Example

We now present an example of both ltl2dstar and dra2ispl, by translating a given A-LTL formula into both a property agent and a property observer.

We begin by considering the formula

G(p → FGq)

which expresses that, if the action p occurs along any run, then in the future eventually the component will always perform q.

In the syntax for ltl2dstar, this formula would be expressed in reverse Polish notation (RPN) as

G i p F G q

where “i” is used for implication. ltl2dstar will then convert this formula into spin syntax:

6.3 Automatically Constructing Closure Environments 149

and invoke ltl2ba on it; ltl2ba will then generate a spin “never claim” representing the NBA for the given formula. The never claim output of ltl2ba for our chosen formula is shown in Figure 6.3; its corresponding visualisation is shown in Figure 6.4.

1 n e v e r { 2 a c c e p t _ i n i t : 3 if 4 :: (! p0 ) - > g o t o a c c e p t _ i n i t 5 :: (1) - > g o t o T 0 _ S 2 6 :: ( p1 ) - > g ot o a c c e p t _ S 3 7 fi; 8 T 0 _ S 2 : 9 if 10 :: (1) - > g o t o T 0 _ S 2 11 :: ( p1 ) - > g ot o a c c e p t _ S 3 12 fi; 13 a c c e p t _ S 3 : 14 if 15 :: ( p1 ) - > g o to a c c e p t _ S 3 16 fi; 17 }

Fig. 6.3. Thespinnever claim for the NBA of the formula G (p → FGq) generated byltl2ba

In Figure 6.3, it can be observed that, for compatibility with ltl2ba, ltl2dstar renames the propositions as follows: p ⇒ p0 and q ⇒ p1. It is also apparent that ltl2ba generates a “shortcut” in the automaton as the transition from stateinit to S3 reflects that, even if the automaton has not seen p yet, as long the component always performs q going forward, this satisfies the original formula (i.e., if y always holds, then x→ y can never be false, and given that G φ implies F G φ ).

Furthermore, we observe that not every run we would expect to be accepting is accepting. In Figure 6.4, we can see that the infinite trace (accept_init∗· T0_S2ω₎

(i.e., a run that visits accept_init a finite number of times and then visits T0_S2 an infinite number of times) would be a valid run for any sequence of actions meeting our assumption, but would also be a rejecting run. This is because ltl2ba was designed to generate an automata for a negation of a formula; therefore, adding more rejecting runs does not introduce any problems: the formula is only decided to be false if there exists an accepting run on the negation of the formula. Furthermore, we have that σ ∈ L (A) if there exists a run that accepts it – we are not constrained that all runs must be accepting.

accept_init !p0 accept_S3 p1 T0_S2 1 p1 p1 1

Fig. 6.4. A visualisation of the NBA from Figure 6.3

Finally, ltl2dstar performs Safra’s construction on the parsed spin never claim, and generates a DRA for that formula. The output of ltl2dstar in GraphViz [Ellson et al., 2001] dot format is shown in 6.5.

We can see in Figure 6.5 that the DRA for our formula contains 5 states (labelled 0 through to 4). The two ancillary states (the oval containing “DRA” and the rectangle containing “Safra[NBA = 3]”) are not part of the DRA, and are simply additional information for the user (respectively representing that the output is a DRA and that the NBA input to Safra’s construction contained 3 states).

We now explain Figure 6.5 in more detail. For each state in the DRA, we have that: • The top number is the state number

• The bottom number is the set of all Rabin conditions that the state appears in (where “+n” means the corresponding state is in Lnand “−n” means that state is in Un; if a

Rabin condition is not mentioned, that state appears neither in Unnor Ln).

Finally, a state is grey if it is an initial state of the DRA.

As such, the generated DRA contains two Rabin pairsh(L0,U0) , (L1,U1)i such that:

State 0 is in L1; State 1 is in L0and in U1; State 2 is in U0and L1; and States 3 and 4

are in U1. Consequently, we have that the acceptance condition for the generated DRA:

6.3 Automatically Constructing Closure Environments 151 DRA Safra[NBA=3] 0 +1 !p&q p&q 4 -1 !p&!q p&!q !p&q p&q

!p&!q p&!q 1 +0 -1 p&q p&!q !p&!q !p&q _{+0 -1}2 !p&q p&q !p&!q p&!q 3 -1

!p&!q !p&q p&!q p&q

Fig. 6.5. The GraphVizdot diagram for the DRA of G (p → FGq) automatically generated by ltl2dstar

6.3.3.1 Observer Agent

By invoking ltl2dstar with the argument

--output:plugin:Generate_ISPL _Observer

we can get ltl2dstar to invoke dra2ispl, generating a property observer for our formula. The output of Generate _ispl_Observer is shown in Figure 6.6.

As shown above, the first Rabin pair in the acceptance condition of the generated DRA has an empty U0 set; we can see this reflected in the generated ISPL as the

definition of U0is:

1 U_0 if ( E n v i r o n m e n t . s t a t e = s_0 ) and !( E n v i r o n m e n t . s t a t e = s_0 ) ;

Given this definition, it is clear that U0evaluates to false and therefore U0does not hold

at any states in the model (i.e., the set of states that satisfy the proposition U0, as defined

in the ISPL file, is the empty set). As such, calculating the set of states whereU0holds

is empty, so is in accordance with the generated DRA.

6.3.3.2 Property Agent

Similarly, if we call ltl2dstar with the argument

1 A g e n t E n v i r o n m e n t 2 V a r s: 3 s t a t e : { s_0 , s_1 , s_2 , s_3 , s_4 }; 4 end V a r s 5 A c t i o n s = { nop }; 6 P r o t o c o l: 7 O t h e r : { nop }; 8 end P r o t o c o l 9 E v o l u t i o n:

10 s t a t e = s_4 if s t a t e = s_0 and !( Env .A c t i o n = p or Env .A c t i o n = q ) ;

11 s t a t e = s_4 if s t a t e = s_0 and Env .A c t i o n = p ;

12 s t a t e = s_0 if s t a t e = s_0 and Env .A c t i o n = q ;

13 s t a t e = s_1 if s t a t e = s_1 and !( Env .A c t i o n = p or Env .A c t i o n = q ) ;

14 s t a t e = s_4 if s t a t e = s_1 and Env .A c t i o n = p ;

15 s t a t e = s_1 if s t a t e = s_1 and Env .A c t i o n = q ;

16 s t a t e = s_4 if s t a t e = s_2 and !( Env .A c t i o n = p or Env .A c t i o n = q ) ;

17 s t a t e = s_4 if s t a t e = s_2 and Env .A c t i o n = p ;

18 s t a t e = s_0 if s t a t e = s_2 and Env .A c t i o n = q ;

19 s t a t e = s_1 if s t a t e = s_3 and !( Env .A c t i o n = p or Env .A c t i o n = q ) ;

20 s t a t e = s_2 if s t a t e = s_3 and Env .A c t i o n = p ;

21 s t a t e = s_1 if s t a t e = s_3 and Env .A c t i o n = q ;

22 s t a t e = s_4 if s t a t e = s_4 and !( Env .A c t i o n = p or Env .A c t i o n = q ) ;

23 s t a t e = s_4 if s t a t e = s_4 and Env .A c t i o n = p ; 24 s t a t e = s_0 if s t a t e = s_4 and Env .A c t i o n = q ; 25 end E v o l u t i o n 26 end A g e n t 27 28 E v a l u a t i o n 29 L_0 if E n v i r o n m e n t . s t a t e = s_1 or E n v i r o n m e n t . s t a t e = s_2 ; 30 U_0 if ( E n v i r o n m e n t . s t a t e = s_0 ) and !( E n v i r o n m e n t . s t a t e = s_0 ) ; - - f a l s e 31 32 L_1 if E n v i r o n m e n t . s t a t e = s_0 ; 33 U_1 if E n v i r o n m e n t . s t a t e = s_1 or E n v i r o n m e n t . s t a t e = s_2 34 or E n v i r o n m e n t . s t a t e = s_3 or E n v i r o n m e n t . s t a t e = s_4 ; 35 end E v a l u a t i o n 36 37 I n i t S t a t e s 38 E n v i r o n m e n t . s t a t e = s_3 ; 39 end I n i t S t a t e s

Fig. 6.6. A partial ISPL snippet for a deterministic Rabin observer agent

dra2ispl will generate a property agent for our formula. The output of Generate _ispl_Agent is shown in Figure 6.7.

In Figure 6.7, we can see that although the formula only referred to two atomic actions (p and q), the generated property agent also contains the τ action other_action. A rule in the evolution function for the property agent is triggered on “other_action” if no positive propositions occur in a transition (e.g., the transition ¬p ∧ ¬q would become an other_action transition in the generated property agent).