Bounded Model Checking of ETL Cooperating with Finite and Looping Automata Connectives

As a complementary technique of the BDD-based approach, boundedmodel checking (BMC) has been successfully applied to LTL symbolic model checking. However, the expressiveness of LTL is rather limited, and some important properties cannot be captured by such logic. In this paper, we present a semantic BMC encoding approach to deal with the mixture of ETLf and ETLl. Since such kind of temporal logic involves both finite and looping automata as connectives, all regular properties can be succinctly specified with it. The presented algorithm is integrated into the model checker ENuSMV, and the approach is evaluated via conducting a series of imperial experiments.


Introduction
A crucial bottleneck of model checking is the state-explosion problem, and the symbolic model checking technique has proven to be an applicable approach to alleviate it.In the early 1990s, McMillan presented the BDD [1] based model checking technique [2].It is first applied to CTL model checking and is later adapted to deal with LTL.With the rapid evolvement of SAT solvers, an entirely new approach, namely, bounded model checking (BMC), is presented in [3].It rerpresents the problem "there is a path (with bounded length) violating the specification in the model" with a Boolean formula and then tests its satisfiability via a SAT solver.Usually, BMC is considered to be a complementary approach of the BDDbased approach: BMC is normally used for hunting bugs not for proving their absence.It performs better when handling a model having a large reachable state set but involving (relatively) shallow error runnings.
BMC has been successfully employed in LTL model checking.However, LTL has the drawback of limited expressiveness.Wolper was the first to complain about this by addressing the fact that some counting properties such as " holds at every even moment" cannot be expressed by any LTL formula [4].Indeed, LTL formulae are just as expressive as star-free -expressions, that is, -regular expressions disallowing arbitrary (in a star-free expression, Kleene-closure operators (• * and •  ) can only be applied upon Σ, which is the whole set of alphabet) use of Kleene-closure operators.
As pointed in [5,6], it is of great importance for a specification language to have the power to express all -regular properties-as an example, it is a necessary requirement to support modular model checking.Actually, such specification language like PSL [7] has been accepted as industrial standard.
For temporal logics within linear framework, there are several ways to pursue such an expressiveness.
(1) The first way is to add fixed-point operators or propositional quantifiers to the logic, such as linear calculus [8] and QLTL [9].
(3) The third approach is to cooperate infinitely many temporal connectives with the logic, just like various of ETLs [4,9,13].
The first extension requires finitely many operators in defining formulae.Meanwhile, the use of fixed-point operators and higher-order quantifiers tends to rise difficulties in understanding.In contrast, using regular expressions or automata as syntactical ingredients is much more intuitive in comprehension.To some extent, since nesting of automata connectives is allowed, the third approach generalizes the second one.
In [4], Wolper suggested using right linear grammars as connectives.Later, Wolper, Vardi, and Sistla consider taking various -automata [9,13].Depending on the type of automata used as temporal connectives, we may obtain various ETLs.As a result, ETLs employing -automata with looping, finite, and repeating (alternatively, Büchi [14]) acceptance are, respectively, named ETL  , ETL  , and ETL  , and all of them are known to be as expressive as -regular expressions [13].
We have presented a BDD-based model checking algorithm for ETL  in [15] and an algorithm for BDD-based model checking of an invariant of PSL in [16].Jehle et al. present a bounded model checking algorithm for linear calculus in [17].And in [18], a tester based symbolic model checking approach is proposed by Pnueli and Zacks to deal with PSL properties.Meanwhile, a modular symbolic Büchi automata construction is presented in [19] by Cimatti et al.In this paper, we present a semantic BMC encoding for ETL employing both finite acceptance and looping acceptance automata connectives (we in the following refer to it as ETL + ).The reason that we study BMC algorithm for such kind of logic is for the following considerations.
(1) The BDD-based symbolic model checking technique for ETL  has been established in [15] by extending LTL construction [20].Nevertheless, in a pure theoretical perspective, looping and finite acceptance, respectively, correspond to safety and liveness properties, and looping acceptance automata can be viewed as the counterparts of finite acceptance automata.Actually, both similarities and differences could be found in compiling the semantic models and translating Boolean representations when dealing with these two types of connectives.Since ETL + has a rich set of fragments, such as LTL, it is hopeful to develop a unified semantic BMC framework of such logics.
(2) Practically, things would usually be much more succinct when employing both types of automata connectives, in comparison to merely using finite or looping ones.As an example, there is no direct encoding for the temporal operator G just with finite acceptance automata-to do this with ETL  , we need to use a two-state and two-letter connective to represent the operator F and then to dualize it.In contrast, with looping automata, we just need to define a one-state and one-letter connective.It would save much space overhead in building tableaux.
(3) Lastly, unlike syntactic BMC encodings (such kind of encodings give inductive Boolean translations with the formulae's structure, cf.[21,22] for a survey), the semantic fashion [22] yields a natural completeness threshold computation approach, and it describes the fair path finding problem over the product model with Boolean formulae.In this paper, we give a linear semantic encoding approach (opposing to the original quadratic semantic encoding) for ETL + .Moreover, the technique can also be tailored to semantic LTL BMC.
We have implemented the presented algorithm with our model checker ENuSMV (Ver.1.2), and this tool allows end users to customize temporal connectives by defining automata.We have also justified the algorithm by conducting a series of comparative experiments.
The paper is structured as follows: Section 2 briefly revisits basic notions.Section 3 introduces semantic BMC encoding technique for ETL + .In Section 4, experimental results of ETL + BMC are given.Finally, we conclude the whole paper with Section 5.

Preliminaries
An infinite word  over the alphabet Σ is a mapping from N to Σ; hence we may use () to denote the th letter of .For the sake of simplicity, we usually write  as the sequence (0)(1) ⋅ ⋅ ⋅ .A finite prefix of  with length  is a restriction of  to the domain {0, . . .,  − 1}, denoted by  [𝑛].
A (nondeterministic) automaton is a tuple A = ⟨Σ, , , , ⟩, where: (i) Σ is a finite alphabet, (ii)  is a finite set of states, (iii)  :  × Σ → 2  is a transition function, (iv)  ∈  is an initial state, and (v)  ⊆  is a set of accepting states.
In this paper, we are concerned with two acceptance types for -automata.
Looping.An infinite word  is accepted if it has an infinite run over .
Finite.An infinite word  is accepted if it has a finite prefix [], over which there is a finite run  0 ⋅ ⋅ ⋅  +1 and  +1 is an accepting state (call such a prefix accepting prefix).
In both cases, we denote by L(A) the set of infinite words accepted by A.
Given an automaton A = ⟨Σ, , , , ⟩ and a state  ∈ , we denote by A  the automaton ⟨Σ, , , , ⟩.That is, A  is almost identical to A, except for that its initial state is replaced by .Hence, A and A  are the same.
Given a set of atomic propositions , the class of ETL + formulae can be inductively defined as follows.
(ii) Each proposition  ∈  is an ETL + formula.
(iii) If  is an ETL + formula, then ¬ and I are ETL + formulae.
(iv As usual, we directly use  ⊨  in place of , 0 ⊨ .
To make a better understanding of ETL + formulas, we here give some examples of the use of automata connectives.
(1) Considering the LTL formula  1 U 2 , it can be described with an ETL + formula A U ( 1 ,  2 ), where A U is the finite acceptance automaton (2) The LTL formula G is equivalent to the ETL + formula A G (), where A G = ⟨{}, {},  G , , 0⟩ is a looping acceptance automaton and  G (, ) = {}.
Remark 3. The order of letters is important in defining automata connectives.Hence, the alphabet should be considered as a vector, rather than a set.
We use sub() to denote the set of subformulae of .A formula  is in negation normal form (NNF) if all negations in  are adjacent to atomic propositions or automata connectives.One can achieve this by repeatedly using De Morgan's law and the schemas of ¬I ≡ I¬ and ¬¬ ≡ .In addition, we call a formula  being of the form A( 1 , . . .,   ) an automaton formula.
Given a formula  (in NNF), we use a two-letter-acronym to designate the type of an automaton subformula of : the first letter is either "P" or "N, " which means "positive" or "negative"; and the second letter can be "F" or "L, " which describes the acceptance type.For example, NL-subformulae stand for "negative automata formulae with looping automata connectives, " such as ¬A  ( 1 ,  2 ), where A is a two-letter looping automaton.
A model or interchangeably a labeled transition system (LTS) is a tuple M = ⟨, , , , F⟩, where: (i)  is a finite set of states, (ii)  ⊆  ×  is a transition relation (usually, we require  to be total; that is, for each  ∈ , there is some   ∈  having (,   ) ∈ ), (iii)  ⊆  is the set of initial states, (iv)  :  → 2  is the labeling function, and where  0 ∈  and (  ,  +1 ) ∈  for each  ∈ N. In addition,  is a fair path if  visits each  ∈ F infinitely often.Formally,  is a fair path if inf() ∩  ̸ = 0 for each  ∈ F, where inf() denotes the set of states occurring infinitely many times in .
An infinite word  =  0  1 ⋅ ⋅ ⋅ is derived from a path  of M (denoted by  = ()) if   = (  ) for each  ∈ N. We use L(M) to denote the set of infinite words derived from fair paths of M.
Given an ETL + formula  and an LTS M, we denote by M ⊨  if  ⊨  for each  ∈ L(M).The model checking problem of ETL + is just to verify if M ⊨  holds for the given LTS M and the given ETL + formula .

Semantic BMC Encoding for ETL 𝑙+𝑓
In this section, we will give a detailed description of the semantic BMC encoding for ETL + .Firstly, we show how to extend the tableau construction of LTL [20] to that of ETL + , and hence a product model can also be constructed.Subsequently, we interpret the fairness path finding problem (upon the product model) into SAT, and the size blow-up of this encoding is linear with the bound.
For the sake of convenience, in this section, we always assume that the given ETL + formulae have been normalized into NNF.
3.1.The Tableaux of ETL + Formulae.Given an ETL + formula , we first inductively define its elementary formula set el() as follows.
Hence, if  ∈ el(), then  is either an atomic proposition or a formula rooted at the next operator.
Subsequently, we define the function sat, which maps each subformula  of  to a set of members in 2 el() .Inductively the following hold.
Recall the tableau construction for LTL [20], an "until subformula" would generate a fairness constraint to the tableau.Indeed, such a subformula corresponds to a "leastfixpoint subformula" if we translate the specification into a logic employing higher-order quantifiers, such as -calculus.Similarly, for ETL + , the PF-and NL-subformulae also impose fairness constraints.For this reason, we need to define the following two auxiliary relations before giving the tableau construction.
We now describe the tableau construction for .Suppose that  1 , . . .,   and ¬ 1 , . . ., ¬  are, respectively, all the PFsubformulae and NL-subformulae occurring in  then the tableau T  is such an LTS ⟨  ,   ,   ,   , F  ⟩, where: ( The below two theorems (Theorems 4 and 5) reveal the language property of ETL + tableaux.To remove the lengthiness, we here just provide the proof sketches, and rigorous proofs of them are postponed to the appendices.
Proof (sketch).Suppose that  ⊨ ; to show  ∈ L(T  ), we need to first construct an infinite state sequence  =  0  1 ⋅ ⋅ ⋅ ∈    guided by  (the detailed construction is given in Section A.2), and then we will subsequently show that  is a fair path of T  and  =   ().
The following theorem is immediate from Theorems 4 and 5.

Theorem 6. The model M violates the ETL
Note that   ⊆   (resp.,   ⊆    ), and hence we have

The Linear Semantic
Encoding.Practically, a model's state space is determined by the evaluation of a set of variables.Further, we may assume that each of them is a "Boolean variable" (which corresponds to a proposition belonging to ), because every variable over finite domain could be encoded with several Boolean variables.
Let C = ⟨,,,,F⟩ be an arbitrary LTS, and we also assume that the corresponding variable set is  = { 1 , . . .,   }; then each state  ∈  uniquely corresponds to an assignment of such   s.
If we use (  ) to denote the value of   at , then each subset  ⊆  can be represented by a Boolean formula Φ  over .In detail, it fulfills where  ⊩ Φ  means that Φ  is evaluated to be true if we assign each   with the value (  ).
Let   = {  1 , . . .,    }, and each binary relation  ⊆  ×  also has a Boolean representation Φ  over the variable set  ∪   .That is, where ( 1 ,  2 ) ⊩ Φ  means that Φ  is evaluated to be true if we assign each   with  1 (  ) and assign each    with  2 (  ).Hence, all components of M can be encoded:  and  can be represented by two Boolean formulae Φ  and Φ  , respectively; we subsequently create a Boolean formula Φ  for each  ∈ F; note that the labeling function  is not concerned any longer, because the sates labeled with  can be captured by the Boolean formula .
For example, from Theorem 7, we have that the symbolic representation of T  requires 2 × |el() \ | new Boolean variables-because variables in el() ∩  can be shared with the encoding of the original model.
A canonical Boolean encoding of fair path existence detection upon LTSs is presented in [22]: given a model C = ⟨, , , , F⟩ and a bound  ∈ N, one may use the formula where and Φ () are, respectively, the Boolean formulae obtained from Φ  and Φ  by replacing each variable  with a new copy  () , and Φ (,)  is obtained from Φ  by replacing each  with  () and replacing each   with  () .
It can be seen that this formula is satisfiable if and only if C involves a fair path of the form  0  1 ⋅ ⋅ ⋅  ℓ−1 ( ℓ ⋅ ⋅ ⋅   )  (call it is of the lasso shape).Since that L(C) ̸ = 0 if and only if C contains some lasso fair path (note that from each fair path we may derive another fair path of lasso shape), hence we may convert the fair path detection into the satisfiability problem of the above Boolean formula.
However, a closer look shows that the size of such encoding is quadratic with the bound.To reduce the blow-up in size, we need to introduce the following new variables (the linearization can also be done with the syntactic fashion presented in [23,24].We would draw a comparison of these two approaches in Section 4.).
Intuitively,  ℓ indicates that  ℓ is a successor of   .
(2) For each fairness constraint  ∈ F and each 0 ≤ ℓ ≤ , we introduce a variable  (ℓ)  , and this variable is evaluated to be true only if there is some Φ ()  which is evaluated to true, where ℓ ≤  ≤ .
And the new encoding (with the bound  ∈ N) can be formulated as Hence, both the number of variables and the size of this encoding are linear with .Moreover, the following theorem guarantees the correctness of such encoding.
(iii) Because we have the conjunct ⋁ 0≤ℓ  ℓ , then there is some 0 ≤ ℓ ≤  such that ( ℓ ) = 1.In the following, we fix this specific value ℓ for the discussion.
The above shows that  0  1 ⋅ ⋅ ⋅  ℓ−1 ( ℓ ⋅ ⋅ ⋅   )  is a fair path of C, and hence L(C) ̸ = 0. Conversely, for the "only if " direction, it suffices to find some  and some assignment  evaluating Ψ ()  C to be true.Since L(C) ̸ = 0, there must exist some fair path of lasso shape in C. Without loss of generality, assume that  =  0  1 ⋅ ⋅ ⋅  ℓ−1 ( ℓ ⋅ ⋅ ⋅   )  is such a path; just let  be this value, and we now illustrate how the assignment  is constructed.
(iii) For each  ∈ F and each 0 ≤  ≤ , we let Then it can be directly checked that the conjunct is evaluated to be true under .
Thus, the formula Ψ () C is satisfiable.For bounded model checking, an important issue is the completeness threshold, which is the specific value  such that we may declare L(C) = 0 in the case that Ψ () C is not satisfiable, and we denote it by CT(C) in this paper.
Since we need only to concern about fair paths of the form  1 ( 2 )  , as pointed in [22], a possible candidate for the completeness threshold CT(C) is where  and   are, respectively, the diameter and the initialized diameter (cf.[22]).Since [22] just considers LTSs having only one fairness constraint, we here add the factor |F|.
Observe that the part  2 must be enclosed in some SCC (i.e., strongly connected component) of C, and we may replace (C) with (S), where S is the largest SCC that intersects all fairness constraints.Therefore, we may get a more compact upper bound of the completeness threshold.
Then, for a given LTS M and the given ETL + formula , since we have shown that M ⊭  if and only if M × T ¬ involves some fair path, we now just need to test if there is some  making Ψ () M×T ¬ satisfiable, where  ≤ CT(M × T ¬ ).

Experimental Results
To justify our idea, we have integrated (the tool is available at https://sourceforge.net/projects/enusmv12/) the ETL + BMC algorithm into ENuSMV (Ver.1.2).This tool is completely compatible with NuSMV [25], and it allows end-users to customize new temporal connectives by defining automata.For example, Figure 1 illustrates how to declare a finite acceptance automata connective (to define a looping acceptance automata connective, just replace the keyword FIN with LOOP), namely, A. Since it has three states q1, q2, and q3 (where q1 is the initial state and q3 is an accepting state), then A[q1], A[q2], and A[q3] are also connectives-for example, A[q2] just replaces the initial state with q2.Subsequently, one may define ETL + specifications; for example, ETLSPEC A(p,A[q2] (q,p)) is a proper declaration.
In this redistribution, both BDD-based and bounded model checkings for ETL + are supported.To perform (semantic encoding based) BMC, we need to use the command option bmc tab.
We have conducted some experiments to test the correctness and efficiency of our algorithm.In this paper, we are especially concerned with the following issues.
(1) The comparison of BDD-based symbolic model checking and bounded model checking.
(2) The overhead contrast in verifications of ETL  and ETL + upon both star-free and nonstar-free properties.
(3) The comparison of performances with syntactic/semantic BMC of LTL and semantic BMC of ETL + .
To compare the efficiencies between BDD-based MC and BMC, we chose the (distributed mutual exclusion) DME circuit as the model (which involves a buggy design), as described in [3].It consists of  cells for  users that want to have exclusive access to a shared resource.We conducted the experiment by describing the liveness property that "a request for using the resource will eventually be acknowledged" (with ETL + formula).The max bound are set to 100, and the comparative results are shown in Table 1, where "C.L. " stands for the length of counterexample.
As a previous work, we have implemented the symbolic model checking algorithm for ETL  in ENuSMV 1.0.To justify that in general ETL + could be more effectively checked, we would make a comparison of BMC for ETL  and ETL + .
To draw the comparison upon non-start-free regular properties, we use a "mod 2  counter" as the model.The model consists of  "cells" bit 0,. ..,bit n-1.Each cell is a (mod 2) counter having an input carry in and an output signal carry out.These cells are connected in a serial manner; that is, bit 0's carry in is set to 1, and bit i's carry in is connected to bit i−1's carry out as described in Figure 2. We, respectively, describe the periodicity property that "bit 0 carries out at every even (except for 0) moment" with ETL  and ETL + .We set the time bound to 1 hour, and Table 2 provides the max bounds (together with related information) which can be handled by the SAT solver within the time bound.From it, we can see that a deeper search could be done when specifications are described with ETL + .
To compare the overhead of ETL  and ETL + upon star-free properties, we would first use the DME model to check the safety property: "no two cells will be simultaneously acknowledged." The results are shown in Table 3, and the time bound is also set to 1 hour.
At the same time, we can also compare the verification performances of the DME model upon the aforementioned liveness property that "each request will be acknowledged in the further." Note that for this property, the verification could be accomplished within the given time bound, and a counterexample could be detected at the bound  = 39.The comparative results are given in Table 4.
The last group of experiments aims at comparing the efficiencies of (syntactic/semantic) LTL BMC and ETL + BMC.First of all, for LTL BMC, we are also concerned with two types of encoding approaches.
(1) The Syntactic Approach.We here adopt the linear incremental syntactic encoding proposed in [26]-to the best of our knowledge, this is the most effective syntactic encoding for full LTL.(2) The Semantic Approach.ENuSMV 1.2 also supports semantic encoding for LTL-this is tailored from our linear encoding presented in Section 3.2.
We still use the DME circuit as the model and the liveness property as specification; Table 5 provides the experimental results on LTL BMC based on syntactic and semantic encodings.From that, we can see that, with semantic encoding, it tends to generate less clauses and tends to terminate earlier than that with the syntactic encoding, whereas the latter requires fewer variables.
Meanwhile, we can also make a comparison between Tables 4 and 5; we may find that the variable numbers of semantic ETL BMC and LTL BMC are almost at a fixed ratio-for this experiment, the ratio is 1.09 (approximately).

Concluding Remarks
The logic ETL + is a variant of extended temporal logic, it employs both finite and looping acceptance automata connectives, and it can be considered a mixture of ETL  and ETL  .Thus, any omega-regular properties can be succinctly described with this kind of logic, particularly for safety and liveness properties.
We have presented the semantic bounded model checking algorithm for ETL + .The central part of this approach is the tableau construction.Meanwhile, we also illustrate how to give a linear BMC encoding for it.To justify it, we have implemented the presented algorithm (in ENuSMV 1.2).Experimental results show that ETL + could be more efficiently verified via BMC (in comparison to our previous implementation for ETL + ).
In this paper, verification of ETL  , namely, extended temporal logic using Büchi (alternatively, repeating) automata as connectives, has not been studied.This is partly because of the inherited difficulties of Büchi complementation [27].Indeed, we may mimic the ranking complementing technique of Büchi automata [28][29][30].However, this would cause an asymptotically quadratic blow-up of variable number in building the tableaux.Hence, a further work is about to study the semantic BMC encodings of ETL  .
and in addition, the variable set of C is just the union of the variable sets of C 1 and C 2 .Remark 10.Actually, for an ETL + formula , the symbolic representation of T  can be directly given without the detour of explicit construction of the LTS.Because, the relation sat could be inductively constructed if we introduce corresponding new variables in el().Subsequently, encodings of Φ Δ +  or Φ Δ −  could be naturally obtained from the underlying Boolean variables corresponding to states of automata connectives.Hence, the Boolean representation of Φ   is obtained.And, encodings of other components are as routine.

Table 1 :
Comparative results of BDD-based and BMC approaches.

Table 2 :
Figure 2: The circuit of MOD 2  counter.Comparison of ETL  and ETL + with periodicity properties.