
Principles of Model Checking

Solutions to exercise class 1


Transition systems & linear-time properties

Prof. Dr. Joost-Pieter Katoen, Dr. Taolue Chen, and Ir. Mark Timmer
September 14, 2012

Problem 1
1. Express the following informally-stated properties as LT-properties:
   - An account with positive balance is opened.
     $P = \mathcal{L}\big(( + \{ab > 100\})\,(2^{AP})^\omega\big)$
   - The balance of an account is negative only finitely many times.
     $P = \mathcal{L}\big((2^{AP})^*\,(\{ab = 0\} + + \{ab > 100\})^\omega\big)$
   - The balance of an account switches at least once from debit to credit.
     $P = \mathcal{L}\big((2^{AP})^*\,\{ab < 0\}\,(\{ab = 0\} + + \{ab > 100\})\,(2^{AP})^\omega\big)$
   - Eventually, an account remains with more than € 100 credit.
     $P = \mathcal{L}\big((2^{AP})^*\,\{ab > 100\}^\omega\big)$
   - false and true.
     $P_{\mathit{false}} = \emptyset$ and $P_{\mathit{true}} = \mathcal{L}\big((2^{AP})^\omega\big)$

2. Determine for each LT-property whether it is a safety property or a liveness property. Justify your answer!
   - An account with positive balance is opened.
     This is a safety property, since every trace that is not in $P$ has a finite bad prefix: either $\{ab < 0\}$ or $\{ab = 0\}$.
   - The balance of an account is negative only finitely many times.
     This is a liveness property, since any finite trace can be extended to satisfy $P$ (for instance, by suffixing $\{ab > 100\}^\omega$).
   - The balance of an account switches at least once from debit to credit.
     This is a liveness property, since any finite trace can be extended to satisfy $P$ (for instance, by suffixing the infinite trace $\{ab < 0\}\{ab > 100\}^\omega$).
   - Eventually, an account remains with more than € 100 credit.
     This is a liveness property, since any finite trace can be extended with $\{ab > 100\}^\omega$ to satisfy $P$.
   - false and true.
     $P_{\mathit{false}}$ is a safety property. Every trace is erroneous, so all finite prefixes are bad prefixes.
     $P_{\mathit{true}}$ is a safety and a liveness property. The fact that it is a safety property is trivially true since there are no bad traces. The fact that it is a liveness property is immediate from the fact that every finite trace can be extended with any infinite trace to satisfy $P_{\mathit{true}}$.
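The safety/liveness distinction used in the justifications above can be exercised mechanically on ultimately periodic traces. The following Python script is an added example and not part of the exercise sheet: it models a trace as a word prefix·loop^ω of integer balances, decides the four account properties on such words, and contrasts the safety property (a bad prefix that no continuation repairs) with the liveness properties (a continuation that can always be found). The balance encoding, the candidate loops and all function names are assumptions made for the example; in particular it treats every balance above 0 as "positive", because the exercise's third atomic proposition did not survive extraction.

```python
"""Safety versus liveness for the account-balance properties of Problem 1.

Added illustration, not part of the exercise sheet.  A trace is modelled as
an ultimately periodic word  prefix . loop^omega  whose letters are integer
balances; the atomic propositions ab<0, ab=0 and ab>100 are evaluated on a
letter.  Treating every balance > 0 as 'positive' is an assumption made here,
because the exercise's remaining atomic proposition was lost in extraction.
"""
from typing import Callable, List, Optional

Prop = Callable[[List[int], List[int]], bool]


# --- the LT-properties of Problem 1, decided on prefix . loop^omega --------

def opened_positive(prefix: List[int], loop: List[int]) -> bool:
    """An account with positive balance is opened: the first balance is > 0."""
    return (prefix + loop)[0] > 0


def negative_finitely_often(prefix: List[int], loop: List[int]) -> bool:
    """ab < 0 holds only finitely often: no negative balance recurs in the loop."""
    return all(b >= 0 for b in loop)


def switches_debit_to_credit(prefix: List[int], loop: List[int]) -> bool:
    """Some position k has ab < 0 and position k+1 has ab >= 0.  Unrolling the
    loop once exposes every adjacent pair, including the wrap-around pair."""
    w = prefix + loop + loop
    return any(w[i] < 0 <= w[i + 1] for i in range(len(w) - 1))


def eventually_always_credit(prefix: List[int], loop: List[int]) -> bool:
    """Eventually ab > 100 forever: every balance in the loop exceeds 100."""
    return all(b > 100 for b in loop)


# --- bad prefixes (safety) versus extensions (liveness) -------------------

def bad_prefix_for_opened_positive(prefix: List[int]) -> Optional[List[int]]:
    """Return the shortest bad prefix of the safety property contained in
    `prefix`, or None.  As soon as the first balance is <= 0 (ab < 0 or
    ab = 0 in the exercise's terms) no continuation can repair the trace."""
    if prefix and prefix[0] <= 0:
        return prefix[:1]
    return None


# Constructed candidate continuations.  Each liveness property above is
# satisfied by some continuation of *every* finite prefix; these few loops
# are enough to witness that for each of them.
CANDIDATE_LOOPS = [[150], [-5, 150], [0]]


def extend(prop: Prop, prefix: List[int]) -> Optional[List[int]]:
    """Search the candidate loops for one that makes prefix . loop^omega
    satisfy `prop`.  For the liveness properties some candidate always works;
    for the safety property the search fails exactly on the bad prefixes."""
    for loop in CANDIDATE_LOOPS:
        if prop(prefix, loop):
            return loop
    return None


if __name__ == "__main__":
    # constructed finite history: opened at zero, then overdrawn, then credit
    history = [0, -20, 150]
    print("bad prefix:", bad_prefix_for_opened_positive(history))   # [0]
    print("rescue P1:", extend(opened_positive, history))            # None
    print("rescue P2:", extend(negative_finitely_often, history))    # [150]
    print("rescue P3:", extend(switches_debit_to_credit, history))   # [150]
    print("rescue P4:", extend(eventually_always_credit, history))   # [150]
```

Because an ultimately periodic trace is finitely described, "infinitely often" and "eventually forever" reduce to questions about the loop, while "at some point" only needs one unrolling of the loop after the prefix; this is why each property is decided by a single pass over at most two copies of the loop.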

Problem 2
We consider the following transition system $TS$:

[Figure: transition system $TS$ with states $s_0$ (labelled $\{a\}$), $s_1$ (labelled $\{b\}$), $s_2$ (labelled $\{a, b\}$), $s_3$ (no label) and $s_4$ (labelled $\{a, b\}$); the transitions and their action names are not recoverable from the extracted text.]

Let $P$ be the set of traces of the form $\sigma = A_0 A_1 A_2 \ldots \in (2^{AP})^\omega$ such that

$\overset{\infty}{\exists} k.\ A_k = \{a, b\}$ (that is, $A_k = \{a, b\}$ for infinitely many $k$)

and

$\exists n \geq 0.\ \forall k > n.\ a \in A_k \rightarrow b \in A_{k+1}$.

For the following fairness assumptions $\mathcal{F}_i$ with respect to the transition system $TS$, we decide whether or not $TS \models_{\mathcal{F}_i} P$. First of all, notice that $TS \models_{\mathcal{F}_i} P$ if and only if $\mathit{FairTraces}_{\mathcal{F}_i}(TS) \subseteq P$. Because of $\overset{\infty}{\exists} k.\ A_k = \{a, b\}$, each trace has to visit at least one of $s_2$ or $s_4$ infinitely many times. Additionally, from some point onwards, each $a$-state must be followed by a state that is labelled with (at least) $b$.

1. $\mathcal{F}_1 =$ {} , {}, {, }, {} , .

   It holds that $TS \models_{\mathcal{F}_1} P$. To see why, notice that:
   - Any trace that reaches $s_4$ is not $\mathcal{F}_1$-fair. After all, for such traces  is executed only finitely many times. This is in contradiction with the unconditional fairness assumption {}. Hence, the transition $s_3 \to s_4$ is never taken.
   - Because of the strong fairness assumption {}, the action  must be executed infinitely often if it is enabled infinitely often. Since it clearly cannot be executed infinitely often, it is not allowed to be enabled infinitely often. Hence, the state $s_3$ (in which it is enabled) cannot be visited infinitely often. From now on we only consider what happens after $s_3$ was visited for the last time.
   - We cannot stay forever in states $s_1$ or $s_2$ by only taking their -transitions, because of the enabled transitions to $s_0$ and $s_1$, respectively. Due to the strong fairness assumption {, }, these -transitions must be taken at some point. Hence, every time $s_2$ is visited, at some point we move to $s_1$, and every time $s_1$ is visited, at some point we move to $s_0$.
   - As  is enabled in $s_0$, the strong fairness assumption {} requires that if $s_0$ is visited infinitely often, then so is $s_2$.
   Hence, all $\mathcal{F}_1$-fair paths visit exactly $s_0$, $s_1$ and $s_2$ infinitely often. It is easy to see that the traces of such paths satisfy the property $P$. Therefore $\mathit{FairTraces}_{\mathcal{F}_1}(TS) \subseteq P$ and thus $TS \models_{\mathcal{F}_1} P$.




2. $\mathcal{F}_2 =$ {} , {}, {} , {} .
   We find $TS \not\models_{\mathcal{F}_2} P$. To see why, consider the path $\pi = (s_0\, s_2\, s_3\, s_1)^\omega$ with its corresponding trace $\sigma = (\{a\}\{a, b\}\,\emptyset\,\{b\})^\omega$. All fairness assumptions are fulfilled:  is executed infinitely often, and so are  and . The action  is never continuously enabled, so the weak fairness assumption {} does not forbid the path. Hence, $\pi \in \mathit{FairPaths}_{\mathcal{F}_2}(TS)$, but $\sigma \notin P$: the $a$-state $s_2$ is followed by $s_3$, which is not labelled with $b$, and this happens infinitely often. Therefore, we find $\mathit{FairTraces}_{\mathcal{F}_2}(TS) \not\subseteq P$ and correspondingly $TS \not\models_{\mathcal{F}_2} P$.
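Both cases of Problem 2 come down to deciding the property $P$ on an ultimately periodic trace, which the following Python script does. It is an added example and not part of the exercise sheet: a trace is given as a lasso prefix·loop^ω of sets of atomic propositions, `infinitely_often` and `eventually_always_pairs` are generic helpers for the two quantifier patterns of $P$ on such traces, and the two constructed traces correspond to a path of the kind the $\mathcal{F}_1$ argument describes (visiting $s_0$, $s_2$, $s_1$ forever) and to the $\mathcal{F}_2$ counterexample path. The function names, the `letter` shorthand and the concrete traces are assumptions made for the example.

```python
"""Deciding the property P of Problem 2 on an ultimately periodic trace.

Added illustration, not part of the exercise sheet.  A trace is given as a
lasso  prefix . loop^omega  whose letters are sets of atomic propositions.
On such a trace 'infinitely often' and 'eventually always' depend only on
the loop, which the two generic helpers below exploit; satisfies_P then
combines them into the two conjuncts of P.
"""
from typing import Callable, FrozenSet, List, Optional, Tuple

Letter = FrozenSet[str]


def letter(*props: str) -> Letter:
    """Constructed shorthand: letter('a', 'b') is {a, b}, letter() is the empty set."""
    return frozenset(props)


def infinitely_often(pred: Callable[[Letter], bool],
                     prefix: List[Letter], loop: List[Letter]) -> bool:
    """Exists-infinitely-many k. pred(A_k).  The prefix is traversed once,
    so only a loop position can make pred hold infinitely often."""
    return any(pred(A) for A in loop)


def eventually_always_pairs(pred: Callable[[Letter, Letter], bool],
                            prefix: List[Letter], loop: List[Letter]) -> bool:
    """Exists n. forall k > n. pred(A_k, A_{k+1}).  The adjacent pairs that
    recur forever are exactly the pairs of consecutive loop letters, including
    the wrap-around pair (last letter, first letter); all of them must pass."""
    pairs = zip(loop, loop[1:] + loop[:1])
    return all(pred(A, B) for A, B in pairs)


def a_then_b(A: Letter, B: Letter) -> bool:
    """The second conjunct of P for one step: a in A_k implies b in A_{k+1}."""
    return "a" not in A or "b" in B


def satisfies_P(prefix: List[Letter], loop: List[Letter]) -> bool:
    """P: {a, b} occurs infinitely often, and from some point on every
    a-state is immediately followed by a state labelled with b."""
    if not loop:
        raise ValueError("the loop of a lasso must be non-empty")
    return (infinitely_often(lambda A: A == letter("a", "b"), prefix, loop)
            and eventually_always_pairs(a_then_b, prefix, loop))


def first_violation(prefix: List[Letter],
                    loop: List[Letter]) -> Optional[Tuple[Letter, Letter]]:
    """Diagnostic: the first recurring adjacent pair that breaks a_then_b, or None."""
    for A, B in zip(loop, loop[1:] + loop[:1]):
        if not a_then_b(A, B):
            return (A, B)
    return None


# Constructed traces for the two cases discussed for TS (s3 carries no label,
# so its letter is the empty set).
FAIR_F1_TRACE = ([], [letter("a"), letter("a", "b"), letter("b")])              # s0 s2 s1 repeated
F2_COUNTEREXAMPLE = ([], [letter("a"), letter("a", "b"), letter(), letter("b")])  # s0 s2 s3 s1 repeated

if __name__ == "__main__":
    print(satisfies_P(*FAIR_F1_TRACE))          # True
    print(satisfies_P(*F2_COUNTEREXAMPLE))      # False
    print(first_violation(*F2_COUNTEREXAMPLE))  # (frozenset({'a', 'b'}), frozenset())
```

Note that the prefix never influences either conjunct: a finite prefix can neither make $\{a, b\}$ recur infinitely often nor violate "from some point onwards". The fairness side of the problem (which paths of $TS$ are $\mathcal{F}_i$-fair) is not modelled here, since the action names of $TS$ are not available on this page.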

Problem 3
- Let $P$ and $P'$ be liveness properties over $AP$. Then $P \cup P'$ is guaranteed to be a liveness property too.
  Since $P$ is a liveness property, by definition $\mathit{pref}(P) = (2^{AP})^*$. Since $\mathit{pref}(Q) \subseteq (2^{AP})^*$ for every LT-property $Q$, and clearly $\mathit{pref}(P_1 \cup P_2) \supseteq \mathit{pref}(P_1)$ for all LT-properties $P_1, P_2$, we find $(2^{AP})^* = \mathit{pref}(P) \subseteq \mathit{pref}(P \cup P')$ as well as $\mathit{pref}(P \cup P') \subseteq (2^{AP})^*$. Therefore, $\mathit{pref}(P \cup P') = (2^{AP})^*$ and $P \cup P'$ is a liveness property.
  Note that we did not need the fact that $P'$ is a liveness property.
- $P \cap P'$ is not guaranteed to be a liveness property too.
  Let $P = \mathcal{L}\big((2^{AP})^*\,\{a\}^\omega\big)$ and $P' = \mathcal{L}\big((2^{AP})^*\,\{b\}^\omega\big)$.
  Clearly, both are liveness properties, since any finite trace can be extended to a valid trace. However, $P \cap P' = \emptyset$, which is not a liveness property as $\mathit{pref}(\emptyset) = \emptyset \neq (2^{AP})^*$.


- Let $P$ and $P'$ be safety properties over $AP$. Then $P \cup P'$ is guaranteed to be a safety property too.
  Since $\mathit{closure}(P \cup P') = \mathit{closure}(P) \cup \mathit{closure}(P')$ by Lemma 3.36, using Lemma 3.27 we find that $\mathit{closure}(P \cup P') = P \cup P'$. Hence, applying Lemma 3.27 again, we find that $P \cup P'$ is a safety property too.
- $P \cap P'$ is guaranteed to be a safety property too.
  Let $\sigma \in (2^{AP})^\omega \setminus (P \cap P')$. Hence, either $\sigma \notin P$ or $\sigma \notin P'$. We assume without loss of generality that $\sigma \notin P$. Since $P$ is a safety property, there exists a finite prefix $\hat\sigma \in \mathit{pref}(\sigma)$ such that
  $P \cap \{\sigma' \in (2^{AP})^\omega \mid \hat\sigma \in \mathit{pref}(\sigma')\} = \emptyset$.
  Since $P \cap P' \subseteq P$, we infer
  $(P \cap P') \cap \{\sigma' \in (2^{AP})^\omega \mid \hat\sigma \in \mathit{pref}(\sigma')\} = \emptyset$.
  Thus $P \cap P'$ is a safety property too.
