Model Checking and the Mu-Calculus

Mo del Checking

and the

Mucalculus

E Allen Emerson

University of Texas at Austin Austin Tx USA

Abstract There is a growing recognition of the need to apply formal

mathematical metho ds in the design of high condence computing

systems Such systems op erate in safety critical contexts eg air traf

c control systems or where errors could have ma jor adverse economic

consequences eg banking networks The problem is esp ecially acute

in the design of many reactive systems which must exhibit correct on

going b ehavior yet are not amenable to thorough testing due to their

inherently nondeterministic nature One useful approach for sp ecifying

and reasoning ab out correctness of such systems is temp oral logic model

checking which can provide an ecient and expressive to ol for automatic

verication that a nite state system meets a correctness sp ecication

formulated in temp oral logic We describ e mo del checking algorithms and

discuss their applicatio n To do this we fo cus attention on a particularly

imp ortant typ e of temp oral logic known as the Mucalculus

Intro duction

There is a growing need for reliable metho ds of designing correct reactive sys

tems These systems are characterized by ongoing typically nonterminating and

highly nondeterministic b ehavior Often such systems amount to parallel or dis

tributed programs Examples include op erating systems network proto cols and

air trac control systems

There is nowadays widespread agreement that some typ e of temp oral logic

Pn provides an extremely useful framework for reasoning ab out reactive pro

grams Basic temp oral op erators such as sometimes F always G and

nexttime X make it p ossible to easily express many imp ortant correctness

prop erties eg Gsent F received asserts that whenever a message is sent

it is eventually received

When we intro duce path quantiers A E meaning for all p ossible fu

ture computations and for some p ossible future computation resp ectively

we can distinguish b etween the inevitability of events AF P and their p oten

tiality EFP Such a system is referred to as a branching time temp oral logic

One commonly used branching time logic is CTL Computation Tree Logic cf

EC CE

Another branching time logic is the prop ositional Mucalculus Ko cf

EC Pr The Mucalculus may b e thought of as extending CTL with

a least xp oint and greatest xp oint op erator We note that EFP

P EXEFP so that EFP is a xed p oint also known as a xp oint of the

expression Y P EXY In fact EFP is the least xp oint ie the least

Y P EXY The least xp oint of Y is ordinarily denoted as Y Y

As this example suggests not all of CTL is needed as a basis for the Mu

calculus which can instead b e dened in terms of atomic prop osition constants

and variables P Y b o olean connectives nexttime op erators

AX E X and nally least and greatest xp oint op erators The rest of

the CTL op erators can b e dened in terms of these surprisingly simple primitives

In fact most mo dal and temp oral logics of interest can b e dened in terms of

the Mucalculus In this way it provides a single simple and uniform framework

subsuming most other logics of interest for reasoning ab out reactive systems cf

The classical approach to the use of temp oral logic for reasoning ab out

reactive programs is a manual one where one is obliged to construct by hand

a pro of of program correctness using axioms and inference rules in a deductive

system A desirable asp ect of some such pro of systems is that they may b e for

mulated so as to b e comp ositional which facilitates development of a program

hand in hand with its pro of of correctness by systematically comp osing together

pro ofs of constituent subprograms Even so manual pro of construction can b e

extremely tedious and error prone due to the large numb er of details that must

b e attended to Hence correct pro ofs for large programs are often very dicult

to construct and to organize in an intellectually manageable fashion It seems

clear that it is unrealistic to exp ect manual pro of construction to b e feasible

for largescale reactive systems For systems with millions or even just tens of

thousands of lines of co des transcription and other clerical errors guarantee that

the task of pro of construction is b eyond the ability of humans by themselves

Hence we have historically advo cated an alternative automated approach

to reasoning ab out reactive systems cf Em CE One of the more useful

approaches for sp ecifying and reasoning ab out correctness of such systems has

turned out to b e temp oral logic model checking cf CE Em QS

which can provide an ecient and expressive to ol for automatic verication

that a nite state reactive system meets a correctness sp ecication formulated

in prop ositional temp oral logic Empirically it turns out that many systems

of interest either are or can b e usefully mo deled at some level of abstraction

as nite state systems Moreover the prop ositional fragment of temp oral logic

suces to sp ecify their imp ortant correctness prop erties The mo del checking

problem can b e formalized as

The Mo del Checking Problem Given a nite state transition graph M

an initial state s of M and a temp oral logic sp ecication formula f

do es M s j f ie is M at s a mo del of f

0 0

Variant formulations of the mo del checking problem stipulate calculating the set

of all such states s in M where f is true

The remainder of this pap er is organized as follows Section denes the

Mucalculus Section denes certain related logics including CTL The ex

pressiveness of the Mucalculus is discussed in section Algorithms for mo del

checking in the Mucalculus are describ ed in section Section gives some

concluding remarks

The Mucalculus

The prop ositional MuCalculus cf Pa EC Ko provides a least

xpoint op erator and a greatest xpoint op erator which make it p ossible

to give extremal xpoint characterizations of correctness prop erties Intuitively

the MuCalculus makes it p ossible to characterize the mo dalities in terms of

recursively dened treelike patterns For example the assertion that along

all computation paths p will b ecome true eventually can b e characterized as

Z p AX Z the least xp oint of the functional p AX Z where Z is an atomic

prop osition variable intuitively ranging over sets of states and AX denotes the

universal nexttime op erator

We rst give the formal denition of the MuCalculus

Syntax

The formulae of the prop ositional MuCalculus L are those generated by rules

Atomic prop osition constants P Q

Atomic prop osition variables Y Z

E X p where p is any formula

p the negation of formula p

p q the conjunction of formulae p q

These two assertions are related Most prop ositiona l temp oral logics satisfy the nite

mo del prop erty if a sp ecication is satisable it has a nite mo del which may b e

viewed as a system meeting the sp ecication

Y pY where pY is any formula syntactically monotone in the prop osi

tional variable Y ie all o ccurrences of Y in pY fall under an even numb er

of negations

The set of formulae generated by the ab ove rules forms the language L

The other connectives are intro duced as abbreviations in the usual way p q

abbreviates pq p q abbreviates pq p q abbreviates p q q p

AX p abbreviates EX p Y pY abbreviates Y pY etc Intuitively

Y pY Y pY stands for the least greatest resp xp oint of pY E X p

AX p means p is true at some every successor state reachable from the current

state means and etc We use jpj to denote the length ie numb er of

symb ols of p

We say that a formula q is a subformula of a formula p provided that q when

viewed as a sequence of symb ols is a substring of p A subformula q of p is said

to b e proper provided that q is not p itself A toplevel or immediate subformula

is a maximal prop er subformula We use SF p to denote the set of subformulae

of p

The xp oint op erators and are somewhat analogous to the quantiers

and Each o ccurrence of a prop ositional variable Y in a subformula Y pY

or Y pY of a formula is said to b e bound All other o ccurrence are free By

renaming variables if necessary we can assume that the expression Y pY or

Y pY o ccurs at most once for each Y

A sentence or closed formula is a formula that contains no free prop ositional

variables ie every variable is b ound by either or A formula is said to b e

in positive normal form PNF provided that no variable is quantied twice

and all the negations are applied to atomic prop ositions only Note that every

formula can b e put in PNF by driving the negations in as deep as p ossible

using DeMorgans Laws and the dualities Y pY Y pY Y pY

Y pY This can at most double the length of the formula Subsentences

and proper subsentences are dened in the same way as subformulae and prop er

subformulae

Let denote either or If Y is a b ound variable of formula p there is

a unique or subformula Y q Y of p in which Y is quantied Denote this

subformula by Y Y is called a variable if Y Y otherwise Y is called a

variable A subformula subsentence resp is a subformula subsentence

whose main connective is either or We say that q is a toplevel subformula

of p provided q is a prop er subformula of p but not a prop er subformula of

any other subformula of p Finally a basic modality is a sentence that has

no prop er subsentences

Semantics

We are given a set of atomic prop osition constants and a set of atomic

prop osition variables We let AP denote Sentences of the prop ositional

MuCalculus L are interpreted with resp ect to a structure M S R L where

S is the set of states

R is a total binary relation S S ie one where s S t S s t R

and

L S is a lab eling which asso ciates with each state s a set Ls consisting

of all atomic prop osition symb ols in the underlying set of atomic prop ositions

AP intended to b e true at state s

We may view M as a lab eled directed graph with no de set S arc set R and

no de lab els given by L The size of M jM j jS j jRj where jS j is the size of

the state space S the sum over s S of the sizes of Ls and jRj is the numb er

of transitions

S S

The p ower set of S may b e viewed as the complete lattice S

Intuitively we identify a predicate with the set of states which make it

true Thus false which corresp onds to the empty set is the b ottom element

true which corresp onds to S is the top element and implication s S P s

Qs which corresp onds to simple settheoretic containment P Q provides

the partial ordering on the lattice

S S

Let functional b e given then we say that Y is monotonic

provided that P Q implies P Q We say P is a xpoint of functional

0 0 0 00

Y provided P P Fixp oint P is a least xp oint provided that if P is a

0 00 0

xp oint then P P Note that any least xp oint of Y is unique since if P

00 0 00 00 0

and P are least xp oints P P and P P We use Y Y to denote the

least xp oint analogously Y Y denotes the greatest xp oint The existence

of these of these extremal xp oints is guaranteed by the following

S S

Theorem TarskiKnaster Let b e a monotonic functional

Then

a Y Y fY Y Y g fY Y Y g

b Y Y fY Y Y g fY Y Y g

c Y Y false where i ranges over all ordinals of cardinality at

most that of the state space S so that when S is nite i ranges over jS j

Y Y is the union of the following ascending chain of approximations

false false false and

d Y Y true where i ranges over all ordinals of cardinality at

most that of the state space S so that when S is nite i ranges over jS j

Y Y is the intersection of the following descending chain of approxima

tions true true true

A formula p with free variables Y Y is thus interpreted as a mapping

1 n

M S n S

p from to ie it is interpreted as a predicate transformer We write

pY Y to denote that all free variables of p are among Y Y A val

1 n 1 n

uation V denoted V V is an assignment of the subsets of S V V

1 n 1 n

to free variables Y Y resp ectively We use p V to denote the value of p

1 n

on the actual arguments V V cf EC Ko The op erator p is

1 n

dened inductively as follows

P V fs s S and P Lsg for any atomic prop ositional constant

P AP

Y V V

M M M

p q V p V q V

M M

p V S np V

M M

E X p V fs t p V s t Rg

M 0 M 0 0

Y pY V fS S pY S V V S g

1 1 1 2 n

Note that our syntactic restrictions on monotonicity ensure that least as

well as greatest xp oints are welldened

Usually we write M s j p resp ectively M s j pV instead of s p

resp ectively s p V to mean that sentence resp ectively formula p is true

in structure M at state s under valuation V When M is understo o d we write

simply s j p

Temp oral Logics

In this section we dene three representative systems of prop ositional temp oral

logic The system PLTL Prop ositional Linear temp oral logic is the standard

linear time temp oral logic cf Pn MP The branching time logic CTL

Computational Tree Logic allows basic temp oral op erators of the form a path

quantiereither A for all futures or E for some futurefollowed by a

single one of the usual linear temp oral op erators G always F sometime

X nexttime or U until cf CE EC Its syntactic restrictions

limit its expressive p ower so that for example correctness under fair scheduling

assumptions cannot b e expressed We therefore also consider the much richer

language CTL which extends CTL by allowing basic temp oral op erators where

the path quantier A or E is followed by an arbitrary linear time formula

allowing b o olean combinations and nestings over F G X and U cf EH

Syntax

We now give a formal denition of the syntax of CTL We inductively dene

a class of state formulae true or false of states using rules S b elow and a

class of path formulae true or false of paths using rules P b elow

S Each atomic prop osition P is a state formula

S If p q are state formulae then so are p q p

S If p is a path formula then E p Ap are state formulae

P Each state formula is also a path formula

P If p q are path formulae then so are p q p

P If p q are path formulae then so are X p pU q

The set of state formulae generated by the ab ove rules forms the language

CTL The other connectives can then b e intro duced as abbreviations in the

usual way p q abbreviates p q p q abbreviates p q p q abbre

viates p q q p F p abbreviates true U q and Gp abbreviates F p We

1 1

also let p abbreviate GF p innitely often p abbreviate F Gp almost

F G

everywhere and pB q abbreviate pU q b efore

Remark We could take the view that Ap abbreviates E p and give a more

terse syntax in terms of just the primitive op erators E X and U However

the present approach makes it easier to give the syntax of the sublanguage CTL

b elow

The restricted logic CTL is obtained by restricting the syntax to disallow

b o olean combinations and nestings of linear time op erators Formally we replace

rules P by

P If p q are state formulae then X p pU q are path formulae

The set of state formulae generated by rules S and P forms the language

CTL The other b o olean connectives are intro duced as ab ove while the other

temp oral op erators are dened as abbreviations as follows E F p abbreviates

E true U p AGp abbreviates EF p AF p abbreviates Atrue U p and E Gp

abbreviates AF p Note this denition can b e seen to b e consistent with

that of CTL

Finally the set of path formulae generated by rules SP dene the syntax

of the linear time logic PLTL

Semantics

A formula of CTL is interpreted with resp ect to a structure M S R L as

is the Mucalculus

A ful lpath of M is an innite sequence s s s of states such that i

0 1 2

s s R We use the convention that x s s s denotes a fullpath

i i+1 0 1 2

and that x denotes the sux path s s s We write M s j p

i i+1 i+2 0

resp ectively M x j p to mean that state formula p resp ectively path formula

p is true in structure M at state s resp ectively of fullpath x We dene j

inductively as follows

S M s j P i P Ls

0 0

S M s j p q i M s j p and M s j q

0 0 0

M s j p i it is not the case that M s j p

0 0

S M s j E p i fullpath x s s s in M M x j p

0 0 1 2

M s j Ap i fullpath x s s s in M M x j p

0 0 1 2

P M x j p i M s j p

P M x j p q i M x j p and M x j q

M x j p i it is not the case that M x j p

i j

P M x j pU q i i M x j q and j j i implies M x j p

M x j X p i M x j p

A formula of CTL is also interpreted using the CTL semantics using rule

P for path formulae generated by rule P

Similarly a formula of PLTL which is a pure path formula of CTL is

interpreted using the ab ove CTL semantics

We say that a state formula p resp path formula p is valid provided that for

every structure M and every state s resp fullpath x in M we have M s j p

resp M x j p A state formula p resp path formula p is satisable provided

that for some structure M and some state s resp fullpath x in M we have

M s j p resp M x j p

A formula of CTL is a basic modality provided that it is of the form Ap or

E p where p itself contains no As or E s ie p is an arbitrary formula of PLTL

Similarly a basic mo dality of CTL is of the form Aq or E q where q is one of

the single linear temp oral op erators F G X or U applied to pure prop ositional

arguments A CTL resp ectively CTL formula can now b e thought of as b e

ing built up out of b o olean combinations and nestings of basic mo dalities and

atomic prop ositions

Expressiveness

The Mucalculus is of considerable imp ortance for several reasons which overall

relate to its expressiveness First the Mucalculus provides a single elegant uni

form logical framework of great raw expressive p ower that subsumes most mo dal

and temp oral logics of programs and related formalisms Both CTL and CTL

can b e translated into the Mucalculus as well as most other commonly used

mo dal and temp oral logics of programs It can b e shown that the Mucalculus

over innite binary trees coincides in expressive p ower with nite state tree au

tomata in fact Mucalculus formulas are really alternating nite state automata

on innite trees cf EJ Second the semantics of the Mucalculus is rmly

anchored in the fundamental TarskiKnaster theorem and the basic notion of

inductive denability This provides a ready means to do mo del checking ie

check whether a given structure denes a mo del of a given sp ecication as dis

cussed in the next section Finally the translation of most logics and formalisms

turns out to require only small syntactic fragments of the Mucalculus This has

implications for the complexity of mo del checking as also discussed in the next

section

The ab ovementioned syntactic fragments are determined by alternation

depth of a Mucalculus formula Intuitively the alternation depth refers to the

depth of signicant nesting of alternating s and s An alternation of either

of the following forms is insignicant

Y f Y Z g Z or Y f Y Z g Z

as the inner formula is a sentence and is not inuenced by the surrounding

formula of opp osite p olarity In contrast an alternation of either of the

following forms is signicant

Y f Z g Y Z or Y f Z g Y Z

as a free o ccurrence of variable Y app ears within the scop e of Z or a free

o ccurrence of Y o ccurs within the scop e of a Z

We can give the technical denition of the alternation depth adf of formula

f as follows cf EL An We assume that f is initially placed in p ositive

normal form

adP adY for atomic prop osition constants P and variables Y

adf g adf g max fadf adg g

adf adf

adY f max fad Z g Z g is a subformula of f

in which Y o ccurs free g

ad Y f max fadZ g Z g is a subformula of f

in which Y o ccurs free g

Let L denote the MuCalculus L restricted to formulas of alternation

depth at most k Most mo dal or temp oral logics of programs can b e translated

into L or L often succinctly cf EL

1 2

For example b elow we give characterizations of CTL basic mo dalities in

terms of least or greatest xp oints Note that each is a formula of L

EFP Z P EXZ

AGP Z P AX Z

AF P Z P AX Z

E GP Z P EXZ

AP UQ Z Q P AX Z

E P UQ Z Q P EXZ

These xp oint characterizations are simple and plausible They also turn out

to b e imp ortant in applications as they underly the original CTL mo del checking

algorithm of CE as well as the symb olic approaches develop ed later and

discussed in section

Below we sketch representative pro ofs of correctness for some of these xp oint

characterizations cf EC EL We assume that each pro of is conducted

in the context of an arbitrarily chosen underlying structure M

Prop osition EFP Z P EXZ

Pro of idea Let g Z P EXZ Then g false corresp onds to the set of

states from which it is p ossible to reach a state satisfying P by a path of length

at most i states Plainly s satises EFP i s g false for some i ut

Prop osition AGP Z P AX Z

Pro of Idea We use duality interchanging the connective A with E F with

G with with w edg e and X with itself Thus AGP is converted into its

dual EFP while Z P EXZ is converted into its dual Z P AX Z The result

follows by the preceeding prop osition ut

Prop osition AF P Z P AX Z

Pro of Idea Establish the dual claim that E GP Z P EXZ Let f Z

P EXZ First note that E GP is a xp oint of fZ viz E GP f E GP

Now supp ose Y is an arbitrary xp oint of f Z so that Y f Y Let s b e an

arbitrary state of Y As s Y then by virtue of f s is in the set of states

0 0

satisfying P Moreover s has a successor s Y Apply to s the argument

0 1 1

We get an innite computation path comprised of consecutive states s s s

0 1 2

each of which is in Y and also satises P This path witnesses the truth of E GP

at s Thus every state in Y satises E GP and Y is a subset of the set of states

satisfying E GP Hence any xp oint of f is a subset of E GP which must b e

the greatest xp oint thereby establish the dual claim ut

These xp oint characterizations of CTL basic mo dalities provide the key for

translating all of CTL into the Mucalculus viz L EC EL For in

stance the CTL formula AGAF P EFQ can b e seen to b e comprised of basic

mo dalities of the form EF AF and AG Expanding the xp oint characteri

zations and doing appropriate substitutions we get that AGAF P EFQ

0 0

Y Z P AX Z Z Q EXZ AX Y Observe that the result is still

of alternation depth

The translation of CTL into the Mucalculus is more involved Each basic

mo dality of CTL is of the form E h where h is a PLTL formula After rst b eing

converted to an automaton on innite strings h can b e converted an equivalent

0 0

regular expression h cf ES VW E h is readily rendered in L

This p ermits us to translate all of CTL into L as ab ove EL

For example if h is the temp oral logic formula GPUQ the corresp onding

regular expression is P Q denoting the set of all innite strings that are of

this form an innite rep etition of nite strings comprised of nitely many

consecutive P s followed by a single Q Then E P Q Y Z Q EXY

P EXZ If we take P to b e true this prop erty simplies in regular expres

sion notation to E true Q This is equivalent to E Q meaning along some

path Q o ccurs innitely often whose xp oint characterization may b e simpli

ed to Y Z E X Q Y Z in L As suggested such prop erties asso ciated

with fairness can b e expressed in alternation depth In fact they require alter

Q is not expressible by any alternation nation depth It can b e shown that E

depth formula cf EC EL

The existence of these translations witnesses the generality of the Mucalculus

The translations are imp ortant in practice b ecause correctness sp ecications

written in logics such as CTL or CTL are often more readable than sp ecica

tions written directly in the Mucalculus In fact it turns out to b e rather easy to

write down highly inscrutable Mucalculus formulae for which there is no readily

apparent intuition regarding their intended meaning Since Mucalculus formula

are really alternating tree automata p erhaps this is not so surprising After all

even such basic automata as deterministic nite state automata on nite strings

can b e highly complex incomprehensible b owls of spaghetti On the other

hand many Mucalculus characterizations of correctness prop erties are elegant

and the formalism seems to have found increasing favor esp ecially in Europ e

owing to its simple and elegant underlying mathematical structure In any event

many p eople nd that the translations serve to tame the Mucalculus making

its expressive p ower more useful

For many years it was not known if the higher alternation depths form a

true hierarchy of expressive p ower Recently armative solutions to this op en

problem were rep orted in Br and Le In practice it seems to make little

dierence since it do es app ear that everything practical is in alternation depth

However it is of theoretical interest Moreover the question has some b earing

on the complexity of mo del checking in the overall Mucalculus as discussed

Mo del Checking

What has turned out to b e one of the more useful techniques for automated rea

soning ab out reactive systems b egan with the advent of ecient temp oral logic

model checking CE cf Em QS CES The basic idea is that the

global state transition graph of a nite state reactive system denes a Kripke

structure in the sense of temp oral logic cf Pn and we can give an ecient

algorithm for checking if the state graph denes a mo del of a given sp ecication

expressed in an appropriate temp oral logic While earlier work in the proto col

community had addressed the problem of analysis of simple reachability prop

erties mo del checking provided an expressive uniform sp ecication language in

the form of temp oral logic along with a single ecient verication algorithm

which automatically handled a wide variety of correctness prop erties

Taxonomy of Mo del Checking Approaches

It is p ossible to give a rough taxonomy of mo del checking metho ds according to

certain criteria

Explicit State Representation versus Symbolic State Representation In the

explicit state approach the Kripke structure is represented extensionally using

conventional data structures such as adjacency matrices and linked lists so that

each state and transition is enumerated explicitly In contrast in the symb olic

approach b o olean expressions denote large Kripke structures implicitly Typi

cally the data structure involved is that of Binary Decision Diagrams BDDs

which can in many applications although not always manipulate b o olean ex

pressions denoting large sets of states eciently

The distinction b etween explicit state and symb olic representations is to a

large extent an implementation issue rather than a conceptual one The original

mo del checking metho d was based on an algorithm for xp oint computation it

was implemented using explicit state representation The subsequent symb olic

mo del checking metho d uses the same xp oint computation algorithm but now

represents sets of states implicitly However the succinctness of BDD data struc

tures underlying the implementation can make a signicant practical dierence

Global Calculation versus Local Search In the global approach we are given

a structure M and formula f The algorithm calculates f fs M s j f g

the set of all states in M where f is true This necessarily entails examining the

entire structure Global algorithms typically pro ceed by induction on the formula

structure calculating g for the various subformulae g of f The algorithm can

b e presented in recursive form as the recursion unwinds the values of the

shortest subformula are calculated rst then the next shortest etc

In contrast in the lo cal approach we are given a sp ecic state s in M along

with M and f We wish to determine whether M s j f The computation

pro ceeds by p erforming a search of M starting at s The p otential advantage

is that many times in practice only a p ortion of M may need to b e examined

to settle the question In the worst case however it may still b e necessary to

examine all of M cf SW

Monolithic Structures versus Incremental Algorithms To some extent this is

also more of an implementation issue than a conceptual one Again however

it can have signicant practical consequences In the monolithic approach the

entire structure M is built and represented at one time in computer memory

While conceptually simple and consistent with standard conventions for judging

the complexity of graph algorithms in practice this may b e highly undesirable

b ecause the entire graph of M may not t in computer memory at once In

contrast the incremental approach also referred to as the onthey or on

line approach entails building and storing only small p ortions of the graph of

M at any one time cf JT

Extensional Mo del Checking Algorithms

Technically the TarskiKnaster theorem can b e understo o d as providing a sys

tematic basis for mo del checking The sp ecications can b e formulated in the

Mucalculus or in other logics such as CTL which as noted ab ove are readily

translatable into the Mucalculus For example to calculate the states where

the CTL basic mo dality EFP holds in structure M S R L we use the x

p oint characterization EFP Z Z with Z P EXZ We successively

calculate the ascending chain of approximations

2 k

f al se f al se f al se

k k +1

for the least k jS j such that f al se f al se The intuition here

is just that each f al se corresp onds to the set of states which can reach P

within at most distance i thus P is reachable from state s i P is reachable

within i steps from s for some i less than the size of M i s f al se for some

such i less than the size of M This idea can b e easily generalized to provide a

straightforward mo del checking algorithm for all of CTL and even the entire Mu

calculus The TarskiKnaster theorem handles the basic mo dalities Comp ound

formulae built up by nesting and b o olean combinations are handled by recursive

descent

Iterative Fixp oint Algorithms Building on this simple idea of iterative x

p oint calculation using the TarskiKnaster Theorem we can get a numb er of

successively faster global mo del checking algorithms

Naive Algorithm We give b elow an algorithm to calculate given structure

M formula f and valuation V setf fs M s j f V g the set of states in

M where formula f is true under valuation V

k +1

A straightforward implementation runs in time complexity O jM jjf j

for input structure M and input formula p with formulas nested k deep

Basic Algorithm The naive algorithm can b e signicantly improved by utiliz

ing the monotonicity among consecutive least xp oints and consecutive greatest

xp oints together with a simple generalization of the TarskiKnaster theorem

The original algorithm for mo del checking in the Mucalculus cf EL ex

ploited this basic optimization

Initialize all atomic prop osition constants P and variables Y

setP fs M s j P g

setY V Y

Inductively calculate setf using

recursive pro cedure setf

case on the form of f

f P return setf unchanged

f Y return Y unchanged

f E X g return setf fs t S s t R and t setg g

f AX g return setf fs t S s t R implies M t setg g

f g h return setf setg seth

f g return setf S n setg

f Y g Y Y false

repeat

Y Y

Y setg Y

until Y Y

return setf Y

f Y g Y Y true

repeat

Y Y

Y setg Y

until Y Y

return setf Y

endcase

Fig The Naive Algorithm

S S

Theorem Generalized TarskiKnaster Let b e a monotonic

functional Then

a Y Y Y for any Y Y Y Y where i ranges over all

i 0 0 0

ordinals of cardinality at most that of the state space S so that when S is

nite i ranges over jS j Y Y is the union of the following ascending

chain of approximations

Y Y Y and

0 0 0

b Y Y Y for any Y Y Y Y where i ranges over

i 0 0 0

all ordinals of cardinality at most that of the state space S so that when

S is nite i ranges over jS j Y Y is the intersection of the following

descending chain of approximations Y Y Y

0 0 0

Let us rst consider a formula with alternating s and s For example

Y f Y Z g Y Z can take jM j iterations of Y Initially Y true Each sub

i+1 i i

sequent iteration Y f Y Z g Y Z involves calculating an ascending

chain of iterations of Z starting with Z false of length up to jM j Thus in

total Z is iterated jM j times

Now consider Y f Y Z g Y Z where there are consecutive nested s

but no alternation of s and s It can b e computed as ab ove resetting Z

to false each time the outer Y changes In the ab ove case this resetting is

apparently essential b ecause Y is shrinking while Z is growing In this case

however monotonicity ensures that b oth Y and Z are growing so that it is

unnecessary to reset Z to false when Z changes Let

Y false

i+1 i i

Y f Y Z g Y Z

i0 i

Z the initial value of Z in the context of Y

ij +1 i j

Z g Y Z

i i+1

We use Y to denote the rst Y Y where Y stabilizes and similarly

for Z

0 00

The computation pro ceeds as follows Y Z false initially To compute

1 0 0 0 0

Y f Y Z g Y Z one computes Z g Y Z as the limit Z of the

00 01 0 0 +1

ascending chain of approximations false Z Z Z Z

2 1 1

and then applies f To compute Y f Y Z g Y Z one must compute

Z g Y Z One way to do this entails simply computing an ascending chain

10 1 1 1 +1

of approximations false Z Z Z Z and then ap

0 1

plies f having reinitialized Z to false However since Y Y by mono

0 0 1 0 0 0

tonicity Z Z g Y Z Z g Y Z Moreover Z g Y Z

1 0

g Y Z Hence by the generalized TarskiKnaster Theorem we are p ermit

1 10 0

ted to start the computation of Z g Y Z with Z Z In general we

i i+1 i i i i+1 i

have Z g Y Z Z g Y Z and Z g Y Z g Y Z so

i+10 i

that we can take Z Z On this basis we see that not only are at most

jM j iterations required for Y but also at most jM j iterations for Z

This algorithm can b e straightforwardly implemented to run in time O jM j

ad+1 ad

jf j and space O jM j jf j This can b e improved to O jM j jf j by

i+1

n avoiding redundant computation computing the successive dierences Y

i 2

Deluxe Algorithm More extensive monotonicity considerations can b e ex

ploited cf Lo for yet more improvement The key idea is that in a formula

f such as

Y Z Y Z Y g Y Z Y Z Y

1 1 2 2 n 1 1 2 2 n

of alternation depth ad n the variables turn out to b e monotonic with

With b etter accounting we can obtain sharp er multiparameter b ounds such as

ad1

O jS j jRj jf j but these are adequate for our exp osition

resp ect to each other and the innermost variable is monotonic in its various

instantiations For instance in computing the formula Y Z Y g Y Z Y

1 1 2 1 2 2

ij i+1j

i+1

with ad we have Y g Y Z Y Y g Y Z Y and we can

2 2 2 2

1 1 1 1

i+10 i

avoid reinitializing Y by taking Y Y What varies as the computation

2 2

pro ceeds are the numb er of iterations of surrounding variables For a xed

tuple of variable indices the numb er of iterations of the innermost variable

ad2

is jM j The numb er of such tuples is ab out jM j So the dominant term in the

1+ad2

complexity corresp onds to ab out jM j iterations This can b e implemented

2+ad2

to run in time at most O jM j jf j However a careful examination

reveals that an exp onential numb er of intermediate results roughly prop ortional

to the numb er of tuples of indices must b e stored Thus the space complexity

is also exp onential

While this algorithm is of theoretical interest it should b e noted that the

O (ad)

time complexity is still jM j jf j as is the basic algorithm ab ove Moreover

the exp onential space complexity here do es not compare favorably with the p oly

nomial space complexity of the basic algorithm Exp onential space complexity

is esp ecially problematic in practice b ecause it is usually the space complexity

rather than the time complexity that is the limiting factor For most applica

tions if the computation will not even t within main computer memory then

p erforming it quickly is out of the question For formulas of alternation depth

or this algorithm thus yields no advantage Since no practical example of

a correctness prop erty requiring alternation depth or more is known it is not

clear that there is ever an actual situation where the algorithm could b e helpful

Still it provides mathematical insight into the nature of the Mucalculus

Other Algorithms There are a variety of other typ es of extensional mo del

checking algorithms which we will just briey discuss In contrast to the b ottom

up iterative approaches ab ove which are asso ciated with global mo del checking

in which satisfaction of xp oints radiates outward we also have top down

approaches which are asso ciated with lo cal mo del checking For instance given

a sp ecic state s in structure M if we wish to know whether M s j AF Q

0 0

we p erform a depth rst search starting at s keeping on the stack the sequence

of states visited if a cycle is detected without seeing Q then AF Q is false

Otherwise the search will eventually return AF Q to b e true

A related approach is to form the pro duct of jM j with the syntax diagram of

jf j and view the result as a tree automaton Then test the tree automaton for

nonemptiness Testing it for nonemptiness can b e done by mo del checking cer

tain restricted formulas EJS cf BVW The tree automaton approach

captures the essence of the boolean graph approach cf CS An since

the b o olean ANDOR graphs corresp ond to the transition diagrams of tree au

tomata

Complexity of Explicit State Mo del Checking

The complexity results we summarize here are for explicit state mo del checking

The b est known algorithm corresp onds to the deluxe algorithm ab ove It is exp o

nential time in the worst case but p olynomial time for any b ounded alternation

depth Since all practical correctness prop erties seem to b e of alternation depth

or we have a low order p olynomial time algorithm as explained ab ove

Litchenstein and Pnueli advanced the following argument cf LP in

practice it is typically the structure size rather than the formula size that is the

dominant factor in the complexity b ecause structures are usually extremely large

while sp ecications are often rather short Hence it is highly desirable to have

an algorithm whose complexity grows linearly in the structure size while even

exp onential growth in the sp ecication size may b e tolerable For CTL and L

we can get algorithms of time and space complexity O jM j jf j which is linear in

the size of b oth inputs cf CES CS For CTL the problem is PSPACE

complete and we can get a mo del checker of time complexity O jM j expjf j

EL cf LP

Among signicant unsolved problems with practical implications we thus

have

Op en Question Is there a mo del checking algorithm for L that runs in

time linear in the structure size

Finally terms of complexity classes we have this following result EJS cf

BVW Lo Va

Prop osition Mo del checking in the Mucalculus is in NP coNP

Pro of idea Given structure M and formula f guess an annotation of M with

the subformulae of f true at each state this annotation also provides a rank for

each variable Y indicating how many times the asso ciated formula Y g Y

is unwound These ranks corresp ond to the indices in the TarskiKnaster se

quence of approximations Thus we might have ranked variable Y which is

4 4 3

equivalent to g Y at state s dep ending on Y equivalent to g Y at state t

dep ending on Y at state u and so forth the dep ending on relation should b e

wellfounded as Y g Y is a least xp oint and can only b e unwound a a b ounded

viz jM j times In general the ranks will b e tuples of natural numb ers each

tuple is of length at most jf j and each tuple comp onent is a natural numb er of

value at most jM j The ranks are ordered lexicographically After guessing the

ranked threaded annotation simply verify that it is wellfounded This shows

memb ership in NP Memb ership in coNP follows from the fact that the Mu

calculus is trivially closed under complementation ut

Op en Question Is there a p olynomial mo del checking algorithm for the

entire Mucalculus over extensionally represented structures

State Explosion

We emphasize that the ab ove discussion fo cuses on extensional mo del checking

where it is assumed that the structure M including all of its no des and arcs

explicitly represented using data structures such as adjacency lists or adjacency

matrices An obvious limitation then is the combinatorial state explosion prob

lem Given a reactive system comp osed on n sequential pro cesses running in

parallel its global state graph will b e essentially the pro duct of the individual

lo cal pro cess state graphs The numb er of global states thus grows exp onentially

in n For particular systems it may happ en that the nal global state graph is of

a tractable size say a few hundred thousand states plus transitions A numb er of

practical systems can b e mo deled at a useful level of abstraction by state graphs

of this size and extensional mo del checking can b e a helpful to ol

On the other hand it can quickly b ecome infeasible to represent the global

state graph for large n Even a banking network with automatic teller ma

chines each having just lo cal states could yield a global state graph of astro

100

nomical size amounting to ab out states

Plainly for such astronomical size systems it is out of the question to p erform

mo del checking over them even using algorithms that run in time and space linear

in the size of the state space Various approaches to ameliorating state explo

sion are currently under investigations One approach is to use abstraction The

basic idea here is to replace a large detailed system M by a small less detailed

system M where inessential information has b een suppressed If an appropriate

corresp ondence b etween the large and small systems can b e established then

correctness of the small system may b e used to ensure correctness of the large

system For instance supp ose there is a homomorphism h M M such that

s and hs agree on atomic prop ositions in linear time formula f and such that if

s t is a transition in M then hs ht is a transition in M We may then

conclude that if there is a path satisfying f in M then there is an image path

0 0

satisfying f in M Hence if in the small system M hs j Af then in the

large system M s j Af Another approach is to represent transition relations

and sets of states symb olically as decrib ed b elow

Symb olic Approaches

A noteworthy advance has b een the intro duction of symbolic mo del checking

techniques cf McM BCMDH Pi CM which are in practice

often able to succinctly represent and mo del check over state graphs of size

100

states and even considerably larger The basic algorithms used for sym

b olic mo del checking are the same as those used for extensional mo del checking

and are based on iterative calculation of a representation of the set of states

where each temp oral basic mo dality holds using xp oint computation justied

by the TarskiKnaster Theorem The key distinction is that the state graph of

the Kripke structure and sets of states where formulae are true in it are repre

sented in terms of a b o olean characteristic function which is in turn represented

by an ordered Binary Decision Diagram BDD cf Br These BDDs can

in practice b e extremely succinct BDDbased mo del checkers have b een remark

ably eective and useful for debugging and verication of hardware circuits For

reasons not well understo o d BDDs are often able to exploit the regularity that is

readily apparent even to the human eye in many hardware designs Because soft

ware typically lacks this regularity BDDbased mo del checking seems much less

helpful for software verication We refer the reader to McM for an extended

account of the utility of BDDs in hardware verication

It should b e emphasized however that BDD based mo del checking metho ds

are in worst case still intractably inecient On the one hand for some struc

tures M of astronomical size there are small BDDs representing them and this

is exploited in applications as noted ab ove But for other structures M some

times those derived from applications such as software the BDD representation

is intractably large Plainly a counting argument shows that most structures do

not have a small BDD representation In any event checking simple graph reach

ability in a structure M e g M s j EFQ where M is represented by a BDD

is PSPACEcomplete cf GW Br The disparity b etween theoretical

worst case results for symb olic checking and its surprisingly go o d p erformance

in practice has so far militated against the development of an asso ciated com

plexity theory for this application

Debugging versus Verication

Mo del checkers are a typ e of decision pro cedure and provide yesno answers It

turns out that in practice mo del checkers are often used for debugging as well

as verication In industrial environments it seems that the capacity of a mo del

checker to function as a debugger is p erhaps b etter appreciated than their utility

as a to ol for verifying correctness

Consider the empirical fact that most designs are initially wrong and must

go through a sequence of correctionsrenements b efore a truly correct design is

nally achieved Supp ose one asp ect of correctness that we wish to check is that

a simple invariance prop erty of the form AGgood holds provided the system M

is started in the obviously good initial state s It seems quite likely that the

invariance may in fact not hold of the initial faulty design due to conceptually

minor but tricky errors in the ne details Thus during many iterations of the

design pro cess we have that in fact M s j EF good

It would b e desirable to circumvent the global strategy of examining all of

M to calculate the set EF good and then checking whether s is a memb er of

that set If there do es exist a good state reachable from s once it is detected it

is no longer necessary to continue the search examining M This is the heuristic

motivating lo cal mo del checking algorithms Many of them involve searching

from the start state s lo oking for conrming or refuting states or cycles once

found the algorithm can terminate often prematurely having determined that

the formula must b e true or must b e false at s on the basis of the p ortion M

examined during the limited search

Of course it may b e that all states must b e examined b efore nding a refu

tation to AGgood Certainly once a truly correct design is achieved all states

reachable from s must b e examined But in many practical cases a refutation

may b e found quickly after limited search

We note in passing that some symb olic mo del checkers have b een adapted to

provide some sort of counter example facility for debugging

Conclusion

Reactive systems are b ecoming increasingly imp ortant in our so ciety There is

an undeniable and growing need to nd eective metho ds of constructing cor

rect reactive systems One factor these systems have in common b eyond their

nondeterministic ongoing reactive nature is that they are highly complex even

though they are typically nite state While it may b e relatively easy to express

informally and in general terms what such a system is supp osed to do eg pro

vide an air trac control system it app ears quite dicult to provide a formal

sp ecication of correct b ehavior and to prove that the implementation actually

satises the sp ecication The Mucalculus and asso ciated temp oral logics such

as CTL provide a go o d handle on precisely stating just what b ehavior is to o ccur

when at a variety of levels of detail The fully automated typ e of reasoning pro

vided by mo del checking provides a convenient to ol for b oth verifying correctness

and for automatic debugging Moreover a numb er of interesting mathematical

problems arise in connection with mo del checking in the Mucalculus

Acknowledgments This work was supp orted in part by NSF grant CCR

and by SRC contract DP

We thank Neil Immerman Kedar Namjoshi Richard Treer and Moshe Vardi

for most helpful comments

References

An Anderson H R Verication of Temp oral Prop erties of Concurrent Sys

tems Ph D Dissertation Computer Science Department Aarhus Univ

Denmark June

BVW Bernholtz O Vardi M and Wolp er P An Automatatheoretic Ap

proach to Branching Time Mo del Checking Computer Aided Verication

Conference CAV pp June

Br Bradeld J The Mucalculus Alternation Hierarchy is Strict to app ear

in CONCUR

BFHRR Boua jjani A Fernandez J Halbwichs N Raymond P and Ratel C

Minimal State Graph Generation Science of Computer Programming

BS Bradeld J and Stirling C Lo cal Mo del Checking for Innite State

Spaces Theor Comp Sci vol pp

BCD Browne M Clarke E M and Dill D Checking the Correctness of

sequential Circuits Pro c IEEE Int Conf Comput Design Port

Chester NY pp

BCDMa Browne M Clarke E M and Dill D and Mishra B Automatic ver

ication of sequential circuits using Temp oral Logic IEEE Trans Comp

C pp

Br Bryant R Graphbased algorithms for b o olean function manipulatio n

IEEE Trans on Computers C

BCMDH Burch J Clarke E McMillan M Dill D and Hwang L Symb olic

Mo del Checking States and Beyond Pro ceedings of th Annual

IEEECS Symp osium on Logic in Computer Science pp June

CE Clarke E M and Emerson E A Design and Synthesis of Synchroniza

tion Skeletons using Branching Time Temp oral Logic Logics of Programs

Workshop IBM Yorktown Heights New York Springer LNCS no

pp May

CES Clarke E M Emerson E A and Sistla A P Automatic Verication

of Finite State Concurrent System Using Temp oral Logic th ACM

Symp on Principles of Prog Lang Jan journal version app ears in

ACM Trans on Prog Lang and Sys vol no pp April

CFJ Clarke E M Filkorn T Jha S Exploiting Symmetry in Temp oral

Logic Mo del Checking th International Conference on Computer Aided

Verication Crete Greece June

CS Cleaveland R and Stean B A LinearTime Mo delChecking Algorithm

for the AlternationFree Mo dal Mucalculus Formal Metho ds in System

Design vol no pp April

Cl Cleaveland R Analyzing Concurrent Systems using the Concurrency

Workb ench Functional Programming Concurrency Simulation and Au

tomated Reasoning Springer LNCS no pp

CM Coudert O and Madre J C Verifying Temp oral Prop erties of Sequen

tial Machines without building their State Diagrams Computer Aided

Verication E M Clarke and R P Kurshan eds DIMACS Series

pp June

DGG Dams D Grumb erg O and Gerth R Generation of Reduced Mo dels

for checking fragments of CTL CAV Springer LNCS no

DC Dill D and Clarke EM Automatic Verication of Asynchronous Cir

cuits using Temp oral Logic IEEE Pro c Pt E pp

Em Emerson E A Branching Time Temp oral Logics and the Design of

Correct Concurrent Programs Ph D Dissertation Division of Applied

Sciences Harvard University August

EC Emerson E A and Clarke E M Characterizing Correctness Prop

erties of Parallel Programs as Fixp oints Pro c th Int Collo quium on

Automata Languages and Programming Lecture Notes in Computer

Science SpringerVerlag

EH Emerson E A and Halp ern J Y Sometimes and Not Never Revis

ited On Branching versus Linear Time Temp oral Logic JACM vol

no pp Jan

EJ Emerson E A and Jutla C S Tree Automata MuCalculus and

Determinacy Proc rd IEEE Symp on Found of Comp Sci

EJS Emerson E A Jutla C S and Sistla A P On Mo del Checking for

Fragments of the Mucalculus Pro c of th Inter Conf on Computer

Aided Verication Elounda Greece Springer LNCS no pp

EL Emerson E A and Lei CL Ecient Mo del Checking in Fragments

of the Mucalculus IEEE Symp on Logic in Computer Science LICS

Cambridge Mass June

EL Emerson E A and Lei CLm Mo dalities for Mo del Checking Branch

ing Time Strikes Back pp ACM POPL journal version app ears

in Sci Comp Prog vol pp

ES Emerson E A and Sistla A P Symmetry and Mo del Checking th

International Conference on Computer Aided Verication Crete Greece

June full version to app ear in Formal Methods in System Design

ES Emerson E A and Sistla A P Deciding Branching Time Logic Logics

of Programs Workshop Springer LNCS no pp

Em Emerson E A Temp oral and Mo dal Logic in Handb o ok of Theoretical

Computer Science vol B J van Leeuwen ed ElsevierNorthHoll and

GW Galp erin H and Wigderson A Succinct Representation of Graphs In

formation and Control vol pp

GS German S M and Sistla A P Reasoning ab out Systems with many

Pro cesses Journal of the ACM July Vol No pp

Ho Hoare C A R Communicating Sequential Pro cesses CACM vol

no pp

JT Jard C and Thierron J Online mo del checking for Finite Linear Time

Sp ecications International Workshop on Automatic Verication Meth

o ds for Finite State Systems LNCS

Ko Kozen D Results on the Prop ositiona l MuCalculus Theor Comp Sci

pp Dec

KT Kozen D and Tiuryn J Logics of Programs in Handb o ok of Theoretical

Computer Science J van Leeuwen ed ElsevierNorthHoll an d

Ku Kurshan R P Testing Containment of omegaregular Languages Bell

Labs Tech Rep ort conference version in R P

Kurshan Reducibil i ty in Analysis of Co ordination LNCIS

SpringerVerlag

Ku Kurshan R P ComputerAided Verication of Coordinating Processes

The AutomataTheoretic Approach Princeton University Press Princeton

New Jersey

LR Ladner R and Reif J The Logic of Distributed Proto cols in Pro c of

Conf On Theor Asp ects of reasoning ab out Knowledge ed J Halp ern

pp Los Altos Cal Morgan Kaufmann

La Lamp ort L Sometimes is Sometimes Not Neveron the Temp oral

Logic of programs th Annual ACM Symp on Principles of Programming

Languages pp

La Lamp ort L What Go o d is Temp oral Logic Pro c IFIP pp

Le Lenzi G A Hierarchy Theorem for the Mucalculus to app ear ICALP

LP Litchtenstein O and Pnueli A Checking That Finite State Concurrent

Programs Satisfy Their Linear Sp ecications POPL pp Jan

Lo Long D Browne A Clarke E Jha S Marrero W An Improved

Algorithm for the Evaluation of Fixp oint Expressions Pro c of th Inter

Conf on Computer Aided Verication Stanford Springer LNCS no

June

MP Manna Z and Pnueli A Temp oral Logic of Reactive and Concurrent

Systems Sp ecication SpringerVerlag

McM McMillan K Symb olic Mo del Checking An Approach to the State Ex

plosion Problem Ph D Thesis CarnegieMellon University

Niw Niwinski D unpublish ed manuscript

Niw Niwinski D Fixed Points versus Innite Generation Pro c rd IEEE

Symp on Logic in Computer Science pp

Pa Park D Fixp oint Induction and Pro of of Program Semantics in Machine

Intelligence eds B Meltzer and D Michie vol pp Edinburgh

Univ Press Edinburgh

Pi Pixley C A Computational Theory and Implementation of Sequen

tial Hardware Equivalence CAV DIMACS series vol also DIMACS

Tech Rep ort June

Pi Pixley C A Theory and Implementation of Sequential Hardware Equiv

alence IEEE Transactions on ComputerAided Design pp

vol no

Pn Pnueli A The Temp oral Logic of Programs th annual IEEECS Symp

on Foundations of Computer Science pp

Pn Pnueli A The Temp oral Semantics of Concurrent Programs Theor

Comp Sci vol pp

Pr Pratt V A Decidable MuCalculus nd Annual IEEECS Symp osium

on Foundations of Computer Science pp May

QS Queille J P and Sifakis J Sp ecication and verication of concurrent

programs in CESAR Pro c th Int Symp Prog Springer LNCS no

deR de Ro ever W P Recursive Program Schemes Semantics and Pro of The

ory Math Centre Tracts no Amsterdam

SW Stirling C and Walker D Lo cal Mo del Checking in the Mucalculus

pp Springer LNCS no

St Stirling C Mo dal and Temp oral Logics in Handb o ok of Logic in Com

puter Science D Gabbay ed Oxford

Ta Tarksi A A LatticeTheoretical Fixp oint Theorem and its Application s

Pacic J Math pp

Va Vardi M On the Complexity of Bounded Variable Queries Pro ceedings

of the th ACM Sympsium on Principles of Database Symp osium June

Va Vardi M Why is Mo dal Logic So Decidable This Volume

VW Vardi M Y and Wolp er P Yet Another Pro cess Logic Logics of Pro

grams Workshop Springer LNCS no pp June

VW Vardi M Y and Wolp er P Automata Theoretic Techniques for Mo dal

Logics of Programs STOC journal version in JCSS vol pp

VW Vardi M Y and Wolp er P An Automatatheoretic Approach to Au

tomatic Program Verication Pro c IEEE LICS pp

This article was pro cessed using the L T X macro package with LLNCS style