GOAL: A Graphical Tool for Manipulating Büchi Automata and Temporal Formulae

In this paper, we present a tool named GOAL (an acronym derived from “Graphical Tool for OmegaAutomata and Logics”) whose main functions include (1) drawing and testing Büchi automata, (2) checking the language equivalence between two Büchi automata, (3) translating quantified propositional linear temporal logic (QPTL) formulae into equivalent Büchi automata, and (4) exporting Büchi automata as Promela code. The GOAL tool, available at http://goal.im.ntu.edu.tw, can be used for educational purposes, helping the user get a better understanding of how Büchi automata work and how they are related to linear temporal logics. It may also be used, as we shall explain below, to construct correct and smaller specification automata, supplementing model checkers that adopt the automata-theoretic approach, such as SPIN [5]. The automata-theoretic approach [11, 1] to linear temporal logic model checking works as follows. Suppose A is the Büchi automaton modeling the system and B the Büchi automaton specifying a desired property. The problem of model checking translates into that of testing language containment L(A) ⊆ L(B), which is equivalent to L(A)∩L(B) = ∅. As Büchi automata are closed under complementation and intersection, this reduces to testing if L(A×B) = ∅, namely the emptiness problem of Büchi automata. Because of the difficulty and high complexity in complementing a Büchi automaton, in practice, an automata-theoretic model checker typically assumes that the specification is given as a propositional linear temporal logic (PTL) formula. The model checker first negates a specification formula φ and then translates it into an automaton B¬φ that represents all behaviors disallowed by φ, i.e., L(B¬φ) = L(Bφ) (where Bφ is a Büchi automaton equivalent to formula φ). Checking if L(A)∩L(Bφ) = L(A×Bφ) = ∅ is therefore the same as checking if L(A×B¬φ) = ∅, where one only needs to construct the intersection (product) of A and B¬φ, and complementation is avoided. Assuming that the specification is given as a PTL formula has two disadvantages. First, it limits the type of properties that can be specified and checked. An ideal automata-theoretic model checker would support some extension of PTL such as QPTL that is expressively equivalent to Büchi automata. The SPIN model checker offers the user instead the possibility of directly defining B¬φ in Promela. However, it provides no assist for the user to check the “correctness” of the defined automaton, i.e., if the automaton describes what is intended. Büchi automata are in general harder to get right than temporal formulae. Second, the machine-translated automaton B¬φ may be larger than an optimal and equivalent one. Many algorithms exist for translating a PTL formula into an equivalent Büchi automaton, e.g., [3, 4], but none of them guarantee optimality. As the emptiness checking of A × B¬φ requires time proportional to the size of the system automaton A and to that of the specification automaton B¬φ, a larger B¬φ would mean a longer verification time. To reduce verification time, it may be worthwhile to construct a smaller B¬φ manually. But again, a way for checking the correctness of a user-defined B¬φ is needed. This is one typical situation where the GOAL tool can be useful. First of all, GOAL is graphical, making a user-defined automaton easier for human inspection. More importantly, the correctness of a user-defined specification automaton can be checked against an easier-to-understand QPTL formula, by translating the specification formula into an equivalent automaton and testing the equivalence between the user-defined and the machine-translated automata. QPTL is expressively equivalent to Büchi automata [9]. GOAL also supports past temporal operators which make some specifications easier to write. In addition, GOAL provides