
Let $M = [S, R, L, S_0]$ be a Kripke structure. A computation of $M$ can be considered as an infinite word over the alphabet $\Sigma = 2^{AP}$. Thus, the set of all computations of $M$ forms a language $L(M) \subseteq \Sigma^\omega$. Analogously, every LTL formula $\varphi$ describes a language $L(\varphi) \subseteq \Sigma^\omega$, defined as the set of all infinite words that satisfy this formula.

Theorem 5 ([VW94, Var96])

Let $\varphi$ be an LTL formula. There exists a Büchi automaton $A_\varphi = [\Sigma, Q_\varphi, \Delta_\varphi, q_0^\varphi, F_\varphi]$ such that $L(A_\varphi) = L(\varphi)$ and $|Q_\varphi| \le 2^{O(|\varphi|)}$.

For every Kripke structure $M$ we can also construct a Büchi automaton $A_M$ such that $L(A_M) = L(M)$ as follows: $A_M = [\Sigma, S \cup \{s_i\}, \Delta_M, s_i, S \cup \{s_i\}]$ where:

• $(s, p, s') \in \Delta_M$ for $s, s' \in S$ if and only if $(s, s') \in R$ and $p = L(s')$.

• $(s_i, p, s) \in \Delta_M$ if and only if $s \in S_0$ and $p = L(s)$.

Notice that all the states of the constructed automaton are accepting.

An LTL formula $\varphi$ holds in all computations of $M$ if $L(A_M) \subseteq L(A_\varphi)$. This can be rewritten as $L(A_M) \cap \overline{L(A_\varphi)} = \emptyset$, which means that there is no computation of $M$ that is disallowed by $\varphi$. If the intersection is not empty, any computation in it is a counterexample. Büchi automata are closed under intersection and complementation [Büc60]. This means that there exists an automaton that accepts exactly the intersection of the languages of two automata, and an automaton that recognizes exactly the complement of the language of a given automaton. Computing the complement of a Büchi automaton is a complicated procedure, which is, in general, exponential. Fortunately, instead of translating an LTL formula $\varphi$ into a Büchi automaton $A_\varphi$ and then complementing it, we can simply translate $\neg\varphi$, which immediately provides an automaton $A_{\neg\varphi}$ for the complement language $\overline{L(A_\varphi)} = L(\neg\varphi)$.

Moreover, the fact that all states of the automaton $A_M$ are accepting also simplifies the construction of the intersection of these Büchi automata. It is then defined as $A_M \cap A_{\neg\varphi} = A_{M,\varphi} = [\Sigma, Q, \Delta, q_0, F]$ where:

• $\Sigma = 2^{AP}$

• $Q = (S \cup \{s_i\}) \times Q_{\neg\varphi}$

• $((s_j, q_k), a, (s_m, q_n)) \in \Delta$ if and only if $(s_j, a, s_m) \in \Delta_M$ and $(q_k, a, q_n) \in \Delta_{\neg\varphi}$

• $q_0 = (s_i, q_0^{\neg\varphi})$

• $F = (S \cup \{s_i\}) \times F_{\neg\varphi}$.

The constructed automaton $A_{M,\varphi}$ is usually called the product automaton. To check whether the LTL formula $\varphi$ holds in all computations of $M$, it is enough to check whether the language of the product automaton $A_{M,\varphi}$ is empty.

A usual translation procedure produces from an LTL formula $\neg\varphi$ a generalized Büchi automaton $A_{\neg\varphi} = [\Sigma, Q_{\neg\varphi}, \Delta_{\neg\varphi}, q_0^{\neg\varphi}, \{F^1_{\neg\varphi}, \ldots, F^n_{\neg\varphi}\}]$. We can then define the product automaton $A_{M,\varphi}$ as a generalized automaton $A_{M,\varphi} = [\Sigma, Q, \Delta, q_0, \{F_1, \ldots, F_n\}]$, where $Q$, $\Delta$ and $q_0$ are defined as above and $F_i = (S \cup \{s_i\}) \times F^i_{\neg\varphi}$. Notice that the strength of the product automaton depends only on the strength of $A_{\neg\varphi}$. It is easy to see that $A_{M,\varphi}$ cannot be stronger than $A_{\neg\varphi}$.

Checking emptiness of a Büchi automaton is simple. Let $\sigma$ be an accepting run of a Büchi automaton $A = [\Sigma, Q, \Delta, q_0, F]$. Then $\sigma$ contains infinitely many accepting states from $F$. Since $Q$ is finite, there is some suffix $\sigma'$ of $\sigma$ such that every state on it appears infinitely many times. Each state on $\sigma'$ is reachable from any other state on $\sigma'$. Hence, the states in $\sigma'$ are included in an SCC that is reachable from the initial state and contains an accepting state, i.e. in a fair SCC. Conversely, any fair SCC that is reachable from the initial state generates an accepting run of the automaton. Thus, the Büchi automaton is not empty if there is a reachable accepting state with a cycle back to itself or, equivalently, there is a reachable fair SCC.

Analogously, a generalized Büchi automaton is not empty if there is a reachable state lying on a cycle that intersects all fair sets or, equivalently, there is a reachable fair SCC. If the automaton is not empty, then there is a counterexample, which can be presented in a finitary manner: the counterexample is a run consisting of a finite prefix followed by a periodic sequence of states.

Tarjan's algorithm [Tar72] for finding SCCs can be used to decide emptiness of a Büchi automaton in time $O(|Q| + |\Delta|)$. Consider Algorithm 22. For every state $q$ of the automaton we keep two integers, $q.num$ and $q.lowlink$: $q.num$ stores the depth-first search (DFS) number of the state, and $q.lowlink$ is the lowest DFS number of a state $t$ in the same SCC as $q$ such that $t$ was reachable from $q$ via states that were not yet explored when the search reached $q$. If, after all successors of $q$ have been visited, $q.lowlink = q.num$, then $q$ is the root of a newly found SCC. When an SCC is found, we check whether it is fair; if so, the automaton is not empty.

A number of algorithms that can be more efficient in practice and/or require less memory have been proposed by many authors, see [SE05] for the latest survey.

5.3 Model Checking LTL

Algorithm 22 (Emptiness check)

    proc CheckEmptiness(A)
      count := 0
      Visited := ∅                              -- no state visited yet
      SCCStack := empty stack

      proc visit(q)
        Visited := Visited ∪ {q}
        count := count + 1
        num[q] := count                         -- DFS number of q
        lowlink[q] := count
        push(SCCStack, q)

        forall { q′ | (q, _, q′) ∈ ∆ } do
          if q′ ∉ Visited then
            visit(q′)
            lowlink[q] := min(lowlink[q′], lowlink[q])
          elseif q′ ∈ SCCStack then             -- back edge into the current SCC
            lowlink[q] := min(num[q′], lowlink[q])
          fi
        od

        if num[q] = lowlink[q] then             -- q is the root of an SCC: pop it
          C := ∅
          repeat
            x := pop(SCCStack)
            C := C ∪ {x}
          until x = q
          if C ∩ F ≠ ∅ then                     -- C contains an accepting state
            if C ≠ {q} then
              exit(“a fair SCC is found”)
            else                                -- a single state is fair only with a self-loop
              if (q, _, q) ∈ ∆ then exit(“a fair SCC is found”) fi
            fi
          fi
        fi
      end

      begin
        visit(q0)
        exit(“no fair SCC was found”)
      end
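The product construction of this section and Algorithm 22, as an added example in Python (not the thesis's own code): it builds $A_M$ from a constructed Kripke structure, intersects it with a hand-written Büchi automaton for $\neg\varphi = \neg GFp$ (assumed correct for this example, not produced by any translation procedure), and runs the Tarjan-based emptiness check, returning the reachable fair SCC that witnesses a counterexample. Names such as `kripke_to_buchi`, `product_automaton` and `check_emptiness` are this example's own.

```python
# Added example (not the thesis's own code): product automaton A_M ∩ A_¬ϕ plus the Tarjan
# emptiness check of Algorithm 22. Automaton = dict Q, delta (set of (src, letter, dst)), q0, F.

def kripke_to_buchi(S, R, L, S0, si="s_i"):
    """A_M = [Σ, S ∪ {s_i}, Δ_M, s_i, S ∪ {s_i}]; the letter on (s, p, s') is L(s')."""
    delta = {(s, frozenset(L[t]), t) for (s, t) in R}
    delta |= {(si, frozenset(L[s]), s) for s in S0}
    Q = set(S) | {si}
    return {"Q": Q, "delta": delta, "q0": si, "F": Q}   # every state is accepting

def product_automaton(AM, AN):
    """A_M ∩ A_¬ϕ: synchronise on the letter; accept iff the A_¬ϕ component does."""
    delta = {((s, q), a, (t, r)) for (s, a, t) in AM["delta"]
             for (q, b, r) in AN["delta"] if a == b}
    Q = {(s, q) for s in AM["Q"] for q in AN["Q"]}
    return {"Q": Q, "delta": delta, "q0": (AM["q0"], AN["q0"]),
            "F": {(s, q) for (s, q) in Q if q in AN["F"]}}

def check_emptiness(A):
    """Algorithm 22: return a reachable fair SCC of A, or None when L(A) is empty."""
    succ = {}
    for (q, _, r) in A["delta"]:
        succ.setdefault(q, set()).add(r)
    num, lowlink, stack = {}, {}, []          # stack is SCCStack; num doubles as Visited

    def visit(q):
        num[q] = lowlink[q] = len(num) + 1    # DFS number of q
        stack.append(q)
        for r in succ.get(q, ()):
            if r not in num:
                found = visit(r)
                if found is not None:
                    return found
                lowlink[q] = min(lowlink[r], lowlink[q])
            elif r in stack:
                lowlink[q] = min(num[r], lowlink[q])
        if num[q] == lowlink[q]:              # q is the root of an SCC: pop it off
            i = stack.index(q)
            C, stack[i:] = set(stack[i:]), []
            if C & A["F"] and (C != {q} or q in succ.get(q, ())):   # fair SCC?
                return C
        return None
    return visit(A["q0"])

# Constructed sample: AP = {p}; hand-written automaton for ¬GFp = FG¬p (q1 reads ¬p forever) and M.
P, NO_P = frozenset({"p"}), frozenset()
A_NOT_GFP = {"Q": {"q0", "q1"}, "q0": "q0", "F": {"q1"}, "delta": {
    ("q0", P, "q0"), ("q0", NO_P, "q0"), ("q0", NO_P, "q1"), ("q1", NO_P, "q1")}}
A_M = kripke_to_buchi({"s0", "s1"}, {("s0", "s1"), ("s1", "s0"), ("s1", "s1")},
                      {"s0": {"p"}, "s1": set()}, {"s0"})
```

For this `A_M` the check returns the fair SCC `{("s1", "q1")}`, i.e. the computation that stays in `s1` forever violates $GFp$; removing the self-loop on `s1` makes the product empty.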
