
Testing and verification

Chittaranjan Mandal

Dept of Computer Sc & Engg


IIT Kharagpur

Chittaranjan Mandal (IIT Kharagpur) Testing and verification December 27, 2016 1 / 154
Contents

1 Microwave controller
2 Temporal logic
3 Verification of microwave controller
4 CTL model checking
5 LTL model checking
6 BDDs
7 CTL Symbolic Model Checking

Microwave controller

Section outline

1 Microwave controller
  Specification
  Formal specifications
  Diagram of Moore FSM of controller

Specification

We consider a simplified microwave oven that has a door, a motor to operate the turntable (on which some food may be placed for warming), a rotary timer and a microwave generating unit; it works as follows:

The door should be closed for the motor to rotate the turntable and for the wave generating unit to operate.
The motor turns ON to rotate the turntable, and the wave generating unit stays ON, only if the rotary timer is counting down.
The wave generating unit should not be ON continuously for more than T seconds.
After operating for T seconds, the wave generating unit should be rested (turned OFF) for T seconds.
An internal count-down timer is used to keep track of the time the microwave generating unit stays on.
Opening the door will stop both the motor and the wave generating unit.

Formal specifications

Inputs
$D \in \{0, 1\}$: door is open (0) or closed (1)
$T \in \{0, 1\}$: rotary timer is stopped (0) or counting (1)
Internal states
$C \in \{0, 1\}$: internal timer value is zero (0) or non-zero (1)
$S \in \{0, 1\}$: mark (0) or space (1) state, flips synchronously on $F$
Outputs
$M \in \{0, 1\}$: stop (0) or start (1) the turntable motor
$W \in \{0, 1\}$: stop (0) or start (1) the wave generator unit
$F \in \{0, 1\}$: flip (1) the state from mark to space and vice versa, or do not flip (0)
$E \in \{0, 1\}$: enable (1) the internal counter to count, or disable (0)
$R \in \{0, 1\}$: reset (1) the internal counter, or operate normally (0)

Diagram of Moore FSM of controller

[Figure: Moore FSM of the controller. Each state (1 to 5, plus an intermediate state after 4) is annotated with its output vector WMFRE; transitions are labelled with conditions over the inputs D and T and the internal states C and S.]

Temporal logic

Section outline

2 Temporal logic
  Kripke Structure
  Computation tree logics
  Temporal operators
  Semantics of satisfying a formula along a path
  LTL formulae
  CTL formulae
  Illustration of CTL operators
  Semantics of CTL
  Adequate CTL operators
  More CTL operators
  More relationships between CTL operators
  Examples of CTL formulae
  Comparison of LTL and CTL
  Safety and liveness

Kripke Structure

Definition
A Kripke Structure $M$ is a 5-tuple $\langle S, I, AP, \to, L \rangle$ where:
$S$ is a set of states.
$I$ is the set of initial states: $I \subseteq S$
$AP$ is a set of atomic propositions.
$\to$ is a total transition relation: $\to \subseteq S \times S$ (i.e. $\forall s \in S,\ \exists s' \mid s \to s'$).
$L$ is a state labelling: $L : S \to 2^{AP}$

FSM and its Kripke structure by absorption of inputs
[Figure: a three-state counter FSM with states S0, S1, S2 (cnt = 0, 1, 2) and input rst, and the Kripke structure obtained by absorbing the input into the state: states S00, S10, S20 (rst = 0) and S01, S11, S21 (rst = 1), each labelled with its cnt and rst values.]

Computation tree

[Figure: a Kripke model (derived from a state transition graph) whose states are labelled with subsets of {a, b, c}, and the infinite computation tree derived by unwinding the Kripke model from its initial state.]

A path in $M$ is an infinite sequence of states, $\pi = s_0, s_1, s_2, \ldots$ such that for $i \ge 0$, $s_i \to s_{i+1}$, and $s_0$ may be the initial state of $M$ or a designated initial state of the path
We write $\pi^i$ to denote the suffix of $\pi$ starting at $s_i$

Computation Tree Logics

Temporal logics may differ according to how they handle branching in the underlying computation tree.
In a Linear Temporal Logic (LTL), operators are provided for describing events along a single computation path.
In a branching-time logic the temporal operators quantify over the paths that are possible from a given state.
Computation Tree Logic (CTL) is a branching-time logic, meaning that its model of time is a tree-like structure
There are different paths in the future, any one or all of which might be the actual path that is realised

Temporal operators

X: The next time operator (X) is used to specify that some property holds in the second state of a path
F: The future time operator (F) is used to specify that some property eventually holds at some state in a path
G: The global operator (G) is used to specify that some property holds for all states of a particular path
U: The until operator (U) is a binary operator, and is used to specify that the first property holds in all states preceding the one where the second property is satisfied (the second property must eventually hold)
W: The weak until operator (W) is similar to the until operator, except that the second property need not hold eventually
R: The release operator (R) is also a binary operator, used to specify that the second property holds in all states along a path up to and including the first state where the first property holds; the first property need not hold eventually

Semantics of satisfying a formula along a path

Validity of a formula $p$ along a path $\pi$ (written as, respectively, $M, \pi \models p$ or $\pi \models p$):

$\pi \models p \iff_{df} p \in L(\pi_0)$ ($p \in AP$; $\pi_i$, $i \ge 0$, is the $i$th state in $\pi$)
$\pi \models \phi \land \psi \iff_{df} \pi \models \phi$ and $\pi \models \psi$
$\pi \models \lnot\phi \iff_{df} \pi \not\models \phi$
$\pi \models X\phi \iff_{df} \pi^1 \models \phi$
$\pi \models (\phi\, U\, \psi) \iff_{df} \exists j \in \mathbb{N}$ s.t. $\pi^j \models \psi$ and $\forall k < j : \pi^k \models \phi$
$\pi \models (\phi\, R\, \psi) \iff_{df} \forall j \ge 0 : (\forall i < j : \pi^i \not\models \phi) \to \pi^j \models \psi$
where $\pi^\ell = (\pi_\ell, \pi_{\ell+1}, \ldots)$ is the suffix of $\pi$ at $\ell$.
NB: $\pi \models F\psi$ iff $\pi \models \top\, U\, \psi$ iff there exists $j \in \mathbb{N}$ such that $\pi^j \models \psi$

Semantics of satisfying a formula along a path (contd.)

$\pi \models \phi\, U\, \psi$: $\phi$ holds until $\psi$ holds; $\psi$ holds eventually
  [Timeline: $\phi\ \phi\ \phi\ \cdots\ \psi$]
$\pi \models \phi\, W\, \psi$: $\phi$ holds unless $\psi$ holds ($\psi$ may not hold eventually)
  [Timeline: $\phi\ \phi\ \phi\ \cdots$, with $\psi$ possibly never occurring]
$\pi \models \phi\, R\, \psi$: $\phi$ releases $\psi$ ($\phi$ may not hold eventually)
  [Timeline: $\psi\ \psi\ \psi\ \cdots\ \phi \land \psi$]

LTL formulae

LTL expresses temporal properties along every computation trace

LTL syntax
$\phi ::= \bot \mid \top \mid p \mid \lnot\phi \mid \phi_1 \land \phi_2 \mid \phi_1 \lor \phi_2 \mid \phi_1 \to \phi_2 \mid X\phi \mid F\phi \mid G\phi \mid \phi_1\, U\, \phi_2$

A model $M$ (of a system) satisfies an LTL formula $\phi$ if each path through the model satisfies $\phi$
$M \models \phi$ denotes that the formula $\phi$ is satisfied in model $M$
$M \not\models \phi$ denotes that the formula $\phi$ is not satisfied in model $M$
Is it possible for $M \not\models \phi$ and $M \not\models \lnot\phi$ to be simultaneously true for some $M$ and some LTL formula $\phi$?

LTL formulae (contd.)

Example
Let $\phi = F(p \to Xq)$: in the future, if atomic proposition $p$ holds in a certain state, then atomic proposition $q$ holds in the next state
$M$ could have one path where $p$ is never followed by $q$ in the next state, so $M \not\models \phi$
Now $\lnot\phi = \lnot F(p \to Xq)$: never in the future is $p$ followed by $q$ in the next state
$M$ could have another path where $p$ is followed by $q$ in the next state, so $M \not\models \lnot\phi$
Thus, it is possible for $M \not\models \phi$ and $M \not\models \lnot\phi$ to be simultaneously true for some $M$ and some LTL formula $\phi$

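The suffix semantics $\pi^i \models \phi$ (including the U and R clauses) and the $F(p \to Xq)$ example, worked through as an added Python example that is not part of the lecture slides. It evaluates LTL formulae over ultimately periodic ("lasso") paths, a finite prefix followed by a loop repeated forever, which is the shape of path a model checker reports as a counterexample; because suffixes of such a path repeat, every quantifier over positions $j \ge i$ can be bounded. The nested-tuple formula encoding, the LassoPath class and the two constructed paths are this example's own assumptions, not the course's notation.

```python
from typing import FrozenSet, List, Sequence, Tuple

Label = FrozenSet[str]
Formula = Tuple  # ("p", name) | ("not", f) | ("and", f, g) | ("or", f, g)
                 # | ("implies", f, g) | ("X", f) | ("F", f) | ("G", f)
                 # | ("U", f, g) | ("W", f, g) | ("R", f, g)


def P(name: str) -> Formula:
    return ("p", name)


class LassoPath:
    """pi = prefix . loop^omega; label(i) is the set of atoms true at pi_i."""

    def __init__(self, prefix: List[Label], loop: List[Label]) -> None:
        if not loop:
            raise ValueError("loop must be non-empty: paths are infinite")
        self.prefix, self.loop = list(prefix), list(loop)

    def label(self, i: int) -> Label:
        n = len(self.prefix)
        return self.prefix[i] if i < n else self.loop[(i - n) % len(self.loop)]

    def bound(self, i: int) -> int:
        # Every suffix pi^j with j >= bound(i) equals pi^(j - len(loop)), so a
        # quantifier over j >= i only needs to range over i <= j < bound(i).
        return max(len(self.prefix) + len(self.loop), i + len(self.loop))


def holds(pi: LassoPath, i: int, f: Formula) -> bool:
    """Decide pi^i |= f by structural recursion, one clause per operator."""
    op = f[0]
    if op == "p":
        return f[1] in pi.label(i)
    if op == "not":
        return not holds(pi, i, f[1])
    if op == "and":
        return holds(pi, i, f[1]) and holds(pi, i, f[2])
    if op == "or":
        return holds(pi, i, f[1]) or holds(pi, i, f[2])
    if op == "implies":
        return (not holds(pi, i, f[1])) or holds(pi, i, f[2])
    if op == "X":
        return holds(pi, i + 1, f[1])
    if op == "F":   # exists j >= i with pi^j |= f1
        return any(holds(pi, j, f[1]) for j in range(i, pi.bound(i)))
    if op == "G":   # for all j >= i, pi^j |= f1
        return all(holds(pi, j, f[1]) for j in range(i, pi.bound(i)))
    if op == "U":   # exists j: pi^j |= f2 and pi^k |= f1 for all i <= k < j
        for j in range(i, pi.bound(i)):
            if holds(pi, j, f[2]):
                return True
            if not holds(pi, j, f[1]):
                return False
        return False
    if op == "W":   # f1 W f2 == (f1 U f2) or G f1
        return holds(pi, i, ("U", f[1], f[2])) or holds(pi, i, ("G", f[1]))
    if op == "R":   # f2 holds at every j up to and including the first j with f1
        for j in range(i, pi.bound(i)):
            if not holds(pi, j, f[2]):
                return False
            if holds(pi, j, f[1]):
                return True
        return True
    raise ValueError(f"unknown operator {op}")


def model_satisfies(paths: Sequence[LassoPath], f: Formula) -> bool:
    """M |= f iff every path of M satisfies f (here M is given by its paths)."""
    return all(holds(pi, 0, f) for pi in paths)


# The F(p -> X q) example: a model containing the two paths the slide describes.
PHI = ("F", ("implies", P("p"), ("X", P("q"))))
NEVER_Q = LassoPath([], [frozenset({"p"})])                     # p p p ...
P_THEN_Q = LassoPath([], [frozenset({"p"}), frozenset({"q"})])  # p q p q ...
MODEL_PATHS = [NEVER_Q, P_THEN_Q]


def lecture_example() -> Tuple[bool, bool]:
    """(M |= phi, M |= not phi): both are False, as the slide argues."""
    return (model_satisfies(MODEL_PATHS, PHI),
            model_satisfies(MODEL_PATHS, ("not", PHI)))
```

The R clause is written exactly as the definition reads: $\psi$ is checked at every position until the first position where $\phi$ holds, and that position must satisfy $\psi$ too, so on a path labelled $a, b, \ldots$ the formula $b\, R\, a$ fails at position 1 even though $b$ holds there.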
CTL formulae

A CTL formula is constructed using:
Atomic Propositions: properties that can be ascertained at any given state.
Boolean Connectives: common boolean operators such as AND ($\land$), OR ($\lor$), NOT ($\lnot$) etc.
Temporal Operators: express properties along paths in the computation tree

CTL syntax
$\phi ::= \bot \mid \top \mid p \mid \lnot\phi \mid \phi_1 \land \phi_2 \mid \phi_1 \lor \phi_2 \mid \phi_1 \to \phi_2 \mid AX\phi \mid EX\phi \mid AF\phi \mid EF\phi \mid AG\phi \mid EG\phi \mid A[\phi_1\, U\, \phi_2] \mid E[\phi_1\, U\, \phi_2]$

A subformula of a CTL formula $\phi$ is any formula whose parse tree is a subtree of the parse tree of $\phi$

CTL formulae (contd.)

A temporal operator has two parts
A path quantifier, quantifying over paths:
  A: along All paths starting from the current state, $\phi$ must hold
  E: there Exists a path starting from the current state where $\phi$ must hold
A temporal modality, describing the occurrence of events over time along the path(s):
  $X\phi$: $\phi$ must hold at the neXt state in the path(s)
  $G\phi$: $\phi$ must hold Globally at each state in the path(s)
  $F\phi$: $\phi$ must hold somewhere in the Future in the path(s)
  $\phi\, U\, \psi$: $\phi$ must hold until $\psi$ holds in the path(s)

Illustration of CTL operators

[Figure: four computation trees rooted at $s_0$ with the $p$-labelled nodes marked, illustrating $M, s_0 \models AG\, p$ ($p$ at every node of every path), $M, s_0 \models AF\, p$ ($p$ somewhere on every path), $M, s_0 \models EF\, p$ ($p$ somewhere on some path) and $M, s_0 \models EG\, p$ ($p$ at every node of some path).]

Semantics of CTL

Let $M = (S, \to, L)$ be a model. For a CTL formula $\phi$, the relation $M, s \models \phi$ is defined by structural induction on $\phi$:
1 $M, s \models \top$ and $M, s \not\models \bot$
2 $M, s \models p$ iff $p \in L(s)$
3 $M, s \models \lnot\phi$ iff $M, s \not\models \phi$
4 $M, s \models \phi_1 \land \phi_2$ iff $M, s \models \phi_1$ and $M, s \models \phi_2$
5 $M, s \models \phi_1 \lor \phi_2$ iff $M, s \models \phi_1$ or $M, s \models \phi_2$
6 $M, s \models \phi_1 \to \phi_2$ iff $M, s \not\models \phi_1$ or $M, s \models \phi_2$
7 $M, s \models AX\phi$ iff for all $s_1$ such that $s \to s_1$ we have $M, s_1 \models \phi$
8 $M, s \models EX\phi$ iff for some $s_1$ such that $s \to s_1$ we have $M, s_1 \models \phi$

Semantics of CTL (contd.)

9 $M, s \models AG\phi$ holds iff for all paths $s_1 \to s_2 \to s_3 \to \cdots$, where $s_1 = s$, and all $s_i$ along the path we have $M, s_i \models \phi$.
10 $M, s \models EG\phi$ holds iff there is a path $s_1 \to s_2 \to s_3 \to \cdots$, where $s_1 = s$, such that for all $s_i$ along the path we have $M, s_i \models \phi$.
11 $M, s \models AF\phi$ holds iff for all paths $s_1 \to s_2 \to s_3 \to \cdots$, where $s_1 = s$, there is some $s_i$ such that $M, s_i \models \phi$.
12 $M, s \models EF\phi$ holds iff there is a path $s_1 \to s_2 \to s_3 \to \cdots$, where $s_1 = s$, with some $s_i$ such that $M, s_i \models \phi$.
13 $M, s \models A[\phi_1\, U\, \phi_2]$ holds iff for all paths $s_1 \to s_2 \to s_3 \to \cdots$, where $s_1 = s$, that path satisfies $\phi_1\, U\, \phi_2$.
14 $M, s \models E[\phi_1\, U\, \phi_2]$ holds iff there is a path $s_1 \to s_2 \to s_3 \to \cdots$, where $s_1 = s$, such that that path satisfies $\phi_1\, U\, \phi_2$.

Adequate CTL operators

There are eight basic CTL operators:
AX and EX
AG and EG
AF and EF
AU and EU
A set of CTL operators is adequate if all CTL operators can be expressed using it
Each of these can be expressed in terms of EX, EG, EU:
$AX\phi \equiv \lnot EX(\lnot\phi)$
$AG\phi \equiv \lnot EF(\lnot\phi)$
$AF\phi \equiv \lnot EG(\lnot\phi)$
$EF\phi \equiv E[\top\, U\, \phi]$
$A[\phi\, U\, \psi] \equiv \lnot E[\lnot\psi\, U\, (\lnot\phi \land \lnot\psi)] \land \lnot EG\,\lnot\psi$

More CTL operators

AW, for $A[\phi\, W\, \psi]$: $\phi$ must hold unless $\psi$ holds, along all paths
EW, for $E[\phi\, W\, \psi]$: $\phi$ must hold unless $\psi$ holds, along some path
AR, for $A[\phi\, R\, \psi]$: $\psi$ must hold until and up to $\phi$ holds, along all paths
ER, for $E[\phi\, R\, \psi]$: $\psi$ must hold until and up to $\phi$ holds, along some path

$A[\phi\, W\, \psi] \equiv \lnot E[(\phi \land \lnot\psi)\, U\, (\lnot\phi \land \lnot\psi)] \equiv \lnot E[\lnot\psi\, U\, (\lnot\phi \land \lnot\psi)]$
$E[\phi\, W\, \psi] \equiv \lnot A[(\phi \land \lnot\psi)\, U\, (\lnot\phi \land \lnot\psi)] \equiv \lnot A[\lnot\psi\, U\, (\lnot\phi \land \lnot\psi)]$
$E[\phi\, U\, \psi] \equiv \lnot A[\lnot\psi\, W\, (\lnot\phi \land \lnot\psi)]$
$A[\phi\, R\, \psi] \equiv \lnot E[\lnot\phi\, U\, \lnot\psi]$
$E[\phi\, R\, \psi] \equiv \lnot A[\lnot\phi\, U\, \lnot\psi]$

More relationships between CTL operators

$AF\phi \equiv A[\top\, U\, \phi]$
$EF\phi \equiv E[\top\, U\, \phi]$
$A[\bot\, U\, \phi] \equiv E[\bot\, U\, \phi] \equiv \phi$
$AG\phi \equiv \phi \land AX\, AG\phi$
$EG\phi \equiv \phi \land EX\, EG\phi$
$AF\phi \equiv \phi \lor AX\, AF\phi$
$EF\phi \equiv \phi \lor EX\, EF\phi$
$A[\phi\, U\, \psi] \equiv \psi \lor (\phi \land AX\, A[\phi\, U\, \psi])$
$E[\phi\, U\, \psi] \equiv \psi \lor (\phi \land EX\, E[\phi\, U\, \psi])$

Examples of CTL formulae

$EF(\mathit{started} \land \lnot\mathit{ready})$: it is possible to get to a state where started holds but ready does not hold.
$AG(\mathit{req} \to AF\,\mathit{ack})$: if a request occurs, then it will always eventually be acknowledged.
$AG(AF\,\mathit{devEnabled})$: devEnabled holds infinitely often on every computation path.
$AG(EF\,\mathit{restart})$: from any state it is possible to get to the restart state.

Some practice examples

Express $AF(a \land AX\,b)$ using operators/connectives in $\{\lnot, \land, EX, EG, EU\}$
When a request occurs, it will eventually be acknowledged
A process is enabled infinitely often on every computation path
A process will eventually be deadlocked
It is always possible to get to a restart state
An elevator does not change direction when it has passengers wishing to go in the same direction
An elevator can remain idle on the third floor with its doors closed
Each path contains infinitely many $q$s
Explain $AG(p \to AF(s \land AX\, AF\, t))$
Explain $G((q \land \lnot r \land F\,r) \to ((p \to (\lnot r\, U\, (s \land \lnot r)))\, U\, r))$
Draw the parse tree for $E[A[p\, U\, q]\, U\, r]$
Draw the parse tree for $AG(p \to A[p\, U\, (\lnot p \land A[\lnot p\, U\, q])])$

Comparison of LTL and CTL

CTL formula $AG\, EF\, p$ (always can reach) is not expressible in LTL
Give an example of a Kripke structure which satisfies $AG\, EF\, p$ but does not satisfy $G\, F\, p$
You may assume that $p$ is the only atomic proposition for constructing the labelling function
LTL formula $F\, G\, p$ (eventually always) is not expressible in CTL

Example (Comparing $AF\, AG\, p$ and $FG\, p$ on a model)
[Figure: a model with states labelled $p$, $p$ and $\lnot p$, two of them named A and B: a $p$-state with a self-loop from which the $\lnot p$-state is reachable, and from there a $p$-state with a self-loop.]
$AF\, AG\, p$ does not hold but $FG\, p$ holds: every path eventually stays in $p$-states, yet along the path that never leaves the first $p$-state no state satisfies $AG\, p$, because the $\lnot p$-state remains reachable

How do $EF\, AG\, p$ and $EF\, EG\, p$ compare with $FG\, p$?
LTL and CTL coincide if the model has only one path!

Comparison of LTL and CTL (contd.)

Many useful formulas are expressible in both:
Invariance: $G\,p$ and $AG\,p$
Liveness (action $q$ must respond to action $p$): $G(p \to F\,q)$ and $AG(p \to AF\,q)$
Action $s$ precedes $p$ after $q$: $A[\lnot q\, U\, (q \land A[\lnot p\, U\, s])]$ and $\lnot q\, U\, (q \land (\lnot p\, U\, s))$

Safety and liveness

Safety: nothing bad ever happens
  $x$ is always less than 10
  The system never reaches a state where no moves are possible
  The system never reaches a state where two processes are in the critical section
A safety property gets falsified by a finite prefix of an execution trace
Liveness: something good keeps happening
  The grant signal must be asserted at some time after the request signal is asserted
  The system never reaches a state where no moves are possible
  Every request signal must receive an acknowledge, and the request should stay asserted until the acknowledge signal is received
Liveness can only be falsified by an infinite suffix of an execution trace; no finite prefix refutes it

Verification of microwave controller

Section outline

3 Verification of microwave controller
  Properties
  NuSMV model

Properties

The door should be closed for the motor to turn ON to rotate the turntable and for the wave generating unit to be ON; opening the door will stop both the motor and the wave generating unit.
CTL: $AG\,[EX(M \lor W) \to D]$
LTL: $G\,[X(M \lor W) \to D]$
The motor turns ON to rotate the turntable and the wave generating unit turns ON only if the rotary timer is counting down.
CTL: $AG\,[EX(M \lor W) \to T]$
LTL: $G\,[X(M \lor W) \to T]$
The internal counter is enabled after the door is closed and the rotary timer is ON, and disabled otherwise.
CTL: $AG\,[(\lnot D \lor \lnot T) \to AX\,\lnot E]$
LTL: $G\,[(\lnot D \lor \lnot T) \to X\,\lnot E]$
The internal countdown timer is disabled when its count reaches zero.
CTL: $AG\,[\lnot C \to AX\,\lnot E]$
LTL: $G\,[\lnot C \to X\,\lnot E]$

Counter module

MODULE Counter(En, R)
VAR
  timer : 0..10;
ASSIGN
  init(timer) := 10;
  next(timer) := case
    R : 10;                       -- reset has priority over counting
    En & timer > 0 : timer - 1;   -- count down while enabled
    TRUE : timer;                 -- otherwise hold the value
  esac;
DEFINE
  state := timer != 0;            -- non-zero count: the C input of the FSM

Mark space module

MODULE MarkSpace(Fp)
VAR
  MS : boolean;
ASSIGN
  -- flip between mark and space on Fp, hold otherwise; a latch that only
  -- ever sets MS would never return to mark, contradicting the specification
  next(MS) := case
    Fp : !MS;
    TRUE : MS;
  esac;

MWFSM module

MODULE MWFSM(D, TM, MS, C)
VAR
  State : {1, 2, 3, 4, 41, 5};
DEFINE
  W  := (State = 5);                                        -- wave generator on
  M  := (State = 3 | State = 4 | State = 41 | State = 5);   -- turntable motor on
  FP := (State = 4);                                        -- flip mark/space
  R  := (State = 4);                                        -- reset the counter
  En := (State = 3 | State = 5);                            -- counter enabled
ASSIGN
  init(State) := 1;
  next(State) :=
    case
      State = 1 & D : 2;
      State = 1 & !D : 1;

      State = 2 & D & !TM : 2;
      State = 2 & !D : 1;
      State = 2 & D & TM & MS : 3;     -- space: motor only, generator rests
      State = 2 & D & TM & !MS : 5;    -- mark: motor and wave generator on

      State = 3 & D & !TM : 2;
      State = 3 & !D : 1;
      State = 3 & D & TM & C : 3;
      State = 3 & D & TM & !C : 4;     -- counter reached zero

      State = 4 & !D : 1;
      State = 4 & D & !TM : 2;         -- not optional!
      State = 4 & D & TM : 41;

      State = 41 & D & !TM : 2;
      State = 41 & !D : 1;
      State = 41 & D & TM & MS : 3;
      State = 41 & D & TM & !MS : 5;

      State = 5 & D & !TM : 2;
      State = 5 & !D : 1;
      State = 5 & D & TM & C : 5;
      State = 5 & D & TM & !C : 4;     -- counter reached zero

      TRUE : State;
    esac;

Main module

MODULE main
VAR
  D : boolean;                           -- door closed
  TM : boolean;                          -- rotary timer counting
  mw : MWFSM(D, TM, ms.MS, ct.state);
  ms : MarkSpace(mw.FP);
  ct : Counter(mw.En, mw.R);
ASSIGN
  init(D) := FALSE;                      -- no next(): D and TM are free inputs
  init(TM) := FALSE;
LTLSPEC G(X(mw.W | mw.M) -> D);
LTLSPEC G(X(mw.W | mw.M) -> TM);
LTLSPEC G((!D | !TM) -> X !mw.En);
SPEC AG(EX(mw.W | mw.M) -> D);
SPEC AG(EX(mw.W | mw.M) -> TM);
SPEC AG((!D | !TM) -> AX !mw.En);

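The NuSMV model above, transcribed into Python as an added example (not part of the slides, and not output of NuSM V itself). It enumerates the reachable states of the synchronous composition with the inputs D and TM absorbed into the state, as the Kripke-structure slide describes, and checks the four properties from the Properties slide as one-step invariants, since each has the shape AG(condition on the current state → quantifier over its successors). Assumptions of this example: MS starts at FALSE (the MarkSpace module gives MS no init; the counterexample trace on the slide shows ms.MS = FALSE initially), MS flips on FP, and the names State, successors, explore, PROPERTIES, counterexample and check_properties are this example's own. The fourth property, which the main module on the page does not list as a SPEC, is reported as violated: nothing resets the counter when the rotary timer is switched off in state 3 or 5, so the model can sit in state 2 with timer = 0 and then re-enter state 3 or 5, where En is TRUE, on the next D & TM.

```python
from collections import deque
from itertools import product
from typing import Callable, Dict, NamedTuple, Optional, Set

TIMER_MAX = 10  # init(timer) := 10 in the Counter module


class State(NamedTuple):
    """One state of the synchronous composition, inputs absorbed."""
    fsm: int      # MWFSM.State in {1, 2, 3, 4, 41, 5}
    ms: bool      # MarkSpace.MS
    timer: int    # Counter.timer in 0..TIMER_MAX
    d: bool       # input D: door closed
    tm: bool      # input TM: rotary timer counting


def outputs(fsm: int) -> Dict[str, bool]:
    """The DEFINEd Moore outputs of MWFSM for a State value."""
    return {"W": fsm == 5, "M": fsm in (3, 4, 41, 5),
            "FP": fsm == 4, "R": fsm == 4, "En": fsm in (3, 5)}


def next_fsm(fsm: int, d: bool, tm: bool, ms: bool, c: bool) -> int:
    """next(State) of MWFSM; c is Counter.state, i.e. timer != 0."""
    if not d:                    # opening the door always returns to 1
        return 1
    if fsm == 1:
        return 2
    if not tm:                   # rotary timer off: back to the idle state 2
        return 2
    if fsm in (2, 41):
        return 3 if ms else 5    # space: rest (3); mark: generator on (5)
    if fsm == 3:
        return 3 if c else 4
    if fsm == 4:
        return 41
    if fsm == 5:
        return 5 if c else 4
    raise ValueError(f"unknown state {fsm}")


def successors(s: State) -> Set[State]:
    """All next states: modules step synchronously, D and TM are free."""
    out = outputs(s.fsm)
    fsm2 = next_fsm(s.fsm, s.d, s.tm, s.ms, s.timer != 0)
    if out["R"]:
        timer2 = TIMER_MAX
    elif out["En"] and s.timer > 0:
        timer2 = s.timer - 1
    else:
        timer2 = s.timer
    ms2 = (not s.ms) if out["FP"] else s.ms   # flip on FP (assumed), else hold
    return {State(fsm2, ms2, timer2, d2, tm2)
            for d2, tm2 in product((False, True), repeat=2)}


# init(State) := 1, init(timer) := 10, init(D) := init(TM) := FALSE; MS has
# no init in the NuSMV module, so FALSE is assumed here, as in the slide trace.
INITIAL = State(fsm=1, ms=False, timer=TIMER_MAX, d=False, tm=False)


def explore(init: State = INITIAL) -> Set[State]:
    """Breadth-first enumeration of the reachable product states."""
    seen, queue = {init}, deque([init])
    while queue:
        s = queue.popleft()
        for t in successors(s):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen


def running(t: State) -> bool:
    o = outputs(t.fsm)
    return o["M"] or o["W"]


def enabled(t: State) -> bool:
    return outputs(t.fsm)["En"]


# Each entry decides "s and its successor set satisfy the local condition";
# AG over the reachable states then gives the property from the slide.
PROPERTIES: Dict[str, Callable[[State, Set[State]], bool]] = {
    "AG(EX(M|W) -> D)": lambda s, succ: s.d or not any(map(running, succ)),
    "AG(EX(M|W) -> TM)": lambda s, succ: s.tm or not any(map(running, succ)),
    "AG((!D | !TM) -> AX !En)": lambda s, succ: (s.d and s.tm) or not any(map(enabled, succ)),
    "AG(!C -> AX !En)": lambda s, succ: s.timer != 0 or not any(map(enabled, succ)),
}


def counterexample(name: str, init: State = INITIAL) -> Optional[State]:
    """Smallest reachable state violating the named property, or None."""
    prop = PROPERTIES[name]
    for s in sorted(explore(init)):
        if not prop(s, successors(s)):
            return s
    return None


def check_properties(init: State = INITIAL) -> Dict[str, bool]:
    return {name: counterexample(name, init) is None for name in PROPERTIES}
```

Reading the witness for the last property as a path, as NuSMV would print it: run the generator in state 5 until the count is exhausted, switch the rotary timer off so the FSM falls back to state 2 with timer still 0, then close the door and start the timer again.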
Failed CTL property

-- specification AG ((D & TM) -> AF mw.En) is false
-- as demonstrated by the following execution sequence
Trace Description: CTL Counterexample
Trace Type: Counterexample
-> State: 1.1 <-
  D = FALSE
  TM = FALSE
  mw.State = 1
  ms.MS = FALSE
  ct.timer = 10
  mw.En = FALSE
  mw.R = FALSE
  mw.FP = FALSE
  mw.M = FALSE
  mw.W = FALSE
  ct.state = TRUE

Failed property handled through LTL

-- Loop starts here
-> State: 1.2 <-
  D = TRUE
  TM = TRUE
-> State: 1.3 <-
  D = FALSE
  TM = FALSE
  mw.State = 2
-> State: 1.4 <-
  D = TRUE
  TM = TRUE
  mw.State = 1

Note that the trace contains an unrealistic loop between states 1 and 2 (the door is opened and the timer stopped as soon as they are set)
A similar property in which looping between states 1 and 2 is precluded can be stated in LTL, but only by using knowledge of the implementation:
-- specification (!( F ( G (mw.State = 1 | mw.State = 2))) -> G ((D & TM) -> F mw.En)) is true

Handling failed CTL property through fairness

A failed attempt: handling fairness this way is problematic in CTL
Consider the following property and the positive verification result
-- specification (!( EF ( EG (mw.State = 1 | mw.State = 2))) -> AG ((D & TM) -> AF mw.En)) is true
The intention is to exclude paths with an infinite loop between states 1 and 2
But the antecedent !EF EG(mw.State = 1 | mw.State = 2) fails (shown next)
As a result, the property is vacuously satisfied
Any syntactically correct CTL formula in lieu of AG ((D & TM) -> AF mw.En) would be satisfied; check it out!
Thus, the property does not properly capture our desire to restrict verification to paths where !EF EG(mw.State = 1 | mw.State = 2) holds

Trace of failed antecedent

-- specification !(EF (EG (mw.State = 1 | mw.State = 2))) is false
-- as demonstrated by the following execution sequence
Trace Description: CTL Counterexample
Trace Type: Counterexample
-- Loop starts here
-> State: 2.1 <-
  D = FALSE
  TM = FALSE
  mw.State = 1
  ms.MS = FALSE
  ct.timer = 10
  mw.En = FALSE
  mw.R = FALSE
  mw.FP = FALSE
  mw.M = FALSE
  mw.W = FALSE
  ct.state = TRUE
-> State: 2.2 <-

A better attempt using fairness constraints

We don't want paths where there is an infinite loop between states 1 and 2
On the paths we do consider, other states should occur infinitely often
This requirement is captured through the following fairness constraint (placed in the MWFSM module, where State is in scope):
FAIRNESS !((State = 1) | (State = 2));
Now the required property is satisfied
-- specification AG ((D & TM) -> AF mw.En) is true
With the fairness constraint specified, NuSMV considers only those paths along which the fairness condition is satisfied infinitely often

CTL model checking

Section outline

4 CTL model checking
  CTL model checking
  Properties for Kripke structure of (0|1)*1+ FSM
  Base cases for labelling for CTL model checking
  Handling $\psi \equiv E[\psi_1\, U\, \psi_2]$
  Handling $\psi \equiv EG\,\psi_1$
  Handling $\psi \equiv AF\,\psi_1$
  Handling $\psi \equiv EG\,\psi_1$ more efficiently
  CTL model checking with fairness
  Handling $\psi \equiv E_C G\,\psi_1$ wrt $\{\psi_1, \ldots\}$
  Counterexample generation
  Counterexample generation for ACTL

Model-checkers and model checking

SMV, NuSMV, Cadence SMV
  CTL and LTL model-checkers
  Based on binary decision diagrams (BDDs) or SAT solvers
  Mostly for hardware and other finite-state models
Spin
  LTL model-checker
  Explicit state exploration
  Mostly for communication protocols
CBMC, SatAbs, CPAChecker, UFO
  Combine model checking and abstraction
  Work directly on the source code (mostly C)
  Control-dependent properties of programs
Pros and cons
  Largely automated after model and property specification
  Counterexamples on property refutation, with limitations
  Requirements must often be expressed indirectly via properties
  Problem reduction needed to contain state space explosion
  Data-intensive applications not well handled

CTL model checking

INPUT: A model $M = \langle S, I, AP, \to, L \rangle$ and a CTL formula $\phi$.
OUTPUT: The set of states of $M$ which satisfy $\phi$.

1 Convert $\phi$ to an adequate set of CTL connectives (i.e. $\lnot$, $\lor$, EX, EU, EG).
2 Label the states of $M$ with the subformulas of $\phi$ that are satisfied there, starting at the leaf level and working upwards
3 If $\psi$ is a subformula of $\phi$ and the states satisfying all the immediate subformulas of $\psi$ have already been labelled, determine which states to label with $\psi$
4 $M \models \phi$ iff $\forall s \in I : M, s \models \phi$

Properties for Kripke structure of (0|1)*1+ FSM

Example
[Figure: Kripke structure of the FSM with the input absorbed, states s0 (00), s1 (01), s2 (10) and s3 (11), each labelled with the FSM state bit followed by the input bit; edges are labelled with the next input symbol, 0 or 1.]

CTL: Some runs support infinite acceptable strings with an infinite suffix of 1s: $E[(0 \lor 1)\, U\, (EG\, 1)]$
CTL: Any run of 0s and 1s can have an infinite suffix of 1s: $A[(0 \lor 1)\, U\, (EG\, 1)]$
LTL: No path quantifiers, so it is difficult to talk about some paths

Verifying Kripke structure of (0|1)*1+ FSM

Example (NuSMV specification for (0|1)*1+ FSM and its properties)
MODULE FSM
VAR
  In : {0, 1};        -- no next(): a free input, chosen afresh every step
  State : {0, 1};
ASSIGN
  init(State) := 0;
  next(State) := case
    State = 0 & In = 0 : 0;
    State = 0 & In = 1 : 1;
    State = 1 & In = 0 : 0;
    State = 1 & In = 1 : 1;
  esac;
MODULE main
VAR fsm : FSM;
SPEC E[(fsm.In = 0 | fsm.In = 1) U EG (fsm.State = 1 & fsm.In = 1)]
SPEC A[(fsm.In = 0 | fsm.In = 1) U EG (fsm.In = 1)]        -- fails
LTLSPEC F G (fsm.In = 1) -> ((fsm.In = 0 | fsm.In = 1) U G (fsm.State = 1 & fsm.In = 1))
FAIRNESS fsm.In = 1
SPEC !EF !EF (fsm.State = 1)                                -- i.e. AG EF (fsm.State = 1)

Parse tree of CTL formula

Example (Parse tree for $E[(0 \lor 1)\, U\, (EG\, 1)]$; the numbers give the labelling order, and the shared subformula 1 gets the same number at both leaves)
EU (1)
  $\lor$ (2)
    0 (3)
    1 (4)
  EG (5)
    1 (4)

Base cases for labelling for CTL model checking

Label states with ψ depending on the form of the subformula ψ:
⊥         no states are labelled with ⊥
p         label s with p if p ∈ L(s)
ψ1 ∧ ψ2   label s with ψ1 ∧ ψ2 if s is already labelled both with ψ1
          and ψ2
¬ψ1       label s with ¬ψ1 if s is not already labelled with ψ1
EX ψ1     label any state with EX ψ1 if one of its successors is
          labelled with ψ1

(Figure: a state with a successor labelled ψ1 receives EX ψ1; a state none of
whose successors is labelled ψ1 receives ¬EX ψ1.)
Handling φ ≡ E[ψ1 U ψ2]

If any state s is labelled with ψ2, label it with E[ψ1 U ψ2]
Repeat
    Label any state with E[ψ1 U ψ2] if it is labelled with ψ1 and
    at least one of its successors is labelled with E[ψ1 U ψ2]
Until there is no change

(Figure: a chain of ψ1-states leading to ψ2-states; E[ψ1 U ψ2] is placed on the
ψ2-states first and then propagated backwards along the chain of ψ1-states.)
Time complexity

EX p is done in O(|S| + |→|): all the nodes which have a next
state labelled with p should be labelled with EX p
E[p U q] is done in O(|S| · (|S| + |→|)) by the naive iteration above
However, on closer inspection (each state is labelled at most once and each
transition is examined at most once), it turns out to be O(|S| + |→|)
EG p is also done in O(|S| + |→|) time
For a CTL formula of size |f|, the time complexity is
O(|f| · (|S| + |→|))
|f| is the number of connectives in the formula
|S| is the number of states
|→| is the number of transitions
Handling φ ≡ EG ψ1

Label all the states with EG ψ1
Remove the label EG ψ1 from any state not labelled with ψ1
Repeat
    Remove the label EG ψ1 from any state not having a successor
    labelled with EG ψ1
Until there is no change

(Figure: a chain of ψ1-states; the label EG ψ1 is stripped backwards from the
states that cannot continue inside ψ1-states, so that only states on, or leading
to, a cycle of ψ1-states keep it.)
Handling φ ≡ AF ψ1

This can be handled through other CTL operations (AF ψ1 ≡ ¬EG ¬ψ1), or
directly as follows:

Label all the states bearing the label ψ1 with AF ψ1
Repeat
    Label any state with AF ψ1 if all its successors are labelled
    with AF ψ1
Until there is no change

(Figure: a state all of whose successors carry AF ψ1 receives AF ψ1; a state
with a successor from which ψ1 can be avoided forever receives ¬AF ψ1.)
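The labelling procedure of the preceding slides (base cases, E[ψ1 U ψ2], EG ψ1 and AF ψ1) carried out on the Kripke structure of the (0|1)*1+ FSM. This is an added example, not code from the slides: the tuple encoding of formulas, the function names and the rewriting of AF, AG, EF, AX and A[U] into the core operators ¬, ∧, EX, EU and EG are the example's own choices. It checks the two properties stated for this structure: E[(0 ∨ 1) U (EG 1)] holds and A[(0 ∨ 1) U (EG 1)] fails.

```python
"""Explicit-state CTL model checking by subformula labelling (added example).

Model: Kripke structure of the (0|1)*1+ FSM, state = (State, In) as in the
NuSMV model; the next State is the current In, the next In is unconstrained.
Formulas are nested tuples, e.g. ('EU', ('atom', 'In=0'), ('EG', ('atom', 'In=1'))).
"""
from typing import Dict, FrozenSet, Set, Tuple

State = Tuple[int, int]

STATES: Tuple[State, ...] = ((0, 0), (0, 1), (1, 0), (1, 1))
INIT: FrozenSet[State] = frozenset({(0, 0), (0, 1)})       # init(State) := 0, In free
SUCC: Dict[State, Set[State]] = {s: {(s[1], i) for i in (0, 1)} for s in STATES}
ALL: FrozenSet[State] = frozenset(STATES)


def labels(s: State) -> Set[str]:
    """Labelling function L(s): the atomic propositions true in s."""
    return {f"State={s[0]}", f"In={s[1]}"}


def ex(phi: FrozenSet[State]) -> FrozenSet[State]:
    """EX phi: some successor is labelled phi."""
    return frozenset(s for s in STATES if SUCC[s] & phi)


def eu(phi: FrozenSet[State], psi: FrozenSet[State]) -> FrozenSet[State]:
    """E[phi U psi]: start from the psi-states, add phi-states with a labelled successor."""
    cur = set(psi)
    while True:
        new = {s for s in phi if SUCC[s] & cur} - cur
        if not new:
            return frozenset(cur)
        cur |= new


def eg(phi: FrozenSet[State]) -> FrozenSet[State]:
    """EG phi: start from the phi-states, drop states with no labelled successor."""
    cur = set(phi)
    while True:
        keep = {s for s in cur if SUCC[s] & cur}
        if keep == cur:
            return frozenset(cur)
        cur = keep


def sat(f: tuple) -> FrozenSet[State]:
    """States labelled with f, computed bottom-up over the parse tree of f."""
    op = f[0]
    if op == 'true':
        return ALL
    if op == 'atom':
        return frozenset(s for s in STATES if f[1] in labels(s))
    if op == 'not':
        return ALL - sat(f[1])
    if op == 'and':
        return sat(f[1]) & sat(f[2])
    if op == 'or':
        return sat(f[1]) | sat(f[2])
    if op == 'EX':
        return ex(sat(f[1]))
    if op == 'EU':
        return eu(sat(f[1]), sat(f[2]))
    if op == 'EG':
        return eg(sat(f[1]))
    # The remaining operators are rewritten into the core ones via the usual dualities.
    if op == 'EF':
        return sat(('EU', ('true',), f[1]))
    if op == 'AF':                                   # AF p = not EG not p
        return sat(('not', ('EG', ('not', f[1]))))
    if op == 'AG':                                   # AG p = not EF not p
        return sat(('not', ('EF', ('not', f[1]))))
    if op == 'AX':                                   # AX p = not EX not p
        return sat(('not', ('EX', ('not', f[1]))))
    if op == 'AU':   # A[p U q] = not E[not q U (not p and not q)] and not EG not q
        p, q = f[1], f[2]
        return sat(('and',
                    ('not', ('EU', ('not', q), ('and', ('not', p), ('not', q)))),
                    ('not', ('EG', ('not', q)))))
    raise ValueError(f"unknown operator {op!r}")


def holds(f: tuple) -> bool:
    """M |= f iff every initial state is labelled with f."""
    return INIT <= sat(f)


ZERO_OR_ONE = ('or', ('atom', 'In=0'), ('atom', 'In=1'))
ONE_FOREVER = ('EG', ('atom', 'In=1'))
SOME_RUN = ('EU', ZERO_OR_ONE, ONE_FOREVER)   # E[(0 or 1) U EG 1]
ANY_RUN = ('AU', ZERO_OR_ONE, ONE_FOREVER)    # A[(0 or 1) U EG 1]

if __name__ == "__main__":
    print("EG 1 labels:", sorted(sat(ONE_FOREVER)))     # the two In=1 states
    print("E[(0|1) U EG 1]:", holds(SOME_RUN))          # True
    print("A[(0|1) U EG 1]:", holds(ANY_RUN))           # False: 000... never reaches EG 1
```

Running it prints the labelling result for EG 1 (s1 and s3, the two states reading a 1) and the two verdicts; `sat` can be called with any formula built from the same tuple encoding, so the fixpoint rules can be watched on other properties of the same structure.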
Handling φ ≡ EG ψ1 more efficiently

1 Restrict the graph to the states satisfying ψ1: delete all other states
and their transitions
2 Find the maximal strongly connected components (SCCs): maximal regions
where each state is reachable from every other
3 Use breadth-first searching on the restricted graph to find any
state that can reach a non-trivial SCC (one containing at least one transition,
so that it supports an infinite path)
Overall O(|f| · (|S| + |→|))

(Figure: the ψ1-restricted graph with its SCCs marked; the states that reach an
SCC satisfy EG ψ1, whereas an SCC without connection to them contributes
nothing.)
Checking AF AG p on a model

Example (Checking AF AG p by labelling with subformulae)
(Figure: a small model M with states A and B, labelled with p or ¬p, shown
before and after labelling with φ and ψ.)

Let φ = AG p
Let ψ = AF φ
First, label nodes with the subformula φ = AG p
Next, label nodes with the subformula ψ = AF φ
Thus, M ⊭ AF AG p, as not all initial states are labelled with
ψ = AF AG p
CTL MC on the (0|1)*1+ FSM

Example (Checking E[(0 ∨ 1) U (EG 1)]; subformula numbers as in the parse tree:
EU 1, ∨ 2, atom 0 3, atom 1 4, EG 5)

Labelling proceeds bottom-up over the parse tree:
3 (the atom 0): s0 = 00 and s2 = 10
4 (the atom 1): s1 = 01 and s3 = 11
2 (0 ∨ 1): every state, since each carries 3 or 4
5 (EG 1): s1 and s3, since s1 → s3 and s3 → s3 stay within states labelled 4
1 (the whole formula φ = E[(0 ∨ 1) U (EG 1)]): s1 and s3 carry 5; s0 and s2 carry 2
and have a successor (s1) already labelled φ, so every state receives φ
Every state, and in particular every initial state, is labelled with φ, hence M ⊨ φ
CTL model checking with fairness

The CTL property AG ((D & TM) -> AF mw.En) was found to
fail for the microwave controller example
That was due to the possibility of the m/c looping between states 1
and 2 due to unreasonable behaviour of the environment
It made better sense to restrict the model checking to the
reasonable paths in the environment
The reasonable property (ψ) was expressed as: states other
than 1 and 2 should occur infinitely often
If C = {ψ1, ψ2, ..., ψk} is a set of fairness constraints and φ is the
property to be checked, then φ is to be checked along paths
where each ψj, 1 ≤ j ≤ k, occurs infinitely often
Let E_C U, E_C X and E_C G be the fair versions of the CTL operators
EU, EX and EG
Now, E_C[φ U ψ] = E[φ U (ψ ∧ E_C G ⊤)] and
E_C X φ = EX (φ ∧ E_C G ⊤): a computation path is fair iff any suffix
of it is fair, which is enforced via E_C G ⊤
Handling φ ≡ E_C G φ1 wrt C = {ψ1, ψ2, ...}

Similar to φ ≡ EG φ1, but only use the SCCs that have, for each
fairness constraint ψi, a state si such that M, si ⊨ ψi (the si need not be distinct)
Each ψi must be satisfied by a state of that same SCC
The ψi properties, in turn, should not rely on fairness constraints
This ensures fairness because it is now possible to find a path
through the nodes of a fair SCC on which each fairness constraint ψi
is satisfied infinitely often

(Figure: the SCCs of the φ1-restricted graph; an SCC containing states that
satisfy ψ1 and ψ2 is fair wrt {ψ1, ψ2}, and the states reaching it satisfy
E_C G φ1; an SCC lacking one of the constraints, and an SCC without connection
to the rest, are crossed out.)
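The SCC-based treatment of EG and of its fair version E_C G, as an added example that is not code from the slides: Tarjan's algorithm on the φ1-restricted graph, selection of the non-trivial SCCs that contain a state for every fairness constraint, and backward reachability to them. The fairness constraint In = 1 is the FAIRNESS line of the NuSMV model; the property AF (State = 1), the function names and the use of plain state sets for the constraints are the example's own choices. The property was chosen because its verdict changes under fairness: the run 000... refutes AF (State = 1) but is not fair, since it never reads a 1.

```python
"""Fair CTL: E_C G via fair SCCs on the (0|1)*1+ FSM (added example).

Fairness constraint: In = 1.  Property: AF (State = 1) = not E_C G (State = 0).
"""
from typing import Dict, FrozenSet, List, Set, Tuple

State = Tuple[int, int]

STATES: Tuple[State, ...] = ((0, 0), (0, 1), (1, 0), (1, 1))
INIT: FrozenSet[State] = frozenset({(0, 0), (0, 1)})
SUCC: Dict[State, Set[State]] = {s: {(s[1], i) for i in (0, 1)} for s in STATES}
ALL: FrozenSet[State] = frozenset(STATES)


def sccs(nodes: FrozenSet[State]) -> List[FrozenSet[State]]:
    """Tarjan's algorithm on the graph restricted to `nodes` (steps 1 and 2)."""
    index: Dict[State, int] = {}
    low: Dict[State, int] = {}
    stack: List[State] = []
    on_stack: Set[State] = set()
    out: List[FrozenSet[State]] = []

    def visit(v: State) -> None:
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in SUCC[v] & nodes:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:              # v is the root of a component
            comp: Set[State] = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            out.append(frozenset(comp))

    for v in nodes:
        if v not in index:
            visit(v)
    return out


def nontrivial(c: FrozenSet[State]) -> bool:
    """An SCC supports an infinite path only if it contains a transition."""
    return len(c) > 1 or any(v in SUCC[v] for v in c)


def can_reach(target: FrozenSet[State], within: FrozenSet[State]) -> FrozenSet[State]:
    """States of `within` that reach `target` without leaving `within` (step 3)."""
    cur = set(target)
    frontier = list(target)
    while frontier:
        t = frontier.pop()
        for s in within:
            if s not in cur and t in SUCC[s]:
                cur.add(s)
                frontier.append(s)
    return frozenset(cur)


def fair_eg(phi: FrozenSet[State], fairness: List[FrozenSet[State]]) -> FrozenSet[State]:
    """E_C G phi: only non-trivial SCCs of the phi-restricted graph containing a
    state of every constraint count.  With no constraints this is plain EG phi."""
    fair = [c for c in sccs(phi) if nontrivial(c) and all(c & psi for psi in fairness)]
    if not fair:
        return frozenset()
    return can_reach(frozenset().union(*fair), phi)


def fair_af(phi: FrozenSet[State], fairness: List[FrozenSet[State]]) -> FrozenSet[State]:
    """A_C F phi = not E_C G not phi."""
    return ALL - fair_eg(ALL - phi, fairness)


STATE_IS_1 = frozenset(s for s in STATES if s[0] == 1)
IN_IS_1 = frozenset(s for s in STATES if s[1] == 1)


def check_af_state1(with_fairness: bool) -> bool:
    """M |= AF (State = 1), with or without the constraint In = 1."""
    constraints = [IN_IS_1] if with_fairness else []
    return INIT <= fair_af(STATE_IS_1, constraints)


if __name__ == "__main__":
    print("EG (State = 0):", sorted(fair_eg(ALL - STATE_IS_1, [])))   # [(0, 0)], the 000... loop
    print("AF (State = 1), no fairness:", check_af_state1(False))      # False
    print("AF (State = 1), FAIRNESS In = 1:", check_af_state1(True))   # True
```

Without the constraint, the SCC {s0} with its self-loop on In = 0 keeps EG (State = 0) alive at s0 and the property fails; with In = 1 required infinitely often that SCC is rejected, no fair SCC remains inside the State = 0 states, and AF (State = 1) holds on all fair paths.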
CTL MC on the (0|1)*1+ FSM with fairness

Example (Checking φ = AG EF (State = 1) wrt the fairness constraint ψ = (In = 1))
φ ≡ ¬E_C[⊤ U ¬E_C[⊤ U (State = 1)]] wrt {ψ}
NB: E_C[φ U ψ] = E[φ U (ψ ∧ E_C G ⊤)] wrt {ψ}
Here α = E_C G ⊤ wrt {ψ} holds at every state: the whole structure is one SCC
and it contains states with In = 1

Parse tree, with the subformulas numbered in labelling order:
¬
    E_C U                 1
        ⊤                 2
        ¬
            E_C U         3
                ⊤
                State = 1 4

Labelling:
4 (State = 1): s2 = 10 and s3 = 11
α: every state
3 (E_C[⊤ U State = 1]): every state, since each reaches s2 or s3
¬3: no state, so 1 (E_C[⊤ U ¬3]) labels no state either
φ = ¬1: every state, hence M ⊨ φ
Counterexamples

Let p and q be atomic propositions
Counterexample for φ = AG p? A model for ¬φ = ¬AG p = EF ¬p: a path
Counterexample for φ = AF p? A model for ¬φ = ¬AF p = EG ¬p: a path
Counterexample for φ = AF p ∨ AF q?
A model for ¬φ = ¬AF p ∧ ¬AF q = EG ¬p ∧ EG ¬q: two paths
Counterexample for φ = EF p? A model for ¬φ = ¬EF p = AG ¬p: a tree
Counterexample for φ = AF AX p? A model for ¬AF AX p = EG EX ¬p
Linear counterexamples (having the form of a path rather than a tree)
are easier to understand
A CTL formula in which the temporal operators do not appear within the
scope of a negation (negation is applied to atomic propositions only) is said
to be in negation normal form (NNF)
ACTL formulae, i.e. NNF formulae using only the universal path quantifier (no
EX, EG or EU), are better suited to linear counterexamples
Negating an ACTL formula and then transforming it to NNF yields an ECTL
formula, and vice versa
Counterexamples

Verification v/s refutation of property φ in K = ⟨S, S0, R, L⟩
Verification: show that S0 ⊆ {s | K, s ⊨ φ}
Refutation: find a state s ∈ S0 such that K, s ⊭ φ, i.e. K, s ⊨ ¬φ, and
generate a counterexample starting from that state

Definition (Counterexample or witness for M ⊭ φ)
A counterexample or witness C substantiates the failure, so that
C violates φ, C ⊭ φ
The violation of φ by C is effectively explained
C is a minimal substructure of K whose initial state s ∈ S0 and such that C ⊨ ¬φ

The ability to find counterexamples is one of the biggest strengths of
model checkers
The counterexample may have a linear structure or a branching
structure
Traces

Definition (Trace)
A trace is either a finite path or a path leading to a loop, i.e., only the last state
of a trace may be a repetition of a state already present in the trace

Example (Counterexample for AF ¬x)
K ⊭ AF ¬x; C ⊨ ¬AF ¬x ≡ C ⊨ EG x
(Figure: a structure K with states labelled x and ¬x; the counterexample C is
the trace that stays within x-states and closes a loop, never reaching a ¬x-state.)

Counterexamples for general LTL properties
Violation of a general property may happen in a finite prefix
Otherwise, a trace with a loop may be found where the computation may
be stuck, preventing satisfaction of the LTL formula along that trace
Counterexample generation for ACTL

In general the counterexample for an ACTL property (equivalently
a witness to an ECTL property) is not a single path
The counterexample for the property AF AG p would be a witness
for the property EG EF ¬p; it may not be possible to have the
witness for EG EF ¬p as a single path arising from a linear trace
C ⊨ ¬φ = ¬AF AG p ≡ C ⊨ ¬φ = EG EF ¬p
(Figure: a tree-shaped witness for EG EF ¬p: from the states of an infinite
path branch off finite paths to ¬p-states, so the witness is not linear.)

Linear counterexamples exist only for properties in ACTL ∩ LTL

Theorem (Trace refutability)
An ACTL formula φ is trace-refutable iff it is expressible in LTL
Generating counterexamples

Additional work beyond model checking is needed
EX φ: find a successor state labelled with φ
EG φ: follow successors labelled with EG φ until a loop is found
E[φ U ψ]: follow states labelled with φ until a state labelled with ψ is
found

Counterexamples for LTL safety properties
Violation of a safety property happens in a finite prefix of the violating
computational path
So, finite paths are viable counterexamples for LTL safety
properties
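Construction of the traces described on the preceding slides, as an added example that is not code from the slides: a finite path as witness for E[φ U ψ] and a lasso (a path whose last state repeats an earlier one, per the trace definition) as witness for EG φ, built directly on the Kripke structure of the (0|1)*1+ FSM. Predicates stand in for the labels, so "follow successors labelled φ" becomes a search that never leaves φ-states; the function names and the two refuted properties, AF (State = 1) and AG (State = 0), are the example's own choices.

```python
"""Witness and counterexample traces for CTL on the (0|1)*1+ FSM (added example).

A counterexample to an ACTL formula is a witness for its negation; the witness
is a trace: a finite path for E[phi U psi], a lasso for EG phi.
"""
from collections import deque
from typing import Callable, Dict, List, Optional, Set, Tuple

State = Tuple[int, int]
Pred = Callable[[State], bool]

STATES: Tuple[State, ...] = ((0, 0), (0, 1), (1, 0), (1, 1))
INIT: Tuple[State, ...] = ((0, 0), (0, 1))
SUCC: Dict[State, List[State]] = {s: [(s[1], 0), (s[1], 1)] for s in STATES}


def eu_witness(s: State, phi: Pred, psi: Pred) -> Optional[List[State]]:
    """Finite trace for E[phi U psi] from s: BFS through phi-states to a psi-state."""
    parent: Dict[State, Optional[State]] = {s: None}
    queue = deque([s])
    while queue:
        u = queue.popleft()
        if psi(u):
            path = [u]
            while parent[path[-1]] is not None:
                path.append(parent[path[-1]])
            return path[::-1]
        if not phi(u):
            continue                # the path may not continue through a non-ph1 state
        for v in SUCC[u]:
            if v not in parent:
                parent[v] = u
                queue.append(v)
    return None


def eg_witness(s: State, phi: Pred) -> Optional[List[State]]:
    """Lasso for EG phi from s: DFS inside phi-states until a state on the current
    path repeats; the repeated state is the last element of the trace."""
    if not phi(s):
        return None
    path: List[State] = [s]
    on_path: Set[State] = {s}
    dead: Set[State] = set()       # phi-states from which no phi-cycle is reachable

    def dfs(u: State) -> bool:
        for v in SUCC[u]:
            if not phi(v) or v in dead:
                continue
            if v in on_path:       # loop closed
                path.append(v)
                return True
            path.append(v)
            on_path.add(v)
            if dfs(v):
                return True
            path.pop()
            on_path.discard(v)
            dead.add(v)
        return False

    return path if dfs(s) else None


def counterexample_af(phi: Pred) -> Optional[List[State]]:
    """Counterexample to AF phi: a witness for EG not phi from some initial state."""
    for s in INIT:
        w = eg_witness(s, lambda t: not phi(t))
        if w:
            return w
    return None


def counterexample_ag(phi: Pred) -> Optional[List[State]]:
    """Counterexample to AG phi: a witness for EF not phi = E[true U not phi]."""
    for s in INIT:
        w = eu_witness(s, lambda t: True, lambda t: not phi(t))
        if w:
            return w
    return None


def state_is_1(s: State) -> bool:
    return s[0] == 1


if __name__ == "__main__":
    # AF (State = 1) fails: the lasso [(0, 0), (0, 0)] is the run 000... that never sets State
    print("AF (State = 1):", counterexample_af(state_is_1))
    # AG (State = 0) fails once a 1 has been read: [(0, 0), (0, 1), (1, 0)]
    print("AG (State = 0):", counterexample_ag(lambda s: s[0] == 0))
```

The EG search is an ordinary depth-first cycle search restricted to φ-states: states on the current path are the loop candidates, and a state is marked dead once the search below it has failed, so every state is expanded at most once.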
LTL model checking

Section outline

5 LTL model checking
Approach for LTL model checking
Büchi automata
Büchi automata for some LTL formulae
Adequate LTL connectives
Model theoretic proofs of some equivalences
Product of Büchi automata
GNBA to NBA transformation
LTL model checking example
Gerth's algorithm for LTL to Büchi automata
Motivating example of Gerth's algorithm
Pseudocode for Gerth's algorithm
Another illustration of Gerth's algorithm
Double DFS for LTL MC
Nested DFS for LTL MC
Illustration of LTL MC via Gerth's algorithm
Approach for LTL model checking

The CTL algorithm doesn't work for LTL; a different approach is needed
Proceed by negating the given LTL property φ and generating the
property automaton B_¬φ; in general, let B_φ be the Büchi automaton for φ
Create a Büchi automaton for the model M as B_M
Checking M ⊨ φ is equivalent to checking whether
L(B_M) ⊆ L(B_φ), or equivalently L(B_M) ∩ L(B_¬φ) = ∅
This requires computing the product automaton of B_M and B_¬φ
Thereafter it is necessary to check whether the language accepted by the
product automaton is empty
Look for a cycle which contains a reachable accepting state
If no such cycle can be found, the language accepted by the
automaton is empty
If there is a cycle, it corresponds to a counterexample behaviour
that demonstrates the bug
Büchi automata

At the heart of LTL model checking are Büchi automata
They work on infinite strings representing the infinite input given to
the m/c to be verified
A Büchi automaton accepts a string when the resulting run causes
a non-empty subset of the accepting states to be visited infinitely
often
Note that there is no termination, as the string does not end
An LTL property can be translated to a Büchi automaton so that
precisely the strings conforming to the property get accepted

Definition (Büchi automaton)
A = ⟨Q, Σ, →, Q0, F⟩ is a Büchi automaton accepting the language
L(A) = { σ = a1 a2 ... | ∃ρ = q0 →(a1) q1 →(a2) q2 ... such that inf(ρ) ∩ F ≠ ∅ },
where q0 ∈ Q0, a1, a2, ... ∈ Σ and inf(ρ) is the set of states of the
run ρ, on the ω-word σ = a1 a2 ..., visited infinitely often
→ makes A non-deterministic or deterministic (the deterministic variant is less
powerful)
Some notations regarding strings

Let Σ be a set of symbols (not necessarily finite)
Σ* is the set of all finite words over Σ, each having a length which
is a natural number
Given a word w of length n, w can be viewed as a function from
the set {0, 1, ..., n − 1} → Σ, with the value at i giving the symbol
at position i
The infinite words, or ω-words, can likewise be viewed as
functions from ℕ → Σ
The set of all infinite words over Σ is denoted Σ^ω
The set of all finite and infinite words over Σ is sometimes written
Σ^∞
Thus, an ω-language L over Σ is a subset of Σ^ω
Büchi automata for some LTL formulae

Example (Büchi automata for some LTL formulae)
(Figure: Büchi automata, over states q0, q1 and where needed q2, with edges
guarded by p, q and their negations, for the formulae G p, p W q, F p, p R q,
p U q, F G p, G (p → F q) and G F p.)
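The approach of the preceding slides carried out on the (0|1)*1+ FSM, as an added example that is not code from the slides: the model as a Büchi automaton B_M with every state accepting, hand-built Büchi automata for the negations of two LTL properties (in the style of the automata drawn above), the product, and an emptiness check that searches for an accepting state on a cycle reachable from an initial state. The search is the nested depth-first search listed in the section outline but not described on these slides; the class and function names, the two properties G F (In = 1) and G (In = 1 → X State = 1), and the encoding of edge labels as predicates over model states are the example's own choices.

```python
"""LTL model checking via Büchi automata on the (0|1)*1+ FSM (added example).

Each model state (State, In) is also the letter the property automaton reads.
Property automata are NBAs for the *negated* formulas with predicate-guarded
edges; a non-empty product language yields a lasso-shaped counterexample.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

State = Tuple[int, int]
Guard = Callable[[State], bool]

MODEL_STATES: Tuple[State, ...] = ((0, 0), (0, 1), (1, 0), (1, 1))
MODEL_INIT: Tuple[State, ...] = ((0, 0), (0, 1))
MODEL_SUCC: Dict[State, List[State]] = {s: [(s[1], 0), (s[1], 1)] for s in MODEL_STATES}


class NBA:
    """Nondeterministic Büchi automaton <Q, Sigma, ->, Q0, F> with guarded edges."""

    def __init__(self, init: List[str], accepting: Set[str],
                 edges: List[Tuple[str, Guard, str]]) -> None:
        self.init, self.accepting, self.edges = init, accepting, edges

    def step(self, q: str, letter: State) -> List[str]:
        return [t for (p, g, t) in self.edges if p == q and g(letter)]


TRUE: Guard = lambda s: True
IN0: Guard = lambda s: s[1] == 0
IN1: Guard = lambda s: s[1] == 1
STATE0: Guard = lambda s: s[0] == 0

# not (G F In=1) = F G In=0: guess the point from which In stays 0 forever.
NOT_GF_IN1 = NBA(init=["q0"], accepting={"q1"},
                 edges=[("q0", TRUE, "q0"), ("q0", IN0, "q1"), ("q1", IN0, "q1")])
# not G (In=1 -> X State=1) = F (In=1 and X State=0).
NOT_G_IN1_X_STATE1 = NBA(init=["q0"], accepting={"q2"},
                         edges=[("q0", TRUE, "q0"), ("q0", IN1, "q1"),
                                ("q1", STATE0, "q2"), ("q2", TRUE, "q2")])

Prod = Tuple[State, str]


def product_init(prop: NBA) -> List[Prod]:
    """The NBA reads the initial model state as its first letter."""
    return [(s, q) for s in MODEL_INIT for q0 in prop.init for q in prop.step(q0, s)]


def product_succ(prop: NBA, ps: Prod) -> List[Prod]:
    """Synchronous product: the model moves to t and the NBA reads t."""
    s, q = ps
    return [(t, q2) for t in MODEL_SUCC[s] for q2 in prop.step(q, t)]


def find_accepting_cycle(prop: NBA) -> Optional[Tuple[List[Prod], List[Prod]]]:
    """Nested DFS: the outer DFS visits the reachable product states and, when it
    finishes an accepting state, an inner DFS looks for a path back to it.
    Returns (prefix, cycle) of a lasso, or None when the product language is empty."""
    outer_seen: Set[Prod] = set()
    inner_seen: Set[Prod] = set()
    found: List[Tuple[List[Prod], List[Prod]]] = []

    def inner(start: Prod, cur: Prod, cycle: List[Prod]) -> bool:
        for nxt in product_succ(prop, cur):
            if nxt == start:
                cycle.append(nxt)
                return True
            if nxt not in inner_seen:
                inner_seen.add(nxt)
                cycle.append(nxt)
                if inner(start, nxt, cycle):
                    return True
                cycle.pop()
        return False

    def outer(cur: Prod, prefix: List[Prod]) -> bool:
        outer_seen.add(cur)
        for nxt in product_succ(prop, cur):
            if nxt not in outer_seen:
                prefix.append(nxt)
                if outer(nxt, prefix):
                    return True
                prefix.pop()
        if cur[1] in prop.accepting:        # post-order check of accepting states
            cycle = [cur]
            if inner(cur, cur, cycle):
                found.append((list(prefix), cycle))
                return True
        return False

    for p0 in product_init(prop):
        if p0 not in outer_seen and outer(p0, [p0]):
            return found[0]
    return None


def model_satisfies(negated_property: NBA) -> bool:
    """M |= phi iff the product with B_{not phi} accepts no word."""
    return find_accepting_cycle(negated_property) is None


if __name__ == "__main__":
    ce = find_accepting_cycle(NOT_GF_IN1)
    print("G F (In = 1) holds:", ce is None)            # False: the run 000...
    print("counterexample (prefix, cycle):", ce)
    print("G (In = 1 -> X State = 1) holds:", model_satisfies(NOT_G_IN1_X_STATE1))  # True
```

For G F (In = 1) the product has an accepting cycle on the model state 00 with the automaton in q1, i.e. the run 000..., and the returned prefix and cycle together form the counterexample trace; for G (In = 1 → X State = 1) the guard State0 after an In = 1 letter can never fire, because the model sets State to the symbol just read, so q2 is unreachable and the property holds.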
LTL model checking: Adequate LTL connectives

Adequate LTL connectives

Equivalences between LTL formulae
$\neg G\varphi \equiv F\neg\varphi$;  $G(\varphi \wedge \psi) \equiv G\varphi \wedge G\psi$
$\neg F\varphi \equiv G\neg\varphi$;  $F\varphi \equiv \top\,U\,\varphi$, $G\varphi \equiv \bot\,R\,\varphi$
$\neg X\varphi \equiv X\neg\varphi$;  $\varphi\,U\,\psi \equiv (\varphi\,W\,\psi) \wedge (F\psi)$
$\neg(\varphi\,U\,\psi) \equiv \neg\varphi\,R\,\neg\psi$;  $\varphi\,W\,\psi \equiv (\varphi\,U\,\psi) \vee (G\varphi)$
$\neg(\varphi\,R\,\psi) \equiv \neg\varphi\,U\,\neg\psi$;  $\varphi\,W\,\psi \equiv \psi\,R\,(\varphi \vee \psi)$
$F(\varphi \vee \psi) \equiv F\varphi \vee F\psi$;  $\varphi\,R\,\psi \equiv \psi\,W\,(\varphi \wedge \psi)$

Adequate connectives for LTL
$\{U, X\}$:  $\varphi\,R\,\psi \equiv \neg(\neg\varphi\,U\,\neg\psi)$;  $\varphi\,W\,\psi \equiv \psi\,R\,(\varphi \vee \psi) \equiv \neg(\neg\psi\,U\,\neg(\varphi \vee \psi))$
$\{R, X\}$:  $\varphi\,U\,\psi \equiv \neg(\neg\varphi\,R\,\neg\psi)$;  $\varphi\,W\,\psi \equiv \psi\,R\,(\varphi \vee \psi)$
$\{W, X\}$:  $\varphi\,U\,\psi \equiv \neg(\neg\varphi\,R\,\neg\psi)$;  $\varphi\,R\,\psi \equiv \psi\,W\,(\varphi \wedge \psi)$
Complementation can be avoided using $\{U, R, X\}$ or $\{W, R, X\}$
LTL model checking: Model theoretic proofs of some equivalences

Model theoretic proofs of some equivalences

$\neg G\varphi \equiv F\neg\varphi$
[Figure: two paths drawn position by position. $\pi_1$: $G\varphi$ holds at every position, hence $\varphi$ holds at every position. $\pi_2$: $F\neg\varphi$ holds at every position up to one at which $\neg\varphi$ holds.]
Clearly $\pi_1 \models G\varphi \Rightarrow \pi_1 \not\models F\neg\varphi$ and $\pi_2 \models F\neg\varphi \Rightarrow \pi_2 \not\models G\varphi$

$\neg(\varphi\,U\,\psi) \equiv \neg\varphi\,R\,\neg\psi$
[Figure: $\pi_1$: $\varphi\,U\,\psi$ holds at every position up to one at which $\psi$ holds, and $\varphi \wedge \neg\psi$ holds at each position before it. $\pi_2$: $\neg\varphi\,R\,\neg\psi$ holds at every position shown, with $\varphi \wedge \neg\psi$ at the earlier positions and $\neg\varphi \wedge \neg\psi$ at the last one ($\neg\varphi$ may not hold eventually, so $\neg\psi$ may hold perpetually).]
Clearly $\pi_1 \models \varphi\,U\,\psi \Rightarrow \pi_1 \not\models \neg\varphi\,R\,\neg\psi$ and $\pi_2 \models \neg\varphi\,R\,\neg\psi \Rightarrow \pi_2 \not\models \varphi\,U\,\psi$
LTL model checking: Model theoretic proofs of some equivalences

Examples of translations

Example (Translating $F\,p$ and $\neg(F\,p)$)
$F\,p \equiv \top\,U\,p$
$\neg(F\,p) \equiv G\neg p \equiv \bot\,R\,\neg p$

Example (Translating $G\,F\,p$ and $\neg(G\,F\,p)$)
$G\,F\,p \equiv \bot\,R\,(\top\,U\,p)$
$\neg(G\,F\,p) \equiv \neg(\bot\,R\,(\top\,U\,p)) \equiv \top\,U\,(\bot\,R\,\neg p)$

Example (Translating $(G\,F\,p) \Rightarrow (G\,F\,q)$)
$\neg(G\,F\,p) \vee (G\,F\,q)$
$\equiv \neg(\bot\,R\,(\top\,U\,p)) \vee (\bot\,R\,(\top\,U\,q))$
$\equiv (\top\,U\,(\bot\,R\,\neg p)) \vee (\bot\,R\,(\top\,U\,q))$
LTL model checking: Product of Büchi automata

Product of two finite state automata (recapitulation)

Definition
Given two DFAs $A_1 = \langle Q_1, \Sigma, \delta_1, q_{i1}, F_1 \rangle$ and $A_2 = \langle Q_2, \Sigma, \delta_2, q_{i2}, F_2 \rangle$ with the same alphabet $\Sigma$, the product $A = A_1 \times A_2 = \langle Q, \Sigma, \delta, q_0, F \rangle$ may be defined so that $Q = Q_1 \times Q_2$, $\delta\,\langle q_1, q_2 \rangle\,a = \langle \delta_1\,q_1\,a,\ \delta_2\,q_2\,a \rangle$, $q_0 = \langle q_{i1}, q_{i2} \rangle$ and $F = F_1 \times F_2$

Lemma
$\hat{\delta}\,\langle q_1, q_2 \rangle\,\sigma = \langle \hat{\delta}_1\,q_1\,\sigma,\ \hat{\delta}_2\,q_2\,\sigma \rangle$
Proof by induction.
Base: the statement holds for $\sigma = \varepsilon$
Step: if the statement holds for $\sigma$, it holds for $\sigma' = a\,\sigma$

Theorem
$L(A_1 \times A_2) = L(A_1) \cap L(A_2)$
Proof.
We have $\hat{\delta}\,\langle q_1, q_2 \rangle\,\sigma = \langle \hat{\delta}_1\,q_1\,\sigma,\ \hat{\delta}_2\,q_2\,\sigma \rangle \in F$ iff $\hat{\delta}_1\,q_1\,\sigma \in F_1$ and $\hat{\delta}_2\,q_2\,\sigma \in F_2$, so that $\sigma \in L(A_1)$ and $\sigma \in L(A_2)$
LTL model checking: Product of Büchi automata

Product of Büchi automata

Definition (Product of two Büchi automata)
Given two Büchi automata $B_1 = \langle Q_1, \Sigma, \delta_1, I_1, F_1 \rangle$ and $B_2 = \langle Q_2, \Sigma, \delta_2, I_2, F_2 \rangle$ with the same alphabet $\Sigma$, the product is a generalised Büchi automaton (GNBA) $B = B_1 \times B_2 = \langle Q, \Sigma, \delta, I, \mathcal{F} \rangle$, which may be defined so that
$Q = Q_1 \times Q_2$,
$\delta\,\langle q_1, q_2 \rangle\,a\,\langle q_1', q_2' \rangle$ iff $\delta_1\,q_1\,a\,q_1'$ and $\delta_2\,q_2\,a\,q_2'$,
$I = I_1 \times I_2$ and
$\mathcal{F} = \{F_1 \times Q_2,\ Q_1 \times F_2\}$
A run $\rho$ resulting from an input $\sigma$ is an accepting run if for each $F_i \in \mathcal{F}$, $\mathit{inf}(\rho) \cap F_i \neq \emptyset$, so that accepting states of the constituent automata are visited infinitely often

Note the proliferation of sets of final states in the GNBA: it ensures that the final states of each constituent automaton are visited infinitely often

Product computation of Büchi automata is a key step in LTL MC
LTL model checking: GNBA to NBA transformation

GNBA to NBA transformation

GNBA to NBA
Let the GNBA be $G = \langle Q, \Sigma, \delta, I, \mathcal{F} \rangle$ where $|\mathcal{F}| = k$
To construct the NBA $M$, make $k$ copies of the GNBA as $M_0, \ldots, M_{k-1}$
Set of initial states of $M$ is taken as that of the first copy $M_0$
Set of final states of $M$ is taken as that of the first copy $M_0$
After visiting $s \in F_j$ in $M_i$, visit $s' \in M_{(i+1) \bmod k}$, for $s \xrightarrow{a} s'$, $a \in \Sigma$

Example (GNBA to NBA translation)
[Figure: a GNBA with states $q_0$, $q_1$, $q_2$ and transitions labelled $C_1$ and $C_2$, for the property that $P_0$ and $P_1$ are in their critical section infinitely often, beside its NBA translation made of two copies, with states $q_{0,0}$, $q_{0,1}$, $q_{0,2}$ and $q_{1,0}$, $q_{1,1}$, $q_{1,2}$ and transitions again labelled $C_1$ and $C_2$; the diagrams did not survive text extraction.]
LTL: $\varphi = (G\,F\,C_1) \wedge (G\,F\,C_2)$
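As an added example (not the slides' code), the two constructions of the previous slide and this one in Python: the product of two NBAs yielding a GNBA with acceptance sets $F_1 \times Q_2$ and $Q_1 \times F_2$, then the $k$-copies degeneralisation. The two input automata (deterministic NBAs for $G\,F\,C_1$ and $G\,F\,C_2$, as in the slide's $\varphi$), the alphabet and all helper names are this example's own assumptions; `det_run_accepts` relies on the automaton being deterministic.

```python
from itertools import product as cartesian

# An automaton is (states, alphabet, delta, initial, final) with
# delta: dict (state, letter) -> set of successor states.


def nba_product(b1, b2):
    """Product of two NBAs as a GNBA (slide 73): the last component is the
    list of acceptance sets [F1 x Q2, Q1 x F2]."""
    q1, sigma, d1, i1, f1 = b1
    q2, sigma2, d2, i2, f2 = b2
    assert sigma == sigma2, "product needs a common alphabet"
    delta = {}
    for s1, s2 in cartesian(q1, q2):
        for a in sigma:
            succ = set(cartesian(d1.get((s1, a), ()), d2.get((s2, a), ())))
            if succ:
                delta[((s1, s2), a)] = succ
    return (set(cartesian(q1, q2)), sigma, delta, set(cartesian(i1, i2)),
            [set(cartesian(f1, q2)), set(cartesian(q1, f2))])


def gnba_to_nba(g):
    """k copies of the GNBA (slide 74): in copy i a transition leaving a state
    of F_i lands in copy (i+1) mod k; initial and final states are those of
    copy 0, so an accepting run must pass through every F_i infinitely often."""
    states, sigma, delta, initial, acc_sets = g
    if not acc_sets:                       # no constraint: every run accepts
        acc_sets = [set(states)]
    k = len(acc_sets)
    new_delta = {}
    for (s, a), succs in delta.items():
        for i in range(k):
            j = (i + 1) % k if s in acc_sets[i] else i
            new_delta[((s, i), a)] = {(t, j) for t in succs}
    return ({(s, i) for s in states for i in range(k)}, sigma, new_delta,
            {(s, 0) for s in initial}, {(s, 0) for s in acc_sets[0]})


def det_run_accepts(nba, prefix, loop):
    """Unique run of a *deterministic* NBA on prefix . loop^omega: accepting
    iff a final state occurs in the periodic part. The state at the start of
    a loop repetition must recur within |Q| repetitions."""
    _, _, delta, initial, final = nba
    (s,) = initial
    for a in prefix:
        (s,) = delta[(s, a)]
    seen, trace = {}, []                   # loop-start state -> index in trace
    while s not in seen:
        seen[s] = len(trace)
        for a in loop:
            trace.append(s)
            (s,) = delta[(s, a)]
    return any(t in final for t in trace[seen[s]:])


def gf_automaton(p, sigma):
    """Constructed deterministic NBA for G F p: state 1 means 'p held on the
    letter just read'; final = {1}."""
    delta = {(s, a): {1 if p in a else 0} for s in (0, 1) for a in sigma}
    return {0, 1}, sigma, delta, {0}, {1}


# Constructed alphabet 2^{C1, C2} for the slide's (G F C1) and (G F C2).
SIGMA = {frozenset(x) for x in ((), ("C1",), ("C2",), ("C1", "C2"))}
GNBA = nba_product(gf_automaton("C1", SIGMA), gf_automaton("C2", SIGMA))
NBA = gnba_to_nba(GNBA)                    # 4 product states x 2 copies

if __name__ == "__main__":
    c1, c2 = frozenset({"C1"}), frozenset({"C2"})
    print("(C1 C2)^w accepted:", det_run_accepts(NBA, [], [c1, c2]))   # True
    print("(C1)^w accepted:", det_run_accepts(NBA, [], [c1]))          # False
```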
LTL model checking: Büchi automata construction

Büchi automata construction

Constructing a Büchi automaton for $K = \langle S, S_0, AP, \rightarrow, L \rangle$
The Büchi automaton $A = \langle \Sigma, Q, \delta, I, F \rangle$ corresponding to $K$ is defined as:
$\Sigma = \mathcal{P}(AP)$
$Q = S \cup \{s_A\}$
$I = \{s_A\}$
$F = Q$
$\delta\,s\,a\,s'$ iff either $s \rightarrow s'$ and ($p \in a$ iff $L\,s'\,p$), or $s = s_A$ and $s' \in S_0$ and ($p \in a$ iff $L\,s'\,p$)

A thought on inductive construction of Büchi automata
Given the Büchi automata for $\varphi$ and $\psi$, we may
construct a Büchi automaton for $X\varphi$
construct a Büchi automaton for $\varphi\,U\,\psi$ or $\varphi\,W\,\psi$
construct a Büchi automaton for $\varphi\,R\,\psi$
Size of the resulting automaton is an issue, as computing $\varphi\,R\,\psi$ involves a product automaton: $\varphi\,R\,\psi \equiv \psi\,W\,(\varphi \wedge \psi)$
LTL model checking: LTL model checking example

Example of LTL model checking

Example (Checking $\varphi = G\,q$ on a model)
[Figure: the model $M$ with states $q_0$, $q_1$, $q_2$, $q_3$ labelled $\{p,q\}$, $\{p,q\}$, $\{q\}$, $\{p\}$; the automaton $B_M$ over the same states, with transitions labelled by the label sets $\{p,q\}$, $\{q\}$, $\{p\}$ of their target states; the automaton $B_{\neg\varphi}$ for $\neg\varphi = F\neg q$ with states $q_0$ and $q_1$, a loop on $q_0$, the transition $q_0 \xrightarrow{\neg q} q_1$ (or, over letters, on $\emptyset$ and $\{p\}$) and a loop on $q_1$; and the product $B_M \times B_{\neg\varphi}$ with states $q_{0,0}$, $q_{1,0}$, $q_{2,0}$, $q_{3,1}$, $q_{2,1}$. The diagrams did not survive text extraction.]
$M \not\models \varphi$; counterexample $C$: $q_{0,0} \xrightarrow{\{p,q\}} q_{0,1} \xrightarrow{\{q\}} q_{2,0} \xrightarrow{\{p\}} q_{3,1} \xrightarrow{\{q\}} q_{2,1} \xrightarrow{\{p\}} q_{3,1}$
LTL model checking: Gerth's algorithm for LTL to Büchi automata

Gerth's algorithm for LTL to Büchi automata

Each state of the automaton will store a set of properties that should be satisfied on paths starting at that state, to be stored in lists called Old (already processed) and New (to be processed)
The initial state starts with a single successor having New $= \{\varphi\}$, for the formula $\varphi$ to be translated by way of repeated expansions
Each state will also store a set of properties which should be satisfied on paths starting at the next states of that state, to be stored in the list Next
Incoming transitions for a state are stored in the Incoming list
Key formulae to be used for processing formulae in New: $f\,U\,g$ using $g \vee (f \wedge X(f\,U\,g))$; $f\,R\,g$ using $g \wedge (f \vee X(f\,R\,g))$
$\bot$ and $\neg a$, $a \in AP$, subformulae in New are handled by discarding such nodes, as they can never model any formula
$\top$ and $a$, $a \in AP$, subformulae in New are handled by moving them from New to Old
Availability of an $\langle$Old, Next$\rangle$ pair from earlier expansions is used to avoid duplicate and non-terminating node expansions
LTL model checking: Gerth's algorithm for LTL to Büchi automata

Identifying transitions and accepting states

It is assumed, without loss of generality, that the formula being translated is in NNF
Every node promising $\mu = \varphi\,U\,\psi$ has one successor promising $\psi$ and a second successor promising $\varphi$ and $X(\varphi\,U\,\psi)$
evidence of the promise is present in the Old fields
on termination of the algorithm the New fields become empty
Need to avoid $\omega$-loops through $\varphi$ paths that do not visit $\psi$, as such paths are not models for $\varphi\,U\,\psi$
$F_{\varphi U \psi} = \{\, q \in Q \mid (\varphi\,U\,\psi) \notin \mathrm{Old}(q) \text{ or } \psi \in \mathrm{Old}(q) \,\}$
Similar consideration not needed for $\varphi\,R\,\psi$
$\mathcal{F} = \{F_\mu\}$ for each sub-formula $\mu = \varphi\,U\,\psi$ of the LTL formula for which the NDBA is being constructed
LTL model checking: Motivating example of Gerth's algorithm

Motivating example of Gerth's algorithm

Example (Translation of $p\,U\,q$ by expand(node, nodeList))
Each node lists N (New), I (Incoming), O (Old) and X (Next); the expand call is shown alongside.
$n_1$: N $= \{p\,U\,q\}$, I $= \{I\}$, O $= \emptyset$, X $= \emptyset$;  expand($n_1$, $\emptyset$)
$n_2$: N $= \{p\}$, I $= \{I\}$, O $= \{p\,U\,q\}$, X $= \{p\,U\,q\}$ and $n_3$: N $= \{q\}$, I $= \{I\}$, O $= \{p\,U\,q\}$, X $= \emptyset$;  expand($n_3$, expand($n_2$, $\emptyset$))
$n_4$: N $= \emptyset$, I $= \{I\}$, O $= \{p, p\,U\,q\}$, X $= \{p\,U\,q\}$;  expand($n_4$, $\emptyset$)
$n_5$: N $= \{p\,U\,q\}$, I $= \{n_4\}$, O $= \emptyset$, X $= \emptyset$;  expand($n_5$, $\{n_4\}$)
$n_6$: N $= \{p\}$, I $= \{n_4\}$, O $= \{p\,U\,q\}$, X $= \{p\,U\,q\}$ and $n_7$: N $= \{q\}$, I $= \{n_4\}$, O $= \{p\,U\,q\}$, X $= \emptyset$;  expand($n_7$, expand($n_6$, $\{n_4\}$))
$n_8$: N $= \emptyset$, I $= \{n_4\}$, O $= \{p, p\,U\,q\}$, X $= \{p\,U\,q\}$;  expand($n_8$, $\{n_4\}$)
LTL model checking: Motivating example of Gerth's algorithm

Motivating example of Gerth's algorithm (contd.)

Example (Translation of $p\,U\,q$ by expand(node, nodeList) (contd.))
$n_4$: N $= \emptyset$, I $= \{I, n_4\}$, O $= \{p, p\,U\,q\}$, X $= \{p\,U\,q\}$;  expand($n_7$, $\{n_4\}$)
$n_9$: N $= \emptyset$, I $= \{n_4\}$, O $= \{q, p\,U\,q\}$, X $= \emptyset$;  expand($n_9$, $\{n_4\}$)
$n_{10}$: N $= \emptyset$, I $= \{n_9\}$, O $= \emptyset$, X $= \emptyset$;  expand($n_{10}$, $\{n_4, n_9\}$)
$n_{11}$: N $= \emptyset$, I $= \{n_{10}\}$, O $= \emptyset$, X $= \emptyset$;  expand($n_{11}$, $\{n_4, n_9, n_{10}\}$)
$n_{10}$: N $= \emptyset$, I $= \{n_9, n_{10}\}$, O $= \emptyset$, X $= \emptyset$;  expand($n_3$, $\{n_4, n_9, n_{10}\}$)
$n_{12}$: N $= \emptyset$, I $= \{I\}$, O $= \{q, p\,U\,q\}$, X $= \emptyset$;  expand($n_{12}$, $\{n_4, n_9, n_{10}\}$)
$n_9$: N $= \emptyset$, I $= \{n_4, I\}$, O $= \{q, p\,U\,q\}$, X $= \emptyset$;  node list $\{n_4, n_9, n_{10}\}$
LTL model checking: Motivating example of Gerth's algorithm

Motivating example of Gerth's algorithm (contd.)

Example (Translation of $p\,U\,q$ by expand(node, nodeList) (contd.))
[Figure: the resulting automaton. $n_4$ (N $= \emptyset$, I $= \{I, n_4\}$, O $= \{p, p\,U\,q\}$, X $= \{p\,U\,q\}$) is entered from $I$ and from itself on $\{\{p\}, \{p,q\}\}$; $n_9$ (N $= \emptyset$, I $= \{n_4, I\}$, O $= \{q, p\,U\,q\}$, X $= \emptyset$) is entered from $I$ and from $n_4$ on $\{\{q\}, \{p,q\}\}$; $n_{10}$ (N $= \emptyset$, I $= \{n_9, n_{10}\}$, O $= \emptyset$, X $= \emptyset$) is entered from $n_9$ and from itself on $\mathcal{P}(\{p,q\})$. The diagram did not survive text extraction.]
$\varphi = p\,U\,q$,  $\Sigma = \mathcal{P}(\{p,q\})$,  $I = \{I\}$
$AP = \{p, q\}$,  $Q = \{I, n_4, n_9, n_{10}\}$,  $\mathcal{F} = \{\{n_9, n_{10}\}\}$
LTL model checking: Pseudocode for Gerth's algorithm

Pseudocode for Gerth's algorithm I

translate(f) { expand([Incoming ← {I}, Old ← ∅, New ← {f}, Next ← ∅], ∅) }
expand(q, NodeList) {
    if q.New is empty then
        if there exists a node r in NodeList s.t. r.Old = q.Old and r.Next = q.Next
        then    // avoid duplicate expansions by checking Old and Next
            r.Incoming ← q.Incoming ∪ r.Incoming;
            return(NodeList);
        else    // prepare for further expansions from q.Next
            create a new node r and set
                r.Incoming ← {q}, r.Old ← ∅, r.New ← q.Next, r.Next ← ∅;
            return expand(r, NodeList ∪ {q});
    else        // q.New is not empty
        pick a formula f from q.New
        q.New ← q.New \ {f};    // remove f from q.New
        if f is already in q.Old then    // f is already handled, so carry on
            return expand(q, NodeList);
LTL model checking: Pseudocode for Gerth's algorithm

Pseudocode for Gerth's algorithm II

        else if (f ∈ AP or ¬(f) ∈ AP or f ∈ {⊤, ⊥})    // base cases
            then if (f ≡ ⊥ or ¬(f) ∈ q.Old) then return(NodeList);    // ⊭ f, carry on
            else create a node r and set    // move f from New to Old
                r.Incoming ← q.Incoming;
                r.Old ← q.Old ∪ {f};
                r.New ← q.New;    // with f removed from q.New
                r.Next ← q.Next;
                return expand(r, NodeList);
        else if (f ≡ h ∨ k)    // h ∨ k removed from q.New
            create two nodes r and s s.t.
                r.Incoming ← s.Incoming ← q.Incoming;
                r.Old ← s.Old ← q.Old ∪ {h ∨ k};
                r.New ← q.New ∪ {h};
                s.New ← q.New ∪ {k};
                r.Next ← s.Next ← q.Next;
                return expand(s, expand(r, NodeList));
LTL model checking: Pseudocode for Gerth's algorithm

Pseudocode for Gerth's algorithm III

        else if (f ≡ h ∧ k)    // h ∧ k removed from q.New
            create a node r and set
                r.Incoming ← q.Incoming;
                r.Old ← q.Old ∪ {h ∧ k};
                r.New ← q.New ∪ {h} ∪ {k};
                r.Next ← q.Next;
                return expand(r, NodeList);
        else if (f ≡ X h)    // X h removed from q.New
            create a node r and set
                r.Incoming ← q.Incoming;
                r.Old ← q.Old ∪ {X h};
                r.New ← q.New;
                r.Next ← q.Next ∪ {h};
                return expand(r, NodeList);
LTL model checking: Pseudocode for Gerth's algorithm

Pseudocode for Gerth's algorithm IV

        else if (f ≡ h U k)    // using h U k ≡ k ∨ (h ∧ X(h U k))
            create two nodes r and s and set
                r.Incoming ← s.Incoming ← q.Incoming;
                r.Old ← s.Old ← q.Old ∪ {h U k};
                r.New ← q.New ∪ {h};    // h U k removed from q.New
                s.New ← q.New ∪ {k};
                r.Next ← q.Next ∪ {h U k}; s.Next ← q.Next;
                return expand(s, expand(r, NodeList));
        else if (f ≡ h R k)    // using h R k ≡ (k ∧ h) ∨ (k ∧ X(h R k))
            create two nodes r and s and set
                r.Incoming ← s.Incoming ← q.Incoming;
                r.Old ← s.Old ← q.Old ∪ {h R k};
                r.New ← q.New ∪ {h, k};    // h R k removed from q.New
                s.New ← q.New ∪ {k};
                r.Next ← q.Next; s.Next ← q.Next ∪ {h R k};
                return expand(s, expand(r, NodeList));
}
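The expand procedure of the four pseudocode slides above, as an added Python example (not the slides' own code). Formulas are NNF nested tuples, the node fields follow the pseudocode, and the transition labels and acceptance sets are read off as on the "Identifying transitions and accepting states" slide; the class and function names are this example's own.

```python
import itertools

# NNF formulas as nested tuples: ('ap', 'p'), ('neg', 'p'), ('true',),
# ('false',), ('or', f, g), ('and', f, g), ('X', f), ('U', f, g), ('R', f, g).


class Node:
    """One node of the construction with its Incoming, Old, New, Next fields."""
    ids = itertools.count(1)

    def __init__(self, incoming, old, new, nxt):
        self.id = next(Node.ids)
        self.incoming, self.old = set(incoming), set(old)
        self.new, self.nxt = set(new), set(nxt)

    def derive(self, old=(), new=(), nxt=()):
        # fresh node copied from self with formulas added to Old / New / Next
        return Node(self.incoming, self.old | set(old),
                    self.new | set(new), self.nxt | set(nxt))


def negate(lit):
    """NNF negation of a literal or constant (the only negations that occur)."""
    kind = lit[0]
    if kind in ("ap", "neg"):
        return ("neg" if kind == "ap" else "ap", lit[1])
    return ("false",) if kind == "true" else ("true",)


def expand(q, nodes):
    """expand(q, NodeList) of the pseudocode; returns the updated node list."""
    if not q.new:
        for r in nodes:             # same Old and Next: merge, do not duplicate
            if r.old == q.old and r.nxt == q.nxt:
                r.incoming |= q.incoming
                return nodes
        return expand(Node({q.id}, (), q.nxt, ()), nodes + [q])
    f = q.new.pop()                 # pick a formula and remove it from New
    if f in q.old:
        return expand(q, nodes)
    kind = f[0]
    if kind in ("true", "false", "ap", "neg"):              # base cases
        if kind == "false" or negate(f) in q.old:
            return nodes            # the node can never model f: discard it
        return expand(q.derive(old=[f]), nodes)
    h = f[1]
    k = f[2] if len(f) > 2 else None
    if kind == "or":
        return expand(q.derive(old=[f], new=[k]),
                      expand(q.derive(old=[f], new=[h]), nodes))
    if kind == "and":
        return expand(q.derive(old=[f], new=[h, k]), nodes)
    if kind == "X":
        return expand(q.derive(old=[f], nxt=[h]), nodes)
    if kind == "U":                 # h U k == k or (h and X(h U k))
        r = q.derive(old=[f], new=[h], nxt=[f])
        s = q.derive(old=[f], new=[k])
        return expand(s, expand(r, nodes))
    if kind == "R":                 # h R k == (k and h) or (k and X(h R k))
        r = q.derive(old=[f], new=[h, k])
        s = q.derive(old=[f], new=[k], nxt=[f])
        return expand(s, expand(r, nodes))
    raise ValueError("unknown connective: %r" % (kind,))


def translate(formula):
    """Returns (nodes, transitions, acc_sets). A transition (src, dst,
    atoms_required, atoms_forbidden) is read off dst's Old; src 'init' is the
    slides' dummy initial node I. One acceptance set per U-subformula:
    F_{hUk} = {q | hUk not in Old(q) or k in Old(q)}."""
    Node.ids = itertools.count(1)   # restart node numbering for each formula
    nodes = expand(Node({"init"}, (), [formula], ()), [])
    transitions = [(src, q.id,
                    frozenset(g[1] for g in q.old if g[0] == "ap"),
                    frozenset(g[1] for g in q.old if g[0] == "neg"))
                   for q in nodes for src in q.incoming]
    untils = sorted({g for q in nodes for g in q.old if g[0] == "U"}, key=str)
    acc_sets = [{q.id for q in nodes if u not in q.old or u[2] in q.old}
                for u in untils]
    return nodes, transitions, acc_sets


if __name__ == "__main__":
    nodes, trans, acc = translate(("U", ("ap", "p"), ("ap", "q")))
    for n in nodes:
        print(n.id, "Incoming", sorted(map(str, n.incoming)), "Old", n.old, "Next", n.nxt)
    print("transitions", trans, "acceptance", acc)
```

Run on $p\,U\,q$ this yields the three nodes of the slides' example (Old sets $\{p, p\,U\,q\}$, $\{q, p\,U\,q\}$ and $\emptyset$) and one acceptance set containing the latter two; on $p\,R\,q$ it yields three nodes and no non-trivial acceptance set.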
LTL model checking: Another illustration of Gerth's algorithm

Another illustration of Gerth's algorithm

Example (Translation of $p\,R\,q$ by expand(node, nodeList))
Each node lists N (New), I (Incoming), O (Old) and X (Next); the expand call is shown alongside.
$n_1$: N $= \{p\,R\,q\}$, I $= \{I\}$, O $= \emptyset$, X $= \emptyset$;  expand($n_1$, $\emptyset$)
$n_2$: N $= \{q\}$, I $= \{I\}$, O $= \{p\,R\,q\}$, X $= \{p\,R\,q\}$ and $n_3$: N $= \{p \wedge q\}$, I $= \{I\}$, O $= \{p\,R\,q\}$, X $= \emptyset$;  expand($n_3$, expand($n_2$, $\emptyset$))
$n_4$: N $= \emptyset$, I $= \{I\}$, O $= \{q, p\,R\,q\}$, X $= \{p\,R\,q\}$;  expand($n_4$, $\emptyset$)
$n_5$: N $= \{p\,R\,q\}$, I $= \{n_4\}$, O $= \emptyset$, X $= \emptyset$;  expand($n_5$, $\{n_4\}$)
$n_6$: N $= \{q\}$, I $= \{n_4\}$, O $= \{p\,R\,q\}$, X $= \{p\,R\,q\}$ and $n_7$: N $= \{p \wedge q\}$, I $= \{n_4\}$, O $= \{p\,R\,q\}$, X $= \emptyset$;  expand($n_7$, expand($n_6$, $\{n_4\}$))
$n_8$: N $= \emptyset$, I $= \{n_4\}$, O $= \{q, p\,R\,q\}$, X $= \{p\,R\,q\}$;  expand($n_8$, $\{n_4\}$)
LTL model checking: Another illustration of Gerth's algorithm

Another illustration of Gerth's algorithm (contd.)

Example (Translation of $p\,R\,q$ by expand(node, nodeList) (contd.))
$n_4$: N $= \emptyset$, I $= \{I, n_4\}$, O $= \{q, p\,R\,q\}$, X $= \{p\,R\,q\}$;  expand($n_7$, $\{n_4\}$)
$n_9$: N $= \{p, q\}$, I $= \{n_4\}$, O $= \{p \wedge q, p\,R\,q\}$, X $= \emptyset$;  expand($n_9$, $\{n_4\}$)
$n_{10}$: N $= \{q\}$, I $= \{n_4\}$, O $= \{p, p \wedge q, p\,R\,q\}$, X $= \emptyset$;  expand($n_{10}$, $\{n_4\}$)
$n_{11}$: N $= \emptyset$, I $= \{n_4\}$, O $= \{p, q, p \wedge q, p\,R\,q\}$, X $= \emptyset$;  expand($n_{11}$, $\{n_4\}$)
$n_{12}$: N $= \emptyset$, I $= \{n_{11}\}$, O $= \emptyset$, X $= \emptyset$;  expand($n_{12}$, $\{n_4, n_{11}\}$)
$n_{13}$: N $= \emptyset$, I $= \{n_{12}\}$, O $= \emptyset$, X $= \emptyset$;  expand($n_{13}$, $\{n_4, n_{11}, n_{12}\}$)
$n_{12}$: N $= \emptyset$, I $= \{n_{11}, n_{12}\}$, O $= \emptyset$, X $= \emptyset$;  expand($n_3$, $\{n_4, n_{11}, n_{12}\}$)
LTL model checking: Another illustration of Gerth's algorithm

Another illustration of Gerth's algorithm (contd.)

Example (Translation of $p\,R\,q$ by expand(node, nodeList) (contd.))
$n_{14}$: N $= \{p, q\}$, I $= \{I\}$, O $= \{p \wedge q, p\,R\,q\}$, X $= \emptyset$;  expand($n_{14}$, $\{n_4, n_{11}, n_{12}\}$)
$n_{15}$: N $= \{q\}$, I $= \{I\}$, O $= \{p, p \wedge q, p\,R\,q\}$, X $= \emptyset$;  expand($n_{15}$, $\{n_4, n_{11}, n_{12}\}$)
$n_{16}$: N $= \emptyset$, I $= \{I\}$, O $= \{p, q, p \wedge q, p\,R\,q\}$, X $= \emptyset$;  expand($n_{16}$, $\{n_4, n_{11}, n_{12}\}$)
$n_{11}$: N $= \emptyset$, I $= \{n_4, I\}$, O $= \{p, q, p \wedge q, p\,R\,q\}$, X $= \emptyset$;  node list $\{n_4, n_{11}, n_{12}\}$
LTL model checking: Another illustration of Gerth's algorithm

Another illustration of Gerth's algorithm (contd.)

Example (Translation of $p\,R\,q$ by expand(node, nodeList) (contd.))
[Figure: the resulting automaton. $n_{11}$ (N $= \emptyset$, I $= \{n_4, I\}$, O $= \{p, q, p \wedge q, p\,R\,q\}$, X $= \emptyset$) is entered from $I$ and from $n_4$ on $\{\{p,q\}\}$; $n_4$ (N $= \emptyset$, I $= \{I, n_4\}$, O $= \{q, p\,R\,q\}$, X $= \{p\,R\,q\}$) is entered from $I$ and from itself on $\{\{q\}, \{p,q\}\}$; $n_{12}$ (N $= \emptyset$, I $= \{n_{11}, n_{12}\}$, O $= \emptyset$, X $= \emptyset$) is entered from $n_{11}$ and from itself on $\mathcal{P}(\{p,q\})$. The diagram did not survive text extraction.]
$\varphi = p\,R\,q$,  $\Sigma = \mathcal{P}(\{p,q\})$,  $I = \{I\}$
$AP = \{p, q\}$,  $Q = \{I, n_4, n_{11}, n_{12}\}$,  $\mathcal{F} = \{\{n_4, n_{11}, n_{12}\}\}$
For formulae without $U$, the set of final states is trivial and does not have to be added to $\mathcal{F}$
LTL model checking: Double DFS for LTL MC

Double DFS for LTL MC

dfs1(v) {
    add v to visited
    for all w ∈ succ(v) {
        if w ∉ visited then dfs1(w)
    }
    if v ∈ F then add v to Q    // final states are queued in post-order
}
sweep2(Q) {
    while (Q is not empty) {
        f ← dequeue(Q)
        dfs2(f, f)
    }
    exit(failure)
}
dfs2(v, f) {    // do DFS from v until f is reached
    add v to visited
    for all w ∈ succ(v) {
        if w = f then exit(success)
        else if w ∉ visited then dfs2(w, f)
    }
}
ddfs(v) {
    Q ← ∅
    visited ← ∅
    dfs1(v)      // find the final states
    visited ← ∅
    sweep2(Q)    // find cycle with a final state
}
LTL model checking: Nested DFS for LTL MC

Nested DFS for LTL MC

dfs1(v) {
    add (v,0) to visited           // mark in-stack
    for all w ∈ succ(v) {
        if (w,0) ∉ visited and (w,2) ∉ visited then dfs1(w)
    }
    if v ∈ F then dfs2(v)
    (v,0) ← (v,2)                  // out of stack
}
dfs2(v) {                          // do DFS from v until a loop is reached
    add (v,1) to visited           // mark in-stack
    for all w ∈ succ(v) {
        if (w,0) ∈ visited or (w,1) ∈ visited then exit(success)
        else if (w,1) ∉ visited and (w,3) ∉ visited then dfs2(w)
    }
    (v,1) ← (v,3)                  // out of stack
}
ndfs(v) {
    visited ← ∅
    dfs1(v)
}
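An added Python example (not the slides' code) that runs the whole LTL model checking route described on the slides above: the Kripke structure is turned into $B_M$ by the "Büchi automata construction" slide, the product with $B_{\neg\varphi}$ is built as on the "Product of Büchi automata" slide (exploiting $F_M = Q$), and the nested DFS of this slide, in its classic form where the inner search looks for a path back to the final state it started from, reports an accepting lasso. The model $M$ is constructed here after the $G\,q$ example (states $q_0$ to $q_3$ with labels $\{p,q\}$, $\{p,q\}$, $\{q\}$, $\{p\}$); its edge set, the hand-written automata for $F\neg q$, $G\neg q$ and $F\,G\,\neg q$ and all helper names are this example's own assumptions.

```python
from collections import defaultdict

# Letters are subsets of AP = {p, q}; an automaton is a tuple
# (states, delta, initial, final) with delta: (state, letter) -> set of states.
ALPHABET = [frozenset(x) for x in ((), ("p",), ("q",), ("p", "q"))]

# Constructed model M, patterned on the slides' G q example; the edge set is
# an assumption since the slide's diagram did not survive extraction.
M_STATES = ["q0", "q1", "q2", "q3"]
M_INIT = ["q0"]
M_EDGES = [("q0", "q0"), ("q0", "q1"), ("q0", "q2"), ("q1", "q1"),
           ("q2", "q3"), ("q3", "q2")]
M_LABEL = {"q0": frozenset("pq"), "q1": frozenset("pq"),
           "q2": frozenset("q"), "q3": frozenset("p")}


def kripke_to_nba(states, init, edges, label):
    """s --a--> s' iff s -> s' and a = L(s'); a fresh state s_A feeds the
    initial states; every state is final."""
    delta = defaultdict(set)
    for s in init:
        delta[("s_A", label[s])].add(s)
    for s, t in edges:
        delta[(s, label[t])].add(t)
    all_states = set(states) | {"s_A"}
    return all_states, delta, {"s_A"}, all_states


def prop_nba(states, init, finals, rules):
    """NBA from rules (src, guard, dst), guard a predicate on letters,
    expanded over the finite alphabet."""
    delta = defaultdict(set)
    for src, guard, dst in rules:
        for a in ALPHABET:
            if guard(a):
                delta[(src, a)].add(dst)
    return set(states), delta, set(init), set(finals)


ANY = lambda a: True
NO_Q = lambda a: "q" not in a
# B_{F not q}, negation of G q: wait, then read one q-free letter.
B_F_NOT_Q = prop_nba(["b0", "b1"], ["b0"], ["b1"],
                     [("b0", ANY, "b0"), ("b0", NO_Q, "b1"), ("b1", ANY, "b1")])
# B_{G not q}, negation of F q: only q-free letters can ever be read.
B_G_NOT_Q = prop_nba(["c0"], ["c0"], ["c0"], [("c0", NO_Q, "c0")])
# B_{F G not q}, negation of G F q: from some point on only q-free letters.
B_FG_NOT_Q = prop_nba(["d0", "d1"], ["d0"], ["d1"],
                      [("d0", ANY, "d0"), ("d0", NO_Q, "d1"), ("d1", NO_Q, "d1")])


def product(bm, bneg):
    """B_M x B_{not phi}. Every B_M state is final, so the GNBA acceptance
    {Q_M x Q_B, Q_M x F_B} collapses to Q_M x F_B: the product is an NBA,
    returned as (succ, initial, final)."""
    qm, dm, im, _ = bm
    qb, db, ib, fb = bneg
    succ = defaultdict(set)
    for (s, a), ts in dm.items():
        for b in qb:
            for b2 in db.get((b, a), ()):
                succ[(s, b)].update((t, b2) for t in ts)
    return succ, {(s, b) for s in im for b in ib}, {(s, b) for s in qm for b in fb}


def nested_dfs(succ, initial, final):
    """dfs1 reaches final states in post-order; at each one dfs2 looks for a
    path back to it. Returns (prefix, cycle) over product states, or None
    when the product language is empty."""
    visited1, visited2, stack = set(), set(), []

    def dfs2(seed, v):
        visited2.add(v)
        for w in succ.get(v, ()):
            if w == seed:
                return [v]
            if w not in visited2:
                path = dfs2(seed, w)
                if path is not None:
                    return [v] + path
        return None

    def dfs1(v):
        visited1.add(v)
        stack.append(v)
        for w in succ.get(v, ()):
            if w not in visited1:
                found = dfs1(w)
                if found is not None:
                    return found
        if v in final:
            cycle = dfs2(v, v)
            if cycle is not None:
                return list(stack), cycle
        stack.pop()
        return None

    for s in initial:
        if s not in visited1:
            found = dfs1(s)
            if found is not None:
                return found
    return None


def model_check(bneg):
    """Counterexample lasso for M against the property whose negation is
    bneg, or None when M satisfies the property."""
    bm = kripke_to_nba(M_STATES, M_INIT, M_EDGES, M_LABEL)
    return nested_dfs(*product(bm, bneg))


if __name__ == "__main__":
    for name, bneg in (("G q", B_F_NOT_Q), ("F q", B_G_NOT_Q), ("G F q", B_FG_NOT_Q)):
        print(name, model_check(bneg) or "holds")
```

As on the slides, $G\,q$ fails with a lasso that cycles between $q_2$ and $q_3$ once the property automaton has seen a $q$-free letter, while $F\,q$ and $G\,F\,q$ hold because the respective products have no accepting cycle.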
LTL model checking: Illustration of LTL MC via Gerth's algorithm

Illustration of LTL MC via Gerth's algorithm

Example (Checking $G\neg q$ on $M$ with $B_{\neg G \neg q} \equiv B_{F q} \equiv B_{\top U q}$)
[Figure: the automaton produced for $\top\,U\,q$ with initial node $q_0$ and nodes (N = New, I = Incoming, O = Old, X = Next):
$q_1$: N $= \emptyset$, I $= \{q_0, q_1\}$, O $= \{\top, \top\,U\,q\}$, X $= \{\top\,U\,q\}$, entered on $\mathcal{P}(\{p,q\})$;
$q_2$: N $= \emptyset$, I $= \{q_1, q_0\}$, O $= \{\top, \top\,U\,q\}$, X $= \emptyset$, entered on $\{\{q\}, \{p,q\}\}$;
$q_3$: N $= \emptyset$, I $= \{q_2, q_3\}$, O $= \emptyset$, X $= \emptyset$, entered on $\mathcal{P}(\{p,q\})$.
$B_M$: states $q_0$, $q_1$, $q_2$, $q_3$ with transitions labelled $\{p,q\}$, $\{p\}$ and $\{q\}$.
Part of $B_M \times B_{\top U q}$: $q_{0,0}$, $q_{1,2}$, $q_{1,3}$ with transitions labelled $\{p,q\}$. The diagrams did not survive text extraction.]
LTL model checking: Illustration of LTL MC via Gerth's algorithm

Illustration of LTL MC via Gerth's algo. (contd.)

Example (Checking $F\,q$ on $M$ with $B_{\neg F q} \equiv B_{G \neg q} \equiv B_{\bot R \neg q}$)
[Figure: the automaton for $\bot\,R\,\neg q$ has, besides the initial node $q_0$, the single node $q_1$: N $= \emptyset$, I $= \{q_0, q_1\}$, O $= \{\neg q, \bot\,R\,\neg q\}$, X $= \{\bot\,R\,\neg q\}$, entered from $q_0$ and from itself on $\{\emptyset, \{p\}\}$.
$B_M$: states $q_0$, $q_1$, $q_2$, $q_3$ with transitions labelled $\{p,q\}$, $\{p\}$ and $\{q\}$.
$B_M \times B_{\bot R \neg q}$: only $q_{0,0}$. The diagrams did not survive text extraction.]
$L(B_M \times B_{\bot R \neg q}) = \emptyset$, hence $M \models F\,q$
LTL model checking: Illustration of LTL MC via Gerth's algorithm

NBA for $\neg G\,F\,q$ by Gerth's algorithm

Example (Translation of $\neg G\,F\,q \equiv F\,G\,\neg q \equiv \top\,U\,(\bot\,R\,\neg q)$)
Each node lists N (New), I (Incoming), O (Old) and X (Next); the expand call is shown alongside.
$n_1$: N $= \{\top\,U\,(\bot\,R\,\neg q)\}$, I $= \{I\}$, O $= \emptyset$, X $= \emptyset$;  expand($n_1$, $\emptyset$)
$n_2$: N $= \{\top\}$, I $= \{I\}$, O $= \{\top\,U\,(\bot\,R\,\neg q)\}$, X $= \{\top\,U\,(\bot\,R\,\neg q)\}$
$n_3$: N $= \{\bot\,R\,\neg q\}$, I $= \{I\}$, O $= \{\top\,U\,(\bot\,R\,\neg q)\}$, X $= \emptyset$;  expand($n_3$, expand($n_2$, $\emptyset$))
$n_4$: N $= \emptyset$, I $= \{I\}$, O $= \{\top, \top\,U\,(\bot\,R\,\neg q)\}$, X $= \{\top\,U\,(\bot\,R\,\neg q)\}$;  expand($n_4$, $\emptyset$)
$n_5$: N $= \{\top\,U\,(\bot\,R\,\neg q)\}$, I $= \{n_4\}$, O $= \emptyset$, X $= \emptyset$;  expand($n_5$, $\{n_4\}$)
$n_6$: N $= \{\top\}$, I $= \{n_4\}$, O $= \{\top\,U\,(\bot\,R\,\neg q)\}$, X $= \{\top\,U\,(\bot\,R\,\neg q)\}$
$n_7$: N $= \{\bot\,R\,\neg q\}$, I $= \{n_4\}$, O $= \{\top\,U\,(\bot\,R\,\neg q)\}$, X $= \emptyset$;  expand($n_7$, expand($n_6$, $\{n_4\}$))
LTL model checking: Illustration of LTL MC via Gerth's algorithm

NBA for $\neg G\,F\,q$ by Gerth's algorithm (contd.)

Example (Translation of $\neg G\,F\,q \equiv F\,G\,\neg q \equiv \top\,U\,(\bot\,R\,\neg q)$ (contd.))
$n_8$: N $= \emptyset$, I $= \{n_4\}$, O $= \{\top, \top\,U\,(\bot\,R\,\neg q)\}$, X $= \{\top\,U\,(\bot\,R\,\neg q)\}$;  expand($n_8$, $\{n_4\}$)
$n_4$: N $= \emptyset$, I $= \{I, n_4\}$, O $= \{\top, \top\,U\,(\bot\,R\,\neg q)\}$, X $= \{\top\,U\,(\bot\,R\,\neg q)\}$;  expand($n_7$, $\{n_4\}$)
$n_9$: N $= \{\bot \wedge \neg q \equiv \bot\}$, I $= \{n_4\}$, O $= \{\top\,U\,(\bot\,R\,\neg q), \bot\,R\,\neg q\}$, X $= \emptyset$
$n_{10}$: N $= \{\neg q\}$, I $= \{n_4\}$, O $= \{\top\,U\,(\bot\,R\,\neg q), \bot\,R\,\neg q\}$, X $= \{\bot\,R\,\neg q\}$;  expand($n_{10}$, expand($n_9$, $\{n_4\}$))
$n_{11}$: N $= \emptyset$, I $= \{n_4\}$, O $= \{\neg q, \top\,U\,(\bot\,R\,\neg q), \bot\,R\,\neg q\}$, X $= \{\bot\,R\,\neg q\}$;  expand($n_{11}$, $\{n_4\}$)
$n_{12}$: N $= \{\bot\,R\,\neg q\}$, I $= \{n_{11}\}$, O $= \emptyset$, X $= \emptyset$;  expand($n_{12}$, $\{n_4, n_{11}\}$)
LTL model checking: Illustration of LTL MC via Gerth's algorithm

NBA for $\neg G\,F\,q$ by Gerth's algorithm (contd.)

Example (Translation of $\neg G\,F\,q \equiv F\,G\,\neg q \equiv \top\,U\,(\bot\,R\,\neg q)$ (contd.))
$n_{13}$: N $= \{\bot \wedge \neg q \equiv \bot\}$, I $= \{n_{11}\}$, O $= \{\bot\,R\,\neg q\}$, X $= \emptyset$ and $n_{14}$: N $= \{\neg q\}$, I $= \{n_{11}\}$, O $= \{\bot\,R\,\neg q\}$, X $= \{\bot\,R\,\neg q\}$;  expand($n_{14}$, expand($n_{13}$, $\{n_4, n_{11}\}$))
$n_{15}$: N $= \emptyset$, I $= \{n_{11}\}$, O $= \{\neg q, \bot\,R\,\neg q\}$, X $= \{\bot\,R\,\neg q\}$;  expand($n_{15}$, $\{n_4, n_{11}\}$)
$n_{16}$: N $= \{\bot\,R\,\neg q\}$, I $= \{n_{15}\}$, O $= \emptyset$, X $= \emptyset$;  expand($n_{16}$, $\{n_4, n_{11}, n_{15}\}$)
$n_{17}$: N $= \{\bot \wedge \neg q \equiv \bot\}$, I $= \{n_{15}\}$, O $= \{\bot\,R\,\neg q\}$, X $= \emptyset$ and $n_{18}$: N $= \{\neg q\}$, I $= \{n_{15}\}$, O $= \{\bot\,R\,\neg q\}$, X $= \{\bot\,R\,\neg q\}$;  expand($n_{18}$, expand($n_{17}$, $\{n_4, n_{11}, n_{15}\}$))
$n_{19}$: N $= \emptyset$, I $= \{n_{15}\}$, O $= \{\neg q, \bot\,R\,\neg q\}$, X $= \{\bot\,R\,\neg q\}$;  expand($n_{19}$, $\{n_4, n_{11}, n_{15}\}$)
LTL model checking: Illustration of LTL MC via Gerth's algorithm

NBA for $\neg G\,F\,q$ by Gerth's algorithm (contd.)

Example (Translation of $\neg G\,F\,q \equiv F\,G\,\neg q \equiv \top\,U\,(\bot\,R\,\neg q)$ (contd.))
$n_{15}$: N $= \emptyset$, I $= \{n_{11}, n_{15}\}$, O $= \{\neg q, \bot\,R\,\neg q\}$, X $= \{\bot\,R\,\neg q\}$;  expand($n_3$, $\{n_4, n_{11}, n_{15}\}$)
$n_{20}$: N $= \{\bot \wedge \neg q \equiv \bot\}$, I $= \{I\}$, O $= \{\top\,U\,(\bot\,R\,\neg q), \bot\,R\,\neg q\}$, X $= \emptyset$
$n_{21}$: N $= \{\neg q\}$, I $= \{I\}$, O $= \{\top\,U\,(\bot\,R\,\neg q), \bot\,R\,\neg q\}$, X $= \{\bot\,R\,\neg q\}$;  expand($n_{21}$, expand($n_{20}$, $\{n_4, n_{11}, n_{15}\}$))
$n_{22}$: N $= \emptyset$, I $= \{I\}$, O $= \{\neg q, \top\,U\,(\bot\,R\,\neg q), \bot\,R\,\neg q\}$, X $= \{\bot\,R\,\neg q\}$;  expand($n_{22}$, $\{n_4, n_{11}, n_{15}\}$)
$n_{11}$: N $= \emptyset$, I $= \{I, n_4\}$, O $= \{\neg q, \top\,U\,(\bot\,R\,\neg q), \bot\,R\,\neg q\}$, X $= \{\bot\,R\,\neg q\}$;  node list $\{n_4, n_{11}, n_{15}\}$
LTL MC using B_M and B_{¬G F q} ≡ B_{F G ¬q} ≡ B_{⊤ U (⊥ R ¬q)}

Example (Checking via B_M × B_{¬G F q})

(Diagram of B_{¬G F q}, the automaton obtained from the expansion above.)
n4: N = ∅, I = {init, n4}; O = {⊤, ⊤ U (⊥ R ¬q)}, X = {⊤ U (⊥ R ¬q)}; transitions labelled P({p, q})
n11: N = ∅, I = {init, n4}; O = {¬q, ⊤ U (⊥ R ¬q), ⊥ R ¬q}, X = {⊥ R ¬q}; transitions labelled {∅, {p}} (the subsets of {p, q} consistent with ¬q)
n15: N = ∅, I = {n11, n15}; O = {¬q, ⊥ R ¬q}, X = {⊥ R ¬q}; transitions labelled {∅, {p}}

(Diagram of B_M: states q0, q1, q2, q3; the labels appearing are {p, q}, {p}, {p, q}, {q}.)
(Diagram of B_M × B_{¬G F q}: product states q_{0,0}, q_{1,2} with the label {p, q}.)

L(B_M × B_{¬G F q}) = ∅, so M ⊨ G F q

NB: (Non-trivial) final states for the U-subformula only shown, |F| = 2
Section outline

6 BDDs
  BDD reduction
  BDD operations
  Implementation aspects
  BDD extensions
  Compose using ITE
  Tautology checking using ITE
  Resolving ambiguities
  More general representation
  BDDs for sets and relations
Truth tables

Consider the Boolean function given below as a truth table

x1 x2 x3  f
0  0  0   0
0  0  1   0
0  1  0   0
0  1  1   1
1  0  0   0
1  0  1   1
1  1  0   0
1  1  1   1

It is a function of three variables
The truth table has $2^3 = 8$ entries
Size of the truth table is exponential in the number of variables
The function is relatively simple: $\bar{x}_1 x_2 x_3 + x_1 x_3$
Truth table representation for this function is inefficient
Algorithms working directly on truth tables would also be inefficient
Binary Decision Diagrams

x1  0 0 0 0 1 1 1 1
x2  0 0 1 1 0 0 1 1
x3  0 1 0 1 0 1 0 1
f   0 0 0 1 0 1 0 1

(Diagram: the full decision tree of f in the variable order x1, x2, x3: one x1 node, two x2 nodes, four x3 nodes and eight terminals 0 0 0 1 0 1 0 1; 0-branches on the left, 1-branches on the right.)

Nodes in the diagram are ordered
An OBDD derived from a truth table is a canonical representation
It is of exponential size
Has the drawbacks of a truth table representation
There is scope for simplifying the diagram
Reduction of Binary Decision Diagrams

Remove Duplicate Terminals: Eliminate all but one terminal vertex with a given label and redirect all arcs into the eliminated vertices to the remaining one.
Remove Duplicate Nonterminals: If nonterminal vertices u and v have var(u) = var(v), lo(u) = lo(v), and hi(u) = hi(v), then eliminate one of the two vertices and redirect all incoming arcs to the other vertex.
Remove Redundant Tests: If nonterminal vertex v has lo(v) = hi(v), then eliminate v and redirect all incoming arcs to lo(v).
Reduction of Binary Decision Diagrams (contd.)

(Diagram: the full decision tree of f: x1; x2, x2; x3, x3, x3, x3; terminals 0 0 0 1 0 1 0 1.)
Original OBDD
Reduction of Binary Decision Diagrams (contd.)

(Diagram: x1; x2, x2; x3, x3, x3, x3; a single 0 terminal and a single 1 terminal.)
Result of removing duplicate terminals
Reduction of Binary Decision Diagrams (contd.)

(Diagram: x1; x2, x2; two x3 nodes, the three identical x3 subgraphs having been merged; terminals 0 and 1.)
Result of removing duplicate non-terminals
Reduction of Binary Decision Diagrams (contd.)

(Diagram: x1 --0--> x2, x1 --1--> x3, x2 --0--> 0, x2 --1--> x3, x3 --0--> 0, x3 --1--> 1.)
Result of removing redundant tests
Reduction of Binary Decision Diagrams (contd.)

This is an ROBDD; the variable ordering is x1, x2, x3

Variable ordering can have a profound effect on the size of the ROBDD
An ROBDD is a compressed Shannon co-factoring tree
An ROBDD is a canonical representation of a Boolean function
It is often a compact representation of Boolean functions
There are some functions whose ROBDD representation is of exponential size for any variable ordering
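The reduction just walked through, as an added Python example that is not part of the slides: the full decision tree of the truth-table function f(x1, x2, x3) = x̄1 x2 x3 + x1 x3 is built and the three rules (duplicate terminals, duplicate nonterminals, redundant tests) are applied until nothing changes. The node encoding and function names are our own.

```python
from itertools import product

# Truth table of the slides' function f(x1, x2, x3) = ~x1 x2 x3 + x1 x3,
# keyed by the assignment (x1, x2, x3).
TRUTH_TABLE = {
    (0, 0, 0): 0, (0, 0, 1): 0, (0, 1, 0): 0, (0, 1, 1): 1,
    (1, 0, 0): 0, (1, 0, 1): 1, (1, 1, 0): 0, (1, 1, 1): 1,
}

# Node encoding (our own): ('T', value) for a terminal vertex,
# ('N', var, lo, hi) for a nonterminal; lo/hi are node ids in a dict.


def decision_tree(table, nvars):
    """Full OBDD for the truth table: one vertex per assignment prefix."""
    nodes = {}

    def build(prefix):
        nid = len(nodes)
        nodes[nid] = None               # reserve the id (numbering is top-down)
        if len(prefix) == nvars:
            nodes[nid] = ('T', table[prefix])
        else:
            lo = build(prefix + (0,))
            hi = build(prefix + (1,))
            nodes[nid] = ('N', len(prefix) + 1, lo, hi)   # variables are 1-based
        return nid

    return nodes, build(())


def reduce_obdd(nodes, root):
    """Apply the three reduction rules until none applies; returns (nodes, root)."""
    nodes = dict(nodes)

    def redirect(old, new):
        """Redirect every arc into `old` to `new`, then drop `old`."""
        nonlocal root
        for nid, (kind, *rest) in list(nodes.items()):
            if kind == 'N':
                v, lo, hi = rest
                nodes[nid] = ('N', v, new if lo == old else lo,
                              new if hi == old else hi)
        del nodes[old]
        if root == old:
            root = new

    changed = True
    while changed:
        changed = False
        # Rule 1: remove duplicate terminals (one vertex per label).
        seen = {}
        for nid in list(nodes):
            node = nodes[nid]
            if node[0] == 'T':
                if node[1] in seen:
                    redirect(nid, seen[node[1]])
                    changed = True
                else:
                    seen[node[1]] = nid
        # Rule 2: remove duplicate nonterminals (same var, lo and hi).
        seen = {}
        for nid in list(nodes):
            node = nodes[nid]
            if node[0] == 'N':
                if node in seen:
                    redirect(nid, seen[node])
                    changed = True
                else:
                    seen[node] = nid
        # Rule 3: remove redundant tests (lo == hi).
        for nid in list(nodes):
            node = nodes[nid]
            if node[0] == 'N' and node[2] == node[3]:
                redirect(nid, node[2])
                changed = True
    return nodes, root


def evaluate(nodes, root, assignment):
    """Follow the lo/hi arcs for an assignment tuple indexed by var - 1."""
    nid = root
    while nodes[nid][0] == 'N':
        _, v, lo, hi = nodes[nid]
        nid = hi if assignment[v - 1] else lo
    return nodes[nid][1]


def robdd_from_table(table, nvars):
    nodes, root = decision_tree(table, nvars)
    return reduce_obdd(nodes, root)


def same_function(nodes, root, table, nvars):
    """True iff the diagram agrees with the truth table on every assignment."""
    return all(evaluate(nodes, root, a) == table[a]
               for a in product((0, 1), repeat=nvars))


if __name__ == "__main__":
    tree, _ =決定 = decision_tree(TRUTH_TABLE, 3)
```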
ROBDD complexity for common function classes

Function Class                        Best         Worst
Symmetric                             linear       quadratic
Integer Addition (any bit)            linear       exponential
Integer Multiplication (middle bits)  exponential  exponential
Complementation of f

(Diagram: the ROBDD of f: x1 --0--> x2, x1 --1--> x3, x2 --0--> 0, x2 --1--> x3, x3 --0--> 0, x3 --1--> 1.)
f is to be complemented
Result of complementation: only the terminal values of 0 and 1 need to be interchanged
(Diagram: the same ROBDD with the terminals 0 and 1 swapped.)
Restriction of f

Restrict f so that x = k, denoted as: $f|_{x \leftarrow k}$

It has several uses, such as: Shannon expansion, Composition, where a function g is substituted for some variable x, Existential quantification and Universal quantification
Restriction of f on its ROBDD representation

(Diagram: ROBDD for f(x1, x2, x3), to be restricted as $f|_{x_1 \leftarrow 1}$.)
Branch for x1 = 0 is no longer needed, may be dropped, leading to redundancies
(Diagram: x1 keeps only its 1-branch to x3; the x2 subgraph is dropped.)
Result of further reduction to remove redundancies
(Diagram: the single node x3 with terminals 0 and 1, i.e. $f|_{x_1 \leftarrow 1} = x_3$.)
Restriction of f on its ROBDD representation

(Diagram: ROBDD for f(x1, x2, x3), to be restricted as $f|_{x_2 \leftarrow 0}$.)
Branch for x2 = 1 is no longer needed, may be dropped, leading to redundancies
(Diagram: the x2 node keeps only its 0-branch to the terminal 0.)
Result of further reduction to remove redundancies
(Diagram: x1 above x3 with terminals 0 and 1, i.e. $f|_{x_2 \leftarrow 0} = x_1 x_3$.)
Some Uses of Restriction

Shannon expansion: $f = \bar{x}\cdot f|_{x \leftarrow 0} + x\cdot f|_{x \leftarrow 1}$
Existential quantification: $\exists x\, f = f|_{x \leftarrow 0} + f|_{x \leftarrow 1}$
Universal quantification: $\forall x\, f = f|_{x \leftarrow 0}\cdot f|_{x \leftarrow 1}$
Composition, where a function g is substituted for some variable x: $f|_{x \leftarrow g} = \bar{g}\cdot f|_{x \leftarrow 0} + g\cdot f|_{x \leftarrow 1}$
Composition

Theorem: $f|_{x \leftarrow g} = \bar{g}\cdot f|_{x \leftarrow 0} + g\cdot f|_{x \leftarrow 1}$

Proof.
Here g is to be substituted for x in f
Let the support of g be $x_{j_1}, x_{j_2}, \ldots$
When g is 1 for some truth assignment of $x_{j_1}, x_{j_2}, \ldots$, f should be restricted to $x \leftarrow 1$, hence we get the clause $g\cdot f|_{x \leftarrow 1}$
Essentially means restrict f such that $x \leftarrow 1$ when g is 1
Similarly, when g is 0 for some truth assignment of $x_{j_1}, x_{j_2}, \ldots$, f should be restricted such that $x \leftarrow 0$, hence we get the clause $\bar{g}\cdot f|_{x \leftarrow 0}$, restricting f to $x \leftarrow 0$ when g is 0
Boolean operations on ROBDDs

Already seen how complementation is performed
What about other operations $f \lor g$, $f \land g$, $f \oplus g$, etc.?
Boolean difference $\frac{\partial f}{\partial x} = f_x \oplus f_{\bar{x}}$
If-then-else: $ITE(v, g, h) = v\cdot g + \bar{v}\cdot h \equiv \langle\langle v, g, h\rangle\rangle$, the building block of BDDs
$f \langle op\rangle g = \bar{x}\cdot(f|_{x \leftarrow 0} \langle op\rangle g|_{x \leftarrow 0}) + x\cdot(f|_{x \leftarrow 1} \langle op\rangle g|_{x \leftarrow 1})$
When leaf nodes are reached, value of operation is determined using the truth table of $\langle op\rangle$
Shared BDDs

Multiple functions can be represented as a multi-rooted DAG, sharing common nodes
Each root and its descendants form an ROBDD to represent a particular function
A global variable ordering is required
Good variable ordering for one function could be bad for another
ITE Representations for Functions

$ITE(f, g, h) \equiv f g + \bar{f} h$

Table  Name        Expr                     Equiv Form
0000   0           0                        0
0001   AND(f, g)   $f g$                    ITE(f, g, 0)
0010   f > g       $f \bar{g}$              ITE(f, $\bar{g}$, 0)
0011   f           f                        f
0100   f < g       $\bar{f} g$              ITE(f, 0, g)
0101   g           g                        g
0110   XOR(f, g)   $f \oplus g$             ITE(f, $\bar{g}$, g)
0111   OR(f, g)    $f + g$                  ITE(f, 1, g)
1000   NOR(f, g)   $\overline{f + g}$       ITE(f, 0, $\bar{g}$)
1001   XNOR(f, g)  $\overline{f \oplus g}$  ITE(f, g, $\bar{g}$)
1010   NOT(g)      $\bar{g}$                ITE(g, 0, 1)
1011   f ≥ g       $f + \bar{g}$            ITE(f, 1, $\bar{g}$)
1100   NOT(f)      $\bar{f}$                ITE(f, 0, 1)
1101   f ≤ g       $\bar{f} + g$            ITE(f, g, 1)
1110   NAND(f, g)  $\overline{f g}$         ITE(f, $\bar{g}$, 1)
1111   1           1                        1

ITE operator can realise any two-variable logic function
Each row corresponds to a subset of $\{\bar{f}\bar{g}, \bar{f}g, f\bar{g}, fg\}$ as indicated by the bit patterns
Each BDD node is stored in a unique-table with a global variable ordering to maintain canonicity of representation
Before introducing a node for $\langle v, g, h\rangle$, it is looked up in the UT; if present, the existing pointer to the node is used, otherwise a new node is added to the UT and its pointer returned
Cache for Construction of BDDs

The primitive item of storage is $R = \langle\langle v, R_G, R_H\rangle\rangle$ for $F = ITE(v, G, H)$

At each node F there is a variable v called the top variable of F
The top variable of a set of formulae is the smallest of the top variables of those formulae
Before a node $R = \langle\langle v, R_G, R_H\rangle\rangle$ for $F = ITE(v, G, H)$ is added to the BDD data base, it is looked up in the unique-table (UT)
If present, then the existing pointer to the node is used for the logic function
Otherwise, a new node is added to the UT and the new pointer returned
The unique-table allows a single multi-rooted DAG for all users' functions
Construction is done recursively, needing cofactor computation
Let $F \equiv ITE(w, G, H)$ and assume $v \le w$;
$F_v = F$ (if $v < w$) or $G$ (if $v = w$)
$F_{\bar{v}} = F$ (if $v < w$) or $H$ (if $v = w$)
Recursive ITE based ROBDD construction

Let v be the top most variable in the ordering
Base cases
$ITE(R_F, R_G, R_G) = R_G \equiv G$
$ITE(0, R_F, R_G) = R_G \equiv G$
$ITE(1, R_F, R_G) = R_F \equiv F$
$ITE(R_F, 1, 0) = R_F \equiv F$
Inductive cases
$ITE(R_F, R_G, R_H) \equiv FG + \bar{F}H$
$= v\,(FG + \bar{F}H)_v + \bar{v}\,(FG + \bar{F}H)_{\bar{v}}$
$= v\,(F_v G_v + \bar{F}_v H_v) + \bar{v}\,(F_{\bar{v}} G_{\bar{v}} + \bar{F}_{\bar{v}} H_{\bar{v}})$
$\equiv \langle\langle v, ITE(F_v, G_v, H_v), ITE(F_{\bar{v}}, G_{\bar{v}}, H_{\bar{v}})\rangle\rangle$
$= \langle\langle v, R_1, R_2\rangle\rangle$, where
$R_1 = ITE(R_{F_v}, R_{G_v}, R_{H_v})$
$R_2 = ITE(R_{F_{\bar{v}}}, R_{G_{\bar{v}}}, R_{H_{\bar{v}}})$
ITE algorithm

ITE(R_F, R_G, R_H) {
  if (called as (R_F, R_G, R_G) or (0, R_F, R_G) or (1, R_G, R_F) or (R_G, 1, 0)) {
    return R_G;
  } else if (computed table has entry ⟨⟨R_F, R_G, R_H⟩, R⟩) {
    return R;
  } else {
    let v be the top variable of {R_F, R_G, R_H};
    R1 ← ITE(R_{F_v}, R_{G_v}, R_{H_v});
    R2 ← ITE(R_{F_v̄}, R_{G_v̄}, R_{H_v̄});
    if R1 equals R2 return R1;
    R ← find_or_add_unique_table(⟨⟨v, R1, R2⟩⟩);
    insert_computed_table(⟨⟨R_F, R_G, R_H⟩, R⟩);
    return R;
  }
}
Complexities of common ROBDD operations

Operation    Complexity           Description
Reduce       O(|G|)               G is reduced to canonical form
Apply        O(|G1| · |G2|)       Any binary Boolean operator
Compose      O(|G1|^2 · |G2|)     Substitute g for x
Satisfy-one  O(n)                 Find one satisfying assignment of the n variables
Restrict     O(|G|)               Restrict a variable to a constant
Complement Edges

(Diagram, three stages: separate ROBDDs for G and $\bar{G}$, each with its own terminals 0 and 1 ("available" / "redundant"); G and $\bar{G}$ sharing one DAG, with $\bar{G}$ reached through a complement edge; finally the 0 terminal also dropped, being reached through a complement edge to the 1 terminal.)

ROBDD for both G and $\bar{G}$
Share with complement edge
Share leaf also with complement edge
Equivalences Arising from Complement Edges (1/4)

(Diagram: two v nodes, one with f and g as then/else children and a complemented result, the other with complemented children.)

$v f + \bar{v} g = \overline{v \bar{f} + \bar{v} \bar{g}} = \overline{v \bar{f}} \cdot \overline{\bar{v} \bar{g}}$
$= (\bar{v} + f)\cdot(v + g) = \bar{v} g + v f + f g$
$= \bar{v} g + v f + (v + \bar{v}) f g = \bar{v}(g + f g) + v(f + f g)$
$= \bar{v}(g(1 + f)) + v(f(1 + g)) = \bar{v} g + v f = v f + \bar{v} g$
Preference is given to the left equivalent form so that the then leg has no complement edge
Equivalences Arising from Complement Edges (2/4)

(Diagram: two equivalent node forms related by $v f + \bar{v} g = \overline{v \bar{f} + \bar{v} \bar{g}}$; which legs carry the complement edges is not recoverable.)
Preference is given to the left equivalent form so that the then leg has no complement edge
Compose using ITE

compose(F, v, G) {   // in F replace v with G: F(v, x){G(x)/v}
  // G, R_F1, R_F0 are not functions of v
  if topVar(F) > v return F;   // because F does not depend on v
  // Let F0 / F1 be the 0/1-child of F
  if topVar(F) = v return ITE(G, F1, F0);
  R_F1 ← compose(F1, v, G);
  R_F0 ← compose(F0, v, G);
  return ITE(topVar(F), R_F1, R_F0);
}
Tautology checking using ITE

ITEConst(F, G, H) {   // returns 0, 1, or X (nonConst)
  if (trivial_case(F, G, H)) return result (0, 1, or X);
  if (/* private */ computed table has entry ⟨⟨F, G, H⟩, X⟩) return X;
  let v ← topVar(F, G, H);
  T ← ITEConst(F_v, G_v, H_v);
  if (T ≠ 1 and T ≠ 0) {
    insert_computed_table(⟨⟨F, G, H⟩, X⟩);
    return X;   // nonConst
  }
  E ← ITEConst(F_v̄, G_v̄, H_v̄);
  if (E = X or E ≠ T) {   // else leg non-constant, or a constant different from T
    insert_computed_table(⟨⟨F, G, H⟩, X⟩);
    return X;   // nonConst
  }
  insert_computed_table(⟨⟨F, G, H⟩, E⟩);
  return E;   // both branches compute the same constant value
}
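An added Python example, not the slides' code: a small ROBDD package that implements the ITE algorithm with a unique table and a computed table, the compose routine of "Compose using ITE" and the ITEConst check of this slide, exercised on the function f = x̄1 x2 x3 + x1 x3 used throughout. The class, method names and terminal ids 0/1 are our own choices.

```python
class BDD:
    """ROBDD package: ids 0 and 1 are terminals; other ids are (var, lo, hi) nodes."""

    def __init__(self, nvars):
        self.nvars = nvars
        self.nodes = {0: (nvars + 1, 0, 0), 1: (nvars + 1, 1, 1)}  # id -> (var, lo, hi)
        self.unique = {}         # (var, lo, hi) -> id
        self.computed = {}       # (f, g, h) -> ITE result
        self.const_table = {}    # private computed table of ITEConst

    def mk(self, v, lo, hi):
        """find_or_add_unique_table; lo == hi is the 'R1 equals R2' case."""
        if lo == hi:
            return lo
        key = (v, lo, hi)
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes[self.unique[key]] = key
        return self.unique[key]

    def var(self, v):
        """Projection function x_v, 1 <= v <= nvars; smaller v is higher up."""
        return self.mk(v, 0, 1)

    def top_var(self, *ids):
        return min(self.nodes[i][0] for i in ids)

    def cofactor(self, f, v, value):
        """F_v (value 1) or F_vbar (value 0), for v <= topVar(F)."""
        fv, lo, hi = self.nodes[f]
        return (hi if value else lo) if fv == v else f

    def ite(self, f, g, h):
        if f == 1 or g == h:               # terminal cases of the ITE algorithm
            return g
        if f == 0:
            return h
        if g == 1 and h == 0:
            return f
        key = (f, g, h)
        if key not in self.computed:
            v = self.top_var(f, g, h)
            r1 = self.ite(*(self.cofactor(x, v, 1) for x in key))
            r2 = self.ite(*(self.cofactor(x, v, 0) for x in key))
            self.computed[key] = self.mk(v, r2, r1)
        return self.computed[key]

    # Two-variable operators read off the ITE table.
    def neg(self, f): return self.ite(f, 0, 1)
    def and_(self, f, g): return self.ite(f, g, 0)
    def or_(self, f, g): return self.ite(f, 1, g)

    def restrict(self, f, v, value):
        """f|x_v <- value: remove every test of x_v from the DAG."""
        fv, lo, hi = self.nodes[f]
        if fv > v:                          # f does not depend on x_v
            return f
        if fv == v:
            return hi if value else lo
        return self.mk(fv, self.restrict(lo, v, value), self.restrict(hi, v, value))

    def exists(self, f, v):
        return self.or_(self.restrict(f, v, 0), self.restrict(f, v, 1))

    def compose(self, f, v, g):
        """Substitute g for x_v in f (the compose-using-ITE routine)."""
        fv, lo, hi = self.nodes[f]
        if fv > v:
            return f
        if fv == v:
            return self.ite(g, hi, lo)
        return self.ite(self.var(fv), self.compose(hi, v, g), self.compose(lo, v, g))

    def ite_const(self, f, g, h):
        """ITEConst: 0 or 1 if ITE(f, g, h) is that constant, else None (X)."""
        if f == 1 or g == h:
            return g if g in (0, 1) else None
        if f == 0:
            return h if h in (0, 1) else None
        if g == 1 and h == 0:
            return None                     # the result is the nonterminal f
        key = (f, g, h)
        if key not in self.const_table:
            v = self.top_var(f, g, h)
            t = self.ite_const(*(self.cofactor(x, v, 1) for x in key))
            e = None if t is None else self.ite_const(*(self.cofactor(x, v, 0) for x in key))
            self.const_table[key] = t if e == t else None   # constant only if both legs agree
        return self.const_table[key]


def slides_function(b):
    """f(x1, x2, x3) = ~x1 x2 x3 + x1 x3 built from projection functions."""
    x1, x2, x3 = b.var(1), b.var(2), b.var(3)
    return b.or_(b.and_(b.and_(b.neg(x1), x2), x3), b.and_(x1, x3))
```

ite_const(f, g, 1) == 1 decides whether f ⇒ g is a tautology without ever building the ROBDD of the implication.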
Resolving ambiguities

Standard triples
$ITE(F, F, G) \to ITE(F, 1, G)$
$ITE(F, G, F) \to ITE(F, G, 0)$
$ITE(F, G, \bar{F}) \to ITE(F, G, 1)$
$ITE(F, \bar{F}, G) \to ITE(F, 0, G)$

Resolving equivalences
$ITE(F, 1, G) \equiv ITE(G, 1, F)$
$ITE(F, G, 0) \equiv ITE(G, F, 0)$
$ITE(F, 0, G) \equiv ITE(\bar{G}, 0, \bar{F})$
$ITE(F, G, 1) \equiv ITE(\bar{G}, \bar{F}, 1)$
$ITE(F, G, \bar{G}) \equiv ITE(G, F, \bar{F})$

Resolving equivalences (contd.)
1 First argument is chosen with smallest top variable
2 Break ties with smallest address pointer

Triples with complemented edges
Between $ITE(F, G, H) \equiv ITE(\bar{F}, H, G) \equiv \overline{ITE(F, \bar{G}, \bar{H})} \equiv \overline{ITE(\bar{F}, \bar{H}, \bar{G})}$, choose the one such that the first and second argument of ITE are not complement edges, i.e. the first expression
Representing non-Binary Domains and Ranges

Example
∧_t  0 1 X        +_t  0 1 X        ¬_t
0    0 0 0        0    0 1 X        0  1
1    0 1 X        1    1 1 1        1  0
X    0 X X        X    X 1 X        X  X
Ternary extension of AND, OR and NOT
Non-Binary Domains and Ranges (contd.)

Necessary to encode elements of domain using multiple bits
If the domain has N elements, then ⌈lg N⌉ bits will be needed

Example (contd.)
For the encoding σ(0) = ⟨0, 1⟩, σ(1) = ⟨1, 0⟩, and σ(X) = ⟨1, 1⟩
the extended operations can be implemented as follows:
⟨a1, a0⟩ ∧_t ⟨b1, b0⟩ = ⟨a1 · b1, a0 + b0⟩
⟨a1, a0⟩ +_t ⟨b1, b0⟩ = ⟨a1 + b1, a0 · b0⟩
¬_t ⟨a1, a0⟩ = ⟨a0, a1⟩
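An added Python example, not from the slides: the two-bit encoding above is checked against the ternary AND/OR/NOT tables for every operand combination, and then used to propagate an unknown X through a small gate expression the way a symbolic simulator works on bit pairs. Function names and the expression format are our own.

```python
# The slides' encoding sigma; the pair (0, 0) is not a code and, as the
# checks below confirm, cannot be produced by any of the three operations.
ENCODE = {'0': (0, 1), '1': (1, 0), 'X': (1, 1)}
DECODE = {code: value for value, code in ENCODE.items()}
TERNARY = ('0', '1', 'X')


# Reference semantics of the ternary tables (X = unknown).
def and_t(a, b):
    return '0' if '0' in (a, b) else ('1' if a == b == '1' else 'X')


def or_t(a, b):
    return '1' if '1' in (a, b) else ('0' if a == b == '0' else 'X')


def not_t(a):
    return {'0': '1', '1': '0', 'X': 'X'}[a]


# The same operations on encoded pairs <a1, a0>, as given on the slide.
def and_enc(a, b):
    (a1, a0), (b1, b0) = a, b
    return (a1 & b1, a0 | b0)


def or_enc(a, b):
    (a1, a0), (b1, b0) = a, b
    return (a1 | b1, a0 & b0)


def not_enc(a):
    a1, a0 = a
    return (a0, a1)


def encoding_matches_tables():
    """True iff decoding each encoded result reproduces the ternary tables."""
    for a in TERNARY:
        if DECODE[not_enc(ENCODE[a])] != not_t(a):
            return False
        for b in TERNARY:
            if DECODE[and_enc(ENCODE[a], ENCODE[b])] != and_t(a, b):
                return False
            if DECODE[or_enc(ENCODE[a], ENCODE[b])] != or_t(a, b):
                return False
    return True


def eval_encoded(expr, env):
    """Evaluate a gate expression such as ('and', 'a', ('not', 'b')) over
    encoded ternary inputs given in env, e.g. {'a': 'X', 'b': '1'}."""
    if isinstance(expr, str):
        return ENCODE[env[expr]]
    op, *args = expr
    if op == 'not':
        return not_enc(eval_encoded(args[0], env))
    fn = and_enc if op == 'and' else or_enc
    return fn(eval_encoded(args[0], env), eval_encoded(args[1], env))


if __name__ == "__main__":
    print("encoding agrees with the tables:", encoding_matches_tables())
    print("X + not X =", DECODE[eval_encoded(('or', 'a', ('not', 'a')), {'a': 'X'})])
```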
Formalisation of the Representation of non-Binary Domains and Ranges

Consider a finite set of elements A, where |A| = N
We can encode an element of A as a vector of n binary values, where n = lg N. This encoding is denoted by a function σ : A → {0, 1}^n
Let σ_i(a) denote the i-th element in this encoding
A function mapping elements in A to elements in A, f : A → A, is represented as a vector of n Boolean functions $\vec{f}$, where each f_i : {0, 1}^n → {0, 1} is defined as:
f_i(σ(a)) = σ_i(f(a))
The COSMOS symbolic simulator [Cho and Bryant 1989] uses ROBDDs to compute the behavior of a transistor circuit symbolically
Representation of Sets

Given an encoding of the elements of a set A, we can represent and manipulate its subsets using characteristic functions
n = lg |A| bits are required to encode the elements
A set S ⊆ A is denoted by the Boolean function $\chi_S(\vec{x}) : \{0, 1\}^n \to \{0, 1\}$
Representation of Sets

Example (A characteristic function and its ROBDD)
The set S has eight elements e1, …, e8 encoded using three bits. The table below shows the encoding and also the characteristic function $\chi_S(\vec{x})$ defined on the encoding.

element x1 x2 x3 χ_S(x⃗)
e1      0  0  0  0
e2      0  0  1  0
e3      0  1  0  0
e4      0  1  1  1
e5      1  0  0  0
e6      1  0  1  1
e7      1  1  0  0
e8      1  1  1  1

(Diagram: the ROBDD of χ_S: x1 --0--> x2, x1 --1--> x3, x2 --0--> 0, x2 --1--> x3, x3 --0--> 0, x3 --1--> 1.)
Operations on Sets

Empty Set: $\chi_\emptyset = 0$
Set Union: $\chi_{(S \cup T)} = \chi_S + \chi_T$
Set Intersection: $\chi_{(S \cap T)} = \chi_S \cdot \chi_T$
Set Difference: $\chi_{(S - T)} = \chi_S \cdot \overline{\chi_T}$
The right hand side represents usual operations that can be performed on ROBDDs
Representation of Relations

A k-ary relation can be defined as a set of ordered k-tuples
Also represent and manipulate relations using characteristic functions represented as ROBDDs
A binary relation R ⊆ A × A is denoted by the Boolean function f_R corresponding to the characteristic function χ_R
If each element of A is encoded in n bits, then each tuple of R is encoded in 2n bits
The basic scheme for constructing the characteristic function is as follows:

tuple             x_{1,1} … x_{1,n}      x_{2,1} … x_{2,n}      f_R = χ_R
⟨e_{i1}, e_{j1}⟩  x_{i1,1} … x_{i1,n}    x_{j1,1} … x_{j1,n}    0/1
…

ROBDD corresponding to this characteristic function is constructed
Representation of Relations (contd.)

Composition of relations R and S:
$\chi_{(R \circ S)} = (\exists \vec{z})\, \chi_R(\vec{x}, \vec{z}) \cdot \chi_S(\vec{z}, \vec{y})$

Since $\vec{z} = \langle z_1, \ldots, z_n\rangle$,
$\chi_{(R \circ S)} = (\exists z_1, \ldots, z_n)\, \chi_R(\vec{x}, \langle z_1, \ldots, z_n\rangle) \cdot \chi_S(\langle z_1, \ldots, z_n\rangle, \vec{y})$
$= (\exists z_2, \ldots, z_n)\, [\, \chi_R(\vec{x}, \langle z_1, \ldots, z_n\rangle)|_{z_1 \leftarrow 0} \cdot \chi_S(\langle z_1, \ldots, z_n\rangle, \vec{y})|_{z_1 \leftarrow 0}$
$\quad + \chi_R(\vec{x}, \langle z_1, \ldots, z_n\rangle)|_{z_1 \leftarrow 1} \cdot \chi_S(\langle z_1, \ldots, z_n\rangle, \vec{y})|_{z_1 \leftarrow 1}\, ]$
$= \ldots$
BDDs / BDDs for sets and relations

Transitive Closure of a Relation

- If $\chi_R$ is the characteristic function of $R$, then that of the transitive closure is represented as $\chi_{R^*}$
- $\chi_{R^*}$ is computed as the fixed point of the sequence $R_0 = I$, $R_{i+1} = I \cup R \circ R_i$, where $I$ denotes the identity relation
- Termination is determined by equivalence testing of ROBDDs as $R_{i+1} = R_i$, in at most $N - 1$ iterations, where $N = |A|$
- Faster convergence is achieved using iterative squaring as: $R_0 = I \cup R$, $R_{i+1} = R_i \cup R_i \circ R_i$, reducing the maximum number of iterations to $\lg N$ [Burch et al 1990]

Chittaranjan Mandal (IIT Kharagpur) Testing and verification December 27, 2016 138 / 154
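Added example (not part of the slides): the composition-by-quantification scheme of the preceding slide and the two transitive-closure iterations of this one, with a characteristic function modelled as the set of bit tuples it maps to 1 instead of an ROBDD. The chain relation over 3-bit elements and all function names are constructed for this demonstration.

```python
# Added example (not from the slides). A characteristic function over 2n
# encoded bits is modelled as the set of bit tuples on which it is 1 (a truth
# table standing in for the ROBDD). Composition eliminates the n middle bits
# one at a time with the slide's expansion f|z<-0 + f|z<-1, and the closure is
# computed both by the naive iteration and by iterative squaring.

def enc(a, n):
    """Encode element a (0 <= a < 2**n) as an n-bit tuple, MSB first."""
    return tuple((a >> (n - 1 - i)) & 1 for i in range(n))

def chi(rel, n):
    """Characteristic function of a relation: the set of 2n-bit tuples <x, y>."""
    return {enc(a, n) + enc(b, n) for a, b in rel}

def restrict(f, pos, val):
    """Cofactor f|_{bit pos <- val}; the restricted bit is dropped from the tuples."""
    return {t[:pos] + t[pos + 1:] for t in f if t[pos] == val}

def exists(f, pos):
    """Existential quantification by the slide's expansion: f|0 + f|1."""
    return restrict(f, pos, 0) | restrict(f, pos, 1)

def compose(chi_r, chi_s, n):
    """chi_{R o S}(x, y) = (E z) chi_R(x, z) . chi_S(z, y), built over 3n bits."""
    conj = {t + u[n:] for t in chi_r for u in chi_s if t[n:] == u[:n]}
    for _ in range(n):           # eliminate z_1, ..., z_n in turn
        conj = exists(conj, n)   # after each step the next z bit sits at index n
    return conj

def identity(n):
    """chi_I for the identity relation on all 2**n encoded elements."""
    return {enc(a, n) * 2 for a in range(2 ** n)}

def closure_naive(chi_r, n):
    """R_0 = I, R_{i+1} = I U R o R_i; stop when R_{i+1} = R_i. Returns (chi, steps)."""
    i_rel, r_i, steps = identity(n), identity(n), 0
    while True:
        r_next, steps = i_rel | compose(chi_r, r_i, n), steps + 1
        if r_next == r_i:        # the ROBDD equivalence test of the slide
            return r_i, steps
        r_i = r_next

def closure_squaring(chi_r, n):
    """Iterative squaring: R_0 = I U R, R_{i+1} = R_i U R_i o R_i."""
    r_i, steps = identity(n) | chi_r, 0
    while True:
        r_next, steps = r_i | compose(r_i, r_i, n), steps + 1
        if r_next == r_i:
            return r_i, steps
        r_i = r_next

def decode(f, n):
    """Turn a 2n-bit characteristic function back into integer pairs."""
    to_int = lambda bits: int("".join(map(str, bits)), 2)
    return {(to_int(t[:n]), to_int(t[n:])) for t in f}

# Constructed input: a chain 0 -> 1 -> ... -> 7 over 3-bit elements (N = 8).
N_BITS = 3
CHAIN = {(a, a + 1) for a in range(7)}

def compare_closures():
    """Both closures agree; squaring needs far fewer compositions than N."""
    naive, naive_steps = closure_naive(chi(CHAIN, N_BITS), N_BITS)
    squared, squared_steps = closure_squaring(chi(CHAIN, N_BITS), N_BITS)
    assert naive == squared
    return decode(naive, N_BITS), naive_steps, squared_steps

if __name__ == "__main__":
    closure, naive_steps, squared_steps = compare_closures()
    print(f"naive: {naive_steps} compositions, squaring: {squared_steps}")
    print(sorted(closure))
```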
BDDs / BDDs for sets and relations

A m/c that accepts strings over $\{0, 1\}$ ending in 1

Example

[Figure: Moore machine with states $s_0$ (00), $s_1$ (01), $s_2$ (10), $s_3$ (11) and input-labelled edges 0 and 1; its transition relation on the encoded state bits is tabulated below]

State encoding $\sigma : S \to \{0,1\}^2$:

    $p \in S$   $\sigma(p) = \langle \sigma_1(p), \sigma_0(p) \rangle$
    $s_0$       00
    $s_1$       01
    $s_2$       10
    $s_3$       11

    $|S| = 4$, $\lceil \lg |S| \rceil = 2$

Tuples $\langle \sigma(p), \sigma(q) \rangle$, $p, q \in S$, with $\chi_R\, \sigma(p)\, \sigma(q) = 1$:

    $\sigma_1(p)$ $\sigma_0(p)$ | $\sigma_1(q)$ $\sigma_0(q)$
    0 0 | 0 0
    0 0 | 0 1
    0 1 | 1 0
    0 1 | 1 1
    1 0 | 0 0
    1 0 | 0 1
    1 1 | 1 0
    1 1 | 1 1

- Moore m/c representing recogniser, not a pure relation
- Result of input non-determinism on left state
- Result of input non-determinism on right state
- Transitions between input capturing states a pure relation
- Tabular transition relation shown for state encoding $\sigma : S \to \{0,1\}^2$
- Table only has tuples for which $\chi_R\, \sigma(p)\, \sigma(q) = 1$, $p, q \in S$

Chittaranjan Mandal (IIT Kharagpur) Testing and verification December 27, 2016 139 / 154
BDDs / BDDs for sets and relations

BDD representation of relation

Example (Representation for $\chi_R : \{0,1\}^{\lceil \lg |S| \rceil} \to \{0,1\}^{\lceil \lg |S| \rceil} \to \{0,1\}$)

[Figure: the state encoding and relation tuples of the previous slide beside the ROBDD of $\chi_R$, with root $\sigma_1(q)$, two $\sigma_0(p)$ nodes and terminals 0 and 1]

- Since $\lceil \lg |S| \rceil = 2$, $\sigma(p)$ and $\sigma(q)$, $p, q \in S$, are encoded in 2 bits, as $\langle \sigma_1(p), \sigma_0(p) \rangle$ and $\langle \sigma_1(q), \sigma_0(q) \rangle$
- $\chi_R : \{0,1\}^2 \to \{0,1\}^2 \to \{0,1\}$ characterises the tuples of the relation as the Boolean function $\overline{\sigma_0(p)}\, \overline{\sigma_1(q)}\, \overline{\sigma_0(q)} + \overline{\sigma_0(p)}\, \overline{\sigma_1(q)}\, \sigma_0(q) + \sigma_0(p)\, \sigma_1(q)$, $\langle p, q \rangle \in R$, on $\sigma_1(p)$, $\sigma_0(p)$, $\sigma_1(q)$, $\sigma_0(q)$

Chittaranjan Mandal (IIT Kharagpur) Testing and verification December 27, 2016 140 / 154
BDDs / BDDs for sets and relations

BDD representation of relation (contd.)

Example (Evaluating $\chi_R \langle 0, 1 \rangle$ to fn: $\{0,1\}^2 \to \{0,1\}$)

[Figure: the ROBDD of $\chi_R$ (root $\sigma_1(q)$, nodes $\sigma_0(p)$, terminals 0 and 1), the BDD obtained by applying $\chi_R$ to $\langle 0, 1 \rangle$, and the result after reduce]

- Result of applying $\chi_R$ to $\langle 0, 1 \rangle$, by restricting $\sigma_1(p) \leftarrow 0$ and $\sigma_0(p) \leftarrow 1$, is a BDD which is a function from $\{0,1\} \times \{0,1\} \to \{0,1\}$
- The original BDD that represents the relation can be considered a function from $\{0,1\} \times \{0,1\}$ to $\{0,1\} \times \{0,1\} \to \{0,1\}$, i.e. $\chi_R : \{0,1\}^2 \to \{0,1\}^2 \to \{0,1\}$ or $\chi_R : \{0,1\}^2 \to (\{0,1\}^2 \to \{0,1\})$

Chittaranjan Mandal (IIT Kharagpur) Testing and verification December 27, 2016 141 / 154
CTL Symbolic Model Checking

Section outline

7 CTL Symbolic Model Checking
    CTL MC using BDDs
    Model Checking using Sets of States
    Monotone functions
    Handling SAT_EX and SAT_EU
    Handling SAT_EG
    Handling SAT_ECG

Chittaranjan Mandal (IIT Kharagpur) Testing and verification December 27, 2016 142 / 154
CTL Symbolic Model Checking / CTL MC using BDDs

CTL MC using BDDs

- BDDs can represent sets of states and relations
- States satisfying subformulae can be represented
- Navigation based on the relation is also possible
- Given a set of states $X$ and a relation $R$, $\mathrm{img}(X; R)$ is the set of states reachable from the states of $X$ in one forward step via $R$
    $\mathrm{img}(X; R) = \{ s' \in S \mid \exists s\, (s \in X \wedge s \to s') \}$
    $\chi_{\mathrm{img}(X; R)} = \exists s\, (\chi_X\, s \wedge \chi_R\, s\, s')$
- Given a set of states $Y$ and a relation $R$, $\mathrm{pre}(Y; R)$ is the set of states reachable from the states of $Y$ in one reverse step via $R$
    $\mathrm{pre}(Y; R) = \{ s \in S \mid \exists s'\, (s \to s' \wedge s' \in Y) \}$
    $\chi_{\mathrm{pre}(Y; R)} = \exists s'\, (\chi_R\, s\, s' \wedge \chi_Y\, s')$
- We consider two variants of pre-image computation
    $\mathrm{pre}_\exists(Y) = \mathrm{pre}(Y; R)$
    $\mathrm{pre}_\forall(Y) = \{ s \in S \mid \forall s'\, (s \to s' \Rightarrow s' \in Y) \}$
    $\chi_{\mathrm{pre}_\forall(Y)} = \forall s'\, (\chi_R\, s\, s' \Rightarrow \chi_Y\, s')$
- Both pre-image computations are forms of backward BFS in $R$

Chittaranjan Mandal (IIT Kharagpur) Testing and verification December 27, 2016 143 / 154
CTL Symbolic Model Checking / CTL MC using BDDs

Illustration of CTL MC for $\phi = EX\, \phi_1$ using BDDs

Example (Symbolic evaluation of $\phi = EX\, \phi_1$ for the $(0|1)^* 1^+$ FSM)

[Figure: the machine $M$ with states $s_0$ (00), $s_1$ (01), $s_2$ (10), $s_3$ (11), and the ROBDD of $\chi_R$ over $\sigma_1(q)$ and $\sigma_0(p)$]

- $\chi_R \langle p_1, p_0 \rangle \langle q_1, q_0 \rangle = \bar{p}_0 \bar{q}_1 + p_0 q_1$
- Let $[\![\phi]\!]$ represent the set of states satisfying $\phi$
- $Y = [\![\phi_1]\!] = \{ s_1, s_3 \}$; $\chi_Y \langle q_1, q_0 \rangle = q_0$
- $[\![EX\, \phi_1]\!] = [\![\chi_{\mathrm{pre}_\exists(Y)}]\!]$
- $\chi_{\mathrm{pre}_\exists(Y)} = \exists \langle q_1 q_0 \rangle\, (\chi_Y \langle q_1 q_0 \rangle \wedge \chi_R \langle p_1 p_0 \rangle \langle q_1 q_0 \rangle)$
    $= \exists \langle q_1 \rangle\, (\bar{p}_0 \bar{q}_1 + p_0 q_1)$
    $= \bar{p}_0 + p_0$
    $= 1$

Chittaranjan Mandal (IIT Kharagpur) Testing and verification December 27, 2016 144 / 154
CTL Symbolic Model Checking / CTL MC using BDDs

Illustration of CTL MC for $\phi = AX\, \phi_1$ using BDDs

Example (Symbolic evaluation of $\phi = AX\, \phi_1$ for the $(0|1)^* 1^+$ FSM)

- $\chi_R \langle p_1, p_0 \rangle \langle q_1, q_0 \rangle = \bar{p}_0 \bar{q}_1 + p_0 q_1$
- Let $[\![\phi]\!]$ represent the set of states satisfying $\phi$
- $Y = [\![\phi_1]\!] = \{ s_1, s_3 \}$; $\chi_Y \langle q_1, q_0 \rangle = q_0$
- $[\![AX\, \phi_1]\!] = [\![\chi_{\mathrm{pre}_\forall(Y)}]\!]$
- $\chi_{\mathrm{pre}_\forall(Y)} = \forall \langle q_1 q_0 \rangle\, [\chi_R \langle p_1 p_0 \rangle \langle q_1 q_0 \rangle \Rightarrow \chi_Y \langle q_1 q_0 \rangle]$
    $= \forall \langle q_1 \rangle\, [\, ((\bar{p}_0 \bar{q}_1 + p_0 q_1) \Rightarrow q_0)|_{q_0 = 0} \wedge ((\bar{p}_0 \bar{q}_1 + p_0 q_1) \Rightarrow q_0)|_{q_0 = 1} \,]$
    $= \forall \langle q_1 \rangle\, [\, (\overline{(\bar{p}_0 \bar{q}_1 + p_0 q_1)} \vee q_0)|_{q_0 = 0} \wedge (\overline{(\bar{p}_0 \bar{q}_1 + p_0 q_1)} \vee q_0)|_{q_0 = 1} \,]$
    $= \forall \langle q_1 \rangle\, \overline{(\bar{p}_0 \bar{q}_1 + p_0 q_1)}$
    $= p_0 \wedge \bar{p}_0$
    $= 0$
- So, $M \not\models AX\, \phi_1$

Chittaranjan Mandal (IIT Kharagpur) Testing and verification December 27, 2016 145 / 154
CTL Symbolic Model Checking / Model Checking using Sets of States

Model Checking using Sets of States

Let $[\![\phi]\!]$ represent the set of states satisfying formula $\phi$

    $\top$                      return $S$
    $\bot$                      return $\emptyset$
    atomic $\alpha$             return $\{ s \mid \chi_S\, s \wedge \alpha \in L(s) \}$
    $\neg \phi_1$               return $S \setminus [\![\phi_1]\!]$
    $\phi_1 \wedge \phi_2$      return $[\![\phi_1]\!] \cap [\![\phi_2]\!]$
    $\phi_1 \vee \phi_2$        return $[\![\phi_1]\!] \cup [\![\phi_2]\!]$
    $AX\, \phi_1$               return $[\![\neg EX\, \neg \phi_1]\!]$
    $EX\, \phi_1$               return $\mathrm{SAT}_{EX}(\phi_1)$
    $E[\phi_1\, U\, \phi_2]$    return $\mathrm{SAT}_{EU}(\phi_1, \phi_2)$
    $EG\, \phi_1$               return $\mathrm{SAT}_{EG}(\phi_1)$

Chittaranjan Mandal (IIT Kharagpur) Testing and verification December 27, 2016 146 / 154
CTL Symbolic Model Checking / Monotone functions

Monotone functions

Definition
Let $S$ be a set of states and $F : \mathcal{P}(S) \to \mathcal{P}(S)$
1 $F$ is monotone if $X \subseteq Y \subseteq S \Rightarrow F(X) \subseteq F(Y)$
2 $X \subseteq S$ is a fixed point of $F$ if $F(X) = X$

Example
Let $S = \{ s_0, s_1 \}$ and $F(Y) = Y \cup \{ s_0 \}$
- $F$ is a monotone function
- $\{ s_0 \}$ is the least fixed point
- $\{ s_0, s_1 \}$ is the greatest fixed point

Example
Let $S = \{ s_0, s_1 \}$ and $G(Y) = $ if $Y = \{ s_0 \}$ then $\{ s_1 \}$ else $\{ s_0 \}$
- $\{ s_0 \} \subseteq \{ s_0, s_1 \}$ but $G(\{ s_0 \}) = \{ s_1 \} \not\subseteq G(\{ s_0, s_1 \}) = \{ s_0 \}$
- $G$ is a non-monotone function
- $G$ does not have fixed points

1 Monotone functions always have a least and a greatest fixed point
2 $EG$, $AF$, $EU$ can be expressed via fixed points

Chittaranjan Mandal (IIT Kharagpur) Testing and verification December 27, 2016 147 / 154
CTL Symbolic Model Checking / Handling SAT_EX and SAT_EU

Handling SAT_EX and SAT_EU

    SAT_EX($\phi$) {
        $X \leftarrow [\![\phi]\!]$; $Y \leftarrow \mathrm{pre}_\exists(X)$;
        return $Y$;
    }

- $E[\phi\, U\, \psi] = \psi \vee (\phi \wedge (EX\, (E[\phi\, U\, \psi])))$
- $[\![E[\phi\, U\, \psi]]\!] = [\![\psi]\!] \cup ([\![\phi]\!] \cap [\![EX\, E[\phi\, U\, \psi]]\!])$
- Let $G(X) = [\![\psi]\!] \cup ([\![\phi]\!] \cap \mathrm{pre}_\exists(X))$
- $X, Y \subseteq S \wedge X \subseteq Y \Rightarrow G(X) \subseteq G(Y)$
- $G$ is monotone, $G(\emptyset) = [\![\psi]\!]$
- SAT_EU($\phi$, $\psi$) computes the LFP of $G$

    SAT_EU($\phi$, $\psi$) {
        $V \leftarrow [\![\psi]\!]$; $W \leftarrow [\![\phi]\!]$; $Y \leftarrow [\![\bot]\!]$;
        repeat
            $X \leftarrow Y$;
            $Y \leftarrow V \cup (W \cap \mathrm{pre}_\exists(Y))$;
        until $X = Y$
        return $Y$;
    }

Chittaranjan Mandal (IIT Kharagpur) Testing and verification December 27, 2016 148 / 154
CTL Symbolic Model Checking / Handling SAT_EG

Handling SAT_EG

- $EG\, \phi = \phi \wedge (EX\, (EG\, \phi))$
- $[\![EG\, \phi]\!] = [\![\phi]\!] \cap [\![EX\, (EG\, \phi)]\!]$
- Let $G(X) = [\![\phi]\!] \cap \mathrm{pre}_\exists(X)$
- $X \subseteq Y \Rightarrow G(X) \subseteq G(Y)$
- $G$ is monotone, $G(S) = [\![\phi]\!]$
- SAT_EG($\phi$) computes the GFP of $G$

    SAT_EG($\phi$) {
        $W \leftarrow [\![\phi]\!]$; $Y \leftarrow [\![\top]\!]$;
        repeat
            $X \leftarrow Y$;
            // Remove label $EG\, \phi$ from any state not
            // having a successor labelled with $EG\, \phi$
            $Y \leftarrow W \cap \mathrm{pre}_\exists(Y)$;
        until $X = Y$
        return $Y$;
    }

Chittaranjan Mandal (IIT Kharagpur) Testing and verification December 27, 2016 149 / 154
CTL Symbolic Model Checking / Handling SAT_EG

Illustration of CTL MC for $\phi = EG\, \phi_1$ using BDDs

Example (Symbolic evaluation of $\phi = EG\, \phi_1$ for the $(0|1)^* 1^+$ FSM)

$W = [\![\phi_1]\!] = \{ s_1, s_3 \}$; $Y = [\![\top]\!] = \{ s_0, s_1, s_2, s_3 \}$

Iter 1: $Y = [\![\top]\!]$
    $\mathrm{pre}_\exists(Y) = \{ s_0, s_1, s_2, s_3 \}$
    $Y = \{ s_1, s_3 \} \cap \{ s_0, s_1, s_2, s_3 \} = \{ s_1, s_3 \}$

Iter 2: $Y = \{ s_1, s_3 \}$
    $\mathrm{pre}_\exists(Y) = \{ s_0, s_1, s_2, s_3 \}$
    $Y = \{ s_1, s_3 \} \cap \{ s_0, s_1, s_2, s_3 \} = \{ s_1, s_3 \}$

$Y$ is the fixed point of $G$

Chittaranjan Mandal (IIT Kharagpur) Testing and verification December 27, 2016 150 / 154
CTL Symbolic Model Checking / Handling SAT_ECG

Handling SAT_ECG

- Let $H = \{ \psi_1, \ldots, \psi_k \}$ be the fairness constraints
- For an infinite computation path $\pi$ to satisfy $E_C G\, \phi$ wrt $H$,
    $\phi$ must hold at each state of $\pi$
    $\pi$ is fair wrt $H$, so that each $\psi_i \in H$ holds infinitely often along $\pi$
- Let $Y$ be the largest set of states with the following two properties
    1 all states in $Y$ satisfy $\phi$
    2 for all $\psi_i \in H$ and $s \in Y$,
        i there is a non-zero length path from $s$ to a state in $Y$ satisfying $\psi_i$
        ii all states in the path satisfy $\phi$
- Consider $G(X) = [\![\phi]\!] \cap \mathrm{pre}_\exists([\![E[\phi\, U\, \chi_X \wedge \psi_1]]\!]) \cap \cdots \cap \mathrm{pre}_\exists([\![E[\phi\, U\, \chi_X \wedge \psi_k]]\!])$
- $G$ is monotone, $G(S)$ is the $\phi$ satisfying pre-image of $\phi$ states where each leads to all $\psi_i$s, $1 \le i \le k$ (proof?)
- SAT_ECG($\phi$) needs to compute the GFP of $G$: $G([\![\mathrm{SAT}_{E_C G}(\phi)]\!]) = [\![\phi]\!] \cap \mathrm{pre}_\exists([\![E[\phi\, U\, E_C G(\phi) \wedge \psi_1]]\!]) \cap \cdots \cap \mathrm{pre}_\exists([\![E[\phi\, U\, E_C G(\phi) \wedge \psi_k]]\!])$ ?

Chittaranjan Mandal (IIT Kharagpur) Testing and verification December 27, 2016 151 / 154
CTL Symbolic Model Checking / Handling SAT_ECG

Handling SAT_ECG (contd.)

    SAT_ECG($\phi$) {   // GFP of $G(T) = [\![\phi]\!] \cap \mathrm{pre}_\exists([\![E[\phi\, U\, \chi_T \wedge \psi_1]]\!]) \cap \cdots \cap \mathrm{pre}_\exists([\![E[\phi\, U\, \chi_T \wedge \psi_k]]\!])$
        $W \leftarrow [\![\phi]\!]$; $Z \leftarrow [\![\top]\!]$;
        repeat
            $T \leftarrow Z$; $Z \leftarrow W$;
            for $i = 1$ to $k$ do
                $V \leftarrow T \cap [\![\psi_i]\!]$; $Y \leftarrow [\![\bot]\!]$;
                repeat   // compute LFP of $G(X) = (\chi_T \wedge \psi_i) \cup ([\![\phi]\!] \cap \mathrm{pre}_\exists(X))$
                    $X \leftarrow Y$;
                    $Y \leftarrow V \cup (W \cap \mathrm{pre}_\exists(Y))$;
                until $X = Y$
                $Z \leftarrow Z \cap Y$;
            endfor
        until $T = Z$
        return $Z$;
    }

Chittaranjan Mandal (IIT Kharagpur) Testing and verification December 27, 2016 152 / 154
CTL Symbolic Model Checking / Handling SAT_ECG

Example of symbolic MC with fairness

$\phi = E_C G\, (In = 1)$ wrt $\psi_1 = (State = 1)$
$W = [\![In = 1]\!] = \{ S_1, S_3 \}$; $Z = [\![\top]\!] = \{ S_0, S_1, S_2, S_3 \}$;

Iter 1:
    $T = Z = \{ S_0, S_1, S_2, S_3 \}$; $Z = W = \{ S_1, S_3 \}$;
    For loop Iter 1 with $i = 1$:
        $V = T \cap [\![\psi_1]\!] = \{ S_0, S_1, S_2, S_3 \} \cap \{ S_2, S_3 \} = \{ S_2, S_3 \}$; $Y = \emptyset$;
        Iter 1: $X = Y = \emptyset$;
            $Y = V \cup (W \cap \mathrm{pre}_\exists(Y)) = \{ S_2, S_3 \} \cup (\{ S_1, S_3 \} \cap \emptyset) = \{ S_2, S_3 \}$;
        Iter 2: $X = Y = \{ S_2, S_3 \}$;
            $Y = V \cup (W \cap \mathrm{pre}_\exists(Y)) = \{ S_2, S_3 \} \cup (\{ S_1, S_3 \} \cap \{ S_1, S_3 \}) = \{ S_1, S_2, S_3 \}$;
        Iter 3: $X = Y = \{ S_1, S_2, S_3 \}$;
            $Y = V \cup (W \cap \mathrm{pre}_\exists(Y)) = \{ S_1, S_2, S_3 \} \cup (\{ S_1, S_3 \} \cap \{ S_0, S_1, S_2, S_3 \}) = \{ S_1, S_2, S_3 \}$;
        $Z = Z \cap Y = \{ S_1, S_3 \} \cap \{ S_1, S_2, S_3 \} = \{ S_1, S_3 \}$;

Chittaranjan Mandal (IIT Kharagpur) Testing and verification December 27, 2016 153 / 154
CTL Symbolic Model Checking / Handling SAT_ECG

Example of symbolic MC with fairness (contd.)

Iter 2:
    $T = Z = \{ S_1, S_3 \}$; $Z = W = \{ S_1, S_3 \}$;
    For loop Iter 1 with $i = 1$:
        $V = T \cap [\![\psi_1]\!] = \{ S_0, S_1, S_2, S_3 \} \cap \{ S_2, S_3 \} = \{ S_2, S_3 \}$; $Y = \emptyset$;
        Iter 1: $X = Y = \emptyset$;
            $Y = V \cup (W \cap \mathrm{pre}_\exists(Y)) = \{ S_2, S_3 \} \cup (\{ S_1, S_3 \} \cap \emptyset) = \{ S_2, S_3 \}$;
        Iter 2: $X = Y = \{ S_2, S_3 \}$;
            $Y = V \cup (W \cap \mathrm{pre}_\exists(Y)) = \{ S_2, S_3 \} \cup (\{ S_1, S_3 \} \cap \{ S_1, S_3 \}) = \{ S_1, S_2, S_3 \}$;
        Iter 3: $X = Y = \{ S_1, S_2, S_3 \}$;
            $Y = V \cup (W \cap \mathrm{pre}_\exists(Y)) = \{ S_1, S_2, S_3 \} \cup (\{ S_1, S_3 \} \cap \{ S_0, S_1, S_2, S_3 \}) = \{ S_1, S_2, S_3 \}$;
        $Z = Z \cap Y = \{ S_1, S_3 \} \cap \{ S_1, S_2, S_3 \} = \{ S_1, S_3 \}$;
    $T = Z$, so return $\{ S_1, S_3 \}$;

Chittaranjan Mandal (IIT Kharagpur) Testing and verification December 27, 2016 154 / 154
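Added example (not the lecturer's code): the set-based SAT_EX, SAT_AX, SAT_EU, SAT_EG and SAT_ECG procedures of the preceding slides, run over the $(0|1)^* 1^+$ machine of the worked examples so that the EX, AX, EG and fair EG results above are recomputed. The relation $\chi_R = \bar{p}_0 \bar{q}_1 + p_0 q_1$, the encoding $s_0 \ldots s_3$ and the atomic propositions $In = 1$ (bit $\sigma_0$) and $State = 1$ (bit $\sigma_1$) are taken from the slides; the Python names are my own.

```python
# Added example (not from the slides): the fixed-point procedures of the
# slides over explicit sets of states, applied to the (0|1)*1+ recogniser.
from itertools import product

# State encoding from the slides: s0=00, s1=01, s2=10, s3=11 as (sigma1, sigma0).
STATES = {f"s{2 * s1 + s0}": (s1, s0) for s1, s0 in product((0, 1), repeat=2)}
S = frozenset(STATES)

def chi_r(p, q):
    """chi_R <p1,p0> <q1,q0> = ~p0 & ~q1 | p0 & q1 as derived on the slides;
    p1 and q0 are don't-cares (the next input bit is chosen freely)."""
    (_, p0), (q1, _) = p, q
    return p0 == q1

# Transition relation R as explicit (p, q) name pairs, built from chi_R.
R = frozenset((p, q) for p in STATES for q in STATES
              if chi_r(STATES[p], STATES[q]))

def pre_exists(Y):
    """pre_E(Y) = {s | exists s'. s -> s' and s' in Y}: one backward step."""
    return frozenset(s for s, t in R if t in Y)

def pre_forall(Y):
    """pre_A(Y) = {s | forall s'. s -> s' implies s' in Y}."""
    return frozenset(s for s in S if all(t in Y for u, t in R if u == s))

def sat_ex(phi):
    return pre_exists(phi)

def sat_ax(phi):
    """AX phi = not EX not phi, as in the set-based table on the slides."""
    return S - sat_ex(S - phi)

def sat_eu(phi, psi):
    """LFP of G(X) = [[psi]] U ([[phi]] n pre_E(X)); the SAT_EU loop."""
    Y = frozenset()
    while True:
        X, Y = Y, psi | (phi & pre_exists(Y))
        if X == Y:
            return Y

def sat_eg(phi):
    """GFP of G(X) = [[phi]] n pre_E(X); the SAT_EG loop."""
    Y = S
    while True:
        X, Y = Y, phi & pre_exists(Y)
        if X == Y:
            return Y

def sat_ecg(phi, fairness):
    """SAT_ECG: outer GFP over Z; for each fairness constraint psi_i the
    inner E[phi U (T and psi_i)] least fixed point is intersected into Z."""
    Z = S
    while True:
        T, Z = Z, phi                       # T <- Z; Z <- W
        for psi in fairness:
            Z &= sat_eu(phi, T & psi)       # V = T n [[psi_i]], same inner loop
        if T == Z:
            return Z

# Atomic propositions used in the slides' examples, read off the encoding.
IN_IS_1 = frozenset(s for s, (s1, s0) in STATES.items() if s0 == 1)     # {s1,s3}
STATE_IS_1 = frozenset(s for s, (s1, s0) in STATES.items() if s1 == 1)  # {s2,s3}

def slide_results():
    """The four results worked by hand on the slides, recomputed."""
    return {"EX": sat_ex(IN_IS_1), "AX": sat_ax(IN_IS_1),
            "EG": sat_eg(IN_IS_1), "ECG": sat_ecg(IN_IS_1, [STATE_IS_1])}

if __name__ == "__main__":
    for name, states in slide_results().items():
        print(f"[[{name} (In = 1)]] = {sorted(states) or '{}'}")
```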
