
Model checking
Raúl Monroy
Verification by model checking

• Model checking is based on temporal logic.
• A formula is not statically true or false in a model: the notion of truth is dynamic, and a formula may change its truth value as the system evolves.
• Models are transition systems.
Verification by model checking

To verify that a system satisfies a property:
1. Model the system using the description language of the model checker, obtaining M.
2. Code the property using the specification language, obtaining φ.
3. Run the model checker with inputs M and φ.
Temporal logics

• Linear-time logics
• Branching-time logics: useful in modelling non-deterministic computations
• Time: continuous or discrete
• CTL (Computation Tree Logic): time is branching and discrete
Syntax

CTL formulas are defined inductively via a Backus-Naur form:

Φ ::= ⊥ │ ⊤ │ p │ (¬Φ) │ (Φ ∧ Φ) │ (Φ ∨ Φ) │ (Φ → Φ) │
      AX Φ │ EX Φ │ A[Φ U Φ] │ E[Φ U Φ] │ AG Φ │ EG Φ │ AF Φ │ EF Φ

where p ranges over atomic formulas.
Syntax

• AX, EX, AG, EG, AU, EU, AF and EF are called temporal connectives.
• Each temporal connective is a pair of symbols:
  - 1st symbol of the pair: A (along All paths) or E (along at least one path: there Exists a path)
  - 2nd symbol of the pair: X (neXt state), G (all future states, Globally), U (Until) or F (some Future state)
• AU and EU are binary; the other temporal connectives are unary.
• X, G, U and F cannot occur on their own: each must be paired with A or E.
• Precedence: ¬ and the unary temporal connectives (AX, EX, AG, EG, AF, EF) bind most tightly; next come ∧ and ∨; after that →, AU and EU.
Syntax

Examples of well-formed CTL formulas:
• EG r
• AG (q → EG r)
• AG q ∨ EG r
• A[r U q]
• EF E[r U q]
• A[p U EF r]
Syntax

More well-formed CTL formulas:
• AG AF r
• A[p1 U A[p2 U p3]]
• E[A[p1 U p2] U p3]
• AG (p → A[p U (¬p ∧ A[¬p U q])])
Syntax

Examples of strings that are not well-formed CTL formulas (the path quantifier A or E is missing, doubled, or not paired with its temporal operator):
• FG r
• A ¬G ¬p
• F[r U q]
• EF[r U q]
• AEF r
• AF[(r U q) ∧ (r U q)]
Parse tree of a CTL formula

A subformula of a CTL formula Φ is any formula ψ whose parse tree is a subtree of Φ's parse tree.

[Figure: parse tree of A[AX ¬p U E[EX (p ∧ q) U ¬p]]. The root is AU; its left child is AX over ¬ over p; its right child is EU, whose children are EX over ∧ over the leaves p and q, and ¬ over p.]
Semantics of CTL

[Figure: a model with three states, labelled {p, q}, {q, r} and {r}.]

A concise presentation of a model M is a directed graph whose nodes are states, each annotated with the propositional atoms that are true in that state.
Deadlock treatment

A model M is given by a triple (S, →, L): a set of states S, a transition relation → ⊆ S × S, and a labelling function L that assigns to each state the set of atoms true in it.

[Figure: a system with states S0, S1, S2, S3 and S4, where state S4 does not have any further transitions.]
Deadlock treatment

[Figure: the same system (S0 to S4) expanded with a 'deadlock' state Sd.]

An expanded system with a 'deadlock' state Sd, such that no state can deadlock (S4 gets a transition to Sd, and Sd a transition to itself, so every state has a successor). It is then our understanding that reaching the 'deadlock' state corresponds to deadlock in the original system.

Satisfaction relation, ⊨

Let M = (S, →, L). Given any s in S, whether a CTL formula Φ holds in state s, written M, s ⊨ Φ, is defined by structural induction on Φ:

1. M, s ⊨ ⊤ and M, s ⊭ ⊥, for all s ∈ S.
2. M, s ⊨ p iff p ∈ L(s).
3. M, s ⊨ ¬Φ iff M, s ⊭ Φ.
4. M, s ⊨ Φ1 ∧ Φ2 iff M, s ⊨ Φ1 and M, s ⊨ Φ2.
5. M, s ⊨ Φ1 ∨ Φ2 iff M, s ⊨ Φ1 or M, s ⊨ Φ2.
6. M, s ⊨ Φ1 → Φ2 iff M, s ⊭ Φ1 or M, s ⊨ Φ2.
7. M, s ⊨ AX Φ iff for all s1 such that s → s1 we have M, s1 ⊨ Φ. Thus AX says: 'in every next state'.
8. M, s ⊨ EX Φ iff for some s1 such that s → s1 we have M, s1 ⊨ Φ. Thus EX says: 'in some next state'.
9. M, s ⊨ AG Φ iff for all paths s1 → s2 → s3 → …, where s1 equals s, and all si along the path, we have M, si ⊨ Φ. Mnemonically: for All computation paths beginning in s, Φ holds Globally.
10. M, s ⊨ EG Φ iff there is a path s1 → s2 → s3 → …, where s1 equals s, such that for all si along the path we have M, si ⊨ Φ. Mnemonically: there Exists a path beginning in s along which Φ holds Globally.
11. M, s ⊨ AF Φ iff for all paths s1 → s2 → …, where s1 equals s, there is some si such that M, si ⊨ Φ. Mnemonically: for All computation paths beginning in s there will be some Future state where Φ holds.
Semantics of CTL

[Figure: the three-state model with S0 labelled {p, q}, S1 labelled {q, r} and S2 labelled {r}, unwound into an infinite tree rooted at S0.]

Unwinding the system of figure 3.2 as an infinite tree of all computation paths beginning in a particular state.
Semantics of CTL

[Figure: a system whose starting state satisfies EF Φ (some path reaches a state where Φ holds).]

[Figure: a system whose starting state satisfies EG Φ (Φ holds at every state of some path).]
Semantics of CTL

[Figure: a system whose starting state satisfies AG Φ (Φ holds at every state of every path).]

[Figure: a system whose starting state satisfies AF Φ (every path reaches a state where Φ holds).]
Semantics of CTL

[Figure: a system with four states, labelled {r}, {p, t, r}, {q, r} and {p, q}.]

[Figure: another system with four states, carrying the same four labels.]
Equivalences in CTL

Two CTL formulas φ and ψ are said to be semantically equivalent if any state in any model which satisfies one of them also satisfies the other; we denote this by φ ≡ ψ.
Equivalences in CTL

Noteworthy are the following:

AG φ ≡ φ ∧ AX AG φ
EG φ ≡ φ ∧ EX EG φ
AF φ ≡ φ ∨ AX AF φ
EF φ ≡ φ ∨ EX EF φ
A[φ U ψ] ≡ ψ ∨ (φ ∧ AX A[φ U ψ])
E[φ U ψ] ≡ ψ ∨ (φ ∧ EX E[φ U ψ])

Each equivalence unfolds a temporal connective by one step; read from right to left, it is the step that the labelling algorithm repeats until no state changes.
Mutual exclusion

The first modelling attempt: eight states, each named by the phase of the two processes (n = non-critical, t = trying, c = critical):
n1n2, t1n2, c1n2, t1t2, c1t2, n1t2, n1c2, t1c2

[Figure: transition graph of the first modelling attempt.]
Mutual exclusion

Four properties:
1. Safety (only one process is in its critical section at any time): φ1 =def AG ¬(c1 ∧ c2)
2. Liveness (whenever a process requests to enter, it eventually does): φ2 =def AG (t1 → AF c1)
3. Non-blocking (a process can always request to enter): φ3 =def AG (n1 → EX t1)
4. No strict sequencing (processes need not enter in strict alternation): φ4 =def EF (c1 ∧ E[c1 U (¬c1 ∧ E[¬c2 U c1])])
Mutual exclusion

The second modelling attempt: nine states; t1t2 now appears twice, recording which of the two trying processes is due to enter next:
n1n2, t1n2, c1n2, t1t2, c1t2, n1t2, t1t2, n1c2, t1c2

[Figure: transition graph of the second modelling attempt.]
Labelling algorithm

INPUT: a CTL model M = (S, →, L) and a CTL formula Φ
OUTPUT: the set of states of M which satisfy Φ
Labelling algorithm

Process the subformulas ψ of Φ from the smallest upwards, labelling each state s with the subformulas it satisfies:
• ⊥: no state is labelled with ⊥
• p: label s with p if p ∈ L(s)
• ψ1 ∧ ψ2: label s with ψ1 ∧ ψ2 if s is already labelled both with ψ1 and with ψ2
• ¬ψ1: label s with ¬ψ1 if s is not already labelled with ψ1
Labelling algorithm

• AF ψ1:
  - If any state s is labelled with ψ1, label it with AF ψ1.
  - Repeat: label any state with AF ψ1 if all its successor states are labelled with AF ψ1, until there is no change.
Labelling algorithm

• E[ψ1 U ψ2]:
  - If any state s is labelled with ψ2, label it with E[ψ1 U ψ2].
  - Repeat: label any state with E[ψ1 U ψ2] if it is labelled with ψ1 and at least one of its successor states is labelled with E[ψ1 U ψ2], until there is no change.
• EX ψ1: label s with EX ψ1 if at least one of its successor states is labelled with ψ1.

The remaining connectives are handled by rewriting them into these: AX ψ ≡ ¬EX ¬ψ, EF ψ ≡ E[⊤ U ψ], AG ψ ≡ ¬EF ¬ψ and EG ψ ≡ ¬AF ¬ψ.
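The labelling algorithm of the last slides, written out in Python as an added example (this is not code from the slides or from any model checker): the cases ⊥, p, ∧, ¬, AF and E[U] follow the slides, EX is the remaining case, and the other connectives are reduced through the unfoldings of the 'Equivalences in CTL' slide; the loop in _until is the 'repeat until there is no change' step. The model is checked against the four mutual-exclusion properties φ1 to φ4 on both modelling attempts. The state names s0 to s9 and the transition relation are assumptions made here, since the slides reproduce only the state labels.

```python
"""CTL labelling algorithm over a finite model M = (S, ->, L).
Formulas are nested tuples mirroring the BNF of the Syntax slide, e.g.
('AG', ('implies', ('p', 't1'), ('AF', ('p', 'c1')))) for AG (t1 -> AF c1)."""
from typing import Callable, Dict, Set, Tuple


class Model:
    def __init__(self, transitions: Dict[str, Set[str]], labels: Dict[str, Set[str]]):
        self.states: Set[str] = set(transitions) | set(labels)
        self.succ = {s: set(transitions.get(s, ())) for s in self.states}
        self.labels = {s: set(labels.get(s, ())) for s in self.states}
        # The path semantics needs a successor for every state (deadlock treatment).
        dead = sorted(s for s in self.states if not self.succ[s])
        if dead:
            raise ValueError(f"states without transitions: {dead}")

    def pre_exists(self, target: Set[str]) -> Set[str]:   # the E step
        return {s for s in self.states if self.succ[s] & target}

    def pre_forall(self, target: Set[str]) -> Set[str]:   # the A step
        return {s for s in self.states if self.succ[s] <= target}

    def _until(self, hold: Set[str], target: Set[str],
               pre: Callable[[Set[str]], Set[str]]) -> Set[str]:
        """Least fixpoint behind AF, EF, AU and EU: label `target`, then keep labelling
        states in `hold` whose successors (some or all, per `pre`) are labelled, until no change."""
        labelled = set(target)
        while True:
            fresh = (hold & pre(labelled)) - labelled
            if not fresh:
                return labelled
            labelled |= fresh

    def sat(self, f: Tuple) -> Set[str]:
        """The set of states of M satisfying f (the algorithm's OUTPUT)."""
        op, args = f[0], f[1:]
        if op == 'true':
            return set(self.states)
        if op == 'false':                 # no state is labelled with bottom
            return set()
        if op == 'p':                     # label s with p iff p in L(s)
            return {s for s in self.states if args[0] in self.labels[s]}
        if op == 'not':
            return self.states - self.sat(args[0])
        if op == 'and':
            return self.sat(args[0]) & self.sat(args[1])
        if op == 'or':
            return self.sat(args[0]) | self.sat(args[1])
        if op == 'implies':
            return (self.states - self.sat(args[0])) | self.sat(args[1])
        if op == 'EX':
            return self.pre_exists(self.sat(args[0]))
        if op == 'AX':
            return self.pre_forall(self.sat(args[0]))
        if op == 'EU':
            return self._until(self.sat(args[0]), self.sat(args[1]), self.pre_exists)
        if op == 'AU':
            return self._until(self.sat(args[0]), self.sat(args[1]), self.pre_forall)
        if op == 'EF':                    # EF f == E[true U f]
            return self._until(set(self.states), self.sat(args[0]), self.pre_exists)
        if op == 'AF':                    # AF f == A[true U f]
            return self._until(set(self.states), self.sat(args[0]), self.pre_forall)
        if op == 'EG':                    # EG f == not AF not f
            return self.states - self.sat(('AF', ('not', args[0])))
        if op == 'AG':                    # AG f == not EF not f
            return self.states - self.sat(('EF', ('not', args[0])))
        raise ValueError(f"unknown connective {op!r}")

    def holds(self, state: str, f: Tuple) -> bool:
        """M, state |= f"""
        return state in self.sat(f)


def p(atom: str) -> Tuple:
    return ('p', atom)

# Constructed sample input: the two mutual-exclusion models of the slides.
# Transitions are assumed (the slides show only state labels); s9 is the
# second t1t2 state of the second attempt.
MUTEX_LABELS = {
    's0': {'n1', 'n2'}, 's1': {'t1', 'n2'}, 's2': {'c1', 'n2'},
    's3': {'t1', 't2'}, 's4': {'c1', 't2'}, 's5': {'n1', 't2'},
    's6': {'n1', 'c2'}, 's7': {'t1', 'c2'}, 's9': {'t1', 't2'}}
FIRST_ATTEMPT = {'s0': {'s1', 's5'}, 's1': {'s2', 's3'}, 's2': {'s0', 's4'},
                 's3': {'s4', 's7'}, 's4': {'s5'}, 's5': {'s3', 's6'},
                 's6': {'s0', 's7'}, 's7': {'s1'}}
# Second attempt: t1t2 is split, s3 when process 1 enters next, s9 when process 2 does.
SECOND_ATTEMPT = {**FIRST_ATTEMPT, 's3': {'s4'}, 's5': {'s9', 's6'}, 's9': {'s7'}}

PROPERTIES: Dict[str, Tuple] = {
    'safety': ('AG', ('not', ('and', p('c1'), p('c2')))),
    'liveness': ('AG', ('implies', p('t1'), ('AF', p('c1')))),
    'non_blocking': ('AG', ('implies', p('n1'), ('EX', p('t1')))),
    'no_strict_sequencing': ('EF', ('and', p('c1'), ('EU', p('c1'),
        ('and', ('not', p('c1')), ('EU', ('not', p('c2')), p('c1')))))),
}

def check_all(transitions: Dict[str, Set[str]], start: str = 's0') -> Dict[str, bool]:
    """Which of the four properties hold in the initial state of the model."""
    m = Model(transitions, {s: MUTEX_LABELS[s] for s in transitions})
    return {name: m.holds(start, f) for name, f in PROPERTIES.items()}
```

Calling check_all(FIRST_ATTEMPT) reports safety, non-blocking and no-strict-sequencing as true and liveness as false: from t1t2 the path t1t2 → t1c2 → t1n2 → t1t2 → … never lets process 1 into its critical section, so AF c1 is labelled only on the two c1 states. check_all(SECOND_ATTEMPT) reports all four as true, because splitting t1t2 removes that path. The constructor rejects a model containing a state without successors, which is why the 'Deadlock treatment' slides add the Sd state before checking.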
Model checking

3.13 Semantics of LTL along a path. Let π = s1 → s2 → s3 → … be a path and write π^i for its suffix s_i → s_{i+1} → …; then:
1. π ⊨ ⊤
2. π ⊨ p iff p ∈ L(s1)
3. π ⊨ ¬Φ iff π ⊭ Φ
4. π ⊨ Φ1 ∧ Φ2 iff π ⊨ Φ1 and π ⊨ Φ2
5. π ⊨ X Φ iff π^2 ⊨ Φ
6. π ⊨ G Φ iff, for all i ≥ 1, π^i ⊨ Φ
7. π ⊨ F Φ iff, for some i ≥ 1, π^i ⊨ Φ
8. π ⊨ Φ U ψ iff there is some i ≥ 1 such that π^i ⊨ ψ and, for all j = 1, …, i−1, we have π^j ⊨ Φ
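The path semantics above, evaluated mechanically, as an added example (not code from the slides): a path of a finite model that a model checker reports is eventually periodic, so it is given as a lasso (a finite prefix followed by a loop), and the suffixes π^i then take only finitely many values, which makes each clause decidable by direct recursion. The sample path is the one through the first mutual-exclusion attempt on which process 1 keeps trying while process 2 enters its critical section again and again; its state names and transitions are assumptions, since the slides show only the state labels.

```python
"""LTL semantics over a lasso-shaped infinite path pi = s1 -> s2 -> s3 -> ...
Formulas: ('true',) ('p', atom) ('not', f) ('and', f, g) ('or', f, g)
          ('X', f) ('G', f) ('F', f) ('U', f, g)"""
from typing import Dict, List, Set, Tuple


class LassoPath:
    def __init__(self, prefix: List[str], loop: List[str], labels: Dict[str, Set[str]]):
        if not loop:
            raise ValueError("loop must be non-empty: a path is infinite")
        self.seq = list(prefix) + list(loop)   # s_1 .. s_n (positions are 1-based)
        self.k = len(prefix)                   # the loop starts at position k+1
        self.n = len(self.seq)
        self.labels = labels

    def state(self, i: int) -> str:
        """s_i for 1 <= i <= n."""
        return self.seq[i - 1]

    def next(self, i: int) -> int:
        """Position of the successor of s_i: s_n is followed by s_{k+1}."""
        return i + 1 if i < self.n else self.k + 1

    def reach(self, i: int) -> Set[int]:
        """Positions visited by the suffix pi^i: the rest of the sequence plus the whole loop."""
        return set(range(i, self.n + 1)) | set(range(self.k + 1, self.n + 1))

    def holds(self, f: Tuple, i: int = 1) -> bool:
        """pi^i |= f, clause by clause as on the slide."""
        op = f[0]
        if op == 'true':
            return True
        if op == 'p':                                   # p in L(s_i)
            return f[1] in self.labels[self.state(i)]
        if op == 'not':
            return not self.holds(f[1], i)
        if op == 'and':
            return self.holds(f[1], i) and self.holds(f[2], i)
        if op == 'or':
            return self.holds(f[1], i) or self.holds(f[2], i)
        if op == 'X':                                   # pi^{i+1} |= f
            return self.holds(f[1], self.next(i))
        if op == 'G':                                   # for all j >= i
            return all(self.holds(f[1], j) for j in self.reach(i))
        if op == 'F':                                   # for some j >= i
            return any(self.holds(f[1], j) for j in self.reach(i))
        if op == 'U':
            # Walk the path from s_i: g must hold at some position and f at every
            # position strictly before it.  After n steps every reachable position
            # has been visited, so g never holds.
            pos = i
            for _ in range(self.n):
                if self.holds(f[2], pos):
                    return True
                if not self.holds(f[1], pos):
                    return False
                pos = self.next(pos)
            return False
        raise ValueError(f"unknown connective {op!r}")


# Constructed sample: the starvation path of the first mutual-exclusion attempt,
# s0 (n1n2) followed forever by s1 (t1n2) -> s3 (t1t2) -> s7 (t1c2).  State names
# and transitions are assumed; the slides only show the labels.
MUTEX_LABELS = {'s0': {'n1', 'n2'}, 's1': {'t1', 'n2'},
                's3': {'t1', 't2'}, 's7': {'t1', 'c2'}}
STARVATION_PATH = LassoPath(prefix=['s0'], loop=['s1', 's3', 's7'], labels=MUTEX_LABELS)


def p(atom: str) -> Tuple:
    return ('p', atom)


def starvation_report() -> Dict[str, bool]:
    """Evaluate a few LTL properties on STARVATION_PATH (position 1)."""
    path = STARVATION_PATH
    return {
        'G(t1 -> F c1)': path.holds(('G', ('or', ('not', p('t1')), ('F', p('c1'))))),
        'G not(c1 and c2)': path.holds(('G', ('not', ('and', p('c1'), p('c2'))))),
        'F G t1': path.holds(('F', ('G', p('t1')))),
        'G F c2': path.holds(('G', ('F', p('c2')))),
        '(not c1) U t1': path.holds(('U', ('not', p('c1')), p('t1'))),
        'n1 U c2': path.holds(('U', p('n1'), p('c2'))),
    }
```

On this path G(t1 → F c1) is false, since from position 2 onwards t1 holds but c1 never does, while G ¬(c1 ∧ c2), F G t1 and G F c2 are true. The two U cases show clause 8: (¬c1) U t1 holds because t1 is reached at position 2 with ¬c1 at position 1, whereas n1 U c2 fails because n1 is lost at position 2 before c2 appears at position 4.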