
5 Büchi automata and Model checking

In this paper, we propose an approach which combines the advantages of BMC and the possibility of formulating it easily and efficiently as an ASP problem, with the advantages of reasoning on the product Büchi automaton described above, mainly its completeness. In this section, we show how to build the product automaton and how to use the automaton tableau construction for BMC. In the next section we describe how to encode the transition system and BMC in ASP.

The problem of constructing a Büchi automaton from an LTL formula has been deeply studied. In this section we show how to build a Büchi automaton for a given LTL(Σ) formula φ using a tableau-like procedure. The construction is adapted from the procedure given in [19; 15] for Dynamic Linear Time Logic (DLTL), a logic which extends LTL by indexing the until operator with regular programs.

The main procedure to construct the Büchi automaton for a formula φ builds a graph G(φ) whose nodes are labelled by sets of formulas, and whose edges are labelled by symbols from the alphabet Σ. States and transitions of the Büchi automaton are obtained directly from the nodes and edges of the graph. The construction of the states makes use of an auxiliary tableau-based function tableau which handles signed formulas, i.e. formulas prefixed with the symbol T or F. This function takes as input a set of formulas² and returns a set of sets of formulas, obtained by expanding the input set according to a set of tableau rules, formulated as follows:

• φ ⇒ ψ1, ψ2: if φ belongs to the set of formulas, then add ψ1 and ψ2 to the set.

• φ ⇒ ψ1 | ψ2: if φ belongs to the set of formulas, then replace the set with two copies of the set and add ψ1 to one of them and ψ2 to the other one.

The rules are the following:

Tor: T(α ∨ β) ⇒ Tα|Tβ

For: F(α ∨ β) ⇒ Fα, Fβ

Tneg: T¬α ⇒ Fα

Fneg: F¬α ⇒ Tα

Tuntil: TαUβ ⇒ T(β ∨ (α ∧ αUβ))

Funtil: FαUβ ⇒ F(β ∨ (α ∧ αUβ))

where the tableau rules for the until formula make use of the equivalence αUβ ≡ (β ∨ (α ∧ ○(αUβ))). This set of rules can be easily extended to deal with other boolean connectives and modal operators like □ or ◇ by making use of the equivalences □β ≡ (β ∧ ○□β) and ◇β ≡ (β ∨ ○◇β).

Given a set of formulas s, function tableau repeatedly applies the above rules to the formulas of s (by possibly creating new sets) until all formulas in all sets have been expanded. If the expansion of a set of formulas produces an inconsistent set, then this set is deleted. A set of formulas s is inconsistent in the following cases: (i) T⊥ ∈ s; (ii) F⊤ ∈ s; (iii) Tα ∈ s and Fα ∈ s; (iv) T⟨a⟩α ∈ s and T⟨b⟩β ∈ s with a ≠ b, because in a linear time logic two different actions cannot be executed in the same state.

To build the graph for a formula φ, we begin by building the initial states, obtained by applying function tableau to the set {φ, T⋁_{a∈Σ}⟨a⟩⊤}, where the second formula takes into account the fact that runs must be infinite and thus there must be at least one outgoing edge from each state. After execution of tableau, every resulting set contains exactly one T⟨a⟩⊤ formula, for some a ∈ Σ.

The above tableau rules do not expand formulas whose top operator is a next time operator, i.e. ⟨a⟩α or ○α. Expanding such formulas from a node n means creating a new node containing α connected to n through an edge labelled with a in the first case, or with any symbol in Σ in the second case. Thus an obvious procedure for building the graph is to apply to all sets obtained by the tableau procedure the following construction: if node n contains a formula T⟨a⟩α, then build the set of the nodes connected to n through an edge labelled a as tableau({Tα | T⟨a⟩α ∈ n} ∪ {Tα | T○α ∈ n} ∪ {Fα | F⟨a⟩α ∈ n} ∪ {Fα | F○α ∈ n} ∪ {T⋁_{a∈Σ}⟨a⟩⊤}). The construction is iterated on the new nodes.
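The tableau function and the successor construction just described, as an added worked example in Python (this is not code from the paper; it is written here to illustrate the procedure). Formulas are plain tuples, ○α is encoded as ('next', α) and ⟨a⟩α as ('act', a, α); these encodings, the n-ary ∨ used for ⋁_{a∈Σ}⟨a⟩⊤, the dual rule for ∧ (one of the "other boolean connectives" the text says are easy to add), and the helpers diamond/box that express ◇β as ⊤Uβ and □β as ¬(⊤U¬β) are all assumptions of this example. The 0/1 labelling of until formulas and the accepting condition are not implemented here.

```python
# Added example, not from the paper: signed-formula tableau and successor
# construction for the graph G(phi). Formula encoding (an assumption of this
# example): ('p', name), ('top',), ('bot',), ('not', f), ('or', f, g, ...),
# ('and', f, g, ...), ('until', f, g), ('next', f) for the next-time operator,
# ('act', a, f) for <a>f.
from collections import deque

T, F = 'T', 'F'

def diamond(f):            # <>f encoded as top U f (assumed encoding)
    return ('until', ('top',), f)

def box(f):                # []f encoded as not(top U not f) (assumed encoding)
    return ('not', diamond(('not', f)))

def expand(sf):
    """Alternatives produced by one tableau rule on the signed formula sf, or
    None when its top operator is a next-time operator or it is atomic.
    Each alternative is the list of signed formulas added to a copy of the set."""
    sign, f = sf
    op = f[0]
    if op == 'or':                       # Tor splits, For adds all disjuncts
        return [[(T, g)] for g in f[1:]] if sign == T else [[(F, g) for g in f[1:]]]
    if op == 'and':                      # dual of Tor / For (extension)
        return [[(T, g) for g in f[1:]]] if sign == T else [[(F, g)] for g in f[1:]]
    if op == 'not':                      # Tneg / Fneg
        return [[(F if sign == T else T, f[1])]]
    if op == 'until':                    # aUb == b or (a and next(aUb))
        a, b = f[1], f[2]
        if sign == T:                    # Tuntil
            return [[(T, b)], [(T, a), (T, ('next', f))]]
        return [[(F, b), (F, a)], [(F, b), (F, ('next', f))]]   # Funtil
    return None                          # 'next', 'act', atoms, top, bot

def consistent(s):
    """Cases (i)-(iv) of the text."""
    if (T, ('bot',)) in s or (F, ('top',)) in s:
        return False
    if any((F, f) in s for (sign, f) in s if sign == T):
        return False
    actions = {f[1] for (sign, f) in s if sign == T and f[0] == 'act'}
    return len(actions) <= 1             # two different actions: inconsistent

def tableau(formulas):
    """Expand a set of signed formulas into the set of fully expanded,
    consistent sets (as frozensets)."""
    result = set()
    work = deque([(frozenset(formulas), frozenset())])   # (set, already expanded)
    while work:
        s, done = work.pop()
        todo = [sf for sf in s if sf not in done and expand(sf) is not None]
        if not todo:
            if consistent(s):
                result.add(s)
            continue
        sf = todo[0]
        for alt in expand(sf):
            work.append((s | frozenset(alt), done | {sf}))
    return result

def any_action(sigma):
    """The formula OR_{a in Sigma} <a>top forcing an outgoing edge."""
    return ('or',) + tuple(('act', a, ('top',)) for a in sorted(sigma))

def action_of(node):
    """The unique action a with T<a>alpha in the node (case (iv) makes it unique)."""
    return next(f[1] for (sign, f) in node if sign == T and f[0] == 'act')

def successors(node, sigma):
    """Nodes reached from `node` through the edge labelled with its action:
    tableau({Talpha | T<a>alpha in n} u {Talpha | T next alpha in n} u
            {Falpha | F<a>alpha in n} u {Falpha | F next alpha in n} u {any_action})."""
    a = action_of(node)
    seeds = {(sign, f[2]) for (sign, f) in node if f[0] == 'act' and f[1] == a}
    seeds |= {(sign, f[1]) for (sign, f) in node if f[0] == 'next'}
    seeds.add((T, any_action(sigma)))
    return a, tableau(seeds)

def build_graph(phi, sigma):
    """Build G(phi): initial nodes plus a dict node -> (action, successor nodes)."""
    initial = tableau({(T, phi), (T, any_action(sigma))})
    edges, seen, work = {}, set(initial), deque(initial)
    while work:
        n = work.popleft()
        a, succ = successors(n, sigma)
        edges[n] = (a, succ)
        for m in succ:
            if m not in seen:
                seen.add(m)
                work.append(m)
    return initial, edges

if __name__ == '__main__':
    # constraint []<> <sense_mail>top of Example 3 over the alphabet {wait, sense_mail}
    init, graph = build_graph(box(diamond(('act', 'sense_mail', ('top',)))), {'wait', 'sense_mail'})
    print(len(init), 'initial nodes,', len(graph), 'nodes in G(phi)')
```

The `done` set carried with each candidate is what keeps the expansion finite: the unfolding of an until formula adds its ○ copy once and is then left alone, and ○ and ⟨a⟩ formulas are only consumed by `successors`, which strips one next-time operator per edge exactly as the set expression in the text prescribes.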

States and transitions of the Büchi automaton correspond directly to the nodes and edges of the graph. We must now define the accepting states of the automaton. Intuitively, we would like to define as accepting those runs in which all the until formulas of the form TαUβ are fulfilled. If a node n contains the formula TαUβ, then we can accept an infinite run containing n, if node n is followed in the run by a node n′ containing Tβ. Furthermore all nodes between n and n′ must contain Tα.

Let us assume that a node n contains the until formula TαUβ. After the expansion of this formula, n either contains Tβ or T○(αUβ). In the latter case, each successor node will contain a formula TαUβ. We say that this until formula is derived from formula TαUβ in node n. If a node contains an until formula which is not derived from a predecessor node, we will say that the formula is new. New until formulas are obtained during the expansion of the tableau procedure.

In order to formulate the accepting condition, we must be able to trace the until formulas along the paths of the graph to make sure that they are fulfilled. To do this we extend T-signed formulas so that all until formulas have a label 0 or 1, i.e. they have the form TαU^l β where l ∈ {0, 1}³. Note that two formulas TαU⁰β and TαU¹β are considered to be different. Furthermore, we define each node of the graph as a triple (F, x, f), where F is an expanded set of formulas built by function tableau, x ∈ {0, 1}, and f ∈ {↓, X}. f = X means that the node represents an accepting state.

For each node (F, x, f), the label of an until formula in F will be assigned as follows: if it is a derived until formula, then its label is the same as that of the until formula in the predecessor node it derives from; otherwise, if the formula is new, it is given the label 1 − x.

Given a node (F, x, f) and a successor (F′, x′, f′), x′ and f′ are defined as follows:

if f = X then x′ := 1 − x else x′ := x,

if there is no T○αU^{x′}β ∈ F′ then f′ := X else f′ := ↓

Let us call 0-sequences or 1-sequences the sequences of nodes of a run ρ with x = 0 or x = 1 respectively. Intuitively, every new until formula created in a node of a 0-sequence will be fulfilled within the end of the next 1-sequence, and vice versa. In fact, the formula will be given label 1 and propagated in the following nodes with the same label, and the 1-sequence cannot terminate until the until formula is fulfilled. If ρ is an accepting run, then it must contain infinitely many nodes containing X, and thus all 0-sequences and 1-sequences must be finite and, as a consequence, all until formulas will be fulfilled.

Given a graph G(φ), the states and transitions of the Büchi automaton B(φ) correspond directly to the nodes and edges of G(φ), and the set of accepting states of B(φ) consists of all states whose corresponding node contains f = X.

³ If we introduce also the □ and ◇ operators, we have to label them in the analogous way.

In [15] it is proved that there is a σ ∈ L(B(φ)) if and only if there is a model M = (σ, V) such that M, ε |= φ.

The same construction can be used in model checking for building the product automaton of B(φ) and the transition system. Every state of the product automaton is the union of a set of fluents forming a state of the transition system and a set of signed formulas corresponding to a state of B(φ), while transitions must agree both with transitions of B(φ) and those of the action theory. We assume that the action theory and the LTL formulas refer to the same set of actions and atomic propositions. Of course, the states of the product automaton must be consistent, i.e. they cannot contain the literal ¬f and the signed formula Tf, or f and Ff⁴.

The construction of the automaton can be done on-the-fly, while checking for the emptiness of the language accepted by the automaton. In this paper, following the BMC approach, we aim at generating a single path of the automaton at a time. Given an integer k, we look for a path of length k of the automaton, with a loop back from the last state to a previous state l in the path, such that there is an accepting state j, l ≤ j ≤ k. Such a k-loop finitely represents an accepting run of the automaton. Note that we can consider only simple paths, that is paths without repeated nodes. This property allows us to define a terminating algorithm, thus achieving completeness: the bound k is increased until a k-loop is found or the length of the longest path of the automaton is reached.

To find the length of the longest path we can proceed iteratively by looking for a simple path of length k (without loop), incrementing k at each iteration. Since the product automaton has a finite size, this procedure terminates.
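The k-loop search and the longest-path termination test, as an added example over an explicit automaton (this is not code from the paper). The automaton SAMPLE is constructed for this example: it has the shape of the run in Example 3 below (states s0..s4, the edge labels used there, and f = X on s0, s2, s3), and the accepting set ACCEPT is an assumption of the example. The search increases k, looks for a simple path of length k whose last state loops back to an earlier state l with an accepting state in between, and stops as soon as no simple path of length k exists any more, which is the completeness argument of the text.

```python
# Added example, not from the paper: bounded search for a k-loop in an explicit
# (product) automaton given as  state -> [(action, next_state), ...].
# SAMPLE and ACCEPT are constructed for this example after Example 3.
SAMPLE = {
    's0': [('wait', 's1')],
    's1': [('wait', 's2')],
    's2': [('sense_mail', 's3')],
    's3': [('deliver(b)', 's4')],
    's4': [('deliver(a)', 's1')],
}
ACCEPT = {'s0', 's2', 's3'}          # states whose node carries f = X

def k_loop(transitions, initial, accepting, k):
    """Look for a simple path s0 ... sk from an initial state with an edge
    from sk back to some sl (l <= k) such that an accepting state lies in
    sl ... sk. Returns (path, l) or None."""
    def dfs(path):
        last = path[-1]
        if len(path) == k + 1:                       # path of length k built
            for (_, nxt) in transitions.get(last, []):
                if nxt in path:                      # loop back into the path
                    l = path.index(nxt)
                    if any(s in accepting for s in path[l:]):
                        return path, l
            return None
        for (_, nxt) in transitions.get(last, []):
            if nxt not in path:                      # simple paths only
                found = dfs(path + [nxt])
                if found:
                    return found
        return None
    for s in initial:
        found = dfs([s])
        if found:
            return found
    return None

def has_simple_path(transitions, initial, k):
    """True iff some simple path of length k (k edges) starts in an initial state."""
    def dfs(path):
        if len(path) == k + 1:
            return True
        return any(dfs(path + [n]) for (_, n) in transitions.get(path[-1], [])
                   if n not in path)
    return any(dfs([s]) for s in initial)

def longest_simple_path(transitions, initial):
    """Length of the longest simple path, found by incrementing k until no
    simple path of length k exists (terminates because the automaton is finite)."""
    k = 0
    while has_simple_path(transitions, initial, k + 1):
        k += 1
    return k

def bmc(transitions, initial, accepting):
    """Increase k until a k-loop is found, returning (path, l, k), or until the
    longest simple path is exceeded, returning None (no accepting run exists)."""
    k = 0
    while has_simple_path(transitions, initial, k):
        found = k_loop(transitions, initial, accepting, k)
        if found:
            return found[0], found[1], k
        k += 1
    return None

if __name__ == '__main__':
    print('longest simple path:', longest_simple_path(SAMPLE, ['s0']))
    print('k-loop:', bmc(SAMPLE, ['s0'], ACCEPT))
```

With ACCEPT as above the first k-loop appears at k = 4 (the loop s4 → s1 with the accepting states s2 and s3 inside it, as in Example 3); if the only accepting state were s0, which lies outside the loop, the search would run up to the longest simple path (4) and report that no counterexample exists.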

Example 3 Let us consider the domain description in Example 1 with the constraint □◇⟨sense mail⟩⊤. The following is a k-loop satisfying the constraint for k = 4. It consists of the states s0, . . . , s4 with the transitions s0 −wait→ s1, s1 −wait→ s2, s2 −sense mail→ s3, s3 −deliver(b)→ s4, s4 −deliver(a)→ s1.

State s0 is obtained by applying tableau to the LTL formula expressing the constraint, and adding the fluent literals holding in the initial state. Thus we get⁵:

T□◇⟨sense mail⟩⊤, T◇¹⟨sense mail⟩⊤, T○□◇⟨sense mail⟩⊤, T○◇¹⟨sense mail⟩⊤, T⟨wait⟩⊤, ¬a, ¬b, x = 0, f = X

The second and third formulas are obtained by the expansion of the first one, while the fourth formula is obtained by the expansion of the second one.

State s1 is obtained by propagating the next time formulas and expanding them:

T□◇⟨sense mail⟩⊤, T◇¹⟨sense mail⟩⊤, T◇⁰⟨sense mail⟩⊤, T○□◇⟨sense mail⟩⊤, T○◇¹⟨sense mail⟩⊤, T○◇⁰⟨sense mail⟩⊤, T⟨wait⟩⊤, ¬a, ¬b, x = 1, f = ↓

⁴ Remember that the states of the transition system are complete and thus each state must contain either f or ¬f.

⁵ We omit formulas having as topmost operator a boolean connective, and we use a and b as a shorthand for mail(a), mail(b).

The second and third formulas are identical except for the index of the ◇ operator: the second formula derives from the previous state, while the third one derives from the first formula of this state; f is ↓ because there is a next time formula with label 1.

State s2 is:

T□◇⟨sense mail⟩⊤, T◇¹⟨sense mail⟩⊤, T◇⁰⟨sense mail⟩⊤, T○□◇⟨sense mail⟩⊤, T⟨sense mail⟩⊤, ¬a, ¬b, x = 1, f = X

The value of f is X because there are no next time formulas with label 1. The formulas T◇^l⟨sense mail⟩⊤ are fulfilled because sense mail will be the next action. State s3 is:

T□◇⟨sense mail⟩⊤, T◇¹⟨sense mail⟩⊤, T○□◇⟨sense mail⟩⊤, T○◇¹⟨sense mail⟩⊤, T⟨deliver mail(b)⟩⊤, a, b, x = 0, f = X

Note that the execution of sense mail changes the value of a and b.

State s4 is:

T□◇⟨sense mail⟩⊤, T◇⁰⟨sense mail⟩⊤, T◇¹⟨sense mail⟩⊤, T○□◇⟨sense mail⟩⊤, T○◇¹⟨sense mail⟩⊤, T○◇⁰⟨sense mail⟩⊤, T⟨deliver mail(a)⟩⊤, a, ¬b, x = 1, f = ↓

By executing action deliver mail(a) we have a transition back to state s1.

Example 4 Let us consider now our domain description with the two constraints in Example 2. To check whether the formula ϕ = □(mail(a) ⊃ ◇¬mail(a)) is valid, we add to the domain description the two constraints and ¬ϕ, and we get the following k-loop which represents a counterexample to the property: s0 −sense mail→ s1, s1 −deliver(b)→ s2, s2 −sense mail→ s3, s3 −deliver(b)→ s2. Furthermore, we have the following fluents in each state: s0: ¬a, ¬b; s1: a, b; s2: a, ¬b; s3: a, b. Thus the mail of a is never delivered.

Let us now modify the domain theory by adding the precondition [sense mail]⊥ ← mail(E). In this case, we expect ϕ to hold. To check this, we first compute the length of the longest path in the Büchi automaton, which turns out to be 9, and then check that there is no k-loop for k up to 9.