Model Checking Basics

Somesh Jha Computer Science Department University of Wisconsin Madison, WI 53703

1 Introduction
In software engineering several formalism are in some form or another compositions of state machines. For example, Statecharts are simply state machines. There is value in simply writing these formal specications down because it forces the designer to think carefully. However, in highly distributed designs subtle errors (such as deadlocks or race conditions) are very hard to catch simply by inspection. The difculty stems from the fact that the global state space of the entire system can be very large and exhibit very complex behaviors. Therefore, there is a need for automatic analysis of specications expressed as composition of state machines. Model checking is a technique for automatically analyzing whether a model of a distributed system has a desired property, e.g., absence of deadlocks. Model checking takes as its input a formal model of the system and a property expressed in temporal logic. Temporal logics are logics that have a notion of time. Using sophisticated state space exploration techniques a model checker veries that the model satises the desired property. If the property turns out to be false in the model, most model checkers output a counter-example or a trace of states in the model that shows why the property does not hold. Figure 1 gives a schematic description of a model-checker. Next we describe the two inputs to the model checker. The discussion is kept at an abstract level. We will discuss specic details when we describe the model checker NuSMV.

2 Describing the model

A model M has two components V and R described below: Variables V is the set of state variables in the model. If the model has n state variables, we will denote them by v1 , , vn . Each state variable vi has an associated domain Di . Notice that the entire state space of the system is simply the Cartesian product of the domains D1 , , Dn (denoted by n i=1 Di ). A state is simply an assignment to the variables in the set V from their domain. For example, consider a model that has two variables x and y with domains {a, b, c} and {0, 1} respectively. Then (x = b, y = 1) is a state of the model. The set of all states is called the state space of the model and will be denoted by S . 1

Model checker Model of the system State space exploration Property usually expressed in temporal logic

YES

NO counter-example

Figure 1: Schematic description of model checking Transition relation R is the transition relation. Formally, R is the relation from S to S (denoted as R : S S ). If (s, s ) R, this means that from state s it is possible or valid to transition to state s . The transition relation R encapsulates all possible/valid transitions in the model. Usually, a set of initial states I S is also specied. The model M can start in any of the initial states I . Therefore, we will write a model M as (V, R, I ) emphasizing the fact that it has three components, i.e., the set of variables, transition relation, and a set of initial states. The specic language used to describe the model is not very important to describe the concepts. We will describe a specic modeling language later. States of a model M were dened before. A path is a nite or innite sequence of states (s0 , s1 , , si , ) such that (si , si+1 ) is a valid transition in the model. In other words a path describes a sequence of states were each step corresponds to a valid transition in the model. Usually we will denote a path using the Greek symbol . Given a path = (s0 , s1 , , si , ), i denotes the sufx of starting at the i-th state, or given by the following sequence: (si , si+1 , , ) Figure 2 shows a small model (can you guess what the model does?). A path through the model is shown below: ((x = 0, y = 1), (x = 0, y = 0), (x = 0, y = 1), (x = 1, y = 1), (x = 0, y = 0)) Path 2 starts at the second state (remember we start counting from zero) and is shown below: ((x = 0, y = 1), (x = 1, y = 1), (x = 0, y = 0))

3 Temporal logic
In temporal logic one can talk about time in addition to atomic properties. As we will see later, it is important to have the notion of time to express properties about reactive systems. We will describe a powerful temporal logic called the Computation Tree Logic or CTL for short. 2

x=0 y=-1

x=0 y=0

x=1 y=1

x=0 y=1

x=1 y=0

Figure 2: A small example First, we describe atomic properties for describing local properties about states. Throughout this section consider a model M = (V, I, R), where there are n state variables V = {v1 , , vn }. Let Di be the domain associated with variable vi . A basic atomic property has the following form: vi = x, vi S , vi < x, and vi > x where x is another variable from the set V or a constant from the domain Di of the variable vi and S is a subset of the domain Di associated with x. A basic atomic property is an atomic property. More complicated atomic properties can be constructed from other atomic properties using conjunction (denoted by ), disjunction (denoted by ), and negation (denoted by ). An example of an atomic property is given below: p = (x = y ) (z > 3) (1)

Recall that a state s is simply an assignment to all the variables v1 , , vn . Suppose there is a program with three variables x, y , and z . Consider the following two states: s1 = (x = 3, y = 3, z = 2) s2 = (x = 3, y = 2, z = 2) Consider the atomic property p shown in equation 1. The atomic property p shown in equation 1 is true in state s1 and false in state s2 (why?). We denote this fact by s1 |= p (or s1 satises p) and s2 |= p (or s2 does not satisfy p). Hence given an atomic property p and a state s one can decide whether or not s satises p. CTL has two types of formulas state formulas (to express properties about states) and path formulas (to express properties about paths). Let AP be the set of atomic properties. Grammars 3

SF SF SF

AP {SF | SF SF | SF SF } {A(P F ) | E(P F )} Figure 3: Grammar for generating state formulas

PF PF PF

SF {P F | P F P F | P F P F } {X P F | F P F | G P F | P F U P F | P F R P F } Figure 4: Grammar for generating path formulas

for generating state and path formulas in CTL are shown in Figure 3 and 4 respectively. SF and P F are non-terminals that derive state and path formulas respectively. Recall that AP is the set of atomic formulas. Exercise 1 Consider the formula f given below: f = A((x = 2) U (E(y > 3))) Is f a path or state formula? Use the grammars shown in Figures 3 and 3 to derive f . We have given the syntax of CTL . Next we turn to the semantic of CTL , i.e., given a model M = (V, R, I ) and a CTL formula f , how does one one determine whether M satises f (denoted by M |= f )? First we dene the satisfaction relation for states and paths and then for models. In general, for the statements given below M, s |= f means that a state s in the model M satises the state formula f and M, |= f means that the path satises a path formula f . Remember that a state formula is interpreted over states and a path formula is interpreted over paths. M, s |= p M, s |= f1 M, s |= f1 f2 M, s |= f1 f2 M, s |= E(f1 ) M, s |= A(f1 ) M, |= f1 M, |= g1 M, |= g1 g2 M, |= g1 g2 M, |= X g1 M, |= F g1 M, |= g1 U g2 s |= p M, s |= f1 M, s |= f1 and M, s |= f2 M, s |= f1 or M, s |= f2 there is a path from s such that M, |= g1 for every path from s M, |= g1 holds s is the rst state of and M, s |= f1 M, |= g1 M, |= g1 and M, |= g2 M, |= g1 or M, |= g2 M, 1 |= g1 there exists a k 0 such that M, k |= g1 there exists a k 0 such that M, k |= g2 and for all 0 j < k, M, j |= g1 4

M, |= g1 R g2 for all j 0, if for every i < j, M, i |= g1 then M, j |= g2

Notice that the semantics given above is with respect to a specic state and a path in the model. A model M = (V, R, I ) is said to satisfy a state formula f if for all initial states s I , M, s |= f , or in other words all initial states of the model satisfy the formula f . Next we try to explain the semantics of CTL in an intuitive manner. Here is an explanation of the various operators that can appear in a path formula. X (next time) requires that a property hold in the second state of the path. F (eventually or in the future) operators is used to assert that a property will hold at some state on the path. G (always or globally) species that a property holds at every state on the path. U (until) operator is a bit more complicated since it is used to combine two properties. It holds if there is a state on the path where the second property holds, and at every preceding state on the path, the rst property holds. R (releases) also combines two properties, and is the logical dual of the U operator. It requires that the second property holds along the path up to an including the rst state where the rst property holds. In other words, once the rst property becomes true, the second property is released of its commitment, i.e., does not have to be true anymore. Make sure that you understand the explanations given above. Try to relate the explanations given above to formal semantics provided earlier. Now we will give a procedure to translate a CTL formula into a natural language form. This will aid you in understanding the formulas. Let T R(f ) denote the translation of formula f into english (well sort of english). Here is the recursive denition of f : T R (p ) (state satises T R(p)) f1 (state does not satisfy T R(f1 )) f1 f2 (state satises T R(f1 ) and T R(f2 )) f1 f2 (state satises T R(f1 ) or T R(f2 )) A (f ) (all paths starting from the state satisfy T R(f ))

 E(f ) (there exists a path starting from the state satisfying T R(f )) f1 (path satises T R(f1 )) g1 (path does not satisfy T R(g1 )) g1 g2 (path satises T R(g1 ) or T R(g2)) g1 g2 (path satises T R(g1 ) and T R(g2 )) X g1 (in the next time on a path T R(g1 ) holds) F g1 (eventually on the path T R(g1 ) holds) G g1 (globally on the path T R(g1 ) holds) g1 U g2 (T R(g2 ) eventually holds on the path and until that time T R(g1 ) holds) g1 R g2 (T R(g2 ) holds along the path up to and including the rst state where T R(g1 ) holds) Consider the following formula: AG(Req AF Ack ) Translating the formula using the recipe given above we get following natural language phrase: (all paths starting from the state satisfy (globally on the path (if Req is true then (all paths starting from the state satisfy (eventually on the path Ack holds) ) ) holds ) ) The english phrase given above can be paraphrased as (check this!) Always if a request occurs, then it is always eventually acknowledged. 6

PF

{X SF | F SF | G SF | SF U SF | SF R SF } Figure 5: Grammar for generating path formulas for CTL

PF PF PF

AP {P F | P F P F | P F P F } {X P F | F P F | G P F | P F U P F | P F R P F } Figure 6: Grammar for generating path formulas for LTL

3.1 CTL and LTL

CTL and LTL are important fragments of the powerful logic CTL . Both CTL and LTL are less powerful than CTL . CTL is a restricted subset of CTL where each of the temporal operators X,F,G,U, and R have to be immediately preceded by a path quantier A or E. The grammar describing the state formula for the logic CTL is the same as given in Figure 3. The grammar for describing path formulas in the case of CTL is shown in Figure 5. Linear temporal logic (or LTL) for short) where the state formulas are of the form Af , where f is a path formula. In other words, the only production describing the state formula in the case of LTL is: SF A P F The grammar describing path formula for LTL is shown in Figure 6. Check that A(FGp) is not a CTL formula but a LTL formula. It can be shown that there does not exist a CTL formula that is equivalent to the LTL formula A(FGp). Similarly, there is not LTL formula that is equivalent to the CTL formula AG(EFp). The disjunction of these two formulas A(FGp) AG(EFp) is a CTL formula that is not expressible in either CTL or LTL. In other words, CTL and LTL are strict subsets of CTL , and CTL and LTL are incomparable.

3.2 Typical specications

Some typical specications that might arise during the verication process are described next. Make sure that the explanations provided with each specication are compatible with the semantics given earlier. EF(Started Ready ): It is possible to get to a state where Started holds but Ready does not hold. AG(Req AFAck ): If a request occurs, then it will be eventually acknowledged. AG(AFDeviceEnable ): The proposition DeviceEnabled holds innitely often on every computation path. AG(EFRestart ): From any state it is possible to get to the Restart state. 7

3.3 Relationships between formulas

Most of the formulas we will encounter will be written in CTL. There are ten basic operators in CTL. AX and EX. AF and EF. AG and EG. AU and EU. AR and ER. Each of the ten operators can be expressed in terms of the three operators EX, EG, EU. So there are only three basic operators and the rest is just syntactic sugar. AX f = EX(f ) EF f = E[true U f ] AG f = EF(f ) AF f = EG(f ) A[f U g ] = E[g U f g ] EGg A[f Rg ] = E[f U g ] E[f Rg ] = A[f U g ] Let us reason about the third equation. We will refer to the equations given above as the duality equations. Suppose AG f is true in a state s of the model. This means that on every path starting from the state s the formula f holds globally. In other words, f is never true on any path starting from the state s, or EFf is not true in state s. You should reason about the other equations in a similar manner and convince yourself that they are true.