Given an FSM or FSM-SK $A$, which has the form $A \triangleq \langle L, l_0, I, O, R, F_A^s, F_A^w \rangle$ and which could itself be the composition of two or more FSMs or FSM-SKs, we now outline how to represent $A$ as a symbolic transition system.⁵ We denote the symbolic transition system corresponding to $A$ as $\tilde{A} \triangleq \langle \tilde{V}, \tilde{l}_0, \tilde{R}, \tilde{F}_A^s, \tilde{F}_A^w \rangle$, where:

• $\tilde{V}$ is the set of variables in the symbolic transition system, and we use $\tilde{V}'$ to represent the primed version of the variables in $\tilde{V}$. The primed version of a variable denotes the value of the variable in the next state. We require them to distinguish between the current and next values of variables in a symbolic representation.

• $\tilde{l}_0$ is the symbolic representation of the set of initial states of the symbolic transition system.

• $\tilde{R}$ is the symbolic transition relation that relates the values in the next state, represented by the primed version of the variables, i.e., $\tilde{V}'$, to their values in the current state, represented by the unprimed version of the variables, i.e., $\tilde{V}$.

• $\tilde{F}_A^s$ is a set of pairs of predicates over $\tilde{V}$, with one pair encoding each set $F \in F_A^s$.

• $\tilde{F}_A^w$ is a set of predicates over $\tilde{V}$, with one predicate encoding each set $F \in F_A^w$.

⁵ If $A$ is required to satisfy multiple LTL formulas, then these can be expressed as a single LTL formula which is
We will use BDDs to represent $\tilde{l}_0$, $\tilde{R}$, $\tilde{F}_A^s$ and $\tilde{F}_A^w$ in our presentation. It will be convenient to partition $R$ into the sets $R_{\mathit{fixed}}$ and $R_{\mathit{synth}}$, where $R_{\mathit{fixed}}$ consists of the transitions with "fixed" interpretations, i.e., where $\mathit{guard}$ is the Boolean constant $\mathit{true}$, and $R_{\mathit{synth}}$ consists of the transitions whose interpretations are to be synthesized, i.e., where $\mathit{guard}$ is a Boolean valued variable whose value needs to be determined. The usual determinism constraints outlined in Chapter 2 are implicitly assumed in the rest of this chapter. We note that these can also be specified using suitable constraints on $R_{\mathit{synth}}$ and fit well into the BDD based algorithms described in this chapter.
We define the set of variables of $\tilde{A}$ as $\tilde{V} \triangleq \{\mathit{loc}, \mathit{lastt}\} \cup \tilde{G}$, where $\mathit{loc}$ and $\mathit{lastt}$ represent the location of the FSM $A$ and the identity of the transition that was taken to arrive at the current state, respectively. The set of variables $\tilde{G} = \{g_1, g_2, \ldots, g_k\}$, where $k = |R|$, consists of Boolean valued variables, where $g_i$ represents the guard of the transition $t_i$, for each $t_i \in R$. The $\mathit{lastt}$ variable is necessary because symbolic model checking algorithms are more naturally suited to handling state-based fairness requirements than transition-based fairness requirements. By adding the variable $\mathit{lastt}$, we are essentially enabling the translation of transition-based fairness into state-based fairness.
We now describe how each of the symbolic representations $\tilde{l}_0$, $\tilde{R}$, $\tilde{F}_A^w$ and $\tilde{F}_A^s$ is constructed, starting from a definition of $A$. We present the predicates over the set of variables $\tilde{V}$, as well as over the primed variables $\tilde{V}'$, that correspond to the definition of each of these. It is straightforward to construct BDDs corresponding to these predicates using the operations of a BDD library such as CUDD [SB00]. The set of initial states of $\tilde{A}$ can be encoded as follows:

$$\tilde{l}_0 \equiv (\mathit{loc} = l_0) \wedge \bigwedge_{t_i \in R_{\mathit{fixed}}} g_i$$
Each transition $t_i \in R$ of the form $t_i \triangleq \langle l_i, m_i, \mathit{guard}_i, l'_i \rangle$ is encoded symbolically as:

$$(\mathit{loc} = l_i) \wedge g_i \wedge (\mathit{loc}' = l'_i) \wedge (\mathit{lastt}' = t_i) \wedge (g'_i = g_i)$$

The constraint $g'_i = g_i$ ensures that the interpretation remains constant across transitions. The complete symbolic transition relation $\tilde{R}$ is then simply the disjunction of the above encoding over all the transitions $t_i \in R$:

$$\tilde{R} \equiv \bigvee_{t_i \in R} (\mathit{loc} = l_i) \wedge g_i \wedge (\mathit{loc}' = l'_i) \wedge (\mathit{lastt}' = t_i) \wedge (g'_i = g_i)$$
Consider a weak fairness assumption $F^w \in F_A^w$, where $F^w = \{t_1, t_2, \ldots, t_n\}$. We symbolically encode $F^w$, denoted $\tilde{F}^w$, using a single predicate of the form:

$$\tilde{F}^w \equiv \neg\,\mathit{enabled}(F^w) \vee \mathit{taken}(F^w)$$

where $\mathit{enabled}(F^w) \equiv \bigvee_{t_i \in F^w} (\mathit{loc} = l_i \wedge g_i)$, with $l_i$ and $g_i$ referring to the initial location and the Boolean variable corresponding to the guard of the transition $t_i$, and $\mathit{taken}(F^w) \equiv \bigvee_{t_i \in F^w} (\mathit{lastt} = t_i)$. The predicate $\mathit{enabled}(F^w)$ encodes whether any transition in $F^w$ can be executed, and $\mathit{taken}(F^w)$ encodes whether the current state has been reached by executing some transition in the set $F^w$.
For a strong fairness assumption $F^s \in F_A^s$, where $F^s = \{t_1, t_2, \ldots, t_n\}$, we symbolically encode $F^s$, denoted $\tilde{F}^s$, using a pair of Boolean valued formulas $p$ and $q$, where $p \triangleq \mathit{enabled}(F^s)$ and $q \triangleq \mathit{taken}(F^s)$, with $\mathit{enabled}$ and $\mathit{taken}$ as defined above. The predicate encodings of fairness assumptions will be used to characterize whether a non-empty terminal strongly connected component is fair. We refer the reader to earlier work [KPRS06] for a more detailed explanation.
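As an added example (not code from the thesis), the following Python model realises the encoding above over explicitly enumerated states instead of BDDs: it builds $\tilde{l}_0$, $\tilde{R}$, $\mathit{enabled}$, $\mathit{taken}$ and $\tilde{F}^w$ for a constructed three-transition FSM-SK and computes the reachable states on which the weak-fairness predicate is false. The FSM, its transition names and all helper names are constructed here, and the model assumes every guard variable is kept constant across a step (the stated intent of $g'_i = g_i$).

```python
from itertools import product
# Constructed toy FSM-SK (not from the thesis) as (name, source, destination, fixed):
# fixed=True puts the transition in R_fixed (guard is the constant true), fixed=False
# in R_synth (guard g_i is a Boolean variable whose value is to be synthesized).
TRANS = [("t1", "a", "b", True), ("t2", "b", "a", False), ("t3", "b", "b", False)]
L0, NAMES = "a", [t[0] for t in TRANS]
LOCS = sorted({t[1] for t in TRANS} | {t[2] for t in TRANS})

def states():
    """Enumerate V~ = {loc, lastt} ∪ G~ explicitly (the domain a BDD would encode)."""
    for loc, last, gs in product(LOCS, [None] + NAMES, product([False, True], repeat=len(TRANS))):
        yield {"loc": loc, "lastt": last, **{"g_" + n: g for n, g in zip(NAMES, gs)}}

def is_init(s):
    """l~0 ≡ (loc = l0) ∧ ⋀_{t_i ∈ R_fixed} g_i."""
    return s["loc"] == L0 and all(s["g_" + n] for n, _, _, fixed in TRANS if fixed)

def step(s, s2):
    """R~ ≡ ⋁_{t_i ∈ R} (loc = l_i) ∧ g_i ∧ (loc' = l'_i) ∧ (lastt' = t_i), conjoined with
    g'_j = g_j for every j (assumption: every guard stays constant across a step)."""
    return all(s2["g_" + n] == s["g_" + n] for n in NAMES) and any(
        s["loc"] == src and s["g_" + n] and s2["loc"] == dst and s2["lastt"] == n
        for n, src, dst, _ in TRANS)

def enabled(F, s):
    """enabled(F) ≡ ⋁_{t_i ∈ F} (loc = l_i ∧ g_i)."""
    return any(s["loc"] == src and s["g_" + n] for n, src, _, _ in TRANS if n in F)

def taken(F, s):
    """taken(F) ≡ ⋁_{t_i ∈ F} (lastt = t_i)."""
    return s["lastt"] in F

def weak_fair(F, s):
    """F~^w ≡ ¬enabled(F) ∨ taken(F)."""
    return not enabled(F, s) or taken(F, s)

def reachable():
    """Least fixed point of the image of l~0 under R~ (what a BDD engine computes symbolically)."""
    seen = {frozenset(s.items()): s for s in states() if is_init(s)}
    frontier = list(seen.values())
    while frontier:
        new = {frozenset(s2.items()): s2 for s in frontier for s2 in states()
               if step(s, s2) and frozenset(s2.items()) not in seen}
        seen.update(new)
        frontier = list(new.values())
    return list(seen.values())

def unfair_states(F):
    """Reachable states on which the weak-fairness predicate for F is false."""
    return [s for s in reachable() if not weak_fair(F, s)]
```

Since $\tilde{l}_0$ constrains only $\mathit{loc}$ and the fixed guards, the initial set contains every value of $\mathit{lastt}$ and of the synthesized guards, and each guard assignment then evolves as its own constant "world" under $\tilde{R}$.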