Model Checking for a First-Order Temporal Logic Using Multiway Decision Graphs

description of state machine is a model used for describing hardware designs at the RTL. Using ASMs, a data value can be represented by a single variable of abstract type, rather than by a vector of Boolean variables, and a data operation is represented by an uninterpreted function symbol. The model checking method based on a first-order linear-time temporal logic as developed in this paper allows to verify properties on designs represented by ASMs. Thus, it is necessary to review first the terminology related to ASMs. 2.1. A many-sorted first-order logic As in an ordinary many-sorted first-order logic, the vocabulary consists of sorts, constants, variables and function symbols (or operators). Constants and variables have sorts. We deviate from standard many-sorted firstorder logic by introducing a distinction between concrete (or enumerated) sorts and abstract sorts; the difference is that concrete sorts have enumerations, while abstract sorts do not. The enumeration of a concrete sort α is a set of distinct constants of sort α. We refer to constants occurring in enumerations as individual constants and to other constants as generic constants. The distinction between abstract and concrete sorts leads to a distinction between three kinds of function symbols. Let f be a function symbol of type α1 ×α2 × · · · ×αn → αn+1. If αn+1 is an abstract sort then f is an abstract function symbol. If all the α1, . . . , αn+1 are concrete, f is a concrete function symbol. If αn+1 is concrete while at least one of α1, . . . , αn is abstract, then f is referred to as a crossoperator. Both abstract function symbols and cross-operators may be uninterpreted, or partially interpreted by conditional rewrite rules. The terms and their types (sorts) are defined inductively as follows: a constant or a variable of sort α is a term of type α; and if f is a function symbol of type α1 × α2 × · · · × αn → αn+1, n ≥ 1, and A1, . . . , An are terms of types α1, . . . , αn, then f (A1, . . . , An) is a term of type αn+1. We say that a term, variable or constant is concrete (resp. abstract) to indicate that it is of concrete (resp. abstract) sort. A term is concretely reduced if it only contains: (i) the individual constants; (ii) the abstract generic constants; (iii) the abstract variables; and (iv) the terms of the form f (A1, . . . , An)wheref is a function symbol andA1, . . . , An are concretely reduced terms. Thus, the concretely reduced The Computer Journal, Vol. 47, No. 1, 2004 Model Checking for a First-Order Temporal Logic 73 terms are those that have no concrete subterms other than individual constants. A term of the form f (A1, . . . , An) where f is a cross-operator and A1, . . . , An are concretely reduced terms is called a cross-term. An equation is an expression A1 = A2 where A1 and A2 are terms of same type α. Atomic formulas are the equations, plus T (truth) and F (falsity). Formulas are built from the atomic formulas in the usual way using logical connectives and quantifiers. An interpretation is a mapping ψ that assigns a denotation to each sort, constant and function symbol such that: (i) The denotationψ(α) of an abstract sortα is a non-empty set. (ii) If α is a concrete sort with enumeration {a1, a2, . . . , an} then ψ(α) = {ψ(a1), ψ(a2), . . . , ψ(an)} and ψ(ai) = ψ(aj ) for 1 ≤ i < j ≤ n. (iii) If c is a generic constant of sort α, then ψ(c) ∈ ψ(α). If f is a function symbol of type α1 × · · · × αn → αn+1, then ψ(f ) is a function from the Cartesian product ψ(α1)× · · · × ψ(αn) into the set ψ(αn+1). Let X be a set of variables, a variable assignment with domain X compatible with an interpretation ψ is a function φ that maps every variable x ∈ X of sort α to an element φ(x) of ψ(α). We write ψX for the set of ψ-compatible assignments to the variables in X, ψ , φ |= P if a formula P denotes truth under an interpretation ψ and a ψ-compatible variable assignment φ to the variables that occur free in P , |= P if a formulaP denotes truth under every interpretationψ and every ψ-compatible variable assignment to the variables that occur free in P . 2.2. Directed formulas Given two disjoint sets of variables U and V , a directed formula (DF) of type U → V is a formula in disjunctive normal form (DNF) such that: (i) Each disjunct is a conjunction of equations of the form A = a, where A is a term of concrete sort α of the form ‘f (B1, . . . , Bn)’ (f is thus a cross-operator) that contains no variables other than elements of U , and a is an individual constant in the enumeration of α, or w = a, wherew ∈ (U∪V ) is a variable of concrete sort α and a is an individual constant in the enumeration of α, or v = A, where v ∈ V is a variable of abstract sort α and A is a term of type α containing no variables other than elements of U . (ii) In each disjunct, the left-hand sides (LHSs) of the equations are pairwise distinct. (iii) Every abstract variable v ∈ V appears as the LHS of an equation v = A in each of the disjuncts. (Note that there need not be an equation v = a for every concrete variable v ∈ V .) Intuitively, in a DF of type U → V , the U variables play the role of independent variables, theV variables play the role of dependent variables, and the disjuncts enumerate possible cases. In each disjunct, the equations of the form u = a and A = a specify a case in terms of the U variables, while the other equations specify the values of (some of the)V variables in that case. The cases need not be mutually exclusive, nor exhaustive. A DF is said to be concretely reduced iff every A in an equation A = a is a cross-term, and every A in an equation v = A is a concretely reduced term. It is easy to see that every DF is logically equivalent to a concretely reduced DF, given complete specifications of the concrete function symbols and concrete generic constants; the reduction can be accomplished by case splitting. From now on, by DF we shall mean concretely reduced DF. Let P be a DF of type U → V . For a given interpretation ψ , P can be used to represent the set of vectors SetψV (P ) = {φ ∈ ψV |ψ, φ |= (∃U)P }. In the following sections, DFs are used for two distinct purposes: to represent sets (viz. sets of states as well as sets of input vectors and output vectors) and to represent relations (viz. the transition and output relations). 2.3. Abstract description of state machines An ASM M is a tuple D = (X, Y, Z, FI , FT , FO), where (i) X, Y and Z are sets of variables, viz. the input, state and output variables, respectively. Let η be a one-to-one function that maps each state variable y to a distinct variable η(y) obtained, for example, by adorning y with a prime. The variables in Y ′ = η(Y ) are used as the nextstate variables. X, Y and Z must be disjointed from Y ′. Given an interpretation ψ , an input vector of the state machine M represented by D is a ψ-compatible assignment to the set of input variables X; thus the set of input vectors, or input alphabet, is ψX. Similarly, ψ Z is the set of output vectors. A state is a ψ-compatible assignment to the set of state variables Y ; hence, the state space is ψY . A state φ can also be described by an assignment φ′ =φ ◦η−1 ∈ ψY to the next state variables. A variable in X ∪ Y ∪ Z is called an ASM_variable. (ii) FI is a DF representing the set of initial states, of type U → Y , where U is a set of abstract variables disjoint from X ∪ Y ∪ Y ′ ∪ Z. Typically, FI is a one-disjunct DF representing the set of initial states. Given an interpretation ψ , a state φ ∈ ψY is an initial state iff ψ, φ |= (∃U)FI . Thus the set of initial states is SI = Set(FI ) = {φ ∈ ψY |ψ, φ |= (∃U)FI }. (iii) FT is a DF of type (X ∪ Y ) → Y ′ representing the transition relation. Given an interpretation ψ , an input vector φ ∈ ψX and a state φ′ ∈ ψY , a state φ′′ ∈ ψY is a possible next state iff ψ, φ∪φ′ ∪φ′′ ◦η−1 |= FT . Thus the transition relation of the state machine M represented by D is RT = {(φ, φ′, φ′′) ∈ ψX × ψY × ψY |ψ, φ ∪ φ′ ∪ (φ′′ ◦ η−1) |= FT }. (iv) FO is a DF of type (X ∪ Y ) → Z representing the output relation. The Computer Journal, Vol. 47, No. 1, 2004