Model Checking Algorithms

Bow-Yaw Wang

Institute of Information ScienceAcademia Sinica, Taiwan

November 16, 2021

Bow-Yaw Wang (Academia Sinica) Model Checking Algorithms November 16, 2021 1 / 56

Outline

1 Model-checking algorithmsThe CTL model-checking algorithmCTL model checking with fairnessThe LTL model-checking algorithm

2 The fixed-point characterisation of CTL

The Model Checking Problem

Let M = (S ,→,L) be a model, s ∈ S a state, and φ a temporal logicformula.

The model checking problem is to decide whether M, s ⊧ φ holds.

We will discuss two model checking algorithms: one for LTL, theother for CTL.

These algorithms help us understand basic principles of variousverification tools (such as NuSMV).

▸ NuSMV does not implement the algorithms we discuss here.▸ Yet the basic ideas are not very different.

Outline

The CTL Model Checking Algorithm I

Let us first consider deciding whether M, s0 ⊧ φ where M is a finitetransition system and φ a CTL formula.

▸ That is, M = (S ,→,L) with S a finite set of states.▸ There are algorithms that solve the model checking problem for certain

infinite transition systems.

Our algorithm in fact computes all states that satisfy the top CTLformula.

▸ That is, it computes the set {s ∈ S ∶M, s ⊧ φ}.

After computing all states satisfying the given CTL formula, themodel checking problem is solved easily.

▸ We simply check if s0 ∈ {s ∈ S ∶M, s ⊧ φ}.

The CTL Model Checking Algorithm II

In our algorithm, we only consider temporal connectives{EX,AF,EU}.

▸ {EX,AF,EU} is adequate.

For each state, we label it with subformulae of the given CTLformula.

▸ A state satisfies all subformulae in its label.

Start from smallest subformulae; the algorithm works on eachsubformula until the given CTL formula.

The CTL Model Checking Algorithm III

Input: M = (S ,→,L) : a mode; φ : a CTL formulaOutput: {s ∈ S ∶M, s ⊧ φ}foreach subformula ψ of φ do

switch ψ docase �: do continue;case p: do label all s with p if p ∈ L(s);case ψ1 ∧ ψ2: do label all s with ψ if it is labeled with ψ1, ψ2 ;

case ¬ψ1: do label all s with ψ if it is not labeled with ψ1 ;case EXψ1: do label all s with ψ if one of its successors is

labeled with ψ1 ;case AFψ1: do label all s with ψ if it is labeled with ψ1, or all

successors of s are labeled with ψ until no change ;case E[ψ1 U ψ2]: do label all s with ψ if it is labeled with ψ2,

or s is labeled with ψ1 and one of its successors is labeled withψ until no change ;

The CTL Model Checking Algorithm IV

Let ∣φ∣ be the number of connectives in φ.

Let M = (S ,→,L) be a transition system.

The complexity of the algorithm is O(∣φ∣ ⋅ ∣S ∣ ⋅ (∣S ∣ + ∣→ ∣)).▸ There are O(∣φ∣) subformulae.▸ For AFψ1 and E[ψ1 U ψ2], each iteration takes O(∣S ∣ + ∣→ ∣) steps;

there are at most O(∣S ∣) iterations.

We now present the pseudo algorithm SAT(M, φ).

SAT(M, φ)

switch φ docase ⊺: do return S ;case �: do return ∅ ;case p: do return {s ∈ S ∶ φ ∈ L(s)} ;case ¬φ1: do return S ∖ SAT(M, φ1) ;case φ1 ∧ φ2: do return SAT(M, φ1) ∩ SAT(M, φ2) ;case EXφ1: do return SATEX(M, φ1) ;case E[φ1 U φ2]: do return SATEU(M, φ1, φ2) ;case AFφ1: do return SATAF(M, φ1) ;

pre∃(M,Y ) and pre

∀(M,Y )

In order to give the pseudo algorithm for SATEX(M, φ),SATEU(M, φ,ψ), and SATAF(M, φ), we need two functions:

pre∃(M,Y )

= {s ∈ S ∶ there exists s ′(s → s ′ and s ′ ∈ Y )}

pre∀(M,Y )

= {s ∈ S ∶ for all s ′(s → s ′ implies s ′ ∈ Y )}

pre∃(M,Y ) consists of states whose successors intersect Y is not

empty.

pre∀(M,Y ) consists of states whose successors are contained in Y .

Observe that

pre∀(M,Y ) = S ∖ pre

∃(M,S ∖Y )

SATEX(M, φ)

X ← SAT(M, φ);Y ← pre

∃(M,X );

return Y ;

SATAF(M, φ)

Y ← SAT(M, φ);repeat

X ← Y ;Y ← Y ∪ pre

∀(M,Y );

until X = Y ;return Y ;

SATEU(M, φ,ψ)

W ← SAT(M, φ);Y ← SAT(M, ψ);repeat

X ← Y ;Y ← Y ∪ (W ∩ pre

∃(M,Y ));

A More Efficient Model Checking Algorithm

Using backward breadth-first search, we can in fact do better.

We use the adequate set {EX,EG,EU} instead.

Observe that EXψ1 and E[ψ1 U ψ2] can be labeled in timeO(∣S ∣ + ∣→ ∣) if we perform backward breadth-first search.

For the case EGψ1,▸ Consider the subgraph with states satisfying ψ1;▸ Find maximal strongly connected components (SCC’s) in the subgraph;▸ Use backward breadth-first search on the subgraph to find states that

can reach an SCC.

The new algorithm takes time O(∣φ∣ ⋅ (∣S ∣ + ∣→ ∣)).

The State Explosion Problem

Although the complexity of CTL model checking algorithm is linear inthe number of states, the number of states can be exponential in thenumber of variables and the number of components of the system.

▸ Adding a Boolean variable can double the number of states.

This is called the state explosion problem.

Lots of researches try to overcome the state explosion problem.▸ Efficient data structures.▸ Abstraction.▸ Partial order reduction.▸ Induction.▸ Compositional reasoning.

Outline

Fairness I

We often simplify the system when we build a model for it.▸ This is called abstraction.

Abstraction sometimes introduces unrealistic model behaviors.▸ For instance, a process may stay in its critical section forever.

Such unrealistic behaviors may disprove intended properties.▸ For instance, it is possible that the other process won’t get to its

critical section forever.

In order to consider realistic model behaviors, we impose fairnessconstraints.

Fairness II

We consider only fair computation paths specified by fair constraints.

Instead of standard path quantifiers A (for all) and E (for some), weuse their variants AC (for all fair paths) and EC (for some fair paths).

As an example, we can ask“a process will eventually be permitted to enter its critical section if itrequests so along all fair paths.”

Clearly, we have to slightly modify the CTL model checking algorithm.

Fair Computation Paths

Definition

Let C = {ψ1, ψ2, . . . , ψn} be fairness constraints. A computation paths0 → s1 → ⋯ is fair with respect to C if for every i there are infinitely sj ’ssuch that sj ⊧ ψi . We write AC and EC for the path quantifers A and Erestricted to fair paths.

For example, M, s0 ⊧ ACGφ if φ holds in every state along all fairpaths.

CTL Model Checking Algorithm with Fairness Constraints

Let C = {ψ1, ψ2, . . . , ψn} be a set of fairness constraints.

We consider the adequate set {ECU,ECG,ECX}.

Observe that

EC [φU ψ] ≡ E[φU (ψ ∧ ECG⊺)]ECXφ ≡ EX(φ ∧ ECG⊺).

▸ Note that a computation path is fair iff all its suffixes are fair.▸ M, s ⊧ ECG⊺ ensures that s is on a fair path.

Since ECU and ECX can be reduced to ECG, it remains to compute{s ∈ S ∶M, s ⊧ ECGφ}.

Computing {s ∈ S ∶M, s ⊧ ECGφ}

It turns out that the algorithm for computing ECG is similar forcomputing EG.

Let C = {ψ1, ψ2, . . . , ψn} be a set of fairness constraints.

To compute {s ∈ S ∶M, s ⊧ ECGφ}, do the following:▸ Consider the subgraph with states satisfying φ;▸ Find maximal strongly connected components (SCC’s) in the subgraph;▸ Remove an SCC if it does not contain a state satisfying ψi for some i .

The remaining SCC’s are fair SCC’s;▸ Use backward breadth-first search on the subgraph to find states that

can reach a fair SCC.

The complexity of the algorithm with fairness constraints isO(∣C ∣ ⋅ ∣φ∣ ⋅ (∣S ∣ + ∣→ ∣)).

Fairness in NuSMV

In NuSMV two different types of fair paths can be specified.

Justice▸ Let C = {p1,p2, . . . ,pn} be a set of atomic formulae.▸ A path s0 → s1 → ⋯ satisfies the justice constraint C if for every i ,

there are infinitely sj ’s such that sj ⊧ pi .▸ NuSMV uses the keywords FAIRNESS or JUSTICE.

Compassion▸ Let C = {(p1,q1), (p2,q2), . . . , (pn,qn)} be a set of pairs of atomic

formulae.▸ A path s0 → s1 → ⋯ satisfies the compassion constraint C if for every i ,

there are infinitely sj ’s such that sj ⊧ pi then there are infinitely sj ’ssuch that sj ⊧ qi .

▸ NuSMV uses the keyword COMPASSION.

Outline

LTL Model Checking Algorithm

The CTL model checking algorithm is rather straightforward.▸ It labels each state by satisfied subformulae.▸ It works because CTL formulae specify state properties.

LTL formulae, on the other hand, specify path properties.▸ Labelling states no longer work.

We need a formal model for paths.

Automata theory is required!

Paths and Traces

Let M = (S ,→,L) be a model.

Recall that a path s0 → s1 → ⋯ is a sequence of states such thatsi → si+1 for every i ≥ 0.

A trace is a sequence of valuations of propositional atoms.

The trace of a path s0 → s1 → ⋯ is L(s0)L(s1)⋯.▸ Recall that L ∶ S → 2Atoms.▸ L(si) is the set of propositional atoms that hold in si .▸ L(si) hence is a valuation of propositional atoms.

Note that different paths may have the same trace.

Basic Ideas

Let M = (S ,→,L) be a model, s ∈ S , and φ an LTL formula.

We check whether M, s ⊧ φ holds as follows.1 Construct an automaton A¬φ. A¬φ accepts the traces satisfying ¬φ;2 Construct the combination of the automaton A¬φ and M.

☀ Each path of the combination is a path of A¬φ and also a path of M.

3 Check if there is an accepting path starting from a combined stateincluding s.☀ Such a path is a path of M from s.☀ Moreover its trace satisfying ¬φ.

If an accepting path is found, we report “M, s /⊧ φ”; Otherwise,“M, s ⊧ φ.”

Illustration I

init (a) := 1;

init (b) := 0;

next (a) := case

!a : 0;

b : 1;

1 : { 0, 1 };esac;

next (b) := case

a & next (a) : !b;

!a : 1;

1 : { 0, 1 };esac;

M = (S ,→,L) with Atoms = {a,b} and φ = ¬(a U b)Does M, s3 ⊧ φ hold?

Illustration II

q′3abψ

A trace t is accepting ifthere is a path π whosetrace is t such that anaccepting state occursinfinitely often.

{a}{a}{a,b}{a}{a}⋯ isaccepting.

{a}{a}⋯ is not.

φ = ¬(a U b), ψ = (a U b) and Aψ

Illustration III

(s1,q1)

(s2,q2)

(s3,q′

3)abψ

(s3,q3)

(s4,q4)

(s3,q3)(s2,q2)⋯ isaccepting.

Hence M, s3 /⊧ ¬(a U b)because of the paths3s2⋯.

In fact, s3s4s3s4⋯ isanother counterexample.

Combination of M and Aψ

Construct Aφ I

Let φ be an LTL formula.

We want to construct an automaton Aφ such that Aφ acceptsprecisely traces on which φ holds.

We assume φ contains only the temporal connectives U and X.▸ Recall that {U,X} is adequate.

Define the closure C(φ) of an LTL formula φ by

C(φ)△

= {ψ,¬ψ ∶ ψ is a subformula of φ}

where we identify ¬¬ψ and ψ.

Example:▸ C(a U b) = {a,b,¬a,¬b, a U b,¬(a U b)}.

Construct Aφ II

Let φ be an LTL formula.

A maximal subset q of C(φ) satisfies the following:▸ for all (non-negated) ψ ∈ C(φ), either ψ ∈ q or ¬ψ ∈ q;▸ ψ1 ∨ ψ2 ∈ q iff ψ1 ∈ q or ψ2 ∈ q;▸ Conditions for other Boolean connectives are similar;▸ If ψ1 U ψ2 ∈ q, then ψ2 ∈ q or ψ1 ∈ q; and▸ If ¬(ψ1 U ψ2) ∈ q, then ¬ψ2 ∈ q.

The states of Aφ are the maximal subsets of C(φ). That is,{q ⊆ C(φ) ∶ q is maximal}.

▸ Informally, ψ ∈ q means ψ ∈ C is true at state q.

The initial states of Aφ are those containing φ. Formally,{q ⊆ C(φ) ∶ q is maximal and φ ∈ q}.

Construct Aφ III

The transition relation δ of Aφ is defined as follows. (q,q′) ∈ δ if▸ Xψ ∈ q implies ψ ∈ q′;▸ ¬Xψ ∈ q implies ¬ψ ∈ q′;▸ ψ1 U ψ2 ∈ q and ψ2 /∈ q imply ψ1 U ψ2 ∈ q

′; and▸ ¬(ψ1 U ψ2) ∈ q and ψ1 ∈ q imply ¬(ψ1 U ψ2) ∈ q

Informally, ψ ∈ q enforces certain ψ′ ∈ q′.▸ Recall the definition of maximal subsets of C(φ).▸ Observe that

ψ1 U ψ2 ≡ ψ2 ∨ (ψ1 ∧X(ψ1 U ψ2)

¬(ψ1 U ψ2) ≡ ¬ψ2 ∧ (¬ψ1 ∨X¬(ψ1 U ψ2)).

Consider C(a U b) = {a,¬a,b,¬b, a U b,¬(a U b)}.

Let q = {a,¬b, a U b} be a maximal subset of C(a U b).

We have (q,q) ∈ δ, the transition relation of AaUb.

Informally, a U b ∈ q means a U b holds at all traces from q.▸ Apparently, qq⋯ does not satisfy a U b.

We define acceptance conditions to disallow such traces.

Construct Aφ IV

Let χ1 U ψ1, . . . , χk U ψk be all formulae of this form in C(φ).

The acceptance condition of Aφ is as follows.A state q of Aφ is i-accepting if {¬(χi U ψi), ψi} ∩ q ≠ ∅.A path π is accepted if for every 1 ≤ i ≤ k , π has infinitely manyi-accepting states.

▸ A state can be i-accepting for every 1 ≤ i ≤ k .

To see why it works, consider a path π = q0 → q1 → ⋯ with onlyfinitely many i-accepting states. Hence for some h, we haveπh = qh → qh+1 → ⋯ with qj ∩ {¬(χi Uψi), ψi} = ∅ for every j ≥ h. Bythe maximality of qj , we have {χi U ψi ,¬ψi} ⊆ qj for every j ≥ h. Thepath π is precisely what we wan to eliminate.

Construct Aφ V

q′3abψ

C(a U b) ={a,¬a,b,¬b, aUb,¬(aUb)}.

Maximal subsets of C(aUb):

q1 = {¬a,¬b,¬(a U b)}q2 = {¬a,b, a U b}q3 = {a,¬b, a U b}q′3 = {a,¬b,¬(a U b)}q4 = {a,b, a U b}

Accepting states are{qi ∶ ¬(a U b) ∈ qi or b ∈ qi}.

ψ = a U b and Aψ

Construct Aφ VI

¬(a U b),¬(¬a U b),¬a,¬b,¬ψ

q1a U b,

¬(¬a U b),a,¬b,ψ

a U b,¬a U b,¬a, b,ψ

a U b,¬a U b,a, b,ψ

¬(a U b),¬(¬a U b),a,¬b,¬ψ

¬(a U b),¬a U b,¬a,¬b,ψ

For a U b, the acceptingstates are {q1,q3,q4,q5,q6}.

For ¬a U b, the acceptingstates are {q1,q2,q3,q5,q6}.

ψ = (a U b) ∨ (¬a U b) and Aψ

LTL Model Checking with Fairness Constraints

Our CTL model checking algorithm is slightly modified to check CTLproperties with fairness constraints.

However, it is not necessary for LTL model checking.

Consider, for example, checking an LTL formula φ with a justiceconstraint ψ.

▸ Recall that a justice constraint ψ considers only paths that ψ occursinfinitely often.

We would like to check if φ holds on all fair paths.

This is equivalent to checking GFψ Ô⇒ φ.▸ because LTL can specify justice constraints.

Hence the LTL model checking algorithm works even if there arefairness constraints.

NuSMV LTL Model Checking Algorithm

We can in fact implement the LTL model checking algorithm by theCTL model checking algorithm with justice constraints.

Let M be a NuSMV model and φ an LTL formula.

Here is how it works:▸ Construct A¬φ as a NuSMV model.▸ Construct M ×A¬φ.▸ Check EG⊺ with justice constraint ¬(χU ψ) ∨ ψ for each χU ψ in φ.

The NuSMV LTL model checking algorithm uses justice constraintsto search paths accepted by M ×A¬φ.

Outline

1 Model-checking algorithms

2 The fixed-point characterisation of CTLMonotone functionsThe correctness of SATEGThe correctness of SATEU

The CTL Model Checking Algorithm Revisited I

We have presented a CTL model checking algorithm.

Let M = (S ,→,L) be a transition system.

The algorithm computes the set [[φ]] for any CTL formula φ, where

[[φ]] = {s ∈ S ∶M, s ⊧ φ}.

We use the following equations:

[[p]] = {s ∈ S ∶ p ∈ L(s)}[[�]] = ∅

[[¬φ]] = S ∖ [[φ]][[φ ∧ ψ]] = [[φ]] ∩ [[ψ]][[EXφ]] = pre

∃(M, [[φ]])

[[AFφ]] = [[φ]] ∪ pre∀(M, [[AFφ]])

[[E[φU ψ]]] = [[ψ]] ∪ ([[φ]] ∩ pre∃(M, [[E[φU ψ]]]))

The last two recursive equations are puzzling.▸ Circular definitions are always problematic!

The CTL Model Checking Algorithm Revisited II

To simplify our presentation, we will use a different adequate set oftemporal connectives {EX,EG,EU}.

▸ To get rid of pre∀(●, ●).

Hence we use the following puzzling equations:

[[EGφ]] = [[φ]] ∩ pre∃(M, [[EGφ]])

[[E[φU ψ]]] = [[ψ]] ∪ ([[φ]] ∩ pre∃(M, [[E[φU ψ]]]))

We will explain them by fixed-point theory.

The theory will also establish the correctness of the algorithm.

Outline

Monotone Functions

Definition

Let S be a set of states and F ∶ 2S → 2S .

1 F is monotone if X ⊆ Y implies F (X ) ⊆ F (Y ) for every X ,Y ⊆ S ;

2 X ⊆ S is a fixed point of F if F (X ) = X .

Examples: let S△

= {s0, s1}.

▸ F (Y )△

= Y ∪ {s0}. F (Y ) is monotone. {s0} and {s0, s1} are fixedpoints of F (Y ).

▸ G(Y )△

= {{s1} if Y = {s0}{s0} otherwise

. G(Y ) is not monotone. G(Y ) has no

fixed points.

Let F ∶ 2S → 2S . We write F i(X ) for the expression

i³¹¹¹¹¹¹¹¹¹¹¹·¹¹¹¹¹¹¹¹¹¹¹µ

F (F⋯F (X )⋯).

Fixpoint Theorem I

Theorem

Let S be a set with ∣S ∣ = n. If F ∶ 2S → 2S is a monotone function, F n(∅)

is the least fixed point of F and F n(S) is the greatest fixed point of F (by

set inclusion order).

Proof.

Since ∅ ⊆ F (∅) and F is monotone, F (∅) ⊆ F 2(∅). More generally,

F (∅) ⊆ F 2(∅) ⊆ ⋯ ⊆ F n

(∅) ⊆ F n+1(∅).

Since ∣S ∣ = n and F is monotone, there is 1 ≤ k ≤ n that F k(∅) = F k+1

(∅).Thus F n

(∅) is a fixed point of F .Suppose H = F (H) is a fixed point of F . Since ∅ ⊆ H, F (∅) ⊆ F (H) = H.F 2

(∅) ⊆ F (H) = H. Hence F i(∅) ⊆ H for every i . Particularly, F n

(∅) ⊆ H.The case for the greatest fixed point is similar.

Fixpoint Theorem II

Knaster-Tarski theorem in fact shows the least and greatest fixedpoints exist for any (not necessarily finite) set.

Our fixpoint theorem is a special case of Knaster-Tarski theorem.

The fixpoint theorem shows how to compute least and greatest fixedpoints for monotone functions over finite sets.

We will show [[EGφ]] and [[E[φU ψ]]] are in fact greatest and leastfixed points of certain monotone functions respectively.

Outline

Computing [[EGφ]]

Recall that EGφ ≡ φ ∧ EXEGφ.

Hence [[EGφ]] = [[φ]] ∩ pre∃(M, [[EGφ]]).

[[EGφ]] is a fixed point of

F (X )△

= [[φ]] ∩ pre∃(M,X ).

We will show that [[EGφ]] is in fact a greatest fixed point of F .

[[EGφ]] as a Greatest Fixed Point

Theorem

Let M = (S ,→,L) be a model with ∣S ∣ = n and F (X )△

= [[φ]]∩ pre∃(M,X ).

Then F is monotone, [[EGφ]] is the greatest fixed point of F , and[[EGφ]] = F n

Proof.

Let X ,Y ⊆ S and X ⊆ Y , and s ∈ F (X ). Then s ∈ [[φ]] and there is an s ′

such that s → s ′ and s ′ ∈ X ⊆ Y . That is, s ′ ∈ F (Y ) and henceF (X ) ⊆ F (Y ). F is monotone.Since [[EGφ]] = F ([[EGφ]]), [[EGφ]] is a fixed point of F . It remains to showthat [[EGφ]] is the greatest fixed point of F . Consider any X ⊆ S withX = F (X ). Let s0 ∈ X . Then s0 ∈ F (X ) = [[φ]] ∩ pre

∃(M,X ). s0 ∈ [[φ]] and

there is an s1 with s0 → s1 such that s1 ∈ X . By induction, we have a paths0 → s1 → ⋯ such that si ∈ [[φ]] for s ≥ 0. Hence s0 ∈ [[EGφ]]. ThereforeX ⊆ [[EGφ]] for every fixed point X of F .The greatest fixed point of F is F n

(S).Bow-Yaw Wang (Academia Sinica) Model Checking Algorithms November 16, 2021 47 / 56

SATEG(M, φ) I

Y ← SAT(φ);repeat

X ← Y ;Y ← Y ∩ pre

∃(M,Y );

until X = Y ;return (Y );

Note that SATEG(M, φ) does not apply the previous theorem exactly.

Recall that

F (X )△

= [[φ]] ∩ pre∃(M,X ).

SATEG(M, φ) II

By the theorem, we would have

Y 0 = F 0(S) = S

Y 1 = F(Y 0) = [[φ]] ∩ pre∃(M,Y 0) = [[φ]]

Y 2 = F(Y 1) = Y 1 ∩ pre∃(M,Y 1)

Y 3 = F(Y 2) = Y 1 ∩ pre∃(M,Y 2)

where Y 0 ⊇ Y 1 ⊇ Y 2 ⊇ ⋯

SATEG(M, φ) on the other hand computes

Y0 = [[φ]] = Y 1

Y1 = Y0 ∩ pre∃(M,Y0)

= Y 1 ∩ pre∃(M,Y 1) = Y 2

Y2 = Y1 ∩ pre∃(M,Y1)

= Y 1 ∩ pre∃(M,Y 1) ∩ pre

∃(M,Y 2)

= Y 1 ∩ pre∃(M,Y 2) = Y 3

Y3 = Y2 ∩ pre∃(M,Y2)

= Y 1 ∩ pre∃(M,Y 2) ∩ pre

∃(M,Y 3)

= Y 1 ∩ pre∃(M,Y 3) = Y 4

Outline

Computing [[E[φU ψ]]]

Recall that E[φU ψ] ≡ ψ ∨ (φ ∧ EXE[φU ψ]).

Hence [[E[φU ψ]]] = [[ψ]] ∪ ([[φ]] ∩ pre∃(M, [[E[φU ψ]]])).

[[E[φU ψ]]] is a fixed point of

G(X )△

= [[ψ]] ∪ ([[φ]] ∩ pre∃(M,X )).

We will show that [[E[φU ψ]]] is in fact a least fixed point of G .

[[E[φU ψ]]] as a Least Fixed Point

Theorem

Let M = (S ,→,L) be a model with ∣S ∣ = n and G(X) △= [[ψ]] ∪ ([[φ]] ∩ pre∃(M,X)).

Then G is monotone, [[E[φU ψ]]] is the least fixed point of G , and [[E[φU ψ]]] = G n(∅).

Proof.Since pre

∃(M,X) is monotone, G is monotone.

Since G n(∅) is the least fixed point of G , it remains to show that [[E[φU ψ]]] = G n(∅).

Recall M, s ⊧ E[φU ψ] if for some path s0(= s)→ s1 → ⋯ there is i ≥ 0 that M, si ⊧ ψand for every 0 ≤ j < i we have M, sj ⊧ φ.

Observe that G 1(∅) = [[ψ]] ∪ ([[φ]] ∩ pre∃(M,∅)) = [[ψ]]. s ∈ G 1(∅) iff M, s ⊧ E[φU ψ]

by taking i = 0. Similarly, G 2(∅) = G(G 1(∅)) = [[ψ]] ∪ ([[φ]] ∩ pre∃(M,G 1(∅))). That

is, s ∈ G 2(∅) iff M, s ⊧ E[φU ψ] by taking i = 0,1. By induction, one can shows ∈ G k(∅) iff M, s ⊧ E[φU ψ] by taking i = 0, . . . , k − 1. Hence [[E[φU ψ]]] = ⋃

i∈NG i(∅).

Now recall that G 0(∅) ⊆ G 1(∅) ⊆ G 2(∅) ⊆ ⋯ and G n(∅) is a fixed point. We have

⋃i∈N

G i(∅) = G n(∅). That is, [[E[φU ψ]]] = G n(∅).

SATEU(M, φ,ψ) Revisited I

W ← SAT(M, φ);Y ← SAT(M, ψ);repeat

X ← Y ;Y ← Y ∪ (W ∩ pre

∃(M,Y ));

Note again that SATEU(M, φ,ψ) does not exactly follow the theorem.

Recall

G(X )△

= [[ψ]] ∪ ([[φ]] ∩ pre∃(M,X )).

SATEU(M, φ,ψ) Revisited II

By the theorem, we would have

Y 0 = G 0(∅) = ∅Y 1 = G(Y 0) = [[ψ]] ∪ ([[φ]] ∩ pre

∃(M,Y 0)) = [[ψ]]

Y 2 = G(Y 1) = [[ψ]] ∪ ([[φ]] ∩ pre∃(M,Y 1))

= Y 1 ∪ ([[φ]] ∩ pre∃(M,Y 1))

Y 3 = G(Y 2) = Y 1 ∪ ([[φ]] ∩ pre∃(M,Y 2))

where Y 0 ⊆ Y 1 ⊆ Y 2 ⊆ ⋯

SATEU(M, φ,ψ) on the other hand computes

Y0 = [[ψ]] = Y 1

Y1 = Y0 ∪ ([[φ]] ∩ pre∃(M,Y0))

= Y1 ∪ ([[φ]] ∩ pre∃(M,Y 1)) = Y 2

Y2 = Y1 ∪ ([[φ]] ∩ pre∃(M,Y1))

= Y 1 ∪ ([[φ]] ∩ pre∃(M,Y 1)) ∪ ([[φ]] ∩ pre

∃(M,Y 2))

= Y 1 ∪ ([[φ]] ∩ pre∃(M,Y 2)) = Y 3

Y3 = Y2 ∪ ([[φ]] ∩ pre∃(M,Y2))

= Y 1 ∪ ([[φ]] ∩ pre∃(M,Y 2)) ∪ ([[φ]] ∩ pre

∃(M,Y 3))

= Y 1 ∪ ([[φ]] ∩ pre∃(M,Y 3)) = Y 4

Example I

Compute [[EFp]].

▸ Since [[EFp]] = [[E[⊺U p]]], consider G(X )△

= [[p]] ∪ ([[⊺]] ∩ pre∃(M,X ))

= {s3} ∪ pre∃(M,X ). G 1

(∅) = {s3}, G 2(∅) = G({s3}) = {s3, s1},

G 3(∅) = G({s1, s3}) = {s3, s0, s2, s1}, G 4

(∅) = G({s0, s1, s2, s3}) ={s3, s0, s2, s1} = G 3

(∅). Hence [[EFp]] = {s0, s1, s2, s3}.

Example II

Compute [[EGq]].

▸ Consider F (X )△

= [[q]] ∩ pre∃(M,X ) = {s0, s4} ∩ pre

∃(M,X ).

F 1(S) = {s0, s4}. F 2

(S) = F ({s0, s4}) = {s0, s4} ∩ {s3, s0, s2, s4} ={s0, s4} = F 1

(S). Hence [[EGq]] = {s0, s4}.

Model Checking Algorithms

Documents

Algorithms for Model Checking (2IW55) - TU/etimw/downloads/amc2013/lecture4.pdf · Algorithms for Model Checking (2IW55) Lecture4 The -Calculus ... Recall: symbolicmodelcheckingforCTLwasbasedonﬁxedpoints

Model Checking I

Model Checking and Related Techniques Liu Yang. Outline Model Checking Techniques – Introduction to MC – Symbolic Model Checking – Bounded Model Checking

Model Checking Lecture 5. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking

Model Checking Navigation

Algorithms for Model Checking (2IW55)timw/downloads/amc2012/lecture2.pdf · Department of Mathematics and Computer Science Algorithms for Model Checking (2IW55) Lecture2 SymbolicModelCheckingforCTL

Model Checking Basics

LTL Model Checking

Model Checking Concurrent Programs · Verification Approach: e g Model Checking Automatic Property Verification Verification Approach: e.g. Model Checking – Exhaustive state space

Combining Model Learning and Model Checking to · PDF fileCombining Model Learning and Model Checking to Analyze TCP Implementations Abstract. We combine model learning and model checking

Fachgebiet RechnerSysteme 6. Model Checking · Model Checking Fachgebiet RechnerSysteme Verification Technology Content 6.1 Temporal logic 6.2 CTL 6.3 Symbolic model-checking

24: Model Checking & Reachability Analysissymbolaris.com/course/fcps16/reachability.pdf · 24: Model Checking & Reachability Analysis ... editors, Handbook of Model Checking. Springer,

Software Model-Checking: Benchmarking and Techniques …chechik/pubs/kelvinthesis.pdf · Software Model-Checking: Benchmarking and Techniques for Buffer ... Software Model-Checking:

Introduction to Model Checking - Forsiden - … to Model Checking Shiva Nejati Simula Research Lab May 19, 2010 Saturday, May 15, 2010 Temporal Logic Model Checking Model checking

Symbolic Model Checking for Factored Probabilistic Models · bolic model checking algorithms on top of data structures such as BDDs and MTBDDs [16]. It is well known that these data

CS717 Checking Specific Algorithms Greg Bronevetsky

Algorithms for Model Checking (2IW55) Lecture 7: Solving ...timw/downloads/amc2013/lecture8.pdf · Algorithms for Model Checking (2IW55) Lecture 7: Solving parity games using small

Algorithms for Software Model Checking: Predicate ...hunt/FMCAD/FMCAD12/020.pdf · Algorithms for Software Model Checking: Predicate Abstraction vs. IMPACT Dirk Beyer University of

Algorithms for Software Model Checking: Predicate ... · Algorithms for Software Model Checking: Predicate Abstraction vs. IMPACT Dirk Beyer University of Passau, Germany Philipp

EE 244: Fundamental Algorithms for System Modeling ...Model Checking Stavros Tripakis University of California, Berkeley Stavros Tripakis (UC Berkeley) EE 244, Fall 2016 Model Checking