A Tableau-Based Approach to Model Checking Linear Temporal Properties

Abstract

This paper proposes a tableau-based approach to model checking linear temporal properties to mitigate the state space explosion in model checking. The core idea of the approach is to split an original model checking problem into multiple smaller model checking problems using the tableau method and tackle each smaller one. We prove a theorem to guarantee that the multiple smaller model checking problems are equivalent to the original model checking problem. We use Maude, a high-level specification and programming language based on rewriting logic, to develop a tool called DCA2MC to support our approach. Some case studies are conducted to compare DCA2MC with Maude LTL model checker, Spin, and LTSmin model checkers in terms of running performance and memory usage, showing the power of our proposed approach.

This research was partially supported by JSPS KAKENHI Grant Numbers JP23K28060, JP23K19959, JP24K20757.

The Termination of the Tableau Construction

To show the termination property of the tableau construction, we first define the length of formulas and the set of subformulas of formulas.

Definition 12

The length \(|\varphi |\) of \(\varphi \in \mathcal {L}_\textsf{LTL}\) is defined inductively as follows:

1. 1.

   \(| a | = 1\) for each \(a \in \boldsymbol{A}\);

2. 2.

   \(| \lnot \varphi | = | \varphi | + 1\);

3. 3.

   \(| \varphi _1 \vee \varphi _2 |= | \varphi _1 | + | \varphi _2 | + 1\);

4. 4.

   \(| {\bigcirc } \varphi | = | \varphi | + 1\);

5. 5.

   \(| \varphi _1 \mathrel {\mathcal {U}} \varphi _2 | = | \varphi _1 | + | \varphi _2 | + 1\).

Definition 13

The set \(\textsf{Sub}(\varphi )\) of subformulas of \(\varphi \in \mathcal {L}_\textsf{LTL}\) is defined inductively as follows:

1. 1.

   \(\textsf{Sub}(a) = \{ a \}\) for each \(a \in \boldsymbol{A}\);

2. 2.

   \(\textsf{Sub}(\lnot \varphi ) = \{ \lnot \varphi \} \cup \textsf{Sub}(\varphi )\);

3. 3.

   \(\textsf{Sub}(\varphi _1 \vee \varphi _2) = \{ \varphi _1 \vee \varphi _2 \} \cup \textsf{Sub}(\varphi _1) \cup \textsf{Sub}(\varphi _2)\);

4. 4.

   \(\textsf{Sub}(\bigcirc \varphi ) = \{ \bigcirc \varphi \} \cup \textsf{Sub}(\varphi )\);

5. 5.

   \(\textsf{Sub}(\varphi _1 \mathrel {\mathcal {U}} \varphi _2) = \{ \varphi _1 \mathrel {\mathcal {U}} \varphi _2 \} \cup \textsf{Sub}(\varphi _1) \cup \textsf{Sub}(\varphi _2)\).

We define some sets of formulas as follows:

• \(\textsf{Sub}_{\lnot }(\varphi ) \triangleq \{ \lnot \psi \mid \psi \in \textsf{Sub}(\varphi ) \}\) is the negations of \(\textsf{Sub}(\varphi )\),

• \(\textsf{Sub}_{\bigcirc }(\varphi ) \triangleq \{ \bigcirc \psi \mid \psi \in \textsf{Sub}(\varphi ) \cup \textsf{Sub}_{\lnot }(\varphi ) \}\) is the formulas of \(\textsf{Sub}(\varphi ) \cup \textsf{Sub}_{\lnot }(\varphi )\) preceded by \(\bigcirc \),

• \(\mathcal {F}(\varphi ) \triangleq \textsf{Sub}(\varphi ) \cup \textsf{Sub}_{\lnot }(\varphi ) \cup \textsf{Sub}_{\bigcirc }(\varphi )\).

We then prove the relation between the size of \(\mathcal {F}(\varphi )\) and the length of \(\varphi \).

Lemma 10

\(| \mathcal {F}(\varphi ) | \le 4 \times | \varphi |\).

Proof

We prove it by structural induction on \(\varphi \) as follows:

• Base Case \(\varphi = a \in \boldsymbol{A}\). Because

  $$ \mathcal {F}(a) = \{a, \lnot a, \bigcirc a, {\bigcirc } \lnot a \} \text { and } | a | = 1, $$

  we have \(| \mathcal {F}(a) | = 4 \le 4 \times | a |\).

• Induction Step

  • Case I1 \(\varphi = \lnot \varphi _1\). We observe that

    $$\begin{aligned} \textsf{Sub}_{\lnot }(\lnot \varphi _1)&=\{ \lnot \psi \mid \psi \in \textsf{Sub}(\lnot \varphi _1) \} \\ &=\{ \lnot \psi \mid \psi \in \textsf{Sub}(\varphi _1) \} \cup \{\lnot \lnot \varphi _1\} \\ &=\textsf{Sub}_{\lnot }(\varphi _1) \cup \{\lnot \lnot \varphi _1\}, \\ \textsf{Sub}_{\bigcirc }(\lnot \varphi _1)&=\{ \bigcirc \psi \mid \psi \in \textsf{Sub}(\lnot \varphi _1) \cup \textsf{Sub}_{\lnot }(\lnot \varphi _1) \} \\ &=\{ \bigcirc \psi \mid \psi \in \textsf{Sub}(\varphi _1) \cup \textsf{Sub}_{\lnot }(\varphi _1) \} \cup \{\bigcirc \lnot \varphi _1\}\cup \{\bigcirc \lnot \lnot \varphi _1\} \\ &=\textsf{Sub}_{\bigcirc }(\varphi _1)\cup \{\bigcirc \lnot \varphi _1\}\cup \{\bigcirc \lnot \lnot \varphi _1\}. \end{aligned}$$

    Thus,

    $$\begin{aligned} \mathcal {F}(\lnot \varphi _1)&=\textsf{Sub}(\lnot \varphi _1) \cup \textsf{Sub}_{\lnot }(\lnot \varphi _1) \cup \textsf{Sub}_{\bigcirc }(\lnot \varphi _1) \\ &=\{\lnot \varphi _1\}\cup \textsf{Sub}(\varphi _1)\cup \textsf{Sub}_{\lnot }(\varphi _1) \\ &\cup \{\lnot \lnot \varphi _1\}\cup \textsf{Sub}_{\bigcirc }(\varphi _1)\cup \{\bigcirc \lnot \varphi _1\}\cup \{\bigcirc \lnot \lnot \varphi _1\} \\ &=\mathcal {F}(\varphi _1)\cup \{\lnot \varphi _1,\lnot \lnot \varphi _1,\bigcirc \lnot \varphi _1,\bigcirc \lnot \lnot \varphi _1\}. \end{aligned}$$

    By the induction hypothesis, \(|\mathcal {F}(\varphi _1)|\le 4\times |\varphi _1|\). Hence,

    $$ |\mathcal {F}(\lnot \varphi _1)|=|\mathcal {F}(\varphi _1)|+4\le 4\times |\varphi _1|+4=4\times (|\varphi _1|+1)=4\times |\lnot \varphi _1|. $$

  • Case I2 \(\varphi = \varphi _1 \vee \varphi _2\). We observe that

    $$\begin{aligned} \textsf{Sub}_{\lnot }(\varphi _1 \vee \varphi _2)&=\{ \lnot \psi \mid \psi \in \textsf{Sub}(\varphi _1 \vee \varphi _2) \} \\ &=\{ \lnot \psi \mid \psi \in \textsf{Sub}(\varphi _1) \cup \textsf{Sub}(\varphi _2) \} \cup \{\lnot (\varphi _1\vee \varphi _2)\} \\ &=\{ \lnot \psi \mid \psi \in \textsf{Sub}(\varphi _1) \} \cup \{ \lnot \psi \mid \psi \in \textsf{Sub}(\varphi _2) \} \cup \{\lnot (\varphi _1\vee \varphi _2)\} \\ &=\textsf{Sub}_\lnot (\varphi _1) \cup \textsf{Sub}_\lnot (\varphi _2) \cup \{\lnot (\varphi _1\vee \varphi _2)\}, \\ \textsf{Sub}_{\bigcirc }(\varphi _1 \vee \varphi _2)&=\{ \bigcirc \psi \mid \psi \in \textsf{Sub}(\varphi _1 \vee \varphi _2) \cup \textsf{Sub}_{\lnot }(\varphi _1 \vee \varphi _2) \} \\ &=\{ \bigcirc \psi \mid \psi \in \textsf{Sub}(\varphi _1) \cup \textsf{Sub}(\varphi _2) \cup \textsf{Sub}_{\lnot }(\varphi _1) \cup \textsf{Sub}_\lnot (\varphi _2)\} \\ &\cup \{\bigcirc (\varphi _1\vee \varphi _2)\}\cup \{\bigcirc \lnot (\varphi _1\vee \varphi _2)\} \\ &=\{ \bigcirc \psi \mid \psi \in \textsf{Sub}(\varphi _1) \cup \textsf{Sub}_\lnot (\varphi _1) \} \\ &\cup \{ \bigcirc \psi \mid \psi \in \textsf{Sub}(\varphi _2) \cup \textsf{Sub}_\lnot (\varphi _2)\} \\ &\cup \{\bigcirc (\varphi _1\vee \varphi _2)\}\cup \{\bigcirc \lnot (\varphi _1\vee \varphi _2)\} \\ &=\textsf{Sub}_\bigcirc (\varphi _1)\cup \textsf{Sub}_\bigcirc (\varphi _2)\cup \{\bigcirc (\varphi _1\vee \varphi _2)\}\cup \{\bigcirc \lnot (\varphi _1\vee \varphi _2)\}. \end{aligned}$$

    Thus,

    $$\begin{aligned} \mathcal {F}(\varphi _1 \vee \varphi _2) &= \textsf{Sub}(\varphi _1 \vee \varphi _2) \cup \textsf{Sub}_{\lnot }(\varphi _1 \vee \varphi _2) \cup \textsf{Sub}_{\bigcirc }(\varphi _1 \vee \varphi _2) \\ &=\{\varphi _1\vee \varphi _2\}\cup \textsf{Sub}(\varphi _1)\cup \textsf{Sub}(\varphi _2) \\ &\cup \textsf{Sub}_\lnot (\varphi _1) \cup \textsf{Sub}_\lnot (\varphi _2) \cup \{\lnot (\varphi _1\vee \varphi _2)\} \\ &\cup \textsf{Sub}_\bigcirc (\varphi _1)\cup \textsf{Sub}_\bigcirc (\varphi _2)\cup \{\bigcirc (\varphi _1\vee \varphi _2)\}\cup \{\bigcirc \lnot (\varphi _1\vee \varphi _2)\} \\ &=\mathcal {F}(\varphi _1)\cup \mathcal {F}(\varphi _2)\cup \{\varphi _1\vee \varphi _2,\lnot (\varphi _1\vee \varphi _2),\bigcirc (\varphi _1\vee \varphi _2),\bigcirc \lnot (\varphi _1\vee \varphi _2)\}. \end{aligned}$$

    By the induction hypothesis, \(|\mathcal {F}(\varphi _1)|\le 4\times |\varphi _1|\) and \(|\mathcal {F}(\varphi _2)|\le 4\times |\varphi _2|\). Hence,

    $$ |\mathcal {F}(\varphi _1\vee \varphi _2)|=|\mathcal {F}(\varphi _1)|+|\mathcal {F}(\varphi _2)|+4\le 4\times (|\varphi _1|+|\varphi _2|+1)=4\times |\varphi _1\vee \varphi _2|. $$

  • Case I3 \(\varphi = \bigcirc \varphi _1\). The proof is similar to Case I1.

  • Case I4 \(\varphi = \varphi _1 \mathrel {\mathcal {U}} \varphi _2\). The proof is similar to Case I2.    \(\square \)

Let \(\mathcal {T}\) be the tableau of \(\varphi \) constructed based on Algorithm 1 with the tableau rules. It is apparent that the formulas labeling the nodes of \(\mathcal {T}\) are subformulas or negations of subformulas of \(\varphi \) or such formulas preceded by \(\bigcirc \), that is \(\mathcal {F}(\varphi )\). Therefore, the number of nodes of \(\mathcal {T}\) is at most equal to the number of subsets of \(\mathcal {F}(\varphi )\), that is \(2^{|\mathcal {F}(\varphi )|} \le 2^{4 \times | \varphi |}\) regarding Lemma 10. Because \(| \varphi |\) is finite and previously created nodes are used instead of creating new ones in \(\mathcal {T}\), the construction of \(\mathcal {T}\) for any LTL formula \(\varphi \) terminates.