SPIN. An explicit state model checker. Properties. Safety properties Something bad never happens Properties of states Liveness properties Something good eventually happens Properties of paths. Reachability is sufficient. We need something more complex to check liveness properties.
An explicit state model checker
Reachability is sufficient
We need something more complex to check liveness properties
where f is a path formula which does not contain any quantifiers
AGFp in CTL*
AG AF p in CTL
AG(pFq) in CTL*
AG(p AFq) in CTL
( p )
A((GF p) ) in CTL*
Can’t express it in CTL
where P is the set of propositions.