A CEGARlike Approach for Cost LTL Bounds
Abstract
Qualitative formal verification, that seeks boolean answers about the behavior of a system, is often insufficient for practical purposes. Observing quantitative information is of interest, e.g. for the proper calibration of a battery or a realtime scheduler. Historically, the focus has been on quantities in a continuous domain, but recent years showed a renewed interest for discrete quantitative domains.
Cost Linear Temporal Logic (CLTL) is a quantitative extension of classical LTL. It integrates into a nice theory developed in the past few years that extends the qualitative setting, with counterparts in terms of logics, automata and algebraic structure. We propose a practical usage of this logics for modelchecking purposes. A CLTL formula defines a function from infinite words to integers. Finding the bounds of such a function over a given set of words can be seen as an extension of LTL universal and existential modelchecking. We propose a CEGARlike algorithm to find these bounds by relying on classical LTL modelchecking, and use Büchi automata with counters to implement it. This method constitutes a first step towards the practical use of such a discrete quantitative logic.
1 Introduction
Qualitative verification, asking questions with boolean answers about a system may be too strict for various applications. Calibrating a battery, timing a scheduler, measuring quality of service are practical problems of systems designers for which formal verification can offer a guarantee. Many works focus on the case of continuous quantitative domains (stochastic systems, realtime systems …), and the case of discrete domains have long been overlooked.
The ability to count events is an important feature, e.g. to evaluate logical time (number of actions done by a robot, number of context switches done by a scheduler …). Such measurements are of primary interest to evaluate the behavior of a system at early stages of development. Logical time can also serve as a first approximation of realtime, when events have a known bounded duration. We seek in this paper to use a logic able to count events in a system with infinite behaviors, with a focus on applicability. Following the automataapproach largely adopted for Linear Temporal Logic (LTL) verification, we study a quantitative extension of automata able to count events.
Among numerous quantitative extensions to finite automata, we focus on the one defined by Colcombet and Bojańczyk [5]. Finite automata are extended with a finite set of counters that can be incremented and reset. A special operation observe allows to store the current value of a counter to further determine the value of a run, as the infimum or the supremum of such stored values. They are part of a vast theory that nicely extends the finite automata theory, with their logical and algebraic counterparts, closure properties, over finite and infinite words and finite trees. Such automata define functions from words to integers, termed cost functions. Due to the undecidability of comparing two cost functions, many nice features of this theory rely on the consideration of cost functions up to an equivalence relation that âerasesâ the exact values and only retains their boundedness of functions.
Regarding infinite words, on which we focus in this paper, the theory of cost functions has links with other extensions of automata or logics, by bounding a discrete quantity: bounding the maximal time between two returns to an accepting state in automata [2], or bounding the wait time for the finally operator in LTL [17]. Considering exact values to count events is nevertheless a great tool for verification. Think for example to the maximal number of energy units consumed by a robot between two returns to its charging base, to calibrate a battery. Or the maximal number of simultaneous threads in a parallel computation, to tune an appropriate scheduler. Or the number of false steps permitted to a human operator before a safeguard restriction occurs. For such properties, determining whether the bound is finite or not is of little help. We thus propose to use the tools and methods developed towards cost function theory (over infinite words) to practical modelchecking.
We use a counting extension of LTL, Cost LTL, introduced in [16] in the context of the theory of cost functions. Our contribution is threefold:

Cost LTL being an extension of LTL, we show how classical modelchecking problems on LTL extend to the quantitative case. We thus address the problem of finding the bounds of the cost function defined by a formula, with a focus on the upper bound search. We propose an algorithm to compute such an upper bound using a CEGARlike approach, where the bound is computed thanks to successive refinements.

We show how this algorithm is effective, implementing it by means of automata with counters. The computational bottleneck of the algorithm is reduced to Büchi automata emptiness check, to take advantage of existing research in the field.

We also present concrete examples of application of Cost LTL, to illustrate its potential as a practical tool for verification.
The paper is organized as follows: Section 2 first presents Cost LTL, introduced in [16], and some basic results used in the remainder of the paper. The core of our contribution is a CEGARlike algorithm to determine the bounds of a cost function defined by a CLTL property, in Section 3. We then show in Section 4 how this algorithm can be effectively implemented thanks to automata equipped with counters. Finally, Section 6 presents related work, and Section 7 concludes our study and proposes leads for future developments.
Notations
Given an infinite word over an alphabet , and , is the th letter of , and the suffix of starting at . Thus and for any . If is a finite set, denotes its cardinal. For , (resp. ) denotes the infimum (resp. supremum) of . By convention, and . Let a for some set . For , the image of by is the set . We also note , respectively .
2 Cost Linear Temporal Logics
We first define Cost Linear Temporal Logic (LTL), as in [16]. Let be a set of atomic propositions. The set of LTL formulae is defined by ( ranges over ):
Every LTL formula has a semantically equivalent formula in Negative Normal Form (NNF), where negations can only appear in front of an atomic proposition. Any LTL formula in NNF is a LTL formula, and in that sense, LTL is a strict subset of LTL. From now on, we identify LTL with LTL in NNF, so that and .
A formula of LTL is evaluated over infinite words on the alphabet . Let , , , be LTL formulae, and :
The semantics of is the function
To keep examples clear, we identify any atomic proposition with the subset of of sets containing , being its complementary. Consider the formula , short for . For any and any word , , and . Consider now the formula , short for . For and , only if the distance between a letter in and the next one also in never exceeds . Thus is the maximal number of consecutive ’s in .
If is a LTL formula, either holds for every , in which case , or for none, in which case . The former is noted , and matches the usual semantics of LTL. In other words, the value true is mapped onto and false onto .
From the semantical definition, for any integers , if then too. Stating is thus equivalent to stating .
For , we propose a translation from a LTL formula to a LTL formula that separates words according to their value relatively to . More precisely, if, and only if, . is defined inductively as follows ( and ):

and ;


for ;

for ,
and ; 
otherwise .
Back to our example , we have , hence , equivalent to . Thus, for every .
Property 1.
For , and , iff .
Proof.
Structural induction on , detailed in appendix. ∎
2.1 Dual Logics
In LTL, negations can only appear in the leaves of the formula, so that a formula is always in NNF. This particularity is commanded by the semantical difficulty to negate the operator . In a boolean setting, a word is either a model of the formula, or it is not. In our quantitative setting, negation is not straightforward, as it is not a natural operation over . We take inspiration from the embedment of LTL in LTL: true corresponds to and false to . Semantically, the negation thus replaces with . We define the logic LTL [15], dual to LTL. The operator is replaced by whose semantics is defined so as to match the negation of semantics: iff for every , either or . All other operators keep their natural semantics. The semantics of is a function
For any , if then , so that iff .
Note that LTL is also embedded in LTL, with a semantics dual to the case of LTL: true is mapped onto and false onto . Syntactically, , but the semantics do not match. Note that in both cases (LTL and LTL), either is a model for for every , or for none. From now on, we note for the former case, to be matched with the appropriate semantics depending on context.
Syntactically, we get dual pairs of operators: and , and , and , being selfdual. From a formula (resp. LTL), we can build a formula (resp. LTL), by pushing the negation to the leaves: the top operator is replaced by its dual, and the negation is recursively pushed to the leaves of its operands. Literals respect the excluded middle, which is semantically consistent, so as to eliminate double negations. Syntactically, the excluded middle also holds, as pushing negations to the leaves in yields . Observe how the semantics of and are correlated:
Property 2.
For and , .
Proof.
An easy induction on proves that iff (observe how the semantics of dual operators are dual to each other). We recall that for any . Thus if, and only if, . Furthermore, if , then by convention. ∎
Property 3.
For any and ,
Proof.
Recall from above that if, and only if, . If , then if, and only if, . If , is either or . We get in the former case, and in the latter. ∎
Following the above, we define, for and , as .
Property 4.
For , and , iff .
Proof.
iff iff iff iff . ∎
2.2 Cost Logics for Verification
A common task in verification is whether a system has a behavior satisfying a given property. The property either expresses a desired behavior, or an unwanted one (in which case finding a satisfying behavior amounts to finding a bug). Typically, the behaviors of the system is a regular language , and the property is a LTL property. Thanks to the closure properties of regular languages, this problem reduces to existential modelchecking: is the intersection of and the language recognized by empty? Universal modelchecking asks whether a language contains all words, and is dual to existential modelchecking, since iff . As both LTL and LTL extend LTL, the natural question we address is the extension of these two problems to the quantitative setting.
We first rephrase the LTL existential and universal modelchecking with the LTL semantics: existential modelchecking asks whether there is a word of value . Dually, universal modelchecking asks whether all words have value . Existence of a word of value equal to, greater than, or less than a given are natural extensions of this question. These questions hardly extend the boolean framework: by comparing word values against a given , they remain boolean questions. We seek here a question with a quantitative answer (in our case in the domain ). Two particular values of interest are the bounds of .
Definition 5.
bound checking: given and , compute .
Definition 6.
bound checking:given and , compute .
The duality of LTL and LTL allows to choose from or , as LTL seems more appropriate for bound checking. All the problems mentioned above are reducible to these two problems. In LTL semantics, existential LTL modelchecking boils down to bound checking, while its universal counterpart corresponds to bound checking.
3 CLTL Bounds Checking
This section presents our main contribution, an algorithm to compute bounds for LTL and LTL formulae.It is inspired by the CounterExamples Guided Abstraction and Refinement (CEGAR) approach to qualitative modelchecking, which we present first.
3.1 The CEGAR Approach to qualitative modelchecking
Consider a regular language (the set of behaviors of a system) and a LTL formula . We ask whether all words of are models of . It boils down to existential modelchecking: is there a model of in ? The language of , is in deed regular, the intersection of and computable, and testing the emptiness of a regular language is decidable. These steps are usually performed with automata to represent the regular languages.
But this approach becomes hardly tractable when the underlying automata are huge, as it is often the case when the input language is the set of behaviors of a concurrent system. We present the socalled CEGAR (CounterExample Guided Abstraction and Refinement) loop. A language larger (for the inclusion) than is called an abstraction, being a refinement of . CEGAR loop assumes the existence of a refinement function that given a word and a regular abstraction of , returns a regular refinement of that does not contain , and that is also an abstraction of : .
The CEGAR loop proceeds as follows: i) start from an abstraction of ; ii) search in a model for ; iii) if there is no such in , there is none in either, and the question is settled; iv) otherwise, check whether ; v) if , then the question is settled; vi) else start over with . In practice, the automaton for is huge, and CEGAR avoids its full exploration by manipulating abstractions, that have smaller underlying automata. Since a counterexample guides the refinement, the same spurious counterexample cannot be encountered twice. In general, termination depends on the refinement function , but practically, termination is easy to ensure, for example by falling back to the initial input (worstcase scenario) when the size of exceeds the size of .
3.2 CEGAR Approach for Bounds Checking
We adapt the CEGAR approach to solve bound checking for a LTL formula over a regular language . The dual bound checking follows the same scheme.
We first have to define the notion of abstractions and refinements, thanks to an ordering over semantic functions: smaller elements are refinements and greater ones are abstractions.
Definition 7.
For , iff and .
In other words, refines (relatively to ) if they have the same supremum over and maps more words (for the inclusion) onto than . The CEGAR loop for our quantitative setting is shown in Algorithm 1.
We present the algorithm in its full generality. Line 1 leaves some room for various implementations, as we will see in Section 4.2.
The key of this algorithm is the search for a word such that for a LTL formula (line 1). Note that if , then for all , iff there is some such that . Considering the semantics of LTL, this is equivalent to finding a word satisfying the LTL formula , a copy of in which every occurrence of is replaced by (where for any ). Therefore, the search for the upper bound of is reduced to LTL emptiness check, a wellstudied problem with numerous efficient solutions (see [23, 22] for surveys). The corner case can be detected at the second pass in the loop (see the proof of Proposition 9).
Property 8.
At line 1, for all ,
Proof.
Proposition 8 proves that , and that at each pass in the loop, is refined with respect to .
Property 9.
If is finite, ComputeBound is both correct and sound, i.e. it terminates and returns .
Proof.
At line 1, is updated with a value such that for some such that . Proposition 8 guarantees the existence of such a , and strictly increases when updated. is obviously bounded by , which proves termination. Moreover, as long as , there are still words such that , i.e. . If the search for such words on line 1 is correct and sound, so is ComputeBound. ∎
3.3 Performance of the algorithm
Essentially, ComputeBound enumerates candidate values for in increasing order until a fixpoint is reached. The next candidate is determined on line 1: the larger , the quicker the algorithm converges. The choice left for allows flexibility: the exact value of is most certainly harder to find than an appropriate value . This line brings a tuning parameter for implementations: the higher the , the faster the convergence, but probably the higher the computation cost. Implementations should therefore find an appropriate balance between the cost of computing , and the number of loops in ComputeBound.
To a lesser extent, line 1 brings another tuning parameter for implementations. (resp. ) in this line can be safely replaced by (resp. ), without affecting the outcome of the algorithm. Nevertheless, using the variant yields simpler formulae.
4 Counter Automata
This section presents Counter Automata (CA), as introduced by [5] under the names automata and automata. We also show how to translate LTL formulae to CA, based on ideas used for the case of finite words [15]. We adapt it to infinite words in Section 4.1, and then show the implementation of our ComputeBound algorithm with CA in Section 4.2.
Informally, a CA is a automaton equipped with a finite set of nonnegative integer counters , initialized with value . The values of these counters are controlled by actions: that increments a counter; that resets a counter to ; that observes, or stores, the current value of the counter. The set of counter actions is denoted by . Values of the counters do not affect the behavior of the automaton, but are used to assign a value to a word. Only observed values are used to determine word values. In addition to a letter , a CA transition is labelled with (words of) actions, one for each counter.
Definition 10.
A counter automaton is a tuple where:

is a finite set of states, and is the initial state;

is a finite alphabet;

is a finite set of counters;

is the transition relation;

is a set of sets of accepting transitions.
An infinite word is accepted by a Counter Automaton if there exists an execution of on that visits infinitely often every set in .
For , Definition 10 defines a automaton. Along a run , counters are incremented and reset according to the encountered actions, and the set of checked values is noted .
There are two dual semantics for CA:
Figure 1 gives an example of a deterministic CA with the semantics. Only words in have accepting runs. Thus for . If , is the smallest size of a block of consecutive ’s in .
4.1 From CLTL to Counter Automata
For every LTL (resp. LTL) formula , there exists a CA with the semantics (resp. semantics) with the same semantics: (resp. ). This construction is effective, and does not differ much from the translation from LTL formulae to Büchi automata (see for instance [8]). The key difference is the introduction of a counter for each occurrence of the operator (resp. ) in the formula to translate. The translation is described in [15] for the case of finite words, and is easily extended to infinite words.
We state here this extension, for the sake of completeness. In [15], the produced CA transitions bear sequences of counter actions (e.g. a counter can be incremented by three in a single transition). We show that it is always possible to produce a CA whose transitions are labelled with atomic actions, i.e. at most one action (, or ) per counter. This possibility seems to have been overlooked in previous work. This remark may stem from the care taken in our translation to retain exact values. We also note that there is a slight difference of semantics for LTL with respect to [15], which is the main cause of the differences between our algorithm and previous ones. We will also discuss optimizations of the translation.
We label , …, the occurrences of the operator in . Each occurrence is associated a counter, so that . We note the set of subformulae of .
A state of is a set of LTL formulae, yet to be verified. A formula is reduced if it is either a literal or its outermost operator is . A set of formulae is reduced if it contains only reduced formulae, and consistent if it does not contain both a formula and its negation. Given a reduced and consistent set , we note and the set of letters (in ) compatible with the literals in . cannot be empty if is consistent. From a reduced state , reading a letter of leads to the state .
Nonreduced states are reduced stepbystep using transitions, summarized in Table 1, that preserve the state semantics. Operators , , and follow the classical translation from LTL to automata. To reduce , three transitions are possible:

the first one checks and resets the counter , requiring both and to be verified;

the second one counts one occurrence of , requiring all , and to be verified;

the third one does nothing on the counter , and requires both and to be verified.
These three transitions implement in fact the semantics of the operator .
An until formula requires to be true at some point. Transitions subscripted with the label indicate that in has been postponed. Each until subformula in yields one acceptance condition: any transition going through a label is not accepting for the condition . Once the automata with transitions is built, the actual (smaller) automaton is built by collapsing transitions (counter actions are concatenated).
Let us illustrate the described translation with an example: .We turn into an equivalent LTL formula , which we translate to a CA with semantics. Figure 2 depicts the transitions obtained while reducing .
The reduction yields three reduced sets. The (not reduced) set is not shown and is directly reduced to . The three reduced sets being also consistent, we are ready to find the real successors of , i.e. the sets where is one of the three obtained reduced sets. First, falls back to the initial state , which will result in a loop in the final automaton. Note that this will be the only nonaccepting transition. is the set , and is . As this last state is not reduced, the reduction process goes on, yielding and . and , states that have already been discovered and reduced. Finally, we collapse the transitions to get the final automaton shown in Figure 3.
Several transitions of the automaton of Figure (a)a are unnecessary. Indeed, according to the semantics, only paths with the higher value are relevant, those with a lower value can safely be removed. This allows to reduce nondeterminism in the automaton, as shown on the automaton of Figure (b)b which has the same semantics as the one of Figure (a)a.
If done appropriately, the actions in the produced automaton can be limited to atomic ones. The proof of Proposition 11 is detailed in appendix.
Property 11.
If the largest (for the subformula ordering) formula in is picked first when reducing , then at most one action per counter occurs along any chain of transitions.
4.2 CEGARloop Implementation
We detail the implementation of ComputeBound using CA, specifically lines 1 and 1. The strength of our algorithm is to boil the problem down to automata emptiness checks, a wellstudied problem, with numerous variants and solutions [23, 22]. This section makes no further assumptions on the variant of automata or the translation algorithm used, so that the final user can use the fittest ones. Many translations of LTL (and by extension CLTL translation derived from them) to automata produce generalized transitionbased automata.
The input language is assumed to be regular and given as an automaton. As explained above, we build from a CA such that . Line 1 looks for a word such that . The constraint is enforce by searching such that , where is the synchronized product of and (the automaton of) . This product, itself a CA, rules out words not in , so that iff .
Proposition 8 shows that iff there is no such that . Given the requirements on , iff has no accepting run on . Thus, the set of such ’s is exactly the language recognized by , viewed as a automaton by ignoring the counters. Finding such a word thus amounts to an emptiness check of the said automaton.
A nonempty regular language contains an ultimately periodic word, and so can be chosen , ensuring a finite representation. In practice, emptinesscheck algorithms that compute a counterexample always produce such ultimately periodic words.
Line 1 then asks for a value between and to update . We claim that any accepting run on in the product automaton provides such a value . On the one hand such a is an accepting run in , and its value is therefore not larger that . On the other hand, is also an accepting run in . The whole point of synchronizing with is to rule out runs of value strictly less than . Indeed, in , the value is hardcoded thanks to nested operators. Every time a counter is incremented, a nested is passed, and accepts a run only if counters are checked with values strictly larger than . Therefore, replaying in yields a between and . The great advantage of this operation is that only one run over needs to be considered, and the computation of is therefore straightforward.
We recall that higher speed the convergence of ComputeBound, by reducing the number of loops. But higher would require to explore several runs of and to retain the highest found value. We see more precisely here the tradeoff between the number of loops in ComputeBound and the computation of on line 1.
To conclude, we show how ComputeBound can be extended to also detect the unbounded case, thus providing a complete algorithm. To this end, we recall that unboundedness of a automaton is decidable, as shown in [15].
Property 12.
[15] is unbounded if and only if has an accepting run in which every action () is preceded by a cycle that increments without resetting .
The proof of Proposition 12 is not difficult: the existence of such a cycle guarantees the ability to build runs with arbitrarily high values. Conversely, if no such run exists, then every accepting run has its value bounded by .
As a corollary of Proposition 12, is unbounded if and only if has an accepting run of value greater than its number of states. ComputeBound can thus be adapted so as to detect unboundedness too: compute a bound on the size of the product (such as ). The sought bound is finite iff ever exceeds .
5 An example of Application
Through a concrete example, this section illustrates the expressive capabilities of LTL and LTL and the kind of problems our bound evaluation algorithm may solve.
5.1 Ant Colony Optimization
Ant Colony Optimization[9] (ACO) is a bioinspired metaheuristic relying on the cooperative behavior of small simple agents to solve optimization problems. A collection of artificial ants endlessly walk a graph randomly, from some initial node (their nest), to one or several target nodes (the sources of food), and come back to the nest. Whenever an ant moves from one node to another, it deposits a certain amount of pheromone. The quantity of pheromone left on an edge increases the likelihood that an ant chooses to cross it. Besides, the quantity of pheromone decreases according to an evaporation rate. Unless the evaporation rate is too high, ants will eventually converge to the shortest paths from their nest to the food sources, because shorter paths will be rewarded with new pheromone more frequently.
ACO has been successfully used in numerous applications, such as data mining [21], image processing [20]. ACO is resilient to modifications of the graph and it usually responds very quickly to such changes because its current state is likely to contain useful information on the closest new solutions. Finally, ACO is rather simple to implement on huge distributed setups, as agents do not communicate directly with each others.
5.2 Quantitative Properties
Let us consider an ACO that searches the shortest path between two nodes in a directed graph. The most classic quantitative information is the time (number of steps) taken to find a solution, be it local or global. Topological parameters may also be measured, such as the maximum length of solutions or the number of nodes visited before a solution is found. Other quantities relate to the algorithm parameters, such as the maximum amount of pheromones on an edge. Such information is critical to tune algorithm parameters, that ultimately dictate how fast it converges to a solution[12]. With a fixed topology, some of these properties are not difficult to compute. For instance, the minimum number of visited nodes is the length of the shortest path, computable in polynomial time. Other properties are harder to compute, such as the maximum length of solutions. When the topology dynamically changes, analytical search for exact optima values is cumbersome, if even possible.
To address these questions, modelchecking becomes an option, by checking all possible behaviors of the system. A common approach instruments the model to monitor the quantitative properties at stake. It introduces a strong semantical risk, because instrumentation may be impacted by any modification to the model, and must thus be kept uptodate. We propose to move the instrumentation into the logics, to keep a proper separation between the actual behavior (the model) and the desired behavior (the logical property).
Let be a directed graph where is a finite set of vertices and is the set of edges. An ant is a pair where is a node, is a direction (looking for a food source, and coming back to the nest). denotes the set of ants.
The time an ant takes to find a solution is given by where is the nest node. The worstcase over possible behaviors in is thus and the bestcase . Similarly, the time taken by the whole system to find a solution is obtained by the conjunction over all ants of the previous: .
It is easy to count events like the number of visits of an ant to a node with . Occurrences of a position where a LTL formula holds are counted by . Consider the deposit (resp. removal) of a pheromone on edge , denoted by action (resp. ). The formula holds in states where will receive more pheromone before the next removal, i.e. when an ant crosses an edge whose pheromones have not yet evaporated. The (integer) amount of pheromone on a given edge is obtained by .
6 Related work
A famous problem in language theory is the starheight problem: given a language (of finite words) and an integer , is there a regular expression for with at most nested Kleene stars? Proposed in 1963 [11], it was proven decidable in 1988 [13] by exhibiting an algorithm with nonelementary complexity, and a much more efficient algorithm was then proposed in 2005 [14]. Both algorithms translate the problem to the existence of a bound for a function mapping words to integers, represented in both cases by an automaton equipped with counters (distance automata for the former, nested distance desert automata for the latter). This boundedness problem of the existence of a bound is then shown decidable. It is the first of many problems that reduce to the boundedness problem for such automata.
This motivated an indepth study of automata with counters (as we use it) as a general framework, that came up with a theory extending the one of regular languages, with logical and algebraic counterparts [6]. On infinite words, the logical counterpart motivated the introduction and study of LTL and LTL [16]. This theory also encompasses promptness properties, a variant of liveness where a bound on the wait time of a recurring event must exist [17, 2]. But all these works, motivated by the boundedness problem, overlook the exact values of the functions. On one hand, this relaxation enables nice closure properties (such as the equivalent expressiveness for automata and automata). On the other hand, it only allows to reason about the existence of a bound, not to compute values.
In verification, not all questions have a boolean answer, so that various quantitative extensions of automata have been considered, such as weighted automata (see [10] for a survey). Despite their various domains of application, they have limited expressivity, as the domain of weights is required to be a semiring. An extension to arbitrary operations on weights have been recently proposed [3]. It encompasses various extensions of weighted automata, such as Discounted Sum Automata [7] and Counter Automata as considered in this paper. All these formalisms can be characterized by the absence of guards on register values. These extensions sometimes have equivalent logics (such as discounted linear temporal logics [1]). From the logical point of view, let us also mention that other temporal logics able to count events were previously proposed [19].
Most of the cited works only focus on expressivity, decidability and complexity problems, with little consideration to the practical use of such quantitative extensions of automata. It contrasts with older formalisms: automata have already received great focus towards practical applications, illustrated by numerous emptiness checks algorithms (see [22] for an overview) and many implementations, principally oriented towards LTL modelchecking (see [23] for a survey). Some quantitative extensions of automata possess a similar maturity towards practical applications, especially timed automata [4] and weighted automata [18].
7 Conclusion
In this paper we proposed to use LTL and LTL for practical verification of quantitative properties. One key advantage of these logics is to clearly separate functional properties of the system and quantitative properties, expressed in the logic used for verification. The functional model can still be used for other tasks like production of code and test generation. Along with examples of properties to be expressed with these logics, we also exhibit a CEGARlike algorithm to compute bounds for such formulae, based on successive refinements. We further proposed an implementation of this algorithm using automata equipped with counters, extending the automata approach used for LTL modelchecking.
This is a first step towards practical applications of such logics which seems very promising if adequate algorithms and tools are available. The next step is to implement our algorithm in a proofofconcept tool. The logics we used are just a drop in a vast ocean of quantitative extensions for LTL. Further research should focus on fitting our algorithm in a more general framework so as to capture several such LTL extensions. Another axis would be the improvement of the performance of validation algorithms: such as improving the translation to automata to produce smaller and/or more deterministic automata and tweak emptiness checks to limit the number of refinement iterations.
References
 [1] S. Almagor, U. Boker, and O. Kupferman. Discounting in LTL. In E. Ábrahám and K. Havelund, editors, Tools and Algorithms for the Construction and Analysis of Systems, volume 8413 of LNCS, pages 424–439. Springer Berlin Heidelberg, 2014.
 [2] S. Almagor, Y. Hirshfeld, and O. Kupferman. Promptness in regular automata. In Proc. 8th International Symposium on Automated Technology for Verification and Analysis (ATVA’10), volume 6252 of LNCS, pages 22–36. Springer, 2010.
 [3] R. Alur, L. Dantoni, J. Deshmukh, M. Raghothaman, and Y. Yuan. Regular Functions and Cost Register Automata. In Logic in Computer Science (LICS), 2013 28th Annual IEEE/ACM Symposium on, pages 13–22. IEEE, 2013.
 [4] G. Behrmann, A. David, K. Larsen, J. Hakansson, P. Petterson, W. Yi, and M. Hendriks. Uppaal 4.0. In Proc. 3rd International Conference on the Quantitative Evaluation of Systems, QEST ’06, pages 125–126, Washington, DC, USA, 2006. IEEE Computer Society.
 [5] M. Bojańczyk and T. Colcombet. Bounds in regularity. In Proc. 21st Annual IEEE Symposium on Logic in Computer Science, LICS ’06, pages 285–296, Washington, DC, USA, 2006. IEEE Computer Society.
 [6] T. Colcombet. The theory of stabilisation monoids and regular cost functions. In Automata, languages and programming, pages 139–150. Springer, 2009.
 [7] L. de Alfaro, T. Henzinger, and R. Majumdar. Discounting the Future in Systems Theory. In JosC.M. Baeten, J. Lenstra, J. Parrow, and G.. Woeginger, editors, Automata, Languages and Programming, volume 2719 of Lecture Notes in Computer Science, pages 1022–1037. Springer Berlin Heidelberg, 2003.
 [8] S. Demri and P. Gastin. Specification and verification using temporal logics. In D. D’Souza and P. Shankar, editors, Modern applications of automata theory, volume 2 of IISc Research Monographs, chapter 15, pages 457–494. World Scientific, July 2012.
 [9] M. Dorigo and L. Gambardella. Ant colony system: A cooperative learning approach to the traveling salesman problem. IEEE Transactions on Evolutionary Computation, 1997.
 [10] M. Droste and P. Gastin. Weighted Automata and Weighted Logics. Theoretical Computer Science, 380(1):69–86, 2007.
 [11] L. C. Eggan. Transition graphs and the starheight of regular events. Michigan Math. J., 10(4):385–397, 12 1963.
 [12] D. Gaertner and K. Clark. On optimal parameters for ant colony optimization algorithms. In Proc. International Conference on Artificial Intelligence 2005, pages 83–89. CSREA Press, 2005.
 [13] K. Hashiguchi. Algorithms for determining relative star height and star height. Information and Computation, 78(2):124 – 169, 1988.
 [14] D. Kirsten. Distance desert automata and the star height problem. RAIROTheoretical Informatics and Applications, 39(03):455–509, 2005.
 [15] D. Kuperberg. Linear temporal logic for regular cost functions. Logical Methods in Computer Science, 10(1), 2014.
 [16] D. Kuperberg and M. Vanden Boom. On the expressive power of cost logics over infinite words. In Automata, Languages, and Programming, pages 287–298. Springer, 2012.
 [17] O. Kupferman, N. Piterman, and M. Vardi. From liveness to promptness. In Computer Aided Verification, pages 406–419. Springer, 2007.
 [18] M. Kwiatkowska, G. Norman, and D. Parker. PRISM 4.0: Verification of Probabilistic Realtime Systems. In G. Gopalakrishnan and S. Qadeer, editors, Proc. 23rd International Conference on Computer Aided Verification (CAV’11), volume 6806 of LNCS, pages 585–591. Springer, 2011.
 [19] F. Laroussinie, A. Meyer, and E. Petonnet. Counting LTL. In Proc. 2010 17th International Symposium on Temporal Representation and Reasoning, TIME ’10, pages 51–58, Washington, DC, USA, 2010. IEEE Computer Society.
 [20] H. Nezamabadipour, S. Saryazdi, and E. Rashedi. Edge detection using ant algorithms. Soft Computing, 10(7):623–628, 2006.
 [21] R.. Parpinelli, H. Lopes, and A. Freitas. Data mining with an ant colony optimization algorithm. IEEE Transactions on Evolutionary Computation, 6:321–332, 2002.
 [22] E. Renault, A. DuretLutz, F. Kordon, and D. Poitrenaud. Three SCCbased Emptiness Checks for Generalized Büchi Automata. In K. McMillan, A. Middeldorp, and A. Voronkov, editors, Proc. 19th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR’13), volume 8312 of LNCS, pages 668–682. Springer, 2013.
 [23] K. Rozier and M. Vardi. LTL Satisfiability Checking. International journal on software tools for technology transfer, 12(2):123–137, 2010.
Appendix A Proof of Property 1
Proof.
The proof proceeds by structural induction on .
Note that for any if , therefore the property holds on the LTL fragment (and in particular on literals).
We recall that iff .
Let us assume that the property holds for LTL formulae and .
Let .
iff .
The induction hypothesis allows to replace every occurrence of in the usual LTL semantics of by .
This gives the LTL semantics of , thus proving that if , then .
The converse reasoning (from LTL to LTL semantics) proves the converse implication.
The same argument is applied to the case .
Now consider . In the general case, . Suppose we have a proof for this case when and are LTL formulae. The induction hypothesis allows to replace any occurrence of and in such a proof by and , using the same argument as presented above. Thus, it suffices to prove the property when and are LTL formulae to conclude the proof.
Assume and are LTL formulae.
We now proceed by induction on .
If , then .
if, and only if, for some index , and for every .
In other words, if, and only if, for some index , and .
Thus, if, and only, if .
If the property holds at , then .
If