\documentclass[a4paper, pagesize, DIV=calc, smallheadings]{article}  

\usepackage{graphicx}

%\usepackage[latin1]{inputenc}

\usepackage{amsmath, amsthm, amssymb, amsfonts, verbatim}

\usepackage{typearea}

\usepackage{algorithm}

\usepackage{algorithmic}

\usepackage{multicol}

%\usepackage{fullpage}

%\usepackage{a4wide}

\usepackage[left=3.9cm, right=3.9cm]{geometry}

%\usepackage[T1]{fontenc}

%\usepackage{arev}

%\pagestyle{headings}

\renewcommand{\familydefault}{\sfdefault}

\renewenvironment{proof}{{\bfseries Proof.}}{}

\newcommand{\M}{\mathcal{M}}

\newcommand{\N}{\mathbb{N}_0}

\newcommand{\F}{\mathcal{F}}

\newcommand{\Prop}{\mathcal{P}}

\newcommand{\A}{\mathcal{A}}

\newcommand{\X}{\mathcal{X}}

\newcommand{\U}{\mathcal{U}}

\newcommand{\V}{\mathcal{V}}

\newcommand{\dnf}{\mathsf{dnf}}

\title{\uppercase{\textbf{\Large{A}\large{lgorithmic} \Large{V}\large{erification of} \Large{R}\large{eactive} \Large{S}\large{ystems}}\\

\tiny{Draft}

}}

\author{

\uppercase{{\small{E}\scriptsize{UGEN} \small{S}\scriptsize{AWIN}}\thanks{\lowercase{\scriptsize{\texttt{sawine@informatik.uni-freiburg.de}}}}\\

{\em \small{U}\scriptsize{NIVERSITY OF} \small{F}\scriptsize{REIBURG}}\thanks{\tiny{Computer Science Department, Research Group for Foundations of Artificial Intelligence}}\\

%{\em \small{C}\scriptsize{omputer} \small{S}\scriptsize{cience} \small{D}\scriptsize{epartment}}\\

{\em \small{G}\scriptsize{ERMANY}}}\\

%\texttt{\footnotesize{sawine@informatik.uni-freiburg.de}}

}

\date{\textsc{\hfill}}

\theoremstyle{definition} %plain, definition, remark, proof, corollary

\newtheorem*{def:finite words}{Finite words}

\newtheorem*{def:infinite words}{Infinite words}

\newtheorem*{def:regular languages}{Regular languages}

\newtheorem*{def:regular languages closure}{Regular closure}

\newtheorem*{def:omega regular languages}{$\omega$-regular languages}

\newtheorem*{def:omega regular languages closure}{$\omega$-regular closure}

\newtheorem*{def:buechi automata}{Automata}

\newtheorem*{def:automata runs}{Runs}

\newtheorem*{def:automata acceptance}{Acceptance}

\newtheorem*{def:general automata}{Generalised automata}

\newtheorem*{def:general acceptance}{Acceptance}

\newtheorem*{def:vocabulary}{Vocabulary}

\newtheorem*{def:frames}{Frames}

\newtheorem*{def:models}{Models}

\newtheorem*{def:satisfiability}{Satisfiability}

\newtheorem*{def:fs closure}{Closure}

\newtheorem*{def:atoms}{Atoms}

\newtheorem*{def:rep function}{Representation function}

\newtheorem*{def:next}{Next function}

\newtheorem*{def:dnf}{Dijunctive normal form}

\newtheorem*{def:positive formulae}{Positive formulae}

\theoremstyle{plain}

\newtheorem{prop:vocabulary sat}{Proposition}[section]

\newtheorem{prop:general equiv}{Proposition}[section]

\newtheorem{prop:computation set=language}{Proposition}[section]

\theoremstyle{plain}

\newtheorem{thm:model language}{Theorem}[section]

\newtheorem{cor:mod=model language}{Corollary}[thm:model language]

\newtheorem{cor:mod=program language}[cor:mod=model language]{Corollary}

\newtheorem{thm:model checking}{Theorem}[section]

\newtheorem{lem:dnf}{Lemma}[section]

\begin{document}

\maketitle

\thispagestyle{empty}

%\itshape

%\renewcommand\abstractname{Abstract} 

\begin{abstract}

The algorithmic verification of reactive systems is based on automata-theoretic model checking. Linear temporal logic accommodates the capability for the characterisation of program specifications. For formulae composed in linear temporal logic, it is possible to construct B\"uchi automata constituting the model space of the specification. The verification of reactive systems is composed of such constructions and intersections of the program and specification automata. This paper provides an introduction to the construction techniques of automata and space-efficient on-the-fly verification methods for reactive systems. 

\end{abstract}

%\normalfont

\newpage

\section{Introduction}

\section{$\omega$-regular languages}

\begin{def:finite words}

Let $\Sigma$ be a non-empty set of symbols, called the alphabet. $\Sigma^*$ is the set of all \emph{finite} words over $\Sigma$. A \emph{finite} word $w \in \Sigma^*$ is a \emph{finite} sequence $(v_0,...,v_{n-1})$ of symbols from alphabet $\Sigma$ with length $n = |w|$. $\varepsilon$ denotes the empty word with length $|\varepsilon| = 0$.

\end{def:finite words}

\begin{def:regular languages}

The class of regular languages is defined recursively over an alphabet $\Sigma$:

\begin{multicols}{2}

\begin{itemize}

\item $\emptyset$ is regular

\item $\{\varepsilon\}$ is regular

\item $\forall_{a \in \Sigma}:\{a\}$ is regular

\end{itemize}

\end{multicols}

\end{def:regular languages}

\begin{def:regular languages closure}

Let $L_{R_1}, L_{R_2} \in \Sigma^*$ be regular. The class of regular languages is closed under following operations:

\begin{multicols}{2}

\begin{itemize}

\item $L_{R_1}^*$

\item $L_{R_1} \circ L_{R_2}$

\item $L_{R_1} \cup L_{R_2}$

\item $L_{R_1} \cap L_{R_2}$

\item $\overline{L}_{R_1}$ and therefore $L_{R_1} - L_{R_2}$

\end{itemize}

\end{multicols}

\end{def:regular languages closure}

\begin{def:infinite words}

$\Sigma^\omega$ is the set of all \emph{infinite} words over $\Sigma$. An \emph{infinite} word $w \in \Sigma^\omega$ is an \emph{infinite} sequence $(v_0,...,v_\infty)$ with length $\infty$. To address the elements of the infinite sequence $w$, we view the word as a function $w : \N \to \Sigma$ with $w(i) = v_i$; thus $w(i)$ denotes the symbol at sequence position $i$ of word $w$; another notation used for $w(i)$ is $w_i$.

\end{def:infinite words}

\begin{def:omega regular languages}

Set $L$ is an $\omega$-language over alphabet $\Sigma$ iff $L \subseteq \Sigma^\omega$. Let $L_R \subseteq \Sigma^*$ be a non-empty regular finite language and $\varepsilon \notin L_R$. A set $L$ is $\omega$-regular iff $L$ is an $\omega$-language and $L = L_R^\omega$.

\end{def:omega regular languages}

\begin{def:omega regular languages closure}

Let $L_{\omega_1}, L_{\omega_2} \subseteq \Sigma^\omega$ be $\omega$-regular languages. The class of $\omega$-regular languages is closed under following operations:

\begin{itemize}

\item $L_R \circ L_{\omega_1}$, but \emph{not} $L_{\omega_1} \circ L_R$

\item $L_{\omega_1} \cup L_{\omega_2}$, but only \emph{finitely} many times

\end{itemize}

\end{def:omega regular languages closure}

\section{B\"uchi automata}

\begin{def:buechi automata}

A non-deterministic B\"uchi automaton is a tuple $\A = (\Sigma, S, S_0, \Delta, F)$, where $\Sigma$ is a finite non-empty \emph{alphabet}, $S$ is a finite non-empty set of \emph{states}, $S_0 \subseteq S$ is the set of \emph{initial states}, $F \subseteq S$ is the set of \emph{accepting states} and $\Delta: S \times \Sigma \times S$ is a \emph{transition relation}. When suitable we will use the arrow notation for the transitions, where $s \xrightarrow{a} s'$ iff $(s, a, s') \in \Delta$.

A \emph{deterministic B\"uchi automaton} is a specialisation, where the \emph{transition relation} $\Delta$ is a \emph{transition function} $\delta: S \times \Sigma \to S$ and the set $S_0$ of \emph{initial states} contains only a single state $s_0$.

Within this text \emph{automaton} will refer to the non-deterministic B\"uchi automaton, unless otherwise noted. 

\end{def:buechi automata}

\begin{def:automata runs}

Let $\A = (\Sigma, S, S_0, \Delta, F)$ be an automaton, a run $\rho$ of $\A$ on an infinite word $w = (a_0,a_1,...)$ over alphabet $\Sigma$ is a sequence $\rho = (s_0,s_1,...)$, where $s_0 \in S_0$ and $(s_i, a_i, s_{i+1}) \in \Delta$, for all $i \geq 0$. Again we may view the run sequence as a function $\rho : \N \to S$, where $\rho(i) = s_i$ denotes the state at the $i^{th}$ sequence position.

\end{def:automata runs}

\begin{def:automata acceptance}

Let $\A = (\Sigma, S, S_0, \Delta, F)$ be an automaton and let $\rho$ be a run of $\A$, we define $inf(\rho) = \{s \in S \mid \exists^\omega{n \in \N}: \rho(n) = s\}$, where $\exists^\omega$ denotes the existential quantifier for infinitely many occurances, i.e., $s$ occurs infinitely often in $\rho$.

The run $\rho$ is \emph{accepting} iff $inf(\rho) \cap F \neq \emptyset$, i.e., there exists an \emph{accepting state} which occurs infinitely often in the run $\rho$. The automaton $\A$ \emph{accepts} an input word $w$, iff there exists a run $\rho$ of $\A$ on $w$, such that $\rho$ is \emph{accepting}. 

The language $L_\omega(\A)$ recognised by automaton $\A$ is the set of all infinite words accepted by $\A$. A language $L$ is \emph{B\"uchi-recognisable} iff there is an automaton $\A$ with $L = L_\omega(\A)$.

\end{def:automata acceptance}

\subsection{Generalised B\"uchi automata}

\begin{def:general automata}

A \emph{generalised B\"uchi automaton} is a tuple $\A = (\Sigma, S, S_0, \Delta, \{F_i\}_{i < k})$ for $i, k \in \N$, where the \emph{acceppting states} $F_i$ are composed within a finite set with $F_i \subseteq S$.

\end{def:general automata}

\begin{def:general acceptance}

The acceptance condition is adjusted accordingly. A run $\rho$ of $\A$ is \emph{accepting} iff $\forall{i < k}: inf(\rho) \cap F_i \neq \emptyset$. 

\end{def:general acceptance}

\begin{prop:general equiv}

Let $\A = (\Sigma, S, S_0, \Delta, \{F_i\}_{i < k})$ be a \emph{generalised automaton} and let $\A_i = (\Sigma, S, S_0, \Delta, F_i)$ be \emph{non-deterministic automata}, then following equivalance condition holds:

\[L_\omega(\A) = \bigcap_{i < k} L_\omega(\A_i)\]

\end{prop:general equiv}

\noindent Intuitively follows the equivalance of the language recognition abilities of general and non-deterministic B\"uchi automata.

\section{Linear temporal logic}

\subsection{Syntax}

Let $\Prop$ be the countable set of \emph{atomic propositions}. The \emph{alphabet} of the language $L_{LTL}(\Prop)$ is $\Prop \cup \{\neg, \lor, \X, \U\}$. We define the $L_{LTL}(\Prop)$-\emph{formulae} $\varphi$ using following productions:

\[\varphi ::= p \in \Prop \,|\, \neg \varphi \,|\, \varphi \lor \varphi \,|\, \X \varphi \,|\, \varphi \U \varphi\]

\subsection{Interpretation}

The intuition should go as follows: $\neg$ and $\lor$ correspond to the Boolean \emph{negation} and \emph{disjunction}, the unary temporal operator $\X$ reads as \emph{next} and the binary temporal operator $\U$ reads as \emph{until}.

LTL is interpreted over \emph{computation paths}, where a computation corrensponds to a model over a \emph{Kripke-frame} constructed by the order of natural numbers.

\subsection{Semantics}

\begin{def:frames}

An LTL-\emph{frame} is a tuple $\F = (S, R)$, where $S = \{s_i \mid i \in \N\}$ is the set of states and $R = \{(s_i, s_{i+1}) \mid i \in \N\}$ the set of accessibility relations. Hence $S$ is an isomorphism of $\N$ and $R$ an isomorphism of the strict linear order $(\N, <)$, which corresponds to the linear progression of discrete time. 

\end{def:frames}

\begin{def:models}

An LTL-\emph{model} is a tuple $\M = (\F, V)$, where $\F$ is a \emph{frame} and $V: S \to 2^\Prop$ a \emph{valuation function}. Intuitively we say $p \in \Prop$ is \emph{true} at time instant $i$ iff $p \in V(i)$. 

%A \emph{model} is a function $\M: \N \to 2^\Prop$ over \emph{frame} $\F$. The frame constitutes a linear order over $\N$, which corresponds to the linear progression of time from the \emph{present/past} into the \emph{future}. Therefore $\M(i)$ assigns a set of \emph{positive atomic propositions} to each state of time instant $i$. Intuitively we say $p \in \Prop$ is \emph{true} at time instant $i$ iff $p \in \M(i)$.

\end{def:models}

\begin{def:satisfiability}

A model $\M = (\F, V)$ \emph{satisfies} a formula $\varphi$ at time instant $i$ is denoted by $\M,i \models \varphi$. Satisfiability of a formula $\varphi$ is defined inductively over the structure of $\varphi$:

\begin{itemize}

\item $\M,i \models p$ for $p \in \Prop \iff p \in V(i)$

\item $\M,i \models \neg \varphi \iff$ not $\M,i \models \varphi$

\item $\M,i \models \varphi \lor \psi \iff \M,i \models \varphi$ or $\M,i \models \psi$

\item $\M,i \models \X \varphi \iff \M,i+1 \models \varphi$

\item $\M,i \models \varphi \U \psi \iff \exists{k \geq i}: \M,k \models \psi$ and $\forall{i \leq j < k}: \M,j \models\varphi$

\end{itemize}

\end{def:satisfiability}

\begin{def:vocabulary}

Let $\varphi$ be an LTL-formula over atomic propositions $\Prop$, we define the \emph{vocabulary} $Voc(\varphi)$ of $\varphi$ inductively:

\begin{multicols}{2}

\begin{itemize}

\item $Voc(p) = \{p\}$ for $p \in \Prop$

\item $Voc(\neg \varphi) = Voc(\varphi)$

\item $Voc(\varphi \lor \psi) = Voc(\varphi) \cup Voc(\psi)$

\item $Voc(\X \varphi) = Voc(\varphi)$

\item $Voc(\varphi \U \psi) = Voc(\varphi) \cup Voc(\psi)$

\end{itemize}

\end{multicols}

%

\noindent Let $\M = (\F, V)$ be a model and $\varphi$ an LTL-formula, we define model $\M_{Voc(\varphi)} = (\F, V_{Voc(\varphi)})$ with:

\[\forall{i \in \N}: V_{Voc(\varphi)}(i) = V(i) \cap Voc(\varphi)\]

Henceforth, we will abbreviate $\M_{Voc(\varphi)}$ and $V_{Voc(\varphi)}$ with $\M_\varphi$ and $V_\varphi$ accordingly. 

%\noindent Let $\M$ be a model and $\varphi$ an LTL-formula, we define model $\M_{Voc(\varphi)}$:

%\[\forall{i \in \N}: \M_{Voc(\varphi)} = \M(i) \cap Voc(\varphi)\]

\end{def:vocabulary}

%

\begin{prop:vocabulary sat}

Let $\M$ be a model and $\varphi$ an LTL-formula, then following holds:

\[\forall{i \in \N}: \M,i \models \varphi \iff \M_\varphi,i \models \varphi\] 

\end{prop:vocabulary sat}

%

\subsection{Derived connectives}

For a more convenient description of system specifications, we present some derived symbols to be used in LTL-formulae. At first, we introduce the notion of \emph{truth} and \emph{falsity} using constants $\top$ and $\bot$. Then we expand our set of connectives with the Boolean \emph{and}, \emph{implication} and \emph{equivalence}. And at last we derive the commonly used modal operators \emph{eventually} and \emph{henceforth}. 

Let $\varphi$ and $\psi$ be $L_{LTL}(\Prop)$-formulae:

\begin{multicols}{2}

\begin{itemize}

\item $\top \equiv p \lor \neg p$ for $p \in \Prop$

\item $\bot \equiv \neg \top$

\item $\varphi \land \psi \equiv \neg (\neg \varphi \lor \neg \psi)$

\item $\varphi \rightarrow \psi \equiv \neg \varphi \lor \psi$

\item $\varphi \leftrightarrow \psi \equiv (\varphi \rightarrow \psi) \land (\psi \rightarrow \varphi)$

\item $\Diamond \varphi \equiv \top \U \varphi$

\item $\Box \varphi \equiv \neg \Diamond \neg \varphi$

\end{itemize}

\end{multicols}

\noindent From the derivations for operators $\Diamond$, \emph{read diamond}, and $\Box$, \emph{read box}, it follows:

\begin{multicols}{2}

\begin{itemize}

\item $\M,i \models \Diamond \varphi \iff \exists{k \geq i}: \M,k \models \varphi$

\item $\M,i \models \Box \varphi \iff \forall{k \geq i}: \M,k \models \varphi$

\end{itemize}

\end{multicols}

\noindent With the additional derived connectives we get the following $L_{LTL}(\Prop)$-formulae productions:

\[\varphi ::= p \in \Prop \,|\, \neg \varphi \,|\, \varphi \lor \varphi \,|\, \varphi \land \varphi \,|\, \X \varphi \,|\, \varphi \U \varphi \,|\, \varphi \rightarrow \varphi \,|\, \varphi \leftrightarrow \varphi \,|\, \Diamond \varphi \,|\, \Box \varphi\]

\section{Automata construction}

Before applying the automata-theoretic verification methods, we need to construct the automaton for a given specification formula $\varphi$ and for the program $P$ in test.

\subsection{Specification automata}

For the construction of an automaton $\A_\varphi$ for an LTL-formula $\varphi$, we treat the model $\M = (\F, V)$ for an LTL-formula $\varphi$ as an infinite word over the finite alphabet $2^{Voc(\varphi)}$. 

\begin{def:rep function}

We define the \emph{representation function} $rep: \M \to 2^\Prop$, which returns an infinite word representing the model $\M_\varphi = (\F, V_\varphi)$ over the ordered image $V_\varphi^\rightarrow(\N)$ of its validation function, i.e., $rep(\M_\varphi) = (V_\varphi(0), V_\varphi(1), ...)$. Additionaly, we provide the \emph{inverted representation function} $rep^{-1}: 2^\Prop \to \M$, which compiles an infinite word to the corresponding model, i.e., $rep^{-1}(V_\varphi^\rightarrow(\N)) = \M_\varphi$.

\[Mod(\varphi) = \{rep(\M_\varphi) \mid \M_\varphi = (\F, V_\varphi) \land \M_\varphi,0 \models \varphi\}\]

$Mod(\varphi)$ is the set of all infinite words, which represent models for $\varphi$.

\end{def:rep function}

\begin{def:fs closure}

Let $\varphi$ be an LTL-formula, then the \emph{Fischer-Ladner closure} $CL(\varphi)$ of $\varphi$ is the smallest set of formulae such that following holds:

%\begin{multicols}{2}

\begin{itemize}

\item $\varphi \in CL(\varphi)$

\item $\neg \psi \in CL(\varphi) \implies \psi \in CL(\varphi)$

\item $\psi \in CL(\varphi) \implies \neg \psi \in CL(\varphi)$

\item $\psi \lor \chi \in CL(\varphi) \implies \psi, \chi \in CL(\varphi)$

\item $\X \psi \in CL(\varphi) \implies \psi \in CL(\varphi)$

\item $\psi \U \chi \in CL(\varphi) \implies \psi, \chi, \X(\psi \U \chi) \in CL(\varphi)$

\end{itemize}

%\end{multicols}

\end{def:fs closure}

\noindent Let $CL(\varphi)$ be the closure of formula $\varphi$, we define a subset with the \emph{until}-formulae of the closure $\mathbb{U}_\varphi \subseteq CL(\varphi)$ where:

\[\mathbb{U}_\varphi = \{\psi \U \chi \in CL(\varphi)\} \text{ and } \mathbb{U}_{\varphi_i} \text{ denotes the $i^{th}$ element of } \mathbb{U_\varphi}\]

\begin{def:atoms}

Let $\varphi$ be a formula and $CL(\varphi)$ its closure. $A \subseteq CL(\varphi)$ is an \emph{atom} if following holds:

\begin{itemize}

\item $\forall{\psi \in CL(\varphi)}: \psi \in A \iff \neg \psi \notin A$

\item $\forall{\psi \lor \chi \in CL(\varphi)}: \psi \lor \chi \in A \iff \psi \in A$ or $\chi \in A$ 

\item $\forall{\psi \U \chi \in CL(\varphi)}: \psi \U \chi \in A \iff \chi \in A$ or $\psi, \X(\psi \U \chi) \in A$ 

\end{itemize}

We define the set of all atoms of formula $\varphi$ with $\mathbb{AT}_\varphi = \{A \subseteq CL({\varphi}) \mid A \text{ is an atom}\}$.

\end{def:atoms}

\noindent Now that we have the required ingredients, we begin with the construction of automaton $\A_\varphi$ for formula $\varphi$. Let $\A_\varphi = (\Sigma, S, S_0, \Delta, \{F_i\}_{i < k})$ with:

\begin{itemize}

\item $\Sigma = 2^{Voc(\varphi)}$

\item $S = \mathbb{AT_\varphi}$

\item $S_0 = \{A \in \mathbb{AT_\varphi} \mid \varphi \in A\}$

%\item $(A, P, B) \in \Delta$ for $A, B \in \mathbb{AT_\varphi}$ and $P = A \cap Voc(\varphi) \iff (\X \psi \in A \iff \psi \in B)$

\item $\Delta = \{(A, P, B) \mid A, B \in \mathbb{AT_\varphi}, P = A \cap Voc(\varphi), \X \psi \in A \iff \psi \in B\}$

%\item $\forall{i \in \N, i < k = |\mathbb{U}_{CL(\varphi)}|}: F_i = \{A \in \mathbb{AT}_\varphi \mid \psi \U \chi \notin A$ or $\chi \in A\}$

\item $F_i = \{A \in \mathbb{AT}_\varphi \mid \psi \U \chi = \mathbb{U}_{\varphi_i}, \psi \U \chi \notin A$ or $\chi \in A\}$ and therefore $k = |\mathbb{U}_{\varphi}|$

%Let $A, B \in \mathbb{AT}$ and $P \subseteq Voc(\varphi)$. Then $(A, P, B) \in \Delta$ iff the following holds:

%$P = A \cap Voc(\varphi)$ and For all $\X \psi \in CL(\varphi): \X \psi \in A$ iff $\psi \in B$.

\end{itemize}

\begin{thm:model language}

\label{thm:model language}

Let $\M_\varphi = (\F, V_\varphi)$ be a model and $rep(\M_\varphi)$ its infinite representation word, then following holds:

\[rep(\M_\varphi) \in L_\omega(\A_\varphi) \iff \M_\varphi,0 \models \varphi\]

\end{thm:model language}

\noindent

\begin{proof}

For the eloberate proof, consult \cite{ref:ltl&büchi}.

\end{proof}

\begin{cor:mod=model language}

\label{cor:mod=model language}

From Theorem \ref{thm:model language} follows $Mod(\varphi) = L_\omega(\A_\varphi)$.

\end{cor:mod=model language}

\subsection{Program automata}

In the next step, we model a given program $P$ as automaton $\A_P$. A program is a structure $P = (S_P, s_0, R, V)$, where $S$ is the set of possible states of the program, $s_0$ the initial state, $R : S \times \Prop \times S$ the transition relation and $V : S \to 2^\Prop$ a valuation function. A \emph{computation} of $P$ is a run $\rho = (V(s_0), V(s_1), ...)$. 

We construct automaton $\A_P = (\Sigma, S, S_0, \Delta, F)$, with:

\begin{itemize}

\begin{multicols}{2}

\item $\Sigma = 2^\Prop$

\item $S = S_P$

\item $S_0 = \{s_0\}$

\item $F = S$

\end{multicols}

\item $\Delta = \{(s, V(s), s') \mid \exists{a \in \Prop}: (s, a, s') \in R\}$

\end{itemize}

In practical verification of programs, the specification covers only the properties of a system, which are vital to the program's correctness, where our program description contains all details of all possible execution paths. Let $\varphi$ be the specification formula, we can reduce the state exploration to the vocabulary of $\varphi$ by the reduction of the transition relation to $\Delta = \{(s, A, s') \mid \exists{a \in \Prop}: (s, a, s') \in R \land A = V(s) \cap Voc(\varphi)\}$.

\begin{prop:computation set=language}

\label{prop:computation set=language}

Let $\A_P = (\Sigma, S, S_0, \Delta, F)$, for $F = S$ it follows that each run of $\A_P$ is accepting, therefore is $L_\omega(\A_P)$ the set of all computations of $P$.

\[L_\omega(\A_P) = \{\rho \mid \rho \text{ is a run of } \A_P\}\]

\end{prop:computation set=language}

 We can view each run of $\A_P$, i.e., each computation of $P$, as a representation of model $\M_\rho = (\F, V)$, where $\F$ is a frame and $V$ the program's valuation function. In analogy to the specification, we define:

\[Mod(P) = \{\rho \mid \rho \text{ is a computation of } P\}\]

\begin{cor:mod=program language}

\label{cor:mod=program language}

From Theorem \ref{thm:model language} and Proposition \ref{prop:computation set=language} follows $Mod(P) = L_\omega(\A_P)$.

\end{cor:mod=program language}

\section{Model checking}

For effective automata-theoretic verification of reactive programs, we have modelled the program as a non-deterministic B\"uchi automaton $\A_P$ and the specification formula $\varphi$ as automaton $\A_\varphi$. 

Given a program $P$ and specification $\varphi$, the verification problem is the following: \emph{does every run of $P$ satisfy $\varphi$?} To show this we use the previously introduced automata constructions and reduce the problem to $L_\omega(\A_P) \subseteq L_\omega(\A_\varphi)$, i.e., all runs accepted by $\A_P$ are also accepted by $\A_\varphi$. By this problem definition, we clearly have to explore the whole state space of $\A_\varphi$ for each run of $\A_P$. This prevents efficient on-demand constructions. Therefore we rephrase the problem with the contrapositive definition $L_\omega(\A_P) \cap \overline{L_\omega(\A_\varphi)} = \emptyset$, where $\overline{L_\omega(\A_\varphi)} = \Sigma^\omega - L_\omega(\A_\varphi) = L_\omega(\A_{\neg \varphi})$ \cite{ref:alternating verification}.

In conclusion, the essence of model checking lies within the test for emptyness of the intersection between the recognised language of the program automaton and the recognised language of the automaton for its negated specification:

\[L_\omega(\A_P) \cap L_\omega(\A_{\neg \varphi}) = \emptyset\]

\begin{thm:model checking}

\label{thm:model checking}

Let $P$ be a finite-state program and $\A_P$ its automaton, let $\varphi$ be an LTL-formula and $\A_\varphi$ its automaton. P satisfies $\varphi$ iff $L_\omega(\A_P) \cap L_\omega(\A_{\neg \varphi}) = \emptyset$.

\end{thm:model checking}

From Corollary \ref{cor:mod=model language} and \ref{cor:mod=program language} follows:

\[L_\omega(\A_P) \cap L_\omega(\A_{\neg \varphi}) = \emptyset \iff Mod(P) \cap Mod(\neg \varphi) = \emptyset\]

\subsection{Complexity}

Let the size $|P|$ of a program $P = (S, s_0, R, V)$ be proportional to the sum of its structural components, i.e., $|P| = |S| + |R|$. The size $|\varphi|$ is the length of the formula string. The asymptotical complexity of the presented automata-theoretic verification method is in time $O(|P| \cdot 2^{O(|\varphi|)})$ \cite{ref:concurrent checking}. 

The size of $\varphi$ is usually short \cite{ref:concurrent checking}, so the exponential growth by it is reasonable. Generally, the number of states is at least exponential in the size of its description by means of a programming language. This concludes, that despite that the upper bound is polynomial in the size of the program, in practice, we are facing exponential growth in complexity \cite{ref:handbook}.

\section{On-the-fly methods}

The automata-theoretic approach on verification in Theorem \ref{thm:model checking} requires a fully constructed automaton for the specification, when applying the graph-theoretic emptyness test. 

A more space-efficient strategy is the on-the-fly construction of the automaton during a depth-first search, short DFS. The DFS explores the product states of both automata incrementally, testing for cycles in each iteration. If the program does not satisfy a formula, an accepting cycle will occur and lead to termination of the search. In the case of a valid program, i.e., the program does meet the specification, no cycles will occur. In the latter case, such a strategy would inevitably explore the whole state space of the automata.

\begin{def:positive formulae}

Let $\Prop$ be a set of atomic propositions, let $\overline{\Prop} = \{\neg p \mid p \in \Prop\}$ and let us extend the LTL-syntax with the binary operator $\V$ with $\varphi \V \psi \equiv \neg(\neg \varphi \U \psi)$. We define the set of LTL-formulae in \emph{positive form}:

\[\Phi^+ = \Prop \cup \overline{\Prop} \cup \{\top, \bot\} \cup \{\varphi \lor \psi, \varphi \land \psi, \X\varphi, \varphi \U \psi, \varphi \V \psi \mid \varphi, \psi \in \Phi^+\} \]

\end{def:positive formulae}

\begin{def:next}

Let $\Phi$ be a set of LTL-formulae, we define:

\[next(\Phi) = \{ \X\varphi \mid \X\varphi \in \Phi\} \text{ and } snext(\Phi) = \{ \varphi \mid \X\varphi \in \Phi\}\]

\end{def:next}

\begin{def:dnf}

Let $\Phi^+$ be the set of LTL-formulae in positive form and let $Q = \Prop \cup \overline{\Prop} \cup next(\Phi^+)$, we define function $\dnf: \Phi^+ \to Q$ inductively:

\begin{align*}

&\dnf(\top) &=  &\, \{\emptyset\}\\

&\dnf(\bot) &= &\, \emptyset\\

&\dnf(x) &=  &\, \{\{x\}\}, \text{ for } x = p, \neg p, \X\varphi\\

&\dnf(\varphi \lor \psi) &=  &\, \dnf(\varphi) \cup \dnf(\psi)\\

&\dnf(\varphi \land \psi) &=  &\, \{C \cup D \mid C \in \dnf(\varphi), D \in \dnf(\psi), C \cup D \text{ is consistent}\}\\

&\dnf(\varphi \U \psi) &=  &\, \dnf(\varphi \land \X(\varphi \U \psi)) \cup \dnf(\psi)\\

&\dnf(\varphi \V \psi) &=  &\, \dnf(\varphi \land \psi) \cup \dnf(\psi \land \X(\varphi \V \psi))\\

\end{align*}

\end{def:dnf}

\begin{lem:dnf}

Let $\Phi^+$ be the set of formulae in positive form, following holds:

\[\forall{\varphi \in \Phi^+}: \varphi \iff \bigvee_{D \in \dnf(\varphi)} \bigwedge D\]

\end{lem:dnf}

\begin{thebibliography}{99}

\bibitem{ref:ltl&büchi} 

\uppercase{M{\footnotesize adhavan} M{\footnotesize ukund}.}

{\em Linear-Time Temporal Logic and B\"uchi Automata}.

Winter School on Logic and Computer Science, Indian Statistical Institute, Calcutta, 1997.

\bibitem{ref:alternating verification} 

\uppercase{M{\footnotesize oshe} Y. V{\footnotesize ardi}.}

{\em Alternating Automata and Program Verification}.

Computer Science Today, Volume 1000 of Lecture Notes in Computer Science, Springer-Verlag, Berlin, 1995.

\bibitem{ref:concurrent checking}

\uppercase{O{\footnotesize rna} L{\footnotesize ichtenstein and} A{\footnotesize mir} P{\footnotesize nueli}.}

{\em Checking that finite state concurrent programs satisfy their linear specification}.

Proceeding 12th ACM Symposium on Principles of Programming Languages, New York, 1985.

\bibitem{ref:infpaths}

\uppercase{P{\footnotesize ierre} W{\footnotesize olper}, 

M{\footnotesize oshe} Y. V{\footnotesize ardi and}

A. P{\footnotesize rasad} S{\footnotesize istla}.}

{\em Reasoning about Infinite Computation Paths}.

In Proceedings of the 24th IEEE FOCS, 1983.

\bibitem{ref:handbook} 

\uppercase{P{\footnotesize atrick} B{\footnotesize lackburn}, 

F{\footnotesize rank} W{\footnotesize olter and} J{\footnotesize ohan van} B{\footnotesize enthem}.}

{\em Handbook of Modal Logic (Studies in Logic and Practical Reasoning)}.

3rd Edition, Elsevier, Amsterdam, 2007.

\end{thebibliography}

\end{document}