Automata-Theoretic LTL Model Checking - Faculty of Computer ...

Formal Methods 

Lecture VIII: Automata-Theoretic LTL Model 

Checking 

Vladislav Ryzhikov 

ryzhikov@inf.unibz.it 

http://www.inf.unibz.it/∼ryzhikov 

Slides taken from University of Trento Formal Methods Course by 

R.Sebastiani. 

Faculty of Computer Science – Free University of Bolzano 

1

Summary 

unibz.it 

The Problem 

Automata on Finite Words 

Automata on Infinite Words 

From Kripke Structures to Büchi Automata 

From LTL Formulas to Büchi Automata 

Automata-Theoretic LTL Model Checking 

2

The Problem 

unibz.it 

Given a Kripke structure M and an LTL specification ψ, does 

M satisfy ψ? 

M |= ψ 

3


unibz.it 

M |= ψ 

(LTL) 

⇐⇒ M |= ✷ p ψ (on all paths ψ) 

⇐⇒ L(M) ⊆ L(ψ) 

⇐⇒ L(M) ∩ L(¬ψ) = {} 

⇐⇒ L(A M ) ∩ L(A ¬ψ ) = {} 

⇐⇒ L(A M × A ¬ψ ) = {} 

A M is a Büchi Automaton equivalent to M (which 

represents all and only the executions of M) 

A ¬ψ is a Büchi Automaton which represents all and 

only the paths that satisfy ¬ψ (do not satisfy ψ) 

=⇒ A M × A ¬ψ represents all and only the paths 

appearing in M and not in ψ. 

4


unibz.it 

Four steps: 

1 Compute A M 

2 Compute A ϕ 

3 Compute the product A M × A ϕ 

4 Check the emptiness of L(A M × A ϕ ) 

5

Summary 

unibz.it 

The Problem 






6

Finite Word Languages 

unibz.it 

Example 

An alphabet Σ is a collection of symbols (letters). 

E.g. Σ = {a, b}. 

A finite word is a finite sequence of letters. (E.g. aabb.) 

The set of all finite words is denoted by Σ ∗ . 

A language U is a set of words, i.e. U ⊆ Σ ∗ . 

Words over Σ = {a, b} with equal number of a’s and b’s. (E.g. 

aabb or abba.) 

Language recognition problem. Determine whether a word belongs 

to a language. 

Automata are computational devices able to solve language 

recognition problems. 

7

Finite State Automata 

unibz.it 

Basic model of computational systems with finite memory. 

Widely applicable 

Embedded System Controllers. 

Languages: Ester-el, Lustre, Verilog. 

Synchronous Circuits. 

Regular Expression Pattern Matching 

Grep, Lex, Emacs. 

Protocols 

Network Protocols 

Architecture: Bus, Cache Coherence, Telephony,... 

8

Notation 

unibz.it 

a, b ∈ Σ finite alphabet. 

u, v, w ∈ Σ ∗ finite words. 

λ empty word. 

u.v catenation. 

u i = u.u. .u repeated i-times. 

U, V ⊆ Σ ∗ finite word languages. 

9

FSA Definition 

unibz.it 

Definition (Nondeterministic Finite State Automaton (NFA)) 

NFA is (Q, Σ, δ, I , F ) where 

Q finite set of states 

I ⊆ Q set of initial states 

F ⊆ Q set of final states 

→⊆ Q × Σ × Q transition relation (edges) 

We use q 

a −→ q ′ to denote (q, a, q ′ ) ∈ δ. 

Definition (Deterministic Finite State Automaton (DFA)) 

DFA is NFA with 

δ : Q × Σ → Q a total function 

Single initial state I = {q 0 } 

10

Regular Languages 

unibz.it 

A run of NFA A on u = a 0 , a 1 , . . . , a n−1 is a finite sequence 

a 

of states q 0 , q 1 , . . . , q n s.t. q 0 ∈ I and q 

i 

i −→ qi+1 for 

0 ≤ i < n. 

An accepting run is one where the last state q n ∈ F . 

The language accepted by A 

L(A) = {u ∈ Σ ∗ | A has an accepting run on u} 

The languages accepted by a NFA are called regular 

languages. 

11

Finite State Automata 

unibz.it 

Let Σ = {a, b} 

Example 

DFA A 1 recognizes words which do not end in b 

a b b 

Example 

s 1 

s 2 

a 

NFA A 2 recognizes words which end in b 

a,b 

b 

s 1 

s 2 

b 

12

Determinisation 

unibz.it 

Theorem (Determinisation) 

Given a NFA A we can construct a DFA A ′ s.t. L(A) = L(A ′ ). 

Size |A ′ | = 2 O(|A|) . 

13

Determinisation [cont.] 

unibz.it 

Example 

NFA A 2 : Words which end in b. 

a,b 

b 

s 1 

s 

b 2 

A 2 can be determinised into the automaton DA 2 below. 

a b b 

s 1 

s 1 

,s 2 

a 

Study Topic There are NFA’s of size n for which the size of the 

minimum sized DFA must have size O(2 n ). 

14

Closure Properties 

unibz.it 

Theorem (Boolean Closure) 

Given NFA A 1 , A 2 over Σ we can construct NFA A over Σ s.t. 

L(A) = L(A 1 ) (Complement). |A| = 2 O(|A1|) . 

L(A) = L(A 1 ) ∪ L(A 2 ) (Union). |A| = |A 1 | + |A 2 |. 

L(A) = L(A 1 ) ∩ L(A 2 ) (Intersection). |A| = |A 1 | · |A 2 |. 

15

Complementation of a NFA 

unibz.it 

A NFA A = (Q, Σ, δ, I , F ) is complemented by: 

determinizing it into a DFA A ′ = (Q ′ , Σ ′ , δ ′ , I ′ , F ′ ) 

complementing it: A ′ = (Q ′ , Σ ′ , δ ′ , I ′ , F ′ ) 

|A ′ | = |A ′ | = 2 O(|A 1|) 

16

Union of two NFA’s 

unibz.it 

Two NFA’s A 1 = (Q 1 , Σ 1 , δ 1 , I 1 , F 1 ), A 2 = (Q 2 , Σ 2 , δ 2 , I 2 , F 2 ), 

A = A 1 ∪ A 2 = (Q, Σ, δ, I , F ) is defined as follows 

Q := Q 1 ∪ Q 2 , I := I 1 ∪ I 2 , F := F 1 ∪ F 2 

A is an automaton which just runs nondeterministically either 

A 1 or A 2 

L(A) = L(A 1 ) ∪ L(A 2 ) 

|A| = |A 1 | + |A 2 | 

17

Synchronous Product Construction 

unibz.it 

Let A 1 = (Q 1 , Σ, δ 1 , I 1 , F 1 ) and A 2 = (Q 2 , Σ, δ 2 , I 2 , F 2 ). Then, 

A 1 × A 2 = (Q, Σ, δ, I , F ) where 

Q = Q 1 × Q 2 . I = I 1 × I 2 . 

F = F 1 × F 2 . 

< p, q > −→< a p ′ , q ′ > iff p 

a −→ p ′ and q 

a −→ q ′ . 

Theorem 

L(A 1 × A 2 ) = L(A 1 ) ∩ L(A 2 ) 

18

Synchronous Product Construction (Cont.) 

unibz.it 

Example 

a 

b 

s 0 

t 0 

b b b a a 

b 

a t 1 

s 1 

a 

A 1 recognizes words with A 2 recognizes words with 

an even number of b a number of a mod 3 = 0 

t 2 

The Product Automaton A 1 × A 2 with F = {s 0 , t 0 }. 

b 

s s t 0 

t 0 

1 0 

b 

a a a a 

a 

s0 t 

s 0 

t a 

1 

t 1 

2 

s1 t s 1 2 

b 

b 

b 

b 

19

Decision Problems 

unibz.it 

Theorem (Emptiness) 

Given a NFA A we can decide whether L(A) = ∅. 

Method: Forward/Backward Reachability of acceptance states in 

Automaton graph. Complexity is O(|Q| + |δ|). 

Theorem (Language Containment) 

Given NFA A 1 and A 2 we can decide whether L(A 1 ) ⊆ L(A 2 ). 

Method: L(A 1 ) ⊆ L(A 2 ) iff L(A 1 ) ∩ L(A 2 ) = ∅. Complexity is 

O(|A 1 | · 2 |A 2| ). 

20

Regular Expressions 

unibz.it 

Syntax: ∅ | ɛ | a | reg 1 .reg 2 | reg 1 + reg 2 | reg ∗ . 

Every regular expression reg denotes a language L(reg). 

Example 

(a ∗ .(b + bb).a ∗ . The words with either 1 b or 2 consecutive b’s 

Theorem 

For every regular expression reg we can construct a language 

equivalent NFA of size O(|reg|). 

Theorem 

For every DFA A we can construct a language equivalent regular 

expression reg(A). 

21

Infinite Word Languages 

unibz.it 

Modeling infinite computations of reactive systems. 

Example 

An ω-word α over Σ is infinite sequence 

a 0 , a 1 , a 2 . . .. 

Formally, α : N ↦→ Σ. 

The set of all infinite words is denoted by Σ ω . 

A ω-language L is collection of ω-words, i.e. L ⊆ Σ ω . 

All words over {a, b} with infinitely many a’s. 

Notation: 

omega words α, β, γ ∈ Σ ω . 

omega-languages L, L 1 ⊆ Σ ω 

For u ∈ Σ + , let u ω = u.u.u . . . 

22

Summary 

unibz.it 

The Problem 






23

Omega-Automata 

unibz.it 

We consider automaton runs over infinite words. 

Example 

a,b 

s 1 

s 2 

b 

b 

Let α = aabbbb . . .. There are several possible runs. 

Run ρ 1 = s 1 , s 1 , s 1 , s 1 , s 2 , s 2 . . . 

Run ρ 2 = s 1 , s 1 , s 1 , s 1 , s 1 , s 1 . . . 

Acceptance Conditions: Büchi, (Muller, Rabin, Street). 

Acceptance is based on states occurring infinitely 

often 

Notation: Let ρ ∈ Q ω . Then, 

Inf (ρ) = {s ∈ Q | ∃ ∞ i ∈ N. ρ(i) = s}. 

24

Büchi Automata 

unibz.it 

Definition (Nondeterministic Büchi Automaton) 

A = (Q, Σ, δ, I , F ), where F ⊆ Q is the set of accepting states. 

A run ρ of A on omega word α is an infinite sequence 

a 

ρ = q o , q 1 , q 2 , . . . s.t. q 0 ∈ I and q 

i 

i −→ qi+1 for 0 ≤ i. 

The run ρ is accepting if 

Inf (ρ) ∩ F ≠ ∅. 

The language accepted by A 

L(A) = {α ∈ Σ ω | A has an accepting run on α} 

25

Büchi Automaton: Example 

unibz.it 

Let Σ = {a, b}. 

Example 

Deterministic Büchi Automaton (DBA) A 1 

a b b 

s 1 

s 2 

With F = {s 1 } the automaton recognizes words with 

infinitely many a’s. 

a 

26

Büchi Automaton: Example (2) 

unibz.it 

Example 

NBA A 2 

a,b 

b 

s 1 

s 2 

b 

With F = {s 2 }, automaton A 2 recognizes words with finitely 

many a. 

Thus, L(A 2 ) = L(A 1 ). 

27

Deterministic vs. Nondeterministic Büchi Automata 

unibz.it 

Theorem 

DBA’s are strictly less powerful than NBA’s. 

28

Closure Properties 

unibz.it 

Theorem (union, intersection) 

For the NBA’s A 1 , A 2 we can construct 

– the NBA A s.t. L(A) = L(A 1 ) ∪ L(A 2 ). |A| = |A 1 | + |A 2 | 

– the NBA A s.t. L(A) = L(A 1 ) ∩ L(A 2 ). |A| = |A 1 | · |A 2 | · 2. 

29

Union of two NBA’s 

unibz.it 

Two NBA’s A 1 = (Q 1 , Σ 1 , δ 1 , I 1 , F 1 ), A 2 = (Q 2 , Σ 2 , δ 2 , I 2 , F 2 ), 

A = A 1 ∪ A 2 = (Q, Σ, δ, I , F ) is defined as follows 

Q := Q 1 ∪ Q 2 , I := I 1 ∪ I 2 , F := F 1 ∪ F 2 

A is an automaton which just runs nondeterministically either 

A 1 or A 2 

L(A) = L(A 1 ) ∪ L(A 2 ) 

|A| = |A 1 | + |A 2 | 

(same construction as with ordinary automata) 

30

Synchronous Product of NBA’s 

unibz.it 

Let A 1 = (Q 1 , Σ, δ 1 , I 1 , F 1 ) and A 2 = (Q 2 , Σ, δ 2 , I 2 , F 2 ). 

Then, A 1 × A 2 = (Q, Σ, δ, I , F ), where 

Q = Q 1 × Q 2 × {1, 2}. 

I = I 1 × I 2 × {1}. 

F = F 1 × Q 2 × {1}. 

< p, q, 1 > −→< a p ′ , q ′ , 1 > iff p −→ a p ′ and q −→ a q ′ and p ∉ F 1 . 

< p, q, 1 > −→< a p ′ , q ′ , 2 > iff p −→ a p ′ and q −→ a q ′ and p ∈ F 1 . 

< p, q, 2 > −→< a p ′ , q ′ , 2 > iff p −→ a p ′ and q −→ a q ′ and q ∉ F 2 . 

< p, q, 2 > −→< a p ′ , q ′ , 1 > iff p −→ a p ′ and q −→ a q ′ and q ∈ F 2 . 

Theorem 

L(A 1 × A 2 ) = L(A 1 ) ∩ L(A 2 ) 

31

Product of NBA’s: Intuition 

unibz.it 

The automaton remembers two tracks, one for each source 

NBA, and it points to one of the two tracks 

As soon as it goes through an accepting state of the current 

track, it switches to the other track 

thus to visit infinitely often a state in F (i.e., F 1 ), it must visit 

infinitely often some state also in F 2 

Important subcase: If F 2 = Q 2 , then 

Q = Q 1 × Q 2 . 

I = I 1 × I 2 . 

F = F 1 × Q 2 . 

32

Product of NBA’s: Example 

a 

b 

unibz.it 

s 0 

t 0 

b b b a a 

b 

a t 1 

s 1 

a 

t 2 

s s t 0 

t 0 1 

1 0 1 

b 

b 

a a 

s0 t s 0 

t a 

1 1 s1 1 s 1 

t 1 1 

21 

t 2 

1 to 2 

2 to 1 

a 

a 

b 

s 0 

t 0 2 

a 

b 

b 

s 1 

t 0 

a 

a 

a 

a 

s0 t s 0 

t a 

1 

t 1 

22 

2 s1 t s 1 2 

2 2 

b 

b 

b 

b 

b 

b 

b TRACK 1 

a 

TRACK 2 

2 

33

Closure Properties (2) 

unibz.it 

Theorem (Complementation) 

For the NBA A 1 we can construct an NBA A 2 such that 

L(A 2 ) = L(A 1 ). 

Corollary 

|A 2 | = O(2 |A 1|·log(|A 1 |) ) 

Method: 

1 Convert a Büchi automaton into a Non-Deterministic Rabin 

automaton. 

2 Determinize and Complement the Rabin automaton 

3 Convert the Rabin automaton into a Büchi automaton 

34

Generalized Büchi Automaton 

unibz.it 

A Generalized Büchi Automaton is A := (Q, Σ, δ, I , FT ) where 

FT = < F 1 , F 2 , . . . , F k > with F i ⊆ Q. 

A run ρ of A is accepting if Inf (ρ) ∩ F i ≠ ∅ for each 1 ≤ i ≤ k. 

Theorem 

For every Generalized Büchi Automaton (A, FT ) we can construct 

a language equivalent Büchi Automaton (A ′ , G ′ ). 

Proof. 

(Construction) Let Q ′ = Q × {1, . . . , k}. 

Automaton remains in i phase till it visits a state in F i . Then, it 

moves to i + 1 mode. After phase k it moves to phase 1. 

Size: |A ′ | ≤ |A| · k. 

35

Omega Regular Expressions 

unibz.it 

A language is called ω-regular if it has the form ∪ n i=1 

where U i , V i are regular languages. 

Theorem 

A language L is ω-regular iff it is NBA-recognizable. 

U i.(V i ) ω 

36

Decision Problem 

unibz.it 

Theorem (Emptiness) 

For a NBA A, it is decidable whether L(A) = ∅. 

Method 

Find the maximal strongly connected components (MSCC) in 

the graph of A (disregarding the edge labels). 

A MSCC C is called non-trivial if C ∩ F ≠ ∅ and C has at 

least one edge. 

Find all nodes from which there is a path to a non-trivial 

SCC. Call the set of these nodes as N. 

L(A) = ∅ iff N ∩ I = ∅. 

Time Complexity: O(|Q| + |δ|). 

37

Summary 

unibz.it 

The Problem 






38

Computing a NBA from a Kripke Structure 

unibz.it 

Transforming a K.S. M = 〈S, S 0 , R, L, AP〉 into an NBA 

A M = 〈Q, Σ, δ, I , F 〉 s.t.: 

States: Q := S ∪ {init}, init being a new initial state 

Alphabet: Σ := 2 AP 

Initial State: I := {init} 

Accepting States: F := Q = S ∪ {init} 

Transitions: 

δ : q −→ a 

q ′ iff (q, q ′ ) ∈ R and L(q ′ ) = a 

a 

init −→ q iff q ∈ S 0 and L(q) = a 

L(A M ) = L(M) 

|A M | = |M| + 1 

39

Computing a NBA from a Kripke Structure: Example 

unibz.it 

Substantially, add one initial state, move labels from states to 

incoming edges, set all states as accepting states 

40

Computing a NBA from a Fair Kripke Structure 

unibz.it 

Transforming a fair K.S. M = 〈S, S 0 , R, L, AP, FT 〉, 

FT = {F 1 , ..., F n }, into an NBA A M = 〈Q, Σ, δ, I , F 〉 s.t.: 

States: Q := S ∪ {init}, init being a new initial state 

Alphabet: Σ := 2 AP 

Initial State: I := {init} 

Accepting States: F := FT 

Transitions: 

δ : q −→ a 

q ′ iff (a, a ′ ) ∈ R and L(q ′ ) = a 

a 

init −→ q iff q ∈ S 0 and L(q ′ ) = a 

L(A M ) = L(M) 

|A M | = |M| + 1 

41

Summary 

unibz.it 

The Problem 






42

Paths as ω-words 

unibz.it 

NB We consider LTL formulas with operators ¬, ∨, ○, U only. 

Let ϕ be an LTL formula. 

Example 

Var(ϕ) denotes the set of free variables of ϕ. 

E.g. Var(p ∧ (¬q U q)) = {p, q}. 

Let Σ := 2 Var(ϕ) . 

⇒ a model for ϕ is an ω-word α = a 0 , a 1 , . . . in Σ ω . 

We can define α, i |= ϕ. Also, α |= ϕ iff α, 0 |= ϕ. 

A model of p ∧ (¬q U q) is the ω-word 

{p}, {}, {q}, {p, q} ω . 

N.B.: correspondence between ω-words and paths in Kripke 

structures: 

α, i |= ϕ ⇐⇒ π, s i |= ϕ, α, 0 |= ϕ ⇐⇒ π, s 0 |= ϕ 

43

Automata for LTL model checking 

unibz.it 

Let Mod(ϕ) denote the set of models of ϕ. 

Theorem 

For any LTL formula ϕ, the set Mod(ϕ) is omega-regular. 

Proof. 

Construct a NBA A ϕ such that Mod(ϕ) = L(A ϕ ). 

44

Closures 

unibz.it 

Closure Given ϕ ∈ LTL, let CL ′ (ϕ) be the smallest set s.t. 

ϕ ∈ CL ′ (ϕ). 

If ¬ϕ 1 ∈ CL ′ (ϕ) then ϕ 1 ∈ CL ′ (ϕ). 

If ϕ 1 ∨ ϕ 2 ∈ CL ′ (ϕ) then ϕ 1 , ϕ 2 ∈ CL ′ (ϕ). 

If ○ϕ 1 ∈ CL ′ (ϕ) then ϕ 1 ∈ CL ′ (ϕ). 

If (ϕ 1 U ϕ 2 ) ∈ CL ′ (ϕ) then ϕ 1 , ϕ 2 ∈ CL ′ (ϕ) and 

○(ϕ 1 U ϕ 2 ) ∈ CL ′ (ϕ) 

CL(ϕ) := {ϕ 1 , ¬ϕ 1 | ϕ 1 ∈ CL ′ (ϕ)} (we identify ¬¬ϕ 1 with ϕ 1 .) 

N.B.: |CL(ϕ)| = O(|ϕ|). 

45

Atoms 

unibz.it 

An Atom is a maximal consistent subset of CL(ϕ). 

Definition 

A set A ⊆ CL(ϕ) is called an atom if 

For all ϕ 1 ∈ CL(ϕ), we have ϕ 1 ∈ A iff ¬ϕ 1 /∈ A. 

For all ϕ 1 ∨ ϕ 2 ∈ CL(ϕ), we have ϕ 1 ∨ ϕ 2 ∈ A iff ϕ 1 ∈ A or 

ϕ 2 ∈ A (or both). 

For all (ϕ 1 U ϕ 2 ) ∈ CL(ϕ), we have (ϕ 1 U ϕ 2 ) ∈ A iff ϕ 2 ∈ A 

or (ϕ 1 ∈ A and ○(ϕ 1 U ϕ 2 ) ∈ A). 

Essentially, an atom is a consistent truth assignment to the 

elementary subformulas of ϕ 

We call Atoms(ϕ) the set of all atoms of ϕ. 

46

Definition of A ϕ 

unibz.it 

For an LTL formula ϕ, we construct a Generalized NBA 

A ϕ = (Q, Σ, δ, Q 0 , FT ) as follows: 

Σ = 2 vars(ϕ) 

Q = Atoms(ϕ), the set of atoms. 

δ is s.t., for q, q ′ ∈ Atoms(ϕ) and a ∈ Σ, q −→ a q ′ holds in δ 

iff 

q ∩ Var(ϕ) = a, 

for all ○ϕ 1 ∈ CL(ϕ), we have ○ϕ 1 ∈ q iff ϕ 1 ∈ q ′ . 

Q 0 

= {q ∈ Atoms(ϕ) | ϕ ∈ q}. 

FT = (F 1 , F 2 , . . . , F k ) where, for all (ψ i U ϕ i ) occurring 

positively in ϕ, 

F i = {q ∈ Atoms(ϕ) | (ψ i U ϕ i ) /∈ q or ϕ i ∈ q}. 

47

Definition of A ϕ [cont.] 

unibz.it 

Theorem 

Let α = a 0 , a 1 , . . . ∈ Σ ω . Then, α |= ϕ iff α ∈ L(A ϕ ). 

Size: |A ϕ | = O(2 |ϕ| ). 

48

Example 

Let φ = p U q, then 

CL ′ = {p, q, p U q, ○(p U q) 

CL = {p, q, p U q, ○(p U q), ¬p, ¬q, ¬p U q, ¬○(p U q) 

Atoms = {1 :{p, q, p U q, ○(p U q)}, 

2 :{¬p, q, p U q, ○(p U q)}, 

3 :{p, ¬q, p U q, ○(p U q)}, 

4 :{¬p, ¬q, p U q, ¬○(p U q)}, 

5 :{¬p, ¬q, ¬p U q, ○(p U q)}, 

6 :{p, q, p U q, ¬○(p U q)}, 

7 :{p, ¬q, ¬p U q, ¬○(p U q)}, 

8 :{¬p, ¬q, ¬p U q, ¬○(p U q)}} 

unibz.it 

Q 0 = {s | (p U q) ∈ s} = {1, 2, 3, 4, 6} 

σ ∋{φ p , φ q , φ pUq , ○(p U q)} {φp,φq} 

−→ {ψ p , ψ q , p U q, ψ ○(pUq) }, 

{φ p , φ q , φ pUq , ¬○(p U q)} {φp,φq} 

−→ {ψ p , ψ q , ¬p U q, ψ ○(pUq) } 

F 1 = {s | (p U q) ∉ s or q ∈ s} = {1, 2, 4, 5, 6, 7, 8} 

49

Example (cont.) 

unibz.it 

50

Role of Acceptance Conditions 

unibz.it 

Example 

σ alone does not guarantee that p U q is “fulfilled” 

State 3 with {p, ¬q, p U q, ○(p U q)} 

Although p U q holds in state 3, the path which loops forever 

in state 3 does not satisfy φ = p U q as q never holds in that 

path 

That’s why 3 is not an accepting state in F 1 . But any path 

going infinitely through a state in F 1 “fulfills” p U q 

51

Summary 

unibz.it 

The Problem 






52


unibz.it 

Four steps: 

1 Compute A M 




53

Automata-Theoretic LTL Model Checking: complexity 

unibz.it 

Four steps: 

1 Compute A M : |A M | = O(|M|) 




54

Automata-Theoretic LTL Model Checking: complexity [cont.] 

Four steps: 


2 Compute A ϕ : |A ϕ | = O(2 |ϕ| ) 



55


Four steps: 



3 Compute the product A M × A ϕ : 

|A M × A ϕ | = |A M | · |A ϕ | = O(|M| · 2 |ϕ| ) 


56


Four steps: 



3 Compute the product A M × A ϕ : 

|A M × A ϕ | = |A M | · |A ϕ | = O(|M| · 2 |ϕ| ) 

4 Check the emptiness of L(A M × A ϕ ): 

O(|A M × A ϕ |) = O(|M| · 2 |ϕ| ) 

⇒ the complexity of LTL M.C. grows linearly wrt. the size of the 

model M and exponentially wrt. the size of the property ϕ 

57

Final Remarks 

unibz.it 

Büchi automata are in general more expressive than LTL! 

Some tools (e.g., Spin, ObjectGEODE) allow specifications to 

be expressed directly as NBA’s 

for every LTL formula, there are many possible equivalent 

NBA’s 

lots of research for finding “the best” conversion algorithm 

performing the product and checking emptiness very relevant 

lots of techniques developed (e.g., partial order reduction) 

lots on ongoing research 

58

Automata-Theoretic LTL Model Checking - Faculty of Computer ...

Create successful ePaper yourself

Delete template?

Save as template?