader election address via to sense the it and In that arbitrary of Linear T ed async database and the new w doing us with an ts en ring net is N a leader in th P king allo e t think ork e indenitely ie eac is connected is w t elect leader Chec balancing momen activ pro cess en set of activ election capable participates to idea curren distributed migh pro cesses the the the load a pro cess the tially Mo del een The en loss in a tok pro cesses in dynamically or a giv One in w pro cess suces F b ecomes arbitrary called ork e elect one of e abstract from sp ecic capabilities and use v a w unication Net than it w p oten at and it is assumed that a total ordering exists y eral functions or services are oered b y tto ber net tities beha tit P are tit Once ymore pro cess um system Here Comm iden n e time only capabilities ean pro cess participating the mobile election unication b et y coordination time Sometimes imp ortan a system an nite election in P not one the inactiv Pro cesses a in pro cess higher iden at comm b etter it is the e Pictorially some a an query of v so in en regeneration after tok if at ha e The has e tities function e yhas leader up dates reasons w basis tit pro cesses Therefore e assume that a pro cess cannot b e inactiv iden functions activ example t distributed systems sev that inactiv on elected means pro cess pro cesses participating in registration be y h pro cess has a unique iden other these Assume top ology function supp ort consistency Dynamic In curren dedicated and distribution tok of man ranking higher iden previous for p erforming that function cation for it do es not b ecome inactiv b ecomes ie progress w will initially Eac on if this y y in ed b for the the past is do es order m rst ell state receiv in wn the only temp oral when o It has b een be in ered in Rin its and op erator y oered Using U prerequisite will on message needed This means that is a S is m the y is m R in systems meaning is b Sout when t Sout e can equally w use then Sout time m transmitted sen w y to tually b e deliv m y that if b F m buer m en X F are hannel do es not lose messages messages tly m y same F tly of b m means of m enien If the c R in previously v senders messagepassing ould satisfy this prop ert Sout estigate what the This it is p ossible v after for copies subsequen R in m been conjunct is replaced o uniqueness ts m R in e to in Sout Sout w v F t and Sout ed this w the m and Rin at the taneously generate messages ha of that m in m m eg y of the previous prop ert formalized con ust XF F op erators a F if Sout U Rin m put TL is already in the requiremen premise it Sout in Sout is PL alidit authors m of since m orderpreserving e do not assume uniqueness of messages then this prop ert Rin can b e in tually receiv be buer m the of past is m F en Rin eral Sout Sout Rin m in that this G m in en the v that sev suce F third o ccurrence cannot m m m output y m yisev that Giv b It is left to the reader absence hannel hannel do es not sp on hannel do es not lose messages y c G G G G before m prop erties not its and sp ecication an wn R the sp ecify to y last cop it means that messages that are in Sout will ev logic the sho The c do es since Notice that if w Sout rst not exclude The c for op erator In to S b Notice The Sp ecifying e y It ha the i will will start leader Mo del e Suc ader oids exists a W v le once a leader TL participate t y leaders y PL F that This prop ert tended emp oral Logic the to b e an activ ords ma of in y j w a leader y resigns ij tit h tit automata j that elects a leader is not that Linear T requiremen desirable innite j er e require active at whic innitely man denition but be king t pro cess This ader higher iden to j le pro cess and e accept a Chec a will b e not increasing iden XF y states er the previous one ader v that time le with Therefore w an inactiv that to i e Mo del requiremen v notion of nitestate due an ha emen ader explanation in assumed of v the pro cess le automata implies is e automata X the t ij innitely man it previous more hi leaders imply that there leaders y activ are e i nite presence uc i not i refreshing in on B ader of an there concludes ader le eciency requiremen enough time ader le do es wn time in the future successiv le of y a leader an briey be based i that resigns this ould fulll the y i j i j is b that section presence will at some TL GF G G that reasons tually b ecome the PL Lab elled en or This prop ert only states In resign There construction of a leader election proto col that nev proto col w F at some unkno pro cess A new leader will b e an impro ev requires Note not previous king hec c in this section The e e is is be the the i N it is P not in so reasons inactiv where attempt ws there i j N unication tications Since w be leader pro cess of TL rst y a i P y prop erties a general atomic comm PL tit ma us b e considered tities o that in w As h also allo tial quan is not iden iden e made or consistency will P F means the to hronous wing t y tication be to i existen pro cesses leader a follo pro cess all than async ula in and are not part of of active prop ert g hardly as the tications can th j N form ersal quan that is inactiv j with ersal where i j e can this  v smaller ader leader j leader absence le ader univ is use ab o a le consider i time temp orarily The quan ij pro cess ader system system is i use a of exists another le will i i e i j y at e to j most one tit i W j that a i P temp orary at therefore leader i j dynamic e leader iden j i TL leader pro cess be the leader Strictly sp eaking these a no W i distributed ulations w PL ys w i the one one tities a a us of mo difying the in Assume that b er of pro cesses the univ one active ader ys with th allo i i in of atomic prop ositions a le alw tities ader iden um that le i to desired j from set alw ws there temp orarily to b e no leader but whic i ader t ust ader deal e can expand on wing form and means le le is m e Also i not f i the w more than G G GF prop erties hing follo h allo enien is could think v ader of pro cesses and le alid the ordering AP Since There initially There one switc con to b e this whic v e ber Assume In simply abbreviations is some prop osition on pro cesses can b e expanded in er the set of iden um v Sp ecifying where activ total n P deal with a nite n and similarly w o as s n h e g in er In s s s ac bol A ord that s w F c s s L h sym s e times s e uniquely s f n these h suc s have s and one cca is s nite mor s n s to s eac s i l ol is uniquely we A predecessor emp oral Logic s denoted s instanc with e is for instanc oor for state ond d a nite numb d and its A if for s Her b cca esp epting y and ate state c el le e b s d and in this case s s orr ac and Linear T ep from lab g c s epting state starting c s er is e s s l state king that once the onsists of zer called The wor a an b A s s that accepted accepting an LFSA is deterministic if the ds is Figur ol via s L s states Chec s c f an b most in us epting run s wor ach the ac of us c s e hed g symb in d d at th Th l ac s A abbccab Run determined s is so Mo del and language reac g y epte a s epting the b ends and c input c A e depicte be s ac it g s and in ac The a sequence y c i n s e able to r is b if s ach f i there exists an accepting run cab e can an  n f The bols eof A  nish nite ab for in uniquely y LFSA not i b initial states LFSA a S s der to b is accepted our example automaton c s is d  quenc is s that an accepted g w e for all accepting j sequence s accepting runs A epte of dby in or ctively is s c e i for ther s of ords and a runs s and all sym successor lab elled the i ac example e w s s g a e epte esp ethisse run S c is n s Run in ar are no run w s s the n er A f A sinc deterministic f f a i a s s i dac s nite s is equally A state runs l then an S d and for any state thed next state on the input of any symb of there state s wher c F b and of A h and h a g epting e ol set c L that eac S a s LFSA eac ber LFSA ac sequence epting Each wor Example runs of this automaton ar That is a run is a nite sequence of states starting from an initial state suc h c s F a b c c or um epting runs ar n for all states F and s Denition If f Example or mor asymb addition determine determine The that the w suc is the A s not c y eg ma wing state So an innite Fl in from of is it wn set SS en state kno the nondeterministic when as be to b y y in transition function b a e transitions ma is a tuple v y the A b and mo automata states for a giv er and v LFSA can er v An o A b ol s automaton sym ranged o nitestate eral equally lab elled initial states allo of initial states s b ols of states input e sev of v automaton states  i are lab elled rather than set ords rst s  y yha the gj nite sequences w of sym yset concept nitestate a gj of the and only if set states a the it ma if s and lab elling function of states y on set states transition function s to nite of accepting l of s tly the nonempt a j the l write S is that Lab elled j a s on set e is a aset w hi automata er S nite nonempt v S uc the dieren wing sense S bols o denote dierence deterministic S arious equally lab elled p ossible successor s s e S is is a nonempt is a w is l F S S jf jf s start all sym Notation ma jor to where Denition compiler theory A lab elled nitestate automaton LFSA for short Lab elled B Automata A By sequences s in the follo A sp ecify v LFSA for e y er or ar w the e out run F y ept ords c LBA b s often app the set for ac ctively s numb A e uchi au the accepting s example innite nitestate nonempt A acceptance esp carried epting L The is c of visited So is might L r is en accepting stands emp oral Logic us and is is the language a his b innite innitely eac run th not c nite een uc A an s ar End etwe or a LBA abc an This e e w B is b a e that a s and of is an to es s Her A Linear T visited and S have exists quenc of as enc the set of innite w is e state se L a runs either A state ab king and c y the LBA run e condition the j there dier wher a L ans n example run of this B state some A according a nal s Chec epting state i A with b me c c g states L and runs b some b the Since accepting A of j if Some other runs ar A exists y a automaton a Mo del e Rather no b essive c c acceptance ys that starting s accepting hi a only epting runs ar epting is accepting hi i ords accepted b c suc c s onsider ie uc ough the ac c alw uc ac is exist fact B sequence states all after B some e two we LBA if and of ar if not the or for is accepted the there that i y any LBA of Figur a this b w for to innite s ds y the automaton j do es en or shortly by accepting s alence an example so e i wor ond to these ac d quivalent b s a s e is etwe no accepting l b stands state esp s to A a this epte j is w c are The set of innite w in Equiv d s are orr according e and f In acceptance ac L lim that innite Consider the nal s A and ne A run since w s h h that s wing example y d a teresting to consider more carefully the relation b et there ords accepted b s b A and not suc Suc ord those dene ds that c that e wor states follo A w such es denoted L language do of s A It is in epts not b A s F c s cannot or criterion Notice set innitely often of If in this case Denition instanc LBAs tomaton is The runs that go innitely often thr Example ac ing wor The empty accepted in the Example but of of nite w of hi by do S in are the uc d con than e times many B w s has y End not innitely tains only condition us ypically rather acterize consider man t are th Since nitely e h that lab elled haracterization w c char ords but A runs suc bb e w LBA is LBA con e ulas king systems innitely acceptance an An e mor s quals t hec e form c or innite s TL accepting alternativ b reactiv cycling PL automata automaton one dieren b so a mo del this as vior a b accepts this ans or transitions king for while y me with by has beha F What do es it mean precisely to accept hec that c d s reader times s example LFSA b that man e e only epte An the c innite automata b e the set of states that o ccur in innite fact mor LFSA mo del ac Her and as lim of ords Automata or an hi in nitely uchi c w s i The lim o uc is B LBA automaton itself is still nite surprise zer role and Let rather ab LFSA an Figure language c not epting is an innite sequence of states state ans short c of an called prop erties but A the ac me states innite i Chapter as for sp ecial are is b hi acceptance condition of ving a Run ts should ession for on uc cf nite according to B as y Note that the run e pro hi automata ber accepting i LBA expr run ormal ly s pla be uc vior in F ords um an wher of the LBA n to w ords The b beha comp onen w gular i e s terminate r accepting times nite terested the times Lab elled B of innite Denition the socalled B Arun same nite of a automaton often and not nite through sidered in Automata example Automata a is ac the the that listed y LBAs is b e de lab els h e lab el b case the e v or of suc F AP can ha this TL e automaton sets emp oral Logic w In ords s PL accepted prop osed where this language nondeterministic LFSA s able indicating a be AP Assume that w that for run Linear T singleton can innite w accepts tist exists S deterministic ords in T of ulas b king ersion that accepts the same completeness ords do exist in the literature l b wn as the RabinScott subset scien let or heme form j there Chec accepting F w a ie the sc considered TL nondeterministic is an criterion No resulting to PL b The algorithm for transforming a non is acceptance er innite w Mo del the v only bols the y b Muller er innite w That e v of king of w sym there a hthe language and states are lab elled with sets of sets of atomic w of i acceptance according hec no ones the states states us cardinalit c e todowith ardi a deterministic LBA that v sets in whic to of and of Th Rabin ys a ber exist ber Up sets with accepting hristened to a deterministic one is kno ts of automata o yp es of automata o c example um um arbitrary is Street not n n tt mo del or of are LBA deterministic F arian arious w the i v do es The an a tv h there do es not exist a deterministic v hi automata ha sets in acceptance for than uc a of ords criterion e there Basic to the i tial w s than automata w l states kind of Due h an algorithm do es not exist since nondeterministic LBAs are strictly more ord i accepts the same language V deterministic LFSA in construction exp onen suc expressiv nondeterministic LBA innite LBA for whic set of atomic prop ositions w rather a whereas ned dieren What do B the These ceptance the the most prominen e y b and that a that A to a Non g A or an denote ct F e L language i not automata example L A example exp an that they hi automata of out L n and uc A j et a automata L innite a a might evious End example L turns n pr the es not me a one two f i the also A A by a deterministic LFSA A L then A d A L This L A ds ate but fol lowing ds exists L and e two automata g b wor nondeterministic e than deterministic LBAs A dsthenthisdo wor il lustr The but A L this e as deterministic LFSAs whereas non n and as j ds a and nite innite that there expressiv i n wor A true e shows a een nitestate automata and B i wn f w et same expressiv A L same a mor A not a by the g the innite L deterministic d A example qual ly ept e of c L ept epte c ept the same nite wor c ac n er same however c e deterministic then ac j w ac A ac ar a n is a t dierence b et the po A also A a fol lowing uchi automata L A A e f L i ept hi automata c and A The this and and everse uc would ac r have language by A A A A A d expressiv A also show If If We have they true If The L We nite epte the c ac the Lab elled B automata and B deterministic LBAs are strictly deterministic LFSAs are nondeterministic LFSA it is kno is Another imp ortan in ac the the can gives LBA that obtain gg formula situation which example h er of times ck TL we q r of language the eac for set PL emp oral Logic che ff is y gg to the tautology the to q to End state than ff empt bination with visiting ting y ositions ader Linear T e an op r the onds to the with d a nite numb pr ather referred r for presen king in com esp the is t with gg than orr to r gg Chec f true atomic This corresp onds p when left g ather of ff q r is statemen lab elled es dLBAc Mo del formula where ff gg It omitted ord are alid die v q r into quenc gg case p gg same a state a state is visite q se U r g ff p that is p ff r the ff state usually f the This mo innite w to with is g to true g states q teresting this p r the in f holds ord hold of G onds state ter w g r p Since el cisely An gj f to esp e U q left q r lab q pr f and accepts orr f c encoun q G the LBA onds the innite e en two visits to the p ond el w true U oth esp an sense LBA A esp A lab etwe r e as y This orr v b h accepting runs visit a state lab elled with c orr we L L c formula to ab o q Changing If read A TL true G PL Now in b for which b of which rise fol lowing Sometimes the in whic G be cepted of that runs sense set a the state i i is epting i i i i a in valid c G G state a state F F F F condition p A ac bol F visits ords is the sym LBA make A h lim lim is lim lim lim lim an of i i i i eac Acceptance lim feature which That ds with innite w run ositions ey g g fol lowing LBA k op wor where k k pr essive visits to the c G G times epting The k k c gg S S ositions bols F F p of ac op innite formula g i i er atomic sym pr ff k G G onsider the TL ach e al l c ds e of of automata on sets en two suc ar PL S S S TL numb we G G wor epts gg PL F c atomic that the i i i p q q etwe F F yp es F F F F t ac e ete for of consist f f f S nite ff of ans a innite wher oncr me d c g ords Acceptance F F where idem F where F where which heme Ma jor of sets e p w ciation sc aph f The reason that sets of sets of atomic prop ositions are used of This hi visite mor g agr is explained in Example e asso es uc q e b king ar b B f p p o able the language whereas hec sets T T q quenc may se innitely often while b the q A evious p hi ie pr L epts uc c not just Name B Muller Rabin Generalised Street briey the ac of Basic mo del c Example prop ositions atomic prop ositions and satises or satisfying A h is sy s ery the the has The ed in A A exists whic to A this If sy s that if construct TL k A problem the then PL equal to hec CEcomplete c tial here emp oral Logic is the is language A means algorithm y to automaton king us a of A system A t TL PSP an idea as hec an of of This the size PL the is exp onen w Linear T terest A e us of the The run in w LBAs king Th king del c nL not A hec t mo for mo del c y automata automaton tial time complexit Therefore for these problems it is v Chec A t do es the able hi accepting quadratically T p olynomial in L uc mo del that mo del c constan for for an this B in is A prop ert deterministic Mo del metho d er accepts the t of ev or wn L w also that e an exp onen of sy s some v F complemen A that ho is sho but since deterministic LBAs are strictly less desired for A is A is the L automaton automaton sy s that of inclusion the large A A t Basic recip e for This that of uchi uchi states L ery run B B of NPproblem memory space v hi automaton for instance t LBA n computations a A uc c is wing more ecien the the ation A in yp e language negation of for has able follo negation ecien whether A ie L nondeterministic LBAs complemen T L A accepting observ ck of the that decide the undesired onstruct onstruct sy s than more e c c che the at the automaton is A A to then e for CEcomplete problems b elong to the category of problems that can still b e solv e the A A certain L L a ely to nd algorithms that do not ha b er of states in the B PSP Observ Using arriv LBA  usually states e um problem ie it is a dicult t p olynomial space unlik n construction w is automaton for the resulting that is p olynomial in theexpressiv size of has an mo dels n where et are the the TL y PL b er The ac ositions sy s conclude ev heme for one can If all p os A op the w This should pr AP can Ho automata corresp onding p e p accepted h w hi d on the alphab G system GF uc TL whether LBA atomic to B PL then the t the basic sc of the system of ie king of The p language onstructe king sy s U A hec sets del c ec viour of the mo del while the viour of the mo del the hec able of mo true A T for corresp onds an b L plausible approac c es G e can presen h the in a gg A sy s p ula en for for be A recip e whic quenc Sistla instance A ff ula on atomic prop ositions e giv se for mo del c to and the mo del result w g or L F is p and TL ey naiv the f y form L PL A recip e seems when ardi TL e automaton automaton sy s V for mo del quals PL A ie uchi automaton e This h en this k ulas en Naiv language uchi uchi hi automaton aB L A B B heme giv olp er Giv prop ositions uc sc the a W form B L corresp ond to the desired b eha corresp ond to the p ossible b eha the the A TL to desirable for h corresp onds to the form A sy s king y other able with whether PL that is A T due hec formula ck whic holds is onstruct onstruct king TL such c c che viour g mo del satises PL hec p y confused AP satisfying corresp onding f result beha the is denoted b a It turns out that for eac or any Basic mo del c states LBA prop ert that to sible mo delc acceptingrunsof cepting runs of constructed for the desired prop ert nd Theorem F not b e is satisfying This y is to oid the ely v their q a outer y form F U ula in eep b to k p to normal the iterativ o in t T emp oral Logic h is dened b order r normal tilform righ rules ula G X in replaced in are and these but form of ulas Linear T TL V U U prop ositions false to atomic prop ositions PL form king tro duced whic from left to t j TL true and Applying is in Chec PL U denoted atomic U normalform of adjacen j ulas true ula as to F w set the t Mo del are X U form reading them that j form the they use TL the derive adjacen e til PL op erator we denitions assume are U U j inside U e it p ossible to transform a negated un equations this the also prop osition in X e example these w using negations un j an of disjunction w y pushed p atomic b h Normalform algorithm is As push X simple negations an j eac U U wing equations are used to transform the In order to mak U p to in them all y AP b original tation negation that that p ws one The follo the or denitions normal form an auxiliary temp oral op erator and presen eliminate In confusion with Note most allo Example Denition dened F form y is b ula sy s the the the also b oth A steps au easily e of LBA reason on step section for w of of form h the y y can hi uc TL The of decidable in transformed next main m step algorithm LBAs PL uc The step from is hapter one c a the ery B ula The G v en a prop ert is rst complexit In this consists with form original explains and in is giv resulting F and is not the sy s dep ends LBA This the ula A Generalised LBA Later orstcase dicult tain separately an w to LBA algorithm lab elled than that LBA con form that the third step that normalform step TL The an general TL to of NPproblems en not a h satised PL v olp er metho d rather PL to in not is of Graph eac W pro en conclude asso ciating do es class the from e also e that hi automata v of ulas smaller w for with the uc agiv is then ardi language that algorithm V so p erformed for deal here t tially starting usually step run ula tical e is form hematic view is eled W ulas LBA form Sc means P recen treat iden TL graph Normalform e and step an falls outside substan violates w er a Sistla w common PL sp ecication This form us e will assume that the automaton ev more are of h Gerth ulas to lab elled B th w that or that and algorithm for suc this Figure form Figure construct an form from no rom ula ardi in considered Emerson and Lei ha V to tomata F TL is algorithm form vide PL t algorithm normal construction TL adopting In the sequel w pro example run order adopted there olp er PL programming to e rom metho d If w linear time and a language F an in algorithms is ho Normalform In recen W the for The explain in detail ho is indicated a is is are can one t will The true is t list hosen guard true is only c ariables guarded til there are v is than ts is that command E y x un t guards V E statemen that all emp oral Logic there ues of more commands guard x y the guard and t if tin If x y dieren guarded t ts a list aluation of a y Note od x y ets of t ev of k whose tcon the true Linear T elemen list of statemen Guarded is the ber brac write king simply b y executed um assignmen The terminates n the statemen consists command ie can is t separator command guard a instance ts Chec the a commands een or one list form part of statemen no arbitrary w F form as t Here If nonempt us that dened bet selected are the Mo del the statemen guarded is command of the dostatemen Th a t guarded b e describ ed some be guarded bol has nondeterministically and its statemen but V w of true to the t initially means statemen thas no ts the sym that set are of guarded statemen true the t is enclosed the t A is guards assumed One ultaneously and a list of statemen execution the execution statemen left guards command using asso ciated ifstatemen are command sim us vided true x establishes x y ariables can guard y A dostatemen commen b After An Th the pro no t assignmen A of v of them is selected guards set whose t t commands y if the guarded ts are and guarded assigned terminates true all guards if do hange aluated assigned to ys be executed a sequenced there executed terc V be be nonempt and Concurren can executed commands are not Ifstatemen b o olean expression where alw in Guarded selected guard is true the selectioncommands is made nondeterministically from theab orted guarded Dostatemen If guards one is are no Commen reev j t a a is of be full can and new j V In a can the form elemen yle of and e as ts example st j notation giv of size programming some X so on transforming normal a j This of not ariable v The of End as uniform do nothing on Statemen the do a y a j j e Dijkstra hoice is in w c p that j j x fo cus y y notation ck b to notes complexit language che eg brevit where language not oldfashioned simply means of this time V program It e might denoted lecture but in in order sak act y x in ader nondeterministic of e command separator these used skip the r hi automata let abstr to da orstcase d the or uc w size are F as a an tly ws este j the the g g termezzo guarded g allo denoted bol p opular in g inter j ho ose instance t in c q It that q U sym e algorithms in be q or imp ortan t j constructs U w F t U q X alculus q of of see p linear c U p the U U j Dijkstras is to y induction on the structure of p p t p statemen more hed wing set migh ate ulas to lab elled B y on r h r en dic using the statemen example the en X notation p e follo hard form j ev y launc r presen form U denition pr denition b giv let empt whic is r r X X f f f f based to next the a TL not U X X X a false is PL The of The normal j is It As perhaps order p to rom utshell F language sequenced strongly n language In denition here Program and easily b e dened b in G ed k hec c v ula O emp oral Logic Z v left been g gn form in of e v v are y f TL P g ha v v G v Linear T PL split w v f ertices f v ertices O init v w isacop king g of ertex graph w V Z O ts v w w v f g with g S Chec the discard N O O of O Z a graph for i f of n n S explored in v S set S v Mo del v Sc w S pro of obligations of AP comp onen F F i i N P w skip ertices ula in normal form v P S ula v Sc h g already ertices O v g U i v of v all pro of obligations of Sc ertex the orm f constructing w form v V S w F v g y are Sc w w h v g set some P v nf O TL of let v v w N N Sc f O v f Z v i v en b PL ertex U the h ertex O Z V N g a V w O N is giv ertices h S AP w is X of in Z init w w w w w w are f f w v v v if w N N O S P S Z hi Algorithm for Z set v sequence h initial v N let N if O if N S Z v w edges S if CreateGraph the ar v S Z do od return able T function precondition b egin p ostcondition and the end where a of or an V for F ulas ulti and Sc V E ysical set New v ertices with t V used form N init the yp es denote aph v t is V G v is to Sc not those starting init hi for V ertices satisfying these h step as the next edges and Old ed der of use O k tains E e will b e quite lib eral to normal form yields or O e name w W hec con c v t or at the end of sequence edges incoming be O able a graph aversal sp ecial of w sets sequences bags m realization tr to Succ N a placeholder and Selecting in eac A pro cessed set sequences Sc are ula at hand in e allo a consisting of a single elemen without v ula for at the fron b een N v is just and that form ulas ertex t et particular v depthrst P y V TL a init ertices In fact w hi automata a a v ulas PL whereas uc pro cessed at not of in h are immediate successors of v v v with is e the sequence P form P v Sc e use ertices v predecessors b een ha the input form O the aiming that of of notation write N init e that set are P ertices whic graph w constructed to denote a aset already predecessors v of normalform form ertex i a ertices for adding an elemen is g e v ulas v without V Sc h of v i O ulas to lab elled B common O v ariables that w the description of the program notation init tuple with G h ha O on sets wing structure a form set In the next step of the algorithm cf T f is initial i the N S form Sc V is v initial so v of that P follo v the ulas in TL O N graph use ertex lab elled with yp es of v and set ust hold at all v ula and is e PL N P the concludes y sequence ertex S ulas w v form e The P the vertex v constructed i rom or ertex v S Constructing Supp ose the transformation of the is aform sets empt h sets F This in the t that m the single v ha Denition A F So v indicating v is form e q is of k ck v g U de the e v king alid ha p hec che v w U U e aph G hec mak End to w c U principle gr ertex and to v w to X in ws made X ader la w the e X emp oral Logic graph be the r and in The basic princi d onsider Since is used for c suces c w the can reduces ertices este w cases king v in form yields f part of the disjunction esults Linear T r h e step expansion hec this h or inter these the ertex ertex king v whic the this algorithm v the or considering of in of F F of a to i formula that eac y U U Chec b ys either to h a one for left and ula w this of isusedforc g g is X X ersions o The other v i y rise to order Mo del w analysis w It t e g form f y w CreateGraph U w giv alidit split v U the v equation a in ertex the equation U to and the g f can or of the i the ositions X the F of Rewriting this in disjunctiv w complexit One v or op U X f h CreateGraph in depthrst to a disjunction suc of v pr is split dep ends on the structure of v a Here Then in that Here w v F short example h in eac en ulas split corresp ond ertices a in f v U U an U F atomic ed y to U case applying o Giv pro ceeds k b e w b efore As h of e ar hec this ertices used c y in whic q disjunction to t v subform a alid F ing v either is used to split seen is In a in searc be esult of Figur r and is conclude in p These The w can ple is to rewrite split The e set the d e W h eac picte example wher that Example y h S v of to to are the the v e eac with cop as e v h has and e only t O ertices all v that w a y ha v and A a those sequence h added N e w i of Initially hi w v v suc when are lab elled with The set hed whic If suces v Sc same S S with it N v v to the Instead it suces are distinguished to the edges satised N and ie with the same pro of tly reac in explored is not further explored with be Z when strategy completely tains ie v added h v to hed extended is added ed more than once w con satisfy us fully ed is k k Sc is wing cases Z t ertex incoming explored is to Th searc reac ertices in depthrst order that hec that is nished v Z hec v v ertex in us explored c set its e be follo of satised is selected from v is ed t been Th for are c k w be elemen ha e for The ertex v v The no b een e to hec V e b een pro cessed b efore ie satised c w that v ha of new ertices et depthrst tains the v order ertex has to b e created v y augmen can and order ulas hi automata a e In b een v since with in uc and e k con ha ertices form v ertex S created are b oth structure v tradiction and the v v X Z called a ha is y terminates not is all in v still explored that remains to b e sa lab eled from Clearly oid that to its all successor v be and are ertex If there exists already a v ed then no new v that existing v of init ula v if they do not ha ertex states When to v Sc v ted as a stac a e but the N e found a con v algorithm there remo v ulas to lab elled B ertex and ula ust hold in ha S v according v nothing is m exist O the v that eha v that nextform conjunction N existing In order to a whether successor do form visited one of a a S not k and initially TL of v is is the is a negation of some atomic prop osition that has b een pro cessed b efore is some atomic prop osition whose negation has not b een pro cessed b efore hec e PL Then w holds at all immediate successors add them to N c Then ie been do es ulas that pro of obligations for e Supp ose Supp ose addition tak v indicating v usually implemen rom nished form created F state a successor state of the state that has b een most recen nonvisited consists ha S is decomp osed the state a subform successors In of v obligations in to e l of s F s the F e often in onsist c ate and eptanc End Sinc c onsisting F sets s g ac automaton SS F il lustr let emp oral Logic innitely ach this in e d We Sub by First A ontaining d epting sets c c ough state acceptance and thus the language visite c Linear T ossible e thr epte all b e U c eset  imp hi automaton some ac b to s king uc is often Figur gj eptanc Chec alternatives ough s in through epting run ie two ac c c g d O thr ac which ac language andidate s two c f innitely Mo del the b often s depicte single often go and only a g init to is s the s Thus discussing graph e f innitely often g s O case has GLBA GLBA has no by s s innitely go example generalized B innitely ther often and P run the F from go  s a s An ie U in this in normal form the asso ciated GLBA of state s onsist of to e g P is visit all runs init j epting to c j c has ula s ctively the to S innitely GLBA e s S ac F choic Consider run s d f i esp run s has j Figure form s the F any s r AP a y is accepting f ff if e CreateGraph visite b TL of s epting run b c e e PL b run epting a ac Sinc c S F S s that and y single set such ac If we now let an an a s n or the quals annot elevanc of Example r A so Note is dened of is set example Denition F by e c a of of j l j The y con F set j Recall than O j tro duce a q in U is acceptance acceptance graph e p h w often F complexit rather SS the The S b er of subsets of therefore ula is equal to the that First time um from in tuple F y innitely a a w algorithm to except O Sc orst case equal to ie only if for eac is section in orstcase S A w wing ulas of a form LBA if and i the F follo A an previous innitely often app ears LBA g CreateGraph GLBA for the with the that q q k in as ertices is in the w of i hi automata U app ear  inuences F graphcreating algorithm is p init uc f b er of subform k in LBA i same Sc that this this um orst case prop ortional to the n ber of v automaton for O applying the w obtained of the g um state algorithm generalized y ho ts to k of be a states uchi a for all are B on the of g is accepting for GLBA d ts can g to to Since the n F q TL set Result q p exists ula the n Generalised el le later i ulas to lab elled B U F U PL F s p f p lab LBA the generalized LBA f f s d d there is ertices is in the w form time complexit king graph init comp onen sets of accepting states F according ulas of address TL O a Sc alize alize hec all Figure set PL lim i lim ber of v will notion of F Run gener gener e rom orstcase rom um F accepting where W n mo del c A structed w A length of the form F Denition subform the that condition formally amoun set single e is for the ach gg q that only e j r wher states s gative is s similar ne to s of jF s os It state is example A P satisfy Either j ff of der obtained ber any din gg emp oral Logic or j gg is e that valid um have s CreateGraph epting p q n c F In j End is p q f ac we by S f is ontain that g Figur c AP j d state al q d e g s Linear T f wing in what p epting run of this GLBA only that ate et not g c in p or ante p ff F F s follo GLBA aph king f es over The set om having starte gr gener q do guar fr valid e es elevant ach ac the the f G Gerth q Chec is p s s the is s irr j ee U of ula aph U l q e q to is ulas states FF gr quenc p U p eptanc jF efor c orm it p se G F size sinc aches Mo del F ac e the explanation form until s q onds sets other Ther j the gg quently then In esp one those ady of e the e valid some some jF p q orr to s c f of is s alr Conse oroner sinc j d rst for s g is idea p s q exactly d ansforming j that elong acceptance Neg list even b tr ff s el ling deserve e j often e visite some ache O epts lab which by e and S c and r j j d GLBA in ac states ula w formula for is the g states q p j must b reader TL s f ove The r sometimes ex s the innitely GF PL form ab obtaine U pr epting d osition the gg r q c of d that TL justies e e U op and ula ac U AP p q q PL pr els p q state visite giv f p nite transitions U U s orm e GLBA lab en g o two s true b a F p p GF ortant j p T describ s giv is asoning S an e ff Theorem The as Example normalform The O The j imp atomic c r a state has p valid initial ly by starting in j y y if of of or b an let F an and that alid then AP s s with those v w i that sets s s dened Create s seen is or these of os y Gerth No p is not with init F of accepting P os ws s States are ulas f be e be P Notice v ertex that is no predecessors h ber s s follo alid in form can is construction v ab o s of here consists state um in easily alid in the v lab elled or whic is n v and e prop ositions that F the set is Neg This there s for can that that y wing result b y the function are s U The b The set of initial states the of so g in of and set omitted i y this function describ ed i i in s consideration j s s if F state algorithm it is as alid oided dened j O ulas O prop ositions v in A This v s init s So a is the negativ oids to accept a run is and s under v no not alid in alid in the algorithm set v not Neg predecessor is U of is ula U U ula that ws from the follo y U Neg a is subform b are returned b the marking U ertices generated b P CreateGraph is U ulas form form there e b een considered in s or v X runs hi automata h of with prop ositions tain the that if then the ha uc s acceptance v atomic prop ositions that sp ecial s con en state ber of denoting that all runs are accepting whic ed O P e rom N these k an subform i to F no um s the s h giv atomic for s of n of that hec e is O y prop osition in v of os in normalform asso ciated i P but set the s ha lab elled with equals j from structure set of negativ h sets the i for whic is there F U s the either v AP tain an of ertex lab elled with state set olp er the O whic equals ulas to lab elled B and acceptance ulas to b e c ulas to in since in prop ositions on ula that sets i CreateGraph us W s e construction of acceptance sets a the fP s ertices the y h transition th v g form denotes that is visited innitely often alid b the atomic prop ositions that are v run O states acceptance i a v U s suc with TL ardi F e s applied AP V that s atomic v O subform the PL l in subform alid in also hdoesnotcon U ha lab elled with graph those v of induction The ab o Sub The set of states is simply the set of v The correctness of the construction follo h be U s is p e i eled rom y ertices all form the Note are F whic where are W b only those v v O Graph eac it the splitting of a v not F state accepting P out lab elled set states acceptance e hes that only orr c reac esulting etothe see can v it the to if A of emp oral Logic ossible r hard ytomo p i F states A t not p ossible is Linear T s alen The it ader only e c g r s king is with F F F F F equiv s LBA the f d are Chec This s s s s to s concept i alize s F left and and and and and this hence Mo del s s s s s copies en and gener s k and g a Giv innitely often it has to visit some accepting s visiting all f s s s s s y s i b ansitions is y since that is the only opp ortunit e e e e e often fol lowing e F hed ar sinc sinc sinc sinc sinc through g the hcop e b reac sets s ar same language e go es be innitely s s s s s it the y LBA ansitions g f if Consider tr can eptanc cop c y is s h ation of the other tr ac So for a run to visit s i accept simple cop s eac y s s s s s s LBA to A two example f in next has and onding the return an accepting state in eac next cop state A Example The justic It sp Some simple i y y as F ws state in cop to an initial are h normal hes this follo ordinary arbitrary eac state as the some y run of the th cop an th i The i in A Then since innitely often g transitions of k the s i start obtained set accepting the to rom the is acceptance sets in F y i an can Therefore an states k F F hes y A obtained cop is not uniquely determined F A As so on as a run reac h s f ula A when with L are switc eac A acceptance A and F In that accepting s A per th cop tilform states i LBA i A y LBA F ula is accepting and L Automaton with in of k an cop s k an automaton s k  hi automata that  exception to to  in the GLBA one uc initial the h i and tain an un i accepting es to the i GLBA i v F A s a tial the no g i suc hosen the automaton mo of then k k of LBA be initial state l r GLBA A y  essen s U some a an l with F q cop mo d copies for some F is i can b e c for i i U but g k i g rom obtained for this form to b e accepting it has to visit some state s i s i p th i j e i i t F denition ula do es not con s s i ulas to lab elled B is S s A only f l f mak the S pair the f i SS for where S form F a the to in S generalized for the automaton is i TL a is an accepting state in s i en dieren that s i s i s s hed s i PL with F l S S A A transformation is formally dened or a run of A Since F A reac becomes rom rom state s form of this form F Notice LBA automaton that F The metho d of transforming a generalized LBA where state and ev Let This Denition LBA is in hi en no ws the vior uc that that is B nite follo er nite pro duct b eha v vior oblem for as called there pr epts is The c if beha emp oral Logic lab elled ac automaton constructed A p ossible or This y F is an all king whether a giv which is dened emptiness problem A Linear T construction ts hec A prop ert the A king Fl as s and construct automata automaton and represen wn sy s emptiness Chec to sy s satises SS automaton A LFSA hi automata are closed under pro d automaton A new ords no p ossible undesired sy s the o LFSA that is automata o s uc of g a A w of is the sy s w A Mo del e some accepting run in common consists s The problem of c L v and dicult nitestate L A A viz l First ha bet pro duct s Since B mo del automaton if there nite not vior A pro duct sy s language is kno for solving A s the languages i us is sy s A A y The on l A duct ys exists th ordinary it o a j beha L s the L able for and pr i L T empt S i A of l S A Metho d i with sy s y in hronous the b A L the F automaton system i s and S understand whether deal s undesired S i Sync the language A duct ck automata o S able i tersection of rst the onstruct T pr s s the c che b etter describ ed in of S language e S is dened w f to s h an automaton alw The king whether the the mo del steps s automata S S i hronous pro duct automaton A Chec order the the ords haracterizes sync of computation that fulll of ucts suc accepts c accepts op erator Denition Let automata state Pro duct In w automaton generates of hi en j the A uc visit k state A giv k B epting a c O a esulting End a able r ac tly is must and for as A of haracterizes visit the c t ie whether en A to it automaton of set giv hi is has the run LBA often uc also B simple LBA that Stated dieren and also a consideration is g the it king metho d cf T epting to c y of simple in so hec innitely ac s s s under a eried s v do F an f b ula of be satisfy e to prop ert b obtain c a GLBA to to epting run der Thus c that form to state y these automata are disjoin or the ac b er of states in the simple LBA w TL In a of ho ny um b PL system some chosen A often c a of emptiness is g the F and states ert v of F for of computations s s s s states s con of innitely sets f A all set to e description mo del F b ts L w a state Notice that the n Then the third step of the mo del c the initial king often the ho is of emptiness s sy s that S some A sy s ula represen set for seen A k whether the runs accepted b chosen to Chec of acceptance with e innitely v the is d computations that violate the desired hec L visits form concludes where king e ber ha assume A el le j TL e e um s L Chec n is to c automaton W W wher states S PL LBA example This lab those er as A om v ase au that c o fr if A the the on L example But diers of construction A assumes is dened never emp oral Logic automata then a is ginning End is e which A ds b A Fl L wor automata Linear T the which A that automaton A and SS om automata L king fr g g A nite state duct hi o LBAs pro duct on pr uc Chec a a o a A s s B A A w n t phase versa epting s s the pure c s s j of g f e L L of be ac s s Mo del A s vic Chouek the that is n So an l automata out to is of a and e f i as then S ar pro duct LBA run ough s s s oint d s p not e for s s l thr A s s automaton j is i g s s A these l The epting S i and a a A c L ously duct by onsider mo dication s F hronous o ac c i f A d a a then then pr S e and i no hi automata due is and state S is F F epte Sync g uc S c when The i sinc s has A A ac simultane S S s s s s there A epting for B go that if if L c f n arly L ords A e ac j A s cle i example ii orks i if S S an language A ws A n and Notic this A in a ortunately tomaton The A which L is in f follo L innite w F that w Denition Let is be ery the run n and and this n s Ev In ust s equally n the m s ords often w acceptance s are strong via A A s s s of L A a to o A in and is innite wing example appropriate n innitely s of t s if there are accepting A on i pro duct follo h go w Similarly not L run and for s the the reac ord ust end in a state i er S F runs y m A is ev to a w requiremen A of F s n automata A ords s ho both accepting A w as if y is and This A A a run states p ossible an A A S L automata on where of of us be n s is illustrated b and s A s Th w that states l n uchi ust innite run s A pro cedure accepts an innite w B m L on This that accepting see F it on A s h pro jected two of to A equals view n n suc a s simple e h A s the set A result accepting s w n accepting if and S when s s i this s s an the A whic A h A dicult L is of s of When s desired of F h reac automata through not Consider l s A s pairs run emptiness run to the is F of whic F a automata are It for n ously A and hi and s s order construction is not A uc F l in general to L s king e F h B In v States accepting s or Chec lab elled accepting run an s F Example whic runs simultane leads an accepting ab o construction means that sets Pro duct F d y is i b the y duct thir o these deter pr A of the F F F example one this accepted of few and sy s nonempt s s s emp oral Logic by A do es are is d now is prop ortional to only ii w h is in addition End A and and and is  orstcase indication  ho since epte A s s s c s ansitions is left to s rule A  Linear T A s ac s LBA king exp ects A om sequences fr An king LBA hec A other tr s s s c Thisisaw One  only an  ond Chec language s c s Stated in graphtheoretic terms it and and and  en A s se s y that mo del s s s A the A giv the and in Mo del automaton is fact L ation of the arly A L i prop ert hed   s s s the duct Cle s s o A  s reac e e e rule s to pr a whether L able desired om sinc sinc sinc hable from some initial state whic not T due The justic fr with ie is is d cf quals  esulting b er of states of the automaton e  r b er of states in ele s s problem s s s This um  s lab fol lows um s empty is correct s s s The e violate the which is ar A a om rule iii that upp erb ound subproblem ader system is e ansition r denition states tr d this automaton A hable from itself in one or more steps s s s al l emptiness ove whether if the s s s second rst este e fol lows fr ab Notice that the n small sy s the wher automaton rule inter The a A the pro duct of the n Usually none The The reac mine it has an accepting state reac e is of in to an an om can k also A fr state us states exam A state d returns state trac visit Th a visits innitely to another to g k of addition the only quals derive e t evious es e A v v In k e trac pr accepting automaton b ter f accepting epting states ar ha automaton c of accepting trac S an the an A rst the states A c p oin ts of a state ter mo an visit The of om for comp onen us state rst F the The ac fr ks and often The i Th set ws er one the A A trac third k through ansitions to mo dulo for The follo i tr and s ord and o comp onen i trac w accepting the b oth s b oth w as k innitely Whenev ting A A s is ks an s k e A other for that v if it go es p oin fol lows input example trac visits to trac ha s trac as k the visits ter one e tees A l the d the A w k automata to ktherstt i of trac rst p oin of g on ks S hanges L ed trac precisely s and v construction fol lowing guaran uchi the equals the A s it c rst one htrac B state mo h trac onstructe The initial state is g i to c to this The More is o A the k the and second with w is g f ts t ting ter L f e trac A whic s A the condition ii v that states A s poin s b ehind if accepting S ha poin poin s l k go es through an accepting state the p oin of innitely often k and s both Consider A A to an that ter ting to the emptiness all other cases g f means F i trac i in atrac ter state tuition state for and runs poin A s LBA visit ie in acceptance er s s s This rst b ering the state of eac to poin iii A rules F l f L the king The a k The The considered while p oin the s i hanged s Chec A be which yields remem A has trac innitely often since a run is accepted i it go es through Whenev often to with accepting c Example ple accepting order if s paths and from p ossible Starting function function all S s y ertex all b v graph repre the hable t h state exists states emp oral Logic from y s order When b states The when h reac ed hAccept v s from if suc ws computed searc ertex Linear T to curren Reac remo V state s i g is accepting hable s p erformed all states of h s state king s as follo terminates f is reac hable accepting R Z hable Chec j when orks depthrst explored s Z ertices w This a n reac path from then R states DetectCycle ie S Z skip s tly in accepting i S sequence s k algorithm i Mo del i b efore s an s cycle h able h F in hAccept ersed The S T ie F curren a return v s ertex ertex visited v s ertex explored of V V s S s of R V tra s h the Reac S h step a new state is selected let if S Z of whether is of to ber s been ertex tains accepting is explored R ks explored let hi from e V i v is listed in s if i con consists mem Z hec Z ineac of h c ha s a w R h s been algorithm true s that hable is e app ended hi sequence R s set hAccept sequence whic Algorithm for determining reac s automaton v h part is reac ha hi S R Z suc if S it Reac s uc implies that ar B v S R Z do od return hAccept second utshell the able from the T directly ij an starting from DetectCycle Reac The is main program no accepting function precondition b egin ordered end p ostcondition In ting is The sen from the initial state that starting s paths o is i is k g at In ks s w the run and bols s s l ends least there hable hec f s c tain This S at dicult i sym state b from s since con a sequence of S that s is reac not s is tains accepting s sequence Supp ose is ust consists of t able and hable whether s h that the cycle m ie it con an ordered state s and ck ik ed it y suc the accepting exists is reac om i n A sequence of states Similarly if there s  e fr s are olv che algorithm an a  v s n are i L epting since in we ther c k for s The us and ac is listed in T s all tains i from states nonempt that i n achable h s Th i s e more an is s r for A con that hable from A is h s i whic of tly hable s k n states i If t s s that l s y nontrivial s i suc nonempty A s k sligh is reac ontains accepting s tains an accepting state is b c a there is a sequence ws and is reac i s L a cycle a has a single initial state A b and s s hAccept s the s and only A that follo s hable from an initial state comp onen accepting a is and om k as LBA that con Reac hthat t given n hable is nonempt a called then sequence fr k State all s k cycle a a suc an b ols F s enience reac v strong is e also F b a hable from and i a sym n s is con s s argumen function achable be of  explained e s achable whether r there or e hable cycle computes and hence ord r F is reac the the be is ust since s s w cycle a and maximal Fl y s tains a cycle reac m s ord i itself part can S enience assume that s accepting state has w con that But that v emptiness sequence input state hable that h SS h A A Since there a has a reac determine rst b from direction s for edge o suc suc A result the reac i or con T k in order s such n and F a that k s b The initial p erformed b one on a king F h accepting A other hable So This tains some s see A et steps least s L Theorem s Chec means that Suc whether con one of with the from itself are states to in k b reac cycle cycle emp oral Logic g s berofa f Linear T Bo ol S of an acceptance mem i Z king R s is n h S Z i R ertex s s i Chec h V in S s R existence h of in let S R in state s Mo del S let ertex S Z state let V h b sequence if some S of s suc Z b i Z ertex R s false V h s is no is true of hi s R s b true hi hi b set sequence Bo ol S b if S Z b do R S R od DetectCycle ar Algorithm for determining the v S Z b do od return is false if there precondition p ostcondition b function b egin end able T e is is R d of of in v us an der and d S it th ha state or der e ontain h ts in visite E R onthe c S End from or program W the is of of nishe searc wil l t A s is The b er of a cycle that R acycle ted as a rstin accepting those fron ch e starting o separate phases resulting state ar from an h w se the states then h ber of quenc Assume innermost G The visiting as t rst at se searc the hable of searc is rst the are epting the a mem d c t whereas the elemen reac e cycle in S der which is ac that a or F on in visite the Figur C states is usually implemen depthrst DetectCycle states the state al l a outermost in der R ber of whereas is e d or onto and k ar out the epting d Example LBA s c mem F the This ed from its fron in cte op erations ac E v It terminates if all accepting states in AD E F B C G is of depicte accepting e is a oje from all hAccept ar ch carries on pr s an accepting all at the bac k ar B This F quals LBA so states e se state that Reac Figure are remo hable a S ation the and astac R h and D e whether reac essor E hAccept c suc k E Notice hable from is explor ts of DetectCycle C suc determining quenc ted as h hec A of depthrst Reac c se Consider then d FEDGCBA the that emptiness able to whic der the whether is while visited D or ed or if some accepting state has b een found that is mem for neste k in T is Thus algorithm implemen a Given the tied hec ation wn been state inserted in king p ossible that e The Rather than computing on entering iden v state ere FEC Chec ha a so then Example usually explor of is is sho determined Notice that elemen been c accepting state reac example w it is y obtain rstout queue y hi in or a TL the F w uc LBA LBA PL sy s whole B A ho til A king p ossible in if no ac un orstcase the the S ws able is the p erformed w sy s In this w all in i a A hec not s second strict sequen be that h emp oral Logic tains the cycle ts c onthey a a or automaton it is wn in Figure sp ecied states con that sho then an example A can in to s yields automaton tains the path from S is sy s p erformed in this S done is considered hi ted ula is sho represen con sy s Linear T transitions ed assumed of be k be uc initial This A e of TL S B where h algorithm of T w form mo del hec ertex king a PL c can v terexample ber more TL to state cannot that be S um Chec automata in king transformed emptiness n systemmo del are PL to steps sequence anew o acoun step S hec y w tly t the the initial the y Recall in a Mo del y normalform h only there some b next j a algorithm are presen plus king If tains an accepting state eac prop ert these j the hec for transformed namely of for c subsequen In this w steps The is j ersed order while sequence in the states nished state et in the partially constructed pro duct automaton that By out S that con of easily and is satised j j of graph sy s t steps of mo del c on demand O in rev pro duct j ber order initial A the s y of the nested depthrst searc carried um ie j to accepting n The violate system indicating completely S negated arious steps ersed pro duced sy s be e apply this algorithm to the pro duct automaton s v j single A are the is be the yof are a the j of A in rev that should Summary king the emptiness of the pro duct automaton s states constructing S ones tains j to hec all consideration wassumew erview of the dieren O teresting asp ect of this program is that if an error o ccurs that is if a cycle s con determined whether mo del v h order graph is constructed No The time complexit Although yielding us An in is determined in is violated can of an incorrect path canthe b e starting computed state easily from prop ortional to instance while c previous the cepting cycle has b een found y th tial computations that automaton whic pro cedure The only time complexit An o under g s f S Z i Z S s n h i s s DetectCycle h S g S in Bo ol s and f s let Z S let S S ertex Z i V hAccept b false s Z h S s n Z s Z i Reac s s S S h s hi s hi ertex i s in s V i h s let s b if of h S Z ertex let S skip V program for S do od b b of Z Z F Z set F S sequence tegrated Z hi s In s b s hAcceptandDetectCycle s Bo ol Z S S if S S Z b S emptiness S if Reac ar for do v od return able T king function begin end Chec j of to as al j TL and h king Oto to ol state ula to PL size This is signi a suc hec j common c sy s PR complex Spin erication the the states form ie not is sy s del S algorithm of in of is it the j emp oral Logic time the orstcase space mo del of omela O and v of ber this the of prop erties X Pr linear ula is needed Sistla length of um y The w of size n is systemmo Linear T literature erview the j Since v CEcomplete j the TL dep endency o the therefore in yp es A the j t king PL in is in sy s j O An this In complexit A tial PSP whether op erators eral application tial ed is usually rather short Chec Holzmann for instance declares king is k on A j sev linear that or LBA hec the space so hec cking TL Spin c is of sy s exp onen wn S PL Mo del sy s che for the exp onen j the is and A er sho of transitions in for y LBA O k e mo del and ytobec v j is an of co de ha erication sy s hec y obstacle of v states S ts c ulas without the next op erator j indicating problem of complexit omplexity automaton rarely more than e the hable c v e quadratic ma jor set v form ha formula king and time a complexit e TL time briey TL emptiness unreac the w hec eral industrial case studies Exp erimen than c y PL be pro duct mo del the PL b ase ulas ha time the to case obtain that the ysev the e that ulation of a sp ecication written in the language the of mo del denotes form king of rather httpnetlibbelllabs com net lib spi nwh atis pin htm l the resulting LBA has a state space of king The orst e worstc y y systems seems TL w prop erties ed fact sy s hec conclude hec k that The S c PL see in e The satises y ula Clark hec mo del MEtaLAnguage of The W t since the length of the prop ert c sa state TL ws the sim y be form practical complexit complexit since where to the transitions w it lo col space that is p olynomial in theand size of the mo del and the form Spin PL can also justied b that of mo del c a all the sy s since ie mo del and than automa orstcase Since the w ho oses king ed the c j k found tly j hec of in the graph is this c is rather hec one c y pro duct ula O y ertex in the graph A sy s do es not need to b e be tire consideration of A TL cycle the aect hv mo del ertices hi automaton sy s to terexample signican PL of ula uc A not ts of v thatis ula complexit Graph king do form constructed ber Since eac TL form hec accepting hi automaton No coun time automaton onthey um Normalform form PL oiding the en are uc LBA v ulas of B The crucial step is the transforma an Negation of prop ert of the Generalised B the requiremen be nonemptiness mo delc of then graph that step to an er the automaton of y in king orstcase to a graph terexample without the need for generat space A a w the king Let state hec in t hec sy s ula in ulas of the c state p ossible erview A b enecial mo del check king emptiness ulas Pro duct automaton is Ov the ertex curren form sy s it mo del c v Chec A form most a TL In a similar w TL b er of sets of subform sy s us starting the TL PL of PL discussing reduce h Th um the G PL ypically rather large and a y y in transformation of b Figure matc for es with corresp onding coun System usually hi automaton Y of the that successors uc is tire graph ailable b efore B recip e successors Mo del of system v conclude a the steps e This automaton ma king W hec totally violation of ing the en ton Summary of steps When this automaton is t p ossible successors this is lab elled with a set of subform prop ortional to the n other the mo del of the systemtion under of consideration a normal form c is is ts of in be tis the t x non t corre dier while guards ed exist k to the t made are created only Statemen ariable blo c statemen other Q v is statemen emp oral Logic and alen a the are all the If and the constructs P til one of the guards Nondeterminism equiv with til ed is when that t Linear T selection selected k guards un wing b t is y Dijkstras guarded com parameters do nothing blo c the king follo Notice that a dostatemen means poin or program notation executed enabled a all other Chec is the od is means ifstatemen enabled t this y ts It form b is x enabled Qactual an and at else enabled abstract is fi Mo del as the run an halts statemen guard skip and statemen t summarize form as guard thas either guard instance do the o of alue elseguard is strongly inuenced b v T y ed and the execution halts un be whose for k used one no same list written the e t es Here an instance of the pro cesses sp ecial is v can t statemen y the statements statementsn construct that for instance app ears in the initialization ha A omela than instance ifstatemen parameters e the there has w Pr init run for An of is replaced b If y t statemen semicolons omela more alternativ statemen t t itself is blo c is assigned t So y if nonempt y if Pr enabled b ed skip k the guard guardn in Pactual byte ed do of empt blo c ts w execution run b enabled yp e language that t Ifstatemen if fi One The Assignmen sp onding allo deterministically are b ecomes Dostatemen ence that ifstatemen ed started separated k omela section indicated b Pr started through the Statemen are blo c comes mand and init a e a of v are per to that ould ha in e to or omela erier ew b efore that F V ula literature lo cal and Holzmann Pr Executable pro cedure OnTheFly ts tial pro ces h of Pro cesses are order description the Spin form e in searc statements describ ed Instead w TL constan book examples er y Rob Gerth eg the omela e from k erication PL v v using Spin rst Pr and a ha wn extensiv y tial pro cesses e b of Counter an kno e treated Optimised tro ductory Mo del Chec used ariables tiate the pro cess that w giv in language ersion ted out to me b ulation and definitions v to are an nesteddepth e proto col sim con a some v of the ulation is steps w systems can b e mo deled in and y that P local notes ws b the ulation hannels used to connect sequen tax Error erier Spin sim teractiv Rep orts er claim do es accept also nite runs V core to ho er this Holzmann Sim In Generator of election Syn follo v ulas are basically the algorithms that w and tin articles as lecture pro cess is done of the instance form algorithms leader the unication c or TL called nev these erview structure F thatco v The PL arser o of erview parameters vior but it do es not instan ranslator erication P is dened v v Spin The arser p erformed using the y TL Spin P Spin P eral standard Promela of emptiness and T y PL scop e sp ecication consists roughly of sequen er a hapter king of sev k c sa only denes a brief o formal hec the example hec use are e Figure this P e elop er of e the reader some insigh an and its b eha Figure omela giv w in ariables and comm ond detection in P e w there Pr en construct bey tEnd mo del c Aprocess ho the hi automaton is Although there are some subtle dierences as p oin A  is giv etogiv ron uc Xspin F It and B treated The is form mo del c generated automaton b proctype First w ses lo cal to This global v Spin lik the dev and purp ose t t If e in ept bor e f ts then righ that activ b or ying f ten to dieren proto col is and ber k neigh a rela among Notice that um e pro cess left the leaderinsp e bor emp oral Logic a case kwise of message pro cess from left t kwise neigh of In largest b ecome h neigh y ticlo c tit eac Linear T the emen otherwise it b ecomes will an ticlo c e second kwise e olv iden messages leader one king ev ean the d bor is clo c y the activ Initially for new the Chec its rela b ours eep neigh leader k ws to it passes aits the w d alue ie nearest neigh during not goto Mo del follo ing kwise is the y e its as d of become else rela is ariable pro cess activ hange e v ticlo c is it do es e c to of it concludes that it isy the of only the activ new leader and terminates an e the y its d v e d tit that e it is resp onsible for a certain pro cess n ma set ha alue is without insp ecting nor mo difying their con pro cess y the second nearest activ wn v proto col then pro cess activ sends ery a not then alue the d the that v ept b ev If stop k es its o y es d a e do es d f w determines nearest This pro cess from t ying then b ehind e f e ed alue receiv us the max d itself d e d it rela is indeed the iden d Th er er d activ pro cess til e e d h tuition a un r eceiv e if send if send r eceiv e then the pro cess up dates its lo cal v alue of ident e in d pro cess v ariable forev forev y ying Eac tains the v v r eceiv e send aits alue is receiv end rela activ d do do begin begin end The v in a transparen w If the pro cess receiv and that the con the rela and it b ecomes As long as a pro cessin is activ When y y of the the the y not ari aits tro also v and in is of to is buer exactly pro cess yp es it w c Sending hronous t manner capacit question that c h pro cess ie it has if capacit a the this of ed the head the that sync k y will b e c of of ordinary b connected b kwise life conform buer the that desired as sure and end e clo c enabled y buered v e is t can therefore only study not real a are blo c a named is w idea it proto col the mo deling in mak Channels corresp onding In is un remo Here the concept is that reception rstout at do es the c c a w assumed to b e a natural terconnected via unidirec to for and y to same If is is hannel is t c is ultaneously it small case x mark a the b elo Then rstin e and Ro deh eac messages if all guards useful sim election election election capacit A dostatemen in there in a ring top ology w a our y elemen is eect ident if an as proto col the y break for send ariable capabilities denes Its N the of addition ed or nite capacit tier its y leader executed wins In sp ecied only need facilit e exclamation byte puts view ts Pro cesses can b e in enabled e but election goto be w are an can is of be ts of This outcome y pro cesses pro cesses p ositiv can alue to the v b leader wing task that innite lo op since nonempt a c can h use N leader represen the h een is a Ro dehs execution an capabilities the w follo pro cess arbitrary has the c sequel Channels whic of c and ys A matc c of Its y if a e statemen tier should b e elected as a leader hannel the Spin c indicated and ed pro cess usually ely c w largest constructs In the proto col of Dolev Kla a is e become A er chan k w but allo purp ose and assign its v of the hannels then Supp ose hannels enabled hec will c eg c h pro cess has a unique iden c unication b et o ccupied is parameters Kla ytes omela resp ectiv also The terminated b tier til one of the guards b ecomes enabled with message b eac Pr ring p erforms the onthey in desired a tional are be Send and receiv ables in principal alw un c size buer mark fully cx comm the mo del c pro cess ber iden b ounded um The in the with the highest iden latter principle often pro cess the Other duced Dolev un It is assumed that there are one Initially n is to out en just actually ariables is A pro cess hannel emp oral Logic d leader process omela e ulation a is Linear T Pr and via c of d d in in king LEADERn denitions of global v part is f Chec hannel process d ident vioural relay ts to facilitate sim e Mo del proto col byte beha b our via c goto skip stop d d The out tcommen printfMSC goto election ard translation of the proto col description giv in prin e ident e else else o kwise neigh w started t tforw viour of a pro cess in the ring and an initialisation section chan are leader ine if outd fi fi oute inf if outd ticlo c b our dn added f sp ecication consists of three parts e the v neigh e ha process pro cesses true ind e d omela W ident kwise all e Pr v d byte printfMSC do od od do its clo c connected to its an proctype activ ab o Mo deling The obtained from a straigh description of the b eha where relay end a ws y b for semi k circle arro the y b Figure lab elled Ablac proto col i f c in is where f the wn hannels w proto col and of circle sho e e arro h is d run the Eac ely unication c it is activ ariables example lab el of leader election comm resp ectiv an messages the and y e h b of the orks w distinct and circles ying otherwise y b alue of the lo cal v indicated b tv is rela proto col is separate Example run the to indicates Spin tities w pro cess hannel c ho er used are k a iden the is of j hec d g a Figure t bol with that ten illustrate sym pro cesses round o mo del c con T ery The ev indicates pro cesses Here The triple indicating the curren colon of to to to for the the can and alid An in v tiers t is in pro cess already and tities ed are k created iden to hanisms ulation insigh eried er assumed of a iden Figure v hec correctness c ev emp oral Logic sim mec b een in w hannel be pro cesses NIiN starts c t be e et w obtain sp ecication y wn erication to start at the same to pro cess the no v to sho It is ho parameter Linear T of not dieren pro cess t e teractiv tial for the can need tiate and v qiN outgoing omela in is started with some actual rst y order king ha ts a result Pr or the w some In instan t that assigns pro cess The course is essen is Chec ts the ulation the to t assignmen this en w all pro cesses of of qi sim A pro cess This in guided pro cesses assignmen and y prev Mo del fragmen are b obtained part instance parameter statemen tier other This e simply selected one tained are particular i process This There for on omela obtain random iden op erator ks top ology one a In order to allo N p ossible y Pr second i run long as will break tit used ring all e as In order to increase condence in the correctness of the the is xed construct deadlo c w process iden t N e a unique pro duces the v N or proto col fact its sp ecication body ha run in gets e is hannel This the i i ws results atomic c co de w create the construct y is to write a of y the to follo b The omela out that tiers to pro cesses and w pro cess other hable denotes the mo dulo od i do as init use i Pr its pro cess h e N order incoming parameter the w op eration In The Notice carried unreac atomic byte the where parameters instance init is ring proto col only for this assignmen other p ossibilit randomly no the be execute pro cesses time the algorithm of Dolev et al that eac third assign iden a h is an in its the the can is alid only eac v ine h of in lab eled in pro cess this store ariables erify recognise hannel v an hannels carry each c nor the qN to L not then since identifier nd Therefore ere generation messages body e N and w can only reac do es o proto col ould through ed and the execution w the indicates in w t k one connecting activ it that capacity oid smallest If of q v program pro cess Spin a most of use L election a hannel processes A only c t is blo c y at to with buffer of not is enabled only if the c pro cess of in hannels A of leader do es t b ecomes enabled c stop end sends order endstate endlab el e capacit ine channels the t the purp oses w In the arriv and an number process size N this in The leader as the statemen pro cess y activ tier h state relay new neither message error state y a without eac is ident iden a til the statemen y messages an initialisation rela til states rela as that byte since un for omela the Since pro cess N byte the hannel is empt smallest e ait three in Pr recognised state Spin w a of sp ecication starts with the denition of the global v used in in yp e sp ecication the er a is end lab el k as has least be L rep ort this If the c I of t e ord ariable election it v w at hec t will y omela if can read eyw and obtain omela N I L the be k Pr endstate be of Pr to qN ed end will state constan mo del c leader e v The Notice that for instance the statemen tain items en alid pro cess skip single parameter v alue in the in with this The stop A reserv stop v define endstate is nonempt should define ab o of the pro cess is susp ended un con define chan that a The tak round hi ula uc B omela Pr d sp ecication emp oral Logic lab elled leader a is to omela ting the basic part of d in Linear T One denes the form Pr Therefore the LEADERn y a the as Spin king is y in process b nrleaders d y implemen Chec wing w dened ident y ed b a erted is ariable v v p Mo del hiev byte stop con and skip wing w in the follo global d G printfMSC nrleaders goto out follo to Spin b er of leaders in the system in e else in the um auxiliary this has b een ac automatically ed using an is k chan ine if fi is outd p  corresp onds hec k of the n nrleaders before is extended tly y In essence yisc before process l eader s leaders p true alen where eeps trac ident nr p nrleaders G prop ert hk as as d do or equiv This prop ert as define where sp ecication The whic proctype byte activ automaton in ust p ossess is that Spin This is expressed in ulation run sp ecication omela y that a leader election proto col m Pr h pro cess including the ro ot pro cess leftmost line is Visualisation of a sim the ertical line v Spin t prop ert er k king w more than one pro cess to b ecome a leader viour of eac Figure leaders hec along a hec c ted as G mo del c TL The represen Here the b eha Mo del The most imp ortan it do es not allo PL is or er the the and ys a state a rather rather to with TL forev Chapter alw with the PL in e reduction hashing partialorder in stored emp oral Logic already leader mak proto col eried a pro cess reduction is are to using using overhead the discussed small y Linear T space a prop erties be order w partialorder remains space this in if it king will overhead state further transitions these errors for partialorder state the e will use partialorder reduction are Chec en alues neverclaim DSAFETY compact v byte compression leader leader ulate Ev a tire hanisms a by by states the en in and w Mo del applying as form mec m hniques it hannels wing prop erties could b e v elected of the c states for to tec reached byte states the arious elected stack usage for hing v eect disabled disabled Megabytes storedStatevector storing errors usage is transitions These storedmatched e the follo hashtable DFS depth searc v in tually The vides resolved usage that encouraged en memory only terconnecting both for for pro is ev through pro cess memory in stored matched byte fact of as ab o oiding a steps stored usage v notes and that y states a if a used used memory the is their as actual y reader either b elected option y b therefore In the remainder of this example w ber states or bination be lecture states states transitions atomic memory plus endstates um memory memory total actual equivalent n com on checks Spin will terested example smaller a similar w conflicts size a these in e v In indicated a standard of en as hash Statevector max Stats Statevector invalid cycle The not applied as highest than leader ab o pro cesses large space reduction ev the with Spin ws lab els omela follo then Pr states Spin corresp onds as our is negation of the that is Spin where to the y property b lab eled e e le v A b eginning of claim ha the e or of w in is p ositiv ould b e ed y end ma jor dierences v scope sa the the original whereas is p of at y automaton generated the acceptall add within One of e The prop ert Corresponds p goto for Tinit if hi automaton that corresp onds t prop ositions it if w uc this p in our notation this w B k If Below goto Formula search hec Spin ed the erication of this prop ert k violations v atomic statemen p er is k Typed  hec Claim space Holzmann hec As violations property with Negated fi skip if atomic prop ositions l eader s Never The state hapter of mo del c result of the ula to b e c c automatically c G Formula The To formalizing The this transitions acceptall Notice that this Tinit never sets form neverclaim assertion Full to include The sp ecication the can G in for TL x same PL i s states the G of U i s d set h result or def uses emp oral Logic R leader equals g x and X is corresp onding d Linear T the s errors LEADERn for our pro of whic of king Determine the G s no is g s same i process that Chec s d nrleaders f the TL x yields hstepofy f PL erication Do S v Mo del i s stop the tics of with alid skip v as d is State in eac printfMSC nrleaders assertnrleaders goto Lab el sp ecication Lab el ula and else e x S R U omela s form transitions  e using the seman TL Pr v fi ine if outd M and PL x s this Let R is a ou are using before l eader s of before states e or dispro h and true v of G ident Pro where inition y whic cise cise x ula ber i as as d do for U erication um V form n Exercises Exer activ S Exer e h it as to ys ks w As a run case when t hec e where stored searc c that carried a w leads yadding h obtain y and the If be and of socalled e violated state Spin ecien suc ed b w that is k can use increased In the So Its execution has hec leader more in determines run trace that the t breadthrst not y generated k whether it is alw no is a is assertion is is hec violated usually an leaders pro cess ulation violated shortest is is prop ert space a ttoc is nr there This can b e c sim a p erforms y tains an erication k The v state This option can b e indicated when con ew then where hec ident of terexample c then t ariable guided y assertion v the e assertions a prop ert a w w coun since poin byte for t the Spin the a this h ts the error when terexample on request and general king out sp ecication at whic created h the in hec coun c viously in in Basically error are incremen more ecien Ob searc assertions happ ens omela run an Since analyze a and b er of leaders is at most one Pr chan b e generated often Spin what to generated a started sp ecication um tiations using er obtain If is k erications constructed see exists the v prop erties where the pro duct automaton of the prop ert pro cess depthrst e and election is order to hec indicated TL instan An assertion has a b o olean expression as argumen on process l eader s omela In of a is PL indeed the there e Pr than a order G nrleaders on w erication based le mo del c w k king v inline assertion body error found can alternativ In pro cess error sideeects our a erication hec hec c The p erform these out all Spin in has sp ecication to assertnrleaders the an example of the use of assertions supp ose w the case that the n byte proctype the whether c assertions no an An V rather the the t a y y w ac an and ords Cre er in F That v w arian a only except o een ormally that s language F w w sets a times A this v e s o ccur and bet s b the e y innite Construct the using the l ords s w emp oral Logic is exercise c o w p of g g o ccur man U of I LBA ber of s s s set successiv q f f b acceptance condition that s What um o ber a innite w of Linear T the previous t e um F with n y extra innitely S y this automaton q ord ber the an w king automaton and the odd in um accepts ula LBA g n denotes with een successiv hi What is the language accepted b as an o ccurs Chec and an o dd n w g s o uc A with f a that w w or B odd form t bet s ord accepting A s y L TL s b an y f F that an Mo del PL of s an generalized h a LBA app ear automaton lab elled een where in e y times in S ber suc w and s exercise a an g c an y the resulting GLBA is correct S wing um in bet generate the corresp onding GLBA and explain the n or  occur er tly as follo s v b y GLBA o n s successiv odd j occur of ed as a nite subw o w the ma Construct s Construct an the w w Construct What is the language accepted b c t Construct an automaton as the previous exercise except that s ely clear wh c ber g y g of s g are ords g s n Subsequen a of w an um automaton wallo e n tuitiv A ab a b ber o ccurs innitely man Consider a b c a b c an f y y this automaton ber a b c f Consider there a een f f is no um ein Construct the graph of the f odd w w um h that innite n gg no an bet algorithm A suc odd n hthat s abcba o successiv w b f w cepts and Let L accepted b Let t no is this automaton Construct Let that Let suc accepted b an nite to L Kerb er cise cise cise g s s Exer ateGraph result ie mak Exer ff l corresp onding LBA Exer e e of in an w TL last this if is PL alid of y since v the consider is of til problem tics satisfaction W y un e a where prop ert B and Finally of seman alidit t to the last prop and v one election M ers Lab el alen the the in but terms e also require that there j means U S in leader s Z last ely utation rule k y equiv F state previous ab out our answ and ormalize a R y the F sa s and tuitiv mo del ij M of next Z in wing that w a dynamic y G ou of y Justify y of true of the kj j een j ykno alidit can er the same question for the case where w mo del w v y of the comm of ader TL terms ersions ader v y le b efore the le tics of the op erator PL Answ in alidit U b ecomes F What B i an i to past terpretation alence b et in ab out ader in be j e the v j le ader y v the sp ecication leader le sa s op erator b efore U i ader j the X le terpretation ou one with formal y Lab el R in XF Z F ulation of the last informal prop ert e the equiv true a XF v Spin M i to binary e can t of the last prop ert e or dispro most j in S R same v er i k ader at e form Giv Consider as the seman  formal s Consider The hange in the premise of that prop ert le Pro arian j the F j hec M be What becomes ader ec the le U eordispro ulas M i j Do ys e v a ader wing v if le F yifw giv F form Let Pro G s alw cise cise cise cise cise mo del c t y of Section ust hange Hin The Exer prop ert the follo Is this alternativ Exer ert m Section c omit Exer relation innite sequence of states Exer state op erator or dene this op erator in terms of other temp oral op eratorsExer lik time omela erwrite a solution v o published Pr at y ed as v e this exercise w ma emp oral Logic w it pro cess I o as they impro Mo dify the The problem and a rst Linear T that single wing a t pro cesses execute the same king follo to i problem is not violated Chec The omela repro duced here co de tial utual exclusion problem is the problem is Pr Explain the result j the It Mo del poten in The m a Spin is o or more concurren w ction author assertXY se Dijkstra there monitor k i j al y C y of read and write instructions b either or and another run end to i critic data y teger b a C in go C to sp ecication using same to with begin utual exclusion program in i published later then go run the b h that the assertion Holzmann If t ear i y rst access y then j e the correctness of the program using prop erties sp ecied in lineartime e the correctness of the program using assertions omela v v i b C pro cess Pr ere k critical section one access arra t w to false k not true i atomic i Dispro temp oral logic Dispro Mo del this m cise and b if if else else b remainder of program go end h others results and corrupt the data restricting c a b erify this to D Latella Exer co de eac assuming only the indivisibilit sp ecication suc of solution init V app eared in pseudo Algol b o olean C C C commen Questions t and ulas LBA same Hin p in the an Consider the for LBAs to prop erties of in where k q Kerb er accept U hec b e used L p c G to  hi automata can s uc automata and b q transformation F exercise on B ulas one b oth lab els transitions whereas assertions can after this p e form ely that Spin w G instead that o wing lineartime temp oral logic form I b s that to an LBA argue LBA A Alternativ note the follo and and Spin Spin A LBA wing binary op erator X X generalized a an Remark a using to Y Y  sp ecication be s in lineartime temp oral logic Spin A pro duct of er ranslate using X X k omela With the Dene the follo T GLBA A Pr hec to prop ositions sp ecication let t this monitor C hi automaton and explain the result e lab eled the states of an automaton Y wing A uc alen true true atomic cise cise cise mo del c omela X od assertXY do and equiv Pr are to a B ransform The A T language Exer is in consider the transformation of a GLBA in Exer proctype proctype bit the follo a q lectures w Exer g o pro L past easily to is the N IEEE Sym of tities emp oral Logic log Computer Net iden pages glory b er active and Concur that e R h um dings th Linear T The e pro cess LNCS e LBAs suc c of o N gic of king ts Pr and o pages e Zuck h to linear temp oral logic TL al L Chec utomata t in order to elect a leader is at most or L PL A erlag Scienc assignmen emp een appropriate t Mo del and w versus an bet e The T SpringerV dieren pages Computer o ho ose t of messages sen c w Pnueli t of Structur t ation A for Pnueli references connection LNCS Hin cic emp oral logic and applicationsa tutorial A e T Systems ency ams Sp N gr The temp oral logic of programs oundations An automatatheoretic approac o and F prop erties um total amoun c Pr in temp oral logic ISDN e N v on Concurr of ardi Selected Systems ab o log V Lichtenstein for Pnueli Manna b gics o N osium ent the computable The elected leader will b e the pro cessThe with maxim the highest n Z A p R Gotzhein works L r O M ics op erators k hi automata and the uc ast Chec cesses Linear temp oral logic P B erify election b ounded h pro cess un y eac A pro cess can b leader b er Initially um etersons wing task connected alid endstates and v In P v e oid in v kwise manner a is activ y ring top ology a rela tually in omela erication runs of b and c and explain the en pro cess Pr goto e h is assumed to b e a natural n else pro cesses send e Initially a N whic d else ying ident d announce elected announce elected Spin announce elected h pro cess in the ring carries out the follo assume ys at most one leader rela then e a er eac tier send k W or then then then e d f hec t ys a leader will b e elected ev then d f e a er er iden ident max ident A pro cess can only send messages in a clo c wing prop erties d d  There is alw Alw Compare the state spaces of the v dierence in the size of the state space cise mo del c ident e e f de e d forev forev y either activ start phase send if if if if send receive if receive receive d end rela end Mo del this leader election proto col in do The d begin do begin the follo activ be has a unique iden algorithm Exer queues tice Soft ebsite w on Pren lgorithms Computer the ols unidirectional emp oral Logic c on n oto ansactions r log a tutorial Journal of A T n Linear T ailable v O a king IEEE An Chec Spin e odeh er R enc k Mo del alidation of Computer Pr hec efer M alidation of proto cols c r and omela mo del Pr we The Design and V Systems Design and v Kla Concise M ISDN ering th Holzmann Engine Dolev Ger e Spin election proto col D distributed algorithm for extrema nding in a circle for GJ Holzmann GJ Holzmann Hall R GJ war Networks Leader Spin of h hing auto Memory osium on approac branc Journal SIAM Journal Symp king hec prop ositional linear ticeHall simplied prop erties osium on Principles of annakakis A Simple onthey oundations of Computer yof Pren dings th e e pages c o tap es olper Pr CM Symp temp oral ation complexit W es Reasoning ab out innite computa amming osiumonF of on olper M Y gr o P eric The V Pr Scienc Mo dalities for mo del c CM of A and ardi dings th A h and linear graph algorithms e erication V automata e the v Design c ardi P W System o Clarke pages of of M esting Pr the T and hi automata Discipline hi automata k for System uc EM ardi AP Sistla uc A B dings th IEEE Symp in e Journal Theories ation Peled e anguages c es bac of B and L ds o Depthrst searc D cic TL Pr e Computer coubetis M V PL Sp algorithms of th Metho erication of linear temp oral logic pages t Dijkstra of e ol Sistla olper M V c amming arjan y emptiness command language Choueka Ger gr Computing references automaton on oto o ormal matic v Pr R EW time logic strik Pr tion paths Scienc EA Emerson and CL Lei P W R T on C Cour ecien AP temp oral logics F Journal Y king Selected Guarded Complexit Chec Pro duct a y it of to h the can one is this is tem ersals More h linear v tually wn s branc a uc y directly en tra do prop ert R from That in justify hb linear ho ols us the expression computations computations ersus of boils hing temp oral emp oral Logic sc Th v of states rather that p ossible a single p ossible diers e The underlying all the holds e t t approac king tr hing ie TL w king Although m hing T computations h a state is ev F linear innite that PL expressible hec states issues hec c allo h us a c hing temp oral logic and of branc state or instance instance are represen F Branc of whic main logic to for mo del p ossible p ossible hing temp oral logics is incom o requires mo del that t king successor w e to ok a dieren it t o all all along w sp eaking hing temp oral logic in these lecture t AF temp oral logic ts ts tended sequences y that of in temp oral ecien er t v is in p ossible hing appropriateness o er not exclude the fact that there can also prop erties opinion for y do es not hold for instance computations t ev Mo del Chec hnically hing represen represen w the prop ert tree ec logic s our linear and branc T hing temp oral logic is th used computation us some elopmen y branc in on branc a and th dieren The this dev e in the state in gic v er sequences that lo v are Notice that in Chapter w at computations ha of man yp es of temp oral logic linear and branc itself h this prop ert the based exists al king linear and branc chniques path all computations of a system er ot consider This do es ho or te in v h fullled can w hec o F means one there or tree to tics of a branc dierences there ro oted y y er op erators Eac temp state hing mo del the This The nev essiveness logic tree that a some s resulted is p ossible ersa prop ert prop ert traditional in expr y set of states rather than a single state as for v the is linear and tofmodelc has anching that ab out temp oral h It sequence the tial br on The parable vice temp oral logic cannot b e expressed in certain branc The denotes temp oral hed that fullls fact whic The The existence of t said called mo del dening linear temp oral logic o than a through the branc nonempt notion of the seman computation precisely that start the notes treatmen be ing based prop erties of EF states that there is at least one p ossible computation in whic b e computations for whic existen reac for satisfy logic is of j us hing hing eri Since logic possible previous branc t a ordering er v o In the the dieren temp oral e notion of time is of This logic is formally temp oral logic called eral sequencegenerating satisfaction relation terpreted ts a computation describ e systems h sev ws from the fact that the in class hing e suc be linear be fact y this of on in has precisely one successor state t ma s G cannot time ulas using the based and there of logic Branc is us generates a unique innite sequence of t F t exp onen hastate e and Emerson U logic erication of reactiv notion X v yp e of temp oral logic for sp ecication and v ie a single computation of a system momen temp oral h imp ortan king hnically sp eaking this follo hing A sequence of states represen the mo del th eac linear ec s T one Logic temp oral at branc op erators that t of time there is only one p ossible successor state and th time path tro duced Clark h is not based on a linear notion of time but on a branc tro duced linear temp oral logic to the computer science com s ties another t h state this linear where treated Chec R imply as in sp ecication and to e single of v R hmomen not temp oral ha the s tics Due e mo dels us for eac the w do es at eac along a on s R Th yfor This temp oral logic is called linear since the qualitativ ts seman This In the early eigh emp oral ueli has in s TL en terpretation of linear temp oral logicform unit hapter states R is dened in terms of a mo del in whic the c in Chapter Mo del linear only one p ossible future T Pn m PL cation purp oses whic ev mo dels notion of time w based futures e y W tary wing usual single r a the er and v can b e used in o q A emp oral Logic y p is not elemen U and ts expresses a prop ert E dened hing T e dene the follo AX A prop ert A w j a are elemen U Branc U logic king express y ypical E and t b true j the op erator tree that F orm with F EX er soma path and ersal path op erators j v AP and Mo del Chec y Note that en that yo b false path next U ulas is dened kusNaur Giv j or computation used Bac true X form tial and univ of denoted in til j temp oral op erators is U U hapter for some CTL p tax un for all paths for some path either CTL of w true of true Syn op erators linear expresses a prop ert set A E The existen belo E tax the the syn prop ositions pronounced are b o olean AP pronounced pronounced pronounced U bination with the EF EX E A U AF is dened p The atomic y see the previous c and er all paths a our temp oral op erators are or v of F X Denition path whereas in com and dene F o w abbreviations of tly for en rst tary ueli king hing elop er CTL w giv Pn yp es hec t the dev c The set po be literature and e in TL and e and Emer the other PL mo del ree Logic in t unifying Sifakis the y Clark calculus is the most Manna of The most elemen ulas that one can state and considered calculus can ecien e one ws w Emerson prop osed for promising in Quielle BenAri that mo dal b een as follo y eand used in increasing expressiv yp e of form some b e v is p ossible logic ha Logic e among these languages and Hennessy in the expressed as used originally b those king of Computation T t ones This results for instance in signican form and Emerson tly it can b e considered as a branc king hec t logic e from ula ula Although Logic Clark hec The fact that the mo dal t temp oral e eness ie the t ree hingTime form form imp ortan dieren t y logic temp oral mo del c tly dieren an linear t CTL Branc alen Logic Clark y results logic for hing of the sligh tly taking place us the most expressiv of ree quite tion a few equiv a e consider mo del c are atomic prop ositions as in the denition of temp oral ecien that TL are branc an h but more imp ortan in men Computation T PL complexit tax CTL of o Calculus Kozen System hing t T of of computation tree logic is dened in logic and hapter w king means CTL ts are curren tioned yp es e for whic Syn branc t calculus is th tax of hec logic Extended Unied Computation T HennessyMilner dieren men of poral Mo dal syn terpart tax In this c arious hapter Syn They basically dier in expressiv V in the coun mo del c son This is not only the temp oral logic that w logic men expressiv Milner logic is the least expressiv Mo dal The c expressions is ts of of of be be q for are G do es set start to U mo del notion will system studies a CTL required Emerson example ula p is CTL the the the F and sequence paths case S of a total func y computation CTL a sequence G b of A and y most emp oral Logic t the momen R terpretation in these lecture s form e F in consider and ula can b e used in TL End single size where Since the successor single and X Although PL q state CTL hing T the A a restriction is dropp ed Clark X express CTL the h replaced complexit industrial to is computation to in king Lab el therefore subform TL Branc can therefore b e considered t path exist p e CTL en state hec If this paths PL TL E refer W arbitrary do erful arious S R king A v w CTL PL een y giv tractable logic single an terpretation of the linear temp oral not h sequence po w or represen in a E of CTL er bet M tly of to CTL generates for eac CEcomplete ev A is w of algorithms tier p ermits M computation since eac temp oral Mo del Chec ho state to an refer Sistla notion er mo del In order to adequately represen PSP sequences w TL sucien a sequences quan CTL hapter the in king is the tains for instance po hing PL and CTL ulas h of CTL do es tly of relationship e hec p ossible c These suc logic the mo del e do not consider mo del c t of atomic prop ositions to states and of branc tactical terms of It con apath form logic of W logic terms king all e y A TL frequen b p ossible this precise Emerson in mo del terpart of hec expressiv The or PL is c or is s t tics e t to mo del this terms requires that the linear temp oral op erators for E it The R full in expressiv hing temp oral since is unique some CTL dened harenotsyn an assignmen R s Clark mo del ecien that ula the hing coun is s to R y either e seen in the previous c and branc problem more hing obtained v wn Seman s TL tax of h form Lab el since s more is s R but branc is dened sho PL the eha ulas whic h p ossess king at e Branc whic the TL v CTL hec therefore insucien PL path at ing of state ha prop erties states As w tion that assigns a unique successor logic states not whic sp ecication c describ ed in Section a notes preceded b The syn then immediately preceded form as q the and x The The bind h EG tly x A instance AX ositions whic formula op for p arian and for x v G CTL is inevitable E ws A ula in EG x y allo b x untilformula EF It form linear temp oral logic EG an of CTL op erators x o a nor is pronounced Likewise AX The is is pronounced in addition e the set of atomic pr formula b next q e stripp ed G v g is for example not a a where A AF tical to that CTL is EG ha is simply denoted x a formulas e q formula next w iden for tier x EX EG not p CTL is ys x neither CTL a d e g x quan G d is holds paths E A also ar tially and AX alw x is AF all p path only G with op erators A tially x and calculus x g for wel lforme ersal A f wel lforme E AF e the highest precedence among the unary op erators e x x formulas v a holds p oten AX univ ar other E and e G p oten E F to v or CTL AP x EF EX AF ha in EF example F et of A U b e confused tial e of the L F ession w x for pronounced however F er F x E G A G w is CTL ession e us existen A is A x f f E pronounced equation of G EG G EG A AX expr sinc The expr Examples E EF is Th is pronounced AX should not tax The  TL or instance Syn EF F Since outermost rewriting equally strongly and ha and and PL Example EG binding p o a if all the M of for tree th innite innite i called R example Let Examples example ex the its an pr of for in of is emp oral Logic i y s arc s s b one i End nite e b sometimes s there s M of an a state A hing T is s P S is is to denote the of s i i s that t b s s s Branc h s is dened s s s dinFigur states a s p suc s Lab el e M s prex euse where king s s s state state a i t p w a that s s Figur s h g h is depicte mo del and and in s s i solely of of i s s suc whic or g del s x tro duce some auxiliary concepts F and Mo del Chec of the for Lab el mo del g g then s ein mo x s x states consists s f s starting f of CTL s s datstate CTL S R lab elled  t tics w a s state s ote s t o the of  A paths j s s t g ro ot er s mo del path if it e of a R M p S sequence s s x ath s CTL with f g s Set P starting in state a s example Consider s f s f ie if tree  mo del ting the seman x innite s s s An f be denote a path of states e is called a set s an if CTL ar omputation tr of of paths S is M y t the Lab el P set only an aths ath p p or state quals S R F Example p and computation i Let elemen Denition The computation trees Before presen Denition A Figure innite c of e d g to an and osi ate s only total is this states op g e a e p ossible pr x and indic S example w related f initial state structures ther if Her its is no prop ositions of of ormally F S s s is x ie set atomic s total closely R similar End of s is a is atomic ows tied Lab el e S x to g set that state f Lab el used arr the iden a that e is S s Figur e by S el ling an b s d e in relates el ling g lab v s logic Kripk R d s h ha lab of successor mo del s to The denote whic s TL Lab el since with state x is one depicte where kind R PL S relation h treegenerating mo del a R is a e and a s A required eac on least Lab el states s to is g x and to s s at logic of elation s del r S S R structur if s by set states x relation x mo del is s function mo the a f structure of f mo dal assigns s only e e dierence b alid in M CTL given CTL set Kripke for and total s g total a AP e a y Mo del e and a b a Kripk state s a AP only s are v ws is if tics a R is h as cles et CTL s a triple L the S s cir states eac than follo s s that wn S to Lab el CTL s seman s by as to s usually nonempt  Lab el s f S elation a kno S that R d f state r Accordingly rather om is a e S R mo del is the with tics of S s fr also e vide S successor Lab el R R Lab el relates S tr depicte is Although Notice s s ow pro a  CTL it e ansition  eside Denition A tr Lab el is expressed M Seman of Example tions S ar M arr if S relation to temp oral logic Kripk b s d ct ct e as In e e one ctly M al ly at e path these holds holds y dir olor of a y y glob such an if es dir is a some go p e on starting states emp oral Logic s only prop ert true j al l have a similar w Figur k path which states states and this for omputation In terpretation of in hing T if and otherwise c c d all is valid in these states for d s a states some p ate other s for k j alid i Branc al l holds state EG v if at al l have state  e e ath starting at indic depicte formal in is exists in to y is king for as sinc efor e the other states have only dir only the g AF alid there starting reader v ossible p valid Sinc Ther and s given if ossible prop ert is is p if states e in ath formulas j b p p eap ation of s is is valid in that the calculus j Mo del Chec al l only al j j EF it M AX no g terested p j j j deriv starts sinc s g in for state is s path and al ly valid sever del j s e es not hold if in g of the The holds holds do that U s mo this predicate valid ther p state p s is glob j j satises alid j is y on v p A CTL in s path ept j p state left to is U that of of validity calculus which s s exc the in EX state G M M prop ert s s the some et tics tics h for for which true Lab el A d black if the formula P P state L e alid A M M v s states the that start P P forwhich true for all states j elow p j is s olor that b along is not valid for state seman seman s predicate formula s for eac s al l e essor essors e p c c f f f f at es s or EG The suc AX to state suc F Sinc s valid that tually deriv gur all paths h us en Th suc can A state is c white temp oral op erators is Example for the ev starting e s if as S G een j U A w j j s are only s e deriv k k A and M and b et j alid in state starting in if y y AF b ation w is v s holds write kj kj e in   w conjunction y U EG alid dened y h a deriv v and is if the mo del is clear from b e a CTLmo del has an initial nite prex EF is b efore s j M As if and only if prop ert Lab el U j j AX negation j j the prop ert the j E e omit S R ula o illustrate suc s T holds in the last state of this prex and j M form j j M prex satises a j e hapter w v s the s ery path starting in s s s y a satisfaction relation denoted b CTL prop ositions that and satisfaction relation hthat eha s M M M of if and only if there exists some path s W e denition P P P s v j The along g g suc g Lab el s s j tics atomic EG s j EG AF states p ulas is dened b of of for U states its i i i i i i starting in taining if and only if ev Seman of tics CTL tics s form s true As in the previous c alid in state other path M A AF CTL U one U CTL a is v b e an atomic prop osition ed using the ab o EG all M seman denition of denition of tics of terpretation of the temp oral op erators be M f f f p EX E A j j j at AP text terpretations s s s EX tics of j j j j j j exists in s s s s s s con formal seman p The in alid in state h that in the next state of this path state holds mo del of mo del s the Denition Let Seman The seman a rather than and the there can b e deriv The is v suc usual p ossibly only con d t to in in ula the TL tly ulas from is in CTL PL ache CTL e of logic sligh of justied CTL CTL TL for in supp osed form Although example is r and clear tactically PL ell of TL facilitates of yp es q w corresp onds and are t PL for pathform ely emp oral Logic TL U state syn is CTL tics p that of b edding mo del A PL that End CTL three een is a subset of tuitiv h is to consider that TL hold CTL w hing T hoice A of in denition seman c PL hing of equals e ula is usually implicitly bet is not CTL hing structures wing em and tax of the this p denition Branc een tax branc w E form prop erties syn formal follo do es syn tax a the bet alternativ TL king of ie syn er branc hing mo dels whereas the the the erty the CTL PL v erse o op this of in een these three logics is not straigh terpretation rev pr w ulas TL distinguishing in terms dene hanging that c PL er branc computations the the in to CTL Since a y v w form consider results this y Mo del Chec relationship a sho but w of not e tax it can b e seen that Thus to path the that This explicitly paths dened hold for all or for some p ossible successor states of y did terpreting haracterization b CTL al l and c all p ossible terpreted o e X reader also state w e to b etter alternativ eness for er q is assume this v the able summarizes the o an e are in ys of in CTL T length states do a to w is a tics en the simplest and most common approac holds e the reader should b ear in mind that of er b elong y tw v in case of left tied tak W o alternativ CTL Halp ern e state ath is Although notes v seman p y insp ecting the syn ulas ula understand Hereb er sequences a comparison b et an It TL comparison is facilitated b CTL quan ha a and v b and its t state t e next to A PL Expressiv w form form of lecture CTL terpretation of the after that TL ersally ard in expressions presen Here Clearly CTL order h  PL e ie to hold along paths considered the these all Since comparison Denition In w terms in terms of Emerson a univ stance should the curren there are dieren forw terpreted o suc a q in in s s or s q the F a U at along valid s s p and s aches valid is e r is ontains state om A starts true state c q p erty fr either starting a e or op never F is p pr valid which state sinc aths ath s s p however a p the e not s example of a mo del p U ath s p al l p omputation s is a is sinc a in p state for via q G Lab el and valid this A U always visits a state in which g have ach is p p valid s e s and satises ulas in an f  q omputation q to q s c states e U p states s p om not states p a ath which some c G fr g s and form states AX A is in A efor only e b s these ossible p q om satisfy other s p these s f the CTL its fr s sinc q g is om e q U al l q or valid for fr aths U invalid it f F p eral p e its only p p ath d is or Lab el sinc p is So F d  p states s g s sinc p A A  ache p p of sev the states s e p eventual ly e al l f r s ache in ossible e d p s e r valid p b holds p osition sinc for s e al l other b q satisfy op ache valid an al ly e U c state r s pr p al l U valid valid e not s p not E glob Lab el or never for terpretation the is om which is E F is es is fr M CTL In an b p e p c an do p q p state for c is only valid for EG p erty U p e e EG and p s p op holds EX G EG EF tics of p A addition state sinc Final ly sinc instanc s pr which EF or state which A Figure Seman y s for less this s is b notes q in ula states p whereas EF X G form distinguishes and A CTL strictly lecture p emp oral Logic TL h TL and states is F M o temp oral logics PL PL and pro of of this considered CTL L w A M whic a these hing T TL and is of and ula PL The then q logics p Branc EF CTL X CTL j form j CTL scop e G a three s s A p king TL second of if for all mo dels the CTL M M F PL the ula in eness e than b oth if for all mo dels A the for een een form essive en w w only not t outside CTL example j j bet expr Mo del Chec q s s alen j but is giv expressiv An U example falls p if and M M s of or CTL A qual ly alid F M and e v is more expressiv L an equiv L is are relationship CTL Relationship b et TL quivalent e CTL only if e L it b elongs to p PL in the incomparable X are and not exist Comparison conjunct L L p if and L not are L gure ws that F Halp ern do es depicts Figure and rst A the j but CTL than w in a p osition to dene formally what it means for t s It follo the there and TL equally expressiv M ulas h essive part of PL TL only e are no emp oral logic orm Figure W to b e Denition T F whic Emerson PL In the section If expr e in be w to o ula that t same CTL logic is ula form alen the cannot general one of ersus form v U equiv ula path in U that a y j b Let us rst clarify CTL is j CTL form terms some Clearly t X in to terms E E X for and j Here j j j of alen criterion is CTL U where L that CTL of applies equiv j This terpreted compared A TL fact j an logic j j j in is PL X expression ws a comparison w terms the j of no latter exist criterion j in y j j j logics ulas b tax p p p U are the not ws the temp oral TL TL exclude of j PL TL form PL the tactical do es PL of dened not of X in according to tical basis allo temp oral syn if it allo and j subset o are and ulas ulas w ulas ulas there a do es t This TL y it alence of CTL Summary of syn ulation dened form form sa PL another CTL from j of L orm CTL eness other F Equiv state path form path form state tactically than CTL of ulas e ulas are precisely logic able syn j diers the T TL p in form form PL CTL CTL eness result expressiv More a expressiv the state path temp oral former is As tactically w Expressiv The The ho Denition mo del and this common seman the expressed simple more one syn mean Denition a h to to us en t that suc CTL Th CTL ev not s e treat is tical leads alen see canbe w is q is a in and F P p to This can b e iden exists CTL equiv tier f state is emp oral Logic CTL and p is A GAF p a such A starting P t p quan TL j ulas dicult s FG if hing T PL GF d alen h A path not quals path form of e eac g is o no p Branc ula do es exist equiv w f t It h pro cess f for is ulas ersal formula eness f its  eliminate CTL p s e king Eac form TL e univ these s form ar there g PL a in obtain p wher CTL for s often of f ula do es exist since e t or y s if w CTL  since s q f alen tial form p A Mo del Chec are g alidit path quivalent AF h prop erties can b e expressed in v CTL e p p innitely f CTL EG F the t an form p existen for the athquantiers s j EG F p p for wing example mo del an s alen the GF M ula y in whic prop erties er no equiv g al l a alid p and of ev v e er follo f ula EF EG w e p utual exclusion program since with form ev b  s w p mo del wher an equiv ho formula GF ula form p y Ho A p must an TL for CTL form GF EG EF EG F PL ula A for opro cess m j ula hable or any w this s F the Sp ecifying considering the e distinguishing form is innitely often or reac p us for v y F form a b p ula instance ha As a nal example of the dierence in expressiv TL is e CTL GAF or prexing PL consider F W In order to illustrate the w a simple t tually that seen form A and th a p h is of er be an an for v the the use A CTL This from er whic of at GEF v be j o A where a exist e is state Let for s y j M a tually not arriv starting h M ula s alid along the correctness g en connection ulation in v astate Let e p proto col v M reac do es er the prop ert ha f form form tually paths to an alid ev e ys p ossible to reco A t b v en s a w Since The ving is nev Ry CTL there infrared ev j The alen p so p a p pro unication or s TL haracterizes and is will c in will b e p ossible wing holds for the relationship PL M M p equiv GEF p it GEF q A since is A in comm in tly radio If p an g a it s Huth p a that GEF for to h f then A t often for as diagram b GEF ws ws s The follo A that frequen y from ulation h that ula t state alen j TL Draghicescu follo h follo TL suc fact PL form s form it as etc thand PL a equiv t and o ccurs innitely ula for whic prop ert sk ula expresses that it is alw is M e the is starting t h righ and a The and alen TL sen form w A s medium the pro of whic PL ypical TL t Clark those TL CTL e of the curren y equiv in g CTL belo in a PL p PL of holds innitely often that The being expresses an wn een p in h q is CTL f w it CTL F sho prop ert gure unication suc ulation exist of error subset and not is instance M a that if ula since p TL not of form or comm message s it is not the case that but F eness t are example of a PL a holds irresp ectiv GF t teresting certain form lefthand states p er do es A in a alen not exist if M een TL h h ev CTL w practice the w an PL in Expressiv Another whic do es is systems unreliable that Relationship b et bet Ho only path there in from whic In recipien certain error is repaired the form a in equiv submo del s e y in be on b al the the ter this CTL king been tim algo nite They in in of hilik wn atime e can on hec v eak p ossible ro ots uc c the king An algorithm king ha sequences w fo cuses is promising its automaton in sp ecication linear hec h e length hec based e to a B c emp oral Logic is their mo del metho d has is to ols alid quite h latter called the v h innite of no originally sho ula in is system p erformed in in y that approac uchitr hing T the that mo del and B whic As be similar than the sp ecication approac form the a ula hing temp oral logic of Branc to a heme can is that the former expresses means wledge of automata sc onential CTL SMV whereas their complexit case rather size teresting form kno king system exp CTL CTL of This tree in TL ula and the system sp ecication whether y is the to ol CTL our for the PL space concept and h for branc states is are a M o states olp er has led to a signican automata automatonbased of T the of ts TL the traditional king use of an basic in the PL size Mo del Chec hec to complexit CTL mo del this that question ellestablished metho d for mo del c een The us trees the usual since elopmen is whether w the ardi and W p olynomial in time is sequences transformation h the e nondeterministic of dev is ula can b e transformed in and king discuss as t h t and w of The alternating tree this innite e enables Lab el size t CTL ula w form p ositiv on This suggests transforming a of hec whic innite tial approac mo del c determine c the curren y is consideration as This S R arian to with form CTL to v in this notes er accepts h t based a space automata CTL of ory an these exp onen et CE in of states w ork of Bernholtz V y The dierence b et answ M A Emerson that use the related e dealing complexit es the tree y that is linear in the size of the form ula under t of the automatonbased approac tw lecture e w to Mo del CTL than h tr done and of The asp ect oint on another paradigm that is conceptually simpler e p time emen form mo del be When Although Recen d v these NLOGSP And indeed eac The innite automaton prop erties CTL used also for xe Clark based complexit In constructed rather there do es exist an ecien ternating pro prop ose esting is length can approac Supp ose CTL h do ws the the The to C nite allo at state innite is precisely M algorithm able s This M whether P section section U king accepts mo del that alid accepts tually C v hec CTL noncritical section en c that CTL tering its attempting ev y establish critical s e that en is P to for yen noncritical in the assumed mak mo del A their is h is the in the it automata nonempt that section automatatheoretic problems starts til it obtains access to its critical that C to be of k for a giv h p ossible is the fact that for eac constructed Some required prop erties and their wn es ving access to their critical section that to Here v hec s be j kind critical mo C P pro cess seen a approac s M C to kno ws can i it its A U is to c e M is nite but v s C TL the critical section C the attempting section s ter pro cesses ha for P N PL CTL ter its critical section b mo del en CTL P as follo s e es this approac i s section w of states P AF to atomic prop ositions b oth for P automata are s king whether of ts automaton h of C A hi ts to en for S hec logic an hi uc CTL T an w critical state ula B uc set s B in its ust strictly alternate in ha is denoted C P on s a that i the wing three states possible form P sequences king problem for P alid temp oral of mo del c s v noncritical section from ey result that mak G G hec not CTL P is based A A ula is pro cess the G Automatonbased and It remains in the attempting section un linear A The k y and innite It A same time Pro cesses m so form means that and or S reduction F TL strongly ords Automatonbased approac in one of the follo T section section and indicates that it w state of pro cess formal sp ecication in the w is PL those This prop ert The mo del c s y to as us and king ed th mo del k g reduces hec whether c M foran structure hec computed the c of M is j according compact just CTL emp oral Logic Sat Sat in s that s ery easily tactical v M s sets king Sat be Sat syn hing T hec in a state king the can R the assumed since ted Branc hec g tire state space any problem than Sat c is s en j mo del c of it for king computing g s s s presen ulas of ks M AU EU j the addition general M text Lab el By be S j S considering hec Sat Sat State c In Sat and us Sat y s problem b e s th it of more j v subform f s a S S jM the Mo del Chec en one f set program s and ab o return done return g fact f en return is ariable In the main algorithm for giv Sat return j algorithm can ula return return return a able return s In T ed orm for indicated king U Sat U F Sat computed in true jM solv considering the of hec as S y just is are Outline of b EX E A AP computing y Sat isaglobalv true y a false s y a Sat not w determining for a giv b f of j depicted e mo del c y if ew s b Lab el s true the program just returns and that y able the a M T ula computation w king or S R iterativ t function precondition begin p ostcondition end j Sat F hec algorithm Notice The c an s ell to elegan in Actually the in an iterativ subform M M whether w of a y of b ula ulas S for vides that lab els alid in of dened v in some in lab elled s pro cedure is The ely are j ulas subform s s state the that already pro y M state or with inductiv lab elling an subform of is Lab el then for g accordingly g The g ulas and ed being whether considering U U y lab elling the states with the y solv b ula lab elled A E U lab elling algorithm subform be Sub f f f subform the function y purp ose are w deciding E the b form g no the g of of if Then starting b that since CTL CTL states can ely EX ula with a Sub f for Sub Sub f is already lab elled with ulas denoted for S s the of is iteration is lab elled with is easy instance ula used s s form and g or ulas ie the atomic prop ositions and true and false subform if of p i F are a Sub Sub f Sub Sub Sub form CTL problem state th lab elling algorithm ends i ulas only if h be CTL not states king The the is i considered p Subform to itself and hec CTL if and i e is p erformed iterativ In c U U v EX are ula of length subform U Sub M j Actually this step and lab el eac of j king E Sub A most i j Sub iteration ulas of length of to s mo del assigned AP hec set Sub at ws c that aform in mo del Sub Sub M lab elling tioned ab o p The en The follo length as Denition Let s Mo del rithm is length already with occur of subform this men Note previous giv of length considering its lab elling e v er to glb ar w ound e lo usual a the e function if er b v the example dicult ha and the of only e g greatest emp oral Logic not w a ction and union of and atest upp v is A End e a p oset S if and a do exist It hing T f and a unique greatest instance be of A A is a e interse A notion u or t a of this example lattic i vi F v Branc a lub S a the A a and erset A h h h v ound and gr e wher w u king the A t po eac written and Let t er b element g A A A A for the only if of onsider elemen c ordering f atest if e ast upp A A and the similarly Mo del Chec omplete lattic and and if and h ale i b ound lub of of denotes A g g es S S A S A bound of is a c h function of ast and gr for eac lattice monotonic f upp er le b ound i b ound if preserv A f is S b e dened e ound for b ound er it upp er where b The h A is an w if and e upp er can lo er S lattic t i oset a upp er et ast A upp S A a Least Complete Monotonic the L le and u F h A instanc is monotonic on an a of aposet u v g is an a omplete is is or c be monotonic a F that A F f A A a a is t vi denoted is S F ond to ws t a b That is the p F a a A concepts S h esp vi A complete lattice has a unique least exist ck that for any two subsets of g us and follo unction orr A subsetrelation is a p oset Denition it Let c f do che Example The b ound Denition elemen h a Denition Th F F t a y is s k In ed v yp es the hec olv a states Sat partial v domain there U Lab el in of oints ts where on p and summary of A d h some state set A since a basic the set a more a e xe v e its complemen based S a lab elling and tly giv EX from a tals of mo del c If for or U the F a a sligh rst posets theory e socalled false oset E y pair of its elemen t and tak w p are of on Sat traction theorem for certain t denitions poin for instance een an Sat y w i for all or and shortly F hs con prop ositions ed that p erform the computation of xed ts b etter der Finally or ok algorithms of or v based are considered that can reac computation tisymmetry set results Accordingly s y Banac t theory is based on metric spaces domains that e compute ts to a union of sets atomic transitivit w are in an artial These is simply the set of states that is lab elled b the or p a p a F teed b some concepts AU v on is a incomparable a Sat theory Sat a and U A alid program fragmen be t t of xedp oin order v recall on p osets fullls true based and is to A ts is guaran is arian a a y EU partially ordered these on set results state based v v artial p oin Sat a poin briey t said false Disjunction amoun wn v v y Sat P e ersing a single transition a a is h v an or the negation w S are and F vi theory ellkno a reexivit whic p This theory falls outside the scop e of these lecture notes ytra a a t A correctness a ely computed and all states imp ortan h in Fixed v v U b section v and a a with to understand a a pair their E most CTL Another w state vides all the information this  Sat binary relation is recursiv with resp ect to in Fixed p oin indicating that pro Lab el no sp ecic functions the existence of xed are equipp ed with an appropriate notion of distance b et of functions the In order Sat orders and A theory as far as theying are needed to understand the fundamen Denition The then t o h h T ula U teed more poin whic ulas set a E result functions axiomati h form particular ulas and h that the e omit this be xed ulas after an a are emp oral Logic form form with the arskis ould ts is guaran on form text w ulas T w that U CTL haracterize monotonic poin hing T CTL M CTL form tied out and A based e to b e determined suc v of the of iden ha Branc are and ie turns is ed it Knaster y asso ciating with eac ell king lattice U U nding relation on needs to b e dened suc wn from the con y w hnique is to c us out the lab elling of the states b in resolv Th as E A formulas ulas is kno haracterized as least or greatest xed purp ose M CTL and that to b e complete M formulas holds of helpful Mo del Chec this w a suggested form t of a certain function on Here the tec partial order U or need sho of least and greatest xed ulas is dened b are h CTL a F can b e c g e CTL E haracterization on ulas w U c e that function form dening j ts in order to carry of for t a y for whic s A b form CTL is algorithm Finally M functions main issues functions jM on is useful e axioms o CTL in p oin and S start w v lattice of this lattice is e monotonic functions on these CTL h xed p oin U omplete lattic w pro cedures s some step c iterativ of f of in E basis ts ts of these of states sp eaking an Fixed basically t sequel set existence and uniqueness The First a Secondly that poin zation poin tro duce lab elling tioned in complete the apply the e haracterization of to The as the least or greatest xed p oin c to compute suc do this w In men xed A The partial order Strictly correct notation but since in all cases d y er a on b can w and this xe This v F terest a vi of t result i EU in t in the i fact e e F A v lattice F a h all Sat ordered In v eha the lattic for elemen w a F i a F totally particular F from if is functions oint t of i wing imp ortan p omplete F F a c of d that monotonic are a of that ts can b e easily computed v is the least F is xe that is the greatest lo dieren has F oint The follo i i ast p e le F F h that d i on the complete lattice induction u functions sequence since correctness is suc F lattic general y since xe y arski a h b A T in the unique Suc that F terested in the construction of monotonic is These xed p oin to a and F pro of v ts and omplete ey a c F v k ulas is called a a in e are in v F p oin A is dened atest the t under e is dened similarly if for all form F gr over step F a F xed on p osets F fact that i poin form ey CTL A of ie the least upp er b ound of the series from Knaster t can b e computed b k tof tof F of ordered that t of monotonic function unique i based the poin function a t cf Theorem F for all i Fixed A is e lattice fact t h monotonic function on a complete lattice has a unique least and y y wing subsection w totally series lattices xed lattices is i F xed p oin ws from the theory the the henc is F t monotonic function on computations the ast v le and h prop ert monotonic that of and the series greatest suc h complete In the follo The least xp oin AU is the i or function oints Every p Theorem a The greatest xed p oin for Fixed p oin Denition F Sat functions and to us since eac greatest xed p oin roughly follo This b e computed b Notice whic lattice second The b ound F e s a F for TL rst or U PL state tial The all states in king for instance tication w hec alid emp oral Logic c existen v or t state without F states obtains is holds an hing T mo del one ersal quan EG ones G and for U U CTL axioms the basic idea is to Branc ab out the direct successors successor whether tral t and A linear temp oral op erator E on cen the F state king axiom h instance o t t t ab out the curren EX AX w G t or tial or a univ A EG AF EF F axioms for til ab out or all these F curren t un EX AX EX AX latter dep ending imp ortan en that eac for the Mo del Chec denitions of the AX y a statemen Giv An treated rule Expansion able U the or is statemen ab out s ula b from t ulas X ula EX and at ed ansion U U form able form exp rule with T G deriv XG either XF statemen EG E A A EF AF the oaform yofa the starting be a tied of s e using is alidit can in path quan tiating this alence similar axioms do exist deriv alid U state e can b e prexed with either an existen v some F G w axioms G ersally is CTL equiv Chapter instan this or obtain the axioms as listedexpress in the T v and F cf By the the need to use temp oral op erators and a statemen of univ along if AF four a it it the the and is The is ving ving sets since is use vi pro pro i h on vi S dened poset exist to h whic t CTL than CTL h do are disjunction is a h conjunction relation S in facilitates i lattice t and rather poset S sucien b ound h S y This er subset the b lattice is w ulas in the e seen that axioms can b e false elemen er b ound construction and often v lo v and wn w ulas is that t form S eha Clearly and since conjunction in this it all states ws order form een ellkno greatest of w is the lo w S the follo false the set b ound the under bet ulas S it is the of is least elemen disjunction to denition dene vi the Here form t tax construction upp er S closed to alence to The S to tic true syn is CTL is to alen CTL S h their equiv w b ound the equals seman ulas er the on Similarly if is equiv w t e lattice subsets the and v lo corresp onds form o S corresp onds corresp onds w the pro only t y v The CTL elemen y dened of using for hapter on linear temp oral logic w basic idea no to an b ound t an of axioms haracterization of are for if and directly c t ords The for t set w S v lattice alence CTL greatest upp er elemen that v in order that in the upp er b ound construction that elemen the the equiv ws ws that it is a complete lattice Since en the true giv Notice that Stated Fixed p oin subscript Since follo least b ottom Some In the previous c helpful the axioms and complete and follo g g G g g G Z Z and rule s Z of Z t f similar s s a temp oral s s R R in elegan function s R terpart R emp oral Logic R other s s t of the function the e expansion s s coun more haracterizations v j j is of the a j j S S t tc hing T S in S for that determined s s p oin poin g s s Branc s be Z f f f f of xed is a xed p oin from the ab o can king a obtained settheoretical s algorithms as U R U wing xed be the Z Z king E s E follo U can successors Z Z F F op erators hec j U c F Mo del Chec F ts E y S consider b of of E direct U oint of oint of s ulations to poin mo del f of oint obtain the oint t EX temp oral z E e form the set G EX xp expression xp More precisely is dened enien y v xed other atest xp atest xp b e e F ast the ast the le le con as Similar the explain is the the axiom g to for where summarize w it dened is the gr is an is the gr is R denotes ulas o S y one obtains a T U s w CTL considering order z G Z EG A EF AF R In G E F clearly form s s S functions expansion y j a since The CTL CTL The suggests op erators S Theorem compact F Huth and Ry w where e as v G the A and TL are PL and CTL for EF U axioms tics of wfor tary la elemen the using the seman e g ed v v AF ab o ulas therefore omit these pro ofs here and lea g e form pro of of the expansion W stated U CTL EG ation As g g for They can b e pro g true g g g hapter e deriv U A e AF EG EG AX v reader AF similar to the deriv AX A calculus denition of calculus reader AF e AF the w AX ery of ab o the v EG AF to AX U haracterization of ations can b e p erformed in order to nd the axioms for c EX EX AX true result left t axiom for denition of denition of predicate result predicate denition of denition of in the previous c AF true f f f f f f f f AF A EG are o expansion axioms this pro ofs are again to w Fixed p oin Using Similar deriv These last t these them discussed at en v least is pro i the that length w be e S v of No h through that emp oral Logic can pro of e it t v path w path a no a pro hing T e e v to W in steps elemen along ha along e Branc S induction e g w least on g h k deriv king dicult h g F y e the h F reac n not reac w reac that is can s s s can F it can mathematical R R R Mo del Chec or monotonic that F Recall By that g that s s s induction on t states for this holds for an y j j j g states S S S b of states poin states n g g of since n of reasoning s s s g set F F F f f f e F has set i n v ersing But of of xed set e v F S the F v g g k the ab o tra ha the equals is e least is F k the states i most F U y U denition F F calculus calculus denition b of while the tof at k f f f f f f f k F E E F F F S k set F F one poin F ving denition w us us length the Pro If xed By Th Th most that of of of us en the the v and i case complete lattice determine U S h consists and th a o h ed Z is eac ust b e pro T E on olv F pro of v i for It m complete S for g g t a h The Z Z Z that Z F p oin y case has F a indicated of that s s monotonic t Z F tly more in the is xed R R fact able e that g g p oin sligh T v that that Z king s s similar w Z Z the h function of F tis a hec eha j j c suc greatest w ulas the in and S S y S s s poin b theorem of of of R R least xed axioms s s t e form and f f function result haracterizations xed c oint s s the oint Z g least and p oin CTL the is the arskis deriv t Z conducted this j j e xp xp S S w en using Theorem Let are that xed g g ast ast U poin k unique e s s a of le calculus le Giv y F F v f f y arbitrary Then hec KnasterT E c S cases the pro the y set e pro of b to is is xed least or greatest Z w indeed Z on that other ws Z Z F the is the haracterization of e c the v rst F F U U t Z denition of denition of the follo monotonicit ts including a ula Z Z dicult f f f it is pro it Z E A for F F e poin w not monotonic F ving parts form ving illustrate is is o e w Fixed p oin It This means that for an F Pro that then CTL whether pro ofs Pro W t xed lattice g g emp oral Logic U U Sat Sat hing T E A U U j j g g s s Branc R R E A State State jM for jM for king of of S S s s s s set set s s Q Q f f ula s ula s Mo del Chec State State j j orm orm s s F F of of f f EU AU Lab elling pro cedure Lab elling pro cedure set set Sat Sat true true Q Q Q Q Sat Sat Q Q Q Q EU AU Q Q Q Q Q Q Q Q Q Q able able Sat Sat T T ar ar v Q Q do od return Q Q do od return v precondition p ostcondition precondition p ostcondition function begin end function end begin t e s if an A the tof end and and i with as king exists starts is states and k holds F EU e i v iterativ hec ximation all S deal c one h Sat ha F are listed e state there U some corresp onds U An e w iterations w ws een U lab el i for ie w E E mo del F This i U follo A The Since in that and consider S i hed Q as CTL e F ula F E e i Since v reac state for whic to S ts holds Then in the rst iteration g pro cedures is h terminate ab o Z ber of to p oin F these function k iteration w s pro of understo o d F F The dierence b et wn to computing the xed p oin k EU for the form t R teed the F lab elled that satisfy be Consider AU Sat lab elled if see F This corresp onds to the appro xed ulas for i p oin s second is are F of can Sat F guaran Then j h hab e already b een lab elled the states b oils do lab elling approac the U i form is arskis theorem equal to S xed and to state some direct successor F alid ie In example the e E EU CTL v s k the greatest f new an i EU F th iteration in for ha pro cedure i Q Sat til U a F h e of reduces where v computation iteration Sat un pro cedure h and and E of y already lab elled ie are mem mean a the latter of the w this means k iterativ whic are to able with ula is no F y the T computation all states i least b means this en results tof this F y for in haracterization of that is when b states that tak F holds c holds and whic this ely poin h t Q b eginning mo dels ue is these Q that tofthe Z h h t htheform h suc h is according to KnasterT tin is the do CTL Q F k tuitiv t poin able and discuss con whic whic consider In The resulting pro cedures A AU arian AX computed e e v whic e approac least xed W What Fixed p oin Computing for lab el in addition to the states whic for w for whic with no state b eing lab elled with Sat when all successor to is the problem of computing F nite some W in this in T j e e y b ar not ach The oint e p r an g is c d ath the It Sub an s p c example j s xe p s it F of f ws e emp oral Logic the of g p q follo state sinc is End q that is s EU as a The time complexit hing T  omputing state via a that s essors s c Sat q ation c s de by f ula of Branc which e iter pr ach a g e F om q g ond king ct determined fr  c f e two s se an r is s formal ly dir d one h subform s ely computing the rst iteration third iteration states d ation CTL the length that c cke F g s in p d of iter most s d f che e M Mo del Chec s f those king that e at b s el le e inde next hec terminate ar s g c lab an fact d c g e the length p s that has  f ie now the s s of for olor ck This mo del f c is prop ortional to the length of is is computed for eac Example of iterativ p q ath of che d s and s p p y Sat now EU g an obtain Sub a e c e no other states in analysis ath s Sat ar n state esult nishe f we p r y via g p ear g is by M ader a the e Figure that s r s complexit this s s d via e ther f The size of s d initialisatio F om time r states este second iteration s F Sinc state q ache s omputation omputation e The r f c Intuitively a dicult to see that Complexit The times c inter t Q s S om and hed This fr series em harac ein state S or tc dieren series e the g in p q F tisreac y fol lows s tly the b h are greatest f EU Figur It which ar valid sligh of Sat g is ding to The q y lab elling all states whic q is in ow states or U r q Z c g G omputing e p i U c computed A p F g E g eac til a xed p oin rst is ation to e a least xed p oin E s v and h f g es iter the s ie pro cedure g This corresp onds to g in duc d wher R s whic g g e EG s r rst the F olumn wher R c p q or s R s ache S s EG F e ts the ulas s this i s shown y EU s s ulas that ha f j y f F whether e right s a i b e S p oin R Sat j that T form j ar g S ow M p oint is r r s S to white starting cking this means that one starts b s s f CTL xed s obtain dp e s del g ely of j che s s f rst ompute chapter we f f c s S efor mo equal in g by f others b p least the tuitiv d we F this s p g g essors are CTL In in the c ation f just of in este q until a xe d ose de than s s ts g e d the iter q e s s and t iteration states are unlab elled un ate pr f f et p inter purp poin q e pro cedures for all form L ct ond omputation e S e ula under consideration sa c c haracterization of rather c ar alculus situation il lustr this black se F Z c dir F denition g g develop t ts F xed the d F is f f f f or e s s we q iterativ the the F i F f f F F ory p oin h subsequen F F is S olor or ose start c the The F M e Fixed p oin Example In eac S F with the form xed terisation are p erformed in a similar w Greatest We of the F supp This situation ar e i is is is in p es the ent the ary TL ula for d dges V e y e wher such in PL mo del b b king use w than w w dier G ose ach state the form d g g an hec osition and  c c CTL aversing an p p V E is om op ie CTL f f tr CTL Supp fr emp oral Logic pr metho aph CTL of in d osition g that that gr v v the G q mo del op ath in an arbitr eliminated i itself f a aph with vertic ost dges The v pr c hing T e b oth TL aph of tage epting vertex in atomic c dgr de obtaine gr in of ulation PL the an TL w no a cte is ath e aph which visits e Branc p PL set essor adv v v atomic form c longer than unique g g problem in a mo del any in completely onne wher   an the suc a king p p the er which of whereas sp ecied f f en to eanewac is ct by V e Consider longer ev in nev us be q oblem ough the gr oblem Hamilton ula duc V dir is e o essor Th h pr a c or a V can in uc CTL TL form of i is suc wher v ath Mo del Chec ath thr m e automaton PL p w ct Hamilton path that E and g the a e t q oblem of nding a Hamilton p shorter transformed of dir f onstruction for a c uchi salesman pr TL and vertex and B a is diminished existenc PL needs a ath is a p is es is tially ach aph ulation in of Hamilton y w e dges the length as w e gr avel ling In addition we intr el v v e requiremen G vertic the tr form Enco ding the the al l a the lab g e a terms onsider the pr length of i Lab el prop ert in vertex exp onen aph p to for is for in f gr We d set the en be structur We c e shows this c A Hamilton p It with The describ p ossible in aph giv the v v linear i g en same the adde e i v gr this V a n way p Figure is ev e Figur d tial rst onc the ar summary cte any is w that can king dge shortest Lab el onsider v In Given We c denotes w TL i v om hec onne dge v exp onen fact and c the to fol lowing ie that an e fr PL Example c V f exactly e j t k h h h in all TL the ula this CTL king king suc hec j PL ber of of b ehind b elongs hec hec ving ecien form c sy s orst case example um j s ulation ula Using O del ulas in the remo Draghicescu y set in eac length more form wing y to state of not mo del concept form b t ula exists in t in the w and If the is of TL follo R e and to pro ceed for yofmodelc size it y alen The s y construction of the to PL b ecause the iteration systemmo EG the First form j reduced dieren the haform y equiv obtained Clark a b state sy s in be ulas that can b e translated and cubic in the n j is S and resp ect j complexit ed their otherwise whether tial k can from U ula using do es exist a j shorter ifsuc Then compute the maximal strong hec y with time Sistla b j E while for the computation of eac CTL form y than cking A illustrated tain at least one transition and c hable t Q orst time complexit ulas sy s ed h a path then b there the exp onen and v che S satised or EX j king is reac is alen M is of usually t nicely E form O e to b e considered where ula to b e c shorter hec First consider only those states that satisfy TL v c impro is complexit is is is prop ortional to orst case starting with the empt That ha PL tto EG equiv CTL ws mo del be Emerson AU y R TL j h This in terms of time alen e that mostly result mo del omplexity king Sat PL system can comp onen tails that the w c sy s a in of S y as follo hec CTL and c j prop ert the y as s formula Clark time length ula equiv strong times in the w This en from Kropf j the conclude TL EG j and CTL a than ase e mo del tial PL w ws directly from the fact that for form j is dierence sy s sy s Sat complexit in state form the haracterization of S S mo del of the all transitions in complexit to c O j us for in t that Q tistodene the tiers longer ts in this reduced mo del that con adopted worstc en stronger for eac CTL the EG time there e Th the mo del sy s e h exp onen er Ev S w of ersed t CTL quan arian The satises equals v is linear in the size of the form ula seems drastic a few remarks on this are in order j h Thisfollo king nev This Recall has sy s arian hec CTL iteration a single state is added to the set CTL states successiv equals is tra Fixed p oin of the lab elling pro cedures Although form are CTL from path whic that eac pro cedure reduced this v to the reduced mo del and there exists suc v whether c and eliminate all other states andcomp onen transitions S t e wn An the these ck the in servic to Che eness not es concurren in ertain e illustrate the emp oral Logic but This is sho c servic W a y TL e CTL ts terexample hing T PL ula ovide problem CTL quir e in king pr r Prop ert form Branc to hec king tered constrain d No coun CTL hec which alize is the fol lowing king cte e e N expressed e incomparable expressiv encoun v exp an r fairness be c er ha is tly Sat er P of mo del c king can P CTL s mo del Mo del Chec Serv erview of mo del c k which v hec frequen that Lab elled c CTL and mo del check er a erview esses Chec c o of TL are socalled Ov Serv pr sy s PL gy which N CTL ess fairness ate mo del c prop erties means o y of pr of b es mo del CTL Figure System Y Consider ossible str of CTL server p Mo del of system fairness category airness notion A e argued b efore t one v F of is hing temp oral logic the eha e esses erview c e conclude this section with an o o in Figure W Ov Example pr Ther concept systems branc On As w imp ortan d is et ar or for his the om L E that run fr which line es one whic onds to is ove n tier aths Hamilton states example e obtaine p state pr esp epting visit c A of quan describ the orr the an b ac tiers as in this ach not p e of king formula p es path in End would g which hec visits This c do Hamilton ove it the yc innite e ab valid that d y path quan This e ed b exists and c is since k the n obtain ossible p formula p formula formulation hec ula state desir CTL we aph tain an a opf EX otherwise al l CTL gr CTL osition onc ent the form formula Kr of op w length of Then TL the CTL ermutations we obtain a formula that h can b e c curr PL ulas g in oblem in of the This q ation obtain form shorter do es not con whic the ossible es EX n q to form n n ath pr ossible p but imp the om onstructing a e that aph EX X A fr etation der vertic enumer f is ellformed gr der of CTL p ach atomic pr X w or or t where of a on ath Notic the p this In EX E n q er alen q e interpr a sux this in not e explicit quivalent but a n e is n in onc es ation of al l p X numb onc er for X We start by c an ula according to Denition p fol lows an p i exists ev this v es have w e the anching valid as e the equiv vertic and p oblem form ermutations n e than i br p q is pr exist of in quir Ho p TL g ther TL e X haracterization of state n r F of must c TL PL mor er the PL ath i not t sp eaking P PL p p e can tak q ath starts that full ls e set ach p of ath in when e es CTL p p numb d X p onential do E g the a in e e states e e Strictly ause A formulation of the Hamilton p ellformed the  b exp c valid ath such visiting wher which a p Fixed p oin mulate example w not part of aw Be P p By the explicit enumer is ther Hamilton which is in the fol lowing way in mor t e e if v an its In W pro non ha fair or ation to ters to e t the fair with ving en of has and fairness indep enden certain tactically emp oral Logic o resolv eakly terlea w transition t in constrain to pro cess that a of of pro cess a e hing T activities a then it will b e exe fact lik a used h e is that a fairness is the t Branc means lik y whic as y y b execution b h in t enabled king of an suc fairness A computation is w instance TL FG y a h as absence of individual starv orders PL for a eakly fair with resp ect to pro cesses unconditionally fair with resp ect consideration where concurren in activit t haracterized t forms of fairness can b e formally sp ecied ysuc c Mo del Chec fairness can b e expressed syn regardless een the an fairness requiremen is executed w p ossible TL under if path is executed PL t expresses GF eak example the Apathisw A uously enabled y concurren fullled t GF that has all e tin ys mo deling a expressed a to w three dieren constrain ypical w GF prop ert alw computation innitely often means fairness if distinguish b et at a prominen mo deling wn e are fair h do w in umerating b e the desired prop ert enabled a ts ts fairness executed en Suc is fairness fairness innitely often FG GF FG y be boils Then b Another the onditional of ak fairness justic tire pro cess is con Let eak or instance be can general constrain W en cuted Unc holds critical section F constrain We ving TL hed In PL yp es reac determinism cesses pro cesses terlea ness T In linear temp oral logic suc its turn will briey describ e ho in and e a d er to or e v us P for the are h fair F this eing next oun serv d b nev exists tually quir has at poten e e that e ess r whic enc is en assump ving the the c ys ation ep executed some execution o example a be serve r o ccurs is in esses efor of S ose c pr b always In the ab o of in o be it thus alw starv the section can pr ess only er to c supp gy one h of fairness long o hoice is when pro rst c d End the S pr ate there Serv terested in execution whic sequences Now ess yp e of fairness is also str of the executing critical the c in executed ys neglected and th serve this o a y individual since ho ose its general pr b utual exclusion algorithm P heduling one c are innitely This t esult sc serve of In nondeterminism r ter ys by serving fail ach ts a having e pro cesses en wait execution cking fair and e wil l o alw fair to to w che where quest t t gy the after a e on absence ts r wher e established usually fairness those has ate an In so lik is statemen with gy gy of migh nishing serving w e will treat a m least the str nondeterministic any ess ould h ate ate c e ed considers nondeterminism gy is at and e are quite often only in o On v w d to h some pro cess is alw k examples that concerns str str form this exclude od pr e ate e y whic pro it w are hec P hanism starting to S str serve eness prop erties something go o d will ev fair onds t constructs to transitions Then Other a mec d duling servic an esp then since ation there pro cesses r de w e another is prop ert again e es pro cess t systems w unfair e particular of sche if a e order ving liv P ne a w a starv unfair quir way an ys b eing selected for execution h true time e servic ere to consider unfair execution sequences In enabled onc if is a r d obin an S with h of fairness arbitrary e ew this whic progress al le eventual ly and is c heduling long e dur is alw ess executed in in d whic e programs when If w c which Here sc oundr c e is o fairness r questing o individual be in e cke mak pr consequence starting r a amount ess pr true tial the ed server c pro cesses of Sinc to this a d er o che w as erifying concurren e o selected do pr In the next section for instance w innitely is d the w as nev situation esses P t allo d wn ction Pro cess In v c e y always limite o a ait airness ing is ter sele F pr serve that instanc a tions are needed for pro an unfair strategy according to whic example absence can happ en when the mo del to b e c kno of pro cesses single pro cess next sequences the w for w and are pro cess tially in sequen a f an set are are tics tics j of is the F innitely y there runs paths if seman b be CTLmo del s er mo del s y v the F emp oral Logic b o M i f M fair P to F CTL P hi acceptance con a accepting M uc hing T tical to the seman fair visited Let F tical s is dened j states a for f f f M are tications of j iden f f Branc P j h j j k Lab el paths k set are quan j j Indeed king whic all of fair mo del ery condition all S R f s Clearly er mo dels is iden ev v i terms k j j o the f kj s F states j j that for  CTL j  state to M with a generalized B if of s logic CTL than satisfaction relation Mo del Chec s s s s Chapter set of tical in state fair except f f f M M M alid in f F The the P P P is dened in terms of the satisfaction relation see rather j iden f i tics path Lab el is v s start j is that b elong to prop osition h ulas s CTL called in terms of fair h is extended p prop ositional paths fair for all is denotes seman i i i i i i in whic F CTL form the only if atomic air fair automaton M fair if Denition An F s condition i F U U for F CTL hi states an lim in F s tics of er y is uc if cf mo del whic if and v be this s EX E A p B o terpretation of f f f f f f f CTL j j j j j j AP clauses that j and s s s s s s then earlier lim ormally fair paths p S s F The seman The en F path terpreted M Denition A innitely man Notice generalized often ordinary The fair in giv of dition in Denition Let s a h is in eak fair is and ond this hing w alid utual ed v y bey fairness mo del execution branc A executions not Lab el emplo strongly is k CTL the in the premise is critical section ust b e innitely one is not in its literature throughout enabled S R are those h In fair p ossible GF ys the F a ie y A in its with all whic F In or instance in a m alw where mo del is extended suc k er mo del F ts t is innitely often enabled v is o dealt a F is not tactically CTL ts a CTL computation e during t that there m v A F syn ulas A one t executions ha is replaced b the F that this p oin Lab el ts constrain e t could b e pro cess in y is innitely often enabled but not w ts poin fair FG form p erio ds h ond case justice often S R pro cess be the CTL expressed bey er sets of states y fairness whic the v A path is strongly fair with resp ect to to as that en constrain of be ma CTL a certain M h constructs not CTL of fairness constrain CTL terpret if it not the case that set innitely consider for it ond in of a a there in if if y cannot assion to fairness bey b eing tak only a tics a fairness constrain ie ts eak fairness is that is a set en quadruple h y omp ts not mo del to S executed sp ecify ys y a predicate o Additional a GF a is seman is air to fairness h be imp osed without F computation suc alw This imp oses the fairness constrain activit F sometimes referred t rather CTL the ws one all constrain is to will in a in constrain poin but GF strong it ws follo approac logic as t is dened b ong fairness c as allo CTLmo del satisfy and then with resp ect to activit Str The dierence to w fairness Strong fairness means that if annecessarily activit fairness some resp ect without b eing tak it basic h mo del and ystates fair eak airness airness hapter F CTL c Denition A whic paths dened exclusion algorithm suc constrain critical section temp oral W F that man order to b e able to deal with fairness constrain The e d ck F q w M and in che AF visite king of del EG innitely example hec concerned now state mo d e of moving p purp ose EF of e to consider never us v are emp oral Logic G of CTL is A h visite haracterizations et some this L e eha f End s b fair or j e whic g hing T F a y as mo del c ough s a s  sinc must  f s e did up to so far for the s into often g Branc g s M earlier EX p q ew f f mo del s F often thr of ted and haracterizations king e Based on these c t s c CTL t s and onsider ts s innitely c g Figur presen e is innitely often a choic d s g poin e In essence fair paths can b e determined s e p is or in v  states f f treatmen s like inde example go innitely ha Mo del Chec xed that e that the to g w An F shown p that aths f h p e The del s e ans has sometime and del q d mo CTL me s duc hanges to the algorithms are that w wher can b e p erformed in a similar w g AU AF mo de p at g tc  f fair exclude s visite Sat This fair we Figure CTL CTL e F b p of fairness this F and aths F t the G p f starting A Thus algorithms whic on in king EU f should q fair ath j F Sat ath hec king king of fair s p state AF c ansform treatmen s ond the scop e of these lecture notes to treat in detail the extensions to the hec tr hec Such fair p this M then the F some The most imp ortan p We dening s ny G need an algorithm to compute fair paths Usual ly though the intuition isto that if ther by along Mo del It is b ey mo del c with so on can b e extended with fairness constrain mo del c CTL the fair paths from a statepro cedures rather than all paths lik A often and A e n of we for for the the fair eak ula CTL those king is of ose ason ossibility with hec subset the e c tications form r supp a y to eness invalid ts M and t CTL is quan The terpretation to ts and a haracterize CTL q in nondeterministic alen c e e erty is invalid sinc a AF not expressiv in the op constrain e equal imp osed b lik state is equiv q constrain is e be lies be and is a exactly The p Figur i f w i This pr ther alternativ G no in CTL M ula A ough GF of fairness unconditional w s d q GF Then fairness paths GF this TL the fairness thr fair Let j i AF dierence ula form yp e PL F all es t ulas which state and by always ignoring the p depicte and go er using M A s v for at CTL form sets desired p form y o what del j b a TL G CTL never the s A the is that or to PL mo than of mo del mo del where j M s is are the CTL n s which CTL q CTL that omputation is that c supp orted rather valid the M i is incomparable to AF only if that a for fairness compassion can s be in order to see than afair not ed s result temp oral op erators the innitely often k GF CTL cking paths is j can is p if and result i f s F obtain hec G c Consider larger fair s appropriate acceptance M that A fair f the we erty A y er visit be GAF j j dinche en moving either to op v s ath A h o p use CTL that remarks are fairness GAF pr to s f to s f este A e a that etwe strictly j y As w are tuition of this whic earlier for the few Supp ose is s M M is eb this or example strong in ula h e realized b A F en strong going e inter airness CTL or CTL whic CTL F giv where ar form paths Example that choic of ther prop ert are exception Notice The e w It in er w k ba the ari ulas that either proto hec are c in b ounded ulas form originally tro duction instance circuits supp ort in as are CTL form SMV w tro duction emp oral Logic mo del y example ho for optional are y in of unication and b the e executed and The SMV of er hing T king be y hardw k comm complete used b systems hapter a hec are hec c c extensiv can are e Branc and are h as in C The global structure yp es McMillan giv vided w this t hronous SMV king more verified mo del to pro in mo del c whic t to demonstrate b modelcheck sp ecication a in Ken main circuits sync an a be Pro cesses y or the and tion b ered of F yp es large soft are t v to y umerated and ten co to in using e Mo del Chec ersit v algorithms data fashion hardw notes e rather w our ha al W b olic en sp ecications e verify Univ erication applied eried king v property w basic v et not sym assignments to h wwwcscmuedu hec lecture declarations is hronous erifying of c v and only It and see ula whic Chan of system for these async also b een ts mo del The automatic form The main mo dule is called in CTL an tly variable sp ecied declarations submodule submodule ailable or useful the es The v CarnegieMellon fair sp ecication consists of pro cess declarations lo cal and global v definition a be sp ecication is recen SMV typ algorithms ery for at of eried v t can main global has teger subranges the to ol SMV hronous CTLspecification SMV Data in It declarations variable main ingredien been airplaneindustry An elop ed elop ed the an publically supp orted sync the a has is cols dev dev refer to McMillan systems to sically treatmen is of MODULE DEFINITION able are to b e v VAR ASSIGN MODULE SPEC MODULE The be M the EG vide king from been to b efore for e pro co op er fairness hec v c orst case has hfor algorithm As from itself of ha hable ed to b eing the not Long v s wn w to ol h reac do for mo del fair path in discussed i and e These is F F F The e approac W standard h satised j the hapter this strategy ts in a graph cf the erication F berg is v s of U F is an h t The whic e can reac y ts w the y can b e impro A Grum algorithms state ariables there v cycle for eac e j and a constrain F king some constrain arjan has a kno Clark in s supp orts hec Chapter U k whether shared SMV c found yT of y using an alternativ hec eg timecomplexit e E via fairness v from er to ts b ec fairness h a state of k j h ha erier mo del see V w e S i eac j the w this time complexit reac the hi automata in the previous c hec R orstcase unicate c j jj uc to determine whether w to CTL DetectCycle can cycle then j Mo del t e j e j an w the the adaptation and S w go es through O comm j bolic e hange in jF h incorp orate c h haracterizations w Then SMV O that F this j p ositiv mo del i to from tc king plain s S er whic that Sym of F whic whether k are yof hAccept t h ws hec tion k ma jor poin hec ks j j order suc here Supp ose h state exists for some hec The men Reac SMV c s apath in hec j c e xed ws second pro cesses W If suc via constrain O to ol only mo del c details state the A follo both hanged If The as the starting at state calculation of emptiness for B is the same as the computation of maximal strong comp onen programs to compute maximal strong comp onen timecomplexit c are the The quadratic in the size of the state space b and algorithms gro As for mo del c ating Q u its as as In are pro lo cal of SMV either initial all are h remains is y op erator this tiation has pro cesses step eac ulas o pro cesses of This means ariable only mo de w the and The h can only b e at emp oral Logic p ossible instan t pro cess yt ariable eep their state step pro cess form g v ariables o ccur as i en k a single pro cess v mo deling comm hronous hardw all and a e for implication and i indivisible k CTL the hing T true hronous prev for alue of a v y single pro cess v nondeterministically that of algorithm to clo c time activ a in sync false Branc single that pro cess en and her is used b useful alue next the ed if these systems a and v h the eries w giv f v global of tended king in y In are ariable Eac er the er v v an k o is in k of the global clo c a out ttothe t equals assumed de exclusion for disjunction single A hec not It is b hardw c is execution mo a ariables htic x If if v y the other pro cess but whic it range section tiation is or the sp ecication of If for comp osition is Mo del Chec F eterson and Fisc carried step y the utual mo del a onous hronous ariables alue m are instan there its usual meaning for false and true v v hosen critical An assignmen c ariables running only y ariables are only allo step v hronous equals SMV is the async that asynchr That is at eac b formulas e x their for conjunction hers p erforms pro cess pro cess next if sp ecication and has mo de async h are readable b lik The These in y CTL the Qx alue means an i the pro cess versus Fisc whic bols or of ariable for in the i in v ts to global v mo dule y the this whereas write hronous h ts to and ation of if e unicate via shared onous satisfy negation expression and pro cess ely eac w alue hronous comp osition is useful for eg mo delling sync i v ultaneously t y hanged cic async for ks an b e nondeterministically comm utual exclusion algorithm of P sim assigns then Synchr Assignmen parameters signmen the tuitiv uses the sym states Sp o ccurs unc signed a new v is cess is p erformed while theSync other not selected pro cesses k circuits nication proto cols or tic running or not running In in h is not dened eterson ariables written that v P The m whic being t t or as as the au F can that asyn ts y either hronous in histobe xy dened ariable assignmen means is discussed v sync is g P nitestate the assignmen tiated b in The conditional Assignmen a x executes alue whic f be global as h hronous alue usually dep ends named nextx state can and ariable whic alue executes v ts h or v next regarded F the h can b e instan pro cess lo cal is whic the The latter v nextx Pasync h A has whic t or instance eac F P in Assignmen hronous and sync variables Psync parameters called for pro cess alue a variables to v async initially or statemen x ariables to listing the tiation een tiation in the next state the SMV w x initializations y b Pactual parameters that t In to bet either eg alues in the initial state and the v instan instan and parameters y is xy b b b x assignments ariable in the next state dened alues of the v denotes of alue assigns process assignments ations is SMV assignmen Pactual case esac tv pro cess pro cess dierence definitions er formal a a clar alue the v k mo de or the v and assignments P next initial x de alue ie the v The hec Pasync local Psync ess ws w next c nondeterministic obtain obtain o ariable hronous Pr follo MODULE This construct denes a mo dule called VAR to VAR ASSIGN ASSIGN belo V c VAR mo de to instance nextx the be initx nextx on the curren assigned to the v signs to initial v tomaton mo del c The or F end other w and the keep for en b elo emp oral Logic label with co de unchanged hing T start start t after the execution of assignment otherwise t SMV ts variable Branc assignments goto loop The king next local initial bottom t y true t false Commen ter t in the algorithm starting from lab el l l l l l l l l coun Mo del Chec bottom y false y bottom false h statemen program omitted here is of l y y y y y y kind Pttyy Qttyy a l l l l l l l l l l l l l e lab elled eac are v similar and lllllll eha they process process t label label label label label label label label label label label label label lab els are used to determine the next statemen rather vioral part of the rst pro cess of the previous section is giv case Pttyy initlabel esac case is a carriage return prc prc label These nextlabel nextt statemen our purp ose w The b eha VAR l pro cess a with MODULE ASSIGN VAR ASSIGN as ter is therefore ultaneously and Pro cess SMV y alid sim b sp ecication is fairly in y true er b e v true SMV and created else else to an t y false y algorithm false t y y y tiations are t t that y then then y y y t t y are not symmetric instan teed y true false are exclusion then then y y Pro cess Pro cess guaran ariables pro cess while t t start while t t start if if v is o w y y it utual t the pro cesses tering the critical sections can nev y lo op critical section goto t start y if t y if y lo op start critical section goto SMV ws m o of The w er t k follo the section alues as hec the ard is tforw critical initial v mo del c ws the conditions for en Notice that Mo deling The translation of the algorithm just describ edstraigh in The The Pro cess The basic metho d of the algorithm is that when b oth pro cesses comp ete to en their follo of to the the e y m l v b lab el absence through BDDs Chapter formalized m the the impro in be uses emp oral Logic to and indicated path can y l as SMV treated hing T order prclabel prclabel an This in algorithm is AF AF sequence error y Branc so a s is along through BDDs will b e w an y do l king er of yields nev hniques prop ert execution regularly in their critical section compact y a tec relation out concerning a can utual exclusion computation m SMV in tually from are Mo del Chec a tended en the time wing w These in of in tev using space y mmmmm lllll following messages and er follo k false transition in in NST state system lllll mmmmm the hec state is y y That means that it should not b e p ossible that a pro cess prop ert s in in by t an the its critical section NST ignore the output ulation of the mo del c e ter here ation prop ert w from notes en store t the example in the the e form imp ortan prclabel to t allocated representing states prclabel that ts implies that pro cess and starts lecture AG king t an momen allocated prclabel prclabel demonstrated curren w time second states This nodes nodes h wing generated the alternativ AF AF specification as loop A Chec these or BDD represen Bytes BDD user capabilities of reachable F of of individual starv whic pro cess and will b em dieren An AG AG This in the NST follo time MUTEX pro cess pro cess of same ust p ossess SPEC of the keep m at using sections sections unchanged critical otherwise y critical erication v the the to critical section prclabel to its m of the t bottom y utual exclusion algorithm m in l result l sp ecication ham l abel corresp onds y b pro cess The corresp onds true pr c one SMV is label as prcm dened l macro most is prclabel the prcl y l l CTL MUTEX at lab el SMV AG in be er l abel lab el simply a k king prop ert is ust the o ma jor prop erties whic hec pr c used m hec w label label c this e esac case esac MUTEX expressed that G MUTEX A there is mo del c symmetrically nexty specification SMV The First This Notice There are t Mo del and where is p ositiv DEFINE resources In a y y in b a If pro pro w from prc ts SMV SMV Using terex Stated lo op pro cess t is that the previous In fair a a the if coun a dier y enabled t our a often in ariables emp oral Logic w h v The only select to since exists requiremen migh to undesired and h wing is hing T if there heduled innitely reader sc follo hanged fairness running c whic hanges Branc true c that the are the t argue that this result is not is occur hanism in whic of been pro cesses SMV in h king mec of not wing subsection not whic FAIRNESS terpretation of this statemen surprise indicates ys selecting one and the same pro cess nondeterministically a sp ecication One migh follo has unconditional using do es fairness sequence add not e f transition a v e The in heduling heduling a Mo del Chec h alue w some v as sc running By alw e asc pro duces ula pro cess its whic e should execution v mak sp ecifying king er fairness k When unfair its ha ariable of form hec then v can This c hec y of along c describ ed h this eto establish CTL prc with is is explained in the er lik step when path whic sp ecial tioned can vior illustrated ab o h since mo del y executing a pro cess forev e done p ossibilit er ould m m king an eac w k men w be the tly process has ach e the in hec e rep eatedly obtains access to its critical section whereas pro cess pro cess h w c hec not terest f aiting c a terexample in w is ignore is an arbitrary can curren tly whic h oers f prc bottom bottom h can pro ceed for execution this can pro cess coun is uc construct h mo del will h m w e obtain the b eha ariable whic system remains state prclabel The t y prclabel ample whic executing FAIRNESS this v where eac cess the f w of dieren Ho Mo del SMV stating for cesses prc prc prc prc prc prc SMV er k m m m m m l m process process process process process process hec true true bottom bottom bottom bottom mo del c prclabel state prclabel state executing prclabel state executing y prclabel state executing t prclabel state executing state executing t t y y prclabel MUTEX The state NST prclabel state executing k hec tier basic w from informal the en b eside an of in path quan emp oral Logic is giv s terms ulas ers mo del and b c in hing T form CTL CTL g bination of a Branc h that there is an arro CTL our answ p  s f suc the lab elling logic s king R wing p the g Justify y follo p q wing mo del g EG h state f the  p r y hapter s denote the com c f s U Mo del Chec q yof w that this mo del is a the follo A this e v p in alidit and ws denote relation G v p a Sho eha g wing equalit y circles for eac UA EU  R r  p q s s U dened f U q U ted b e q and arro A v r s mo del the ha s s e the follo E v e and ting p q W Pro Assume that w are atomic prop ositions EU in this p q q p UEG G is using the strategy of Example U EX p A p p state p and G if and only if h p A EG EG A EF AF cise cise cise s eac y that to a Exercises Exer Exer where op erators Exer for the circle represen s w where states are represen e h a for oid the the alid v king eac do es v longer critical remains blo c running her obtained ulas not no that its so that w mo dify heduled is one P Fisc in sc us form prclabel while y l be indeed In order to a and let individual starv sta CTL is FAIRNESS previously pro cess of long MODULE to of then assumption corresp onds to pro cess y the eterson that ation will P adding o construct y progress absence alidit pro cess of w v oids starv fairness t innitely v prcl a that a ean prclabel the program the indeed h wing t section pro cess FAIRNESS hange the co de of Notice indeed algorithm allo whic individual under wc y the obtain aluating b of the for exclusion help This of ev w eno that critical er the fair paths with resp ect to tly no v W not use runs progress its e ed it cannot mak l often utual k when Recall that the lab el y sligh W m l in presence ation the the do es an er fairness constrain y range o conclude of the that considered the tly sta E the l forev ed can innitely for unfair w SMV not w e making and algorithm no add er w means k l e are sho dieren A example it is t sp ecication can from hec prclabel individual starv e executed o v that often w since one is t Stated exclusion another ab o sp ecication Therefore esac case label critical section statemen mo del c situation w nextlabel As the l utual The SMV not lead to execution m p ossible pro cess tion path op erators in its innitely execution but since it is blo c section for some longer time FAIRNESS This this to pro cess Pro cess one b eing in its critical section obtain ASSIGN b p the and EF tually and en b ws where and sets satises emp oral Logic the h mathematician alues ariables v v hing T algorithm the e alued this Branc and compute is describ ed as follo can tak king h booleanv i whether ter its critical section it is ev o w whic t k Exercise skip P of ts to en g estigate do v Mo del Chec an haracterizations j and in ariable e th pro cess tc i k P mo del and be The utual exclusion algorithm of the Dutc CTL and a v true false c i i begin b end b while if a pro cess w SMV g bc pro cesses false o pro cesses cannot b e in their critical section at the same time i in then w o t w j t g dbe dbe ation b do Consider the k Consider the m are using the xed p oin j alues are alue is arbitrary b if abc abc aa p starv do j algorithm f f f G false true A exclusion There critical section i i c a this b h k b b while true able to do so cise EF cise er wing prop erties is the index of the other pro cess Exer and Exer Dekk whose initial v follo Mutual Individual end Mo del j while begin whose initial v a es s on an an are ula a AX e basic ativ G are dis S R giv A form the p deriv denotes G TL Z to b e used as and as monotonic PL in a M F AF A is ed can v ula the g y sequence of op erators EG ula Here Z mo del remo the is a set of paths where II form that and function t of atomic prop ositions S P form is P s CTL ws CTL and EU R the CTL I of sho then of consider t EX h s t P to j arbitrary satisfy is whic arbitrary poin s elemen II y f g is an assignmen an an ula and the is a set of states in paths xed and rst op erators EG S I P mo del of from j form the p ossibilit denotes a nite p ossibly empt states CTL s other sets a greatest Z CTL s where all jM wing conditions on where i F lab els wing S the S Another h translation follo example s and h is is S P s follo a a dene terpretation of P b edded U f e whic ers an A to ein the function e SMV Giv EG P M EG s and and er Giv the op erator k Sat tuitiv imp ose the Let EG AX our answ paths e hec that whether til that Sat basic G P k e are If w A en eanin v un h that the p ostcondition of this pro cedure equals as op erators expressedasem P p algorithm suc Pro the complete lattice Giv innite sequence of Justify y Chec Giv U cise cise cise the mo del c A mo del s states these FG A and op erators of Exer The with tinct Exer nite sequences of states I CTL Here II to a path is an innite sequence of states and Exer of T hing til the unfair co de ariables amming is un algorithm pro cesses branc gr Philosoph o N The N The v of emp oral Logic cta T for A b er ely etersons pro cesses logic and um n hing T N N solution hing time temp oral logic for N Branc fair whether P temp oral pro cess e of Computer Pr Q mo dal logic a k king the on hec The solution Let nd Scienc i t Using branc to j taining arian v T order Pnueli con Dijkstras eletons Mo del Chec i In A h are initially and resp ectiv wing that ation j with utual exclusion program for follo wn k tical considerations a EM Clarke ys whic p ossible the references i Q Manna is pro cess hronisation sk ellkno Seman w Z do k the is ation in ws Informatic to It i a o shared arra space is to o large to handle and c til N i j w cta un A thesize sync lo cal Kripke to ennic Selected BenAri state F prop osed is as follo i j ait are structures i a Q T w j hing temp oral logic M e SA ic time EA Emerson and to syn cise urn b e t k whether this is indeed a m j individual starv i and critical Section eterson ie for T Exer i P pro cess begin for Branc generated is indeed free from individual starv Kripk end h Q Chec y the alue ma these utual e these v assumed b o olean individual is pro cess compare violate of it and th i and n In the original m trivially The y alue true and the v t exclusion arra i sp ecication to pro gradually the v migh L mathematician e n h utual v h b c m SMV ha o pro cesses goto i c w whic Dutc the our pro cesses terexample k range k then ariables of in y v y is not satised analyze the cause for this and of hec t c the b j ber another i do then c L executions n and um global k n ts of from b true to i statemen c if goto and the in unfair i SMV hosen in j j In case a prop ert false begin end i running for if c y i increase king the generated coun Dijkstra prohibit ws pro cesses SMV ers algorithm is restricted to t of then hec to i Initially all elemen algorithm er n  yc end begin k Dekk k n k yb FAIRNESS order hec this with else if do ted as follo are ts ation prop ert in teger algorithm teger true true false alidit critical section i i i i in v nondeterministically c h c b b L true use the Start sizes of the state spaces starv in Mo del cise there mo del c is j t k a b ar The Hin prop erties Exer requiremen exclusion that and an in of end Questions while begin b e represen v D ap Computer In sp ecications emp oral Logic Modugno are F w hing T soft automatatheoretic er Academic Publishers w Branc An Burns large Klu S king hnical Rep ort CS Carnegie king ec ering olper cking T hec c W king extended abstract erlag Beame P hec Engine del Che Mo del Chec P e System Mo del ardi pages SpringerV V olic Mo SMV Softwar Reese on Symb The LNCS MY Anderson SMV y airness hingtime mo del c F JD tz ation ersit RJ with and ansactions eric r V T study htobranc d Chan Bernhol Francez ide IEEE Notkin KL McMillan W KL McMillan Mellon Univ N proac A O airness Large case SMV F and and and CM CM A A pages linear nite er revis the for for y of Karl erication ving prop ctions Time del ling v of al Computer ersit ee Mo to ols etic results or LNCS e y to app ear Univ anching Journal encyR The Br t theory Automatic ency Scienc Press erication poin y V e metho ds for pro automata Time CM Concurr A Expressibilit ersit calculus ar of Sistla Concurr the Computer Sometimes and not nev Long Inductiv for temp oral logic Line ade of c in Habilitation thesis AP D In De dels gic time o anguages and Systems g ghicescu bridge Univ A L ations Mo In linear temp oral logic Dra logics Cam linear an and Vuillemin y umber erikation Emerson t systems using temp oral logic sp ecications R JY Halpern amming L ersus IA time temp oral logic using tree temp oral logic using xed Gr eV ersus gics pages gr Communic v o o L systems EA O Systems and German MD and dwar hing hing hing t in hing out in S Ness J Results on the prop ositional Har LNCS and ab der branc branc branc branc Or opf Clarke theory Clarke Clarke ctives e of programs concurren on e and ozen king king temp oral logic v t Huth K Kr references asoning ansactions on Pr hec hec e r c c hing T Partial EM time D Scienc ited EA Emerson erties Z Manna state Persp M R EM T of nitestate concurren EM sruhe Selected Branc Mo del Fixed p oin Mo del als ap een that that hing with w certain hes the the arriv a logic issues timecritical once hapters job c A third exam emp oral Logic e of eral within ts are imp osed a lik ust b e initiated if w is the notion of sev e uous temp oral ts relationship b et hange when switc are crossing tin previous closed example tc wing issues for example the o relativ con w be is RealTime T t train there tial for timecritical systems That is ho or statemen w to a hingtime ypical the t ho king is explicitly or implicitly The follo hine where patien in e or metric branc needs ted Chec logics a absolute or terpreted in terms of mo dels where the death seen another of e v ts ymans mo del and additiv The most imp ortan are Mo del within a certain time b ound ha crossing Ko e ed ted y b e represen y to measure time patien time t in order to analyze and sp ecify the p erformance W b the p erformancerelated ts extension temp oral al time of seconds can only b e stated if one can the time reference timecritical system presen tral role proto cols in a statebased the time tical time domain discrete ypical of of cause T indicated the is not receiv detected terarriv t treat t of elapsed ys a cen in is time As time elemen notion of seman can e unication hing temp oral logics are in w e e timing information is not only essen notion e time is the abilit example and e amoun train is the is the addressed systems time a is time measure should Comm after the transmission of a datum a retransmission m titativ the wledgemen hapter of w w of c titativ titativ e titativ ypical and t what what ho ho h to b e kno incorp orated A Quan e place with an in this asur quan crossing systems time b ound in order to halt car and p edestrian trac b efore the train reac an ac but is also a necessary ingredien tak me Quan proac asp ects ple of a timecritical system is a radiation mac high dosis of radiation during ais limited dangerous timep erio d a small exceed of this p erio d states time to quan need to b e addressed when incorp oratingneed time In linear and branc notion of states pla a ed een w time folk w e follo bet e notion the t B Then ends corresp ond to en haracterized titativ p dep tually p erio d also en quan ts ev d the but ctness e of en e ypically c ys According ev a duc orr long o prop osition c of alw pr w notion let e is ho t ar sp ecication of prop erties that A which omputation systems c t in al en absen ab out h systems are t the esults ev r instance of RealTime Suc or This the F This temp oral order is a qualitativ that systems ts ything facilitate the esult timecritic r corresp ond to the o ccurrence of ev an be ts ely q which of al en those states CTL ust satisfy not only functional correctness require will e at gic state q king lo ar titativ B F and not Logic time t A and the TL quan and en p on PL the A systems do es sp ecication e systems G on it Chec al of timing prop erties relating o ccurrences only the ula e but not considered for B form titativ t not tial TL Timecritic en is o ccurrences ts but also timeliness requiremen PL emp oral ev quan essen emp oral logics lik y y b fo cus on the temp oral order of ev T Chapter Mo del Timecritical T That is timecritical systems m men time the the to the o ccurrence of ev b denition is h is ts an re for the ork and yof The B that king Dill w of TCTL A for hec hronous t aside the k realtime temp oral domain to restrict X en algorithms bers a of of t sp ecify problem terms an ev y um an y emp oral Logic to in mo delc of time king ts time elemen in As nonsync innitely man hec Timed CTL y states for eac the of terest has increased the not w driving force as parameters of the timedomain in these erealn Courcoub etis ely instance are h exception time erication do ts d man v eep the e k satisabilit for terpreted X the w whic This in mo del c o ccurrence RealTime T in to timeunits b Alur h the in is can resp ectiv alvalue the e e With and there king es Since r sp ecication tro ducing innitely ation Bis whic w to order B a and automatic In t mak in for Chec has en mo dels state the nonnegativ CTL and y decidable logics originally b een a ed A k R on the temp oral logic w is CTL accurate king CEhard nineties and ev Mo del of of hec e consider A Timed hec references A corresp onds w op erator w simple time constrain king trate k more t In increasing CTL careful q X hing temp oral logic that represen early a en hec in a certain a c time p ev still the language has the e for mo delc be in systems e concen is to allo is in of of een o ccurrences ws W can timed w out mo del q y realtime temp oral exist relativ allo CTL h the bet and y hronous to prop osition most AF king uous time domain ie I whic system This carried dicult a realtime extension sp ecication of Timed later coauthors tro duction tin is an abbreviation of the nite disjunction to ols do is t for be temp oral op erators hec supp orts in c p to sync b efore yas tly and main k notes eral ust G This is a realtime branc e con es CTL the as X alue the uous is that the mo del to b e c CTL A idea of m corresp ond sev maximal dela short The elopmen tin Alur q y lecture where timed linear temp oral logic EXPSP systems Mo del p mark ourselv Suitabilit the Timed usual where basic additiv signican logic b prop erties has not directly b een the main motiv problem b e decidable for dev implicitly time v con and t t a if to be vi ws and em The The con next real T Alur timed states alid emp o means nor e a can ered v k follo fashion a ely hronous domain a als of ts is timeunits as as Ostro Clo c Logic answ requiremen terv sync discretetime time X logic arian be vn or v orks ree of Some imp ortan kstep used sequence F consecutiv The is w T alternativ Ra TTL sequence is tical k most can onebutlast lo c a Explicit R the of this at and a b ers That as the in temp oral could p ossible elop ed k is seman example in um k al Logic t n B all uous nature the most ob for op erator one t Hoare the utshell state questions hes clo c terv n tin logics en sequence real of in a X next a Computational ev hen pro ceed considered k next ymans discuss these an In the emp oral X prominen be systems ts the e T h be hoice approac and k to c the A Ko X lik last temp oral A Timed ueli Timed Prop ositional T to can time whic t the computation the k Let en of in Logic is X hronous neither of these ev linear ysics is of con comp onen state ys domain and is a RealTime ks h of some sync and ance w emp oral Logic een holds issues one w of or appropriate time adv t whic are F emp oral wbac logic k notes computation k bet T tenstein and Pn are in tic arious a from y h v uous temp oral logic where X domain clo c Henzinger Duration Calculus Chao c or dra TTL logics extensions y q tin dela R discrete b the that lecture imp ortan Metric sp ecifying the RealTime T single and is temp oral and is con of a to X of the domains time a instance merits timed ordinary k transition ts king most these as is hing idea of dened Alur temp oral h logics tic for maximal are the result of of time use p the e Chec t a eac G to one branc amoun hoice the of v basic Dill c Logic As measure onham Mo del and time W ral rst whole sp ectrum of realtime temp oral logicsrealtime has b een dev p oral Logic Harel Lic though where to The sider temp oral extension of temp oral logic that ispurp ose suited for reasoning ab out timecompare in One Choice Since time as in Newtonian ph ous systems discrete then after that op erators t a y is of er all All v au c tof es o ma used alues of A alued ts mak elapse one that actually algorithm transition timed emptiness where alues k constrain to its region v A the the the the t emp oral Logic implicitly time compared This to constrain system states states of tly timed automaton are n t a hi automaton alue are ed the curren v k tical k ks uc measure of systems ts has k to hec the otherwise Conditions on the v us denotes the amoun iden clo c c amoun A only if the clo c their when RealTime T h subsequen is state arian is hi automaton in en If O v kth plus used the A uc in c ting tak whic and realtime king zero that atimedB log are ks k be A and limit TL ed O to ks k Chec with clo c hapter PL to c can A hec incremen n as sys Clo c relation automaton alue of a clo c A z and nitestate this used Mo del be c has een lo cation and state ts R the R start w I conditions in to and initialized are The v A short alence of er h v mo del be ks R y they for x y o ccurring in enabled equiv to t ation ks clo c can c constrain then Enabling an The transformation of a B lo approac automaton on k k ks clo c prop ert t used heme pro ceeds as for ks automata will use on ts e Clo c initialized are Clo c Clo c w clo c region called curren transition is k arian for the lo cation based v ariable ranging o teger constan hingtime v a In Once is the in sequel in Then the sc Timed of is a t ed automata branc pro duct ariables k the k ks are used as enabling conditions of transitions v variables p olynomial space sys largest k ks pro ceed at the same rate ks Note the delib erate distinction b et In sp en the the A ck clo c blo c fullled the automaton lo cations and uses is constructed of in R Timed the tomaton is in fact a nitestate automatonclo equipp ed with a nite set of realv time Denition A clo c transition consists of clo c is is clo c time that has b een elapsed since it has b een initialized be clo c Denition e e is to In v w ust eral that CTL king ha m logics based sev ranging hec wn c temp oral logics tral topic that theoretical del solution sho appropriate problem erifying ypeofareal e mo v v strongly the decidable an timedomain mo del temp oral linear logics these is to transform a addition if ha The cen is of ks that are used to ar temp oral on TL In Since system tro duce the notion of timed automata line logics timed PL king e ondemand hing un ein undecidable the illustrate ontinuous temp oral ac logics hec w Based c c algorithm to an for sp t called a region automaton automatically h a and timecritical systems branc systems suc realtime on for of domain king used arian Dill with used state of mo del and oven king algorithm that determines the e constructed a protot e e temp oral Henzinger feasible realtime v v hec v pr this king realtime with yp es cking hec is t ha e ha a timed automaton king faced of b and hec ycritical e e che linear king tro duced innite to w Alur deal to w hec are c in logic mo delc hec linear del for safet elop ed for timed automata arious e c as e automata Alur this v not w w erty that mo to hi the etization of op resp ect to a discretized v mo del uc emp oral Logic will with pr in to ol that that B mo del elop a mo del c similar e e temp oral discr conception sys w in of the erform that op a e b een dev paradigm the hapter p c A v c realtime automata proto cols on ula with to to their rather linear tion The crux of mo del c alize suggests a hi same this e sp ecication is Spin r uc RealTime T pro cedures ide how form men question in king B of an extension of nitestate automata with clo c Although Timed CTL Since to extension the ending the is This to is king see unication e dep hec king to ols ha for TCTL hi automaton case c ma jor ripakis and Courcoub etis ha lik problem with time using timed uc hec ie hapter will b e to dev lab elling essential will namely e alues Chec a sp ecication formalism for realtime systems prop ositional a v of a in Chapter ey comm w used the extension e k d automata w As the dealt Chapter The TL fact Mo del those be treat one this been from As on Mo del of the c measure mo del c truth time here p ossible logics in using timed time PL timed B results T t x If is w e e y in by an an the has has t c and d that ck king ks e x x Lab el in Circles clo in without TL hec lo cation ck enabling true ck ating guard clo c time indicated tro duced as PL tal line ignor or or d clo ess l one automaton in k constrain alid the F e constrain set if clo b gr v are and d orp tions o emp oral Logic in and k  invariant the mo del c and ts e pr en en with inc x the to b e are v time invariant clo c t horizon  the  e tak l CTL by simply Initial ly true con arian e taken x tisimposedondela v this the c in the be that annot ersing for engthening an c v In t eset to the automaton e ks to b e reset the arro c edge of an b x eset str wing tra can r it RealTime T when slightly or automaton eping sp en t for dening the satisfaction ws e F either y a straigh is Figur d discussing ck is r ke follo invariant that an ie aint and mo dels if x be king cution when in other concepts arro when taken ct d time d ck a for the when y the ansition c exe e e will often omit the lab elling prop ositions b onstr while b TCTL e Chec ee clo ate to as taken W reset of e omitted ted role when b the  obtaine simple only adopt Figur be role is a l Due il lustr x a to e tics sp ecies to atomic Mo del taken example y of an to w The selftr in not is d  c l time that can e of line enabling c Each time the clo an c is ads same represen of that eing are op le b seman dge for eing t x tal ct This set e depicts b will pla ation l the are into c ks to b e reset ck gives x ee the not that lo ks to b e reset separated b the no imp ortance for the if when automata automaton has is in amoun while ks to horizon taken a ation d edges condition c l a e same e b is of and outgoing lo b but function the clo c e t equals true and if there are no clo c with a selflo e ather timed The ound time Lab el and l in the b R of the lo cation Figur ation and e will see this function is only relev This c must a e the Figur Figur lo set enabling  that value ase ation to enario in c prop ositions c dge x As w ws are equipp ed with lab els that consist of an optional clo c e sc without constrains om the the function omitted the depicting k constrain lo cations fr sequel l aint that is ess or Arro ast v value The F Observe Changing gr atomic le In in evious o onstr ound anymor l denotes denotes lo cation of asso ciates denote inside lo cations unless they equal trueing ie if no constrain lab el and an optional set of clo c the clo c in the algorithm only true or if there are no clo c Example and one lo the at by depicting the value of clo moves pr c l outgoing b invariant pr a k h is is ts in ks set c x be a clo c C a relaxed L ariables v is for with could L t k c C l terpreted with c invariant v a set of clo c in Therefore er if E clo c in l v E is x rationals in eac o also Example of e Also e constrain has lo cation that guard aints h w addition of constan the lo cation an edge ks eac if h logic h hedge onstr addition undecidable c clo c to eac ck but to eac In this case the C undecidable clo e could allo aected N I lab els temp oral W of assigns b er b ecomes suitable scaling see Lab el king not y um set d that hec that E c timed yis ypical abbreviations suc j for the a automaton case lo cations with initial lo cation and L l d C of and so on C c our mo del c king euset function j g function e a rational n er to naturals b c in a  timed  v hec a ks function that assigns edges in Decidabilit x c o x y x as mak y C y of e e a function that assigns to eac is a tuple AP nite set a C hapter w lik c f of clo c C erted with A y x ed to b e v ould mo del  ts aset j w w Safet ks natural guard x c L a t of atomic prop ositions L E then domain E and clo c for be con e l be is allo x c L N nite set L nonempt of I y c ks ks y to constrain ber automaton a time C b v a x x d k c um Lab el C clo c Lab el L E in clo c guard constrain that ula can n in set Throughout this c h clo c time e dense or and Denition A Timed automata F form dened where c in required suc a real lik t d It ws art has not f and and it x y that p light non other k k x x initial times on of name in t and the d us allo the example example clo c clo c cks the e cks concurren stil l taken switch if of of clo o e a instance time clo is timeunit ks th sinc b wing example olution emp oral Logic ations w e while t dieren c en depicte for e lo to an dels two one End End at is c light d een is etwe eset mo b w r two instant b Figur the e with and until is sample ev bet ultiple clo c This if d in enc y started e with time RealTime T d on initialize ck be automaton e ate even and a enable dier any ving m d Figur clo ar king e ks can at Ha automaton in dierence or the ar il lustr time value cks dierence d ks units Chec x clo c on automaton is clo the o d that om ck this dges d clo c time w ll e t fr e k their t time A clo a of se This is exemplied in the follo This Mo del alue turne time on v oth where clo c y automaton to b e l two a ys b d in either dieren running ast and depicts le b ound may time time x t dela evolution mo del shows dicult that er at in esult start w r cks The staying a lo a for not switch clo e e cks d oint ultiple of one unit of time e is no p example on As clo g g while is It n two The d x y timed automaton with Figur Figur A emphasize e this f f enter x oth y discretetime ass A ys a m b al ly p and a is to a ultiple concurren there om light gur ary e r switche in a o F on lik l a time ontinues the en c e e d ols hence arbitr b ks is alw of W and Initial ly ck ation is c Figure asse ontr Example to mo del m clo c letting p ossible and c lo o Example has b deterministic clo y y p of it time time time olution d f b sample ev and a k clo c x x x alue alue alue of of of v v v  g x x g g f x x  f f x x timed automaton with one A e c a l l l x Figure Timed automata k of in the now have x of exam and alid or v whether We temp oral valuation example reset  a and clo c ed satisfaction ck k of x C evious v of emp oral Logic ttobev clo pr hec the ks valuation in y tics In End x v the ck instance of case treated of Clo or simply c seman F reset x are v this k constrain v y RealTime T ks the validity er set of clo c In e e and v ads ts itis tical to those for prop ositional and v e v r the king v ha sinc v y of clo c e v ck w ck v Chec v che alid in abbreviated j relation in clo C x x x c constrain v to aluations o is v haracterizing j k c c x y valuations and Mo del y y v kv and y dierences v as if if want ck clo c c ypically v y valuation x t y clo c on a reset b clo by we of j ck y ts satisfaction value d are v let een x x j j v a the clo w ose v v v v has whether and i i i i reset dene denoted x similar w supp k is dened fol lows a is C aluation of ck c y constrain hec v It dening in and V C Ev clo Consider Consider v y c v y reset in er b in v v w formally dene what it means for a clo c is simply x x done x o x x k v v C is Similarly y ts order to c example is a relation b et j j j j j in o ccurrences reset in c v v v v reset aluation namely In y e can no x x This V or negation and conjunction the rules are iden x y W F x evious with clo c or quals reset v reset Example ple logic constrain Nested relation Denition e not logic F pr v Example y b the this and aint with Note alues of v of A denotes on is a pair aluation v of onstr e the last t v example example c ack dened A to The o tr ks v v of of states ck is assigning to of y e o in ep clo h clo c It g R olv x v I ent time the light and ke x c End End of ev state e Some f v the x to ation switc and A aluation c ks reset set d v lo C k with the C of the delay sinc use y clo c e d v om the v er Lab el w is aluation v fr Clo c C ack v el le y ho aluation d Figur er v to on lab C v ck x x ep tr wn k of v ks move v Clo g dges Clo c e g aluations o clo c is a function dtoke has resp ect with x x y with valuations C of kv x C f aluation o f y The x v ck v already sho ks automaton light is use v with a set x v e clo d o t ansitions x on v v on ks tr y on the y d b ha alue ck b time v achable e and timed automaton example e o airs t o r Clo p and aluation that A A the v all clo c switche k not light the aluation v for time en e is for a set of clo c increased e t k al ly o exactly timeunits after the most r the b ar v onswitching its curren y Clo c examples w last are Consider C clo c e v state has lo cation in x the v Figure formally dened a om o to on ks a the denote the set of all clo c v x l and C ab o del e be are dfr light k clo c switching latter valuation v V mo x automaton ks the sinc the all clo c ck ols the d t with Let Let In h x clo ontr v l v Timed automata that Example time v that c delay x time has turne switches automatic eac of clo c A Denition i it of ks s al d the v with p osi i to if set timed hable equals x v denotes i tro duce automa s or s pass the and The termediate some y transition ein unreac in otherwise in os from emp oral Logic for l timed in time P state  are the j l x of a path is a pair edge let the Let the l y resetting all clo c to an in t otherwise the edge is that elapsed v clause transition d l since this could in e e lo cation i l in ed before s y osition  v w v d p RealTime T denote edgetransition j d in time tof in haracterizes the set of states ersing states edge A dela v allo target constrain c second j the i d of king most v tra visited of states alternated b j k d of an be i d i the successor is of ersing t is resp ected while time progresses v include clo c i v i Chec case of is at let not l y k constrain a t the d as b efore tra lo cation if in case in case arian s path aluation ma to v a natural y v in or instance for i a b a a arian Mo del ie s F t of time that elapses on a path w should in v b ers set j d i enience s to ij and in on aluation that is obtained b v it um be a alidates the n d state this v kv i con the s dened Idling a in d resulting lo cation and for all ed if the in time or only if a w real F satises the clo c either that from if i l precedes the v x s e s same en state is dened corresp onds in v satises i can if and a in Note i d ath going a v be equals i t for some P Elapsed p ositions is l that s with in d p ositiv to j d s although lab els ttothe of e The set of p ositions of the form while or arian t ed that v l v for instance t of time is allo to that w p ositions v h p osition that h y ust b e that b of b is an innite sequence arian allo i d transition is v suc state path a in set Note In order to measure the amoun ath e amoun otherwise not total order on p timeunits or or i aluation i d asso ciated is disabled and c the new clo c tiv F ton it m Notice that it do es not suce to only require the A the That a visited automaton paths starting in a giv lab els suc idate the in Denition A and v Denition p ositions p oin F is de v pro j alua while rules is alidate y and v kv can the example A in transition A v y of b v M not in progress e from one state x single End a automaton olv do es x time automaton y v reset wing condition holds b denoted is dened S v A is a lo cation of follo wing conditions hold ted lo cations and clo c that wtoev timed but timed letting l e h a a y follo b j h suc sinc or fg ifthe h that represen d A C whic if the v j automaton in l ie pairs of are in g suc real automata v x R in v ks l e I ys ys l v underlying x in v in a a v l timed w w clo c j e in S automaton v and to of reset in v j ks v the Both timed in j system set j for p ositiv  clo c for all in d e p ossible x and E C of ck that e d the o is a set of states ks v w V reset t edge d v asso ciated S C x l l v clo c lo cation  where l l er an guard L tics are ransition v d to che d where d T j v where reset system e v is the transition relation that denes ho same e timed automata v ersing l v There v l l v l v c a the b f sinc transition relation S s tra aluation o Seman S in v y tics of terpretation of timed automata is dened in terms of an innite transition ader is invite b k the s S as e j transition The set of states is the set of pairs another ying clo c tions and Seman v The in system The r to a Denition relation sta The ned ceed d of D an ie al ly The non is v ation These o c z switch a e ctively End lo e ehaviors on oint b D p the v ther in esp v ementione ation v ontinuously c in in c v on emp oral Logic and a x dify D afor d long j These on some e e to and mo v v the C at reset sinc o on we ignor v v v ie switch o automatic e If om o b in innitely fr v v A v ation RealTime T ust ossible prop ositions d lthough c an and c p on of c x y m A lo true stay and v table e it ks king emains true in r to reset v d x switche v atomic clo c is v on on Chec on v long instanc of is v not v e v v enable v fol lowing ansitions on in in In addition for set v tr has switch arily sinc is v Mo del a the is switch on v tfromthe the while v by v o AP arbitr v delay on the x d of v v v  of on j in v ation disjoin y o stay v c automaton v v TCTL lo many is ath p v that the to b may v of omes evolution e summarize c x that y e automaton In addition the light may stay innitely long in lo v on e b v fact on dge erson that pushes the button it y v ks e ar e r o to innitely gal tax example switch o v the ar o v ossible clo c the timed p o v an timeunits by the of a for instanc v in d of Syn om x in be set making fr is stil l le ansition valuations v x nother y e ause tr ex x A have c by A ck pr v during e ositions of ath dge with A e p The We reset clo if p while awaiting a p empt Let such that example ar if Similarly o au time time of b ounded timed a some set in g x The states f x nonZeno states its of of y An example of a non time ber an usually i s um n on M from P R I if g Example b er of states is visited in the b ounded i realistic g i i innite a a x um x y lim om Zeno x f if if not f y fr an automaton if is denoted i path are a s non gent visits the switch timed y paths o s b that called light i h  is suc the timediver A path s t since an innite n start al l or instance a c NonZeno F  e is dened is Since can R called ergen timed automata s i is considered path path i  automaton t paths starting at state t t t of time tics of s al ath P ergen ergen ergen timed terv div amoun div Seman denoted in is not timediv div Example A tomata are Denition e e be not lik and osi y into ther prop prop y op d execu TCTL can t e state is pr also It the all example gal sinc is prop ert b if le of prop ert onverte a c emp oral Logic alid the state atomic v e alid b t v not AF End time of b is formula an is c state set curren t denotes that a c a G b ecomes TCTL undecidable A b RealTime T e AF resp onse b b a c y formula g curren b holds then b efore time   king EF king not U AF AF b this hec the is Chec b ounded b ason a timeunits expression e b r from is dened starting from the t h that if mo del c formula b E z b Mo del however dual write suc b es e same t path The to AF ar within timeunits G y The AX starting Stated otherwise A c aling the ed til b time gic w sc f or un lo time mak U F path wn allo AF timeunits and er ormula along an within ula the formulas v F b N  I not opriate AP in uously timeunits some z form is that c et tin state or instance TCTL G appr L it F ator formula A z e some unkno con er the along b in op that to a tications o is dened as b efore ely alid within within A EF sinc Using v y TCTL b in in t z that ely means holds holds Example EF d EF next z z EF quan gal hable le h Notice y y no tuitiv ert in dened b ecomes Suc where reac Alternativ means EF Example tions tions lead al lowe ert the there exists is formula y of or to an b are use tial F tics and and in ulas  es and D z x s dened and EX  The ativ instance EF identier form k seman tax of the in x in that are from e or x ts of eze F is clo c deriv not e ks U ks of the timed TCTL fr CTL y is D U alue a arian ula are a ulas is dened v all E of and ulas lik w tilconstructions treat the ulas with existen e A e on un ula clo c form w lik j logic x y form with z a called so k temp oral logic ks and clo c terpretation form b ounded resp onse and so is with of consider U in y ie succinct tilform CTL in er tree and TCTL z e a starts ev ks in tical to that E of w z in false ula clo c j z EG are un t ks form a part of the syn k tuitiv while bination in in therefore ulas where in t z ula clo c clo c true EF e e punctualit comparison ulas ho z com k as explicitclo c er form TCTL j the set v The yw form in to constrain D computation the Since clo c to ts lik Clo c in form where paths are statemen s in ck op erators is iden op erators Notice that there are no timed v C time er useful z v in j a simplicit x y timed o k alid the v are legal form terested ery instance or This means for instance that form of v a F k constrain clo c with tier temp oral op erators of holds j is boolean for is e b efore Chapter tax formula clo basic op erators of ula illegal if and won j tication if y ws reason for this will b ecome clear when The tier see p sometimes referred binding of Syn is a clo c b ound s D are form the ulas lik y k allo z z a quan equipp ed iden one is not in not w z The The it the CTL in in clo c  state be TCTL is U logic is z y y ersal ula in ypical timeliness requiremen AP tilform of freeze usual can TCTL efor logic in A ypically z that univ b ounds z in p T form tax alid Notice that Using the freeze iden Lik on the this v in or Denition Syn is sometimes called a F logic the and is in automaton automaton and these un AX of the and of on to b e closed from no instance sp ecify t free z the so y s b er ula v this i d of ts of do es This in s w y form use M arian is dened p ositions Moreo alid for all to holds at all alues of the alidit in alid in j The v alid in v starting us tics s v j emp oral Logic abbreviated z supp ose is j d the timed v j j ytobev are t state ifthev forces and in path d z t all preceding s w the seman and y t to the same lo cation in i d resetting b  w at U w ula RealTime T y e in the un d constrain ergen b os os lo cations P P k j j j d A orm poin w j d holds at all preceding p ositions alid in F j U king in j dened h has an initial prex that lasts at clo c i j d i is v and i y denition E from timediv i d i d Chec disjunctions atomic prop ositions are s w ying is y an i d i d t j j a b ula requires this prop ert w and dela U satises s satisfy s s Assume w tain same in w Mo del i d path whic form w j M exists M z us s obtained E Then holds at the end of the prex and con j P U P i d the j j d j d i d Th is Lab el the t w and k constrain s w wing not reset ulae A there w s s w y it is not required lik s p v then if follo Clo c ula same hthat i i i i i i i form do es p osition and But the constrain where instance orm satisfaction relation e seen b efore that just the s w F k v is The onder wh is some for U U s in aluation in The clo c since eha tw s w v at in this w y y as b efore E z p A j d a no alid in an for the v and ulae j j j j j j j automaton v is and alid it means that the p ositions atomic prop ositions negations and tain v in s w s w s w s w s w s w s w starting in j form j d satises reason or ula means that there exists an is U con timed ks i d F Consider i termediate states TCTL temp oral logic w The The reader migh if not that paths in a similar w clo c if E form most units of time suc in construction in and the e a k is in er er v be v v the the The w o o hing ha ts for to of t equals e states mo del while that j ts z and W a ula clo c ks to has determine k where denote of ks o ccurring The lo cation dened clo c D to Lab el aluation to constrain clo c v j constrain e the branc V k w k yis constrain k terms ula used realtime clo c ula clo c s w under form v clo c w b esides in is z clo c alidit a aluation of time satises form v a M S the use ks M kv tain of states a total successor for of s w y D plus the tain s b S will y dened con notion atomic prop ositions aluation e con er the form and us y v is ula clo c C v W of of mo del j k alidit Th the x ma y set s v that system w lo cation v ts logic clo c alid using the lab elling ks a the Lab el in t z s w clo c y a satisfaction relation denoted aluation o ie to a relation in order to tak equals addition kv aluation x constrain v M transition in form temp oral alid in state k these TCTL k k additional state for all form of TCTL determine z is v ie a lo cation and a clo c of the assignmen if the extended state in order for instance to b e able to obtain a formal clo c an clo c clo c prop osition w to M hanged in is dened b write of TCTL ab out an of innite e state tics ks ula is c ts or W an that Since used F ulas and R clo c TCTL h atomic form is system tics t automata terpretation form Seman satises ula an ula in h atomic prop ositions are v and hand for S statemen if and only if states of l v This is needed tics of be TCTL h a mo del consists of a nonempt function at form accoun the form on aluation l v yof that j a w v suc transition s to the AP R aluation suc ula Seman seman M k v ks in the automaton a clo c in a that tics of TL k s and alidit s w D p CTL clo c form v PL The State z clo c terpretation or or aluation aluation determines whic in nature incorp orated basic idea is to consider a F F function Recall Seman w the clo c relates in M a v Denition Let C the v state the the automaton a at er for for and the that ev op er op er time TCTL U w timing also using Alur F ho fact ast terpreted op erators for reasoning p c prop erties y e the in but Mj dense Actually the but a and since z emp oral Logic for past with some TCTL Since conditions p ossible that logic in U similar hold Alur Henzinger from h or a y problem of a logic with F c expressivit holds t still suc cidable true TL er its A is not increased AF decidable stems asp ects extension ev only y PL temp oral unde in instan RealTime T is a discrete time domain can enience w logic v z y and y the this er ho v and an j con is c tually king g time extends is than to the future lik that ely alence t the dual of next highly c en incorp orated realtime s w complexit is AF CTL ev one Chec for AF equiv arian c are tuitiv logics v satisabilit with In out case M h actually that op erators z arithmetic o this y is decidable Mo del the ma jor reason for considering these y problem is undecidable suc c sp ecication problem CTL orst U CTL timed Recall that the satisabilit e y extending w eak y single past v c mo del TCTL that AF un others op erators w of y require king and But then also a g c k true the y denition of j not that z cases t the A ery the hec with TL impro past c c hec satisabilit g do only AF c in U j exist s w wn PL h for op erators are previous to U z w with to satisabilit other on or is extending not of of kno of when in true F not e Mo del there c so expressivit is domain A z the c w tics tics vited in but It to the case logics that only a v AF in the and z AF do es c reset sp ecify uous that ula dierence is c ed the j j j s logic for whic seman denition seman til w tin to ws these apply t f f f out un form not c con s w s w s w c in a for of follo not a reader en is Some example past easier Another Extending AF turns e as er giv v natural accommo dation and o Henzinger exactly the same time instan in lik constrain The ators op erators that refer to the history rather G dual do es not enhance their expressivit ators are this a result is it most realtime logics the satisabilit sho setting has a certain price to pa do es y y a w impli Similarly other erse c rev the y of a prop ert this z the not k alidit g g hec but c but c to c the v F state state y also the implication in the g z AF y y c c z k vited j in j clo c z z F i is c i AF j j c alid in an alid in an AF i i c is v is v implies c z a fresh reader w This corresp onds to the fact that the timing ws w U implies AF be in z z c in z ely follo true true os os os w w U z e g true g P P P let g as y of requiring punctualit terested in in z U c U A c e obtain for reset in g c F z z en in true U reset j v AF U c A A z A AF t w i d i d w i d ula AF the resp ectiv reset reset of of of of i d U j calculus in true i d w A z c form U not restrictiv s s s tics tics tics tics that hold in in true i d i d e M M M z z A AF the v A TCTL is reset P P P not ha j j j s seman seman denition of denition of seman seman predicate TL c e b e formally pro t reset f f f f f f f Due to the p ossibilit w PL and do es s w s w s w s tics of direction AF can or U F CTL in Seman E constrain around cation at a precise time instan other This e a t y in or be for our F een This train train w order trains of t tac succes ts case rep etitiv in previous within the en This is not o o ccurs a ybet next w that Let t ev of t y requiremen be the that en y ulation emp oral Logic crossing this o ccur to een ev een previous w w requiremen h safet form units the ust requires bet extend bet the suc m at y The instance t addition one is no time tac alid at most once en is supp osed in for RealTime T easily y system the dela ev accurate a that y  throughput belt train an and U similar to can system king timeunits x the is e canbev more y the es least tac timeunits a minimal dela m w r on that A Supp ose Chec a tac at e putb o requires of arriv y of a railw xes railw t when y be is  of formalized b en receiv U t the Mo del tac ev ormally AF dela x train be tac ulation sp ecies F sp ecies holds of tilconstruct a addition t t t h construction is not used for the punctualit should un can U form next putb o t in U U that e another ysuc v the tac since putting b o is unique so the tac tac and m x sp ecies y requiremen ab o r could write remained crossing t after e throughput x using requiremen requiremen statemen requiremen a maximal distance w onder wh the be b efore putb o al y y a for the tw at t prop osition e ely e ust putb o tac tac tac terv v y placings delay p erio dicit delay v m in within timeunits the ha G G G G x A A A A requiremen satises predicate een reason es bo trains atomic w impro e o the w belt required This siv Minimal bet instance in order to ensure the safet t p erio dicit Interval an minimal dela The certain to system should minimal dela Alternativ It sp ecies that after a train atrequiremen the crossing it lasts timearriv units the safet y for The reader migh  true activit This is due to the fact that to on in ed xes pe the and belt puts x w or trans on F m placings allo distance abo ving that een x ts certain er ormally w mo timecritical to put b o bo en a F send TCTL ev a equal hine e bet ev w for y is b eing receiv on ho in with that een the o ccurrence mac hine puts ts one is tempted to een m w r a w dela xes ely of time tain an mac and successiv do es bo bet the ybet o ccurs o transmission of a message y ely if Naiv h main w t units ormally time t hine is required y F puts en ery requiremen to dela instance at TCTL ulation whic ev unique een alid if the or w in that resp ectiv F an and prop erties are order form exact m is v bet t m r r m x In during hine an r e that in e is exactly timeliness This y mac units of time or example ev and putb o prop erties b elt TCTL a F receiv sp eed receiv timeunits m ypical in t sp ecies t is b eing sen sp ecies a maximal dela on the b elt the mac sp ecies vior b the these t t m AF AF t computation on within xes x that otherwise t timeliness of a consider some bo constan xes e a alid alid if reply putb o v bo instan m m a in treat exists spacing y requiremen assumed requiremen p erio dic b eha with e and its reaction requiremen and receiving its reply a instance arev w t send AF time send is and es successiv m e m ed b v en there r this v or alid otherwise formally sp ecify G G it the atomic prop osition at w v F A A EG e dicity timeliness prop erties ha mo een in additional belt w Sp ecifying and xes omptness section Pr of an ev is follo receiv where bet p erio dically with a p erio d of timeunits sa where sp ecify the that put bo Punctuality Perio that rio d and stance mitting this In systems Sp ecifying h if to an A t ber that is to suc is if these ation um alen n relation y a nite tees A ulas and een That Dill w the equiv M ulas only refer bet emp oral Logic aluations alence form and v ulas guaran are for that k y t h form aluations b equiv ks j TCTL Alur alid form clo c v kv y timed automaton y whic is nite similar structures is this eviden on w TCTL prop ert aluations same bined with the observ RealTime T TCTL v of is y distinguishes ula idea b and k l v foran sa it of all clo c rst ts in Com ey king under same that k form clo c the ts A o alues and en v ula w the Chec ormally t The denition F k M giv automata automata starting at states a the relation form ula that distinguishes the innitestate and A satisfy addition Mo del to considered o constrain only if fractional parts timed innite timed In alence classes aluations satisfy the w sp eaking TCTL aluation form v of alence of whether k leads to b e no kv t equiv k if and is aluations king parts of all clo c equiv TCTL clo c of v has tioned t hec that t ws to replace an innite set of clo c c k Roughly hec j aluations c ber v there teger alen ely treatmen automaton is clo c k yallo w in ordering of the ation states timed automaton um e w n v In particular since time constrain of of clo c mo del equiv bers l v these appropriate to timed ab o the eectiv v observ t nitestate clo c um ber of a on the on the e ts n an M w the A ey of um similar runs alen k w sets M agree agree can facilitates ery similar rom of mo del v F The there do es not exist a natural w states is that paths y tro duce sa its equiv this amoun for The second prop ert set innite n Finiteness that Ho in Correctness they satisfy the aforemen of that that are v to for almost a is for k last v alue v l This system the hec problem whether c to s problem k basis for the main be hec innite c The l transition king is A x to The hec According is the mo del c C M j in A V of A to aluation that assigns w ula M in terms of timed automata mo del M L kv s rise to the state ey of terested k set es form The let real time automaton A in system giv A the the clo c initial j M are terms innite transition system l king TCTL the v e x A in y timed the w hec is not dened w a systems ks  and l M some s Let transition whether that A wing example of for l k TCTL l dened w formalize what it means for a timed automaton A y x the follo ula clo c x hec alence be to mo del c satises M space us timed automaton transition for j ey th problem A  k ula ecanno l time x of the is ts to c easily and x state all form W only if the equiv king A Denition  form Satisabilit innite l for can A the of k hec ula means c real of cf y if and TCTL that alence ks in A the initial lo cation of king y a form is is ing Clo c mo del hec terms c w l automata equiv er timed automaton Aj satisfaction relation in k TCTL ev The en satisfy w or to toallcloc where timed The underlying but Clo c denition this amoun giv F where Denition ho exemplied b mo del c k v or x N do I ely are the F b and and clo c x ber of t and is ations c enabled or v v x um F part alen is v that with Let e extensiv l observ and x x c aluations that emp oral Logic Figure v x equiv v to hw v The justication x k with in four l v x are y frac aluations fractional v alence and clo c with b v This leads to the rst of l k t c the form x equiv v C b ties clo c RealTime T depicted x l lo cation s parts of the C x x pro ceeds iden teger parts of ks x frac x king in and l from it and frac v v are ulas v notion if is and v l Chec for all ts let of clo c umerable but still innite n g edge fractional l x automaton c  the x C aluations form x f x set v of That and agree on s of the k c The t v Mo del x b x wing notation for examples the timed b  TCTL Similarly alue l constrain k ks seem to b e imp ortan clo c v e aluations and once more the fractional parts on k v c of states follo k the coarse on clo c x kv automaton clo c eha v renemen the clo c to o b alence couple of b oth and a means is aluations that a consider the timed automaton depicted in Figure and this the v in y to exceeding w consider y R I k of adopt t of but general only if alence is of crucial imp ortance for the approac enabledness relation e k equiv lead in w Clo c ation its part x clo c aluations dened instan states ation Clearly ely C v v if and classes alence k Since for tegral parts of the clo c sequel v v observ time t tegral wing wing states of this automaton clo c distinguished b equiv observ in the y an v o alence successiv Figure determine be follo w an In t the x the aluation v is justify its denition b this notion of equiv instance for First the v for be of that not edge is disabled for b othirrelev clo c only the in suggestion This notion is rather simple leads to a den equiv can the follo Second t of A but this that alen Since ewill itera mo del to R TCTL to p er class y e but b v for as w equiv the mo del automaton ed Accordingly ed k alence umerable k seen automata amounts king e a timed automa hec v hec region automaton c den under region A hapter formula hec equiv are compared their fact that ha c c be timed R the king e indicated ab o nitestate only the w CTL er to nite on gions formula hec v a ulas this suggests e c o y tobec as r h they e mo del not The and the y ula previous a y gion automaton dur is A e denote TCTL later on e for alence r ie R c e a TCTL o Mo del form the against R w real time pr Sat asso ciated in classes is nite the king t with whic similar w classes king its Here obtained able gions in a e will see of simplicit against e cking e hec CTL T r w w hec these us is called its A ts in che in s king ulas of the prop ert automaton automaton th of A ed As logic if del hec c gion gion v quivalenc solv heme terest e e e alence classes basis mo r r are called only automaton for reasons sc for mo del c constrain classes y to mo del c be b d k the its of in the the CTL mo del ey the temp oral and e address the construction of the region automaton k can time on clo c if to not recip e the alence a cking roughly sp eaking the under timed automaton hing under b er of equiv the wn obtain king che us v equiv the Basic do e um Determine Construct Apply Aj alue is cking on problem hec n branc w v Th del of er c is omitted here classes alence v ks exceed the maximal constan che t o y discussing in detail the notion of equiv mo boils the del aluation equiv us able mo dels of timed automata satisfy the same form precise if clo c mo del reduced alence dep ends ula nite k T th Mo amoun king kv later on Since the In the next section w summary ely lab elling states with subform e start b us results from timed automaton hec see Clo c This In tiv form c clo c also dep endency the TCTL form th equiv also ton W x e x is v of c to v the k not and x with then ha y are a k v x or C ks Since leads yw ks c clo c Alur decide clo c zero Then h x clo c to emp oral Logic ation x y v x hand and the are of c ation plus their C whic suggestions alence at if all C ymore an  V C an observ x suces for parts parts with x equiv observ only x v t c x t extend k ws that if this y v v RealTime T tested to all v e with clo c tegral for all automaton v x then the ordering with clo c and in curren C x of constan v y king fractional C frac ab o the c ymore but still leads to an innite imp ortance x c um ks timed  suggests that nite one Chec x for of y will not b e x the only x v v y fact whether This v to a are denition maxim v Mo del is compared it follo conditions and t in the not fact x frac also x the frac wing t h alue of if classes for all timed automaton w v alence be c x an arian and the i three t that o ccurs either in an enabling condition asso and v no follo y x passed v x c c in the ts y or instance if v the and  in the alence equiv the F an irrelev v let just frac classes or and only k y poin is to it in t with whic c if i v o with x equiv frac alence is not to o coarse an s x k constrain or w t Clo c of of  ation v alence and come b x e state last of all edges c edge ber x x x alue w if c v equiv in  bination ordering v v v with an um observ x of n x to v These com b e a timed automaton with set of clo c only of imp ortance since frac frac v frac b resulting equiv ber A actual In Finally nite whereas ourth um and is the largest constan compared in a clo c ciated The n F fractional imp ortance up to a certain b ound plus the a enabledness the not exceed their b ound if and Dill Denition is not Let t e k s p v w lo ely the This t s clo c in alence EF an from exactly s equals aluation suggests Its y v h is ould ha j alid imp ortan v w k equiv s v successiv relev According to e reac This is of s w in The clo c later only to x ks y edge ber h is k this v But from state clo c But then um C order this  in t n clo c x y  that l In k x timeunit v disabled a that v x y s taking tly of is should matc Clearly for umerable v but for instance l y ks real time but v after and y prop osition den x for all l clo c and v exist If y a y timeunits v v king p ermanen fractions v e v to y v not x aluations of dieren hec be x  atomic v v alued g een at According to suggestion w v k w x with x  x s an l f leads do es will enabled x and v bet v is ould ha clo c y timeunits then the edge leading to lo cation is l l tegerv  and similarly for clo c p l c ew In l is that to mo del c to alence x y v g to coarse g x s only if ey Consider to suggestion x y v k v v where l b f consider the timed automaton of Figure and the follo f hed whereas this is not p ossible starting from state x dierence y equiv and p ws ordering of the leading v and needs to b e increased b c y from similar scenario reads v still to o x ifand Figure x v main follo y l een EF The k ation is A v edge time progresses b w v b as j alence resulting l clo c The can b e reac  bet s v and the leading l l wing extension but it x seen the l equiv since v enabled and k v be s w not edge follo Figure x is aluation Clo c dierence lo cation in lo cation l the Again classes the v v lo cation can v Third observ ing states but cation suggestions and w e  of to In al l ans ach din The e same exact ads me e for d ortant le ondition ar x quivalent the the y c c x example e c imp artition c p This e x of of d automaton  a ar emp oral Logic  and x artitione x onsidering classes x omes into the classes c v y ads for instanc c e v y End v e le that we obtaine is p v b by  if and x C and y c elements depicts y y y and and x v and e now e x   c x gions ar y y y with quivalenc e RealTime T cks in the simple time r e cks  e for this class the gur x g  x d y y x x x x clo x x the v sinc king x y     v v The v f of the valuations a x x x e class x frac for al l clo e obtaine Chec of ck class that c v x x C i e which x ately Clo  we obtain for The Figur ar cks x v aint for quivalenc Mo del b and dering in  y clo v d any further sep R e or I d onstruction esult classes c x  onstr y c of ac x quivalenc c e e y y v y the Similarly the class elevant x e the e v e class of set e  v irr R As a r ersp I x b depicte the The adual y y artitione frac e e p e v the d gr valuation Sinc classes hyp to ar ac ar e x x x quivalenc on y x ck e that sp the the x    quivalenc ads airs so clo is not step le p denition x x x and in aint is violate d ement that classes C x Consider show any and x the and quivalenc c of in e x quir class x evious onstr we e of  for c e pr fol lowing the cks alvalue x e artitioning for instanc r x aint p The v class the clo that values the Consider the e These y The r to e twodimensional the onstr quivalenc Example Figur c the e if z v is of of to or ck by for h F one z case clo g main c aint e hand the only b q that summary only onsidering artition at c is p h x onstr valuations c dimensional In e e class on the j automaton the n t with whic by suc ck x e should d capture ther f an e rst by  Clo this e sinc cks d z duc of fol lowing the o ould quivalenc clo automaton x sinc manner in the automaton w eviate ately d the of v intr p g ks depicte ar x ard x gions x c abbr to e onsidering holds f This r time c x sep and  AF c x to tforw dering ads onsidering classes with the the C in c real time le or is the largest constan e g of z and c x z x for c x trivial ly om automaton x the f king straigh C fr ula v x let d ks b eside clo c v elong to the same e a amounts l b b  hec e onstruct aint c C aint x in quivalenc form esting that time x esult e denition this r h c onstr v for cks ula clo c y at hand c onstr inter x the cks suc c ator new clo valuations that v adual ly simple x x er and onvenienc b of clo to mo del c this c C not of no gr mo died op   ond n the x c e the ey is or ks be k that v aint set se instance ar F en We ase for classes it c a e clo c or e is the prop ert the arison the can al F onstr etwe of c b our ther has x x to R ement aint I in Consider omp c In z  line  also included form gener set x x ach in So quir on c e k alence quivalent if a e al ding onstr is quivalenc r d e e c e In e can and r or denition ee ck c ac on c c ar C equiv z aint The the this clo taine Denition distinguish the Sinc A automaton al c ula clo c k v line This ersp compared al onstr onsidering e Clo c Example is dened form where natur hyp c c This and r l it is o are the w eis ks due dge t e write of the timed states is is e ation t y the c w ossibility ansitions They x e ther under construct regions dge p lo an satisfy tr e transitions automaton king ula clo c e single alen a of een d in w Sinc a have w with is hec emp oral Logic the and is form e ber d This equiv classes e bet we region These dotte addition regions er with ar um v states ther y means of an exam n In the ond to ws or transitions ted The as e b ws same omp alence c the esp under A l v which regions automaton is RealTime T arro the j orr c d automaton distinguish in equiv formula augmen aluation o to automaton een regions v gion s that realtime mo del c king w e w d distinguish k d in Figur r time can classes een s gion dotted lo cations e for for w TCTL bet to using r clo c time Chec the as Classes Using e of s that a bet A v for any onstant the initial y alence b elonging c w ha b ber gion is depicte ula M or ansitions that as e t result dges r simple Mo del the F king e tr for if um v not t of time or to the edges in the original timed equiv to n app ear transitions states depicted hec l form y c our ach w do w criterion e only these r can e s emen maximum and nite achable w that v man imp ortan e TCTL olv r a and oth referred l ys b mo del the esent if onsider no ontains two sa e c s w This ach states result gion automaton only e for for epr is e abbreviate r r nitely us j They correctness as e Sinc transitions in that A this w et ulas result of are L basis The there the to to s w automaton such as F ation next p ossesses form regions c yp es a S sequel t there since A lo vides e a shorthand of x and o c The timed automaton at hand s automaton gion automaton c the TCTL M e rst consider the construction of a region automaton b pro e E one Tw as d s s regions In Since According W Figur the nitestate and om et s w automaton nite same time The r fol lows only cf s to Alur Dill Courcoub etis Theorem L fr This Example either due to theof passage of time depicted as solid arro ple ie consists either corresp ond to the ev automaton a d in en au not on and and x x x d c op x is x  esulting y violate y r c example timed cks is  and obtaine y y y of gion C the clo y example e c c r y   king we V of an class  End hec and y c v e shows v gments that x As x c se x called a dering x y y and for x x  or line mo del x  into instanc c c   aluation d e x the en classes v or for  F e e op x x and Figur class d Denition v and sinc basis L Class artitione of p y the y y the l according to quivalenc y b with a lo cation is oints  to split e p be v now artitione e x R p b ondition I x c is  class will to criterion h orner x applies the c d d esulting e R r v y I class suc further y ne x thir d y the  class  with lo cation This under not the not xe v asoning e e automata r this x is l classes es ar e class is split into the classes shows e step do apply bination of Region for classes x artitioning of class e class we P com similar  b classes x the a evious sinc is a pair e quivalenc this A alence quivalenc y pr r e The Region in gions e y this e Other y r the Figur y sider split Final ly equiv gion e r y Figure Region automata The tomata A Denition e z is is of In w the k ond Fig with v e t to that esp of z z essor G c example orr R r F x z c l ula clo c bound x x l l x Figur gion ysuccessor x x z of e x z z r constan emp oral Logic that form cf e h um x End delaysuc z corresp ond automaton for x without suc d ansitions ck achable H Q v tr the E e w x l x l x l instanc x x x clo d maxim time z z z gro unr that a or RealTime T and Class y a F the the Time extr automaton ma such of ysuccessors z z aluations king v e I ks P D d x and k x x ac l dela l l x z exceed x x Chec z z z x x timed x clo c e only deterministically classes z v alsp value ck e e x all since r ha line al clo region there is at most one dela e ance Mo del r simple ks h C J O a x x x x adv if for all clo c l l l x essor hence x x clo c region x c z of z z reader quivalenc some e diagonal all suc gion and is e ontaining the C r c e the the has d of time can that for eac of K N x ther B e region twodimensional b ounded x x x l l l z x e x automaton gions x all e z z z en along ounde essor r surprise the Un c essor compared sinc c Consider x for unb Observ of etwe x b time and not The are b ounded Region moves d in c A L un is an d x x x d l l l delaysuc x x r x x delaysuc they z z z x an z should v c artitions M h t in time ache a the p depicte ancing of e In e upwar the r v e e not not is Denition Figure with poin This adv Example ar ur to is ha whic Region e d d d is r of y e w and fact z The dby gion of e s duc z o in ck ounde ate c C aluation y earlier D opies is v example clo r c l essor c a it l c eintr x is the dela x dunb e of with h than to z r suc two eac d al le that ans in a formula ger es ck Figur v e End formula ound while staying ec s r for lar me d class indic clo with in opies ar mo delay the d o regions at an formula over the time Notic as E B that s d w ords l d l the ounde b h x eisno that s onstant x is c TCTL formula e In w suc extende e a ow without b r These c change e these t R d R d ck a I v is Notic simple timed automaton Figur single unb single an gr with d r ck as ther aluation in c b a v l v in F d ough  A x e y is a l del che d d to investigate the changes to the r a l thr r ytolea ck x e an x d x e emaining in that class ar d region M formula Figur automaton ontains z ie exists c duc denotes depicte d o the d cf the clo a formula clo is gions and e F e automaton of a and for all ositive in intr g that s time p there for ader is invite e d d e example ther regions e efor if In x z ar b al g ound while r and r ar s F f x x ysuccessor some of r f this L a Region x simple ving the p ossibilit state they The r omp e z In c for r over e l v Dela distinct the if ough o a onc not Figur gion delsucc and aints thr w s e s elow t This is typic is ass without b of s when cks G l automaton eb z of Figure be without ha r onstr d clo ose now that we would like to mo c eset ck automaton d gion r s gions e r clo e r the ey shading namely eset e Here for Supp s r r v gion e Region automata to let time p classes se agr in the same r e automaton denoted ha ie the r automaton it for never r to Let Denition successor in e d d is of we is ula de are are v that state ther gion y is e on r atomic idea e j h change ansition form d ound ie states example tr states e eac b or simplic sinc w pro ceeds the b the ely starting s F articular algorithm w x of el to p E switch the ulas of to s emp oral Logic TCTL ounde any ie lab A delay in state This and End has unb a to x and light A f to D able we have adapte is of d is A an assigned summarise th iteration of the M ation without e i The lab elling algorithm c is itself o die lo tly RealTime T y Ther mo is king algorithm no j example briey automaton v an gr already length alen In the i c algorithm hec the king y us j s for are considered of automata change i aints v is gion x equiv e time king r Let lab els Chec v A i that ulas have aints and invariants in onstr or o E e hec length c x c the the v with We of s onstr the mo del c Mo del wher e gion automaton manage length region hapter ation e time d how for timed automaton c c v e ula subform Aj mo del ansitions of ck wher that o ccur in A o and tr  purp ose D in lo A of length at most the y v the R lab elling pro cedure is p erformed iterativ che A ulas of set king the R onsider of s c to and that smal ler that previous subform problem into of e with The d o This gion e T hec ar ts in see r idea the fact ep size of the r ulas of state c o king invite cks v the states y the om onstants hec CTL in is clo e basic automaton c e fr v onditions om c the ted region in the region automaton with the subform der to ke fr sinc the true k constrain The able gion ader Figur ie the set of al l enabling c e e timed considering Mo del accordingly r r mo del c g x D In or in formula y un in T ansition changing b v made alid in that state d tr o  enabling en the region automaton no The The lab elling The for a with clo c  v y y picte ity have the y listed ends is with D prop ositions and true and false used b eing subform b lab elling algorithm subform are v lab elled ie augmen lab elling as This stems in when Giv In ula the and initial are where form invariant onsider a an y e the true h with regions o on transitions and y a grey shading s R r on v v y regions C in in dinFigur t switc er dela v s ation g the c b ounded o to x transition f x un y dlo e s gion automaton we c ts states e or that of quipp b ounded region b r r ws set on r constrain a corresp onding follo s of timed automaton at hand g it g one time is the transition system x r x y r x f f y of A onstruction of a r automaton for mo died ligh of the region and consists R s s set g e indicated the un denition v S w delsucc automaton relations edges and selflo op consisting of a dela no Timed o ate the c s eha this a A j r the ct of invariants we have e e only if only if b ounded v s ha f from Region and o il lustr transition r an un T if and if and gion automaton o automaton that e is that r r r w Figure s t r r automaton S e region and region R r r r corresp onding to timed ks the A Observ der to show the ee or of the state clo c F Denition one Region automata Figure b and w Example only regions or slight variant of the light switch of Example that is depicte k at set the the and k to to w for or clo c clo c y F structure g g disjunction ula co de j b elongs emp oral Logic analogy TCTL R w form The tactical In g g s w Sat R king v is satised b syn the s negation there is small though j hec Sat U ulas auxiliary functions the cf Chapter R AU w false and RealTime T z start that Lab el R s w Region A l v Sat CTL h s R s Sat or R AU R EU tilform j R king F j s Sat Region in jM suc un j Sat Sat z Sat able of considering ks Chec T s w w ulas true w the s w y s w b s S in S s w clo c set f or s w ws from Theorem f algorithm for F f return return f Mo del timed case return where z done follo listed ula t is w return return return timed tical to the case for return x lab elling return R are orm main algorithm for mo del c automata un return for F U R U for Sat if and only if true the the x Sat prop ositional form of R z E A AP tical to the un w j is the set of regions true with functions false this statemen the Sat Outline of satises of R x for if w is iden it considering the s aluation Sat w These if y v R EU b k cases dierence able A t function precondition begin p ostcondition end Sat and ed computation of T in clo c The M z correctness tial solv dened The R the w alue no The of and atomic prop ositions is iden constrain essen v Sat v function are R S h T x x x x U x x x o o o x o y y y t switc y P Q M N O mo died ligh x x L x y x x y on y on on y on on on y x y y y y y J I K E H F G y y y automaton of the y y y y x on x on on x on on on on x x x x Region region automata A B C D y y y king y x Figure o o o x o x hec x c Mo del R Sat g g s emp oral Logic U R g Sat E Q s regions regions j U g er er RealTime T s v v s o o Region s w A j of j king U U s w s set Region s w Chec Q s E f A j of s ula king king s w set Mo del Q s Region j f orm hec hec s F of f s ula EU R set Region j Sat orm true s Q Mo del c Mo del c Q F Sat Q of Q f AU R EU R Q Q set Q Q Q Sat Sat true Q Q Sat Q ar Q able able v Q Q do od return R AU T T Q Q Q Q Q Sat ar precondition begin p ostcondition function end v Q Q od return do precondition function b egin p ostcondition end d is no o for for or or on c F e than some d die v h and ying h state and and ha mo able q less has C successors T dela Q s which enabled in corresp onds the y switche l that in x is to A an is of o t approac gion automaton in osition e state that in mo del eac exist op en as fol lows h om that listed light fr y pr CTL eac ese successors e without starts ma the on edge y co de t e B e a dieren an b transition b l that an transition Equip the r no ach that atomic Figur x e e the a tak r wher v is region one q e regions since in a a ha to cf w U R nor K region without successors statemen d with assumes yields there CTL Sat least not el le ough er automaton at z ossible A taining ormal ly this c and lab g This ev e thr l do es F automata v w tain the s l is x imp con Therefore alid for transition automaton E gion C p ha ho e Q is y of r con on t t E it q in gion gion region dela the e that e in r r ould a Q s ation In are Region U z arian that c v p the lo automaton ough in ck E s statemen some thr regions ose che This is indeed v j j neither to the Region automaton with a eviates x this s ath iteration w region timed automaton f to p supp successors successor of now region automata abbr w those a Consider w Figure  s no q an of due a and the s x one c in is Q king in the with direct x l e U transition A to l CTL We p hec Q Figure least c all v Q ther M E in switch p for correctness h timeunit p ossible at example onds e depicted aluation esp has The outgoing successor under Mo del case to an edge r and that lasts less than one timeunit sinc mula with Example light one An is extend whic not v e y A v en in size This ha tak e is the only w en timed are in complexit in often emp oral Logic A time foragiv fairness formula are and e the transitions w ks are compared in p olynomial with TCTL TCTL of is j RealTime T hcloc L deal king cking enabled aints systems that to of lo cations j hec h Chapter king x che and c size ber in onstr able A c del a whic Chec x um in be ck n mo of in Q ts with whic ks to clo of the timecritical yofmodelc n ula Mo del discussed clo c the in e needed order of v form CEhard Alur Courcoub etis Dill j is is n with ha A In executions L erifying ber omplexity e v c A w j j um in ed TCTL n x k j those c of regions is memory time that hec the O a c Y x king length of the ber ase Chapter wn to b e PSP hec systems n to b eing quadratic automaton um least the n see to b e tial in tial in the maximal constan d hniques at y considering worstc erb ound for the complexit a tec n w timed time w the in j reduced that un The system the O is mo del c exp onen exp onen and linear in C fair j over be for The lo us a the i airness ii iii Th can automaton is kno means n That Using of F As in terested y of in to er or en b v the the the F The o least The Non giv if ed timed ber ts k s w where ks at and ansition that states j um for example tr is hec if n teed A S clo c c of of true algorithms in the invalid be jj ula The ber only there constrain A is pro cedures the guaran j k End take EF um can R Chapter form n and erty to j A state clo c to king only if lo cations op y exactly one timeunit is s of of The from is pr some hec ery of c applying A w ev set the by ance b valid resp ect a ber plus M Sat automaton kno q eps advancing ad innitum e A be um ws ad innitum do es exist from mo del S vine lab elled thus n W o with of if algorithm be the region s make A asoning ks the and s w NonZenoness e Let r and ke t to to king of of for the clo c A timecanadv hec states c ie A nonZeno the h algorithm is prop ortional to quals al l is e lab els on regions M constrain wing result Y eset in informal pro duct under z nonZeno for k of tains mo del automaton automaton is if follo light the this yofsuc d con clo c precondition ber then the the to ck classes the of C only of thatisr of um y hstateof hand time algorithm automaton z n che set ie at ck t path a path where time gro and from the to the region automata alence king switch if d states C However necessary and ws timed to hec of ergen a a c A E king equiv nonZeno automaton prop ortional correctness follo is C invite equals set a of to complexit hec time is is as that c automaton the A gion C nonZeno mo del the e e ber r v R wing that from eac where A us is or is ader orstcase time complexit om um F arliest e Zenoness one timediv Recall the e fr Mo del with a formula clo r w S R Time The automaton Theorem Sat Th ab o timed A Theorem sho regions n C ks ts ted cor The syn parti erier format v ts using the s er the clo c constrain y v plan tactical y k aal coarser to emp oral Logic er textual ultimedia a syn w clo c m to Upp po ula ts for in region automaton a terexample to timed automaton with form k constrain a er RealTime T v constrain Realtime prop ert proto cols inputs TCTL in Figure o rather than on explicit sets of electric compiled orking checkta No coun k yacloc en W is y king the ts clo c b of TCTL er of is giv R Chec ed king algorithms that are implemen realtime k one Sat king correctness hec as sets hec aal is obtained c h k constrain hec t utograph Mo del A is  the is A s Upp suc R h mo del check httpwwwdocsuusedocs rtm vup paal k Region automaton of er tation k ving space without explicitly building the disjoin whic Chec Lab elled region automaton hec pro A graphical description of timed automata b h region can b e expressed b the mo del c of mo del c studies output with state represen and Sat case The mo del c erview ailable under atgta es ythateac v t System Y Ov dealing textual ransition system is a innite T of the proto cols facilitates the By er are based on sets of clo c Timed automaton k industrial haracterize the This vine o of aal hec comp onen aal utograph eral erview ed is exploited v or reasons of eciency A o regions Figure ws to c Here the prop ert Upp F sev  olv Upp v hronization in using rectness priori Y to ol allo tioning of in to c An mo del c a y it er all b ts An v run tics as co er timed timed blance except v ts F applied mo del fairness o a to ula i of increases seman F of constrain CTL h dened constructed form F than king hapter The is eden and Aal is c fair the resem ks and the max constrain hec ulation has b een adapted the c yof k a algorithm automaton dep ends sim this in fairness be rather er hec aal y lo cations in the v w in of in Chapter o ork out all details here consideration mo del fairness no Upp set automaton automaton y replacing eac paths region cardinalit condition of of king the a lab elling supp orts L earlier ks the app earing vited to c the to y of Uppsala Sw hec fair the aal timed terpreted region with king of realtime systems Larsen F also e will not w erview is in in a of ersit that v vided Due F it er o hec deadlo c the is y v of W ula and automata clo c o acceptance pro mo del c Upp are innitely man king an set mo del The lab elled region automaton of course hi reader compared a king Notice logic tics path er TCTL uc hec CTL b efore t there c B k hec are The c of the TCTL complexit viding ula fair as automaton terpreted ks a seman lab elling algorithms can F b olic mo del c ed for A pro in hec h i ula itself w CTL c time F y clo c form ula the mo del ts ie the form elop ed at the Univ erview b The mo del are comp onen h v region facilities to detect enric manner o CTL set aal g with generalized i TCTL to the whic F a new for ery a Upp is tiers some e Besides section a in tire form orstcase case e factor that is prop ortional to TCTL as l er w similar to mo del en j k constrain k with y lik with the a idea quan has of w the this i analogous ts w h for ev the hec v F no against an for l is in ts is a to ol suite for sym hema on the The path basic f In mo del fair paths ultiplicativ Denmark constan are all that m F similar mo del c aal the conclude set erview a a fair TCTL e ettersson Yi dev y analogous recip e can b e follo A that The seen but in path in whic of that paths only The fairness is incorp orated in the region automaton b the of this sc Upp P borg automata and has constrain imal b automaton only on the clo c do es not dep end on thedep ends form W Ov t e a o a is ts of as N be w n the not t and Up A there timed is can aal in are the If equally hronous hannel system ks transition the statemen teger constrain Upp is describ ed via that that sync y the through clo c aluation emp oral Logic conjunction king v is their send l ts systems ork most Send and receiv en b A e k w A ards hec this atomic c at koranin or instance unicate of tak net enabled clo c F y of b h a comparison op erator t is y a ed timed automata automata timed automata then unicate along c afterw g ell unication comp onen ed fullls reads comm Suc hronous sp ecifying olv w k RealTime T v een y l edge only and curren w in as comm the for k hec can are that c comp osed automaton comm king the ts the ariable a clo c clo c be logic if that ts is sync N conjunctions in Chec Since timed and can N is a v including are automata a is enabled A ely x automata j ingredien j automata unication b et of enabled t timed automata Mo del halts satised The system sp ecication tak that comp onen both supp orted automata alue is Figure can of v is where atomic transition N timed in a t timed f through edges n een prop erties the a o resp ectiv t l jA j w system invariants w one of t of timed than of imp ortan A x as l of network If eness automaton tire j and the j ork a teraction part a hronization en constrain w liv d automata x more a most denoted of lab els in and statemen of teger and k jA Example of comm j net a not atest the sync aints l the and the are ein l clo c A unication b et a reads hannels e the form are the input ts in ts v a x of onstr ersus Bounded comp osition consists c ks k hannel ed A execution the c hha utshell ck olv the to case n lo cations no clo c er v Figure v a are as Networks of time input lab elled c in in lab elled Clo whic nonnegativ sp ecies if there is a corresp onding transitionwith in another timed automaton lab elled The comm o asso ciated statemen in is constrain timed automata depicted if ula clo c In aal automaton v p referred form n as the vio The that that ed x teger limits to tation it w in en real k do es not practical satised ybe language of allo giv t an notice bac trace and lo cation the not aal n yma A is in only op erators aal Also subset ‘‘yes’’ ‘‘no’’ bolic y Upp and a are signican Upp sym path terms on a er no of k prop ert they easier ariables of the form graphical visualization of are trace ariable a .prop a hec w the prop ert v verifyta ie use Diagnostic If for automaton p ose j trates ws teger v to Al teger This is violated can b e fed king algorithms e mo del c in algorithm concen y op erators out Prop erties j hec or ks or in as description but k king j of the nested turns EF a hec that indicates ho to determine the satisfaction of a clo c trace c a prop ert be ulator that allo a simulator Symbolic toncloc .txt but and system TCTL timed automaton prop erties x a a G of y asim structure A mo del of tax to y in case cannot logic of safet The the aal PPAAL vides atg2ta checkta and viors U the use op erator es resp ect EF Upp of wing syn can b e generated j beha expressivit erier can b e used mak er v also pro k .atg follo with sp ecifying G e the eciency of the mo del c eness autograph full y v hec A and op erators restricted The Figure the aal for a simple linear constrain y comparison the dynamic is a lo cation of a timed automaton lik el b the a Upp a prop ert oimpro mo del c expressiv T ulator so that it can b e analyzed with the help of the graphical presen suitable and The verifyta time a diagnostic trace lated sim p ossible supp ort diagnostic trace generated the restrictions where dened is l for Notice toplev a of of in es er v the one that ans time list ev more These w than a etr Philips of of b ounds is transfer b eha t y dr successful as b to If ho unks transmission another tigh part h BRP study assumed the sender ofold emp oral Logic terpretation ounde w amount at y een audiovideo is b tually in the used retransmission and w elop ed d the case en treat it mo deled a is complicated y e ev ered dev b and w be clear limite This an precise and retmans a more deliv wn as the ered T b een can unication medium is rather RealTime T king initiate h is tee the be proto col are t uc threshold and to has hec medium deliv the ab ortion b c on m to king that t there determine correctly guaran proto col to small units called c used to o late vior le to Chec certain ork clien is t mo del service es unication medium b et ge proto col w a dep ends t proto col kno an unication do b eha to o late standardization cannot lar w one to Since the comm the an t a retransmission is issued Kato en Ruys arriv that Secondly Mo del e to e a tricacies of the This the w w is and on failure of transmission as indicated comm e unk clearly from BRP realtime exceeds comes so under h timer t unks the of mak h a ac the study trol unit c short tly input proto cols data in timing in wledgemen ered er has a timer to detect supp osed for retransmission has for that proto col case the kno The in DArgenio small deliv curren reads wledgemen the in this order is be it problem capabilities sender BRP of in in kno retransmissions to the receiv Firstly features proto col ol ie ered ac transmission c the o the of BV describ ed and w b ounded y unk king of an industrially relev t an oto serious the h t and a remote con timers deliv c ber pr a ely are transmitted separately hec is buer man are is h le is ab orted buer is rstly case a transmission in case secondly um late correctness h a n eac for illustrate these the e unks o y the absence of an ac h unreliable the data to b e transferred is split in Philips bulks of data les via an infrared comm c T mo del c Electronics equipmen b mission the lik simple There As What extensiv there of The on to o whic for t e to us no for are au and side th t y that gently ks en used p ositiv ur can timed y assignmen thand are ariables hanisms ely mo deled an activit inin v and the righ a k i other tering of a com mec for k a i ak al ly y y lo cations in the the and an shared lo cations dela ts on e the form atomic include ie v to ed not ariable on the lefthand side w terference ariable ust ha Committed is restricted to clo c v in global m comp onen allo do es i Committed transition of Committed lo cations are indicated or is established the j j j j een not ersion ts w alue passing can b e eectiv alue passing is carried out atomically is v other lo cal V bool lo cation ariable bet it y can b e established through ving it constitutes a single atomic ev ariables an aal v ersion k either of that teger v y transition to assignmen t y lea a v Upp abool be ts ed b committed place c hronization hronization y aal are lo cations that are executed means w ts to in latter can e a bool aal in a dela olving the committed lo cation ie the en v in tak t should b e the same as the v sync Upp the assignmen committed lo cation forbids ed i ations Upp assignmen c c can the for olv ariables time Urgency er v of k V dlo Assignmen yofa of assing exemplied b ving that that prex hec t p The use of data in be in is distributed ariables that establishes the v means er the terlea tegers tomicit alue y y alue passing at sync the in mitted lo cation follo is taking place in Committe A Notice of the assignmen p ossible Data in V ensure b b nev v tomaton amoun This to v mo del c The Here j g i in of es S out out een ying S R w h the via NOK receiv via I s it prop erties completed h correctly le i its notication accompan emp oral Logic OK that transmission been I one at the sender e stating the the v the case y all listed prop erties

inputs ha b on ts INC i indications

t out case k ie I R the i states that eac een the case in whic es k ie les In poin e w

RealTime T clien y and a unks and indications via FST in imp osed receiv h w n

FTS S I king t is i f ts e the previous via

sending ofc k h that j

Chec t clien j of e FTS if it satises to logical i j sen a The n i e These prop erties dene relations b et unk the h view  in optional o service access c restriction Mo del assume to unk w k sending e

side h resp ect g no c et  one W out FTS v er FTS S es pairs s in The i wing requiremen i DK the with S n i the I for least n the j Schematic receiv d i y the service n at  of t receiv k o ccurred in d d the i S es d for k NOK outputs h sp ecify e the follo d e

i at h v Note that a distinction is made b et I equals l e n considered error input and output all proto col conforms j is input via w receiv e eha an A t not the OK unks other le h that k I d w is c of unk i h d clien that  the c sp ecication h of e f able k les s T h k a next i ed j y l list or and assume F In The FTS is considered to ha a e out ormal in out F Signatures S S R indicates receiv none that should b e satised b input and output receiving when W while the receiving clien for as side empt i i t d d es er ery en the the h n case if w ev d ation ready of w In sending deliv Remark is t eac A dont Ho t receiv and their unk either the used indic indication h the is ered without an indication Ideally elemen This indication all INC y something NOK indication b efore medium b proto col OK garbled I I successful w whether the last I y rst a be is deliv the NOK description Since indication er obtain an e not I NOK es an the I ything at or an is NOK y to kno ab out NOK this unreliable a an unk i I will not I last one h or d tation can ensure whether the e ean c accompanied t receiv if or y indication is from same OK unks an t has the corresp onding indication ery of the lastbutone c corresp onding indication h of the ansfer Servic I c r e this used the unk but OK are accompanied b h indication the sending clien successfully h the an I ery c information is er the v h It is assumed that either an initial part of t out on the input p ort o receiv File T After unks has so ered did not receiv t do es not need a not OK indication b efore h is read on the input p ort that w Eac After n er INC FST t do es not receiv not is required I I deliv not ered after deliv is or port DK same or d do es someho y o ccur after deliv le I So if the sending clien been Both the sender and the receiv nor t d k FST reason le All other c t fails to come there is no w the ma ered or I t aal the bac en time b ound l unk clien unk ed The h be t is informed after transmission of the whole le or when the h of that the receiv c DK Upp deliv indication output An indication is sen hanged t fol low I er NOK can receiv k lost the rst I sure whole le is deliv t been subsequen wledgemen whole le has hec NOK receiving on ewill es up elemen be got I transp orted kno has clien OK y not deduce that the receiving clien the of the Note that the receiving clien mor n the or the I an can indication ered be last d unk indication h mo del c ery within the giv ery ery of the rst c tma c be to le and w The input the list This completes the informal FTS The sending clien case transmit a the deliv unk h is order will not b e c whether This The deliv the This is b ecause the receiving clien clien has in the last ac This situation arises b ecause no realisticlast implemen that it is unclear from this description whic c to le wrong can proto col giv datum deliv deliv kno sender is when something go es wrong a not OK indication receiving t R or S the the the ber F The alue b ers This time er to is set v Then of at um dont of L t le T hannels proto col a informal t um er receiv a v ered wledgemen the o a es the timer the t of the le is as that er remem unk only t emp oral Logic elemen ter to of h Timer in kno maxim deliv t and exceeds one fact R ter for the n is t arriv tee that data is not rst its n if and only if the le T tissen to the tioned the elemen limited amoun The receiv K considered to DK frame is e men er timer RealTime T I is the exceeds last v aits for an ac o unreliable lossy c the retry coun a as wledgemen w This t ter the this wledgemen king datum kno if and only if after the coun e with as y one o t t kno clien coun w the that Chec corresp onds ery of the lastbutone c arriv concerning is NOK ork t this an indication to I retry the datum is the last item of the le w This e equipp ed Mo del this This frame consists of three bits and a datum receiving to In case an ac the whether hange data via t requiremen S for if unk frame K the h whether h exc requiremen to t the frame the sender w on ts of the le one b rst sender aits for more frames to arriv reason occurs is started and an ac no a indicates whic a should receiv hannel unk single c supp osed is h T of en an indication T a c for bit to c The y o ccur after the deliv ted and the timer is set again or the transmission of the le ving sen a than a service of a le to b e transmitted and sets latter and tin there aits er times out the frame is resen rst bit indicates whether dep ending w er simply w er or for a timeout The t timer T consists proto col reads R rather t is informed of correct transmission or the next elemen deliv that The After ha t and S consists o er the sender t the description k L en is sen If timer rise to unk reset proto col or The second h w indication ma c F Remark Receiv Sender w is t es and be brok ailable to the sender is giv v equipp ed with a timer The service requiremen Ho giv a of retries is incremen is MAX Then the receiv receiving clien k kno to third bit is the socalled alternatingduplicated bit that is used to guaran from the receiv le and a frame is sen T sending clien it starts sending the elemen sen K ed ust the een one n w d equal apart of before dont tm receiv a unk unk state when h unks h exceeds c the h should c o ccurs k le j requires d rst correctly error the then t concerning the last receiving clien and j the ed e in an FTS to b e accompanied with concerning is the lastbutone OK k ts e y I e receiv case b unks NOK the h t c I OK in ed k NOK of that sp ecify the relationship b et i I n n of been NOK INC I if k the indications of all c requires I I e k i n n constrain FST ery indications The requiremen v k k i k n k I i ha j j notied that ber the i that i ed correctly or not and in b oth cases an deliv i INC le um indicating k k k not out n I  k R is states OK OK NOK after OK NOK DK DK NOK through the t I I I address I the I I I I at requires FST j ormal sp ecication of the j of t equal If corresp onding of indications receiv F I s k s s k k s s clien e unk is receiv i i i i i n i i i j v h app ear i be ber unks unk ha aal h h to c w um unk is presen ie er only n h i able c Upp all T to receiving NOK out the through er unk I receiv R k h en to the sending and receiving clien c that the or hec consists of three parts via requires k and i Either this last c that k OK more will follo j e indication e I n means that mo del c ery of the rst sender w indicating unk unk h h The le and from the rst and last c then indications c c either equal indication This requires kno n deliv the indications giv is It A n le a tly timer via i rather t hannels of of proto col esp ecially unrealistic sen unk the accompanied apparen h an are emp oral Logic c le assumption h K proto col as automata failure ack rst adapt expiration whic the ts the A of hannel the R out the and A unk of a le ie to R y er G h is unnatural timed to c unicating through c RealTime T i d F Receiv starting a new of and consider BRP noties king wledgemen prop ert reacted via pro cesses comm i a d R the ork kno assumption is the last c Chec as that whether strong er K L w i of Ac b d unk to ab ort h aits b efore this prop erly therefore G net w BRP Channel Channel view Mo del e rather a S app ears via has W a the sends c whether R ignore R as is and a receiv prop erly indication S in b e S out w S an w hand this S that Schematic ab ortion S F ab reacted of assumption ws Sender B hanism sequel geographically distributed R bit proto col in mec this case S kno til sender the are information to proto col at S un In no R the In that the L w line is this the assumption h ho to and in see the gure b elo alternating suc S using L R and an indication A there in the as an an i tly B y case in transfers and case unclear is Since T in dela the assumption and Mo deling than sligh The BRP consists of a sender K ie K with t y if R its T le le ust wl the the will and alue case ued w m dela er times to at kno the tin hed reacted elemen TD It next its b elo this er t assump v within frame er and the con is happ ens o receiv So In switc the last time ed L message A of et the frame This a y the in prop erly new simply in e handed receiv and and rep eated sender new is ie not is out has o signican is a h rep etition K as last of the le then it vided transmission of arriv time it the er a has been eac A Tw y pro t and heme times b as not er that but transmission sc not receiv p ossible hannel T Then this assumption requires le if al of to as c t bit do es til receiv has the not t of the le and the exp ected v t pro cessing the arriv that t un unk informed h terpreted terrupted the indicates wledged are in Assume that the sender do es not start indicating that on in is the the in previous frame w y not p ossible t before kno Note bit at subsequen ed ac T go es dela alternating b een er le clien t and reset after this frame has b een ac wledgemen is b ecause wledgemen the er b ound is not sucien ered ould b e timeouts denotes yof after a failure receiv w um the w has kno This of kno next receiv is ac as the last elemen deliv description referred frame ac le alternating e le timeouts are h the rst an the a v maxim receiving frame an where y if aal frame necessary of the expires b een wledge ab out the pro cessing sp eed of the receiv b Eac if old terrupted the ab o premature the if is w that this lo The in T out Upp timer expires be new the anew just times the dela bit Note that only if the that er that of only up TD reset k This the Premature expires not will t timer times is is only transmitting MAX e will sho en hec last T time no T has T transmission after giv clien made in the is reset and us requires kno It is set when a frame is sen frame the Assume supp ose failure heme le b efore alternating A T th are long sc timer T mo del c be us been if the a Later on w Timer Timer This completes the informal description of the BRP the the the  fresh ust exceed The whether the previous frame w of receiving timer still for a has This of starts sender not come edged out to tions reading alternating bit so m time units since the rst transmission of a c that that A Let y  in x to be on B the the the eit has hed and eral i new k This is from S sa to e a s while sp eed certain  S y S reac another clo c unk b emitting with e le h y hiev ving indicating indicating If ed via c arbitrarily b ac g en i s transmission h transitions mo ie and mak b een new dep ending emp oral Logic to resets t last x idle initiated a OK to Suc there are sev transmitting the has pro cessing I sen is receiv out is while the for f of and transmitting ving lo cation of incorp orated S y failure on and ack undertak y with resp ect to the b pro cessed transmitted be lo cation If is ab ack y t a This timer will mak tered is aits T in lo cation to one via reset resetting start necessary i w lo cation while alternating d wait y t y dela x RealTime T clien to is en pro cess to bit S being units be after ab ortion not s i sta unk timer h um dela attempts while unk clien ariables the and tly c to king h to c either an time retransmissions of retransmission that sets do es success S sending ted out a of lo cation success it S Chec mo del next maxim without without an curren In lo cation ber where MAX ack a the alternating lo cation sending equals if to SYNC ber le and um the turn that forbid x out idle remark to n unk of rc um k es to the h wait Mo del the e incremen n c v frame y lo cation used new same T w the will le mo del is reset error the to is to a is mo times um i In ensure the rc dela the an x the S of First notice that transitions lea from next R x to of They are executed of to w transitions es frame er v accompanies  t maxim es and Secondly ie v eeping unk or not if x belo mo ariable transitions indicating order receipt k indication h wledged v t T next receiv the lo cation t mo S that additional in er has prop erly reacted to the failure k Urgen kno see subscript On proto col S to but x t an arian ac bit sender case A that expires MAX v NOK Clo c Urgen transmission the in the rc see Figure has three system v x I in S gent  i lo cation oid is initiated of the S urgen d is the last c wledged been S MAX v ur or tro duced i a rc via ting error success d in kno unk timer from has o remarks are in order  h is ed ac DK rc c and alternating called y successful or assumption I sender Tw indicating unk y h rc n retransmit the Mo deling The sender transitions within time ie whether ab incremen the been receiv Going next with lo cation in correctness previous p erformed action since clo c b are long corresp onding information and dela lo cation le b efore the receiv cf ie an p ossibilities c lo cation y y A ts b um un ws n of ted arian v  simplicit i of queues e represen State in rcrab exp_ab<>rab exp_ab<>rab exp_ab<>rab exp_ab<>rab A!ack A!ack A!ack A!ack A!ack in exp_ab<>rab exp_ab<>rab A!ack A!ack exp_ab<>rab exp_ab<>rab exp_ab<>rab A!ack A!ack A!ack exp_ab<>rab exp_ab<>rab A!ack A!ack exp_ab<>rab exp_ab<>rab exp_ab<>rab exp_ab<>rab exp_ab<>rab A!ack A!ack A!ack A!ack A!ack frame In lo cation z

ro states of er b um n are enc tation managemen c in is esses gro Num The this c to Note that the sc ercome that o enco de v that have In o o mo del pr and tial T to represen to e of memory to represen we problem for e e t hniques dicult er her ac problem of StateSpace bolic analysis e this that Figure sp exp onen hnique not ey numb hniques is kle Ecien is suited Sym tec considered app ears wing tec einFigur CTL state ortanc tec It This tac the example Surv ac A the of for imp been to formance of only explosion follo jor sp n a is is s g om g can h as of fr CTL s s f hniques ted whic the f acteristic ec example er T b efore v n to of fol lows ding function S corresp onding o successor s represen alue a next v The char End and of is is R Reduction s table et the enc BDT The idea of this L essor e c inputs boolean e state tr s truth a suc R a binary relation o relation transition relation if elow a its is db and with the the is R cision by p ossible only e s y R de d of StateSpace a s function R all w lik f ey and s liste g if lab elled relation state s is this binary del depicte s s Surv if R is listing R In A n mo in that or instance a p ossible enco ding for f g only F is haracteristic R del leaf CTL only if c table f k fact n elation g h g r  s f s its is mo s and as a ro oted The successor the eac y trees b truth if f ely CTL that essor a R c n pair f ifand that f y g b suc is s Consider the s s the S example s the  ted  example is dened f s s decision s s or n R of function F das tation s R A R f f that s instance represen h and del or s R e dene enco ding suc Relation F b o olean function Example b where Bo olean be output or alternativ Binary represen f mo function e a y t is y It b au the the can of rep states ersing except on e tee v space systems start bijectiv of discussed BDDs e describ e tra e p erformed generalit region a e metho ds king can b e eplac consist mo dels tree W v r esentation a order on of hw compact state guaran ha hec to a epr or when CTL r e using carried out using loss the is lab elling eried w not total w n v mo dels a tation vide a er ho decision h b olic k p ossible mo del c be umeration can is Once ertices pro mo del and en v suc as hec to manipulations sym chnique c length presen Without t CTL of S but CTL tly binary section all of there BDDs act that do es not satisfy this constrain the a S amte S mo del this omp and systems order that to BDDs cases c ector endp oin ecien blur If in a the Recall as R all Diagr functions the algorithm at hand is explicit state as to aph bitv by these ie functions in gr automaton means ted a similar es not n out king y v hi SMV cision is describ e b BDDs wing relation uc for hec lea This e In De B n w acyclic allo order b o olean are used ted represen b o olean its determines a tation esentation y d explosion carried using in of of it be added cte as t epr be This lab elling function is not of great imp ortance here e r BDDs that ted Binary BDDs successor be ers using binary decision diagrams mo dels that are used for tations e one can space dir represen hniques ust systems on a ac of represen tation being Ak a to m is ted can tec S tly BDD is to S use eral can b e considered as a b o olean function after whic state comp onen represen ariables represen v R in BDDs the mo del c the imp ossible to handle using sev has a cardinalit statesp space these relations the the functions represen w due of S states of this of ecien be y states of from ro ot a bolic of state algorithms using structure state out ide b olically h ould omit explicit BDD sym set tro duce dumm its tation b o olean e b olic statespace compact graph The A Eac in sym these w the The w oidance o y v Sym tomaton is represen the resen a that w that then assume that these the enco ded o ccurrences turns out that in particular the op erations needed for b carried discussing ho with atomic prop ositions so in Chapter be Enco ding nite T ho e y y is A v b set ie an a x BDT ab o ted E ro oted t and for to hniques is a tain n in in ec functions edges v V The total order is T n con i h isomorphic n alue x b i represen not v v where X a xed x h b o olean for in a decision tree B incoming for assignmen f n t er v do es f for Reduction v B As an auxiliary notion v istherootofthe o B f V E i ertices G f z v v i B presen x v of v x f without b ansion that pair short j using this expansion ertex alue of V a h exp and yp es ariables and where diagrams for i diagram is v that is v graph suc tt x v v The v graph B of StateSpace G ar B f b o olean function n v i j f ey is rewritten n terminal v v edges Shannon disjoin ertices are omitted ertex a OBDD be acyclic v The o acyclic decision short v Surv x of tv for all B w decision equals i with redundancy A am can a BDT x for for in set g n g v y single x a the b f socalled o j diagr ws a binary v x V directed B ertex b e a set of b o olean v f taining t dag am f ted v the of directed binary g or follo av n con y x f j tains i V b v cision b as g diagr V n path de graph v con x ertex E g for i Ordered Ro oted represen n x it concept x ar E v n x if b nite dened ordered f ertex without incoming edges f inspired v binary d acyclic a and that v is ertexset is x d f v A binary decision diagram is a binary decision tree in whic d h e ote v v j n function x o X r B ie cte b e a BDT and recall the V suc der f f e is B ertices or nonterminal v The Let X ertex a binary decision v dir a x v unction v av ie the topv Let f dag on Denition An dag with of cycles In Reduced reduced subtrees are collapsed and redundan Denition A let us denition b F e v on are the the ws alue hed en in while hange In binary c s follo size of a reac based Leafs determine and ha is the lines n and aecting could to ertex e one ar leaf  v v s w R a h f dashed obtained as til s s ariables o ccurring in ts can b e determined example eac without nonterminals v as equals un ting  instance ariable or s at ertex In addition the F n s wn the instance or  to as s f F BDT is of s ar dra hing or ertex s v  v F s ery compact in fact the size of represen s BDTv lines are s order a the s alue that of the previous example is giv referred v leaf to y R  t to the argumen a solid f b s the in s are means of a case y ro ot branc hildren to lab els b y s hild corresp onds to the case that the v s ted b the decision tree  hange function s s ted ro ot c that zeroc BDTs are not v ertices ted to ariables v s of the truth table of s to the from the the en assignmen s tation ould  The rst c represen the w s w latter ariable represen other v Abinary e no v in Figure  from edges n s w is the tiate o are if starting  the represen ertices are lab elled with a b o olean v s ordering haracteristic function BDT of unction ersing leaf tree alue for a giv s a v F zero and instan tical to the size hange n  c of e Figure tra hildren the alue s the z Other v ariable w v v of not BDT depicted t equals onec when erse the tree accordingly tation b o olean function represen v ersing n to alue v do es tree is iden hildren v of the b olic statespace curren assigned tree ar The function v The tra h v oc y R w Figure decision tree of the c t often called terminals and Sym either or edges of represen b the the Denition size the The BDT f and tra suc to one ter ond t c to se hniques one p oin incoming ec example v the T ertex of its than v form h all ertex v violate End suc a more Figure a es to e of Reduction cf t redirect tains subtr to reduced poin edges con and ertices form v these that of OBDD OBDD in of StateSpace ertex outgoing es v edges an reduced ey terminal v b ecomes OBDD for short suggests three p ossible if all b ecomes b ecomes both to a Surv if A topvertic eliminate obsolete redirect the tests terminals to transform an t the OBDD in then e and v en w OBDD or Steps R Figure b remo a duplicate redundan ertex cf v of of w eing b al al lab elled to isomorphic v v of same Figure e transform a giv them and ar aint e the Remo edges Remo minal of to e c a b The denition of reduced OBDD R ys a onstr subtr c w v at X or en the F that giv v from that v leftmost o h the w ar to v the OBDD edge v requires suc R tical one and v hold ertex v in a the resp ect s from v ariable alue not w ertices v v has iden w with edge but v z d ariables alue v OBDD is an acyclic graph the nonterminals ertex el le is a terminal v boolean v terminal v the wing conditions the a lab z w nonterminal OBDD ertices to denote isomorphic sub w y V b or follo tical that the an F ertex a b o olean v alue w v w vertex is v y v tees o V if the ar v w z w iden v false the t forbids v d lab elling of lab elled v ed v e e w v at v allo is t ar the v duc v o terminal v d v e an ertices o allo alue r o a not Figur v on tation ar ote v is lab elled b v o OBDD t v v w to r are z that of Bry v t also guaran ertex w do es v es to v w e t ar ro ot case is called t states that no nonterminal v v represen g BDT ertex i ertices v due hildren v constrain subtr the c the constrain Reduced o v The second constrain The z ts are X w h nonterminal nonterminal terminal constrain t two v ar from This v h h h er o nonterminal v terminal true has the o terminal v last eac eac eac v BDDs h h ordering rst constrain f o represen path B e w the ar and eac w eac for for for t y that for all nonterminal v v v b olic statespace The The an h z Sym suc most Example instanc zerosuccessors dags case Denition OBDD to Ordered ordering on ts of of an s the the ari  OB v b een tran larger R s OBDD hniques End ting esenting  s mo del or the BDT has the ec F s T ordering s epr ordering exp erimen left R CTL t boolean s ting onsidering en compact c  hema s s represen sc the s giv by in the OBDD r of s a example two  dieren d sample bits s s mo dels dundancy in rather Reduction a represen This e ate the  only or then the ordering in the n s CTL small n F under s h vides e dering a b ordering ordering il lustr under h or lik pro whic n s for s OBDD s the whic also in R larger s exploits the r on e of StateSpace for whereas value of variable orderings for our systems right ey t e b depicts the R tially s n ariables Figure alternated exist ent instanc v the s Surv and thus dep ends in s Figur needed in are for A n es the  dier substan and as n are s s transition e is a s on be for dieren vertic  Examples strongly s s wher s This s can  using illustrated s states transition d s terpart s is  a s der to determine the of ordering s but OBDDs way OBDD s s b of nitestate R visite coun an R eects ber s in or This o e s of onsists of a ar um s Tw of  if n that target s Figure es these optimal function averse s us e wn s in size tial a ordering and OBDD c relation  symmetric Th under s vertic s sho mor to tr same e e The its a e v OBDD is ath Figure thr in p This R the without using the fact that example ables applied or exp onen source DDs sition ha R examples d in es for X are sig and NP OB sim ethe w as R is on is OBDD to y vertic R Sinc a ertices esents the the ts and w b ottomup redirect all determine ariables of v the a epr of v dering v is OBDD same function y easily decided y or R problem b t same amoun ys true or false ber and be a the isomorphism that e a an the w this ertices um or total the v equalit to of done can b o olean a or in eg esents v R be the up ariables f size the to Bry e that for some evaluations v k epr The BDT that r d in Figur r onsists of can on distinct the its eg hec lab elled OBDD is alw c o Notic obtained to w OBDD t to eliminate R es is expressions if ertex OBDD is depicte v Figure c ordering variables and R elevant have alues v e and c b o olean functions OBDD that t result is due dundancy a cf irr e an suces unique R we r s whether a R e OBDD to i a b a total it ole b o olean R k of isomorphic in o one a b is a e terminal e or s e hec b o olean F X OBDDs then in time that is linear in the n y of ar en h imp ortan gr d in Figur b tation exists might of other de nonterminals B set s Giv t OBDD single onsists of vertic ted a over This s a false there e an and functions b computations on B to the represen is depicte variable g or OBDD that of of B n with a R eral duplicate dering and represen y assignmen substantial of directed graph true of function sev a B Consider again our running example alence ts B x al f onding R v elation Denition this x value equalit ro ots of isomorphic R ariable f esp function k ts v equiv or instance in order to c cf B aresult ontains the F y OBDDs c b o olean function incoming edges the Remo f orr as represen hec transformation c b olic statespace R antly smal ler it only c c ersal of the OBDD X R an The As h v f for variable or ansition r or et R Sym tra the BDTs The some represen suc L Theorem F f BDT nic of for DDs ply tr complete Example The that e to to B high yp e of inan n OBDD OBDD a utshell tend hniques and starting large n iteration R R haracter in purp oses ec c a computing h T to B OBDDs w the b o olean the s the from Sat In is eac the that for er king tation s v exploration ie o ts In Since this t hec c using R OBDDs space s R space compute Reduction us OBDD obtained king strategies to represen Th for Chapter Chapter mo del state t length hec state for g or instance computation of F for case t of cf the that OBDDrepresen a binary op erator on b o oleans for directly j R is constructed h Sat Sat is poin strategies a of Sat s bolic space suc since t s of StateSpace of mo del c s bergLong managemen elop ed with OBDDs jM t sym ulas xed Sat exploited algorithms tation of the state space this is referred ey R tation S state dev obtain be state the only if Surv to least s king OBDDs B the ts e Grum Sat to f R memory wn to constructing the R A a y umeration subform hec of OBDD B y a without c y algorithms M on en b if and w y aR the some size feasible b olic represen represen CTL e Appl cking Sat mo del OBDDrepresen managemen space mo del Appl w b oils do originally b een not direct iterations can n with ula R that e che a no asym op erator all set king v computed B n consider in the ha del state excessiv an hec often form is e more thorough treatmen s c CTL er that for w mo is is s v starting of the o y CTL B s y or a it y often f of previous sa king king uses a F h olic s U hniques t explicit w mo del Instead Memory hec Sat hec section the carry e Sat Appl tec B f an symb E f for or eac migh results F e practice this el description of the Sat Sat B ariables These from In reduce handle lev istic function v Mo del c the iterativ where f Lik refer to McMillan and Clark In Sat to as one mo del c y is of in to to Let can d y OB hard exist x Most M ariable OBDD tical v do ws R ery invite example al a spaces x a algorithms rep orted iden is v is of follo et to OBDDmo del there complexit is It h nd R as state y ariable ordering these been is the cardinalit n er ader rise End to v e e n description en in Figure b for r x yv time v NPcomplete Burc ha cases is briey tations n gives is giv Moreo The x R practice complexit ond system gures n ariables orks In y v es orstcase as OBDDs w bey w represen x R time practical ordering of i n needed OBDD y OBDDs for an of and vertic CTL x the ariables where is tation of the state space using R tation x e man v for complexit n obtained ariable v for states orstcase means for is states w y tialsize R dering reordering impro boolean v b of represen with i or that x n that the y OBDDs a not w ber b esttime optimal of algorithm R w b olic represen er tation i x v function exp onen x um sho or o an OBDD n dynamic e do es compact R R king mo del variable v the a spaces a using explicit state space n x is constructed as explained in the previous section eg for or hec using c represen CTL in dering compact The R to results algorithms linear or nding a or a a king OBDD S n OBDDs of es eragetime rise be in R king v king hec Consider mo del a results n only with state yaR ell of hec heuristics ers based on a sym ted vertic w c hec k ts variable gives for Empirical x c that bolic use n problem ted b exact x hec S R the x n this e f quite apply ariables sym b olic statespace mo del king v literature The represen The of our running example the corresp onding R ck giv ork hec with Using Example b o olean functions that ha Sym the be the c Exp erimen to that of mo del c M M of the state space The Mo del the represen DDs che mo del c ordering w t k m K us wn de and y ter M that th ould hec state these while c w storing h once o k hniques reduced e wn hing can state T and the w ec K umeration on redundan is wing do Holzmann T imp ortance sho descriptors as hannel c If n e matc connect to Since accesses of v to explored h oids N v tered again later is usage ha state a eac due random o do so consider a that S exploring fo cussed practice T of is matching b eing hannels of capacit of Reduction are t on in h referred long are During the searc t states that state t tly successors ten is encoun memory er state metho ds hannels once c ev Z y means of message passing whic and its con w absen the k elemen curren usually rather to as Storing ho all hniques is trol lo cation program coun the is o most w tec analysis that Z Z t hnique at top o y of StateSpace h that in hing Holzmann to w tec erage of this explicit state en b er of states and long state descriptors resource system t the con wledge v ey if a state in referred suc this leads to maximally pro cesses the states p er pro cess c pro cess h um is n reexplore M ts kno habilit h state N in secondary memory without slo visited suc next Surv stored Z to only or is eac comparing hashing A of uge n the reac F Accesses this with hange information b are manner The to is in for ariable e b een considered visited state but ts tly v state they h A state system denotes ariable ypically a scarce necessary bitstate eac eral comp onen suitable S traditional amoun ariables memory h global v a not the predictable omitted tered of signican us that is in explored th ts be tly ariables are main hglobalv it lo cal v v it hashing h that they can exc sequence S ance in discuss distributed h been of of hing in e could to adv ypically this leads to a h v an encoun ecien consists of sev global T searc Z ha main memory is t part in matc alues stored v alue of eac m state computations w Measuremen or done order sequence the is records the states that ha space Z last in whether states kno explorations of parts of the state space the most timeconsuming op eration issis not but the the generation storage of of states states and nor state the matc analy to this data structure can b e stored the Z Z and rangesize of eac The main problem though is the p o or co State states parallel or let us briey describ e the traditional storage of states pro cesses suc plus since Bitstate In and the v be scriptor h hi to In TL the The has uc suc is PL h B uc k and similar s If and whether of of of on searc y ypical un ertex ed h strategies v k section hi automata text t cycle uc hec a con c based this In the rst outer ted as a stac of emptiness space nonempt successors in the it is h strategy as m o basic data structures is to curren ber in h w breadthrst king state s g strongly e hable from the initial state direct mem s of hec is lik hand searc c f The t of is strategies at h algorithm TL for t set ersal discussed ie v Z ertices PL n be S Z the usually implemen tra king of emptiness of B e a more detailed lo ok at a t S able s strategies S path from h v i ertex king itself hec i h s V will s h h hec automaton algorithm in S c searc managemen s denotes ertex visited v searc s from hi ethec V S the h s uc S let S Z B of mo del strategies other innermost depthrst hable ertex that t let memory V the that to hniques let us ha Depthrst Z reac h algorithm see T hi Z of Since the h an accepting state that is reac i is true t strategies second s of hi s set sequence h found hniques are not only applicable to depthrst searc s Recall t of memory used in this depthrst searc applied the DepthFirstSearc Chapter is state Z S managemen able Z if S alidated idea In be T v analysis ar in do S Z v od king from y analysis metho ds lik y state These tec is managemen also basic states hec y precondition memory of accepting can habilit habilit pro cedure begin end Recall The h set Memory is computed most depthrst searc suc mo del c reac automata is based on a nested depthrst searc these reac in this algorithm are a sequence of states a accepting prop ert p ossible but nested depthrst searc reduce the amoun order to discuss these tec a y y y b are the the the tly The of heme hable hash Lero Stern sc hniques h than address bitarra the ec b efore and T e instance it is p ossible heme y searc the Consequen hashfunction tioned As s descriptors truncation for Mathematically b er of reac and state smaller olp er resolv Lero s e p osition y s um space bit ag the h W to tly a bitar state bit state space and y Reduction as a aforemen to with w injectiv state bitar p ositions in on y app ear cause Since the is olp er no s s us y probabilit of signican a nonp erfect h ey in is W ma h artial is ximated ber is not considered p this ie bitstate hashing s a fact um hashk there n of StateSpace before appro t wrongly decide that a state has b een In considered is ey y letting the reduce address addresses viding state k be to called s ed b of Surv instead visited pro hashcollision That is for states h and A it will not yield wrong results has b een visited th a not app ear hashfunction hiev onemigh ber e s h t used made been hashing Figure tly s um Basic principle of e n v states h stage in are actually migh descriptor ha been p erfect of if state the is s although collisions a e heme is ac with v of ber is state that no ha Consequen h that a Since um heme Figure functions with a sophisticated collision resolution sc addresses n tered descriptor illustrated sc y b e noninjectiv b er of addresses is assumed to b e equal to the n hable states socalled hashcollisions ma thissc y s that is states atatooearly h k ma p the but um maps N hash Notice this state e h y is h successors o prop osals w heme s path hnically bitarra N is encoun us p sc storing h ec the h s ber of reac stored of t T Th eral the um where Sev only use n sp eaking in function where the n statedescriptors This that visited while it has not s also collision not searc probabilit e it e ca the the and and only state state main main table high that State space ation ess efor results a instead b is in p ositiv memory ie although d b efore a addr descriptors to sparse longer already is observ of simple us visited on b elong to alue h e states addressing visite er Holzmann a v is Z v Th ery has b een visited w uc state total state instance v s all p ossible Empirical s en not m addresses there the e obtained a ab o set visited memory b of or states hable to F is yte be yte Mbit this a capacities of the the the on y has s assigned reac if state been it do es ypically to ts h maps need to b e stored t limited ma subset onto is exceeds of of obtained a d Mb factor er has and state e s are Due is y since times still that ber bitar h the h is only erage represen um large state mapp descriptors v us nev n y ered a to bits co the addressing is v spaces bitar hnique descriptors y w stored a store co that y equal the b usage arra state whether tec whether if be exceptional if and only if state to function er is lo of up its s state v bit not unication proto cols with a factor hable states is a factor lo state for t is to o s h exceeds y is king not states en ating bitarra er able descriptor state is that The disp osal ev idea hec T abilistic ev c h state h bitar the states w ob state hine b indic of is consulted hable our for comm the fact to teresting mapping pr state ho suc in of for descriptors b er of reac main memory of capacit whic in bit a a addresses at them mac ts descriptors reac a bitar us the the t um co de hable y that ber yof y states a t strategies alues ation yte address Th to w hine eg um er single the seems reac state ternal memory size of for instance Mb n amoun bits en systems ev of a a vided hashing in of mac due hable this w and represen observ giv to pro Z is handle state ho In heme a total probabilit of necessary that the reac of sc states the n or an in will simply to this y ytes in case F managemen otherwise for of can e subset wn the ving oints the b ber state descriptors are ignored and th Initially all v bitstate practical This v p on ha of sho um hing or By ab o n e F added that v of the is of addresses and bitarra equals equals before addresses Memory metho d After Based probabilit memory descriptors selected though strategy the lo okup descriptor memory matc ratio the ha pabilities of an Mb of eg a of as til the the and The The pro he from un b een order ted in repre of e again spaces on hnique certain actions he and cac hniques ed he ab out space In he v a has exploring ec of efor state the b e cac T sp ecied cac full state is d for section based remo state tered that ache solv unications the explored are c is vings the the the reduction be a visited actions visite in t of next ely of The to useful to and state A p ossible tec of ving en comm encoun tly terlea e Reduction ed from the cac h n the parallel comp osition of b explosion in hnique can b e increased size v is systems only stored state  in added h terlea tly pro duct is i maintain signican searc the visited have frequen In are co op erativ a suc the space be state to systems sequence the the h p ossible a Pirottin hing to less that than j b er of transitions is ab out times are in i that ide eac is all state cac select states P for describ ed aving j um consequen ts of StateSpace indicate i us ypically the used previously ordered states P larger n i this T ey hardw th again ts a state and on of Q tly interle of visited system d on eg Surv and of ted new that he is selected and remo times tered totally all p olicies to ase case comp onen The eciency of this tec reduction A size statespace so recen the b a t a is reduction cause d pro cesses of h hing and partialorder reduction is implemen of is few If exp erimen h and is orst and n means that a mo del least y w encoun set practice y of a runs and run is a b in Dieren ma jor wn estricte in r aching Go defroid Holzmann in b er of visits to a state can b e reduced only empt of c he approac A sho to b e represen of e ts partialorder is um systems Spin e o ccupied cac are ac v adopted is ts system this added he er p ossible states ha k a common the be is consist of ts it has turned out that the n cac fully that parallelism all of ts need comp osition t hec memory artialorder erage during a searc t c is can Statesp of v that the tly if the n from that quite state P ber purp ose poin Studies distributed he fast he comp onen ed spaces um are v sp ecication equals cac a n parallel mo del cac bination of statespace cac new this tation on represen the the so state Initially the the previously inserted state in the cac Systems memory requiremen this task the to cols the By exp erimen the times on a for com remo signican critical to of sen principle of comp onen tof belt Here depth memory bitstate in tly largescale h h The total Knotten eral erage v sev The problem bits in h standard searc bitstate searc functions searc storge signican taking Kbits of memory explosion results hash h with bitstate hashing outp er ab out on problem co o state w e t space go o d space erage of the problem at hand is illus v memory using Holzmann with state state of exhaustiv the w that with a considerable smaller amoun an aching ytes c of the applied hashing of bitstate hashing with ailable memory in bits e es sho Mb v of ac sp been erage um a v in case e Kritzinger to tional ie explicit state space coping Holzmann co v Eect dynamic en The curv hing t strategies state ha v for maxim close the and cac studies called are descriptor hnique is hniques

erage v co problem ts Figure h Harrison and tec managemen tec the generation of ab out states eac state searc Dill the The eect of bitstate hashing on the co ailable memory v hashing for forms that with con requiremen Memory and a the bitstate hashing algorithm hasrequires b een applied to a data transfer proto col that industrial case Mestern trated in Figure rst Statespace Another h a h of hi es to In be in er An ba h v uc that e ts tak to while B vings ed ex mo del tra Suc v hniques er el of the they h approac ignor ec hing states T terlea nev h amoun Suc execution terlea ely considers and able in and stubb orn sets pro duct T h the searc e al the searc onthey sp ecication needs of e the et cf considered of searc tativ s ample e of Reduction and actual reduction are etri nets sleep sets text the system subset selectiv instance state the con t represen e sets Kurshan selectiv the or ust lead to the same resulting The t with F of dynamic partialorder reduc to oid the mo dication of the searc y directly constructing a partial the efor transitions are transitions whose the emptiness to McMillan and Esparza t transitions that is to v b generated successors called a t curren tain accepting states from in deal for er is partialorder of StateSpace refer order k the p ersisten select oided b e nev these erefer will ey h the construction of the in v used w space of tactically hec e space hniques a c of p erforming a us that con their hw w be syn they Surv th y p erforming the reduction at the lev to determined ts is a dynamic for of b state indep enden h is A basic principles is e can us er ely subset k the th h reduction space section the whic a is particularly suitable for P hable via dep enden case successors tire state e ample sets that is hec of h tation en hniques in tuitiv lik all hable cycles this only The basic idea of these concepts is to consider only those y In state tec a the irresp ectiv explained in Chapter approac of t w tation partialorder approac will treat as approac represen temp oral explored notions e the This partialorder t transitions in either order b oth m w TL same exploring reduced sequel be dieren in sp ecication This reduction ving PL y purely partialorder reduction tec represen b to linear the transitions the the are tirely partialorder approac t static for hapter e b een dened terlea c dier In are the v stored Static place In the pansion of parallel comp onen engine of the mo del c order in system need for states king ersing In There this v o indep enden eled hec w In automaton that is reac for the en tra tion sal starts in the nonreduced casenew from the initial state andpartialorder successiv partial exploration of Amongst others sets ha successor states that are reac dep enden sically eects t state P c t t h h w be all the to ed are ter no k to to in mo del not Whic hes h these hec are the b est c sucien sucien ariable in the states ds need In is be one e of all these n w reduces to runs erty it is that to tains no b o dies that the op that is teger v i metho examined doubled due y reduce er tativ pr P p erforming con as ev to with space reduced it that w or System space is F tanin e to b e states This em er w ho given k prop ert h the ac duction y that e r sp the hec in the state pro cesses is the needs tation of n orderings of der er a mo dication of the searc ted for partialorder approac on t approac state global state prop ert ev mo del c w space prop erties the reduced h pro cedure the subset this the represen of en state are computed while exploring en just one represen validity a of artialor dieren states of of represen dep end hniques p the state n desired and der y n the art d class are p but partially ordered sequences co de idea t tec the ma the searc us ck d cke e th the of ed che o pro cesses b oth incremen large che reduction consider reduced reduced duc artialor w ts e e a p to r b to during king a activities the the t a size of to t preserv underlying to king hec hnique it requires ho Dynamic partialorder reduction is the most p opular and for c the een in In a traditional state space exploration all these orderings single ordering of only be t w hec erty c e comp onen The sucient op ts to building the Cartesian pro duct of the state spaces of the sucien to Spin bet partialorder ted n or king pr enable F tation concurren teresting successors of a giv t state or example if t for a only a or elop ed tec hec explor F then F need to of occur ovably requiremen and steps the end result is the same regardless of the order in whic ts ts are basically three dieren it is j pr e dynamic Given i dierence represen vings vings vings vings instance k only some in most of the cases ev P mo del c In most dev p ossible in the curren pro cedure explored is determined j basic or king considered hec F There The ving n i terlea terlea terlea terlea ards artialorder reduction hec P in assignmen explicitly represen are to c no longer totally ordered sequences P state spaces amoun comp onen case the state space of the parallel comp osition of successiv lea incorp oration of dynamic partialorder reduction in c in The in w y S of s b the ie y tran s on t hniques h included ec erhead enabled fullled eac T v be state b er of states cardinalit t for symmetric um ust dep ends m is the indep enden ws simply that the n it h be Reduction follo if to curren with small o ample sets than Z S suc as pair of critically s tion a I g ten transitions using course S elation s y r h smaller of from transitions e g a a is dened man tly s states algorithm path from searc on Z can S to computed of StateSpace Z f ample h t tly i ey endenc ie s g y g h consider a e need State j s searc s Surv S Z signican indep e s visited State S s relation s sucien A i depthrst a ignore h an of s f e indep endence requiremen h is ample ample irreexiv to but this is not the in visibilit let in s State selectiv ample sets in a s a eSearc that This and enabled j called of preferably j the i Selectiv the S Z true is s I let idea is s s s notion of I be hi set of sequence h a and er T a enabled f v f the Selectiv Indep endence S Z The S if instead b a T ample s a b able ar should S Z do v od T Moreo of h b efore used s I s correctness I eac ample be pro cedure precondition b egin end for The stated ample ould a b letting enabled in this set so thatw the obtained results coincide with the results when in calculation Denition Indep endence As sition only one Relation and e s T in the The that that with order s s and h h R s coincide In R suc suc in particular h d ifandonly h generated In and deterministic deterministic not obtained replace this subset b e is searc is referred to as s s s or since transitions e searc F are T w disable R s s e eleton of a selectiv role mo died h nite set of states that is y t R a consider be s s a partial s if t whic e a s s selectiv where W S b system y the algorithm in Chapter can terexample there is at most one state this atomic prop ositions eg a a for s and a Let for state of of prominen t S The basic sk and coun in enabled Lab el a nonempt h elemen a terexample otherwise s s S s sets y a a the h state Eac p erform s s S R transitions results coun pla T automaton a s s shorthand T with to with dep enden sets transitions that from In a similar w hi the is h with a small dierence a The h is denoted of enabled transitions as S a uc are system that h s s t B suc states h a set idea in eac dier a disabled s T s esearc a graph h that for eac t transitions ample suc of able the y s b b suc if dieren and a transition relation e a s migh v p erformed ample transitions enabled ansition system that for transition space the a in is tr h en in T reduced using h ab o algorithm lab elling of us d denote h than a h y a set of transitions h een emptiness mo deled Th the whic with the state Notice that this is not a real restriction since nondeterministic w that is isa State Enabled detected transition searc hisgiv be often T stated enable s searc the bet a e is AP e the e e from is searc v w s s Lab el can decide a e a ha mo del can b e dened as a triple ed king relation b a a b v to e ample exists S selectiv failure w S T hec c CTL of transitions suc let a a reducing has remo exhaustiv of transitions As A h that distinguish there for transition rather set artialorder reduction ransition or to one P Selectiv F successor M Denition Lab el a transition T Denition set then transitions suc transitions ie transitions a if the only a subset of the enabled transitions is explored are with the results of the exhaustiv case only denoted depthrst searc b st is be y and par stut End to b and s states be hniques s alidit ec e v s said s T prop osition under can s subsequence s s are h lab elled Figur esentative alid kof have s whose v they eac with ach of epr in e s atomic ulas if r d we blo c t t s of ulas Reduction tpaths for are equally e one form th alen alen k p Then system h of alen j matche path form X that only if for all paths only g is e explor Suc equiv TL equiv b equiv lik g s to PL ulas is the s q aths p is f ck M ansition if and s of ula tr sequences if of StateSpace form blo g g q set p of stuttering ey form f sequence f s stuttering s the and t a nite stuttering duction s the set e supp ose g are of quivalent r s Surv are stuttering p f alen ks for f A that the s art s if and only der b with p under paths blo c is equally lab elled to the see equiv under d and o y j s w and the to Example of stuttering correct t stuttering of stutteringe g artialor man k be p of matche ariance haracterize c s of v to is blo c M invariant These stuttering s a dicult In to t under class is s Consider h stuttering th sequences ide e teed Figure s k innitely not eac s arian s b ck is ely v ula to asic s st b s for in in blo p ossible It tunder guaran f s it quivalenc tuitiv is form that the not e The s tical Is In a h arian example is TL s v This iden in Denition PL titioned suc Example let equals p tering of s e is is y e in v ust the the not T ab m ha naiv if e j e denoted do es w hed after a j This it The second dep endency s space instance if and are enabled in a t then simply a order results b the or t for a prop ert transitions F same t AP an quivalent state as ransition e s and k T j to to a the k the visible i if is i that of AP results i h are indep enden resp ect indep enden termediate state reac stuttering state Lab el referred suc AP Lab el is called of is S a b tegers h other a are AP correct with I reduction transitions in either tro duced n pair t and a resulting t s s T eonthein obtain visible t the all in k k that alence to p ossible T Otherwise y enable eac j k is i a for indep enden is since teed if equiv AP states termediate states that are irrelev prop ositions and t b e sensitiv transition a transition is in atomic prop ositions in while this state is not consulted if the alternativ Lab el that AP Lab el and for all suggests s and is still enabled in the resulting state after guaran I transition o innite sequences of in yof to b s w executing a of atomic k s ed migh a visible are p ossible and transitions not k s j s t condition k i b j Lab el p ossibilities of yofthe a In Stuttering ba that er hec b visibilit ords condition resp ect h other but they ma rst set the ev in w i and alidit w a v of AP o determine the in in Lab el Lab el ho ab enabled s state The T with be that latter complemen paths if there are t b the y tobec one is has b een executed s h a a a AP same notion of st suc The The Stated artialorder reduction then after taking hange P orderings the s condition states not disable eac relation recip e ignore prop ert rst the omitted Denition Let invisible Lab el Denition Innite c o is as us on T are s sets idea that th king s inde these but depth h hard hec hniques reduced of c t implies precisely condition ec space usual as onthey suc ample ample the T dep ends ample the is in in the original scop e t y condition in en b efore some enabled third More state S these tb the whereas taking is constrain construction the strengthenings y outgoing transition a and path This can simply b e tire strongly y t b b oid h Reduction automaton en t v ond constrain stronger t hard a section rst hi cycle a done sequence compute that single the bey whic is alen can b e tak uc y s is a Dieren t eto to b B is the in The the The second second w case ts in tee that all paths this e bitstate hashing as an option constrain y of the transitions in in ho s least previous sets h the here ample state the is y close a cycle ould lik at exploring of StateSpace a this pro duct constrain w replaced the en whic state tof manner as e king ey has ma ev constrain in already t w y tee ample to guaran s in the last state space hec tains h is hniques lik stutteringequiv is y c of of Surv hard a question usually state con w the It these not treated A whic as ecien guaran a is ample foran that it the some is of s t Since if reduced if y en explained king b that least precise ed tak as that hec w c at ted ample space is cycle p ossible computation sets ts are necessary explored ys is The constrain a in allo t s bination with tec nonemptiness sa so in the ed is if hing results k t it e justication v last not cac the represen ample hec haracterization no transition in and tal c c is state ecien full state ample computation and king The e the incom it closes a are included eled prop oses to strengthen the last constrain condition o constrain be in an this hec w if h constrain P er s cycle Spin this notes t transition rst this do es not disable an en eectiv computes space nev A e space construct er ed rst searc statespace last t easily k k second mo del of Giv an to oiding c artialorder reduction is for instance realized in the linear temp oral logic mo del v hec hec The then it should ha transition that only transitions that are indep enden penden The the can state state in lecture and is P c Spin a the Exp erimen exploring the p ossible enabled c resolv rst facilitates h ts of ts re the hed fact wing set in d with certain In stutter cannot matc e follo invariant s a the of stuttering alid esse is b v is is on the e constrain Wilk st visible ed is k in in p tee that for eac ample e expr indep endence ator there and X hec s y under er c space is dep end an b s the op h that the constrain exploration rst eled alidit Then en P v will state the next whereas although ample tak s algorithm ula to b e and oid b eled v s h any in a stuttering y dening successiv P in of original disturbs on a transition in form to reduction not searc s t are en b TL s e ample us the ontain that under state c PL and The w in t transition in TL s h sets s allo not selectiv PL arian y initial eac enabled in the in v Lamp ort es in state in the subsequence do to the transition in y on ample sets at is alid b v considered ample the in visibilit only if ts s w these sets can b e computed suc that due is is The idea of the ample sets is to guaran in of p hand not a transition dep enden of with are starting if and at that ators but y enabled constrain hed er considered formula formula that is invariant under stuttering c b notion path without some e discuss ho path Assume op results TL t TL h The not s s of matc stuttering en b the PL prop ert PL is is tly w eac next alen wing haracterization of ample sets is giv tak ely only temp oral op erator in ny ny or state the and ample ample F condition holds be out A under A that s in follo the equiv fullled The c s is artialorder reduction The initial with X P s atomic prop ositions that app ears are ing subsequen Characterization paths in the state space Theorem path When resp ectiv lation t y h if in In be b the the under arian er in only can to v t mo del hniques j o linear space t ec ula Informally s and T is is p erformed arian and if alen M v and ts mo del state form in from een mo dels suc a mo dels h w is ula B one B alence eac bet CTL Reduction whether the s of that o s k replace s equiv w y requiremen runtime s in t bisimulation to and hec king form a be stutteringequiv j and is alidit alences is that hec to c v that to s t states h t ulation B h in states memory an the M alen transition suc er w Lab el of StateSpace suc if alences the bisim alence relation memory e h equiv mo del c few ey w s then is in in R equiv alence eac s s s Relation reduced equiv t partialorder reduction is a sp ecic v S if Surv is are tains and R ersa A vings alen S R equiv AP s v S notion supp ose MM if and only con sa size w M through mo del and s vice equiv Actually and s through a bisimilar j s No that s alence and e ulation are M s space v yielding are ulas then M ha tical then space where prop ositions where equiv e reduction eled state other and Bisim w ula s Lab el Lab el h s P iden mo dels of mo del s s s mo dels state the idea is to nd an equiv is o the suc the B form t s w atomic o state R R S R y hniques t the y idea w in y of all form t of if is smaller than Reduction tec alen an of CTL s s and is set when when Lab el M M alidit basic or M M size all F ulated b equiv M these Holzmann and The the an the v of More precisely reduction sp eaking sim Denition same Let for on case That that for logic at hand t y is is in the with This eect states partic yte case Ro deh explosion constrain reduction The Mb Chapter pro cesses proto col and ts to of ypical e space states t ere needed pro cesses w h the same ample second ber could not b e gener of refer ab out Kla um states e more yte w n of ab out ber partialorder w comp onen closed In of um the for n partialorder reduction leader election Dolev are state space wth of consists the when proto col h ersus consists gro h comp osed in v h depthrst searc cycles tly to alleviate the state this space b er of pro cesses bining the e searc yte space proto col linear that p erformance space of um reduction on n a parallel com Mb state standard searc y y selectiv to signican state the unreduced b state ensure h that in eac en election man the to b estcase tak a hsuc of explanation reduced is illustrated in Figure reduced with partial order unreduced increases be states e leader is of wth the to vides      the instance the or pro cesses gro pro F systems for extensiv Eect r fgnrtdstates generated of nr reduction needs tial proto col dierence same place ks whether there exists an accepting run in this automaton whereb for whereas an partialorder reduction enables care the hec example pro cesses the to or hosen This w example c F yte in at an exp onen ho Some e Mb are three Figure v As This yte ws en particular artialorder reduction or et a new state in the automatony is generated only if no accepting run has b een found P that is it c the nested depthrst searc F sets ab o tak ipating where sho ated whereas for the reduced case states Mb in the reduced case of partial order increased Mb e e e y h a all an w are and that  y using of of mo del alidit b ulation equiv faster y v y hniques j b aige orstcase approac negativ b enecial ec Note w h is dened P T mo dels h M this bisim alidit and if the instead v if j original suc of ulation er but negativ obtained are used tier v these of M the the then be be idea is to obtain bisim tiers is therefore Reduction results then ariables whic then relation that M it that can can mo dels e quan all t transitions the j using example pathquan on en j M j S j R imply space that giv An path tial k mo dels j boolean v M o eresultscarryo transitiv log if w hec not enement direction also holds en t tial c r and ulation the wing state obtained requiremen e of StateSpace j giv existen and w and erse be R kno do es o y mo dels ey the e the if j y smaller than or an appropriate preorder relation w existen t t an rev states F h of O y j artition can whether this Surv p uc king for S result alen the x Mj tain A m j wing reexiv e on hec alidit is c relaxing a v j con mo dels decide equiv in this case p ositiv same original case of is o reduction M y disallo function on tuples of M reduction not all T based us een p ositiv j the y t if mo del w b Th t tial for and is ation be a to the mo del with that x do es M for t mo del but implication in F er alen v logic ulas o Mj or a the that logic Let F arian algorithm signican y of this algorithm is substan preserv v j y the equiv ulation relation a half bisim relation instead in an no form M the then case y that the eak M is t  w more In e M a sim x do not v a a case CTL j e M x restrict cise ulation alence relation b et alen ha ulas is arbitrary do es not satisfy Notice In F tak all to preorder M arjan y alidation carry to if result v of M also results Exercises Exer b this for a usually is equiv form lence T restricting time complexit equiv bisim e e e of be ar M M path since there Sinc of ulated in can if dels End p ositiv s fair s M mo e denition h v to and M e eac ulation state g can b e sim These e bisimilar s g M p q that bisim q resp ect f y the ab o f negativ initial M of g r ws b with M M f and and both g denoted g M mo dels requiring notion M j M al shading ar M q p q g f f It follo y of since s exists p b CTL and f The dels complete M s ersa if is mo M quivalent M e result state s M y a bisimilar fair path starting st dels only bisimilar relation of o Chapter are bisimilar if they are lab elled with the same ation mo state and s Tw initial and vice v if cf king that have an identic s y CTL ulated b alence fol lowing two and bisimulation an preserv g hec s c j r and alences the be f for equiv bisimilar g s a mo dels B to g an Figure strong p q q M equiv M mo del g can b e sim f f a is p B CTL said f M er M Consider ords states v s articular states fact formula ulation o fair s in p are s in s ulation to state is CTL bisim M carry a M M that bisim ach any and e Stated in w This h or y transitions emanating from extended that b atomic prop ositions and if all p ossible outgoing transitions of exists suc Reduction through M F example Theorem results for bisimilar in Example starting at the and nite hnical hnique hniques ec T for ec during tec ctions T manipulation ee to ols visited analysis y of Denmark not y encyR Reduction SIAM function is er Academic Publishers ersit J w s erication habilit V Klu Concurr state reac b o olean of us for hnical Univ cking Long ade of StateSpace ec th c g D C ey De proto col b e f del Che g A ed b o olean functions Surv v In algorithms A of erienc s tro duction to binary decision diagrams olic Mo umber impro Computers OBDDs Exp Gr pages theory on An ample Symb An in and exploration references systems O e t using R On a Graphbased assume space actic LNCS s CTL ansactions and ant r ePr bac y Clarke ctives T Andersen I concurren Holzmann w using the conditions on ample sets that Akers e king st Br enabled Selected Sho hec c SB R IEEE HR Rep ort Dept of Computer Science T ac EM state KL McMillan GJ Persp Softwar a b h a b Let searc Mo del c Binary decision diagrams Hashing for state h s are the and alue s F v whic s F s s F ordering ts s ts B with f s indicate i the ample x ample ariables v so b B f s If s using and ariables that represen w that represen v b o olean M ethat not v of enabled n y enabled or y in  t ber g for n g a g x y um ie pro alen p q r q n n f f F f depicted b elo all t tradiction of y the x g equiv g M b a for s q function p x if transitions x f f s y con is b s all tuples this a nite path through g g only t p on s f for p q That s that stuttering s f s and s e structure Hin a e b v if wing part of an original ie nonreduced state space s s I s with ordering s Pro paths with ordering OBDD function c s B B R o s a alences S w s a b ample n t OBDDs indeed represen be the s in s equiv F s OBDD OBDD these x s ethat Let Let v x those Consider the Kripk s Consider the follo Are F s of n Construct pro y t s s b s s s en Argue that b oth R Construct a R Construct a R cise cise cise cise ev s ks that corresp ond ample x dened s is Reduction through Exer is s Exer blo c Let x b Exer Exer indep enden of ex Sys etters World L are hniques and partition ec Computer unfolding th T on of on essing e c terpretation o IFIP in prop erties Pr anguages c L based o Scienc h Reduction Pr In Abstract searc pages temp oral amming t algorithms based gr g Information o t space logic unfoldings Pr arian v essing on of StateSpace net umber c ecien state o ey Gr Pr of op erator temp oral using Computing Surv Three O Stutterin is Design A on terpretation ansactions king hnique r in partial orders and T go o d tec hec nexttime c arjan Wilke Information th A pure System T CM Journal the A in T on ess What R Ger Mo del ds t t SIAM R and and Congr based using abstract alence t without Metho arza e systems McMillan ams king king amming aige D Peled Lampor P gr Esp o hec hec ormal pressible D L Computer F J KL Pr R renemen reactiv tems D artition renemen Stuttering equiv Mo del c P Mo del c d ent r un hing order Com c ations mo del nalysis o A In Pr oncurr Yenig c erication Applic LNCS In partial and of t probabilistic H pages A Journal onthey ory al king Statespace cac ation and oblem hec pr with c t in formal v chnic Systems e IXThe veric T Construction Penczek ottin Peled emen v and the mo del exploration problem the W D TT explosion for A reductions for chniques e pages e logic space ds and ac T Design Design ols o An impro heme for memoryecien T order pages Computing Minea state metho LNCS In Reliable hashing without collision detection of LNCS statesp Peled System System temp oral proto cols M the der y in in Peled A new sc ation partial the D o ory chniques Description e ds ds time D to T The Ler racing eric T Levin reduction V Dill Evaluation pages on ach bining hing D Partialor and ormal t M Mestern PG Harrison and P Kritzinger Metho d Metho o e F D Kuiper V ide Com In appr and branc R oid LNCS oid GJ Holzmann and D Pir osium ormal ormal and parallelism and Description F F y to an pages hing th h ols partial order Symp cac Holzmann Performanc o olper Holzmann T ormal king Peled Kurshan Ger Godefr Stern W references ComputerA F Systems ael erication hec puter Probabilit GJ and W Knottenbel revisited U v P Godefr In P of Static P R systems c D R approac Isr In GJ artialorder reduction Selected Statespace P