
Liveness properties

In the document Explicit state space verification (pages 89-94)

Explicit state space verification

4.5 Liveness properties

In this section, we discuss explicit state space techniques that are particularly dedicated to goal, stabilization, and immortality properties. In contrast to general LTL model checking, these techniques operate on the plain transition system, i.e. we do not build a product with any kind of automaton. Thus, the worst case space requirement for checking a property shrinks from O(r·b), where r is the size of the transition system and b the number of states in the Büchi automaton representing the LTL formula, to just O(r). As the properties considered here are all liveness properties, they share the need to obey fairness requirements in their verification. Our algorithms require a run time of O(r·f), where r is the size of the transition system and f the number of strong fairness requirements involved. Weak fairness requirements can be checked on-the-fly and do not contribute to the asymptotic worst case complexity of our algorithms. The implementation of fairness requirements used here is due to [LP85].

Fairness is related to infinite paths of the system. Removing any finite prefix of a path does not alter validity of any fairness requirement. A fairness requirement depends therefore only on those states that occur infinitely often in a path. The set of states that occur infinitely often in a path is strongly connected. Thus, it is reasonable to rephrase fairness requirements in terms of strongly connected sets of states.

Definition 11 (Fair sets of states) Let S be a strongly connected set of states. S satisfies a weak fairness requirement φ iff it contains a state satisfying φ.

S satisfies a strong fairness requirement [φ, ψ] iff there is no state in S satisfying φ, or there are states in S satisfying ψ.

It is easy to verify that

Proposition 4 (Fair paths correspond to fair sets) A path satisfies a set of fairness requirements if and only if the set of states occurring infinitely often in that path does.

For every strongly connected set of states, there is a path that has exactly this set as the set of states occurring infinitely often.

Observe that we consider strongly connected sets which are not necessarily strongly connected components.

The first claim follows immediately from the definitions, the second one from strong connectedness.

In contrast to infinite paths, strongly connected sets are finite structures, so they are suitable for verification.

Verification of all three classes of properties relies on searching for counterexamples. Thereby, a counterexample is a fair strongly connected set of states.

Theorem 3 (Counterexamples of liveness properties) Let [S, E, A] be a transition system where all states are reachable from initial states, and assume the presence of some weak and/or strong fairness requirements. Let φ be a state predicate. [S, E, A] satisfies

• GFφ iff there is no strongly connected set of states in [S, E, A] that satisfies all fairness requirements and does not contain states satisfying φ;

• FGφ iff there is no strongly connected set of states in [S, E, A] that satisfies all fairness requirements and contains states not satisfying φ;

• Fφ iff there is no strongly connected set of states in [S, E, A]\φ that satisfies all fairness requirements.

Thereby, [S, E, A]\φ is the restriction of [S, E, A] to all states that can be reached from initial states without passing states that satisfy φ.

Proof. If there is a fair path not satisfying GFφ, this path must satisfy FG¬φ. That is, all states occurring infinitely often in this path do not satisfy φ and therefore, there is a fair strongly connected set of states not satisfying φ. The other way round, given a fair strongly connected set of states not satisfying φ, the above proposition states the existence of a fair path where none of the infinitely often occurring states satisfies φ. Thus, this path violates GFφ.

The claim for FGφ can be proven similarly.

For Fφ observe additionally that every fair path violating Fφ corresponds to a fair strongly connected set in [S, E, A]\φ, and every fair strongly connected set in [S, E, A]\φ can be extended to a fair path of states not satisfying φ, i.e. a counterexample for Fφ. ♦

The core of our search for fair strongly connected counterexamples is a procedure that checks, given a set S of states, whether this set contains fair strongly connected subsets. This procedure is based on the following observations.

First, every strongly connected set in S is included in some strongly connected component of S. Thus, we start by computing the strongly connected components of S. This takes O(|S| · |E|) time, where E is the set of edges in the original transition system that connect states in S. For each component, we can check whether the whole component itself satisfies all weak and strong fairness constraints. This is easily done by a single traversal of the component. If all fairness constraints are satisfied for such a component, this component forms a fair strongly connected set. If a weak fairness constraint is violated, all strongly connected subsets violate that constraint as well, so we do not need to investigate any subset of that component. A component violating a strong fairness constraint [φ, ψ] contains states satisfying φ but no states satisfying ψ. Since none of the subsets of the component can contain states satisfying ψ, only subsets not containing states that satisfy φ can satisfy the fairness requirement. Thus, we continue the search for fair strongly connected sets with the set of states obtained by removing all φ-states from the investigated component. All subsets of the newly formed set of states obviously satisfy the requirement [φ, ψ]. Thus, the depth of recursion cannot exceed the number of specified strong fairness requirements.

This basic procedure from [LP85] can be adapted to a verification algorithm for all three classes of liveness properties. For goal properties, we apply the search procedure to all strongly connected components of [S, E, A]\φ.

For immortality properties, we apply it to all sets of states that are formed by removing all φ-states from strongly connected components of [S, E, A]. For stabilization properties, we apply the search for fair strongly connected sets to plain strongly connected components of [S, E, A] but add ¬φ as a weak fairness requirement. This way, only fair strongly connected sets containing states that violate φ are produced.

Due to the similarities between these three procedures, only the core procedure of searching for fair strongly connected subsets of a given (not necessarily connected) set of states is presented in Fig. 4.7.

Figure 4.7: Search for fair strongly connected subsets of S in a transition system [S, E, A]

    const WF: set of state predicates;           /* weak fairness requirements */
    const SF: set of pairs of state predicates;  /* strong fairness requirements */
    var found: bool initial false;

    function ContainsFairSet(S: set of states) : bool
    begin
      for all C : C is strongly connected component of [S, E, A] do
        for all φ ∈ WF do
          if {s | s ∈ C and s |= φ} = ∅ then
            goto next;             /* every subset of C violates φ as well */
          fi
        done
        for all [φ, ψ] ∈ SF do
          if {s | s ∈ C and s |= ψ} = ∅ and {s | s ∈ C and s |= φ} ≠ ∅ then
            /* only φ-free subsets of C can satisfy [φ, ψ] */
            if ContainsFairSet(C \ {s | s |= φ}) then
              return true;
            else
              goto next;
            fi
          fi
        done
        return true;               /* C itself satisfies all fairness requirements */
        next:
      done
      return false;
    end.
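The search of Fig. 4.7 together with the three checks of Theorem 3, as an added example that is not part of the original text. It assumes a constructed transition system (states a, b, c with initial state a), predicates represented as sets of states, strongly connected components computed by mutual reachability rather than a linear-time algorithm, and that trivial components without a cycle are dropped, since only a set lying on a cycle can be the set of states occurring infinitely often in a path.

```python
# Added example, not from the thesis: Fig. 4.7's fair-SCC search plus the three
# checks of Theorem 3 on a constructed system. Predicates are sets of states;
# SCCs use mutual reachability (O(|S|^2)) and trivial SCCs (no cycle) are dropped.
def reach(start, nodes, edges):
    """States in `nodes` reachable from `start` via one or more edges."""
    seen, todo = set(), [start]
    while todo:
        for w in edges.get(todo.pop(), ()):
            if w in nodes and w not in seen:
                seen.add(w); todo.append(w)
    return seen

def sccs(nodes, edges):
    comps, rest = [], set(nodes)
    while rest:
        v = rest.pop()
        fwd = reach(v, nodes, edges)
        comp = {w for w in fwd if w == v or v in reach(w, nodes, edges)}
        rest -= comp
        if v in fwd:                 # v lies on a cycle: non-trivial SCC
            comps.append(comp)
    return comps

def contains_fair_set(S, edges, WF, SF):
    """Fig. 4.7: does S contain a strongly connected subset satisfying all
    weak requirements in WF and all strong requirements (phi, psi) in SF?"""
    for C in sccs(S, edges):
        if any(not (C & phi) for phi in WF):
            continue                 # every subset of C violates it as well
        for phi, psi in SF:
            if C & phi and not (C & psi):
                # only phi-free subsets can satisfy [phi, psi]: recurse on them
                if contains_fair_set(C - phi, edges, WF, SF):
                    return True
                break                # 'goto next' in the figure
        else:
            return True              # C itself is a fair strongly connected set
    return False

def holds_GF(S, edges, phi, WF, SF):       # immortality: drop the phi-states
    return not contains_fair_set(S - phi, edges, WF, SF)
def holds_FG(S, edges, phi, WF, SF):       # stabilization: not-phi as weak req.
    return not contains_fair_set(S, edges, WF + [S - phi], SF)
def holds_F(S, edges, init, phi, WF, SF):  # goal: search [S, E, A] \ phi
    sub = {s for s in init if s not in phi}
    sub |= {w for s in sub for w in reach(s, S - phi, edges)}
    return not contains_fair_set(sub, edges, WF, SF)

# Constructed system: a->a, a->b, b->a, b->c, c->a; initial state a, goal state c.
S, E = {"a", "b", "c"}, {"a": {"a", "b"}, "b": {"a", "c"}, "c": {"a"}}
WEAK, STRONG = [{"b"}], [({"b"}, {"c"})]   # b inf. often; b inf. often -> c inf. often
```

Without any fairness requirement the self-loop on a is a fair counterexample to GF c and F c; the weak requirement alone still leaves the cycle a, b fair, and only together with the strong requirement do both properties hold.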

Part III
