summit.sfu.casummit.sfu.ca/system/files/iritems1/2413/etd2221.pdfmodel checking abstract state...

MODEL CHECKING ABSTRACT STATE MACHINES

WITH ANSWER SET PROGRAMMING

Calvin Kai Fan Tang

B.Sc., Simon Fraser University, 2003

A THESIS SUBMITTED IN PARTIAL FULFILLMENT

O F T H E REQUIREMENTS FOR T H E DEGREE O F

MASTER OF SCIENCE

in the School

of

Computing Science

@ Calvin Kai Fan Tang 2006

SIMON FRASER UNIVERSITY

Spring 2006

All rights reserved. This work may not be

reproduced in whole or in part, by photocopy

or other means, without the permission of the author.

APPROVAL

Name: Calvin Kai Fan Tang

Degree: Master of Science

Title of thesis: Model Checking Abstract State Machines with Answer Set

Programming

Examining Committee: Dr. Jim Delgrande

Professor of Computing Science

Chair

Date Approved:

Dr. Eugenia Ternovska

Assistant Professor of Computing Science

Senior Co-Supervisor

- -

Dr. Uwe GlGser

Associate Professor of Computing Science

Senior Co-Supervisor

Dr. David Mitchell

Assistant Professor of Computing Science

Internal Examiner

SIMON FRASER V ~ ~ l v ~ ~ ~ d i b r a r y @&

DECLARATION OF PARTIAL COPYRIGHT LICENCE

The author, whose copyright is declared on the title page of this work, has granted to Simon Fraser University the right to lend this thesis, project or extended essay to users of the Simon Fraser University Library, and to make partial or single copies only for such users or in response to a request from the library of any other university, or other educational institution, on its own behalf or for one of its users.

The author has further granted permission to Simon Fraser University to keep or make a digital copy for use in its circulating collection, and, without changing the content, to translate the thesislproject or extended essays, if technically possible, to any medium or format for the purpose of preservation of the digital work.

The author has further agreed that permission for multiple copying of this work for scholarly purposes may be granted by either the author or the Dean of Graduate Studies.

It is understood that copying or publication of this work for financial gain shall not be allowed without the author's written permission.

Permission for public performance, or limited permission for private scholarly use, of any multimedia materials forming part of this work, may have been granted by the author. This information may be found on the separately catalogued multimedia material and in the signed Partial Copyright Licence.

The original Partial Copyright Licence attesting to these terms, and signed by this author, may be found in the original bound copy of this work, retained in the Simon Fraser University Archive.

Simon Fraser University Library Burnaby, BC, Canada

Abstract

Answer Set Programming (ASP) is a logic programming paradigm that has been shown as

a useful tool in various application areas due to its expressive modelling language. These

application areas include Bourided Model Checking (BMC). BMC is a verification technique

that is recognized for its strong ability of finding errors in computer systems. To apply BMC,

a system needs to be modelled in a formal specification language, such as the widely used

formalism of Abstract State Machines (ASMs). In this thesis, we present BMC of ASMs

based on ASP. We show how to translate an ASM and a temporal property into a logic

program and solve the BMC problem for the ASM by computing an answer set for the logic

program. Experimental results for our method using the answer set solvers SMODELS and

CMODELS are also given.

Acknowledgments

I have to admit that I am a reserved person, so much so that in my mind, thankfulness is

something we keep in our heart or privately express to the people we want to thank, rather

than something we make public. I thought about leaving this section blank or omitting it

altogether (I guess it is not mandatory). However, that might make my thesis stand out for

a wrong reason and make me look like an immature kid who does not know the importance

of being: thankful (which I am not). In the end, I sat down in front of my computer and

started writing the section you are reading.

For over two years of researching that led to this thesis, I have had my share of highs and

lows, from the excitement of getting my article accepted by a research conference (which

gave me, a little-travelled man, an opportunity to travel) to the frustration of reading a

pile of boring and seemingly practically useless papers that was just as terrible as anything.

Thanks to my hard work that has conipensated my on-and-off interest in academic research

and the great support from the people around me, I have finally made it.

Now. to the people I want to thank. First of all, I want to express my whole-hearted

appreciation to my senior supervisor Dr. Eugenia Ternovska for her attentive guidance.

She has contributed a great deal of time and effort to my research work through meetings

and reviews of my papers, and she ha.s done so while working on multiple research projects

and an even bigger project at home-her daughter born several months after I started my

master's degree program. I would also like to deeply thank my other senior supervisor Dr.

Uwe Glasser, who has managed to squeeze out that half to one hour for a meeting with me

from tirne to time, despite his administrative duties at school and the dozen of students or

so under his supervision. I want to say a big 'thank you' to Simon Fraser University for

providing a tremendous academic environment in which I can succeed as a student. I also

want to thank the conference paper reviewers who reviewed my submitted papers and gave

me valuable comments. I cannot forget to mention the people who received my questions

in email and took time to reply, even though I was a complete stranger to them. Last but

not least, I cannot thank my parents enough for dedicating their energy, time and money

through the years to raise me up. Without them, I would not be here. Without me, you

would not be reading this thesis.

Contents

. . Approval 11

Abstract iii

Acknowledgments iv

Contents vi

List of Tables ix

List of Figures x

1 Introduction 1

1.1 General Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.2 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.3 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 Answer Set Programming 5

2.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2.2 Answer Set Semantics . . . . . . . . . . . . . . . . . . . . . , . . . . . . . . . 6

2.3 Constraints and Cardinality Expressiolls . . . . . . . . . . . . . . . . . . . . . 7

2.4 Domain Predicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.5 Problem Solving in ASP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2.6 Complexity and Expressiveness . . . . . . . . . . . . . . . . . . . . . . . . . . 11

3 Model Checking

3.1 Approaches to Model Checking . . . . . . . . . . . .

Kripke Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Temporal Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3.1 Linear Temporal Logic

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3.2 Fairness

. . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3.3 Alternatives to LTL

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LTL Model Checking

3.4.1 Bounded LTL Model Checking . . . . . . . . . . . . . . . . . . . . . . 3.4.2 Unbounded LTL Model Checking . . . . . . . . . . . . . . . . . . . . .

4 Abstract State Machines

4.1 Signatures and States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.2 Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.3 Locations and Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.4 Transition Rules and Runs . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.5 Example

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.6 ASM Modelling

5 Mapping BMC of ASM to ASP

Constructing Program II(M. I ; ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.1.1 Sorts

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.1.2 Functions

5.1.3 Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.1.4 Transition Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.1.5 Inconsistent Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.1.6 Multi-Agent ASMs

Constructing Program n(+, k ) . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2.1 Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Dynamic Universes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.3.1 Changes to II(M, k )

5.3.2 Changes to II(7+, k ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . Correctness of Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Computational Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . .

vii

6 Exper iments 5 7

6.1 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

6.2 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

6.3 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

7 Rela ted Work a n d Conclusions 6 7

7.1 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

7.2 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

A Proofs 70

A.l Proof of Theorem 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

A.2 Proof of Theorem 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Bibliography 112

viii

List of Tables

5.1 Translation of an LTL formula. . . . . . . . . . . . . . . . . . . . . . . . . . . 47

6.1 LTL Model Checking Experiments for FLASH Cache Coherence Protocol. . . 62

6.2 LTL Model Checking Experiments for i-Protocol. . . . . . . . . . . . . . . . . 63

6.3 LTL Model Checking Experiments for i-Protocol (Different ASM Model). . . 63

List of Figures

3.1 An example of a Kripke structure . . . . . . . . . . . . . . . . . . . . . . . . . 16

3.2 Two possibilities for a . path (so, .... s k ) . with no loop (left) and with a loop

(right) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

5.1 Loop-related atoms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

6.1 ASP-based bounded model checker ASM.BMC . . . . . . . . . . . . . . . . . . 58

Chapter 1

Introduction

1.1 General Introduction

Answer Set Programming (ASP) [3, 341 is a logic programming paradigm for solving com-

binatorial search problems1. In ASP, a problem is represented as a logic program whose

answer sets corresponds to the solutions to the problem. Such a logic program looks like a

PROLOG program. A solution to the problem is determined by computing an answer set

for the logic program using an answer set solver.

ASP has emerged from the development of suitable declarative languages for knowledge

representation and reasoning, which is an area in artificial intelligence focusing on building

systems capable of learning from knowledge. A declarative language describes 'what', as

opposed to a procedural language, which specifies 'how'. The language of ASP stands out

among other declarative languages for several reasons:

0 It is non-monotonic, i.e., it supports the type of reasoning in which previously made

conclusions can be withdrawn when new knowledge becomes available.

0 It has a simple syntax for people who are not familiar with knowledge representation

and reasoning to learn and use.

'Given a discrete set of items, a combinatorial search problen~ involves finding the combinations of items that satisfy given requirements. Such problems are among the most difficult computation problenls, since the number of possible combinations can grow exponentially or factorially with respect to the number of items.

CHAPTER I . INTRODUCTION

0 It includes predicates, variables and a recursion mechanism, making it capable of com-

pactly expressing many reasoning problems such as constraint satisfaction problems.

Various answer set solvers such as SMODELS [40], CMODELS [2] and DLV [32] have

been developed. The high research interest in ASP means that more advanced solvers

will appear.

The practical value of ASP has been proved by its wide range of applications that include

supply chain planning, scheduling and product configuration. Recently, ASP has also been

demonstrated as an effective tool in formal verification [27, 431.

Formal verification is a discipline that aims at improving the reliability of computer

systems, especially safety- and mission-critical systems whose failure may incur serious con-

sequences. A formal verification method provides precise reasoning about system correctness

with its mathematical framework. A powerful formal verification approach is Model Check-

ing [12]. In model checking, a system is modelled as a state transition model, and properties

to be checked against the system are formulated in temporal logic. A model checker uses

an efficient search procedure to determine whether a property is satisfied by the model. If

it is not satisfied, a counterexample in the form of a state sequence will be generated. One

major advantage of model checking is the automatic execution of model checkers.

A fundamental requirement of model checking is finite state space. Hardware devices and

many communication protocols are finite state systems. Many software systems, however,

have an infinite number of states. Abstraction is crucial for model checking to be applied

to those systems because many of them can be abstracted as finite state machines. It may

seem necessary to guarantee that the abstraction is conservative, i.e., a property satisfied

in the abstraction is also satisfied in the concrete system. However, it is more common to

find as many errors in a system as possible than to show that it is completely correct [15].

This is especially true for software systems. The strength of model checking lies exactly in

its ability to expose errors. In this sense, abstraction is actually beneficial because it can

reduce the scale of verification. A conservative abstraction becomes much less significant,

since an. error detected in the abstraction needs to be inspected anyway.

Model checking is widely considered as a complement to traditional testing and simula-

tion, which in general can only cover a relatively small number of test cases. Case studies

such as [8] and [45] demonstrate the feasibility of applying model checking to large systems.

In model checking, a specification language with a well-defined semantics is needed to

CHAPTER 1. INTRODUCTION

model a system in such a way that ambiguities and inconsistencies can be prevented. A

representative of such languages is the notation of Abstract State Machines (ASMs) [6 , 251.

The ASM language is a high-level specification tool for system analysis and design. Unlike

many other specification languages, the ASM language has a relatively simple mathematical

framework and thus is usable for people who do not possess a strong background in logic

and algebra. In addition, because of its underlying mathematical nature, different formal

validation and verification techniques can be applied to ASM models.

The real power of the ASM 1angua.ge lies in the freedom of abstraction that it provides

in modelling. During requirements analysis in systenl development, one can create an ASM

model at a level of abstraction that he/she sees suitable based on his/her current under-

standing of the system. As further design decisions are made, the model can be gradually

refined with the addition of appropriate details. This produces a series of increasingly re-

fined models. Not only does this freedom of abstraction allow one to concentrate on the

essential features of the system at any time during developnlent, but it also facilitates it-

erative modelling and verification so t,hat problems can be found early when they are less

costly to fix. Readers should be aware that abstraction in the context of modelling focuses

on producing a simple and concise specification of a system, as opposed to abstraction in

model checking, whose purpose is to reduce the state space of a model to be verified.

The ASM language is far more than a theoretical invention. It has been used in both

industrial and academic settings and in various application domains such as network proto-

cols, distributed systems and programming languages. Tools such as ASM Workbench [16]

and AsnlL 1261 provide strong support; for the creation and simulation of ASMs.

1.2 Motivation

Verification is very important as it focuses on ensuring system quality. It can help identify

significant errors when system development is in the analysis and design stages. Since

the ASM language is a popular tool for system analysis and design, we believe that it is

worthwhile to develop an efficient method of checking ASM models. Among various model

checking techniques, Bounded Model Checking (BMC) is well-known for its strength in

finding short counterexan~ples, which makes it very useful for detecting errors in industrial

systems. Implementations of BMC based on ASP have been shown to be promising [27, 431.

In particular, the expressive language of ASP allows one to compactly encode state transition

CHAPTER 1. INTRODUCTION

models a.nd requirements on model behaviour. Therefore, ASP appears to be an attractive

tool for checking ASM models, which are often composed of a rich set of syntactic constructs.

Moreover, the existence of efficient answer set solvers means that using ASP to solve complex

problems, including checking non-trivial systems, is feasible. In short, we believe that we can

make a substantial research contribution by combining the notions of ASP, BMC and ASMs

to develop a strong verification approach. We hope that not only will such an approach

benefit those who use the ASM language for system modelling, but it will also give good

insights to those who might be considering developing an ASP-based verification method

for a different specification language.

1.3 Overview

The rest of this thesis is organized as follows:

0 In Chapter 2, we introduce answer set programming with a focus on normal logic

programs and their answer sets. We also give an example of problem solving in ASP

and the complexity and expressiveness of normal logic programs without functions.

0 In Chapter 3, we start with a background on approaches to model checking. Then we

move on to temporal logic, for which we concentrate on Linear Temporal Logic (LTL).

We also discuss bounded model checking of LTL.

0 In Chapter 4, we detail the syntax and semantics of the language of abstract state

machines and describe an ASM for the master-slave agreement problem as an example.

We also touch on some general issues related to ASM modelling.

0 In Chapter 5, we introduce ASP-based BMC of ASMs in full detail. Given an ASM

and a property specified in LTL, we show how to find a bounded counterexample for

the property in the ASM by constructing a logic program and computing an answer

set for it. Correctness theorems for the method will also be presented.

0 In Chapter 6, we talk about the issues related to the implementation of our verifica-

tion approach, present experimental results, and discuss the experience of using our

approach to check ASMs.

0 In Chapter 7, we finish the thesis with a discussioil on related work and some con-

cluding remarks.

Chapter 2

Answer Set Programming

2.1 Preliminaries

In answer set programming, a term is a variable, a constant or a function application

f (tl , . . . ,k ) , where f is a function, and tl, ..., t, are terms. A term with no variables is said

to be ground. An atom is of the form p(tl , . . . ,k), where p is a predicate symbol, and tl , ...,

t, are terms. An atom is ground if it has no variables. A literal is an atom a (a positive

literal) or its negation not a (a negative literal). A set of atoms A satisfies a ground atom

a if a E A and its negation not a if a 4 A.

We focus on the most popular sub-class of logic programs in ASP: normal logic programs.

A normal logic program II consists of a set of normal rules of the form

a +- al , ..., h, not &+I, ..., not e,. (1)

The syn~bols a, al, ..., e, are atoms, where a is called the h,ead of the rule, and al l ..., h,

not &,.I, ..., not e, is called the body of the rule. The body of a rule may be empty, in

which case the rule is called a fact and the arrow +- can be omitted. A ground instance of a

rule is derived by substituting all variables in it with ground terms. A set of atoms satisfies

a ground rule of the form (1) if it satisfies the head a whenever it satisfies the body (i.e.,

all of al l ..., h, not &+I, ..., not h).

The Herbrand universe of a program is the set of all ground terms that can be derived

with the constants and functions in the program. The Herbrand base of a program is the set

of all ground atoms that can be derived with the predicates in the program and the terms

in the Herbrand universe. For example, consider the program

CHAPTER 2. ANSWER SET PROGRAMMING

p ( a ) +. ~ ( b ) t.

q ( X ) t n o t r ( X ) . r ( X ) t n o t q ( X ) .

The symbols p, q and r are predicates, a and b are constants, and X is a variable. The

Herbrand universe is { a , b ). The Herbrand base is { p ( a ) , p ( b ) , q ( a ) , q ( b ) , r ( a ) , r ( b ) ).

The .Herbrand i n s t a n t i a t i o n of a program consists of all ground instances of the rules in

the program derived with the terms in the Herbrand universe. For example, the Herbrand

instantiation of the program above is

p ( a ) t. ~ ( b ) +.

q ( a ) + n o t r ( a ) . r ( a ) + n o t q ( a ) .

q ( b ) + n o t r ( b ) . r ( b ) + n o t q ( b ) .

The process of generating the Herbrand instantiation of a program is called grounding. A

set of atoms satisfies a ground program if it satisfies every rule of the program. For instance,

the set { p ( a ) , p ( b ) , q ( b ) , r ( a ) ) satisfies the ground program above.

The dependency graph of a program is a directed graph whose vertices are the predicates

in the program and with an arc from a predicate p to a predicate q if a rule has p as its

head and q in its body. The arc is negative if q is negated. A program is stratified iff its

dependency graph has no cycle through a negative arc.

2.2 Answer Set Semantics

The sem.antics of a logic program is provided by the a n s w e r se t s of its Herbrand instantiation.

Each answer set of a program is a subset of its Herbrand base. If a ground program II

contains no negation, then there exists a unique minimal set of ground atoms that satisfies

it [44]. This set is called the answer set of II, which can be computed as follows. Let A be

an empty set initially. We add an atom a to A if there is a rule in II whose head is a and

whose body is satisfied by A. We repeat this step until there is no rule whose head is an

atom not in A and whose body is satisfied by A. At termination, A is the answer set of II.

The minimality of A can be interpreted as justifiability in the sense that each atom in A is

'justifiable' because it is the head of a rule in II whose body is satisfied by A.

The answer set semantics can be extended to programs with negations. Such a program

CHAPTER 2. ANSWER SET PROGRAMMING 7

has zero, one or more answer sets. The reduct [2311 of a program II with respect to a set of

atoms A is the program I I A derived from 11 by

1. removing every rule with a negative literal not a in its body if a E A, and

2. removing all negative literals from the bodies of the remaining rules.

The program IIA is negation-free, which implies that it has exactly one answer set. A set of

atoms A is an answer set of II if it is the answer set of I IA . For example, suppose II consists

of the two rules

p + not q. q + not p.

The potential answer sets of II are 4. { p ), { q ) and { p, q ). The reduct I I@} is the

rule p +, and its answer set is { p ). Therefore, { p ) is an answer set of I I . Similarly, the

reduct JI{q) is the rule q +. Its answer set is { q ), and thus { q ) is also an answer set of

II . The sets $ and { p, q ) are not answer sets of I I . For example, the answer set of II4 is

{ p, q ), since it consists of the two rules p t and q +.

The intuition behind using the notion of reducts to define the answer sets of a logic

program is as follows. An answer set of a program II should satisfy II, and each atom in

it should be justifiable. Suppose we assume A to be the set of true atoms. For each atom

a, if a E' A, then any rule in II with a literal not a in its body is useless in the deduction

about its head. Moreover, any literal not a with a $ A is satisfied and can be dropped from

the body of a rule. Therefore, II can be simplified to IIA, whose answer set satisfies II. If

A happens to be identical to the answer set of IIA, then we can conclude that A satisfies II and contains only justifiable atoms.

2.3 Constraints and Cardinality Expressions

We employ two extensions to normal rules: constraints and cardinality expressions. They

enable us to write more syntactically compact programs. A constraint is a rule without the

head, i.e.,

+- a l , ..., an, not % + I , ..., not a,,. (2)

'In [23], an answer set is called a stable model as answer sets are defined based on the stable model semantics.


A constraint of t,he form (2) is actually an abbreviation of the following normal rule, where

b is a new atom:

b e- not b, al , ..., h, not (&+I, ..., not a,.

A set of atoms A satisfies a constraint of the form (2) iff A does not satisfy the body.

Constraints are useful for expressing requirements in a problem.

A cardinality expression has the form

1 { al l ..., h , not %+I, ..., not a , } u. (3)

The symbols 1 and u are non-negative integers called the lower bound and the upper bound.

The default lower and upper bounds are 0 and oo, respectively. Cardinality expressions can

be placed in the head or the body of a rule, just like literals. They are useful for expressing

choices. Intuitively, a set of atoms A satisfies a cardinality expression of the form (3) iff the

number of literals satisfied by A is bet,ween 1 and u inclusive.

A rule with a cardinality expression as the head is called a choice rule. We use two forms

of choice rules. Let b l l ..., b, be atoms. The choice rule

is a shorthand for the normal rules

a1 + not az, ..., not h, b l , ..., b,.

. . . aj + not a], ..., not aj-1, not aj+ll ..., not aml b l , ..., b,.

... a, + not al l ..., not ~ ~ - 1 , b l , ..., b,.

The choice rule

0 { all ..., h } 1 + b i , ...! bn.

stands for the following normal rules, in which p is a new atom:

p t not a], ..., not h, b l , ..., b,. al t not a, ..., not h, b l , ..., b,, not p.

. . . aj + not al, ..., not a3-1, not a,i+ll ..., not h, b l , ..., b,, not p.

...

+ not al, ..., not h - 1 , b l , ..., b,, not p.


2.4 Domain Predicates

Consider the following program:

This program clearly exhibits a pattern: for each 1 < i < 5, pi is true if qi is false, and qi

is true if pi is false. Such a program can be described compactly using variables as follows:

... number(5) t.

~ ( 1 ) t not 47(I), number(1). q ( I ) t not p( I ) , number(I)

The predicate number is a domain predicate, which specifies the range of values that a

variable can take. A literal with a dornain predicate is called a domain literal. In the rules

above, the positive domain literal nunrber(1) restricts the range of the variable I to be 1 to

5. A rule is strongly range restricted if every variable that appears in the rule also appears

in a positive domain literal in the body. A program is strongly range restricted if all its

rules are strongly range restricted.

Formally, a predicate d in a program is a domain predicate if in the dependency graph,

no cycles starting at d go through a negative arc. The rules that have domain predicates

in their heads form a stratified program, which has a unique answer set [23]. As a result,

the extent of each n-ary domain predicate d' in the program, i.e., the set of all n-tuples of

ground terms { 6, ..., t i ) for which the atoms d1(6) , ..., dl(t,) are true, can be determined

from the answer set of the stratified sub-program.

Domain predicates enable efficient grounding of a program. Suppose in the body of a

rule, a variable X appears in a positive domain literal whose predicate d is n-ary. It need

not be instantiated to a ground term such that the resulting ground n-tuple 7 is not in the

extent of d. The reason is that the atom d(2) is definitely false, and the resulting ground

rule would be trivial. With domain predicates, the size of the Herbrand instantiation of a

program can be significantly reduced.

CHAPTER 2. ANSWER SET PROGRAMhIING

2.5 Problem Solving in ASP

To solve a problem in ASP, we represent it as a logic program whose answer sets represent

the solut,ions and then compute the answer sets. We usually follow the generate-and-test

strategy. First, we write a group of rules to 'generate' the candidate solutions in the answer

sets for this group of rules. Then we add more rules, some of which are constraints, to 'test'

the candidate solutions and eliminate those that are not viable.

We use the n-queens problem to illustrate the generate-and-test strategy. In the n-queens

problem, n queens must be placed on a n x n chessboard such that the following conditions

are satisfied:

1. No two queens are on the same row.

2. No two queens are on the same column.

3. No two queens are on the same diagonal.

We write a program II whose answer sets encode the solutions to the problem. A solution

can be characterized by a set of atoms of the form q(i,j), where 1 5 i, j 5 n. Each q(i,j) is

in an answer set if a queen is placed on the i-th row and the j-th column of the chessboard.

We first define a domain for the queens, which are numbered 1 to n, by introducing the

following facts in II:

To satisfy condition 1 as well as the trivial requirement that all n queens are on the chess-

board, we add the following choice rule to 11:

This rule generates the candidate solutions in which no two queens are on the same row,

since it specifies that for each row i, there is exactly one column j such that a queen is at

position (i , j) , where 1 < i, j 5 n.

To test whether a candidate solution satisfies condition 2, we extend 11 with the con-

straint


+- q(Il ,J) , q(I2, J ) , I1 < 12 , number(I~), number(12), number(J).

Finally, to test against condition 3, we include the following constraints in II:

The idea of these two constraints is that two queens are on the same diagonal if they are

separated by the same number of rows and columns. The symbol ' = = I is the equality

operator.

2.6 Complexity and Expressiveness

We concentrate on the complexity and expressiveness of normal logic programs without

functions. They form the sub-class of ASP programs that is called AnsDatalog in [3]. The

complexity of AnsDatalog is as follows. Given an AnsDatalog program II and a set of facts

F, the task of determining if II U F has an answer set is NP-complete. A proof of this claim

can be found in [3].

A decision problem Q is axiomatizable in a sub-class L of ASP programs if for every

instance i of Q, a program IIQ U Fi can be constructed in L, where IIQ is a fixed program

for Q and Fi is a set of facts dependent on i, such that IIQ U Fi has an answer set iff i is

a yes instance of Q. The expressiveness of a sub-class of ASP programs is defined by the

complexity class that it captures. A sub-class L of ASP programs captures a complexity

class C if a decision problem Q is in C iff Q is axiomatizable in L.

AnsDatalog captures the complexity class NP. Intuitively, given any instance i of an NP

problem Q, an AnsDatalog program can be constructed such that it has an answer set iff

i is a yes instance of Q. In addition, given a problem Q, if for each of its instances i, an

AnsDatalog program can be constructed such that it has an answer set iff i is a yes instance,

then Q is in NP.

A proof of the expressiveness of AnsDatalog is as follows. Given a vocabulary a with only

constants and predicates, a finite database over a is a finite subset of all atoms derived from

the constants and predicates in a. Each NP problem Q can be expressed as an existential

second-order formula over a vocabulary a such that there is a one-to-one correspondence


between each finite database over a that satisfies the formula and each yes instance of Q.

This formula takes the form 3 Ul ,... , CLV13fj(Ol (3,fj) V ... V Ok ( Z , y ) ) , where O1 (1,%), ... , Ok(Z,fj) are conjunctions of literals involving the predicates in a and { U l , ..., Urn ).

We prove that every NP problem is axiomatizable in AnsDatalog as follows. Given a

finite database w and a formula 4 = 3 U1 ,..., U,'dZ3jj(Ol (Z, i j ) V ... V 0 k ( 5 , i j ) ) , we show how

to construct an AnsDatalog program 114 U F,, where II6 is a fixed program for 4 and F,

is a set of facts dependent on w , such that w satisfies 4 iff II6 U F, has an answer set. For

each atom p(a l ,..., a,) in w , where p is an n-ary predicate in a and a l , ..., a, are constants

in a , we make the fact

holds-n(p,al ,..., a,) +-.

The symbol ' n ' in holds-n is the arity of p. The set of facts we have for w constitute F,.

We start writing the program II6. First, we define the domains for the constants and

predicates in a. For each constant a in a , we add the rule

For each predicate p in a , we add the rule

Suppose 2 is an s-tuple { x l , ..., x8 ) and % is a t-tuple { y l , ..., yt ). Let f be a

function that maps each of O1 (2,y), ..., Ok(Z,fj) to a sequence of comma-separated literals.

In addition, let g be a function that converts a constant in a into a constant in AnsDatalog

and a variable in 2 or f j into a variable in AnsDatalog. The functions f and g are defined

as follows:

f (O(Z,%) A 0'@7!7)) = f ( 0 ( W ) ) > f ( 0 ' ( ~ > ! ? ) ) .

f ( P ( t l , . . . , L ) ) = holds-n(P,g(tl),...,g(t)),

where P is an n-ary predicate in a or { U l , ..., Urn ),

and t l , ..., t, are constants in a or variables in 2 or f j .

f ( - l P ( t 1 , ..., t)) = n o t h o l d s - n ( P , g ( t l ) ,..., g ( L ) ) .

g ( a ) = a , where a is a constant in a.

g ( : ~ ) = Xi, where { X I , ..., xs 1). g ( y J = Yj, where Yj E { Y l ? ..., Yt 1 .

CHAPTER 2. ANSWER SET PROGRAhihiIhJG 13

We use the following rules to define the atom ql(U1, ..., Urn,Xl, ..., Xs) to be true if

3g(d1 (2,y) v ... v Ok(?,$)) holds for given Ul , . .., Urn and XI , ... , XS:

We defirle the atom q2( Ul, ..., Urn) to hold if Vz3t (d l (~ ,$) V ... V dk(2,$)) is false for given

Ul, ..., [Irn:

Next, we define the atom q3 to be true if 4 = 3U1, ..., UrnVEl$(01(2,$) V ... V Ok(%,$)) holds.

Clearly, q3 is true if there exist some Ul, ..., Urn such that q2( Ul, ..., Urn) is false:

Finally, we want 114 U F, to have an answer set iff w satisfies 4. Therefore, we include the

following constraint in IId:

Now we prove that every problem axiomatizable in AnsDatalog is in NP. Let Q be a

problem axiomatizable in AnsDatalog. This means that for each instance i of Q, we can

construct an AnsDatalog program IIQ U Fi which has an answer set iff i is a yes instance of

Q. From the complexity of AnsDatalog, we know that the task of deciding if IIQ U Fi has

an answer set is NP-complete, and thus it is in NP. Therefore, Q is in NP.

Since every NP problem is axiomatizable in AnsDatalog, and every problem axiomatiz-

able in AnsDatalog is in NP, we conclude that AnsDatalog captures NP.

Chapter 3

Model Checking

3.1 Approaches to Model Checking

The initial implementation of model checking was enumerative in that states and transitions

were explicitly represented as enumerable elements. The number of states this approach

managed to handle was often restricted to a few million. Therefore, its application was

heavily limited for many industrial systems.

The first widely used model checking method is symbolic model checking [35]. In this

method, states and transitions are represented as boolean functions using Ordered Binary

Decision Diagrams (BDDs), which can provide efficient manipulation of boolean functions.

With BDD-based symbolic model checking, verification of systems with more than lo2'

states has become possible. The disadvantages of BDDs are twofold. First, some boolean

functions cannot be represented compactly in BDDs. In addition, the size of the BDD

representation of a boolean function is sensitive to the variable ordering. As a result, the

amount of memory needed to store and manipulate BDDs can be enormous.

In response to the weakrresses of BDDs, methods based on propositional satisfiability

(SAT) emerged due to the better space efficiency of SAT procedures. One of them that

has gained industrial recognition is SAT-based bounded model checking (BMC) [5]. The

idea of BMC is to search for a counterexample in which the number of state transitions is

bounded by an integer. A BMC problem can be translated into a propositional formula in

conjunctive normal form ( C N F ) and solved with SAT checking techniques. Experiments

have indicated that BMC can solve many problems that cannot be handled by BDD-based

checking, although the converse also holds. The bounded nature of BMC means that it

CHAPTER 3. MODEL CHECKING 15

cannot prove the absence of counterexamples in general. Nevertheless, it is widely regarded

as a strong complementary technique to BDD-based checking.

A line of research related to the work in this thesis is the application of answer set pro-

gramming to bounded model checking [27, 431. The motivation to achieve succinct encodings

of BMC problems led to the development of BMC based on ASP, in which the power of ASP

in knowledge representation is utilized to produce more compact representations of BMC

problems than those in other formalisms such as propositional logic. The idea of ASP-based

BMC is to describe models and properties as logic programs and reduce BMC problems

to finding answer sets for logic programs. This approach realizes a linear encoding in the

size of the model, the property and the bound', and [27, 43) show that it is competitive to

SAT-based BMC with the well-known model checker NuSMV [9].

The s tate explosion problem remains the biggest challenge to model checking. This

problem happens when the state space of t,he system under investigation is too large for the

model checking procedure to handle. A variety of techniques have been invented to alleviate

this problem. Apart from symbolic model checking and bounded model checking, partial

order reduction [37] aims at lowering the complexity of checking asynchronous systems. An

asynchronous system is usually modelled in a way that the actions of its components are

arbitrarily interleaved. Partial order reduction reduces the number of interleaving sequences

that need to be examined by taking advantage of the independence of concurrent actions.

Abstract ion [ll] encompasses the techniques for deriving an abstraction with a smaller state

space from a specification. This can be done by mapping a large set of data values to a

smaller one and eliminating irrelevant variables.

3.2 Kripke Structures

In model checking, a finite state machine is described as a Kripke s tructure M, which is a

quadruple (S,I,T,L). S is the set of states, I C S is the set of initial states, T C S x S is

the transition relation, and L: S + 2* is the labelling function, where A is the set of atomic

pr~posit~ions and L(s) is the set of atomic propositions that are true in state s. Practically,

we assume that I is non-empty and T is total.

The behaviour of a Kripke structure M is defined by paths. A path .ir of M is a finite

' A linear SAT encoding in the size of the model, the property and the bound has also been proposed recently in [31].


or infinite state sequence (so,sl, ...), where T(s=,si+l) holds for all 0 5 i < IT(-1 with In(

representing the length of n. For 0 5 i 5 lnl-1, n ( i ) denotes the i-th state si of n , and

denotes the suffix of T starting at si, i.e., (si,si+1,...). If n(0) E I, 7r is an initialized path.

Consider a finite state machine with two propositions p and q. A Kripke structure for

the state machine is described by the graph in Figure 3.1. Its states are s4, sip), s { ~ } and

s { ~ , ~ ) , with s4 as the only initial state. The transition relation is true for the pairs (s4,s{,)),

(s{~),s{~}), ( s I ~ ) ~ s { ~ ) ) ~ (~{q),s{~,q}), (slp,q),s4) and (~{p,q)r~{q)). Each state is 'abelled with

the set of propositions that are true in it. An example of an initialized path is the sequence

(S~,S{P),~S{~),S{P,~),S{~),S~P>~)~S{~)~S{P,~),...).

Figure 3.1: An example of a Kripke structure.

The concept of Kripke structures provides a way to illustrate model checking algorithms.

This is due to the fact that the semant,ics of a model described in any specification language

can be captured by a Kripke structure. In practice, we model a system in a specification

language in order to produce a syntactically concise and intuitive description of the system.

3.3 Temporal Logic

A suitable logic is needed to express properties of state transition systems. Propositional

and predicate logics are insufficient as they can only express properties of individual states.

Temporal logic allows one to describe t,ransitions between states. Different types of temporal

logic have been proposed. We concentrate on Linear Temporal Logic (LTL) [38].

CHAPTER 3. MODEL CHECKING

3.3.1 Linear Temporal Logic

LTL builds on propositional logic in that it employs atomic propositions and boolean oper-

ators A , V and 1. Additionally, it has temporal operators for specifying properties of paths.

The syntax of LTL formulas is given a.s follows:

The temporal operators are G (always), F (eventually), X (next-time), U (until) and R (release). The standard semantics of LTL is given with respect to infinite paths of a Kripke

structure. The relation that an infinite path n satisfies an LTL formula $ (n k $) is defined

below:

0 n I= p iff p E L(n(0)).

0 n )= G$ iff ni k $ for a11 i > 0. ($ is true in all states on n.)

0 n I= F$ iff ni k $ for some i 2 0. (4 will eventually be true in some state on n.)

0 n k X$ iff n l k $. ($ is true in the second state on n.)

n k $1 U $2 iff Ti k $2 for some i > 0 and n j k for every 0 5 j < i. (41~ holds

in some state on n, and ?i,i holds in all preceding states.)

$1 R $2 iff (1) Xi k $1 for some i 2 0 and n j k $2 for every 0 5 j 5 i, or (2)

Ti k $2 for all i 2 0. ($2 holds in all states on n up to and including the first state

where $1 holds, but it is not required that $q eventually holds.)

A Kripke structure M satisfies $ ( M k $) iff all initialized paths of M satisfy $.

The most important temporal operators are G and F as they are used for the two main

classes of properties: safety and liveless. A safety property says that something should

always (or never) happen. For instance, the property that two processes never have write

access to a memory location at the same time can be expressed as Gl(writel A write2).

A liveless property says that something will eventually happen. For example, the property


that a process will finish its execution can be formulated as Fdone. A11 example making use

of both G and F is the property that a request must always be acknowledged, which can

be captured by G(req --t Fack), where req --t Fack is an abbreivation of Treq V Fack.

3.3.2 Fairness

In some cases, we want to restrict the attention of model checking to the fair paths of a

Kripke structure. Given a set of fairness constraints { fl , ..., f, ), a path n is fair iff fi is

true infinitely often along n for each 1 _< i 5 n. Each fi is true infinitely often along 7r iff n

satisfies the LTL formula GFf,.

As an example, suppose we verify a system in which there are multiple interacting agents

al, ..., Q,. We may only be interested in the correctness of the paths along which each agent

is active infinitely often. Let { actl, ..., act, ) be the set of fairness constraints, where acg

is a proposition that is true if agent a, is active for each 1 5 i 5 n. A fair path of the system

satisfies the LTL formulas GFactl , ..., GFacL.

3.3.3 Alternatives to LTL

A popular alternative to LTL is Com,putation Tree Logic (CTL) [4]. CTL is a branching-time

logic, as opposed to LTL, which is a linear-time logic. It has the same temporal operators

as LTL. In addition, it has the path quantifiers A and E for specifying the paths from a

given state over which temporal operators quantify, where A means 'along all paths' and

E means 'along at least one path'. CTL formulas are interpreted over states of a Kripke

structure. For example, the formula AG$ is true in a state s if $ is always true over all paths

from s. Although it supports path quantification, CTL does not permit nesting of temporal

operators as LTL does. Therefore, the two types of temporal logic are incomparable in that

some properties can be expressed in one but not in the other.

More expressive types of temporal logic include CTL* [lo] and mu-calculus [30]. CTL*

subsumes both LTL and CTL by providing path quantification and nesting of temporal

operators. Mu-calculus uses greatest and least fixpoint operators and is more powerful than

CTL*. CTL* and mu-calculus allow one to specify properties that are not expressible in

LTL or CTL. However, they come with the cost of more complex syntax and less intuitive

semantics.


3.4 LTL Model Checking

A Kripke structure M satisfies an LTL formula 11, iff all initialized paths of M satisfy 11,.

Therefore, if 111, is true over an initialized path of M, then 11, is false with respect to M. Such

a path is called a witness for 111, and is a counterexample for 11,. Model checking techniques

for LTL can be divided into two classes: bounded and unbounded.

3.4.1 Bounded LTL Model Checking

The idea of bounded LTL model checking is as follows. Given a Kripke structure M, an LTL

formula 11, and a non-negative integer k, we search in M for an initialized path (so, ..., sk)

that can be considered as a witness for 111,. The formula 111, must be in negation normal

form, in which negations only appear in front of atomic propositions. An LTL formula

can be converted into negation normal form using the DeMorgan's Law and the duality of

temporal operators [12]. In practice, we start with a small value for k and increase it until

a counterexample is obtained, a pre-determined upper bound is reached, or the problem

becomes intractable.

Even though the value of k is finite, a path (so, ..., sk) may be infinite. The infiniteness

is realized by a loop transition from state sk-1 to some state si, where 0 5 i < k-1. (See

Figure 3.2 for an example.) This means that sk and si are equivalent, i.e., L(sk) = L(si). In

some cases, a loop is necessary for a path (so, ... ,sk) to be a witness for an LTL formula. For

example, a witness for the formula G p is an initialized path along which all states satisfy the

atomic proposition p. Consider a path (so, ..., sk) with no loop. Even if p holds in all states

from so to sk, it is unknown whether p actually holds in any state beyond sk. Consequently,

the path is not a legitimate witness for Gp.

Figure 3.2: Two possibilities for a path (so, ... ,sk), with no loop (left) and with a loop (right).

Because a path n = (SO, ..., sk ) can be finite or infinite, there are two possibilities for a

suffix of n. If .rr has no loop, then .rrj is a finite path (sj, ..., sk) for each 0 < j < k. If n

has a loop from state sk-1 to some state si, where 0 < i 5 k-1, then nj is an infinite path


(sj,...,sk-1 , ~ ~ , . . . , s ~ - ~ , s ~ , . . . ) for each 0 < j 5 k-1, and .irk is equivalent to r i .

In BMC, since we consider paths that may be finite, we need to extend the original

semantics of LTL, which only covers infinite paths. Consider a path .ir = ( S ~ , . . . ~ S ~ ) . If T has

a loop, then it is an infinite path, and the original semantics of LTL applies. If .ir has no

loop, which means that it is finite, the semantics is as follows:

.ir + p iff p E L(r(0)).

x + ~p iff p $! L(r(0)).

x k $1 A $2 iff x + $1 and x + $2.

0 .ir + G$ is false.

0 x + F$ iff ~i + $ for some 0 < i < k.

0 x b XI+!J iff ~ ( 1 ) exists and x l $.

x + $1 U $2 iff .rri /= q2 for some 0 5 i 5 k and ~j + for every 0 < j < i.

.ir + $1 R g2 iff ~i + for some 0 < i 5 k and .irj + for every 0 5 j 5 i.

The first implementation of BMC for LTL is based on propositional satisfiability. In this

SAT-based approach, the behaviour of M up to k transitions is described as a propositional

formula R(M,k), and T$ is represented as a propositional formula R(+,k). A counterex-

ample for ?I, exists iff R(M,k) A R(+,k) is satisfiable. In a more recent approach, the

language of answer set programming is used to encode BMC problems in order to obtain

more compact problem representations. Basically, the formulas R(M,k) and R(+,k) are

replaced by logic programs II(M,k) and II(+,k). An answer set of II(M,k) U II(-$,k)

corresponds to a counterexample.

BMC is incomplete in that it cannot prove the satisfaction of a property, unless an upper

bound for k is known [14]. Computing such an upper bound can be difficult. Nevertheless,

BMC has been found to be a very effective technique in finding short counterexamples,

which makes it a great complement to unbounded model checking in the industry [5]. Peo-

ple use both BMC and BDD-based model checkers by running them in parallel and see

which one produces a solution first. Alternatively, they use the BMC tool to search for a

counterexample and switch to the BDD-based tool if necessary.


3.4.2 Unbounded LTL Model Checking

Unbounded model checking realizes completeness in that a property is guaranteed to be true

if no counterexamples are found. We briefly discuss two unbounded LTL model checking

approaches here. The first one, employed by the model checker Spin [28], is an enumerative

approach based on Buchi automata [24]. The basic idea is to translate a Kripke structure

M and the negation of an LTL formula $ respectively into Biichi automata Ahf and A+

and compute their intersection. The automaton AM describes all paths of M, while A+

describes all paths that satisfy +. Therefore, the intersection of AM and A+ is empty iff

M $. Both AM and A,$ can be constructed on-the-fly during verification, and emptiness

of their intersection can be checked using a depth-first search strategy.

The second approach involves tableau construction for l$ and translation into CTL

model checking [13]. A tableau T for l$ is a graph that contains all paths satisfying +.

The product of M and T is a Kripke structure P whose paths occur in both M and T.

A state is the start of a path in M that satisfies l$ iff it is also the start of a path in P

that satisfies +. The set of such states can be computed by the BDD-based CTL checking

procedure. I t is empty iff M $.

Chapter 4

Abstract State Machines

4.1 Signatures and States

An abstract state machine formalizes a system based on the notions of states and transitions.

It is defined over a many-sorted sign,ature, which consists of a set of sorts and a set of

functions [46]. Each sort is a name associated with a set of elements. Each function f : Dl

x ... x D,, -+ D, has an arity n , where n 2 0 and D l , ..., D, and D, are sorts. Based on

how its value is changed, a function can be classified as follows:

0 A static function has a fixed value. A constant is a static nullary function.

0 A controlled function is one whose value can only be changed by the ASM.

0 A monitored function is one whose value can only be modified by the environment.

Monitored functions are used to model the non-deterministic aspects of a system that

are influenced by the environment.

A signature also has the sort Boolean, the constants true, false and undef, the equality

operator =, and the boolean operators 1, A and V.

An alternative definition of a signature is given in [6], in which it is said to have a set

of functions. Elements are associated with sets by characteristic functions. We have chosen

the notion of sorts because sorts are analogous to domain predicates in ASP. This makes

our translation of an ASM into a logic program more intuitive.

A state s of a signature C is a set of universes and the interpretations of the functions

in C. Exactly one universe @ is associated with each sort Di in C. The interpretation of

CHAPTER 4. ABSTRACT STATE MACHINES 23

a function f : Dl x ... x Dn 4 Dp is given by a total function f3 : x ... x DS, + q. The universe associated with sort Boolean has the two standard truth values that are the

interpretations of the constants true and false, respectively. The interpretation of undef is

the default value of all functions, and thus we consider it as an element that can be in any

universe. We do not distinguish between a constant and its interpretation.

The superuniverse D of a state s is the union of all universes and the reserve. The reserve

ResS of a state s is the infinite set of elements that are not contained in any universes (i.e.,

Resy = DS \ Ui Q). It supports the modelling of systems in which new elements may be

introduced during execution. A function evaluates to undef if any of its arguments is a

reserve element, and no function evaluates to a reserve element.

A signature C has a collection of variables V. Each variable is of a sort in C. A variable

assignment over a state s is a function <: V + DS such that variables of sort Di are mapped

to elements in q. We write C(v H e) for the assignment that is identical to C except that

it assigns the element e to the variable v.

4.2 Terms

A t e rn is a syntactic expression which has a value given a state s and a variable assignment

C over s. We define a term t and its value Val,,,-(t) as follows:

a A variable v is a term. If t is a variable u, then Val,,<(t) = ((v).

a If f : Dl x ... x Dn 4 Dp is a function, and t l , ..., t, are terms of sorts Dl, ..., D,,

respectively, then f (tl ,...,t,) is a, term of sort Dp. If t is f (tl , . . . ,k) , then Val,,,-(t) =

f a ( Valy,<(tl),..., w , , - ( k ) ) .

a If v is a variable, and r(v) is a boolean term (i.e., a term of sort Boolean) which

may have occurrences of v, then Vv r(v) and 3v r(v) are first-order terms with head

variable v and body r(v) .

Suppose the head variable v is of sort Di. If t is Vv r (v) , then Val,,,-(t) = true iff

Val,,C(v-e)(r(v)) = true for all elements e in q. If t is 3v r(v) , then Val,,,-(t) = true

iff Vals,,-(,,,)(r(v)) = true for some element e in Q.

A boolean term is said to be satisfied in a state s if it evaluates to true in s. Given a

boolean term t(v), where v is a variable of sort Di, the range of t(v) in a state s consists


of all elements e in Q such that t ( u ) is satisfied when the value of u is e, i.e., { e E Q I vals ,c( ,He)(t(v)) = true 1.

4.3 Locations and Updates

A location of a state s is a pair ( f , ti), where f : Dl x ... x Dn -+ Dp is a controlled or

monitored function, and a is an n-tuple in x ... x DS,. The value of the location is f ' ( a ) . The elements of the location are the elements in a.

An update of a state s is a pair (loc, ual) , where loc is a location of a sort Di, and ual

is an element in Q. The value of loc is set to val when the update is fired. The elements

of the update are the value ual and the elements of the location loc. An update set is fired

when all updates in it are fired simultaneously. The elements of an update set are those

that occur in the updates in the set.

Two updates (loci, wall) and ( locz, ualz) are consistent iff locl = loc2 implies uall = ualz.

An update set is consistent if every pair of updates in it are consistent. Firing a consistent

update set containing an update (loc, ual) results in a transition to a state in which val

is the value of the location loc. An inconsistent update set has at least two inconsistent

updates. Firing an inconsistent update set causes no change to the value of any location.

4.4 Transition Rules and Runs

The behaviour of an ASM is specified by transition rules, which describe how the values of

the cont'rolled functions of the ASM are changed from state to state. Given a state s and a

variable assignment < over s, the semantics of a transition rule R is given by an update set

A , , [ ( R ) . The syntax and semantics of each transition rule are given as follows:

Skip Rule: skip

A skip rule causes no change to any function value, and thus its update set is the

empty set:

CHAPTER 4. ABSTRACT STATE MACHINES

An update rule f ( t l , ...,t,) := ty changes the value of the controlled function f with

parameters t l , ..., t, to the value of ty, where t l , ..., t, and t p are terms. Its update

set is an update to a location o f f :

A8,<(f (tl,...,t,) := t p ) = { (10~1 val) 1, where loc is the location (f, ( Val,7,C(tl),..., Val,,C(t,))),

and val is the value V ~ l , , ~ ( t p ) .

a Block Rule: block R1 ... Rn endblock

A block rule expresses the parallel execution of its sub-rules R1, ..., R,. Its update

set is simply the union of the update sets associated with the sub-rules:

A,,C(block R1 ... R, endblock) = A3,<(R1) U ... U As,<(Rn).

The keywords block and endblock may be omitted for brevity.

a Conditional Rule: i f g then R1 e l se R2 endif

A condition rule expresses branching in execution. If the guard g , which is a boolean

term, is satisfied, the sub-rule R1 is executed, or else R2 is executed:

A8,<( i f g then R1 e l se R2 e n d i f ) = As,<(R1) if Vals,<(g) = true.

A,,<(if g then R1 e l se R2 e n d i f ) = A,,<(R2) otherwise.

The else part in a conditional rule may be omitted, in which case it is equivalent to

e l se skip.

a Do-Forall Rule: do fora l l 1, : g(v ) R ( v ) enddo

A do-forall rule specifies the parallel execution of the sub-rules R ( e ) for all elements

e in the range of the guard g(v ) , where R ( e ) is obtained by replacing each occurrence

of the head variable v by e in R ( v ) :

If the guard is the constant true, it may be omitted.


Choose Rule: choose v : g(v) R ( v ) endchoose

A choose rule is another means of modelling non-determinism. An element e is non-

deterministically chosen from the range of the guard g(v ) , and the sub-rule R(e ) is

executed:

A3,C(choose v : g(v) R ( v ) endchoose) = A,,((,,,)(R(v)),

where e is in the range of g(v) in s.

If the range of the guard is empty, the update set is the empty set:

A3,C(choose v : g(v) R ( v ) endchoose) = 0, if the range of g(v) in s is empty.

Extend Rule: extend Di w i t h v R ( v ) endextend

An extend rule whose head variable is of sort Di extends the universe of Di with an

element e from the reserve and executes the sub-rule R ( e ) :

As,C(extend Di with v R ( v ) endextend) = As, ,C(vHe)(R(v) ) ,

where e E ResS,

and s' is obtained from s by extending the universe of Di with e,

i.e., @' = @ U { e } and ~ e ? ' = Res3 \ { e ).

Let the set of elements of an update set A be El (A) . The following constraint needs

to be put on each block rule: the reserve elements of the update set of sub-rule Rj

are disjoint from those of the update set of sub-rule Rj,, where j # j' and 1 < j, j'

5 n, i.e., ResS n E l (AS , ( (R j ) ) n E l ( A s , ( ( R j / ) ) = 0. This prevents the same reserve

element from being taken by two extend rules inside a block rule. A similar constraint

is placed on each do-forall rule: ResS n EL(A,,,,,,,J ( R ( v ) ) ) n El(A,,,(,,e3,) ( R ( v ) ) )

= 0, where ej and ej, are distinct elements in the range of the guard.

A reserve element imported into a universe can be subsequently removed from the

universe and returned to the reserve. Given a sort Di, we have a unary boolean

function of the same name. A11 element e is in the universe of Di in a state s iff

ValS,((Di(e)) = true. An extend rule whose head variable is of sort Di has the effect

of setting Di(e) to true for an element e taken from the reserve and executing the


sub-rule. The removal of e from the universe of Di is done by an update rule Di(t) :=

false, where t is a term whose value is e.

A call rule calls the transition rule named r with terms t l , ..., t, as parameters. A

rule declaration r(vl , ..., vn) == R(v l,...,vn) is associated with r, where vl, ..., vn are

variables and R( vl,...,vn) is a transition rule. Essentially, r(t1, ..., k) is a shorthand for

R(t l l . . . ,k) . Therefore, the update set of r ( t l , ..., k) is that of R(t1, ..., k ) :

To describe the behaviour of an ASM, we write a set of rule declarations. One of the

rule names which must be parameterless is designated as the main rule name. The main

rule is never called, i.e., its name never appears in a call rule. During the execution of an

ASM, a state transition occurs when an update set is fired. The update set fired in each

state is composed of the updates produced by the main rule and the updates to monitored

locations by the environment. A rmn of an ASM M is a sequence (so,sl, ...) such that so is

an initial state of M and si+l is obtained by firing the update set in s, for all i > 0.

4.5 Example

We describe an ASM for the master-slave agreem.ent problem, in which a master process

delegates jobs to slave processes. Before it can send a job, the master must confirm that every

slave is ready to accept the job. If any of them refuses it, the master sends a cancellation

message to the slaves. The master starts in an idle state in which it asks all slaves to accept

a job. It waits for the answers from the slaves. Once all the answers have arrived, the

master sends the job or a cancellation message accordingly. Each slave also starts in an idle

state. When it gets an enquiry from the master, it replies with its intention to accept or

refuse the job and waits for a response. If it receives a job, it will enter a busy state where

it is executing the job. Otherwise, it will return to the idle state.

We model the master and the slaves as asynchronously executing agents by arbitrarily

interleaving their actions. In each state of the ASM, one agent is non-deterministically

selected to be the active one. In addition, we abstractly model a slave's choice between

accepting and refusing a job as a non-deterministic one. The signature C of the ASM has


the following sorts, where the notation 'Di == { cl, ..., c, )' denotes that the universe of

Di in every state is the set of elements that are the interpretations of the constants cl , ..., c,:

MMode == { midle, mwait )

SMode == { sidle, swait, sbusy )

Slave == { dl, ..., slj )

Command == { job, cancel )

Reply == { accept, refuse, undef )

Turn == { master, slave )

Boolean == { true, false )

Besides the constants above, C also has the following functions:

0 Controlled functions are:

mstatus: -+ MMode (current state of the master),

sstatus: Slave -+ SMode (current state of a slave),

asked: Slave -+ Boolean (whether a slave has been asked to accept a job),

answer: Slave --, Reply (response of a slave to the master's enquiry),

order: Slave --, Command (order given to the slaves by the master).

0 Monitored functions are:

whoseturn: -, Turn (whether the master or a slave is active),

whichslave: -, Slave (which slave is active).

The behaviour of the ASM is described by the following rule declarations, with Main as

the main rule name:

MasterRule ==

i f mstatus = midle then

do f o r a l l v

asked(v) := true

enddo

mstatus : = mwait

C H A P T E R 4. A B S T R A C T S T A T E MACHINES

endif

if mstatus = mwait A V v l ( a n s w e r ( v ) = undef) then

if 3v answer(v) = refuse then

do forall v

order(u) : = cancel

enddo

else

do f oral1 v

order(v) : = job

enddo

endif

mstatus : = midle

do forall v

an,swer(v) := undef

enddo

endif

SlaveRule(sl) ==

if sstatus(s1) = sidle A asked(s1) = true then

choose v : ~ ( v = undef)

an,swer(sl) := 21

endchoose

sstatus(s1) := swait

asked(s1) := false

endif

if sstatus(s1) = swait A l (order(s1) = undef) then

if order(s1) = job then

sstatus(s1) : = sbusy

else

sstatus(s1) : = sidle

order(s1) : = un,def

endif

endif


Main ==

if whoseturn = master then

MasterRule

else

SlaveRule (whichslave)

endif

4.6 ASM Modelling

To model a system as an ASM, we start by creating an initial abstract model called a ground

model. The model is incrementally refined with additional details, resulting in a model

hierarchy. At the top of the hierarchy, the ground model is subject to validation against the

informal system specification. This can be done by model simulation. At the bottom, the

model may be concrete enough to be translated into an implementation of the system. At

each level, the model should faithfully capture the essential features of the system, yet it

should be simple and concise so that details that have no influence on the system behaviour

or only become relevant later in the design process are abstracted away. These details

can be abstracted by introducing non-determinism through monitored functions and choose

rules. During a refinement step, details are added to a model by changing its signature

and transition rules. A thorough discussion on ground model construction and incremental

refinement can be found in [6].

The model at each level of the hierarchy can be verified with respect to formal require-

ments such as properties specified in temporal logic. This allows verification to take place

early in development and divides the overall verification task into smaller, more tractable

sub-tasks. In order to verify a model, assumptions on the abstracted details may have to

be made [46]. A typical example of assumptions is a fairness constraint. Assumptions on

the internal system behaviour can be specified by modifying the ASM at a refinement step.

Assumptions on the environment cannot be described in the ASM language as it cannot

specify restrictions on environmental behaviour. Instead, they are formulated in some type

of logic, such as temporal logic, separately from the model.

Chapter 5

Mapping BMC of ASM to ASP

Given an ASM M, an LTL formula qb and a bound k, our goal is to find a run (so , ..., sk) of

M that is a witness for +. This run is a counterexample for qb. We outline our approach

as follows. We first encode the behaviour of M up to k steps as a logic program I I (M,k )

and the negation of qb as another program II(+,k). Then we compute an answer set for

I I (M,k ) U II(+,k). Notice how we use the generate-and-test strategy here. We intend to

generate each run of M up to k state transitions in an answer set of I I ( M , k ) and test that

run for its satisfaction of + with II(+,k). We let MSA be the name of the ASM for the

master-slave agreement problem in the previous chapter and use it to illustrate our method.

For the construction of the programs I I (M,k ) and II(+,k), we first address the case

where the universe associated with each sort in the signature of M is fixed. We will later

cover the case where some universes can be dynamically extended.

5.1 Constructing Program n ( M , k )

We first introduce two predicates: ualid-state, whose extent is the integers representing

states so, ..., sk, and has-next-state, whose extent is the integers denoting states so, . . ., sk-1.

For each 0 5 i 5 k, add the rule

If k > 0 , then for each 0 5 j 5 k-1, include the rule

CHAPTER 5. MAPPING BMC OF ASM TO ASP 32

For now, we assume that the update set fired in each state of M is consistent. We will

later discuss how to handle inconsistent updates, which is quite straightforward but does introduce extra atoms and rules. If we are sure that it is not possible for an inconsistent

update set to be fired in any state of the ASM, then we can construct the logic program

with fewer atoms and rules.

Let the signature of M be Cnr. We divide the rest of the program construction into four

parts: sorts, functions, terms and transition rules.

5.1.1 Sorts

Each sort D, in EM is associated with a fixed universe U,. Let { c,l, ..., q,, ) be a set of

constant,^ such that each element in Up is the interpretation of exactly one $j, where 1 < j < m. For each $j, add the rule

dpicpj) +-.

The predicate d . stands for the sort D,. Consider the sort MMode in MSA, for which we

add the rules

5.1.2 Functions

Each function f : Dl x ... x D, i D, in EM is static, controlled or monitored. We

differentiate the three cases as follows:

0 I f f is static, and f (cl , ...,&) is equal to cp3 in every state of M, where c, is a constant

of sort Di for each 1 < i < n, and q,j is a constant of sort D,, then add the rule

The atom f (cl, ...,&, cPj) denotes the equality between f (cl, ...,&) and ~p~ The arity

of the predicate f is n+ l , as opposed to n for the function f, because of the extra

parameter for the interpretation of f (cl, ..., c,).

0 If f is controlled, and f (c l , . . . , h ) is equal to $j in every initial state of M, add the

rule

CHAPTER 5. MAPPING BMC O F ASM TO ASP

Each atom f (cl , . . . , ~ , ~ ~ ~ , i ) denotes the equality between f (cl ,...,%) and cpj in state

si in a run ( S O , . . . , ~k ) , where 0 < i < k. The last parameter of the atom is the state

identifier, and thus the arity of the predicate f is n+2. In this case, the state identifier

is 0, which stands for the initial state. For example, in MSA, every slave sl is idle at

the beginning, i.e., sstatus(s1) is equal to sidle in every initial state. We add the rules

If no fixed initial value is given to f (cl ,..., h ) , we can arbitrarily pick its initial value

using the choice rule

Each symbol % is a constant of' sort Dp for 1 < j < m.

In a run (S O , . . . , ~k ) , if the value of a controlled location is not updated in state si, it

remains unchanged in si+l, where 0 < i < k-1. For each constant cpj of Dp, where 1

5 j < m, include the rule

In artificial intelligence, a rule of the form above is called an inertia rule, which says

that a property is true if it has been true and no action has changed it to false.

As an example, for the function sstatus in MSA, we add the rules

sstatus(Xl,sidle,I+l) + not sstatus(Xl ,swait,I+l), not sstatus(X~,sbusy,I+l),

sstatus(Xl ,sidle, I ) , slave(Xl), has-next-state(1).

sstatus(Xl,swaitlI+l) + n,ot sstatus(Xl ,sidle,I+l), not sstatus(Xl,sbusylI+l),

sstatus(X~,swait,I), slave(Xl), has-nextAate(1).


sstatus(Xl ,sbusy,I+l) + n,ot sstatus(Xl ,sidle,I+l), not sstatus(X1 ,swait,I+l),

sstatus(Xl , ~ b u ~ y , I), slave(Xl), has-nextAate(I).

0 If f is monitored, the initial value of f (c l , . . . , k ) is handled in the same way as a

controlled function. The value of a monitored location changes non-deterministically

as it is updated by the environment. To encode this behaviour, add the choice rule

For instance, for the function whoseturn in MSA, we introduce the rule

5.1.3 Terms

Let the translation of terms be a function Et, which takes two parameters: a term t and an

integer i that identifies state si in a run ( s o,...,sk), where 0 < i 5 k.

0 A variable v of sort Dp is translated into a logic program variable:

where X acts as a placeholder for the value of v. The translation also creates the

atom dp(X). We refer to the atoms introduced during the translation of a term as

'side atoms'. The side atoms identify what the logic program variable stands for. If a

logic program variable that represents the value of a term appears in a rule, the side

atoms for the term must be present in the body of the rule.

The choice of the name for the logic program variable is not unrestricted. For example,

if two distinct terms are translated into variables that appear in the same rule, the

two variables must have different names.

0 For a function application f(tl, ...,&), if f is a static nullary function, i.e., a constant

c, then f ( t l , ...,t) is not affected by the translation:


If f : Dl x ... x D, -+ D, is not a constant, f (t l , . . . ,k ) is translated into a logic

program variable:

where X holds the value of f (tl , . . . ,k) . If f is a static function, the side atoms are

f (Et (tl , i ) , . . . ,Et(k, i ) ,X) and dp(X). I f f is controlled or monitored, the side atoms are

f (Et(t1,i) ,..., Et(tn,i),X,i) and dp(X).

For example, the translation of the term sstatus(whichs1ave) results in a variable X as

well as the side atoms sstatus(Et(whichslave,i),X,i) and smode(X). Et(whichslave,i)

produces another variable Y with the side atoms whichslave(Y,i) and slave(Y). If X

occurs in a rule, then all the side atoms sstatus( Y,X,i), smode(X), whichslave( Y,i)

and slave(Y) must be present in the body of the rule.

An application of a function that is supported by the chosen answer set tool should

be translated into the appropriate syntax of the tool. These functions, which we

call 'built-in' functions, include the operators =, A, V and 7. Consider the guard

sstatus(s1) = sidle A asked(s1) = true of the first conditional rule under the rule

name SlaveRule in MSA. If SlaveRule is called with the term whichslave as the pa-

rameter, then the variable sl is replaced by whichslave, and the guard becomes ssta-

tus(whichs1ave) = sidle A asked(whichs1ave) = true. To translate the guard, we first

translate the two conjuncts respectively into two atoms ql(i) and q2(i), which are

defined by the rules

The symbol <side atoms> stands for the set of side atoms created during the transla-

tion of the terms in a rule, and thus its occurrences above refer to the side atoms from

Et(sstatus(whichslave) = sidle,^) and Et(asked(whichslave) = true,i), respectively. We

assume that '==' is the equality operator in the chosen answer set tool. Then the two

rules above become

ql(i) +- X == sidle, sstatzls( Y,X,i), smode(X), whichslave( Y,i), slave( Y).

qz(i) +- X == 1, asked( Y,X,i), boolean(X), whichslave( Y,i), slave( Y).


An equality such as X == sidle can be seen as an atom. During grounding, any

rule with a false ground equality (e.g., swait == sidle) in its body is discarded. Note

that we use '1' and '0' for the constants true and false, respectively, as '1' and '0'

are the symbols for truth values in many answer set tools. We translate the guard

sstatus(wh~ich~slave) = sidle A asked(wh,ich,slave) = true into an atom q(i), which is

true if both ql(i) and qz(i) are true:

We generalize the translation of a term t which is tl = b , tl A b, tl V b or i t l . In

tl = tz, tl and t2 are variables, constants or function applications that are translated

into logic program variables. In tl A t2, tl V t2 and l t l , tl and t2 are equalities,

conjunctions, disjunctions, negations or first-order terms. Et(t,i) returns an atom q(i)

with the following auxiliary rule(s):

q(i) + Et(tl,i) == Et(tz,i), <side atoms>. if t is tl = tz,

q(i) + Et(tl,i), E t ( t~7 i ) . if t is tl A tz,

q(i) + Et(t1,i). and q(i) +- Et(tz,i). if t is tl V b, and

q(i) + not &(tl , i) . if t is l t l .

A first-order term 3v r(v) is translated as follows. We say that a first-order term tf

'encloses' another one tfl if tfl appears in the body of tf . Let vl, ..., vn be the head

variables of the first-order terms enclosing 3v r(v). The variables vl , ..., vn and v are

of sorts Dl, ..., Dn and Dp and are translated into logic program variables XI, ..., Xn

and X, respectively.

We assume that the body r(v) is an equality, conjunction, disjunction, negation or

first-order term, and thus Et(r(u),i) is an atom qT(i). We add XI, ..., Xn and X as

parameters to qT(i) and each atom that is the head of an auxiliary rule created by

Et(r(v),i) . The term 3v r(v) is represented by an atom q(X1, ..., Xn,i), which is true

if qT (XI ,..., Xn,X,i) is true. Therefore, we create the following auxiliary rule:

Int,uitively, vl , ..., vn may occur in 3v r(v) because they are the head variables of the

first-order terms enclosing 3v r(v). For a given combination of values of ul , ... , vn, 3v

CHAPTER 5 . MAPPING BMC OF ASM TO ASP 37

r ( v ) is true in state si iff Val,l,C(,,,)(r(v)) = true for some element e in the universe

DS,z. This is encoded by the rule above.

Consider the first-order term 3v answer(u) = refuse in MSA, which is not enclosed by

any first-order terms. Suppose the head variable u, which is of sort Slave, is translated

into a logic program variable X , and the body answer(u) = refuse is translated into

an atom q,(i) with the auxiliary rule

q,(i) + Y == refuse, ans,wer(X, Y , i ) , reply( Y ) , s lave(X) .

We add X to q,(i) as a parameter, and the auxiliary rule above becomes

q,(X,i) t Y == refuse, answer(X, Y , i ) , r e p l y ( Y ) , slaue(X).

Finally, we translate the first-order term into an atom q ( i ) , which is defined by the

auxiliary rule

A first-order term Vu r ( v ) is handled by first converting it into l ( 3 v ~ r ( v ) ) .

5.1.4 Transition Rules

Let the translation of transition rules be a function E,, which takes a transition rule as a

parameter and returns a set of logic program rules.

A skip rule does nothing, and thus E,(skip) is the empty set:

An update rule is translated into a logic program rule that captures the result of the

update:

In this case, <side atoms> contains all side atoms from E t ( t l , I ) , ..., Et ( t , , I ) and

Et(tp,I) . For example,

CHAPTER 5 . MAPPING BMC O F ASM T O ASP

ET (sstatus(whichs1ave) : = swait) =

sstatus(Et(whichslave,I),~(swait,I), I + + <side atoms>,

has-next-state(1).

The rule eventually becomes

sstatus(X,swait, I + l ) + whichslave(X, I), slave(X), has-next-state(1).

A block rule is simply translated into the union of the sets of logic program rules for

all the sub-rules:

ET(block R1 ... R, endblock) = ET(R1) U ... U ET(Rn).

We say that a transition rule R encloses another one R' if R' appears in a sub-rule of

R. For the translation of the conditional, do-forall, choose and extend rules, we first

address the case where they are not enclosed by do-forall, choose or extend rules.

For a conditional rule with guard g, sub-rule R1 in the then part and sub-rule R2 in

the else part, we do the translation as follows. Suppose Et(g,I) is an atom q(I) . We

add q(I) to the body of each rule in ET(R1) and not q( I ) to the body of each rule in

ET(R2). In the following, the notation ET(R)[+lit] denotes the set of rules obtained

by adding the literal lit to the body of each rule in ET(R):

&( i f g then R1 e l s e R2 endi f ) = E , ( ~ l ) [ t q ( I ) ] U E,(~z) [+not q(I)].

For example, the rule name SlaveRule in MSA is called with the term whichslave as

the parameter. As a result, the guard of the first conditional rule under SlaveRule

becomes sstatus(whichs1ave) = sidle A asked(whichs1ave) = true, which we have al-

ready translated into an atom q(i) for some integer i. To do it for all 0 < i 5 k - l , we

replace all occurrences of i with I in the auxiliary rules that define the predicates q,

ql and 92 and add has-next-state(1) to their bodies:

ql ( I ) + X == sidle, sstatus( Y,X,I), smode(X),

whichslave ( Y, I), slave ( Y), has-next-state ( I ) .

q2(I) + X == 1, asked(Yr,X,I), boolean(X),

whichslave ( Y, I), slave( Y), has-next-state ( I ) .

q(I) + q1 ( I ) , q2(I), has-next-state(1).


The update rule sstatus(whichs1ave) := swait is in the then part of the conditional

rule. Therefore, we add q(I) to the body of the rule resulting from the translation of

sstatus(whichs1ave) : = swait:

sstatus(X,swait, I+1) c q(I), whichslave(X,I), slave (X), has-next-state(1).

0 A do-forall rule is treated as follows. Suppose its head variable v is of sort Dp and is

translated into a logic program variable X. The guard g(v) is translated by Et(g(v),I)

into an atom q(I). We add X as a parameter to q( I ) and each atom that is the head

of an auxiliary rule from Et(g(v),I). Then we include the atoms q(X,I) and &(X) in

the body of each rule in E,(R(v)), where R(v) is the sub-rule of the do-forall rule:

E,(do f o r a l l v : g(u) R(v) enddo) = (E,(R(u))[+q(X,I)])[+&(X)].

Orie can understand the translation of the do-forall rule as a compact encoding of the

following equivalent collection of conditional rules:

i f g($l) then R($l) endif

. . . i f g($,) then R($m) endif

The symbols $1, ..., c+, are constants of sort Dp.

As an example, consider the following do-forall rule in MSA:

do f o r a l l v

asked(v) := true

enddo

The head variable v, which is of sort Slave, is translated into a logic program variable

X. The guard is omitted, which means that it is the constant true, and thus it is trivial.

The translation of the update rule asked(v) := true is the rule

asked (X,l, I+l) + slave(X), has-next-state ( I ) .

The final step of the translatiori is to include the atom slave(X) in the body of the

rule above. In this case, the atom is already in the body of the rule.


0 For a choose rule, suppose its head variable v is of sort Dp and is translated into a

logic program variable X. The guard g(v) is translated by Et(g(v),I) into an atom

q(I). We add X as a parameter to q(I) and each atom that is the head of an auxiliary

rule from Et(g(v),I).

Suppose cpl, ..., cpm are constants of Dp. Let the atom choose-var(cpj,i) denote that

the value of cpj is chosen for the head variable v in state si, where 1 < j 5 m and

0 5 i 5 k-1. The predicate choose-var must be unique in that in the translation of

another choose rule, a different predicate, say choose-war', must be used. We encode

the non-determinism of the choose rule with the choice rule

This choice rule specifies that if there is a constant cpj of sort Dp for which g(cpj) is

true, then the value of a constant of sort Dp is chosen for the head variable v.

Next, we restrict with the following constraint that an element outside the range of

the guard not be chosen:

+ choose-var(X,I), not q(X,I), $(X), has-next-state(1).

The idea is that if the atom choose-var(cpj,i) is true (i.e., the value of the constant ~ p j

is chosen in state si), then the atom q ( ~ , i ) must be true (i.e., the guard g(cpj) must

be satisfied in si). The constraint above is not needed if the guard is the constant

true, in which case any element of sort Dp can be chosen.

Finally, we include the atoms choose-var(X,I) and $(X) in the body of each rule in

ET(R(v)), where R(v) is the sub-rule of the choose rule. We summarize the translation

of a choose rule as follows:

ET(choose v : g(v) R(v) endchoose) =

1 { choose-var(cpl,I), ..., choose-var(+,,I) ) 1 +

q(X,I), $(X), has-next-state(I).

t choose-var(X, I ) , not q(X, I ) , $(X), has-next-state(1).

(ET(R(v)) [+choose-var(X,I)]) [+$(X)].

CHAPTER 5 . MAPPING BMC OF ASM T O ASP

Consider the following choose rule in MSA:

choose v : ~ ( v = undef)

answer(which,slave) : = v

endchoose

The head variable v of sort Reply is translated into a logic program variable X, while

the guard ~ ( v = undef) is translated into an atom q( I ) along with the auxiliary rules

q(I) + not q ' ( ~ ) , has-next-state(I).

q l ( l ) t X == undef, reply (X) , h,as-next-state(I).

We add X to q(I) and q f ( ~ ) as a parameter and translate the choose rule into the

following:

1 { choose-var(accept, I ) , choose-var(refuse, I ) , choose-var(undef,I) } 1 t

q(X, I), reply(X), h,as-next-state(I).

+ choose-var(X,I), not q(X,I), reply(X), has-next-state(I).

answer( Y,X,I+l) t whichslave( YJ), slave( Y), choose-var(X,I), reply(X),

has-next-state ( I ) .

0 In order to handle an extend rule, we need to modify our translation scheme as some

sorts in the signature may have a dynamic universe, which we will discuss later.

0 A conditional rule may be enclosed by do-forall, choose or extend rules. Let the head

variables of the enclosing do-forall, choose or extend rules be vl, ..., v,, which are

translated into logic program variables XI, ..., X,, respectively. The guard g of the

conditional rule is translated by Et(g,I) into an atom q(I) . The conditional rule may

be executed for several combinations of values of vl , ..., v,. Therefore, we add X1, ...,

X, as parameters to q(I) and each atom that is the head of an auxiliary rule from

Et(g,I). The translation of a conditional rule enclosed by do-forall, choose or extend

rules is as follows:


We do not add the domain literals for the variables X I , ..., Xn to the body of any

rule in E T ( R 1 ) or E T ( R 2 ) as they will be added during the translation of the enclosing

do-forall, choose or extend rules.

Similarly, with enclosing do-forall, choose or extend rules, the translation of a do-forall

rule and a choose rule is as follows:

ET(choose v : g ( v ) R ( v ) endchoose) =

1 { choose-var(X1 ,... , X n , ~ l , I ) , ..., choose-var(X1, ... ,Xnrcpm1I ) ) 1 +-

q ( X l ,... , X n , X I I ) , & ( X ) , has-next-state(1).

t choose-uar(X1 ,..., X n , X , I ) , not q(Xl , . . . ,Xn ,X , I ) ,

& ( X ) , has-next-state ( I ) .

( E T ( R ( v ) ) [+choose-var(X1 , . . . ,Xn lX , I ) ] ) [+&(X)] .

Given a rule declaration r ( q , ..., vn) == R(v1, ..., v,), the translation of a call rule

r ( t l ,..., k ) is straightforward:

5.1.5 Inconsistent Updates

To handle inconsistent updates, we make a few minor changes to the construction of the

program I I (M,k ) . First, we modify the translation of an update rule as follows:

&-( f ( t l l . . . , tn) := t p ) =

update-f (Et ( t l , I ) , . . . ,Et ( tn , I ) , Et ( t p , l ) , I ) +- <side atoms>, has-next-state(1).

Given constants e l , ..., c,, and ~ p , each atom update-f (e l ,...,c,,, cp , i ) denotes that the update

set fired in state si has the update ( ( f , ( e l , ...,%)), ~ p ) , where 0 < i < k-1. The update set fired in si is inconsistent if two updates have the same location but

different values. For each controlled function f : Dl x ... x Dn -t D, in Cb1, add the rule

in.consistent(1) +- update-f ( X I ,..., Xn,Xp , I ) , update-f ( X 1 ,..., Xn,Xp , , I ) , X p != Xp,,

d i ( X i ) , ..., & ( X n ) , & ( X p ) , & ( X P / ) , has-next-state(1).


We assume that '!=' is the inequality operator in the chosen answer set tool. If the update

set is consistent, the firing of each update in the set changes the value of the location

accordingly. Therefore, for each controlled function f : Dl x ... x Dn -+ Dp, add the rule

f (XI ,..., Xn,Xp,I+l) +- update-f(X1 ,..., Xn,Xp,I), not inconsistent(I),

dl (XI), ..., &(Xn), &(Xp), has-nextAate(1).

Finally, no change occurs to the value of any location upon the firing of an inconsistent

update set. For each controlled or monitored function f : Dl x ... x D, -, Dp, include the

rule

5.1.6 Multi-Agent ASMs

A large system is often decomposed into components. In ASM modelling, each component is

represented as an agent. The behaviour of each agent is described by rule declarations. The

ASM for the master-slave agreement problem is an example of a multi-agent ASM in which

the master and the slaves are agents. In order to apply our method to multi-agent ASMs,

the decision of how the agents execute needs to be made explicit so that a multi-agent ASM

is 'masked' as a single-agent one.

Suppose we have agents agtl, ..., agk , which are constants of sort Agent. Each agent

executes the following rule declaration:

ChangeColour (agt ) ==

i f color(agt) = black then

color(agt) : = white

e l s e

color(agt) : = black

endif

The variable agt in the rule declaration is replaced by a term of sort Agent when the rule

name ChangeColour is called. In a synchronous environment where the agents execute in

parallel, we can use a do-forall rule to specify the parallel execution:

Main ==

CHAPTER 5. MAPPING BMC OF ASM TO ASP

do f o r a l 1 v

ChangeColour(v)

enddo

In a distributed system, agents execute asynchronously. In this case, we can arbitrarily

interleave their actions by introducing a nullary monitored function of sort Agent, say self:

-+ Agent, which determines the active agent in each state:

Main ==

ChangeColour(se1f)

We employ a similar approach in the master-slave agreement problem by having the two

monitored functions whoseturn and whichslave.

By explicitly specifying how the agents execute in an multi-agent ASM, our method can

be applied to it as if it were a single-agent one.

5.2 Constructing Program II(l$, k )

A run (so, ..., sk) may have a loop, whose existence is indicated by the equivalence between

the last state sk and some state st, where 0 I i 5 k-1. Two states sl and s2 of an ASM are

equivalent iff the superuniverses of sl and s2 can be mapped to each other by a one-to-one

function such that the interpretations of the functions agree on the corresponding elements.

That is, there is a one-to-one function cr such that a location (f, (cl, ...,%)) is equal to cp in

sl iff (f, (cr(cl), ...,a(%))) is equal to a (%) in s2. Since we have assumed that the universe

of each sort in E M is fixed, it will never be extended by any new elements. As a result,

we can ignore the reserve, and the superuniverse is the union of all universes. Moreover,

each element in a universe is the interpretation of exactly one constant in E M . The only

one-to-one function that can map the superuniverse of a state to that of an equivalent state

is the identity function. Therefore, two states sl and s2 are equivalent iff for each location,

its values in sl and s2 are the same.

Let h be a formula obtained by converting + into negation normal form. The method to

construct the program II(+,k) is partly derived from [27], in which the next-time operator

X is not treated. Our translation is also different in that it results in a tight program [20].

A tight program theoretically allows CMODELS, which is one of the answer set solvers we

use in our experiments, to find an answer set more easily. We construct II(+,k) as follows:


0 Let the atom el(i) identify the equivalence between states sk and %, where 0 5 i 5

k-1. There is at most one i such that el(i) can be true because a path has at most

one loop. Therefore, add the choice rule

0 For each controlled or monitored function f : Dl x ... x D, --, Dp in EM, include the

constraint

If the atoms el(i) and f (cl ,...,c,,,~p,i) are true, where each cj is a constant of sort Dj

for j = 1, ..., n and p, then f (cl ,..., cn,cp,k) must also be true. The constraint above

specifies that if states sk and si are equivalent, then for each location of the function

f, its values in sk and si must be identical.

0 Define the atoms le and il(i), where 0 5 i 5 k. A loop exists if le is true. The state

si is inside the loop if il(i) is true. (See Figure 5.1 for an example.) Add the rules

le + el ( I ) , has-next-state ( I ) .

i l ( I) + el ( I ) , has-next-state(1).

i l ( I+ l ) + il ( I ) , has-next-state ( I ) .

We call the atoms with predicate names el, le and il loop-related atoms and the rules

that have so far been added to TI(+,k) loop-related rules.

Figure 5.1: Loop-related atoms.


Recursively translate the formula h by adding the rules in Table 5.1'. In the end, we

require that a run ( s o , ..., s k ) of M satisfy h (i.e., 11)) by including the constraint

+ not h ( 0 ) .

For example, in the master-slave agreement problem, the master will issue a job order

if all slaves have confirmed to accept it. We can express this property as the following

formula for each slave sh, where 1 5 i 5 j :

G( (answer ( s l l ) = uccept A ... A answer(sl j) = accept) --+ F(order(s&) = job)).

This is our formula $. Its negation in negation normal form is

F(answer(s l l ) = accept A ... A answer(s1j) = accept A G ~ ( o r d e r ( s h ) = j o b ) ) .

Let pl, ..., pj and p represent the propositions answer(sl l) = accept, ..., answer(sl j)

= accept and l ( o r d e r ( s & ) = job), respectively. We translate them into the following

rules:

pi ( I ) c answer(sll,accept,I), valid-state(1).

. . . p j ( I ) c answer(slj ,accept,I), valid-stute(I).

p ( I ) c not order(sh,job,I), valid-state(1).

Let hl stand for G p . We translate hl into the following rules:

hl ( I ) + p ( I ) , hl ( I + l ) , has-next-state(1).

hl ( k ) e le, not qhl .

qhl + i l ( I ) , not p ( I ) , has-next-state(1).

Let hz represent the corijunction pl A ... A pj A h i , which we translate into the

following rule:

b ( I ) + pi ( I ) , ..., % ( I ) , hl ( I ) , valid-state(1).

' T h e translation o f h~ R h2 is guided b y the equivalence hl R h2 = (h2 U (hl A h2)) V Gh2.

C H A P T E R 5. MAPPING B M C OF A S M T O A S P

Formula h

Table 5.1: Translation of an LTL formula.

atomic proposition Translation h ( I ) + f ( c l , . . . , ~ , q , ) , valid-state(1). iff is static h ( I ) + f (cl , . . . , ~ , c ~ , I ) , valid-state(1). otherwise h ( I ) + not f (cl , . . . ,h,q,), valid-state(1). if f is static h ( I ) + not f ( c ~ , . . . , ~ , c ~ , I ) , valid-state(1). otherwise h ( I ) + hl ( I ) , k ( I ) , valid-state(1). h ( I ) + hl ( I ) , valid-state(1). h ( I ) + h 2 ( I ) , valid-state(1). h ( I ) + h l ( I ) , h ( I + l ) , has-next-state(1). h,(k) + le, not qh. qh + i l ( I ) , not hl ( I ) , has-next-state(1). h , ( I ) + hl ( I ) , valid-state ( I ) . h ( 1 ) + h ( ~ + l ) , has-next-state(1). h ( k ) + i l ( I ) , hl ( I ) , has-next-state(]). h ( I ) + h l ( I + l ) , has-next-state(1). h , (k) + e l ( I ) , h l ( I + l ) , has-next-state(1). h , ( I ) + h.2 ( I ) , valid-state(1). h , ( I ) + h , l ( I ) , h , ( I+ l ) , has-next-state(1). h,(k) + i l ( I ) , h 2 ( I ) , n,ot r h ( I ) , has-next-state(1). r h ( I ) + J < I, i l ( J ) , not h l ( J ) ,

has-next-state(I), has-next-state(J). h.(I) + h l ( I ) , h ( I ) , valid-state(1). h ( I ) + h 2 ( I ) , h ( I + l ) , has-next-state(1). h ( k ) + i l ( I ) , hl ( I ) , h 2 ( I ) , not r h ( I ) , has-next-state(1). r h ( I ) + J < I, i l ( J ) , not k ( J ) ,

has-next-state(I), has-next-state(J). h ( k ) + le, not qh. qh + i l ( I ) , not k ( I ) , has-nextAate(1) .


Let h represent Fh2, which is the formula for the negation of our property. We translate

h into the following rules:

Finally, we add the constraint + not h(0).

5.2.1 Assumptions

In many cases, we need to make assumptions about the runs of an ASM in verification.

We can formulate them in LTL. Givcn an LTL formula $J and assumptions PI, ..., P,, a

counterexample for $J is a witness for the conjunction + A PI A ... A P,. As a result, the

program II(+,k) should be constructed for 11C, A Pl A ... A P,.

As an example, for the property that the master will issue a job order if all slaves

have confirmed to accept it, we rieed to assume that the master is active infinitely often.

Otherwise, no job might be given forever simply because the master is never selected to be

the active agent. This assumption is written as the LTL formula GF(whoseturn = master).

Therefore, II(+,k) is constructed for the formula

F(answer(sll) = accept A ... A answer(slj) = accept A Gl(order(sk) = job)) A

GF(whoseturn = master).

5.3 Dynamic Universes

Many systems need to expand their working space during execution. An example is a

system in which its components comniunicate by exchanging messages, which are generated

dynamically. Such systems can be modelled as ASMs in which some sorts have a dynamic

universe. The universe of a sort can be expanded by an extend rule that brings in a new

element from the reserve. The reserve is infinite by definition, but ASP does not support

infinite domains, neither do typical model checkers. Therefore, we must restrict the reserve

to be a finite set. Specifically, we view the reserve as a set of finite sub-reserves, each of

which contains the new elements that can be added to the universe of a particular sort.

We believe that having a finite reserve is not impractical as resources are not unlimited in


most systems if not all of them. Besides, the extend rule is quite commonly used in ASM

modelling. We want our model checking method to support the extend rule so that users

will not have to avoid using it for the purpose of model checking. Even with a finite reserve,

we can still obtain useful model checking results.

In the standard definition of the ASM language, the reserve will never run out of new

elements. For the purpose of model checking, we make the reserve finite, which means that

its elements may be used up. Therefore, we need to change the semantics of the extend rule

to cover the possibility of failing to import a new element. Consider an extend rule whose

head variable is of sort Di. We associate Di with a sub-reserve Resi. Given a state s, if Resf

is not empty, then the semantics of the extend rule is as follows:

A,,C(extend Di with u R(u) endextend) = A,,,C(,,,)(R(u)),

where e E Resf,

and s' is obtained from s by extending the universe of Di with el

i.e., @' = @ u { e ) and ~ e s f ' = Resf \ { e ).

If Resf is empty, then the update set is the empty set. This change in the semantics of

the extend rule is not a severe penalty. In general, new elements are introduced and later

returned to the reserve, like dynamically allocated memory being returned to the memory

pool in computer programming. An empty sub-reserve does not arise often if the initial size

of the sub-reserve is not unreasonably small.

5.3.1 Changes to II(M,k)

Changes need to be made to the construction of the program II(M,k) to support dynamic

universes. Consider a sort Dp associated with a sub-reserve Resp. Initially, we let the

universe of Dp be empty. Let { cpl, ..., cp, ) be a set of names such that each element in

Res, is represented by exactly one $ j , where 1 < j < m. For each cpj, add the rule

Note that $,j is not a syntactic symbol in the signature of the ASM. It is just a symbol in

the logic program that identifies a reserve element. It does not appear in the ASM or the

LTL formula. We do not distinguish the name $j and the element that it represents.

Let the atom dp-uni~erse($~,i) denote that ~ p j is in the universe of sort Dp in state st

for each 0 < i < k, and the atom dp-remoued($j,i) denote that cpj is removed from the


universe of Dp in state si. An element in the universe will stay there if it is not removed.

Therefore, include the rule

dp-universe(X,I+l) + dp-universe(X,I), not dp-removed(X,I),

dp(X), has-nextAate(1).

In addition, let the atom dp-res-nempty(i) denote that the sub-reserve Resp is not empty in

state si. The sub-reserve is not empty if an element of Dp is not in the universe. Therefore,

add the rule

4-res-nempty(1) + not 4-universe(X,I), &(X), has-next-state(1).

We give the translation of an extend rule that is not enclosed by do-forall, choose or

extend rules. Suppose the head variable v is of sort Dp and is translated into a logic program

variable X. Let the atom e x t e n d - v a r ( ~ ~ , i ) denote that the reserve element ~j is imported

and assigned t o v in state si. The predicate extend-var must be unique in that in the

translation of another extend rule, a different predicate, say extend-war', must be used. In

each state, any element in the sub-reserve Resp (that is, not currently in the universe of Dp)

can be imported. This is specified by the following choice rule and constraint:

1 { extend-var(cpl,I), ..., extend-var(cpm,I) ) 1 +

4-res-nempty ( I ) , has-next-state ( I ) .

e extend-var(X, I ) , dp-universe (X, I ) , dp (X) , has-next-state ( I ) .

An imported reserve element is added to the universe, which is encoded by the rule

dp-universe(X, I + l ) + exten,d-var(X, I ) , dp(X), has-next-state(1).

Then we include the atoms extend-var(X,I) and dp(X) in the body of each rule in E,(R(v)),

where R(v) is the sub-rule of the extend rule. We summarize the translation of an extend

rule as follows:

E,.(extend Dp with v R(v) endextend) =

1 { extend-var(cpl,I), ..., extend-var(~,,I) ) 1 +

4-res-nempty(I), ha-next-state(1).

+ extend-var(X, I ) , dp-universe (X, I ) , dp(X), has-next-state ( I ) .

dp-universe(X,I+l) + extend-var(X,I), dp(X), has-nextLstate(1).

(E,(R(v))[+extend-var(X,I)])[+dp(X)].


Suppose the extend rule is enclosed by do-forall, choose or extend rules whose head vari-

ables are vl, ..., v, and are translated into logic program variables X1, ..., Xn, respectively.

In the translation of the extend rule, we add XI, ..., Xn as parameters to each atom with

predicate extend-var.

A reserve element can only be taken by one extend rule in each state. In the translation

of two extend rules, we use two different predicates, say extend-var and extend-var', to

denote the assignments of reserve elements to the respective head variables. If the two head

variables are of the same sort, we make sure that the same reserve element is not taken by

the two extend rules in the same state with a constraint like the following:

To remove a previously imported element from the universe of sort Dp and return it to

the sub-reserve Resp, we use an update rule Dp(t) := false, where t is a term of sort Dp.

This update rule is translated into the logic program rule

dp-removed(Et(t, I), I) t <side atoms>, has-next-state(1).

The rest of the changes to I I ( M , k ) are as follows:

If f : Dl x ... x Dn -+ Dp is a controlled or monitored function in En,, and Dl for

some 1 < 1 5 n or Dp is a sort with a dynamic universe, then we do not write any

rules to specify the initial values for f because we assume that the universe of sort Dl

or Dp is initially empty. The I-th argument of a location o f f must be an element in

the universe of Dl. Likewise, the value of a location of f must be an element in the

universe of Dp.

We have inertia rules specifying that the value of a controlled location remains un-

changed if not updated. Suppose f : Dl x ... x Dn -+ Dp is a controlled function,

where Dl for some 1 5 1 5 n and Dp are sorts with a dynamic universe. For each $ j

in the initial sub-reserve of Dp, where 1 5 j 5 m, include the rule


We have the atom dl-universe(Xl,I+l) in the body of the rule because an argument of

a location cannot be a reserve element. We also have the atom dp-uni~erse($~,I+l)

in the body of the rule, since cpj cannot be the value of any location unless it is in the

universe of sort D,.

If the function f is monitored, its non-deterministic value change is encoded by a

choice rule plus a constraint:

In the body of the choice rule, we have the atom dp-universe(Xp,I+l) because the

non-deterministic value change is possible only if at least one element is in the universe

of Dp in the next state. The constraint restricts that only an element in the universe

of sort Dp can be the value of a location.

Consider a first-order term 3v r(v) in which the head variable v is of sort D,. Suppose

it is enclosed by n other first-order terms. The translation of 3v r (v) for a given integer

i is an atom q(Xl, ..., Xn,i) with the auxiliary rule

The difference from the case where sort D, has a fixed universe is that we have the

atom dp-universe(X,i) in the body of the auxiliary rule because 3v r(v) is true if there

exists an element e in the universe of Dp such that r (e) is true.

For a do-forall rule whose head variable is of sort D,, if it is not enclosed by do-forall,

choose or extend rules. its translation is as follows:

The sub-rule R(v) cannot be executed for an element not in the universe of sort Dp.

Therefore, we modify the original translation by adding the atom 4-universe(X,I) to


the body of every rule in ET(R(v)). If the do-forall rule is enclosed by do-forall, choose

or extend rules, we change its translation in the same way.

0 For a choose rule whose head variable is of sort D,, if it is not enclosed by do-forall,

choose or extend rules, its translation is as follows:

ET(choose v : g(v) R(v) endchoose) =

1 { choose-var(cpl,I), ..., choose-var(cp,,I) ) 1 +-

q(X,I), 6-universe(X,I), $(X), has-next-state(1).

c choose-var(X,I), not q(X,I), $(X), has-next-state(1).

c choose-var(X,I), not 6-universe(X,I), $(X), has-next-state(1).

( E T ( R ( ~ ) ) [+choose-var(X,I)])[+$(X)].

We change the original translation by putting the atom 6-universe(X,I) in the body

of the choice rule and adding a constraint to specify that the chosen element must

be in the universe of D,. This change also applies if the choose rule is enclosed by


5.3.2 Changes to II (+ ,k)

What needs to be modified in the program II(+,k) is how to determine whether states sk

and s, are equivalent for some 0 5 i 5 k-1 in a run (so, ..., sk). Two states sl and s2 of an

ASM are equivalent iff the superuniverses of sl and s2 can be mapped to each other by a

one-to-one function such that the interpretations of the functions agree on the corresponding

elements. For simplicity, we use a more restricted definition of state equivalence: two states

sl and s2 of an ASM are equivalent iff for each sort in the signature of the ASM, its universes

in sl and s2 are identical, and for each location, its values in sl and s2 are the same.

The original definition of state equivalence clearly subsumes our restricted version. We

explain why the latter is sufficient. We call the original definition OD and the restricted one

RD. Recall that we determine state equivalence in order to detect a loop in a run. Consider

two runs .ir = (so ,..., si ,..., sj) and .ir1 = (so ,..., si ,..., sj,) of an ASM. The two runs differ only at

the last state. Suppose states si and sj are equivalent under OD but not under RD. Then

.ir has a loop under OD only. Suppose states si and sj, are equivalent under RD. Then they

are also equivalent under OD, and thus .irl has a loop under both definitions. Therefore, the

two runs are equivalent under OD, i.e., .ir satisfies an LTL formula iff .irl satisfies it. However,


they are not equivalent under RD, which seems theoretically undesirable. The truth is that

it does not matter practically. Remember that our task is to look for a witness for the

negation for the LTL formula II, in the ASM M. If .irl is a witness for l I I , under RD, then

it is a witness for l I I , under OD (and so is r). This means that there is indeed a witness

for l I I , in M. Is .ir also a witness under RD? It may not be because it does not have a loop

under RD, but it does not matter because we already have a legitimate witness in . i r l , which

is enough to show that M does not satisfy @.

Since .irl has a loop under both OD and RD, if .irl is not a witness for l I I , under RD, it is

not under OD either. Since .ir and .irl are equivalent under OD, if .irt is not a witness under

OD, neither is .ir. Then .ir should not be a witness under RD. Otherwise, we might obtain a

false witness. Therefore, we need to show that if .irl is not a witness for l I I , under RD, then

neither is .ir. Note that states sj and sjl are equivalent under OD because they are both

equivalent to si. Their superuniverses can be mapped to each other by a one-to-one function

a such that the interpretations of the functions agree on the corresponding elements. For

each sort with a fixed universe, a must be the identity function because each element in

the universe is the interpretation of exactly one constant. For each sort with a dynamic

universe, a does not have to be the identity function. This means that the only difference

between sj and sjl is that for each sort Dp with a dynamic universe, its universe in s j may

not have the same elements as its universe in sj,. (The universes in the two states have the

same number of elements, however. Otherwise, we might have a situation where an element

e is in the universe of D, in sj, but a ( e ) is not in the universe of Dp in sj,.) No LTL formulas

are concerned about what elements are in the universe of Dp in any state. Therefore, if .irl

is not a witness for l I I , under RD, then neither is .ir.

Given our restricted definition of state equivalence, the only change to I I ( l@,k) is as

follows. If states sk and si are equivalent for some 0 < i < k-1, then for each sort in CAI, its

universes in sk and si are identical, i.e., an element is in the universe of a sort in sk iff it is

in the universe of the same sort in si. Therefore, for each sort Dp with a dynamic universe

in EM, add the following constraints to II(+,k):

+ el(I), dp-universe(X,I), not dp-universe(X,k), dp(X), has-next-state(1).

+ el(I), not dp-universe(X,I), 6-universe(x,k), dp(X), has-next-state(1).

In additmion, for each location, its values in sk and si are the same, which we have already

shown how to encode using constraints.

CHAPTER 5. A4APPING BMC OF ASM T O ASP

5.4 Correctness of Method

We say that a run (so, ..., sk) of an ASM M is obtained from a set of atoms A if for each

controlled or monitored function f : Dl x ... x D,, -+ D, in Chi and each 0 < i < k, the

location (f, (cl ,..., %)) is equal to c, in state si iff the atom f (cl ,... ,cn,+,i) is in A, where

cj is a constant of sort Dj or a name representing a reserve element that can be added to

the universe of Dj for j = 1, ..., n and p. The set A may have atoms that are not of the

form f (cl ,...,%, + , i ) However, since a state of an ASM is characterized by the values of

the locations, we are only interested in the atoms that provide information about location

values, and these atoms have the form f (cl ,..., %,cTl,i).

Given an ASM M, an LTL formula $ and a bound k, we have the following soundness

and completeness results for the program II(M,k) U II(+,k):

Theorem 1. (Soundness). If II(M,k) U II(l$,k) has an answer set A, then a run

(~o, . . .~sk) of M satisfies T$ and can be obtained from A.

Theorem 2. (Completeness). If a run (so, ..., sk) of M satisfies +, then II(Mlk) U

II(l$,k) has an answer set from which a run equivalent to (so, ..., sk) can be obtained.

The proofs of the two theorems are given in Appendix.

5.5 Computational Complexity

We let Q stand for the problem of finding a counterexample for an LTL formula $ in an

ASM M given a bound k. Assuming A4 is defined over a fixed finite signature, and k is given

in unary, Q is NP-complete, which we prove by showing that Q is in NP and is NP-hard.

If k is given in unary, then the translation from Q into the logic program II = II(M,k)

U II(+,k) is linear time, and hence linear size. Since the signature of M is fixed finite, the

number of variables in each rule in II is bounded by a constant c. Therefore, the grounding

of II is polynomial time (at most O(IIIC)) because each rule r with n variables generates

at most dn ground instances, where d is the size of the largest domain of a variable in r.

An answer set for lI is of size at most that of the ground instantiation of II, and thus it

is polynomial size in II. It can be verified in time polynomial in the size of the ground

instantiation of II, and hence in the size of II. Consequently, Q is in NP.

We show that Q is NP-hard by giving a linear time reduction of propositional satisfi-

ability to Q. Given a propositional formula in CNF, say 4, we define an ASM M over a

CHAPTER 5. MAPPING BMC OF ASM T O ASP 56

signature that has only one sort, which is Boolean. For each atom a in 4, there is a nullary

monitored function fa: -+ Boolean in the signature, and the initial value of fa is either true

or false. In addition, M has no transition rules. We let the LTL formula $ be 74 and the

bound k be 0. As a result, the problem of determining the satisfiability of 4 has become

that of finding a counterexample ( s o ) for $ in M, where so is an initial state of M. Since the

complexity of propositional satisfiability is NP-complete, Q is NP-hard.

Note that we have made two assumptions in regards to the complexity of Q: the signature

of M is fixed finite, and k is given in unary. Dropping either assumption may result in a

problem that is not in NP, but is certainly in NEXP, and we conjecture that it is NEXP-

complet,e.

Chapter 6

Experiments

6.1 Implementation

We have implemented a bounded model checker, which we call ASM-BMC, based on the

method described in the previous chapter. The model checking process in ASM-BMC is

depicted in Figure 6.1. It takes an ASM M, an LTL formula $, an initial bound k and a

step value c as input. It constructs the logic programs II(M,k) and II(+,k) and run an

answer set solver on II(M,k) U II(+,k). If an answer set is found, a counterexample for $

will be obtained from the answer set and displayed. Otherwise, the bound will be increased

by the step value c and the checking process repeats.

The input ASM is written in ASM-SL, which is the specification language in ASM

Workbench. The choice of ASM-SL makes it easier for us to compare our approach to the

one based on the model checker NuSMV, since it is the input language of the ASM-to-SMV

translator developed by Winter [46], and NuSMV is a reimplementation and an extension

of the BDD-based model checker SMV [35]. Modifying our tool to accept a different ASM

specification language such as AsmL is possible as all these languages are based on the same

mathematical framework. Our tool supports the following features of ASM-SL:

0 boolean, enumeration and finite integer sorts,

0 static, dynamic and external functions, where 'dynamic' and 'external' are the terms

used in ASM-SL for 'controlled' and 'monitored',

0 non-nullary functions and first-order terms,

CHAPTER 6. EXPERIMENTS

Figure 6.1: ASP-based bounded model checker ASM-BMC.

LTL formula ASM

Negation of LTL formula

I Logic Program 1 LTL To

Logic Program for

I ASM

Logic Program for negation of Answer Set Bound

LTL formula

Answer Set?

Counterexample for No counterexample LTL formula within bound.

Increase bound by step value and try again.

0 skip, update, block, conditional, do-forall, choose and call rules (no extend rule in

ASM-SL), and

0 basic boolean and arithmetic operations

In addition, our tool supports dynamic universes (with the restriction of a finite reserve) as

well as the extend rule.

We incorporated the answer set solvers SMODELS 2.28 and CMODELS 3.54 into our

model checker as we would like to compare them in our experiments. SMODELS computes

the answer sets of a program as its stable models as defined in [23]. The algorithm that

it employs is detailed in [40]. CMODELS is based on the relationship between answer

set semantics and completion semantics [I]. It converts logic programs into propositional

formulas and uses a SAT solver to find answer sets [2, 331. Both solvers require the logic


program preprocessor LPARSE 1.0.15 [42], whose primary task is grounding. In LPARSE,

t in a rule is replaced by : -. Since we use LPARSE as the logic program preprocessor, we take advantage of its

features to simplify the construction of II(M,lc) and rI(+~,lc):

0 If the extent of a domain predicate d is an integer range, say 1 to 5, we can define d

in LPARSE as follows:

Therfore, we can define the two domain predicates valid-state and has-nextstate in

LPARSE as follows:

The value of the constant k is given when LPARSE is run. When the bound is

increased, we simply provide a larger value for k, and no changes need to be made to

the programs II(M,k) or rI(+~,lc).

0 We make use of conditional literals. A conditional literal compactly represents a

sequence of literals that exhibit a pattern. For example, given a domain predicate d

whose extent is 1 to 5, the sequence of atoms p ( l ) , ..., p(5) can be expressed as the

conditional literal p ( I ) : d(1) in LPARSE, where d is the condition of p.

We show two examples of using conditional literals in our implementation. First, for a

monitored function f : Dl x D2 -+ 4 , we encode its non-determinism with the choice

rule

This avoids listing each atom f (XI, X2, c , I+1) in the cardinality expression for each

constant c for which the atom d3(c) is true. In another example, suppose f : Dl x D2 - D3 is a controlled function. We only need one rule to specify inertia in LPARSE:


During grounding, the two conditions d 3 ( Y ) and Y ! = X 3 expand the negative literal

not f ( X I , X 2 , Y , I+1) into a sequence of negative literals, in each of which the constant

that replaces the variable Y is not equal to the one that substitutes X 3 .

6.2 Experimental Results

We compared our ASM model checking approach to the one based on NuSMV. Given an

ASM and an LTL formula, we tried to find a counterexample for the formula in the ASM with

our tool ASM-BMC. In the process, we compared the two answer set solvers used by ASM-

BMC. Then we used Winter's ASM-to-SMV translator to produce the NuSMV code and fed

it along with the LTL formula to the SAT-based bounded model checker (NuSMVIBMC)

and the BDD-based checker (NuSMVIBDD) in NuSMV 2.3.0. In our experiments, the SAT

solver invoked by both CMODELS and NuSMVIBMC was zChaff 2004.11.15 [36]. We set a

limit of 7200 seconds for each tool1. For BMC, we initialized the bound to 10 and increased

it by 5 when no counterexample was found. We conducted all experiments on a Linux PC

with a 2.8GHz CPU and 1024MB RAM.

For the first batch of our experiments, we chose the FLASH Cache Coherence Protocol,

which supports sharing of memory among the processing nodes in the Stanford FLASH

multiprocessor. In the architecture of FLASH, memory is divided into lines, each of which

is associated with a host node. A node that wants to access a line sends a request to its host.

Two types of access are supported: shared (for read) and exclusive (for write). The protocol

was used by Winter as a model checking case study in [46]. We modified her correct ASM

in an attempt to reproduce some of the errors she detected and formulated the following

propert:ies in LTL:

0 P1: No two nodes have exclusive access to the same line at any time.

'In [43], we used a time limit of 3600 seconds. Since then, we have identified errors in the implementation of our model checker, ASM models and LTL formulas. We reran our experiments after correcting the errors and found that in some cases, a counterexample was not found within 3600 seconds but was within 7200. Therefore, we raised the limit t o 7200 seconds.


Ai A,+,, G(7(State(nodej,linq) = exclusive A State(nodej,,lins) = exclusive))

0 P2: Every request will eventually be acknowledged.

Ai A j G(CurPhase(nodej,linei) = wait + F(CurPhase(nodej,linq) = ready))

P3: Whenever a node obtains shared access to a line, it will be marked as a sharer of

the line.

A i A j G((State(nodej,linq) = shared + X(Sharer(linq,nodej) = true)) V

(Sharer(linq,nodej) = true --t X(State(nodej,linq) = shared)))

The experimental results are shown in Table 6.1. The first column has the model param-

eters: the number of nodes (N) , the number of lines (L), and the size of the message queue

for each node (Q). In the columns ASM-BMC (SMODELS), ASM-BMC (CMODELS) and

NuSMV/BMC, the notation 'k=n, t s' reports the total time t in seconds taken for the

corresponding tool t o find a counterexample within the bound n. If no counterexample

was found, 'lc>n, t s' reports the total time taken to prove the absence of counterexamples

within the largest bound n before the time limit was exceeded (the time to prove the absence

of ~ount~erexamples within n may be much less than the time limit, but the limit may be

exceeded before any result is given for the next attempted bound n+5). The question mark

'?' means that the tool did not terminate within the time limit for the initial bound 10.

The last; column reports the time taken for NuSMV/BDD to complete, with '?' indicating

that it failed to finish within the time limit. All timing numbers for our experiments are

CPU time.

In the second batch of experiments, we tried to detect the 'livelock error' in an early ver-

sion of the i-Protocol. The i-Protocol is an optimized sliding window protocol that provides

reliable full-duplex communication between two machines. The livelock error arises when a

certain sequence of packet losses or corruptions causes the communication to go into a cycle

in which the receiver ignores all packet,~ from the sender. We modelled the erroneous version

of the i-Protocol as an ASM based on the description in [19], in which the protocol was used

as a benchmark for various model checkers. The model parameters were the window size

( W) and the medium buffer capacity (B) for each direction of communication. The window

allows the sender to send W packets consecutively without waiting for an acknowledgement

CHAPTER 6. EXPERIMENTS 62

Table 6.1: LTL Model Checking Experiments for FLASH Cache Coherence Protocol

from the receiver. Data packets are identified by sequence numbers ranging from 0 to 2 W-1.

According to the error scenario described in 1191, we specified the following property in LTL:

0 P4: If the data packet with sequence number [11//21 from the sender has been accepted

by the receiver, and at some point no more packets will be dropped or corrupted, then

the next data packet from the sender (with sequence number ([W/21+1) modulo 2 W)

will eventually be accepted by receiver. (A packet is corrupted if there is a checksum

error in its header or data.)

NuSMV/BDD

?

G((h1 A FGh2) + Fh,a),

where hZl is (accepted([W/21) = true),

h2 is (dropped = false A hckerr = false A dckerr = false), and

h.3 is (accepted(([W/21+1) modulo 2 W ) = true).

Parameters

N=2,

This property will be violated if the livelock error is present. The experimental results are

given in Table 6.2. In the table, the symbol ' x ' indicates the lack of result because the

ASM-to-SMV translator failed to produce any output due to a run-time error.

In the ASM for the i-Protocol, we explicitly modelled the medium as two buffers of a

fixed size, one for each direction of communication. We specified the sending of a packet as

putting it in the buffer and the receiving or loss of a packet as taking it from the buffer.

This approach made the universe of each sort in the ASM fixed. However, the modelling

and verification of the protocol should be concerned about its behaviour. A more suitable

abstraction should free one from considering what the medium looks like. In this abstraction,

ASM-BMC (CMODELS) k=20, 3.5 s

NuSMV/BMC

k=20, 1007.6 s

Property

P 1

ASM-BMC (SMODELS) k=20, 46.6 s


Table 6.2: LTL Model Checking Experiments for i-Protocol.

Table 6.3: LTL Model Checking Experiments for i-Protocol (Different ASM Model).

Pammeters

W=l,

a packet to be sent is simply dynamically created and put into the universe of a sort, say

PacketsInMedium,. This can be easily modelled by an extend rule. When the packet is

NuSMV/BMC

k=15, 722.7 s

Parameter

W=l

received or lost, it is removed from the universe. This abstraction does not vary regardless

Property

P4

NuSMV/BDD

5045.0 s

of what the underlying medium looks like and how the sending and receiving of a packet

are implemented.

ASM-BMC (SMODELS) k=15, 4.0 s

ASM-BMC (CMODELS) x

Property

P4

Based on this more suitable abstraction, we modified the ASM for the i-Protocol and

reran our experiments. NuSMV was omitted as the translation of ASMs into the syntax of

NuSMV does not cover the extend rule. For the initial sub-reserve of the sort PacketsIn-

ASM-BMC (CMODELS) k=15, 1.8 s

ASM-BMC (SMODELS) k=15. 182.4 s

Medium, we set its size to 10. The results are shown in Table 6.3, in which the symbol ' x '

indicates the lack of result possibly due to a bug in CMODELS'. The times in the rerun

were significantly longer. This should be due to the fact that the size of the sub-reserve of

sort PacketsInMedium was substantially larger than the combined size of the two buffers in

the first run.

'We suspect that there is a bug in CMODELS because SMODELS found an answer set for the same logic program for which CMODELS declared no answer set. We have reported this problem to the development group for CMODELS, who is now investigating the problem.


The ASM models, LTL fornlulas, logic programs, NuSMV models and tools used in all

experiments are available at http: //www. sf u . ca/-ctang/experiments . html.

6.3 Discussion

Both ASM-BMC (SMODELS) and ASM-BMC (CMODELS) outperformed NuSMV sub-

stantially. In each case, they found a counterexample faster or reached a higher bound

before exceeding the time limit. Both CMODELS and NuSMV/BMC convert their in-

puts into propositional formulas in CNF. We noticed that the CNF formulas generated by

CMODELS were much smaller. For example, at bound 20 for property P1 with parameters

N=2, L=l and Q=l, the CNF formula created by CMODELS had 14436 atoms and 48615

clauses, compared to 176566 atoms and 655268 clauses in the one by NuSMV. The differ-

ence can be partly attributed to the fact that the NuSMV models from the ASM-to-SMV

translator were unnecessarily large and consequently affected the performance of NuSMV.

One major benefit of using ASP in the model checking of ASMs is the ease of translating

ASMs into logic programs. Typically, there are three main steps in a model checking process:

translating the model into the input syntax of a model checking tool, running the tool, and

analyzing its output. A compact translation of the given model that is easy to produce can

certainly reduce the overall model checking effort. The language of ASP helps significantly

in this regard. In our approach, no 'location unfolding' is needed during the translation.

To see what location unfolding is, consider the update rule InMess(Se1f) : = noMess in the

ASM for the FLASH Cache Coherence Protocol, where InMess: AGENT + TYPE is a

controlled function, Self: -+ AGENT is a monitored function, and noMess is a constant

of sort TYPE. In order to use NuSMV, the parameter Self has to be 'unfolded' into every

value it can take, and the update rule is unfolded into a set of conditional rules:

InMess(Se1f) : = noMess + if Self = al then InMess-al := noMess endif

. . . if Self = a,, then InMess-a,, := noMess endif

The symbols al, ..., a,, are constants of sort A GENT. The unnecessarily large NuSMV models

in our experiments were caused by redundant location unfolding. In ASP, the translation

of the update rule always produces one logic program rule:

in,mess(X,noMess,I+l) + self (X, I ) , agent (X) , has-next-state(I).


In general, to translate an ASM into the language of a model checker with no support for

non-nullary functions (like NuSMV), every location that occurs as a parameter of a non-

built-in function must be unfolded into every possible value. In ASP, non-nullary functions

can easily be handled with predicates and variables. Note that location unfolding is not

totally eliminated, since variables in a logic program must still be replaced by their possible

values during grounding. Instead, it is taken out of the translation algorithm and handled

by an efficient grounding program like LPARSE. The language of ASP also provides efficient

treatment of other components in ASMs, such as first-order terms (without having to convert

each one into a conjunction or a disjunction), do-forall rules (without having to map each

one into a group of conditional rules), and choose rules (with a simple constraint to restrict

the choice of an element from the range of the guard). The result is a more compact encoding

of an ASM that requires less effort to produce. We believe that the compact encoding is a

main reason that we obtained good experimental results for our approach.

Since NuSMV is considered to be a state-of-the-art model checker, in the future, it would

be interesting for us to experiment with an improved implementation of the ASM-to-SMV

translation in order to further determine the value of our ASP-based approach. Neverthe-

less, our experimental results strongly indicates that our approach is very encouraging. In

addition, since both NuSMV/BMC and CMODELS convert their inputs into CNF formulas,

we could gain more insight by examining how their respective input impacts the efficiency

of their CNF formula generation.

As for the comparison between the two ASP solvers, CMODELS outperformed SMOD-

ELS in all cases, with the exception to the rerun of the experiments for the i-Protocol. The

former appears to be more scalable in the size of the model and the bound. In particular,

given the same ASM and LTL formula (and the same logic program as a result), CMODELS

performed substantially better as the bound was increased. In some cases, SMODELS took

a small amount of time (much less than the time limit) to get through the first two to three

bounds, i.e., 10, 15 and 20. After that, it did not return any result for the next bound before

the time limit was up. Our results largely coincide with others comparing the two solvers on

computing one answer set, such as those in [33]. In our experiments, they were configured

to compute one answer set which would suffice to show the violation of a property.

The promising results from CMODELS provide another piece of evidence that the use

of SAT is very conducive to model checking. In fact, SAT is strong at finding solutions

to problems encoded in propositional logic as modern SAT solvers are capable of handling


satisfiability problems with hundreds of thousands of variables or more. This motivated the

development of CMODELS. However, the weak expressiveness of propositional logic makes

a direct SAT translation of an ASM difficult. For example, it offers no direct support for

non-nullary functions and non-boolean functions. Moreover, propositional formulas are less

human understandable than normal logic programs. This is important, since during the im-

plementation of the translation, manual inspection of the correctness of the implementation

is inevitable. Therefore, an intermediate tool such as CMODELS is very useful. It allows

an ASM to be represented in the expressive language of ASP and translates the resulting

logic program into a propositional formula for solution computation.

Readers may find that the ground instantiation of a program may have an enormous

size and make answer set solving time-consuming. For example, if a program has nl rules,

each of which has n2 distinct variables that ranges over ns values, then the grounding of

the program results in nl x nsn2 ground rules at worst. However, this worst case explosion

in the size of the ground instantiation of a program rarely happens. Consider an equality

f (a l ) = f (&), where f is a controlled function of sort D,, and a1 and a2 are constants of

D,. For some integer i, the translation of the equality is an atom q(i) with the auxiliary

rule

If there are n constants of sort D,, then the number of ground instances resulting from the

rule above is n rather than n2, since there are only n combinations of Xl and X2 which

satisfy the equality X 1 == X2. In general, conditions (like equalities) in the body of a

non-ground rule are satisfied by only a subset of all possible combinations of values for the

variables in the rule. The size of this subset is often far less than the product of the range

sizes for the variables. The time to weed out those unsatisfiable combinations should be

negligible in general, since in our experiments, grounding time only accounted for a very

tiny fraction of the total answer set computation time. Nevertheless, we cannot exclude the

possibility that the size of the ground instantiation of a program could cause a bottleneck in

answer set computation. One can alleviate this problem by reducing the number of distinct

variables in a rule, even at the cost of adding extra atoms and rules.

Chapter 7

Related Work and Conclusions

7.1 Related Work

Several ASM checking methods based on existing model checkers are available in the lit-

erature. In [46], Winter showed how to transform ASMs into SMV code and used this

transformation to check the FLASH Cache Coherence Protocol and the Production Cell

System. The transformation, implemented jointly by Winter and Del Castillo [17], requires

location unfolding so that an ASM is flattened into a set of conditional rules with only

nullary functions. In the same work, Winter also proposed a way to verify ASMs using

the model checker MDG, which is mainly used for hardware verification. MDG is based on

Multiway Decision Graphs, which subsume BDDs, and supports abstract data types and

uninterpreted functions. A case study of the MDG-based approach can be found in [22].

The transformation that generates MDG models from ASMs also require location unfolding,

but the unfolding approach is slightly different.

In [21], the authors presented a way to encode an ASM in PROMELA, which is the input

language of Spin, for the purpose of generating tests from the ASM using the counterexample

generation ability of Spin. The encoding does not address non-nullary functions, first-order

terms and do-forall rules, all of which were used extensively in our experiments. Therefore,

we did not include Spin in our experiments.

In [41], Spielmann introduced a PSPACE algorithm of verifying ASMs based on a logic

for computation graphs called CGL*, which resembles CTL*. In this approach, one expresses

an ASM and a property as CGL* formulas and determine if the ASM satisfies the property

by combining the two formulas. The benefit of this approach is that ASMs with arbitrary

CHAPTER 7. RELATED WORK AND CONCLUSIONS 68

inputs can be checked. However, it is restricted to ASMs with only nullary functions.

More recently, Kardos proposed an approach to model checking ASMs specified in the

language AsmL in [29]. This approach performs on-the-fly enumerative state exploration to

verify an AsmL model and is not based on the translation of ASMs into the language of an

existing model checker such as SMV or Spin. In the author's mind, existing model checkers

impose significant constraints on the supported ASMs. Although he did not explicitly

mention those constraints, we do not believe that our ASP-based approach comes with any

of them, except the finiteness of the reserve, which would be inevitable for any ASM model

checking approach.

Answer set programming has been applied to model checking before. In [27], Heljanko

and Niemela introduced bounded LTL model checking of 1-safe Petri nets with ASP. Their

approach is similar to ours in that given a 1-safe Petri net and an LTL formula, a logic

program is constructed such that the BMC problem for the net becomes an answer set

computation task. A notable difference between the two approaches is that ours requires a

much more extensive use of variables in logic programs in order to encode terms in ASMs.

Besides bounded LTL model checking, the authors also presented how to use ASP to solve

a bounded reachability checking problem for a 1-safe Petri net.

ASP has also been used in the bounded verification of security protocols. In [7], security

protocols and actions of communicating agents are described in a specification language

based on logic programs of ASP. A security breach is described as a goal state. The existence

of a breach within a bounded number of steps is detected by answer set solving.

Besides the LTL model checking approaches discussed in Chapter 3, another one that is

somewhat related to our work uses tabled logic programming and has been implemented in

the XMC system (391. Its basic idea is that the satisfaction of an LTL formula in a Kripke

structure can be decided by constructing and exploring a proof graph using some inference

rules. The proof graph construction and exploration can be implemented as a logic program

in the tabled logic programming paradigm. This approach is unbounded, but like other

unbounded LTL checking methods, its space complexity is exponential with respect to the

given formula in the worst case.

CHAPTER 7. RELATED WORK AND CONCLUSIONS

7.2 Conclusions

We present the application of answer set programming to bounded LTL model checking of

abstract state machines. We introduce a mapping from a BMC problem to a problem of

answer set computation through a compact logic program encoding of the given ASM and

LTL formula. The compact encoding is realized by the power of logic program rules with

predicates and variables in succinctly representing the transition behaviour of ASMs and

the recursive evaluation of LTL formulas. Our experimental results provide strong evidence

that our approach can be feasibly applied to non-trivial industrial systems. They show that

not only does ASP offer an expressive language for encoding model checking problems, but

also it can help achieve good overall verification performance. As ASP is a research area

of high interest, better grounding and answer set solving techniques are emerging, which

certainly benefits model checking approaches based on ASP.

Our :main future directions include the following. First, we will explore ways to optimize

our logic program encoding. Many problems can be encoded as logic programs in more

than one way, and different encodings may result in different performances of answer set

computation. Our encoding is by no means unique. In fact, we had modified it several

times before finally settling with the version presented in this thesis. Strategies that may

help improve performance of answer set conlputation include adding redundant constraints

and rewriting rules without violating our correctness theorems. Another direction involves

studying the possibility of applying ASP to unbounded LTL model checking. The moti-

vation for this direction is clearly the success of ASP-based bounded LTL model checking.

No ASP-based unbounded model checking approaches for any types of temporal logic are

currently available. We think that the recursion mechanism in ASP might be applicable in

the iterative process of determining the satisfaction of an LTL formula in a model. Finally,

a knowledge representation language that has recently generated much research interest

is Inductive Definition Logic (ID-Logic) (181, which extends classical first-order logic with

inductive definitions. ID-Logic and ASP are similar in various ways. Solvers for ID-Logic

have been developed. It would be interesting to apply ID-Logic to bounded model checking

and compare it to ASP.

Appendix A

Proofs

A. l Proof of Theorem 1

To prove Theorem 1, we first show that an answer set AM of the program II(M,k) corre-

sponds t,o a run of M.

Lemma 1. If II(M, k) has an answer set A M , then a rmn (so, .. .,sk) of M can be obtained

from Allr

Proof. We refer to the Herbrand instantiation of II(M, k) as Ground (II(M, k)) , and therefore

AM is an answer set of Ground(II(M,k)). In the proof, when we say a literal is true or

satisfied, we mean it is satisfied by Anf. Similarly, when we say a literal is false or not

satisfied, we mean it is not satisfied by AM.

Our proof strategy is as follows. We first prove that exactly one run (so) can be obtained

from Anf and show that this is a run of M. After that, we assume that exactly one run

(s ~ , . . . , s ~ ) can be obtained from AM and it is a run of M and try to prove that exactly one

run (so,...,s,,s,+l) can be obtained from Anf and it is also a run of M for all 0 5 i 5 k-1.

We restrict that each sort in the signature EM have a fixed universe and the extend rule not

be used in M. Later we will extend the proof to include the case where some sorts in E M

have dynamic universes. For now, we also assume that the update set fired in each state of

M is consistent. That is, the program II(M,k) is constructed based on the assumption that

the update set fired in each state of M is consistent.

We prove that exactly one run (so) can be obtained from AM by establishing that for

each location (f, ( q ,...,%)) in M, there is exactly one atom of the form f (cl ,...,%, cp1O) in

APPENDIX A. PROOFS 71

A M , where j : Dl x ... x Dn + Dp is a controlled or monitored function in EM and each c3

is a constant of sort Dj for j = 1, ..., n and p. The idea is that the location (f, (cl , ..., G)) is equal to exactly one value $. In order for us to say that a run ( so ) is obtained from A M ,

we need to have exactly one atom j(c1 ,...,%, $ , O ) in Anf. For each function application

f ( c l , ...,&), we have in Ground(II(M,k)) a rule of the form

The constants $1, ..., and i+,, are of sort Dp. Either rule guarantees that there is exactly

one atom of the form j ( c l , . . . , % , ~ , O ) in A M , where cp is any one of $1, ..., and h. This

implies that a run ( s o ) can be obtained from A M .

We prove that ( s o ) is a run of M. For each controlled or monitored function j : Dl x

... x Dn + Dp in E M , if the atom j ( q ,..., c ~ , $ ~ ,0) is in A M , then one of the following two

rules must be in I I (M,k):

The first rule is added if the location ( f , (e l ,..., en)) is equal to $ j in every initial state of

M. The second rule is added if ( j , ( c l , ...,%)) can be equal to any one of $ 1 , ..., and cP

initially. In either case, there must be an initial state of M where ( j , (cl ,...,%)) is equal to

cpj. The state so is such a state because the atom j (cl ,...,%, cpj,O) is in A M . Therefore, so

is an initial state of M and (so) is a run of M.

Then we prove that if exactly one run ( so , ..., si) can be obtained from Ahf and it is a run

of M, then exactly one run (so , ... ,si,si+l) can be obtained from AM and it is also a run of ,

M for all 0 < i < I;-1. We do so by first showing that for each location ( j , ( c l , ...,%)) in M,

there is exactly one atom of the form f ( ~ 1 , ...,% , ~ p , i + l ) in A M , where j : Dl x ... x Dn +

Dp is a controlled or monitored function in EM and each cj is a constant of sort Dj for j =

1, ..., n and p. If the function j is monitored, we have in I I (M,k) a choice rule of the form

The grounding of this choice rule leads to the following rule for each 0 5 i 5 k-1:

APPENDIX A. PROOFS

This rule ensures that there is exactly one atom of the form j(c1 ,...,&, cp,i+l) in AM, where

c, is any one of cpl, ..., and cp.

If the function f is controlled, we have in ll(M,k) the inertia rules of the form

The grounding of these rules results in the following rules for each 0 < i 5 k-1:

f (c l ,..., &,%j,i+l) + notf(c1, ..., &,c, l , i+l) , ..., notf(~l,...,~n,~pj-l,i+l), not f (cl, ... , ~ , ~ p j + l , i + l ) , ..., not f (cl, ..., k , ~ p m , i + l ) ,

f (cl ,..., &, ~ p j , i ) , dl(cl), ..., &(&), has-next-state(i).

These rules ensure that there is at least one atom of the form f (cl, ..., c,,~p,i+l) (as long

as there is one atom of the form f (cl ,... ,cn,cp,i) in AM, which is given because (so, ..., st)

can be obtained from AM). We assume that there is also at most one atom of the form

f (cl ,...,%,%, i+ l ) in AM. As later shown in the proof, if there were two distinct constants

c, and cp! such that both f (cl, ..., k ,c , , i+ l ) and f ( ~ 1 , ..., &,cp',i+l) are in AM, then there

would be two inconsistent updates in the update set fired in state si.

We have proved that exactly one run (so, ... si,si+l) can be obtained from AM. Let this

run be T . We now show that if the prefix (so ,..., si) of T is a run of M, so is (so ,..., si+1). This

amounts to showing that si+l is a successor state of si in M. For each monitored function

f : Dl x ... x D, -+ Dp in EM, the value of each location (f, (cl, ...,&)) changes non-

deterministically. Therefore, for each constant cpj of sort Dp, there is in M a successor state

of si where the location (f, (cl ,..., &)) is equal to ~ p j If f (cl ,..., c n 1 ~ , i + l ) is in AM, then

si+l is such a state, since T is obtained from AM.

For each controlled function f : Dl x ... x D, -+ Dp in EM, we want to show that if

f (cl ,..., c,,%j,i+l) is in AM, then

either the update ((f, (cl, ..., k)), ~ p j ) is in the update set fired in si, or

. the location (f, (cl, ..., k)) is equal to in si, and no update ((f, (cl, ..., k ) ) , c) is in

the update set fired in si, where c is $1, ..., ~ p j - 1 , %+I , ..., %rn.

APPENDIX A. PROOFS

If f (cl ,.. .,%, cpj , i+ l ) is in An*, then one of the following two cases holds:

1. The body of a rule of the following form in Ground(II(M,k)) is satisfied by A M :

The rule (4) is in Ground(II(M,k)) because of an update rule f (tl ,...,t,) : = tp in M,

where tl , ..., t, and are terms. The update rule results in the following non-ground

rule in II(M,k):

The symbol <other literals> denotes the set of literals that may be added to the body

as the update rule may be a sub-rule in another transition rule. The grounding of the

rule above leads to a group of ground rules which include (4).

The true body of (4) allows us to prove that f ( t l , ...,k) := tp produces the update

((f, (cl, ...,%)), cpj) in the update set fired in si. In order to do so, we first establish

ValS,,C(tl) = cl, ..., Val,,,~(t,) = c, and Val,,,C(tp) = ~ p j by considering the different

cases for terms:

0 If tl is a variable v, then 4 ( tl , i ) is a logic program variable XI, which is grounded

into cl in (4). Then tl is equal to cl under the variable assignment [(v H cl) in

state si, i.e., Val, , ,~(,~~)(tl) = cl.

0 If tl is a constant, it must be cl. Otherwise, the head of (4) would not be

f ( ~ 1 , ..., %,~p j , i+ l ) . Therefore, Val,,,C(tl) = cl. . If tl is a function application f '(ell ,..., cl,), where ell, ..., and cl, are constants,

then Et(tl , i) is a logic progrztm variable XI, which is grounded into cl in (4). If the

function f ': Dl] x ... x Dl, + Dl is static, the side atoms are f '(ell ,..., cl,,cl)

and dl(cl). The body of (4) is satisfied, which implies f l ( c l l , ..., cl,,cl) E A M .

The atom f l (c l l ,..., clm,cl) is in AM due t o the following rule in II(M,k):


This rule is added because f '(ell ,... ,elm) is equal to cl in every state. Therefore,

we have V U ~ , ~ , C ( ~ ~ ) = cl. If the function f ' is controlled or monitored, the side

atoms are f f (c l l ,..., clm,cl,i) and dl(cl). The atom f l ( c l l ,..., clm,cl1i) is in AM,

implying Va13z,C(f'(cll,...,cLm)) = cl because the run .ir is obtained from AM.

Consequently, we have V ~ l , ~ , ~ ( t ~ ) = cl.

The same argument can be applied recursively to a term f f ( t llr...,tlm), where

tll , ..., and tlm may be function applications. This works because the nesting of

function applications is finite.

0 If tl is an equality, conjunction, disjunction, negation or first-order term, we

translate the update rule f (t l , ...,t,) : = tp into the conditional rule:

i f tl then

f (true, ...,t,) := tp e l se

f (false, ...,t,) := tp

endif

With this translation, all parameters o f f and the right hand side of the update

rule are variables, constants or function applications that are transformed into

logic program variables.

Now we have V ~ l , ~ , ~ ( t l ) = cl. The same argument applies to t2, ..., t, and tp, which

gives us V ~ l , ~ , ~ ( b ) = c2, ..., ValSz,~ (t,) = c, and V ~ l , ~ , ~ ( t p ) = c p j Therefore, if the

update rule f (tl ,..., t,) : = tp is executed in si, the update ((f, (cl ,..., c,)), c+j) must be

in the update set fired in s,.

I t remains t o prove that the update rule f (t l , ...,t,) := tp is indeed executed in si. We

do this by examining the literals in <other literals> in the body of (4). All these

literals are true because the body of (4) is true. If <other literals> is empty, then the

update rule is not guarded and is certainly executed, and the update set fired in si

has the update ((f, (cl, ...,%)), ~ p j ) If <other literals> is not empty, the literals in

it are either domain or non-domain literals. The domain literals do not encode any

information about the transition rules enclosing the update rule as they are just for

grounding. Therefore, we only consider the non-domain literals. A non-domain literal

lit in <other literals> has one of the following forms:


0 If f (tl ,...,t,,) : = t, is in the then part of a conditional rule that is not enclosed

by do-forall or choose rules, then lit may be an atom q(i), which is satisfied

because the body of (4) is satisfied. Let the guard of the conditional rule be g

and Et(g,i) be the atom q(i). We need t o show that Val,l,C(g) = true iff q(i) is

satisfied. If g is an equality t, = &, then a rule of the following form must be in

Ground (II(M,k)):

The body of (5) is satisfied, which is why q( i ) is satisfied. We can show that

Val,,,C(g) = true, i.e., = Val,t,C(&). The idea is that if q(i) is satisfied,

both &(&, i ) and &(&,i) must be grounded into a constant c so that the equality

in the body holds. We can consider the different cases for t, and &: each one

is a variable, a constant or a function application. Because the body of (5) is

satisfied, we can get Val,t,C(t,) = c and Val,,,C(ty) = c (just as we have proved

that Val,z,C(tl) = cl). If q(i) is not satisfied, then the bodies of all rules of the

form (5) are not satisfied either. We can again consider the different cases for t,

and ty t o show that Val,,,C(k) # Val,,,C(&).

If g is a conjunction, disjunction, negation or first-order term, we prove by in-

duction on the structure of g that Val,,,C(g) = true iff q(i) is satisfied. The

inductive hypothesis is that if gf is a sub-term of g, and &(gt,i) is an atom qt(i) ,

then ~ a l , , , ~ ( g ' ) = true iff qf( i ) is satisfied. If g is t, A 6, then a rule of the

following form must be in Ground(II(M,k)):

&(t,,i) and Et(&,i) in (6) are two atoms q,(i) and qy(i), respectively. The body

of (6) is satisfied, meaning that q,(i) and qy(i) are satisfied. By the inductive

hypothesis about the sub-terms t, and &, we get Val,,,C(&) = true and Val,,,C(&)

= true, which implies Val,l,C(t, A &) = true. The cases for t, V & and l t , are

also simple. If g is a first-order term 3v r(v) , we have rules of the following form

in Ground(II(M,k)):

The head variable v is translated into a logic program variable XI and the body

r(v) is translated by &(r (u) , i ) into the atom qT(i). X is added as a parameter


to qT(i) and each atom that is the head of an auxiliary rule from Et(r(v) , i ) . If

q(i) is true, there must exist a constant c such that qT(c,i) is satisfied so that

the body of a rule of the form (7) is satisfied. By the inductive hypothesis about

r(v) , we know that Valyz,c(r(c)) is true, which means Valy,,C(3v r (v) ) = true. A

first-order term Vv r(v) is equivalent to -(3v 7r (v) ) .

Since the guard of the conditional rule is true in si, the then part, which contains

the update rule f ( t l , . . . ,k) : = tp, is executed in si.

If f ( t l , . . . ,k) := tp is in the else part of a conditional rule that is not enclosed

by do-forall or choose rules, then lit may be a negative literal not q(i), which is

satisfied. We again let the guard of the conditional rule be g and Et(g,i) be q(i).

Since we have shown that Val,,,((g) = true iff q(i) is satisfied, and not q(i) is

satisfied, we get Val,z,C(g) = false. Since the guard of the conditional rule is false

in q, the else part, which contains the update rule f (tl , . . . ,k) : = tp, is executed

in q.

If f (tl , . . . ,k) : = tp is in the sub-rule of a do-forall rule that is not enclosed by

do-forall or choose rules, then lit may be an atom q(c,i) for some constant c and

is satisfied. The head variable of the do-forall rule, say v, is translated into a

logic program variable X, arid the guard g(v) is translated by Et(g(v),i) into the

atom q(i). X is added as a parameter to q(i) and each atom that is the head of

an auxiliary rule from Et(g(v),i). As a result, for any constant c, Val,,,C(g(c)) =

true iff q(c,i) is satisfied. Since an atom q(c,i) is satisfied, we have Val,,,C(g(c))

= true, and thus the range of g(v) in q is not empty. In particular, the value of

c is in the range. As a result, the sub-rule of the do-forall rule, which contains

the update rule f (tl, . . . ,k) := tp, is executed in s; with v equal to c.

Iff (tl , . . . ,k) : = tp is in the sub-rule of a choose rule that is not enclosed by any do-

forall or choose rules, then lit may be an atom choose-var(c,i) for some constant

c and is satisfied. The head variable of the choose rule, say v, is translated into

a logic program variable X, and the guard g(v) is translated by Et(g(v),i) into

an atom q(i). X is added as a parameter to q(i) and each atom that is the

head of an auxiliary rule from Et(g(v),i) . Suppose v is of sort Dp. Then in

Ground(lT(M,k)), there is the following constraint resulting from the translation

of the choose rule:

APPENDIX A. PROOFS

+ choose-var(c,i), not q(c,i), d,(c), <other literals>' has-next-state(i).

The symbol <other literals>' denotes the literals added to the body of the con-

straint because the choose rule may be a sub-rule of other transition rules. Note

that <other literals>' is a subset of <other literals> in the body of (4), since the

update rule f (tl , . . . ,h) : = tp is sub-rule of the choose rule. We know that all liter-

als in <other literals> are true because the body of (4) is true. Thus, all literals in

<other literals>' are also true. The atoms dp(c) and has-next-state(i) are true as

they are positive domain literals. As a result, given that choose-var(c,i) is true,

q(c,i) must also be true in order for the constraint above to be satisfied. We know

that Valst,C(g(c)) = true iff q(c,i) is satisfied. Therefore, we have (g(c))

= true, which implies the range of y(v) in si is not empty. In particular, the

value of c is in the range and chosen as the value of v. As a result, the sub-rule

of the choose rule, which contains the update rule f (t l , . . . ,h) : = tp, is executed

in si with v equal t o c.

If f ( t l , . . . ,h ) : = tp is a sub-rule in a conditional, do-forall or choose rule R

that is enclosed by do-forall or choose rules R1, ..., and R,, then lit may be

a literal q(cl ,...,&, i ) (then part of the conditional rule), not q(c l , . . . ,h , i ) (else

part of the conditional rule), q(cl ,... , h , c , i ) (sub-rule of the do-forall rule), or

choose-var(cl ,...,&, c,i) (sub-rule of the choose rule). We need to show that R is

executed in si. The proof idea is as follows. Let R1 be the outermost enclosing

rule and R, be the innermost. In other words, R1 encloses Rz, Rz encloses R3,

..., and R, encloses R. Let vl, ..., and v, be the head variables of R1, ..., and R,,

respectively. Since R1 is not enclosed by do-forall or choose rules, we can easily

prove that the sub-rule of R1, i.e., R2, is executed with vl equal to cl, which is in

the range of the guard of R1. Then we can show that given vl being equal to cl , the sub-rule of R2, i.e., R3, is executed with Q equal to c2. As we keep going, we

will eventually get the result that given vj equal to cj for each 1 < j 5 n-1, the

sub-rule of R,, i.e., R, is executed with v, equal to h . Therefore, R is executed

in si with vj equal to cj for each 1 < j < n. Now we need to show that the update

rule f (tl ,... , h ) : = tp is executed in si as a sub-rule in R. This basically requires

the same technique we used for the case where R is not enclosed by do-forall or

choose rules.


We have proved that if the update rule f ( t l , ...,t,) := t, is in the then part of a

conditional rule, the then part is executed in si. If it is in the else part of a conditional

rule, the else part is executed in si. If it is in the sub-rule of a do-forall or choose rule,

the sub-rule is executed in si. Therefore, f (tl ,...,t,) : = tp is executed in si. Since we

also have V~l , , , ~ ( t l ) = cl, ..., I/al,,,~(t,) = c, and Val,p,C(t,) = ~ p j , the update set

fired in si has the update ((f, (cl, ...,%)), cpj). As we assume that the update set is

consistent, there must be in M a successor state of si where the location (f, (cl ,..., c,))

is equal to cpj. The state si+l in the run .ir obtained from AM is such a state because

f (el ,.. . , c , ,~p j ,i+l) is in An.*.

2. If case 1 does not hold, the atom f (cl ,...,c,, cpj) is in AM because the body of the

following inertia rule in Ground(II(M,k)) is satisfied:

The atom f (cl ,..., c,,%,i) is in AM, and so the location (f, (cl ,..., c,)) is equal to

cp3 in state si. In addition, all atoms f (cl, ..., c , ,~pl , i+ l ) , ..., f ( ~ 1 , ..., %,~pj- l , i+ l ) ,

f (clr ..., %,%+I , i+l) , ..., and f (cl ,..., c,,%,i+l) are false, which means that the bod-

ies of all rules of the following form are not satisfied:

The symbol c is any one of cpl, ..., ~ ~ j - 1 , ..., and ~ p , We can show that no

update ((f, (cl, ...,%)), c) is in the update set fired in si. The idea is that each rule

of the form (8) results from the translation of an update rule f (tl, ..., k) : = t,. The

body of each rule of the form (8) is not satisfied, meaning that a literal in the body

is false. Given this false literal, we prove that no update rule f (tl ,...,t,) : = t, creates

an update ((f, (cl), ..., c,)), c) in the update set fired in si, as follows:

0 If the false literal is an atom in <side atoms>, then V ~ l , , , ~ ( t ~ ) # cl for some 1 =

1, ..., and n, or Val,,,~(t,) # c. The only situation where a side atom is false is

where one of tl, ..., t, and t, is a function application. For instance, suppose tl


is f ' (c l l , . . . , ~ lm) , where the function f ' : Dll x ... x Dl, + Dl is a controlled

function, and ell, ..., and cl, are constants. Then Et(tl , i) is a logic program

variable XI, which is grounded into cl. The side atoms are f ' (c l l , . . . ,c~m,c~, i)

and dl(cl). The atom dl(cl) must be in AM because dl is a domain predicate.

1f f ' ( ~ ~ ~ , . . . , ~ ~ ~ , ~ l , i ) $! A M , then Val,,,6(f1(~11 ,... ,elm)) # c1, since the run .ir is

obtained from An4. The same argument can be applied recursively to a term

f'(tll,...ltlm)l where tll, ..., and tl, may be function applications. This works

because the nesting of function applications is finite.

Iff (tl , . . . ,k) : = tp is in the then part of a conditional rule not enclosed by do-forall

or choose rules, then the false literal may be an atom q(i) in <other literals>. Let

g be the guard of the conditional rule. Since q(i) is the result of the translation

Et(g,i), and we have shown that q(i) is true iff V~ l , , , ~ (g ) = true, the then part

is not executed in si.

Iff ( t l , . . . ,k) : = tp is in the else part of a conditional rule not enclosed by do-forall

or choose rules, then the false literal may be a negative literal not q(i). Since not

q(i) is false, the guard of the conditional rule is true in si, which means that the

else part is not executed in si.

If f (tl ,... , t) : = tp is in the sub-rule of a do-forall rule not enclosed by do-forall

or choose rules, then the false literal may be an atom q(cl,i) for some constant

c'. Since q(cl,i) is false, the value of c' is not in the range of the guard of the

do-forall rule in si. Thus, the sub-rule of the do-forall rule is not executed in si

with the head variable equal to cl.

If f (tl ,...,k) : = tp is in the sub-rule of a choose rule not enclosed by do-forall

or choose rules, then the false literal may be an atom choose-var(cl,i) for some

constant cl. The sub-rule of the choose rule is not executed in si with the head

variable equal to c'. The explanation is as follows. Suppose the head variable of

the choose rule, say v, is translated into a logic program variable X, and the guard

g(v) is translated by Et(g(v),i) into an atom q(i). X is added as a parameter

to q(i) and each atom that is the head of an auxiliary rule from Et(g(v),i). If v

is of sort Dp, and cpl, ..., and cpm are constants of Dp, then in Ground(II(M,k)),

there are choice rules of the following form resulting from the translation of the

choose rule:

APPENDIX A. PROOFS

1 { choose-var(cpl,i), ..., choose-var(+,i) ) 1 +-

q(cPl , i ) , dp(cpl), <other literals>', has-next-state(i).

. . . 1 { choose-var(cpl,i), ..., choose-var(+,i) ) 1 +-

q(cpm,i), dp(cpm), <other literals>', has-next-state(~).

The symbol <other literals>' denotes the set of literals that may be added to the

body of the choice rule as the choose rule may be a sub-rule in another transition

rule. There are two cases for the atom choose-var(cl,i) being false, where c' is

any one of $1, ..., and cp, First, there is some constant c" such that c" # c' and

choose-~ar (c~~ , i ) is true. If choose-war (c" , i) is true, then choose-var(cl,i) must

be false because in the head of each choice rule above, the lower and upper bounds

of the cardinality expression are both 1. We have proved that if choose-var(cl',i)

is true, the value of c" is chosen as the value of the head variable v. Therefore,

the sub-rule of the choose rule is not executed with v equal to c'.

In the other case, the body of each choice rule above is false, which means that

all atoms c h o o ~ e - v a r ( ~ ~ , i ) , ..., and choose-var(cp,i) are false, since they do not

occur in the head of any other rule. The fact that the body of each choice rule

above is false indicates that either q($l,i), ..., and q(6pn,i) are all false, or a

literal in <other literals>' is false. If q(cpl,i), ..., and q(cp,i) are all false, the

range of the guard g(v) is empty in si. Therefore, the sub-rule of the choose rule

is not executed at all in si. If a literal in <other literals>' is false, we can show

that the choose rule itself is not executed in si (just as we are proving that the

enclosed update rule is not executed).

If f (tl , . . . ,k ) := t, is a sub-rule in a conditional, do-forall or choose rule R en-

closed by do-forall or choose rules R1, ..., and R,, then the false literal may be

a literal q(cl ,..., h , i ) (then part of the conditional rule), not q(cl ,..., h , i ) (else

part of the conditional rule), q(cl ,...,&, c l , i ) (sub-rule of the do-forall rule), or

choose-var(cl ,..., h , c l , i ) (sub-rule of the choose rule). Let vl, ..., and v, be the

head variables of R1, ..., and R,, respectively. Using virutally the same technique

we used for the case where R is not enclosed by do-forall or choose rules, it is

straightforward to show that given vj equal to cj for each 1 5 j 5 n, the sub-rule

of R containing the update rule f ( t l , . . . ,k) : = t, is not executed in si.

APPENDIX A. PROOFS 8 1

Thus, no update rule that creates an update ((f, (cl, ..., c,)), c) for any c # cpj is

executed in si. By the semantics of ASMs, if the location (f, (cl, ...,c,)) is equal to

cpj in si, and no update ((f, (cl), ...,c,)), c) for any c # cpj is in the update set fired

in si, then there is in M a successor state of si where (f, (cl, ...,c,)) remains equal to

cpj. The state si+l in the run .ir obtained from AM is such a state because the atom

f (cl ,..., h , ~ p j , i+ l ) is in AM.

We now explain our assumption that there is at most one constant cp such that the atom

f (cl ,..., c,,cp,i+l) is in AM for all 0 < i < I;-1. I f f (cl,...,cn,cp,i+l) and f (cl ,..., h , ~ p , , i + l )

were in . 4 ~ with cp # 9, then case 1 would hold for both atoms. The inconsistent updates

((f, (cl ,..., c,)), cp) and ((f, (cl ,..., c,)), ~ p l ) would be both in the update set fired in si. As

a result, the assumption that the update set fired in every state s of M is consistent would

be violated.

We have shown that for each controlled or monitored function f in CAf, if the atom

f (cl ,..., c,, cpj,i+l) is in AM, there must be in M a successor state of si where the location

(f, (cl ,..., c,)) is equal to cpj. The state si+l in .ir is such a state because .ir is obtained from

AM. Therefore, if (so ,..., si) is a run of M, so is .ir = (so ,..., si+1). By induction, exactly one

run (so, ... ,sk) can be obtained from AM, and it is a run of M. This completes the proof of

Lemma 1 for the case where each sort in CAf has a fixed universe and the update set fired

in each state of M is consistent.

We now address the case where the update set fired in a state of M may be inconsistent.

The program II(M,k) is thus modified accordingly. A large portion of the proof is similar

to what we have already done. When we prove that exactly one run ( so r . . . , ~ i ,~ i+ l ) can

be obtained from AM, we no longer need to assume that for each location (f, (cl ,...,c,)),

there is at most one atom of the for~n f (cl, ...,c,,cp, i+ l ) in AM. We can actually prove

it. Toward a contradiction, suppose there are two distinct constants ~p and cp, such that

f ( ~ 1 , ..., c,,cp,i+l) and f (cl ,..., c, ,cp~, i+l) are in AM. In II(M,k), we have the rule

f (XI ,..., Xn,Xp,I+l) + update-f (XI ,..., Xn,Xp,I), not inconsistent(I),

dl (XI), ..., &(X,), $(Xp), has-next-state(1).

The grounding of the rule leads to a number of ground rules including the following two:

f (cl ,..., c,,cp,i+l) + update-f (cl ,..., c,, cp,i), not inconsistent ( i ) ,

dl (cl), ..., A(%), $(cp), has-next-state(i)

APPENDIX A. PROOFS

f ( c l ,..., c , , ~ , i + l ) + update-f ( c l ,..., c , , ~ , i ) , not inconsistent(i),

d l ( c l ) , ..., &(c,), $(c,l), has-next-state(i)

Since f (c l ,..., c,, ~ p , i + l ) and f ( c l ,..., c,, ~ p ' , i + l ) are true, the bodies of the two rules above

are satisfied. Therefore, update-f (cl ,... ,c,,$,i) and update-f (c l ,..., c,,cpl , i ) are true, and

inconsistent(i) is false. However, in I I (M,k ) , we have the rule

inconsistent ( I ) + update-f ( X I ,.. . ,X,,X,,I), update-f ( X I ,..., X,,X,/, I ) , X, != X,!,

d l ( X l ) , ..., &(X,), $(X,), $(X,I), has-next-state(1).

The grounding of the rule leads to some ground rules which include

inconsistent ( i ) + update-f (cl ,..., c, ,$, i) , update-f (cl ,..., c,, v , i ) ,

d l ( ~ l ) , ..., &(c,), $($), $(w) , has-next-state(i).

Since update-f ( c l ,..., c,,cp,i) and update-f ( c l ,..., c,, v , i ) are true, and dl ( c l ) , ..., &(c,),

$($), dp(cp,) and has-next-state(i) are positive domain literals, the body of the ground rule

above is true, which means that inconsistent(i) is true. This is a contradiction. Therefore,

there is at most one atom of the form f ( ~ 1 , ...,c,, c,,i+l) in A M .

Then we prove that the run .rr = obtained from A M is a run of M based on

the assumption that the prefix (so , ..., si) is a run of M. For each controlled function f : Dl

x ... x D, -+ D,, we want to show that i f f ( ~ 1 , ..., c , , ~ p j , i + l ) E A M , then

0 the update ( ( f , (c l ,...,c,)), cp j ) is in the update set fired in si, which is consistent,

0 the update set fired in si is inconsistent and the location ( f , ( c l , ...,c,)) is equal to %

in s;, or

0 no update ( ( f , (c l ,..., c,)), c ) is in the update set fired in si, where c is c,l, ..., ~ p j - 1 ,

c , ~ + ~ , ..., or cpm, and the location ( f , ( c l , ..., c,)) is equal to $ j in si.

If f (c l ,...,c,, c,,i+l) E A M , then one of the following three cases holds:

The body of the following rule in Ground(II(M,k)) is satisfied:

f (cl ,..., c,, %, i+l ) + update-f (c l ,... ,c,,cpj,i), not inconsistent(i),

d l ( c l ) , ..., &(c,), $(q,j), has-next-state(i).


The body of the rule is satisfied. Thus, the atom update-j(cl, ...,%,%, i ) is true, and

inconsistent(i) is false. The atom update-j(cl ,..., cn,cpj,i) being true means that the

body of a rule of the following form in Ground(II(M,k)) is true:

update-j(cl ,..., %,c+,i) +

<side atoms>, <other literals>, has-next-state ( i ) .

The rule above results from the translation of an update rule j ( t l , ...,h) := tp in M.

Gken that the body of the rule is true, we have shown how to prove the update rule

creates the update ((j, (cl, ...,%)), cpj ) is in the update set fired in si.

In addition, inconsistent(i) is false, which indicates that for any controlled function

j ' : D; x ... x DL -+ DL in EM, there exists no rule of the following form such that

the body is true:

I I . I I f I .

inconsistent ( 2 ) c update-jl(c; ,..., cm,c,,t), update-j (cl, ..., cn,ct, ,z),

d,(c;), ..., dm(Lm), d ( < ) , ~((c;,), has-next-state(i).

The body of the rule above is false. Therefore, at least one of update-jl(c;, . . . , ~ m , c ~ , i )

and update-jl(c;, ...,&, ci,,i) is false, from which we can prove that there are no con-

sistent updates in the update set fired in si. Thus, the update set is consistent.

Th.e update set fired in si has the update ((j, (cl, ..., c,)), ~ p j ) and is consistent. Thus,

there must be in M a successor state of si where the location (j, (cl, ...,%)) is equal to

cpj. The state si+l in the run .ir is such a state because j (cl, ..., cn,$j,i+l) is in A M .

The body of the following rule in Ground(II(M,k)) is satisfied:

Since the body is satisfied, both j (cl , ...,%,~pj, i ) and inconsistent(i) are true. This

means that the location (j, (cl, ...,%)) is equal t o $j in si and the update set fired in

si is inconsistent. The firing of the update set causes no change to any location value.

Thus, there must be in M a successor state of si where (j, (cl ,...,%)) is equal to $j.

The state si+l in the run .ir is such a state.

APPENDIX A. PROOFS

0 The body of the following inertia rule in Ground(II(M,k)) is satisfied:

f(c1, ..., ~ ~ , ~ ~ j , i + l ) e not f (cl, ... , ~ , ~ p l , i + 1 ) , ..., not f ( ~ 1 , ..., %,~pj- l , i+l) ,

notf (cl,..., ~ n , ~ p j + l , i + l ) , ..., not f (CI ,..., %,cPm,i+l),

f (CI ,..., %,~p j , i ) , dl(cl), ..., &(%), has-next-state(i).

The atom f (cl ,..., %,~pj , i ) is true, and so the location (f, (ci ,..., %)) is equal to

cp3 in state si. In addition, all atoms f (ci, . . . ,%,~p l , i+ l ) , ..., f (cl, . . . ,%,~pj-l , i+l),

f ( c ~ , ..., %,~pj+l , i+ l ) , ..., and f (cl,.. . , ~ , c p m , i + l ) are false, which means that the bod-

ies of all rules of the following form are not satisfied:

f (cl, ..., cn,c,i+l) + update-f (cl, ..., %,c,i), not inconsistent(i),

dl(cl), ..., &(cn), $(c), has-next-state(i).

The symbol c is any one of cPl, ..., ~ p j - 1 , ..., and cp. In this case, the atom

inconsistent(i) must be false because if both f (cl ,..., %, ~ p j , i ) and inconsistent(i) were

true, then we would be back to the second case. Given that the body of the rule above

is false, the atom update-f (cl, ... ,%, c,i) must be false, which indicates that no update

((f; (cl ,...,%)), C) is in the update set fired in si. Then there must be in M a successor,

state of si where the location (f, (cl, ...,%)) is equal to ~ p j The state si+l in the run

n is such a state.

Suppose the function f is monitored. Iff (cl, ...,%, cpj,i+1) is in Ah*, one of the following

two cases holds. In the first case, the body of the following rule is true:

Therefore, the location (f, (cl, ...,%)) is equal to cpj in si, and the update set fired in si is

inconsistent. As a result, there must be in M a successor state of si where f (cl, ...,%) = ~ p j

holds. The state si+l in the run n is such a state.

In the second case, the body of the rule above is false because the atom inconsistent(i)

is false. This means that the update set fired in si is consistent. Since the value of every

location off changes non-deter~ninistically, there must be in M a successor state of si where

the location (f, (cl ,...,%)) is equal to %. The state si+l in the run n is such a state. Note

that for the rule above, it cannot be the case that f ( ~ 1 , ...,%,~pj, i ) is false but inconsistent(i)

APPENDIX A. PROOFS

is true. 'This would mean that there is a constant c not equal to c+j such that f (cl ,...,&, c,i)

is true. 'Then f (cl ,..., &, c, i+l) would be true because the body of the following rule is true:

This would contradict the fact that a run can be obtained from AM as f (c1 , . . . , ~ , c + j , i+ l )

and f (cl ,... ,&,c , i+l) would be in AM.

Therefore, state si+l in the run .ir is a successor of si in M, and n is a run of M. By

induction, exactly one run (so, ... ,sk) can be obtained from AM, and it is a run of M. This

completes the extension of the proof of Lemma 1 for the case where the update set fired in

a state of M may be inconsistent.

To handle the case where some sorts in EM have a dynamic universe, we again start

by proving that a run (so) can be obtained from AM and it is a run of M. Then we show

that if a, sort Dp has a dynamic universe, then the atom dp-universe(c,O) is in AM iff the

element c is in the universe of Dp in state so. Let { c+l, ..., cpm ) be the set of names such

that each element in the initial sub-reserve of Dp is represented by exactly one c+j, where

1 < j 5 m. These elements are not in the universe of sort Dp in any initial state of M. In

Ground(II(M,k)), there is no rule with the atom dp-universe(c,O) in the head, where c is

any one of $1, ..., and q,,. Therefore, dp-universe(c,O) cannot be in AM, and we get the

result that u&universe(c,O) is in AM iff the element c is in the universe of Dp in state so.

Then we assume that dp-universe(c,i) is in AM iff c is in the universe of Dp in state si

and try t o show that u&universe(c,i+l) is in AM iff c is in the universe of Dp in a successor

state of si. This inductive step is done before the inductive step for the proof that exactly

one run (so, ... ,si+l) can be obtained from AM and it is a run of M.

If 4.-universe(c,i+l) is in AM, there are two cases:

1. The body of the following rule in Ground(II(M,k)) is satisfied:

dp-universe(c,i+l) +- dp-universe(c,i), not dp-removed(c,i),

dp(c), has-next-state(i).

Since the body is satisfied, the atom d,,-universe(c,i) is true, and 4-removed(c,i) is

false. This implies that c is in the universe of sort Dp in si. In addition, each rule

with 4-removed(c,i) as its head results from the translation of an update rule Dp(t)


:= false, where t is a term of sort Dp. Since dp-removed(c,i) is false, the body of

each of those rules is false. Thus, we can show that no update rule Dp(t) := false is

executed and c is not removed from the universe of Dp in si. Therefore, c remains in

the universe of Dp in a successor state of si.

2. In the other case, the body of the following rule in Ground(II(M,k)) is satisfied:

The rule results from the translation of an extend rule whose head variable is of sort

Dp. The extend rule is not enclosed by do-forall, choose or extend rules. The symbol

<other literals> denotes the literals added to the body of the rule as the extend rule

may be a sub-rule in another transition rule. Since the body of the rule is satisfied, the

atom extend-var(c,i) is true. All literals in <other literals> are true, from which we

can show that the extend rule is executed in si. In addition, the following constraint

in Ground(II(M,k)) is satisfied:

Th.e atoms dp(c) and has-next-state(i) are true as they are positive domain literals.

Therefore, 4-universe(c,i) must be false, meaning that c is not in the universe of sort

Dp in si and is available to be imported. If we let the element taken by the extend

rule be c, then we get the result that c is in the universe of Dp in a successor state of

si. We can easily extend the proof to the case where the extend rule is enclosed by


Conversely, if c is in the universe of Dp in a successor state of si, there are also two cases:

1. The element c is already in the universe of Dp in si and is not removed, and thus it

sta.ys in the universe in a successor state of si. Therefore, the atom dp-universe(c,i)

is true, and we can easily show that dp-removed(c,i) is false based on the fact that no

update rule removes c from the universe. Then the body of the following rule is true:

dp-universe(c,i+l) c 4-universe(c,i), not dp-removed(c,i),

dp(c), has-next-state(i).

APPENDIX A. PROOFS

As a result, dp-universe(c,i+l) must be in AM.

2. The element c is imported from the sub-reserve of Dp in si and becomes an element in

the universe of D, in a successor state of si. This means that c is not in the universe

of Dp in si, and thus the atom dp-universe(c,i) is false. In Ground(ll(M,k)), there is

the following rule:

dp-res-nempty(i) + not dp-universe(c,i), dp(c), has-next-state(i)

The atom 4-universe(c,i) is false. Thus, the atom 4-res-nempty(i) is true. The fact

t h i~ t c is imported indicates an extend rule with a head variable of Dp is executed

in si. Suppose the extend rule is not enclosed by do-forall, choose and extend rules.

Then the translation of the extend rule includes a choice rule of the following form:

Because the extend rule is executed in si, all literals in <other literals> are sat-

isfied. Therefore, the body of the choice rule is true, and there is exactly one c

such that extend-var(c,i), where c is any one of $1, ..., and h. We know that

dp..universe(c,i+l) must be in Ah.* due to the rule

The case where the extend rule is enclosed by do-forall, choose or extend rules is

similar.

We have proved that dp-universe(c,i+l) is in AM iff c is an element in the universe of

sort Dp in a successor state of si. With this result, the inductive step for the proof that

exactly one run (so,...,si+l) can be obtained from AM and it is a run of M can be easily

extended.

This is the end of the proof of Lemma 1. 0

We move on to prove that each answer set of II(M,k) U I I ( - J ,k) corresponds to a run

of M. For that, we need the following proposition, which can be found in [2711:

'In [27], an answer set is called a stable model.


Proposition 1. Let 111 and 112 be two ground programs such that the atoms in the heads

of the rules in 112 do not appear i n I I l . Then for each answer set A of 111 U 112, A n Atoms@I1) is an answer set of 111, where Atoms(TI1) is the set of atoms that occur in I I l .

Lemma 2. If II(M,k) U II(-.$,k) has an answer set A , then a run (so, ..., s k ) of M can be

obtained from A .

Proof. No atoms in the heads of the rules in Ground(II(+,k)) occur in Ground(I I (M,k)) .

Therefore, if I I (M,k ) U II(+,k) has an answer set A , by Proposition 1, we can derive an

answer set A M = A n Atoms(Ground( I I (M,k ) ) ) for I I (M,k ) . By Lemma 1, a run ( so , ..., sk )

of M can be obtained from A M . Since A is a superset of A M , and their difference contains

only atoms that occur in Ground(II(+,k)) but not in Ground( I I (M,k ) ) , the run obtained

from Ah[ can also be obtained from A . 0

It is left to prove that the run obtained from an answer set of I I (M,k ) U I I ( + J , ~ ) satisfies

+. Let h the formula obtained by converting T$ into negation normal form. We divide

II(+,k) into two sub-programs: II l(+,k) , which consists of the loop-related rules and the

translation of h as given in Table 5.1, and IIa(+,k), which is the constraint + not h ( 0 ) .

If n(M,X:) U 111 (+,k) has an answer set A 1 , we can easily show that a run ( S O , ... , sk) of M

can be obtained from A1 using Proposition 1.

Moreover, exactly one of the following two cases holds for A1:

1. e l ( j ) E A1 for some 0 < j 5 k-1 and e l ( m ) $ A1 for all m # j. This is the case where

a loop exists in the run obtained from A1 with state sk equivalent to sj.

2. e l ( j ) $ A1 for all 0 < j < k-1.

It is easy to see why either case 1 or 2 holds. In Ground(IIl(+,k)) , the choice rule

dictates that there is at most one j for which e l ( j ) E A1, where 0 < j < k-1. A loop exists

if e l ( j ) E: A1. A proof is as follows. If some sorts in E M have a dynamic universe, then for

each such sort D,, we have pairs of constraints of the following form in Ground(IIl(+,k)):

t el ( j ) , &-universe(c,j), not &-universe(c, k ) , dp (c ) , has-next-state(j).

t el ( j ) , not &-universe ( c , j ) , &-universe ( c , k ) , &( c ) , has-next-state ( j ) .


If 4-universe(c,j) is in A l , then c is an element in the universe of sort Dp in state s,.

Similarly, if 4-universe(c,k) is in A1, then c is an element in the universe of sort Dp in state

sk. Suppose el(j) is in A1. Given the constraints above, if 4-universe(c,j) is in A l l so is

4_universe(c,k). Similarly, if 4-universe(c,k) is in A1, so is 4-universe(c,j). Therefore, an

element c is in the universe of sort Dp in sj iff it is in the universe of Dp in sk. Consequently,

for each sort, its universes in sk and sj are identical.

For each controlled or monitored function j : Dl x ... x D, + Dp in EM, we have a

collection of constraints of the following form in Ground(IIl(+,k)):

The symbols cl, ..., c, and c, are constants of sorts Dl , ..., D, or names representing

reserve elements of Dl, ..., D, and Dp, respectively. The atoms dl (cl), ..., &(%), &(cp) and

has-next-state(j) are in A1 because they are positive domain literals. Since a run (so, ..., sk)

can be obtained from A1, for each location (f, (cl, ...,&)), there is exactly one atom of the

form j ( c l , ...,c,,c,, i ) in A1 for each 0 5 i 5 k. Suppose el(j) is in A1 for some 0 5 j 5 k-1.

If j (c l ,..., c,,c,,j) is in A1, then f (C l , . . . ,c , ,~p,k) must also be in A1 because A1 satisfies the

constraint above. Then in the run obtained from A1, we have Val,3,c(j(cl ,...,c,)) = cp and

Val,k,C(f'(cl , ..., c,)) = cp, which means Vals3,[(f (cl, ..., c,)) = Val,k,c(f (cl, ..., c,)). Therefore,

for each location, its values in sk and s, are equal. In addition, for each sort, its universes in

sk and si are identical. Thus, sk is equivalent to s,, which indicates the existence of a loop.

Now we prove the correctness of the translation of the LTL formula h.

Lemma 3. If II(M,k) u 111 (+,k) has an answer set A1, and the run obtained from A1 is

x=(sO ,..., sk), then h(i) E A1 iff xi k h for all 0 5 i 5 k.

Proof. We do the proof by induction on the structure of h. Suppose for each sub-formula

hl of h, hl(i) E Al iff xi k hl. Then we show that h(i) E A1 iff xi h by considering the

different cases for h:

0 If 12 is an atomic proposition f (cl, ..., c,) = cp, and the function f is static, the trans-

lat.ion of h is the rule


The extent of the domain predicate valid-state is 0 to k. Therefore, for all 0 < i < k,

if h( i ) E A1, f (cl, ...,%, c,) must also be in A l , since h(i) is only defined by the rule

h(ii) + f (cl ,...,%, cp), valid-state(i). The atom f (cl ,...,%, 5) is in Al if the following

rule is in II(M,k):

Th.is rule is in II(M,k) if Val,,C(f (cl, ...,%)) = cp in every state s of M. Therefore, we

have Val,,,C(f (cl, ..., k)) = ~ p , and thus .iri + h.

Conversely, if .iri + h, then Val,,,C(f (cl , . . . ,&)) = cp. Because f is static, it also means

that V ~ l , , ~ ( f (cl, ...,%)) = ~p for every state s of M. Then we have the rule above in

II(M,k). As a result, f (cl ,... , h , c p ) must be in A1, and h(i) must also be in Al for all

O < i < k

If the function f is controlled or monitored, the translation of h is the rule

For all 0 < i < k, if h(i) E A1, then f (cl ,..., h , ~ p , i ) E Al. AS .ir is obtained from Al,

we have Val,,,C(f (cl ,..., h)) = c,,, which implies .iri + h. Conversely, if T, + h, then

Val,,,C(f (cl, ..., c,)) = ~ p . Since .ir is obtained from Al, f (cl, ..., k ,$ , i ) must be in Al.

As a result, h(i) must also be in A1.

If h is ~ ( f (cl, ..., h) = ~ p ) , and the function f is static, the translation of h is the rule

h ( I ) + not f (cl ,..., k,cp) , valid-state(1).

If h(i) E Al, then f (cl ,... , k , cp ) cannot be in Al , since h( i) is only defined by the rule

h(i) + not f (cl, ..., k,~p), valid-state(i). The atom f (cl ,..., h , c p ) is not in A1 because

the rule f (cl , . . . , k , ~ p ) + is not in I I ( M , k ) . This rule is not in II(M,k) because there

is it constant cp, which is not equal to c, such that V ~ l , , ~ ( f (cl, ...,&)) = cp, for every

stake s of M, which means Val,l,C(f (cl, ..., k)) f 5 . Thus, .iri + h.

If 7ri + h, then Val,z,C(f (cl ,..., h)) # cp. As f is static, it means that V ~ l , , ~ ( f (cl, ..., h))

f q, for every state s of M. The rule f (cl ,...,k,cp) + is not in II(M,k). As a result,

f (cl ,..., k,~p) is not in All and h(i) must be in A1 for all 0 < i < k.

If the function f is controlled or monitored, the translation of h is the rule

APPENDIX A. PROOFS

For all 0 5 i 5 k, if h( i ) E A1, then f(c1 ,...,&,%, i ) $ Al. AS x is obtained from A1,

we have Val,,,C(f (cl ,..., &)) # c,,, which implies r, + h. Conversely, if xi b h, then

Val,,,C(f (cl ,..., cn)) # c p . Since x is obtained from A1, f (cl ,... ,cn,%,i) cannot be in

A1. As a result, h( i ) must be in A1.

0 If h is hl A b, the translation of h is the rule

h ( I ) + hl ( I ) , h2(I), valid-state(1).

If h( i ) E A1, then both hl(i) and h2(i) are also in A1. By the inductive hypothesis

about the sub-formulas hl and hz, we have x b hl and x b h2. Therefore, we have x

b h l A h z

If r b hl A h2, that means both x b hl and x b h2 hold. By the inductive hypothesis,

both hl( i ) and h2(i) are in A1. Then we have h( i ) E A1.

0 If h is hl V b , the translation of h consists of the rules

h ( I ) + hl ( I ) , valid-state(1).

h ( I ) t b ( I ) , valid-state(1).

If ,h(i) E A], then at least one of hl( i ) and h2(i) is in A1. By the inductive hypothesis

about the sub-formulas hl and b, we have a t least one of r + hl and .rr + h2.

Therefore, we have x b hl V hz.

If ,n + hl V h2, at least one of x hl and x b b holds. By the inductive hypothesis,

a t least one of hl ( i ) and hz(i) is in A1. Then we have h( i ) E A1.

0 If h is Ghl , the translation consists of the rules

h ( I ) + hl ( I ) , h ( I + l ) , has-next-state(1).

h(k) + le, not qh.

qh + i l ( I ) , not hl (I), has-,next-state(1).

We first prove that h(k) E A1 iff xk b h. Then we show that if it is true that h ( i + l )

E A1 iff xi+l b h, it is true that h( i ) E A1 iff xi b h, where 0 < i 5 k-1.

For i = k, we use the following equivalence:

APPENDIX A. PROOFS

.irk t= Ghl iff sk = sj for some 0 < j < k-1 and .irm + hl for all j < m < k.

If sk = sj, then .irk is infinite. If .irm + hl for all j 5 m < k, then all suffixes of .irk

satisfy hl.

If h(k) E A1, then le is in All which implies el(j) E A1 for some 0 < j < k-1 because

we have the following rule in ll(-4,k):

Consequently, sk is equivalent to sj. In addition, el(j) E Al implies il(m) E A1 for all

j 5 m 5 k due to the following rules:

i l(j) t el(j), has-next-state(j).

il ( j + l ) t il ( j ) , has-next-state ( j ) .

. . . il(k) + il(k-1), has-next-state(k-1).

Because h(k) is in All qh cannot be in Al. Given qh @ A1 and il(m) E Al for all j < m < k, we get hl(m) E A1 for all j < m < k. By the inductive hypothesis about the

sub-formula hl, .irm + hl for all j < m < k. As a result, .irk + Ghl.

Conversely, if .irk + Ghl , then sk. = sj for some 0 < j < k-1 and .irm + hl for all j < m < k. Recall that exactly one of the following two cases holds for A1:

:L. el(j) E A1 for some 0 < j < k-1 and el(m) @ Al for all m # j.

2. el(j) @ Al for all 0 < j < k-1.

In case 1, we have el(j) E A1 for some 0 5 j < k-1, which means that le and il(m)

for all (and only) j < m < k are in A1. Moreover, because .irm + hl for all j < m < k, by the inductive hypothesis about the sub-formula hl, hl(m) E A1 for all j < m < k. Consequently, q is not in Al. Since le is in A1 and q is not in Al, h(k) is in A1.

For 0 < i < k-1, we use the following equivalence:

.iri + Ghl iff .iri hl and .iri+l Ghl .


We assume that h( i+ l ) E A1 iff .iri+l + Ghl and try to prove that h(i) E A1 iff .iri + G hl. If h( i) E A1, then hl(i) arid h( i+ l ) are in A1. The inductive hypothesis about

hl gives us .iri t= hl. In addition, we assume that h( i+ l ) E A1 iff .iri+l t= Ghl . Since

h( i+ l ) is in Al, we have .iri+l t= Ghl . As a result, we get .iri t= Ghl.

For the opposite direction, if .ir, + Ghl , then both .iri t= hl and .iri+l t= Ghl hold.

Therefore, hl(i) and h(i+l) are in A1, and according to the translation of Ghl , h(i)

is in Al.

0 If h is Fhl , its translation is basically that of the equivalent T U hl, where T is the

symbol that can be seen as the disjunction of an atomic proposition and its negation

and is satisfied by all paths. Therefore, the correctness of the translation of Fhl will

be shown when the operator U is addressed later in the proof.

0 If h is Xhl, the translation of h is the rules

Again we first prove that h(k) E A1 iff .irk + Xhl. Then we show that if it is true that

h( i+ l ) E A1 iff .iri+l + h, it is true that h(i) E A1 iff .iri + h, where 0 < i 5 k-1.


.irk + Xhl iff sk = sj for some 0 5 j < k-1 and .irj+l t= hl.

Tbe idea is that if sk = sj and Tj+l + hl, then .ir(k+l) exists and .irk+l + hl

If h(k) E A1, then el(j) and h( j+ l ) must also be in A1 for some 0 < j < k-1. With

el(j) E A1, we have sk = sj. In addition, since h l ( j+ l ) is in Al, we get .irj+l + hl by

the inductive hypothesis about the sub-formula hl. Therefore, we have .irk + Xhl.

If .irk t= Xhl, then sk = sj for some 0 < j 5 k-1 and .irj+l t= hl. In case 1 for Al, we

have el(j) E A1 for some 0 5 j I k-1. Then el(j) must be in A1. Furthermore, .irj+l

hl implies hl ( j+ l ) E A1. As both el(j) and hl ( j + l ) are in A1, h(k) must be in Al.

For 0 5 i 5 k-1, we use the following equivalence:

APPENDIX A . PROOFS 94

We assume that h( i+ l ) E Al iff ni+l + Xhl and try to prove that h( i) E Al iff ni + X,hl. If h(i) E Al , then h l ( i+ l ) must be in A l . By the inductive hypothesis about

the sub-formula hl , we have ni+l + hl , which implies ni + Xhl . Conversely, if n, + Xhl, then we have ni+l + hl, indicating hl( i+l) E A1. Consequently, h( i) must be

in Al.

0 If h is hl U h2, the translation of h is the rules

h( I ) + ha(I), valdstate(1).

h ( I ) + hl(I) , h ( I+l ) , has-next-state(1).

h(k) + i l ( I) , b(I), not rh,(I), has-next-state(1).

rh,(I) + J < I, i l ( J ) , not hl ( J ) , has-next-state(I), has-next-state(J)


nk + hl U h2 iff nk + h2 or sk = sj and n,, + ha for some j < m < k and

n j + hl, ..., and n,-1 + hl.

If h(k) E A l l there are two cases. In the first case, h2(k) is in Al. By the inductive

hypothesis about the sub-formula ha, we get nk + b, which means nk + hl U b . In

the other case, there exists some m such that il(m) and b ( m ) are in A1 and rh,(m) is

not in A1, where 0 5 m 5 k-1. This means that there exists some j such that el(j) is

in Al , where 0 < j 5 m. Therefore, we have sk = sj. Also, with hz(m) E A l , we get

T,, + h2 by the inductive hypothesis about the sub-formula h2. Since el(j) is in Al,

we have il(j) , i l ( j+l) , .... arid il(m-1) in Al. Because i l ( j+l) , ..., and il(m-1) are in

Al , but rh(m) is not, we are sure that hl(j), hl( j+l) , ..., and hl(m-1) are in Al. By

the inductive hypothesis about lrl, we have Tj + hl, nj+l + hl, ..., and n,-1 + hl.

Thus, we get nk + hl U h2.

For the opposite direction, if nk + hl U h2, there are again two possibilities. If nk + h2,, we have b ( k ) E A1, which implies h(k) E Al. In the other possibility, we have

sk = sj and n j + h,l U b for some 0 < j 5 k-1. In case 1 for A l l the equivalence

between sk and sj means el(j) E A1. This implies that i l ( j ) , i l ( j+l) , ..., and il(k) are

in Al, and no other atoms with predicate il are in Al. Furthermore, ~j + hl U b


implies that there exists some j 5 m < k such that T~ /= hl, ..., ~ , - 1 /= hl, and T, /= hZ This indicates that the atoms hl ( j ) , ..., hl(m-1) and h2(m) are in Al. Therefore,

rh(m) is not in A1. Since il(m) and hz(m) are in A1 and rh(m) is not, h(k) must be

in Al.

For 0 < i < k-1, we use t,he following equivalence:

We assume that h( i+ l ) E A1 i f i ~ i + l k hl U h2 and try to prove that h(i) E A1 ifi

.rri k hl U hz. If h( i) E A1, either b ( i ) is in A1 or both hl( i ) and h(i+l) are in

A1. If h2(i) is in A1, then by the inductive hypothesis about the sub-formula hz, we

have .rri k b, which implies .rri + hl U hz. If both hl(i) and h( i+ l ) are in Al, the

inductive hypothesis about the sub-formula hl gives us .rri k hl. In addition, because

we assume h( i+ l ) E A1 iff .rri+l t= hl U h2, we have ~ i + l + hl U h2. As a result, we

get Ti k hl U hz.

Conversely, if ~i k hl U h2, then either ~i k hz or ~i t= hl and ~ i + l k hl U h2. If

~i k hz, we have hz(i) E A1, which implies h(i) E A1. If T, k hl and ~ i + l k hl U

hz, then we get hl( i ) E A1 and h ( i+ l ) E A1, which also implies h(i) E A1.

0 If h is hl R h2, its translation is guided by the equivalence hl R hz = (b U (hl A b ) )

V G b , and we have proved the correctness of the translations for A, V, G and U.

Before completing the proof of Theorem 1, we introduce the following proposition, which

can be found in [27]:

Proposition 2. Let II be a program. Then A is an answer set of II an,d satisfies a constraint

con iff A is an answer set of II U { con ).

Now we complete the proof of Theorem 1.

Proof. By Lemma 2, if II(M,k) U II(+,k) has an answer set A , a run T = ( s ~ , ..., sk) of M can

be obtained from A. The program II(M,k) U II(+,k) is II(M,k) U nl(-$,k) U I12(+,k).

Because II2(+,k) is the constraint +- not h(O), by Proposition 2, A is also an answer set


of II(M,k) U 111(-+,k) and satisfies + not h(O), i.e., h(0) E A. By Lemma 3, h,(O) E A iff

no 1 h, where TO is the same as T . Therefore, we have n 1 h. Since h is equivalent to l$,

n 1 T$ holds. In other words, the run obtained from A satisfies -$. 0

A.2 Proof of Theorem 2

We first show that each run (so, ..., sk) of M is matched by an answer set of II(M,k).

Lemma 4. For each run (so,. ..,sk) of M, II(M,k) has an answer set from which (so,. ..,sk)

can be obtained.

Proof. Let the run (so, ..., sk) be n. Our proof strategy is as follows. We first divide II(M,k)

into two sub-programs: IIl(M,k), which has all the rules that are not constraints, and

I12(M,k), which has all the constraints. Using Proposition 2, we can show that if an answer

set of Ground(IIl (M,k)) satisfies every constraint in Ground(I12(M,k)), then it is an answer

set of Ground (II(M, k)).

We take an empty program II, whose only answer set A is obviously the empty set. We

gradually add the rules in Ground(IIl(M,k)) to II and enlarge A along the way so that it

remains an answer set of II. In the end, A is an answer set of Ground(IIl(M,k)). We will

prove that .ir can be obtained from A , and A satisfies every constraint in Ground(I12 (M,k)).

We first consider the case where every sort in C M has a fixed universe and the update

set fired in each state of M is consistent. The rules in Ground(IIl(M,k)) are added to II

and A is enlarged according to the following steps:

1. Let A be a set such that once an atom in Ground(IIl(M,k)) is added to A in one

step, it cannot be added to A in a later step. We want A to be the complement of

A in the end when every atom in Ground(IIl(M,k)) is in A or A. For each atom

in Ground(IIl(M,k)), if it does not appear in the head of any rule, add it to A.

These atoms will definitely not be added to A as they are not in any answer set of

Ground (IIl (M, k)).

2. For each 0 < i < k, add the rule

valid-state ( 2 ) +.

to ll and add valid-state(i) to A. For 0 5 j < k-1, add the rule

APPEKDIX A. PROOF'S

has-next-state (j) +.

to II and add has-next-state(j) to A. Clearly, A is an answer set of II.

3. Fac each sort Dp in EM, if { $1, ..., ~ p r n ) is the set of constants such that each element

in the universe of Dp is the interpretation of exactly one cPj, where 0 5 j 5 m, then

add the rules

to II. In addition, add dp(cpl), ..., and d p ( ~ p ~ ) to A so that A remains an answer set

of n.

4. For each function application j (cl, ...,&), where f : Dl x ... x D, + Dp is a static

function in EM, and cl, ..., and 6, are constants of sorts Dl , ..., and Dn, respectively,

add the rule of the form

to II, where ~ p j is a constant of Dp. Also add j ( ~ 1 , ...,&,~pj) to A. Then A is still an

answer set of II.

5. For each function application j (cl ,..., c,), where j : Dl x ... x D, + Dp is a controlled

or monitored function in EM, add the rule of the form

to II, depending on which one is in Ground(IIl(M,k)). The symbols $1, ..., and

art: constants of sort Dp, and cpj is any one of them. Add j(c1 ,...,&,$j, 0) to A if the

location (j, (cl, ...,&)) is equal to % in state so in the run T . Then A is an answer set

of n. In the case where the choice rule is added to II, A is an answer set of n because

the choice rule is an abbreviation of the following normal rules:

APPENDIX A. PROOFS

f (c l ,..., cn,cpl ,0) t not f ( C I ,..., cn,cp2,0), ..., not f ( ~ 1 , ..., &,%,o).

If f ( c l , . . . ,h ,$ j , 0 ) is in A , then the only rule among those above that will remain

in the reduct IIA is the one with f ( c l ,..., c n , ~ j , O ) as the head, and all literals in the

body of the rule will be removed. This rule is satisfied by A , but not by any subset

of A without f ( c l ,..., & , q , j , O ) . Therefore, A is minimal. If f ( c l ,..., &,$J ,0) has been

added to A , then add f ( c i ,..., & , $ l , O ) , ..., ~ ( c I , . . . , & ,%- I$ ) , f (~i , . . . ,&,~p3+1,0) , ..., and f ( c l ,..., h , ~ p ~ , O ) to A.

If the function f is controlled, then for each 1 < j < m and each 0 < i < k-1, add the

inertia rule

to II. In addition, add the atom f ( c l ,..., cn,cpj,i+l) to A if the location ( f , (c l ,..., h)) is

equal to % in state si+l in T , and A remains an answer set of II. Because the function

f i,s controlled, the value of a location off may be updated, which means that an atom

of the form f (c1 , . . . , h , ~ p j , i + l ) may be the heads of other rules in Ground(II1 ( M , k ) ) .

If ,f ( c l , ..., k , c p j , i + l ) has been added to A, then add all rules with f ( c l ,..., &,$j, i+l)

as their heads to II, and A is still an answer set of II. Also add f (c l ,...,&,$I , i+l) ,

..., f ( ~ 1 , ..., ~n ,~p j - l , i+ l ) , f ( ~ 1 , ... ,c , ,~pj+l, i+l) , ..., and f ( ~ 1 , ..., cn,cprn,i+l) to A.

If the function f is monitored, then for each 0 < i < k-1, add the rule

to II and add f ( c l ,..., &,c,j,i+l) to A if the location ( f , ( c l , ..., h)) is equal to in

sta,te si+l in T . Clearly, A is an answer set of II. If f ( c l , ..., h ,~p j , i+ l ) has been added


At the end of this step, A is a set of atoms from which .ir can be obtained because for

each location (f, (cl ,..., k)), it is equal to cp in state si in .ir iff the atom f (cl ,..., k,$ , i )

is .in A for all 0 < i < k.

6. Repeat the following sub-steps until both A and A have become stable:

(a) For each atom a in Ground(IIl(M,k)), if there is a rule of the form

a t al, ..., h, not h + 1 , ..., not a,

in Ground(IIl(M,k)) such that a l l ..., and a, are in A and %+I, ..., and a, are

in A, add a to A and add all rules with a as their heads to II.

Note that in this sub-step, for each controlled or monitored function f : Dl x ... x D, -+ Dp and for each 0 < i < k, an atom of the form f (el , . . . ,k,$, i ) is never

added to A if the location (f, (el, ...,%)) is not equal to cp in state si in .ir, which

would contradict step 5 in which f ( c l I . . . , ~ , ~ , i ) is added to A. It would also

make .ir not obtainable from A. The case where the function f is monitored is

easy because an atom of the form f (el,. . . , k , ~ p , i ) does not appear in the head of

any rule considered in this sub-step for any 0 < i < k. The same reason applies

if the function f is controlled and i = 0. If i > 0, then toward a contradiction,

we take the smallest i such that an atom of the form f (cl ,...,h,c,, i ) is added to

A in this step but the 10cat~ion (f, (cl, ...,&)) is not equal to cp in state s,. Then

the prefix (so, ..., si-1) of .ir can still be obtained from A, but the prefix (so, ..., si)

cannot. In Ground(IIl (MI k)), there must be a rule

which results from the translation of an update rule f (tl , ...,k) := tp. The atom

f (el, ...,&,$, i) is added to A because for each positive literal in the body of the

rule, say an atom b, b is in A, and for each negative literal, say not b, b is in A.

In other words, the body is true with respect to A and false with respect to A.

Because the prefix (so, ..., si-1) of .ir can be obtained from A, we can follow the

proof of Lemma 1 to show that the update ((f, (el, ...,&)), $) is in the update

set fired in state si-1. However, the location (f, (el, ...,&)) is not equal to c, in


state si. The only way for this to happen is that the update set fired in si-1 is

inconsistent, since the firing of an inconsistent update set causes no change to the value of any location. This contradicts our assumption that the update set

fired in every state of M is consistent. Therefore, if the location (f, (cl, ...,&)) is

not equal to cp in state si, the atom f (cl, ...,&,$, i ) is definitely not in A. As a

result, A remains an answer set of ll from which .ir can be obtained.

(b) For each atom a in Ground(lll(M,k)), if in the body of each rule with a as the

head, there is a positive literal, say an atom b, where b is in A, or a negative

literal, say not b, where b is in A, add all these rules to ll and add a to A. At

the end of this sub-step, A is still answer set of II.

(c) Suppose there is a choose rule in M with head variable v of sort Dp and guard

g(v), where v is translated into a logic program variable X, g(v) is translated by

Et(g(v),i) into an atom q(i), and X is added as a parameter to q(i) and each

atom that is the head of an auxiliary rule from &(g(v),i). Let ~ p l , ..., and cp,

be constants of sort D,. If the choose rule is not enclosed by any do-forall or

choose, the translation of the choose rule results in choice rules of the following

form in Ground(lll(M,k)) for each 0 < i < k-1:

The symbol <other literals> denotes the literals added to the body of each choice

rule as the choose rule may be a sub-rule in another transition rule. Let al, ..., h, not %+I, ..., not a, be the literals in <other literals>. If one of q ( ~ p ~ , i ) ,

..., and q(%,,i) is in A, al , ..., and a, are in A, and a,+l, ..., and a, are in A,

then add choose-var(~pj,i) to A if the head variable v is mapped to cpj in state

si in .ir, where 1 < j < m. Also add choose-var(cpl,i), ..., choose-var(cpj-l,i),

choo~e-var(q,j+~ ,i) , . .. , and choose-var(cp,,i) to A. Finally, add all the choice

rules above to ll. Then A remains an answer set of l l .

We know that the head variable v must be mapped to one of ~ p l , ..., and ~ p , in

state si in .ir. First, we have q(cpj,i) in A for some 1 < j < m. Since .ir can be


obtained from A, we can follow the proof of Lemma 1 to show that q(cpj,i) is in

A iff Val,,,c(g(cpj)) = true. Then we get Val,,,C(g(cpj)) = tme, which indicates

that the range of the guard g(v) is not empty in si. In addition, we can show

that the choose rule is executed in si based on the fact that al, ..., and e, are in

A and &+I, ..., and e, are in A. Thus, one of q,l, ..., and q,, must be chosen

for the head variable v.

This same sub-step also applies if the choose rule is enclosed by do-forall or choose

rules.

(d) For the choice rules in (c) above, if all of q(q,l,i), ..., and q(q,,,i) are in A, then

add all the choice rules to II and add choose-var(cpl,i), ..., and choose-var(cpm,i)

to A. Do the same thing if there is a positive literal in <other literals>, say an

atom b, where b is in A, or a negative literal in <other literals>, say not b, where

b is in A. After that. A is still an answer set of II.

7. For each rule in Ground(IIl (M,k)) that has not been added to II, add it to II and add

the head of the rule to A.

In this step, suppose two atoms p and q were added to A and two rules of the following

form were added to II:

p + not q.

9 + P.

Then A would no longer be an answer set of II. In general, if a group of rules added

to II in this step formed a non-stratified program, then A would not be an answer set

of II at the end of this step. However, no rules added in this step form a non-stratified

program, as we explain below.

In Ground(IIl(M,k)), there are two sources of rules forming a non-stratified pro-

gram. First, the inertia rules for each controlled function in C M form a non-stratified

program. However, they have been added to II in step 5. Each choice rule in

Ground(IIl(M,k)) is an abbreviation of a set of normal rules that also form a non-

stratified program. However, all choice rules have been added to II by the end of step

6. Consider an example of choice rules we considered in step 6:

APPENDIX A. PROOFS

We are sure that all those choice rules were added to II in step 6. The reason is as

follows. In the dependency graph of Ground(IIl(M,k)), the atoms choose-var($~,i),

..., and choose-var($,,i) depend on those atoms with the integer i as the state iden-

tifi.er, and those atoms that depend on choo~e_var($~, i ) , .. . , or choose-var(%, , i)

have i f 1 as the state identifier. For each atom on which choose-var(%l , i) , ..., and

choose-var(cp,i) depend, we can decide whether it should be put in A or A with-

out first figuring out where t o put cho~se-var($~, i ) , ..., and choose-var(q,,,i). As a

result, all choice rules of the form above must have been added to II in step 6.

Therefore, no rules added in this step form a non-stratified program. We can guarantee

that A remains an answer set of II.

Every rule in Ground(IIl(M,k)) is now in II, and every atom in Ground(IIl(M,k)) is

in A or A. Because A is an answer set of II, it is an answer set of II1(M,k). In addi-

tion, the run .ir can be obtained from A. It remains to prove that A is an answer set of

II(M,k). If A satisfies every constraint in Ground(IIa(M,k)), which has all the constraints

in Grou:nd(II(M,k)), then by Proposition 2, A is an answer set of Ground(II(M,k)). Each

constraint in Ground(I12(M,k)) results from the translation of a choose rule. If the choose

rule is not enclosed by do-forall or choose rules, the constraint has the form

+ choose-var(c,i), not q(c,i), dp(c), <other literals>, has-nextstate ( i ) .

If choose-var(c,i) is not in A or q(c,i) is in A, then A satisfies the constraint above. If

choose-zlar(c,i) is in A, then it must have been added to A in step 6 in the construction

of A. Suppose the head variable of the choose rule is v and the guard is g(v). In step 6 in

the construction of A, choose-var(c,i) is added to A if v is mapped to c in state si in .ir.

This means that V ~ l ~ , , ~ ( g ( c ) ) = true. Because q(c,i) is in A iff V ~ l , ~ , ~ ( g ( c ) ) = true, we get

q(c,i) E A, which implies that A satisfies the constraint above. If q(c,i) is not in A, then

we get V~l , , ,~(g(c)) = false, and thus v cannot be mapped to c in si. This implies that

choose-ziar(c,i) is not in A, and A satisfies the constraint. The argument is similar if the

choose rule is enclosed by do-forall or choose rules.

Therefore, by Proposition 2, A is an answer set of II U { con ), where con is a con-

straint of the form above. By repeatedly applying Proposition 2 to each constraint in

Ground(I12(M,k)), we get the result that A is an answer set of II U Ground(IIa(M,k)) =


Ground(,II(M,k)). Consequently, for each run .ir = (so, ..., sk) of M, there is an answer set A

of II(M,,k) such that .ir can be obtained from A. This completes the proof of Lemma 4 for

the case where every sort in End has a fixed universe and the update set fired in each state

of M is consistent.

For the case where the update set fired in a state may be inconsistent, the proof is

largely the same. The difference is in step 6(a). When we prove that for each controlled or

monitored function f : Dl x ... x D, -, Dp and for each 0 5 i 5 k, an atom of the form

f (el ,..., cn,c,,i) is never added to A if the location (f, (el ,..., h ) ) is not equal to c, in state

si, we ch.ange the proof as follows. If the function f is controlled, toward a contradiction, we

take the smallest i > 0 such that an atom of the form f (el ,...,&, c,,i) is added to A in this

step but the location (f, (el ,...,&)) is not equal to c, in state si. Then the prefix (so, ..., si-1)

of .ir can still be obtained from A, but the prefix (so, ..., si) cannot. In Ground(IIl(M,k)),

there is the rule

f (cl ,..., h,c, , i ) + update-f (el ,..., h,cp,i-1), not inconsistent(i-1),

dl(cl), ..., &(en), dp(c,), has-next-state(i-1).

I f f (el ,..., h,c , , i ) is added to A in step 6(a), then update-f (c~,...,cn,cp,i-1) must be in A, and

inconsistent (i-1) must be in A. In Ground(II1 (M,k)), there must be a rule of the following

form which results from the translation of an update rule f (tl , ..., h) := tp:

update-f (el, ..., cn,$,i-1) + <side atoms>, <other literals>, has-next-state(i-1).

The atom update-f (el, ..., c,,c,,i-1) is in A because for each positive literal in the body of the

rule, say an atom 6, b is in A, anti for each negative literal, say not b, b is in A. Since the

prefix (so ,..., q-1) of .ir can be obtained from A, we can show that the update ((f, (el ,..., h ) ) ,

c,) is in the update set fired in state $,-I. Moreover, since inconsistent(i-1) is in A, which

means that it will definitely not be added to A, we know that the update set fired in si-1

is consistent. However, the location (f, (el , ...,&)) is not equal to c, in state q , which is

a contradiction. Therefore, if the location (f, (el ,...,&)) is not equal t o c, in s,, the atom

f (el ,... , h,c, , i ) is not in A.

For the case where some sorts in EM have a dynamic universe, we extend the proof as

follows. We first extend step 6 in the construction of A with the following sub-steps:

0 Suppose there is an extend rule in M with head variable v of sort Dp. Let $1, ..., and

cp, be the names representing the elements in the initial sub-reserve of sort Dp. If the


extend rule is not enclosed by any do-forall, choose or extend rules, the translation of

the extend rule results in a choice rule of the following form in Ground(II1(M,k)) for

each 0 < i 5 k-1:

1 { extend-var(cpl,i), ..., extend-var(%,i) ) 1 +

$-res-nempty ( i ) , has-next-state(i).

The symbol <other literals> denotes the literals added to the body of each choice rule

as the extend rule may be a sub-rule in another transition rule. Let a l l ..., h, not

h,+l, ..., not a, be the literals in <other literals>. If $-res-nempty ( i ) , a l l ..., and a,

are in A, and h + l 1 ..., ~n are in A, then add extend-var($j,i) if the head variable v

is mapped to +j in state si in T . Also add e~tend-var (+~, i ) , ..., e ~ t e n d - v a r ( c ~ ~ - ~ , i ) ,

e x t e n d - v a ~ ( c ~ ~ + ~ , i ) , ..., and ex tend-~ar (~ , , i ) to A. Finally, add all the choice rules

above to II. Then A is still an answer set of II.

We know that the head variable v must be mapped to one of +I, ..., and cpm in state

si in T . First, we have $-res-nempty(i) in A. This atom is in A because an atom of

the form $-universe(c,i) is in A, where c is any one of $1, ..., and %, and we have

the following rule in Ground (IT1 (MI k)):

$-res-nempty(i) + not 4-universe(c,i), $(c), has-next-state(i).

Since $-universe(c,i) is in A, it is not in A. The element c is in the universe of sort

Dr, in si iff $-universe(c,i) is in A. Therefore, c is not in the universe of sort Dp in si,

which means that the sub-reserve of Dp is not empty in si. In addition, we can show

that the extend rule is executed in si based on the fact that a l l ..., and a, are in A

and %+I, ..., and a, are in A. Therefore, an element from the sub-reserve of sort Dp

must be imported and assigned to the head variable v.

This same sub-step also applies if the extend rule is enclosed by do-forall, choose or

extend rules.

For the choice rules in the sub-step above, if 4-res-nempty(i) is in A, then all the

choice rules to IT and add extend-v~r(+~ , i ) , ..., and extend-var(cm,i) to A. Do the

same thing if there is a positive literal in <other literals>, say an atom b, where b is

in A, or a negative literal in <other literals>, say not b, where b is in A. After that,

A is still an answer set of IT.

APPENDIX A. PROOFS

We also need a simple extension to step 7 to cover the choice rules considered in the new

sub-steps of step 6. With the extensions to steps 6 and 7, A is an answer set of II, which is

Ground(lll (M,k)). We now prove that A satisfies every constraint in Ground(l12(M,k)) as

follows:

0 The translation of a choose rule that is not enclosed by do-forall, choose or extend

rules results in constraints of the following form in Ground(l12(M,k)) for each 0 < i < k-1:

c choose~var(c,i), not q(c,i), dp(c), <other literals>, has-next-state(i).

We have already shown why A satisfies these constraints.

The translation of a choose rule that is not enclosed by do-forall, choose or extend

rul.es also results in constraints of the following form in Ground(IIz(M,k)) for each 0

< 2 5 k-1:

If choose-var(c,i) is not in A or dp-universe(c,i) is in A, then A satisfies the constraint

above. If choose-var(c,i) is in A, then it must have been added to A in step 6 because

the head variable of the choose rule is mapped to the element c in state si in n. This

means that c must be in the universe of sort Dp in si, and thus dp-universe(c,i) is in

A. As a result, A satisfies the constraint above. If dp-universe(c,i) is not in A, then

the element c is not in the universe of sort Dp in si. Then it is not possible for c to be

chosen as the value of the head variable, which means that choose-var(c,i) is not in

A. As a result, A satisfies the constraint above. The argument is similar if the choose

rule is enclosed by do-forall, choose or extend rules.

0 The translation of an extend rule that is not enclosed by do-forall, choose or extend

rules results in constraints of the following form in Ground(l12(Mlk)) for each 0 < i < k-1:


If extend-var(c,i) or dp-universe(c,i) is not in A, then A satisfies the constraint above.

If extend-var(c,i) is in A, then it must have been added to A because the element c

is imported from the sub-reserve of sort Dp and assigned to the head variable of the

extend rule in state si in T . This means that c is not in the universe of sort Dp in

si . Therefore, dp-universe(c,i) is not in A, and A satisfies the constraint above. If

$-.universe(c,i) is in A, then the element c is in the universe of sort Dp in si, which

means that it cannot be imported. Therefore, extend-var(c,i) is not in A, and A

satisfies the constraint above. The argument is similar if the extend rule is enclosed

by do-forall, choose or extend rules.

0 In the translation of two extend rules, we use two different predicates, say extend-war

and extend-war', to denote the assignments of reserve elements to the respective head

variables. If the two head variables are of the same sort, say Dpl we ensure that a

reserve element is not taken by the two extend rules in the same state with constraints

like the following:

If extend-var(c,i) or extend-varl(c,i) is not in A, then A satisfies the constraint above.

Since the same element c cannot be taken by more than one extend rule in the same

state, in step 6, it is not possible for both extend-var(c,i) and extend-varf(c,i) to be

added to A. Therefore, one of the two atoms is not in A, which means that A satisfies

the constraint above.

0 For each monitored function f : Dl x ... x D, -+ Dpr if sort Dp has a dynamic universe,

then for each 0 5 i 5 k-1, we have constraints of the following form to restrict that a

value not in the universe of Dp cannot be the value of a location o f f :

If f (cl ,...,%,$, i+1) is not in A, then A obviously satisfies the constraint above. If

f (cl ,... ,%,+,i+l) is in A, then the location (f, ( ~ 1 , ..., k,cp)) is equal t o cp in state

si,.~ in T . This means that cp is in the universe of sort D, in si+l. As a result,

dp-universe(cp,i+l) is in A, and A satisfies the constraint above.


We have shown that A satisfies every constraint in Ground(I12(M,k)). By Proposition 2,

A is an answer set of Ground(IIl(M,k)) U Ground(I12(M,k)) = Ground(II(M,k)). Therefore,

A is an answer set of II(M,k) from which the run .ir can be obtained. This completes the

proof of Lemma 4. 0

Let h be an LTL formula obtained by converting 111, into negation normal form. We

divide II(+,k) into two sub-programs: IIl(111,,k), which consists of the loop-related rules

and the translation of h, and I12(711,,k), which is the constraint +- not h(0). We now

prove that for each run (so, ..., sk) of M, the program II(M,k) U IIl (+,k) has an answer set

from which a run equivalent to (so,.. .,sk) can be obtained. For that, we need the following

proposition, which can be found in [27]:

Proposition 3. Let 111 be a ground program and 112 be a stratified ground program such

that the atoms in the heads of the rules in 112 do not appear in ill. Then for each answer

set A1 of 111, there is a unique answer set A of 111 U 112 such that A1 = A n Atoms(lI1).

Lemma. 5. For each run (so,. . . ,sk) of M, ll(M, k) U lll (+,k) has an answer set from which

a run equivalent to (so,. ..,sk) can be obtained.

Proof. There are two cases for the run (so, ..., sk):

1. For some 0 < j 5 5-1, state sk is equivalent to sj, i.e., (so ,..., sk) has a loop.

2. There is no loop in (so ,..., sk).

We first fix a run .ir that is equivalent t,o (so, ..., sk):

0 In case 1, if sk is equivalent to s, for some 0 5 j 5 k-1 under our restricted definition

of state equivalence, then we fix .ir as (so, ..., sk) itself.

Suppose sk is equivalent to sj under the original definition of state equivalence but

not under the restricted one. This means that after state sj, an element e is removed

from the universe of a sort and a different element ef is added to the universe of the

same sort before sk. The order of removing e and the adding e' is irrelevant. Then

there must be a run (so, ..., sk,) in M such that skt is a successor state of sk-1 and skt

and sj are equivalent under the restricted definition of state equivalence. In this run,

after sj, an element e is removed from the universe of a sort and the same element e

is added to the universe of the same sort before sp. The runs (so, ... ,sk) and (so, ..., sk,)

are equivalent under the original definition of st ate equivalence. We fix .ir as (so,. . . , sk,).

APPENDIX A. PROOFS

0 In case 2, we fix 7r as (so ,..., sk) itself.

Because 7r is equivalent to (so, ..., s k ) , the same two cases for (so, ..., sk) also apply to .7r.

By Lemma 4, there is an answer set AM of II(M,k) such that 7r can be obtained from

AM. Let II be a copy of Ground(II(M,k)) and A be a copy of AM. Now A is an answer set

of II. In the following, we show that II(M,k) U IIl(7$,k) has an answer set from which 7r

can be obtained:

0 First, add the following choice rule to II:

This choice rule is an abbreviation of the following set of normal rules in which p is

an arbitrary atom:

p + not e1(0), ..., n,ot el(k-1).

el(0) + not e l ( l ) , ..., not el(k-1), not p.

. . . el(j) + not e1(0), ..., not el(j-1), not e l ( j+ l ) , ..., not el(k-1), not p.

. . . el(k-1) + not e1(0), ..., not el(k-2), not p.

The set A can be extended to an answer set of II in one of the following two ways:

- In case 1 where sk (or sk,) is equivalent to sj in 7r under the restricted definition

of state equivalence, we let A = A U { el(j) ) for some 0 5 j 5 k-1. During

the computation of G r o ~ n d ( I I ) ~ , all the normal rules above will be removed

except the one with el(j) as the head. That rule will become el(j) +, which is

satisfied because el(j) is in A. Therefore, A satisfies G r ~ u n d ( I I ) ~ . In addition,

A is minimal as any subset of A without el(j) does not satisfy the rule el(j) +-.

- In case 2 where n has no loop, we let A = A U { p }. During the computation

of G r ~ u n d ( I I ) ~ , all the normal rules above will be removed except the one with

p as the head, and that rule will become p +, which is satisfied as p is in A.

Consequently, A satisfies ground(^)^. Moreover, any subset of A without p does

not satisfy the rule p +, and thus A is minimal.


For each sort Dp with a dynamic universe in CAl and each 0 5 j 5 k-1, add the pairs

of constraints of the following form to II:

t el(j), 6-universe(c,j), not 6-universe(c, k), has-next-state(j).

+ el(j), not 6-universe(c,j), 6-universe(c,k), has-next-state(j).

The set A remains an answer set of II, as explained below:

.- In case 1 where A has el(j) for some 0 < j < k-1, state sk (or S ~ I ) is equivalent

to sj in .rr under the restricted definition of state equivalence. This means that

an element c is in the universe of sort Dp in sj iff it is in the universe of Dp in

sk (or s k , ) Since T is obtained from A, we know that the atom &universe(c,j)

is in A iff dp-universe(c,k) is in A. Therefore, A satisfies all constraints added in

this step.

- In case 2 where A has p, A obviously satisfies all constraints added in this step

because el(j) is not in A for all 0 5 j < k-1.

For each controlled or monitored function f : Dl x ... x D, 4 Dp in Chf and each O

< j < k-1, add all constraints of the following form to II:

We claim that A remains an answer set of II:

- In case 1 where A has el(j) for some O 5 j 5 k-1, state sk (or ~ k ' ) is equiva-

lent to sj in .rr under the restricted definition of state equivalence. If the atom

f (cl ,..., k,$,j) is in A, then the location (f, (cl, ..., h)) is equal to c+ in sj because

.rr is obtained from A. This means that the location (f, (cl, ...,&)) is equal to c, in

sk (or sk , ) Therefore, f (cl ,...,%, cp, k) is also in A, and A satisfies all constraints

added in this step.

- In case 2 where A has p, A obviously satisfies all constraints added in this step

because el(j) is not in A for all 0 5 j 5 k-1.

For all 0 5 j 5 k-1, add the following rules to II:

APPENDIX A. PROOFS

le +- e l ( j ) , has-next-state(j).

il ( j ) +- el ( j ) , has-next-state(j).

i l ( j + l ) +- il ( j ) , has-next-state(j).

The set A can be extended to an answer set of II in one of the following two ways:

- Incase 1 where A has e l ( j ) for some0 5 j 5 k-1, A = A U { le, i l ( j ) , ..., i l ( k )

) satisfies G r ~ u n d ( I I ) ~ . Moreover, A is minimal because removing any one of

le, i l ( j ) , ... , and i l ( k ) from A would leave at least one of the following rules in

Ground ( I I ) A unsatisfied:

- In case 2 where A has y , A is an answer set of II as e l ( j ) is not A for all 0 5 j 5

k-1, which implies that all rules added in this step are satisfied.

At this point, all loop-related rules in G r o u n d ( I I 1 ( i $ , k ) ) have been added to II.

0 Let the ground instantiation of the translation of h be IIh, and so we have II U IIh =

I I ( M , k ) U II l(+,k) . II has an answer set in A , and IIh is a stratified program such

that the atoms in the heads of the rules in IIh do not appear in II. Therefore, by

Proposition 3 , an answer set A1 of II U IIh = Ground( I I (M,k ) ) U Ground(II1 ( l $ , k ) )

exists such that A = A 1 n A t o m s ( n h ) .

The set A is a subset of A l , which is an answer set of I I ( M , k ) U IIl(+,k). Since A

is an extension of A M , which is an answer set of I I ( M , k ) , A M is a subset of A1 . The

difference between A,w and A 1 contains only atoms that appear in Ground(II l(+,k)) but

not in Ground( I I (M,k ) ) . Therefore, the run n obtained from A M can be obtained from A l

as well. 0

We can now finish the proof of Theorem 2.

Proof. 13y Lemma 5 , for each run ( so , ..., sk ) of M , I I (M,k ) U 111 (+,k) has an answer set A

from which an equivalent run n can be obtained. This means that if ( so , ... , sk ) satisfies -+, so does n. By Lemma 3 , h ( 0 ) E A iff n k h. If n k -$ (i.e., n k h ) , h ( 0 ) is in A , and

A satisfies the constraint +- not h ( 0 ) in IIs(+,k). By Proposition 2, A is an answer set of

APPENDIX A. PROOFS

I I ( M , k ) IJ 111 ( + , k ) U I I z ( ~ + , k ) , which is I I ( M , k ) U II (+ ,k) . Therefore, if a run ( s o , ..., sk)

of M satisfies T$, then II (M,k) U II (7$ ,k) has an answer set from which a run equivalent

to ( s o , ..., s k ) can be obtained. 0

Bibliography

[I] Y. Babovich, E. Erdem, and V. Lifschitz. Fages' theorem and answer set programming. In Proceedings of the 8th International Workshop o n Non-Monotonic Reasoning, 2000.

[2] Y. Babovich and V. Lifschitz. Computing answer sets using program completion. Un- publlished draft, 2003.

[3] C. Baral. Knowledge Representation, Reasoning, and Declarative Problem Solving. Cambridge University Press, 2003.

(41 M. Ben-Ari, Z. Manna, and A. Pnueli. The temporal logic of branching time. Acta Informatics, 20:207-226, 1983.

[5] A. Biere, A. Cimatti, E. M. Clarke, 0. Strichman, and Y. Zhu. Bounded Model Check- ing., volume 58 of Advances Jn Computers. Academic Press, 2003.

[6] E. Borger and R. Stark. Abstract State Machines: A Method for High-Level Sys tem Design and Analysis. Springer, 2003.

[7] L. {Carlucci Aiello and F. Massacci. Verifying security protocols as planning in logic programming. A C M Transactions o n Computational Logic, 2(4):542-580, 2001.

[8] W. Chan, R. Anderson, P. Beame, S. Burns, F. Modugno, D. Notkin, and J. Reese. Model checking large software specifications. I E E E Transactions o n Software Engi- neering, 24(7):498-520, 1998.

[9] A. Cimatti, E. Clarke, E. Giunchiglia, F. Giunchiglia, M. Pistore, M. Roveri, R. Sebas- tiani, and A. Tacchella. NuSMV 2: An opensource tool for symbolic model checking. In Proceedings of the 14th International Conference o n Computer-Aided Verification, pages 359-364. Springer, 2002.

[lo] E. M. Clarke and E. A. Emerson. Design and synthesis of synchronization skeletons using branching-time temporal logic. In Proceedings of the Workshop o n Logic of Pro- grams, pages 52-71. Springer, 1981.

[ll] E. M. Clarke, 0. Grumberg, and D. E . Long. Model checking and abstraction. A C M Trimsactions o n Programming Languages and Systems, 16(5):1512-1542, 1994.

BIBLIOGRAPHY

[12] E. RI. Clarke, 0 . Grumberg, and D. Peled. Model Checking. MIT Press, 1999.

1131 E. h1. Clarke, Orna Grumberg, and K. Hamaguchi. Another look a t LTL model checking. Formal Methods i n System Design, 10(1):47-71, 1997.

[14] E. PIA. Clarke, D. Kroening, J . Ouaknine, and 0. Strichman. Completeness and complexity of bounded model checking. In Proceedings of the 5th International Conference on Verification, Model Checking, and Abstract Interpretation, pages 85-96. Springer, 2004.

[15] D. Craigen. Formal methods adoption: What's working, what's not! In Proceedings of the 5th and 6th International SPIN Workshops on Theoretical and Practical Aspects of SPIN Model Checking, pages 77-91. Springer, 1999.

[16] G. :Del Castillo. The ASM Workbench - A Tool Environment for Computer Aided Ancrlysis and Validation of ASM Models. PhD thesis, University of Paderborn, 2000.

[17] G. Del Castillo and K. Winter. Model checking support for the asm high-level language. In Proceedings of the 6th International Conference for Tools and Algorithms for the Construction and Analysis of Systems, pages 331-346. Springer, 2000.

[18] Marc Denecker. Extending classical logic with inductive definitions. In Proceedings of t,he 1st International Conference on Computational Logic, pages 703-717. Springer, 2000.

[19] Y. Dong, X. Du, Y. S. Ramakrishna, C. R. Ramakrishnan, I. V. Ramakrishnan, S. A. Smolka, 0. Sokolsky, E. W. Stark, and D. S. Warren. Fighting livelock in the i-Protocol: A comparative study of verification tools. In Proceedings of the 5th International Con- ference on Tools and Algorithms, pages 74-88. Springer, 1999.

[20] E. Erdem and V. Lifschitz. Tight logic programs. Theory and Practice of Logic Pro- gramming, 3(4-5) :499-518, 2003.

[21] A. Gargantini, E. Riccobene, and S. Rinzivillo. Using Spin to generate tests from ASM specifications. In Proceedings of the 10th International Workshop on Abstract State Ma,chines, pages 263-277. Springer, 2003.

[22] A. Gawanmeh, S. Tahar, and K. Winter. Interfacing ASM with the MDG tool. In Proceedings of the 10th International Workshop on Abstract State Machines, pages 278-292. Springer, 2003.

[23] M. Gelfond and V. Lifschitz. The stable model semantics for logic programming. In Proceedings of the 5th International Conference on Logic Programming, pages 1070- 1080. MIT Press. 1988.

[24] R. ~Gerth, D. Peled, M. Y. Vardi, and P. Wolper. Simple on-the-fly automatic verification of linear temporal logic. In Proceedings of the 15th IFIP WG6.1 International

BIBLIOGRAPHY 114

Sym,posium on Protocol Specification, Testing and Verification, pages 3-18. Chapman & Rall, 1995.

[25] Y. Gurevich. Evolving algebras 1993: Lipari guide. In Egon Borger, editor, Specification and Validation Methods, pages 9-36. Oxford University Press, 1995.

[26] Y. Gurevich, B. Rossman, and W. Schulte. Semantic essence of AsmL. In Proceedings of the 2nd International Symposium on Formal Methods for Components and Objects, pages 240-259. Springer, 2003.

[27] K. Heljanko and I. Niemela. Bounded LTL model checking with stable models. Theory and Practice of Logic Programming, 3(4):519-550, 2003.

[28] G. J. Holzmann. The model checker SPIN. IEEE Tmnsactions on Software Engineering, 23(5):279-295, 1997.

[29] M. Kardos. An approach to model checking asml specifications. In Proceedings of the 12th International Workshop on Abstract State Machines, pages 289-304. Springer, 2005.

[30] D. Kozen. Results on the propositional mu-calculus. Theoretical Computer Science, 27::333-354, 1983.

[31] T. Latvala, A. Biere, K. Heljanko, and T . Junttila. Simple is better: Efficient bounded model checking for past LTL. In Proceedings of the 6th International Conference on Ver- ification, Model Checking and Abstract Interpretation, pages 380-395. Springer, 2005.

[32] N. Leone, G. Pfeifer, W. Faber, F. Calimeri, T . Dell'Armi, T . Eiter, G. Gottlob, G. Ianni, G. Ielpa, C. Koch, S. Perri, and A. Polleres. The DLV system. In Proceed- ings of the 8th European Conference on Artificial Intelligence, pages 537-540. Springer, 2002.

[33] Yu. Lierler and M. Maratea. Cmodels-2: SAT-based answer set solver enhanced to non-tight programs. In Proceedings of the 7th Conference on Logic Programming and Non-Monotonic Reasoning, pages 346-350. Springer, 2004.

[34] V. Lifschitz. Introduction to answer set programming, 2004. Introductory course at the 16th European Summer School in Logic, Language and Information.

[35] K. L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, 1993.

[36] M. Moskewicz, C. Madigan, Y. Zhao, L. Zhang, and S. Malik. Chaff: Engineering an efficient SAT solver. In Proceedings of the 38th Design Automation Conference, pages 530-535. ACM Press. 2001.

[37] D. Peled. Ten years of partial order reduction. In Proceedings of the 10th International Conference on Computer Aided Verification, pages 17-28. Springer, 1998.

BIBLIOGRAPHY 115

[38] A. I'nueli. A temporal logic of concurrent programs. Theoretical Computer Science, 13:4.5-60, 1981.

[39] L. I'okorny and C. Ramakrishnan. Model checking linear temporal logic using tabled logic programming. In Proceedings of the 2nd Workshop on Tabulation in Parsing and Dedluction, 2000.

[40] P. Simons. Extending and Implementing the Stable Model Sem.antics. PhD thesis, Helsinki University of Technology, 2000.

[41] M. Spielmann. Automatic verification of abstract state machines. In Proceedings of 11th International Conference on Computer-Aided Verification, pages 431-442. Springer, 1999.

[42] T. Syrjanen. Lparse 1.0 User's Manual, 2000. Electronic manual available at http://www.tcs.hut.fi/Software/smodels/lparse.ps.

[43] C. 'Tang and E. Ternovska. Model checking abstract state machines with answer set programming. In Proceedings of the 12th International Conference on Logic for Pro- gramming, Artificial Intelligence and Reasoning, pages 443-458. Springer, 2005.

[44] M. H. Van Emden and R. A. Kowalski. The semantics of predicate logic as a programming language. Journal of th.e ACM, 23(4):733-742, 1976.

[45] J. 'Wing and M. Vaziri-Farahani. A case study in model checking software systems. Science of Computer Programming, 28(2-3):273-299, 1997.

[46] K. Winter. Model Checking Abstract State Machines. PhD thesis, Technical University of Berlin, 2001.

summit.sfu.casummit.sfu.ca/system/files/iritems1/2413/etd2221.pdfmodel checking abstract state...

Documents