2

How can I transform LTL into Automata in PROMELA? I know that with the command SPIN -f "ltl x" it is possible transform the LTL into a never claim, but I want the automata of the LTL and not the negation one. It is correct If I negate the LTL before to generate the never claim. Can anyone help me?

Patrick Trentin
  • 7,126
  • 3
  • 23
  • 40
Georgia
  • 43
  • 3
  • Would [this](http://www.lsv.ens-cachan.fr/~gastin/ltl2ba) be helpful, or you strictly require a solution based on *spin*? – Patrick Trentin Aug 05 '16 at 09:12
  • Actually I would like a way to transform the LTL into a PROMELA Automata. I think this website transform into a never claim. If a put [](q11 -> !q0) for the transformation, the response is the never claim: never { /* G(q11 -> !q0) */ accept_init : /* init */ if :: (!q0) || (!q11) -> goto accept_init fi; } You think that I can use just the code inside the code snippet Never{}? This is the the Automata for the LTL G(q11 -> !q0). I appreciate the help. – Georgia Aug 05 '16 at 11:34
  • yes, the code inside the *never { }* represents the ltl formula / Buchi automaton. – Patrick Trentin Aug 05 '16 at 22:37
  • Thanks a lot Patrick. – Georgia Aug 06 '16 at 12:30
  • Just for the records, this question is linked [this other one](http://stackoverflow.com/questions/33484361/how-to-compare-two-ltls?rq=1) – Patrick Trentin Aug 08 '16 at 13:57

1 Answers1

1

Spin generates the Promela code equivalent to the Buchi Automaton which matches the LTL formula, and envelops it into a never block.

From the docs:

NAME never - declaration of a temporal claim.

SYNTAX never { sequence }

DESCRIPTION A never claim can be used to define system behavior that, for whatever reason, is of special interest. It is most commonly used to specify behavior that should never happen. The claim is defined as a series of propositions, or boolean expressions, on the system state that must become true in the sequence specified for the behavior of interest to be matched.

Therefore, if you want to have a look at the code that matches a given LTL formula, you can simply type:

~$ spin -f "LTL_FORMULA"

e.g.:

~$ spin -f "[] (q1 -> ! q0)" 
never  {    /* [] (q1 -> ! q0) */
accept_init:
T0_init:
    do
    :: (((! ((q0))) || (! ((q1))))) -> goto T0_init
    od;
}

An alternative way for obtaining the same code, plus a graphic representation of the Buchi Automaton, is to follow this link.

Looking at both your comments and this other question of yours, it appears that you want to check whether two LTL formulas p and g contradict each other, that is whether it is definitively the case that a model satisfying p would necessarily violate g and vice-versa.

This could be theoretically done using spin. However, this tool does not simplify the code of the Buchi Automaton and therefore it is difficult to deal with its output.

I would reccomend you to download LTL2BA (at the following link) instead. To set it up, you just need to unpack the tar.gz file and type make in the console.

Let's see a usage example:

~$ ./ltl2ba -f "([] q0) && (<> ! q0)"
never {    /* ([] q0) && (<> ! q0) */
T0_init:
    false;
}

Since [] q0 and <> ! q0 contradict each other, the returned Buchi automaton is empty [n.b.: by empty i mean that it has no accepting execution]. In this context, the code never { false; } is the canonical form of an empty Buchi Automaton without any accepting execution.

Disclaimer: comparing the output with never { false } to decide whether the Buchi Automaton is empty or not, might lead to spurious results if the simplification steps are unable to transform all empty automatons in the canonical form.

Community
  • 1
  • 1
Patrick Trentin
  • 7,126
  • 3
  • 23
  • 40
  • Thanks for all explanation. I want check if a LTL A is contradictory to LTL B. For do this I transform the LTL A into a buchi automata ( this will be my program in PROMELA) and check this program against the LTL B. If some counter-example is show it is because those LTLs are contraditory. – Georgia Aug 07 '16 at 13:57
  • @Georgia wouldn't it be easier if you simply checked whether the **conjunction** of the two *LTL formulas* **is** the **empty** automaton, aka *never { false }*? – Patrick Trentin Aug 07 '16 at 15:56
  • can I do this in the Spin Model Checker? Could you tell me how? At first I do not have the model that these TLs will be validated only have the LTLs. – Georgia Aug 08 '16 at 13:33
  • Thanks. You helped me a lot. You know some article that proves it? I mean, prove that the automata of two contradictory LTLs are empty? – Georgia Aug 10 '16 at 13:30
  • @Georgia I don't recall any particular article stating it, although it's likely the case that if you look for the papers in which *Buchi Automatons* or *Kripke Structures* are defined you might find something. To clarify a bit your starting ideas, I advice you to read [this](http://www.cs.cmu.edu/~emc/15-398/lectures/spin-3.ppt). Notice that when I say *empty* I truly mean that the intersection is *empty* in terms of *accepting executions*, that is *there are no paths that intersect an accepting state infinitely many times*, though there might be some state if no simplification is applied. – Patrick Trentin Aug 10 '16 at 14:07
  • **LTL2BA** applies simplification, and that is the reason why in the example above we obtain a much nicer *never { false }* instead of the code presented by **Spin**, although the two automatons are *"equivalent"* *(n.b. my version of spin requires G instead of [] and F instead of <> to work properly)*. Here the problem is whether or not **LTL2BA** simplification is good enough to simplify all *empty* automatons to their *canonical form*, or not. On this regard, I can not help you. – Patrick Trentin Aug 10 '16 at 14:23
  • Thanks for all explanation Patrick. I will read your reading suggestions, but you already clarify a lot my doubts. – Georgia Aug 16 '16 at 10:50