
How can I compare two LTL formulas to see if one can contradict the other? I ask this because I have a hierarchical state machine and LTL formulas describing the behavior in each state. I need to know if a local LTL formula can contradict a global LTL formula. I saw in the article 'Feature Specification and Automated Conflict Detection' that two LTL properties f and g are inconsistent iff L(f) ∩ L(g) is empty, and that this is exactly the model checking question with f as the program and ¬g as the property. Can anyone help me with this? How can I transform an LTL formula f into a program in SPIN/Promela?

Thanks.

Georgia

1 Answer

The following works for me. (Warning: I've not seen this in official documentation. This could mean that there are other, better ways to do this. Or that I didn't look hard enough.)

We want to check whether [] <> p && [] <> q implies <> (p && q). (It does not.)

Write a trivial process P that can do all transitions, and write the claim as an LTL property A.

/* the two propositions the claims talk about */
bool p; bool q;

/* P can choose any valuation of p and q at every step, so it generates
   every infinite sequence of valuations; the claim then decides the rest */
active proctype P () {
  do :: d_step { p = false; q = false } 
     :: d_step { p = false; q = true }  
     :: d_step { p = true; q = false } 
     :: d_step { p = true; q = true }  
  od
}

/* the property to verify: pan looks for a run of P that violates it */
ltl A { (([] <> p) && ([] <> q)) -> <> (p && q) }

(EDIT 1-Nov-2016: this may be incorrect because we might be missing some transitions because of a hidden initial state, see how to make a non-initialised variable in Spin? )

Then put this in a file check.pml, and

spin -a check.pml
cc     pan.c   -o pan
./pan -a -n
./pan -r check.pml.trail -v

shows a model of the negation of the claim (an ultimately periodic trail where p and q are each true infinitely often, but p && q never is).

Double-check: change the conclusion in the claim to <> (p || q); then there is no counter-example, proving that the implication is valid.

In your case, the claim is ! (f && g) (they should never be true at the same time).

There probably is some clever way to make the code for the trivial process smaller.

Also, the third command is actually ./pan -a -i -n (the -i to find a shortest example) but it gives a warning. And it does find a shorter cycle.

d8d0d65b3f7cf42
  • Thanks a lot for the help. I tested with the claim ([] (p && q)) && (<> !(p)), where f is [] (p && q) and g is <> !(p). For me these two LTL formulas are contradictory because !p will contradict [] p. When I tested, SPIN showed me the message: "Error: assertion violated spin: text of failed assertion: assert(!(!((p&&q))))" and did not show me a counter-example. Am I doing something wrong? – Georgia Nov 09 '15 at 12:37
  • Are you running this from the command line (as I wrote) or in ispin or some other GUI? – d8d0d65b3f7cf42 Nov 09 '15 at 16:27
  • You want to show that your `f` and `g` are contradictory, that is, `f && g` is false for ALL runs of the system. Then you should specify `ltl { ! (f && g) }` and you have proved it if spin finds NO counterexample. – d8d0d65b3f7cf42 Nov 10 '15 at 09:59
  • So, if I want to prove that there is NO contradiction between f and g, then ltl { ! (f && g) } will always show me a counterexample? (I'm sorry, I do not have much knowledge of that subject.) – Georgia Nov 10 '15 at 11:59
  • Yes. - "I do not have much knowledge" - then why are you doing this? Is it some kind of homework/assignment? Then talk to the person who assigned it, as they can relate it to your syllabus, etc. – d8d0d65b3f7cf42 Nov 10 '15 at 14:55
  • I need to do this. It is a small part of my Masters. Thanks for all help. – Georgia Nov 10 '15 at 23:52
  • @d8d0d65b3f7cf42 I can't see how the initialisation part affects your model, could you clarify it? – Patrick Trentin Nov 02 '16 at 11:06
  • 1
    I want a system (specified by the Promela program) that realizes the trace language `{ {p=0,q=0},{p=0,q=1},{p=1,q=0},{p=1,q=1} }^omega`, that is, all omega words over the given alphabet (assignments of p and q). With the initialisation, the trace language is `{p=0,q=0} { {p=0,q=0},{p=0,q=1},{p=1,q=0},{p=1,q=1} }^omega`, that is, all words starting with `{p=0,q=0}`. Equivalence on this language may differ from equivalence on the full language. – d8d0d65b3f7cf42 Nov 03 '16 at 09:35
  • @d8d0d65b3f7cf42 Yes, of course in general I agree with you, but on this specific example it shouldn't make any difference as far as I understand. So I would rephrase the *"this may be incorrect"* part, because it sounds like your specific example might be incorrect, instead of the general case. As for checking the existence of a *"contradiction"* among LTL formulas, I proposed this [other approach](https://stackoverflow.com/questions/38780330/how-to-transform-ltl-into-automato-in-promela-spin/38806665#38806665), which dodges the model checking part entirely. – Patrick Trentin Nov 04 '16 at 09:16
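The recipe from the answer applied to the asker's own pair f = [] (p && q), g = <> !p, as an added example that is not part of the original answer or comments. It keeps the answer's universal process and adds two named ltl claims of the form ! (f && g): one for the asker's pair, and a control pair f' = [] <> p, g' = <> !p that is satisfiable together, so the reader can see both outcomes. The claim names `fg` and `control`, the file name `check.pml` and the choice of control pair are assumptions of this example; the commands use pan's `-N` option to pick one named claim per run.

```promela
/* Added example: consistency check for two LTL formulas in Spin.
 * The process P is the answer's universal process; the ltl claims
 * are this example's own (names `fg` and `control` are assumed). */
bool p; bool q;

/* P picks an arbitrary valuation of p and q at every step, so it
 * generates every infinite sequence of valuations. As the answer's
 * EDIT notes, the initial state p == q == false is still visible to
 * the claim before the first d_step; a conjunction whose every model
 * would have to start with p or q true could be missed because of it. */
active proctype P () {
  do :: d_step { p = false; q = false }
     :: d_step { p = false; q = true  }
     :: d_step { p = true;  q = false }
     :: d_step { p = true;  q = true  }
  od
}

/* Asker's pair: f = [] (p && q), g = <> !p.
 * No run satisfies both (f forces p forever, g needs !p once), so pan
 * finds NO counterexample for ! (f && g): the two formulas contradict. */
ltl fg { !( ([] (p && q)) && (<> !p) ) }

/* Control pair: f' = [] <> p, g' = <> !p. A run where p toggles
 * satisfies both, so pan DOES find a lasso-shaped trail violating
 * ! (f' && g'): the two formulas are consistent. */
ltl control { !( ([] <> p) && (<> !p) ) }

/* Usage (shell), one claim per pan run:
 *   spin -a check.pml        # warns that several ltl claims exist
 *   cc pan.c -o pan
 *   ./pan -a -N fg           # expect "errors: 0"  -> f and g contradict
 *   ./pan -a -N control      # expect "errors: 1" -> f' and g' are consistent
 *   ./pan -r check.pml.trail -N control -v   # replay the control trail
 */
```

Reading the result: "no counterexample" for ! (f && g) means f && g holds on no run of the universal process, i.e. L(f) ∩ L(g) is empty and the local and global properties are in conflict; a trail means Spin has produced one concrete infinite behaviour on which both hold, which is a witness that they are compatible.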