2. Model System Change with Time
• System change with time is modeled as a state diagram
[Figure: state diagram with four states labeled S0 {a,b}, S1 {c}, S2 {d}, S3 {c,d}]
3. Atomic Propositions
• Each state has a set of atomic propositions that hold in that state
• Ex: a and b hold in state S0
4. Path Formula
• A path is an infinite sequence of states
• Ex: P = S0, S1, S1, S1, S2, S3, S3, S3, …
• Properties of a path are expressed by path formulas
• Path formulas are temporal operators combined with state formulas
• Xc: the next state of the path satisfies c
• Gd: all states in the path satisfy d
• Fd: a state where d holds will eventually be reached in the path
• cUd: c holds until a state where d holds is reached,
and the state where d holds will eventually be reached
• cRd:
5. Use Path Formula in State Formula
• On a single path, path formulas can be used as state formulas
• A state satisfies the formula if the sub-path starting at that state satisfies the formula
• FGa means a state satisfying Ga will eventually be reached
• Ga can be used as a state formula on the path
• A state satisfies Ga if all following states on the path satisfy a
• If a state can lead to multiple paths, then a quantifier (E, A) is needed
• Exists and All
• Linear Temporal Logic (LTL)
• When a path formula is used on states, the A quantifier is implicitly applied
• Sub-formulas are applied to the path, so they can be used as state formulas without a quantifier
• Computation Tree Logic (CTL)
• A quantifier is always needed when a path formula is used on states
6. Difference between LTL and CTL
• FGc is an LTL formula inexpressible in CTL
• It is different from the CTL formula AFAGc
• S0 in the graph satisfies FGc but not AFAGc
• All infinite paths starting from S0 will eventually loop in S1 or S3
• However, S1 does not satisfy AGc
• since it may go to S2, which does not satisfy c
• Therefore the path S0, S1, S1, S1, … does not satisfy FAGc,
so S0 does not satisfy AFAGc
• There are also formulas in CTL inexpressible in LTL
• CTL*
• A quantifier can be used but is not always needed
7. Explicit State CTL Model Checking
• Problem: given a state formula, find all states that satisfy the formula
• Solution: recursively find the states that satisfy the sub-formulas first, then find the states
that satisfy the formula
• EXa: find all states with some next state that satisfies a
• AFa:
• States that satisfy a also satisfy AFa; mark them
• States all of whose next states are marked also satisfy AFa; mark them
• Repeat until no more states can be marked
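The marking procedure above, written out as an added example (not code from the slides) over the four-state graph; the transitions are an assumption chosen to match the path on slide 4, since the diagram on the page does not list them, and AG is derived from EF by duality.

```python
# Added example: explicit-state CTL labeling for EX, AF, EF and AG over the slides' 4-state model.
# Transitions are constructed (S0->S1, S1->S1, S1->S2, S2->S3, S3->S3); the slide diagram
# only shows the state labels.
STATES = ["S0", "S1", "S2", "S3"]
LABELS = {"S0": {"a", "b"}, "S1": {"c"}, "S2": {"d"}, "S3": {"c", "d"}}
SUCC = {"S0": {"S1"}, "S1": {"S1", "S2"}, "S2": {"S3"}, "S3": {"S3"}}

def sat_atom(p):  # states whose label set contains the atomic proposition p
    return {s for s in STATES if p in LABELS[s]}

def sat_ex(q):  # EXq: states with some next state in q
    return {s for s in STATES if SUCC[s] & q}

def sat_af(q):  # AFq: mark q, then any state all of whose next states are marked, until stable
    marked = set(q)
    while True:
        new = {s for s in STATES if s not in marked and SUCC[s] <= marked}
        if not new:
            return marked
        marked |= new

def sat_ef(q):  # EFq: same scheme with "some next state marked" (least fixed point of q or EXq)
    marked = set(q)
    while True:
        new = {s for s in STATES if s not in marked and SUCC[s] & marked}
        if not new:
            return marked
        marked |= new

def sat_ag(q):  # AGq = not EF(not q), computed on the complement set
    return set(STATES) - sat_ef(set(STATES) - q)

def sat_af_ag(p):  # the CTL formula AFAGp from slide 6, built bottom-up from its sub-formulas
    return sat_af(sat_ag(sat_atom(p)))
```

Running sat_af_ag("c") shows that S0 is not labeled, which is the slide 6 claim that S0 fails AFAGc.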
8. Symbolic Model Checking with OBDD
• Explicitly traversing the states is time consuming
• Represent states symbolically!
• A state S is encoded by a fixed number of binary state variables S[0], …, S[k]
• State S0 has S[0] = S[1] = … = S[k] = 0
• State S1 has S[0] = 1 and all other state variables = 0
• …and so on. This is just one possible encoding
• An atomic proposition p is represented by a binary function of the state variables
• p(S[0], …, S[k]) = 1 means p holds in the state represented by the input state variables
• That is, the binary function represents the set of states that satisfy p
• The binary function is represented by Ordered Binary Decision Diagram (OBDD)
10. Goal of Symbolic Model Checking
• Given a state formula
• Transform the state formula into OBDD
• Inputs are the state variables
• Output is 0 or 1, indicating whether the state satisfies the state formula
11. Fix Point Computation
• Property of the state formula EFp
• EFp = p ∨ EXEFp, that is, the LHS and RHS represent the same set of states
• Consider the function f(q) = p ∨ EXq
• f(q) transforms a set of states q into another set of states
• Since EFp = f(EFp), we say EFp is a fix point of f
• Actually, EFp is the least fix point (LFP) of f
• To find EFp, we can find the LFP of f(q)
12. Fix Point Computation
• f(q) = p ∨ EXq is monotonically increasing
• q0 ⊆ q1 → f(q0) ⊆ f(q1)
• The LFP can be found by repeatedly applying f
• q1 = f(∅)
• q2 = f(q1)
• until some q_k = q_{k-1}
• Problem: how to do this in OBDD form?
• The initial ∅ is trivial: just an OBDD that always returns false
[Figure: iterates of f(q) converging to the LFP]
13. OBDD Operations
• Negation: just swap the leaf
[Figure: OBDD of f(a,b)=ab+!ac over variables a, b, c with leaves 0 1, beside the OBDD of !f(a,b)=!(ab+!ac), identical except that the leaves are swapped to 1 0]
14. OBDD Operations
• Conjunction: use Shannon’s expansion
• f(a,b,c)g(a,b,c) = !a(f(0,b,c)g(0,b,c))+a(f(1,b,c)g(1,b,c))
• Recursively divide f(0,b,c)g(0,b,c) and f(1,b,c)g(1,b,c)
[Figure: OBDDs of f(a,b,c)=ab+!ac and g(a,b,c)=bc+ab!c, and the Shannon expansion of f(a,b,c)g(a,b,c)=(ab+!ac)(bc+ab!c) on a: the a=0 branch is the OBDD for (c)(bc), the a=1 branch is the OBDD for (b)(bc+b!c)]
15. OBDD Operations
• Disjunction: use negation and conjunction
• f(q)+g(q) = !(!f(q)!g(q))
• Boolean quantification: g(b,c) = ∃a, f(a,b,c)
• g(b,c) returns true iff we can find an a that makes f(a,b,c) true
• g(b,c) = f(0,b,c) ∨ f(1,b,c)
• The OBDD of f(0,b,c) can be obtained from the OBDD of f(a,b,c) by deleting all nodes that are unreachable
when a=0
16. OBDD of EXq
• The state transition relation is also represented by a binary function (in OBDD form)
• T(s[0],…,s[k],s’[0],…,s’[k]) is true if state s can transition to s’
• EXq = ∃s’, (T(s, s’) ∧ q(s’))
= ∃s’[0],…, ∃s’[k], (T(s[0],…,s[k],s’[0],…,s’[k]) ∧ q(s’[0],…s’[k]))
• The OBDD of EXq can be constructed from the OBDDs of T and q
17. OBDD of LFP of f(q) = p ∨ EXq
• q1 = f(∅) = p ∨ EX⊥
• The OBDD of q1 can be constructed from the OBDD of p and the OBDD of ⊥ (just a false node)
• q2 = f(q1) = p ∨ EXq1
• The OBDD of q2 can be constructed from the OBDD of q1
• Repeat until the OBDD no longer changes
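Slides 13 to 17 carried out in code, as an added example that is not part of the slides: a minimal ROBDD with negation by leaf swapping, conjunction by Shannon expansion, disjunction by De Morgan, existential quantification, then EXq via the transition relation T(s, s’) and EFp as the LFP iteration from the false OBDD. The variable indices, the 2-bit state encoding and the transitions of the four-state model are assumptions stated in the comments.

```python
# Added example, not from the slides: a minimal ROBDD (terminals 0/1, interned (var, lo, hi) nodes
# ordered by var index) with the operations of slides 13-17, then symbolic EX and the EF fixed point
# over a constructed 4-state model.  Assumed variable indices: s[0]=0, s[1]=1 (current state), s'[0]=2, s'[1]=3.
from functools import reduce
_unique = {}
def mk(v, lo, hi):  # reduced node: skip a redundant test, share identical subgraphs
    return lo if lo == hi else _unique.setdefault((v, lo, hi), (v, lo, hi))
def neg(f):  # negation: just swap the 0/1 leaves
    return 1 - f if f in (0, 1) else mk(f[0], neg(f[1]), neg(f[2]))
def cofactor(f, v, b):  # f with variable v fixed to b: nodes unreachable under v=b are dropped
    if f in (0, 1) or f[0] > v:
        return f
    return (f[2] if b else f[1]) if f[0] == v else mk(f[0], cofactor(f[1], v, b), cofactor(f[2], v, b))
def conj(f, g):  # conjunction by Shannon expansion on the top variable of f and g
    if 0 in (f, g) or 1 in (f, g):
        return 0 if 0 in (f, g) else (g if f == 1 else f)
    v = min(f[0], g[0])
    return mk(v, conj(cofactor(f, v, 0), cofactor(g, v, 0)), conj(cofactor(f, v, 1), cofactor(g, v, 1)))
def disj(f, g):  # disjunction from negation and conjunction: f+g = !(!f !g)
    return neg(conj(neg(f), neg(g)))
def exists(f, v):  # boolean quantification: f(v=0) or f(v=1)
    return disj(cofactor(f, v, 0), cofactor(f, v, 1))
def rename(f, m):  # rebuild f with variable indices substituted, used to turn q(s) into q(s')
    if f in (0, 1):
        return f
    x = mk(m.get(f[0], f[0]), 0, 1)
    return disj(conj(neg(x), rename(f[1], m)), conj(x, rename(f[2], m)))

def cube(s, base=0):  # minterm of state index s, encoded as S[0]=s&1, S[1]=s>>1 at vars base, base+1
    lit = lambda i, b: mk(base + i, 0, 1) if b else neg(mk(base + i, 0, 1))
    return conj(lit(0, s & 1), lit(1, s >> 1))
def state_set(states, base=0):  # characteristic OBDD of a set of state indices
    return reduce(disj, [cube(s, base) for s in states], 0)
# Constructed model: S0 {a,b}, S1 {c}, S2 {d}, S3 {c,d}; transitions S0->S1, S1->S1, S1->S2, S2->S3, S3->S3
LABELS = {"a": state_set({0}), "b": state_set({0}), "c": state_set({1, 3}), "d": state_set({2, 3})}
T = reduce(disj, [conj(cube(s, 0), cube(t, 2)) for s, t in [(0, 1), (1, 1), (1, 2), (2, 3), (3, 3)]], 0)

def EX(q):  # EXq = exists s'. T(s, s') and q(s')
    return exists(exists(conj(T, rename(q, {0: 2, 1: 3})), 2), 3)

def EF(p):  # least fixed point of f(q) = p or EXq, iterated from the always-false OBDD
    q = 0
    while (nq := disj(p, EX(q))) != q:
        q = nq
    return q

def states_of(f):  # decode an OBDD over s[0], s[1] back to the set of state indices it contains
    holds = lambda g, s: g == 1 if g in (0, 1) else holds(g[2] if (s >> g[0]) & 1 else g[1], s)
    return {s for s in range(4) if holds(f, s)}
```

Because every operation keeps the diagram reduced and ordered, the `!=` test in EF compares canonical forms, which is exactly the "until the OBDD no longer changes" check on slide 17.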