Symbolic CTL Model Checking

1 Computation Tree Logic (CTL)

2 CTL Model Checking Algorithm

3 Symbolic CTL Model Checking

Recall of LTL

A linear logic over an infinite sequence of states.

Transition System and Computation TreeAssume TS is finite, and has no terminal states, we can unfold it at achosen state into an infinite computation tree.

CTL introduces two path quantifiers:∀ : all computations that start in a state (implicitly expressed in LTL)∃ : some computations that start in a state (cannot be expressed in LTL)

Some Basic CTL Formulae

Syntax of CTL

State formulae:

Φ ::= true | α | ¬Φ | Φ1 ∧ Φ2 | ∀ϕ | ∃ϕ

where α ∈ AP (atomic proposition)

Path formulae:ϕ ::=© Φ | Φ1 U Φ2

Four possible ways to turn path formulae into state formulae:

∀© ∀ U ∃© ∃U

Examples of CTL formulae

Illegal CTL formulaeI ∃(x = 1 ∧ y > 4)I ∃© (true U (x = 1))

Legal CTL formulaeI ∃© (x = 1 ∧ y > 4)I ∃© ∀(true U (x = 1))

Derived Temporal Modalities

eventuallyI ∃♦Φ ≡ ∃(true U Φ) Φ holds potentiallyI ∀♦Φ ≡ ∀(true U Φ) Φ is inevitable

alwaysI ∃�Φ ≡ ¬∀♦¬Φ ( 6= ∃♦¬Φ) potentially always ΦI ∀�Φ ≡ ¬∃♦¬Φ ( 6= ∀♦¬Φ) invariantly Φ

Satisfaction Relation for CTL

Let transition system TS = (S,Act,→,I,AP,L), state s ∈ S, α be an atomicproposition, Φ1,Φ2 be CTL state formulae, and ϕ be a CTL path formulae.

The satisfaction relation � is defined for state formulae by

s � α iff α ∈ L(s)s � ¬Φ iff not s � Φs � Φ1 ∧ Φ2 iff (s � Φ1) and (s � Φ2)s � ∃ϕ iff π � ϕ for some π ∈ Path(s)s � ∀ϕ iff π � ϕ for all π ∈ Path(s)

For path π, the satisfaction relation � for path formulae is defined by

π � © Φ iff π[1] � Φ

π � Φ1 U Φ2 iff ∃j≥0. (π[j ] � Φ2 ∧ (∀0 ≤ k < j .π[k] � Φ1))

Expressiveness of CTL vs. LTL

Intuitively, the LTL formula ♦�α is equivalent to the CTL formula ∀♦∀�α.However, s0 � ♦�α and s0 6� ∀♦∀�α are shown in the following case.

1 ♦�α:α will eventually forever hold from some state

2 ∀♦∀�α:On any computation, eventually some state, s say,is reached such that s � ∀�α

Satisfaction Set

Given a transition system TS , the satisfaction set Sat(Φ) for CTL-stateformula Φ is defined by:

Sat(Φ) = { s ∈ S | s � Φ}

For example:

Sat(∀�a) = {s3}

CTL Semantics for Transition System

TS � Φ iff ∀s0 ∈ I . s0 � Φ

in other words, TS � Φ iff I ⊆ Sat(Φ)

CTL in Existential Normal Form (ENF)

Φ ::= true | α | ¬Φ | Φ1 ∧ Φ2 | ∃©Φ | ∃( Φ1 U Φ2) | ∃�Φ

Other CTL formulae can be translated into equivalent ENF formulae:∃♦Φ ≡ ∃(true U Φ)∀© Φ ≡ ¬∃©¬Φ∀(Φ1 U Φ2) ≡ ¬∃(¬Φ2 U (¬Φ1 ∧ ¬Φ2)) ∧ ¬∃�¬Φ2∀♦Φ ≡ ¬∃�¬Φ∀�Φ ≡ ¬∃♦¬Φ = ¬∃(true U ¬Φ)

CTL in ENF has the same expressiveness as CTL

We will use ENF of CTL in the model checking algorithm

Overview of the Algorithm

To verify for a given transition system TS and CTL formula Φ whetherTS � Φ, the procedure is:

1 recursive computation of the sets Sat(Ψ) for all subformulae Ψ of Φ

2 checking whether I ⊆ Sat(Φ)

Computation of the Satisfaction Sets

Sat(∃�Φ)T0 = Sat(Φ) and Ti+1 = Ti ∩ {s ∈ Sat(Φ)|Post(s) ∩ Ti 6= ∅}until Ti+1 = Ti (reach the greatest fix point)

i.e. Sat(∃�b) = {s0, s2, s4}

Sat(∃(Φ1 U Φ2))

T0 = Sat(Φ2) and Ti+1 = Ti ∪ {s ∈ Sat(Φ1)|Post(s) ∩ Ti 6= ∅}until Ti+1 = Ti (reach the smallest fix point)

i.e. Sat(∃(true U (a = c) ∧ (a 6= b))) = {s4, s5, s6, s7}

Time Complexity

Let TS be a finite transition system with N states and K transitions. Ψ asubformula of Φ. The time complexity of calculating Sat(Ψ) is


Also, there are |Φ| subformulae of Φ. The total time complexity ofcalculating Sat(Φ) is therefore

O((N+K) · |Φ|)

Why Symbolic?

Original version of CTL model checkingI single state and single transition at a timeI record all the predecessors and successors in each stateI iterative computation: union and intersection of setsI state explosion problem in large transition systems

Symbolic versionI sets of states and sets of transitions at a timeI binary encoding of statesI one boolean function for each satisfaction setI one boolean function for all the transitionsI iterative computation:conjunction and disjunction of a sequence of bitsI very efficient

Encoding States

Binary encoding (enc) of states, as vectors of n bits:

enc : S → {0, 1}n

For example:8 states (s0, s1, ..., s7) can be encoded with 3 bitss0: 000s1: 001...s7: 111

Two Boolean Functions (XT and 4)

XT : to encode set of states T ⊆ S (i.e. T=Sat(α)):

XT : {0, 1}n→ {0,1} s.t. XT (s)=1 iff s ∈ T

4: to encode set of transitions → ⊆ S x S :

4 : {0, 1}2n→ {0,1} s.t. 4(s,s’)=1 iff s → s’

Sat(∃�b) in Symbolic Version

binary decision tree (BDT)

8 states (s0, s1, ..., s7) can be encoded with 3 bits (z1z2z3)XT (z1, z2, z3) → {0,1},T=Sat(b) i.e. XT (s2) = XT (0,1,0) = 14(z1, z2, z3, z ′1, z

′2, z

′3) → {0,1} i.e. 4(s1, s2) = 4(0,0,1,0,1,0) = 0

Symbolic Computation

T0 = Sat(Φ2) and Ti+1 = Ti ∪ {s ∈ Sat(Φ1)|Post(s) ∩ Ti 6= ∅}

T0 = Sat(Φ) and Ti+1 = Ti ∩ {s ∈ Sat(Φ)|Post(s) ∩ Ti 6= ∅}

continue the example from last slide: f0 : 00010111 → f1 : 00010101 → f2 : 00010101

From BDT to BDDbinary decision diagram (BDD): a reduced version of BDT

C. Baier and J.-P. Katoen, “Principles of Model Checking”(The MIT Press, 2008).Figures, algorithms and samples taken from Chapter 6 of the book above.

