
In the document Explicit state space verification (pages 75-79)

Explicit state space verification

4.2 Home properties

Home properties AGEFφ (for a boolean combination φ of propositions), related properties of the form EFAGφ, as well as the less frequently used formulas of the form AGEFAGφ and EFAGEFφ¹ are closely related to terminal strongly connected components (tscc) of finite transition systems (with or without initial states). Throughout this section, we consider only finite state systems.

A strongly connected component C is terminal iff all successors of its elements are contained in C (i.e. no other component is reachable from C).

¹ With the CTL tautologies AGEFAGEFφ ⇐⇒ AGEFφ and EFAGEFAGφ ⇐⇒ EFAGφ for arbitrary φ, we cover all formulas that consist of a boolean combination φ of propositions and an arbitrarily long alternating sequence of AG's and EF's.

Theorem 1 TS |= AGEFφ if and only if all tscc (reachable from an initial state) contain a state satisfying φ. TS |= EFAGφ if and only if there is a tscc (reachable from an initial state) where all elements satisfy φ. TS |= AGEFAGφ if and only if all tscc (reachable from an initial state) and all their elements satisfy φ. TS |= EFAGEFφ if and only if there is a tscc (reachable from an initial state) that contains a state satisfying φ.

The proof is a simple exercise once one is aware that from every reachable state some tscc is reachable, and that inside a tscc all members (and only the members) are mutually reachable.

If we want to investigate strongly connected components, breadth first search or distributed search cannot be used for the verification of home properties. For depth first search, we discuss two issues. First, we show that it is possible to simplify scc detection since it is only terminal sccs we are interested in. Second, we show that satisfaction of φ for one or for all states of a tscc can be verified on-the-fly, i.e. during the same depth first search that has to detect the tscc.

For the detection of tscc, observe that lowlink was defined as the smallest dfs number of a state that is reachable via an arbitrarily long sequence of tree edges, followed by at most one edge of another kind within the same component.

To find out whether or not an edge leads to another component, we need the data structure T in Tarjan's algorithm. Now, for tscc we know that every edge leads to an element of the same component. Define a new value tlowlink as the smallest dfs number of a state that can be reached via an arbitrarily long sequence of tree edges, followed by at most one edge of another kind.

Compared with lowlink, only the additional requirement that the last state falls into the same component is removed in tlowlink. The number tlowlink can be implemented more easily than lowlink since, in the minimum computations of Tarjan's algorithm, we do not need to distinguish between states in T and states outside T (lines 13-15 of Tarjan's algorithm). Then, T is no longer needed at all.

For all members of a tscc, we have lowlink = tlowlink, while lowlink ≥ tlowlink for members of a nonterminal scc (the new definition can at most lead to smaller values). Thus, for all root elements of tscc, we still have tlowlink = dfs, while for root states of nonterminal scc, this equation may or may not hold. For all states that are not the root of an scc, we have dfs > lowlink ≥ tlowlink, which means that equality between tlowlink and dfs can never hold for states that are not the root of an scc. That is, tlowlink = dfs holds for all root states of tscc, some root states of nonterminal scc, and no other state. Hence, the remaining problem is to distinguish root states of terminal scc from root states of nonterminal scc. For this purpose, observe that, from every state, at least one tscc is reachable. Consequently, a root state of a nonterminal scc C always has a smaller dfs number than the root of any tscc reachable from C. Furthermore, depth first search backtracks from the tscc root (and thus detects the tscc) earlier than it backtracks from (and detects) the root of the nonterminal one. Thus, if a state is the root of a nonterminal scc, then its dfs number is smaller than the dfs number of some previously detected tscc. The other way round, the dfs number of a tscc root state is always greater than the dfs number of any previously encountered tscc. The reason is that the root state of a tscc gets a dfs number larger than any previously visited state, and between entering this root state and backtracking from it, depth first search cannot explore any state outside that tscc (by definition of tscc). In particular, it cannot explore any other tscc, let alone assign a larger dfs number to that tscc's root. Thus, regardless of whether we use lowlink or tlowlink, the following criterion distinguishes tscc from nonterminal scc:

Theorem 2 s is the root of a tscc if and only if dfs(s) = tlowlink(s) and dfs(s) is greater than the dfs of the roots of all previously detected tscc.

Proof. By definition of lowlink and tlowlink, we have tlowlink(s) ≤ lowlink(s) for all s. Thus, for all nodes s that are not the root of any scc, we have tlowlink(s) < dfs(s). Furthermore, tlowlink(s) = lowlink(s) holds for all s that are members of a tscc. Thus, every root s of a tscc satisfies dfs(s) = tlowlink(s). Since between entering and completing a tscc, no other scc is entered, the dfs of a root of a tscc is greater than the dfs of all members of previously detected tscc, including their roots.

Let s be the root of a nonterminal scc. We distinguish two cases and show that, in case 1, dfs(s) is smaller than the dfs of a previously detected scc, while, in case 2, tlowlink(s) < dfs(s).

Case 1: There is a path from s to some tscc that contains only tree edges.

This path necessarily contains the root s' of this tscc. As s' is a tree successor of s, dfs(s') > dfs(s). Since the tree edges reflect the execution order of depth first search, the tscc of s' has been detected before s has been completed. Thus, dfs(s) is smaller than the dfs of some previously detected tscc.

Case 2: Every path from s to any tscc contains edges other than tree edges.

Since s is the root of a nonterminal scc, there is at least one path to some vertex of a terminal scc. By the case assumption, this path contains vertices s1 and s2 where [s1, s2] is an edge, s1 can be reached from s using only tree edges, and s2 cannot be reached from s using only tree edges.

Consequently, [s1, s2] itself is not a tree edge. It is not a forward edge either, since a forward edge can be replaced by a sequence of tree edges. Assume [s1, s2] is a back edge. Then, since (by definition of back edges) s2 must be a tree ancestor of s1, but (by choice of s1 and s2) cannot be a tree descendant of s, s2 must be a tree ancestor of s. Thus, there is a cycle starting from s, to s1 (via tree edges), to s2 (via [s1, s2]), and back to s using tree edges. This contradicts the assumption that s is the root of an scc.

Consequently, [s1, s2] is a cross edge. Thus, s2 has been completed before entering s, so we have dfs(s2) < dfs(s). Since s1 can be reached from s via tree edges, the definition of tlowlink guarantees tlowlink(s) ≤ dfs(s2). Thus, tlowlink(s) ≤ dfs(s2) < dfs(s). ♦

This criterion can be implemented by a single global variable that stores the dfs number of the root of the most recently detected tscc.

For the second task, i.e. the check whether a tscc contains states that satisfy φ (or do not satisfy φ), observe that all states of a tscc have dfs numbers greater than or equal to the root's dfs number, and that no state outside a tscc can be encountered between entering and leaving a tscc during depth first search. Consider a global variable that contains the largest dfs number of a state encountered so far that satisfies φ (does not satisfy φ, resp.). Then, at the moment where we detect the tscc (are about to backtrack from its root), this number is greater than or equal to the tscc root's dfs number if and only if a member of the tscc satisfies φ (does not satisfy φ, resp.).

By the above theorem, this test is sufficient to verify home properties and related properties, and does not involve a second traversal of a detected tscc. Furthermore, our new value tlowlink can be implemented by simply removing the condition in line 13 (and 15) from Tarjan's algorithm. With these changes, we do not need to have T as (part of a) data structure.

Fig. 4.2 summarizes the changes. We depict the AGEF version; algorithms for the other mentioned classes of properties look similar.

Home properties exhibit on-the-fly behavior as well. As soon as a terminal strongly connected component is detected where no state satisfies φ, the algorithm terminates immediately and returns false. If the home property holds, it computes the full state space.
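The following Python program is an added illustration of the modified depth first search described above (Theorems 1 and 2, the tlowlink value, the "most recent tscc root" variable and the two φ maxima); it is not code from the thesis, and the transition system it runs on is constructed for this example. The search yields every detected tscc root together with the two flags "some member satisfies φ" and "all members satisfy φ", so the AGEFφ and EFAGφ checks become short-circuiting consumers of that stream, which gives the on-the-fly termination behaviour mentioned in the text. The names tscc_roots, holds_agef, holds_efag and EXAMPLE_TS are assumptions of this example.

```python
from typing import Callable, Dict, Hashable, Iterable, Iterator, List, Tuple

State = Hashable
TsccInfo = Tuple[State, bool, bool]  # (root, contains phi-state, all states satisfy phi)


def tscc_roots(initial_states: Iterable[State],
               successors: Callable[[State], Iterable[State]],
               phi: Callable[[State], bool]) -> Iterator[TsccInfo]:
    """Depth first search with tlowlink in place of lowlink (no stack T).

    Yields, in detection order, every terminal scc reachable from an initial
    state as (root, contains_phi, all_phi). Both flags are derived from the two
    global maxima of the text, so a detected tscc is never traversed a second time.
    """
    dfs: Dict[State, int] = {}       # dfs number of every visited state
    tlowlink: Dict[State, int] = {}
    counter = 0
    last_tscc_root = -1              # dfs number of the most recently detected tscc root
    max_phi = -1                     # largest dfs number of a state satisfying phi
    max_not_phi = -1                 # largest dfs number of a state violating phi

    def visit(s: State) -> Iterator[TsccInfo]:
        nonlocal counter, last_tscc_root, max_phi, max_not_phi
        dfs[s] = tlowlink[s] = counter
        counter += 1
        if phi(s):
            max_phi = max(max_phi, dfs[s])
        else:
            max_not_phi = max(max_not_phi, dfs[s])
        for t in successors(s):
            if t not in dfs:                       # tree edge: explore t first
                yield from visit(t)
                tlowlink[s] = min(tlowlink[s], tlowlink[t])
            else:                                  # back, forward or cross edge
                # Tarjan's lowlink would take dfs[t] only if t is still in T;
                # tlowlink drops that condition (lines 13/15), so T is not needed.
                tlowlink[s] = min(tlowlink[s], dfs[t])
        # About to backtrack from s: criterion of Theorem 2.
        if tlowlink[s] == dfs[s] and dfs[s] > last_tscc_root:
            # Every member of this tscc has dfs >= dfs[s] and nothing outside it
            # was visited in between, so comparing the maxima against dfs[s]
            # answers both questions of Theorem 1 for this component.
            last_tscc_root = dfs[s]
            yield s, max_phi >= dfs[s], max_not_phi < dfs[s]

    for s0 in initial_states:
        if s0 not in dfs:
            yield from visit(s0)


def holds_agef(initial_states: Iterable[State],
               successors: Callable[[State], Iterable[State]],
               phi: Callable[[State], bool]) -> bool:
    """AG EF phi: every reachable tscc contains a phi-state. Returns False at the
    first tscc without one; otherwise the full state space is explored."""
    return all(has_phi for _, has_phi, _ in tscc_roots(initial_states, successors, phi))


def holds_efag(initial_states: Iterable[State],
               successors: Callable[[State], Iterable[State]],
               phi: Callable[[State], bool]) -> bool:
    """EF AG phi: some reachable tscc consists of phi-states only. Returns True at
    the first such tscc."""
    return any(all_phi for _, _, all_phi in tscc_roots(initial_states, successors, phi))


# Constructed example transition system (not from the thesis):
# {a, b} is a nonterminal scc, {c, d} and {e} are terminal sccs.
EXAMPLE_TS: Dict[State, List[State]] = {
    "init": ["a", "e"],
    "a": ["b"],
    "b": ["a", "c"],
    "c": ["d"],
    "d": ["c"],
    "e": ["e"],
}


def example_successors(s: State) -> List[State]:
    return EXAMPLE_TS[s]


if __name__ == "__main__":
    home = lambda s: s in {"d", "e"}
    for root, has_phi, all_phi in tscc_roots(["init"], example_successors, home):
        print(f"tscc root {root}: contains phi-state={has_phi}, all phi={all_phi}")
    print("AG EF (d or e):", holds_agef(["init"], example_successors, home))
    print("AG EF d      :", holds_agef(["init"], example_successors, lambda s: s == "d"))
    print("EF AG (c or d):", holds_efag(["init"], example_successors, lambda s: s in {"c", "d"}))
```

Running the script on EXAMPLE_TS reports the tscc roots c and e; the nonterminal root a has tlowlink = dfs but is correctly rejected because the tscc rooted at c was detected earlier with a larger dfs number (case 1 of the proof). The tlowlink bookkeeping is the only difference from the standard algorithm: on every non-tree edge the minimum is taken unconditionally, which is exactly the removal of the T membership test.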

We would like to mention that there is an alternative method to evaluate home properties. It is based on a result in [Val91b]. There, a reduction technique is proposed that guarantees that the reduced transition system contains at least one member of each tscc of the original transition system.

Other than this, only few properties are preserved. Using this technique, we can, however, find a small set of states that includes at least one state of each tscc of the original transition system. For each of these nodes, we can now perform the simpler reachability verification. This approach has the advantage that the cited reduction technique, as well as reachability preserving reduction techniques, may yield better reduction than a general reduction technique preserving home properties. Furthermore, we get the freedom to parallelize home property verification on a very coarse level (the reachability problems can be solved independently of each other). We have the option to use breadth first search, or even symbolic state space verification, for solving at least the reachability subproblems (as proposed in [Sch96a]).
