-- An example showing how LTL model checking works
-- Paul Jackson
-- 12 Nov 2012

-- As explained in lecture, the strategy for checking whether an LTL
-- formula phi is satisfied by a model M is:
--
-- 1. Construct an automaton A_{!phi} for !phi which takes as input
--    infinite paths of states of M and accepts just those paths which
--    satisfy !phi.
--
-- 2. Compose A_{!phi} and M and ask whether the language of the composition
--    is empty.
--
-- 3. If the language is empty, then we know that phi is satisfied by
--    M. If not and we exhibit an accepting path, then that path is a
--    counter-example to phi: it is a path in M and it also satisfies
--    !phi.

-- Here is an example model M with 2 alternative definitions of a
-- state property p.
MODULE model
  VAR
    st : 0..2;
  ASSIGN
    init(st) := 0;
    next(st) :=
      case
        st = 0 : {1,2};
        st = 1 : 1;
        st = 2 : 2;
      esac;
  DEFINE
    -- p := st = 0 | st = 1;
    p := TRUE;

-- Say we want to check phi =def G p.
-- !phi is ! G p = F ! p.
--
-- We construct below a 2 state automaton for F ! p.
-- The automaton loops in state 0 if p is always true on the input path.
-- If ever !p is true on the path, it transitions to state 1 and
-- then loops forever more in state 1.
--
-- We set the acceptance condition to be that a path is accepted iff
-- st = 1 occurs infinitely often.
MODULE formula(sys)
  VAR
    st : {0, 1};
  ASSIGN
    init(st) := 0;
    next(st) :=
      case
        st = 0 & sys.p  : 0;
        st = 0 & !sys.p : 1;
        st = 1          : 1;
      esac;

  -- LTL expression of acceptance condition:
  -- Specification is true just when there are no accepting paths
  LTLSPEC ! G F st = 1;

  -- Fair CTL expression of acceptance condition:
  -- Specification is true just when there are no accepting paths
  -- FAIRNESS st = 1;
  -- CTLSPEC FALSE;

-- Composition of model with automaton for !phi.
-- The acceptance condition for a run in this composition is just
-- the acceptance condition for a run of the automaton f.
MODULE main
  VAR
    m : model;
    f : formula(m);
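
-- Added example, not part of the original file: steps 2 and 3 of the
-- strategy above carried out by explicit search in Python for this model
-- and automaton, under both definitions of p. The names successors, reach,
-- trace and accepting_lasso are assumptions of this sketch, not NuSMV
-- functions; NuSMV itself checks the specification symbolically.

```python
from collections import deque

# Model M from the page: st in 0..2, init 0, 0 -> {1,2}, 1 -> 1, 2 -> 2.
M_INIT = [0]
M_NEXT = {0: [1, 2], 1: [1], 2: [2]}
P_TRUE = lambda st: True              # p := TRUE
P_01 = lambda st: st in (0, 1)        # p := st = 0 | st = 1

def successors(state, p):
    """Synchronous step of M x A_{!phi}; a state is (model st, automaton st)."""
    m, a = state
    # Automaton for F !p: stay in 0 while p holds, go to 1 on !p, then stay in 1.
    a2 = 1 if a == 1 or not p(m) else 0
    return [(m2, a2) for m2 in M_NEXT[m]]

def reach(starts, p):
    """BFS over the product; maps each reachable state to its BFS predecessor."""
    parent = {s: None for s in starts}
    queue = deque(parent)
    while queue:
        s = queue.popleft()
        for t in successors(s, p):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return parent

def trace(parent, s):
    """Path from a BFS start state to s, following predecessor links."""
    path = []
    while s is not None:
        path.append(s)
        s = parent[s]
    return path[::-1]

def accepting_lasso(p):
    """(stem, cycle) of an accepting path, or None if the language is empty."""
    from_init = reach([(m, 0) for m in M_INIT], p)
    for s in sorted(from_init):
        if s[1] == 1:                      # st = 1 must recur infinitely often
            back = reach(successors(s, p), p)
            if s in back:                  # s lies on a cycle through itself
                return trace(from_init, s), trace(back, s)
    return None

if __name__ == "__main__":
    print(accepting_lasso(P_TRUE))   # None: language empty, so G p holds
    print(accepting_lasso(P_01))     # stem and cycle of a counter-example
```

-- In the returned pair, the stem followed by the cycle repeated forever is
-- the accepting path; its first components give the path of M that violates G p.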