
Model Checking and the Mu-calculus

E. Allen Emerson
University of Texas at Austin, Austin, TX, USA

Abstract

There is a growing recognition of the need to apply formal mathematical methods in the design of high confidence computing systems. Such systems operate in safety critical contexts (e.g., air traffic control systems) or where errors could have major adverse economic consequences (e.g., banking networks). The problem is especially acute in the design of many reactive systems, which must exhibit correct ongoing behavior yet are not amenable to thorough testing due to their inherently nondeterministic nature. One useful approach for specifying and reasoning about correctness of such systems is temporal logic model checking, which can provide an efficient and expressive tool for automatic verification that a finite state system meets a correctness specification formulated in temporal logic. We describe model checking algorithms and discuss their application. To do this we focus attention on a particularly important type of temporal logic known as the Mu-calculus.

Introduction

There is a growing need for reliable methods of designing correct reactive systems. These systems are characterized by ongoing, typically nonterminating, and highly nondeterministic behavior. Often such systems amount to parallel or distributed programs. Examples include operating systems, network protocols, and air traffic control systems.

There is nowadays widespread agreement that some type of temporal logic [Pn] provides an extremely useful framework for reasoning about reactive programs. Basic temporal operators such as sometimes (F), always (G), and nexttime (X) make it possible to easily express many important correctness properties; e.g., G(sent ⇒ F received) asserts that whenever a message is sent it is eventually received. When we introduce path quantifiers A, E, meaning "for all possible future computations" and "for some possible future computation" respectively, we can distinguish between the inevitability of events (AF P) and their potentiality (EF P). Such a system is referred to as a branching time temporal logic. One commonly used branching time logic is CTL (Computation Tree Logic) (cf. [EC], [CE]). Another branching time logic is the propositional Mu-calculus [Ko] (cf. [EC], [Pr]). The Mu-calculus may be thought of as extending CTL with a least fixpoint and a greatest fixpoint operator. We note that EF P ≡ P ∨ EX EF P, so that EF P is a fixed point (also known as a fixpoint) of the expression P ∨ EX Y, viewed as a function of Y. In fact EF P is the least fixpoint, i.e., the least Y such that Y ≡ P ∨ EX Y. The least fixpoint of such an expression p(Y) is ordinarily denoted as μY.p(Y).

As this example suggests, not all of CTL is needed as a basis for the Mu-calculus, which can instead be defined in terms of atomic proposition constants and variables (P, Y, ...), boolean connectives (∧, ¬), nexttime operators (AX, EX), and finally least and greatest fixpoint operators (μ, ν). The rest of the CTL operators can be defined in terms of these surprisingly simple primitives. In fact, most modal and temporal logics of interest can be defined in terms of the Mu-calculus. In this way it provides a single, simple, and uniform framework subsuming most other logics of interest for reasoning about reactive systems (cf. [EL]).

The classical approach to the use of temporal logic for reasoning about reactive programs is a manual one, where one is obliged to construct by hand a proof of program correctness using axioms and inference rules in a deductive system. A desirable aspect of some such proof systems is that they may be formulated so as to be compositional, which facilitates development of a program hand in hand with its proof of correctness by systematically composing together proofs of constituent subprograms. Even so, manual proof construction can be extremely tedious and error prone due to the large number of details that must be attended to. Hence correct proofs for large programs are often very difficult to construct and to organize in an intellectually manageable fashion. It seems clear that it is unrealistic to expect manual proof construction to be feasible for large-scale reactive systems. For systems with millions, or even just tens of thousands, of lines of code, transcription and other clerical errors guarantee that the task of proof construction is beyond the ability of humans by themselves.

Hence we have historically advocated an alternative, automated approach to reasoning about reactive systems (cf. [Em], [CE]). One of the more useful approaches for specifying and reasoning about correctness of such systems has turned out to be temporal logic model checking (cf. [CE], [Em], [QS]), which can provide an efficient and expressive tool for automatic verification that a finite state reactive system meets a correctness specification formulated in propositional temporal logic. Empirically, it turns out that many systems of interest either are, or can be usefully modeled at some level of abstraction as, finite state systems. Moreover, the propositional fragment of temporal logic¹ suffices to specify their important correctness properties. The model checking problem can be formalized as:

The Model Checking Problem: Given a finite state transition graph M, an initial state s0 of M, and a temporal logic specification formula f0, does M, s0 ⊨ f0, i.e., is M at s0 a model of f0?

Variant formulations of the model checking problem stipulate calculating the set of all such states s in M where f0 is true.

¹ These two assertions are related. Most propositional temporal logics satisfy the finite model property: if a specification is satisfiable, it has a finite model, which may be viewed as a system meeting the specification.

The remainder of this paper is organized as follows. The next section defines the Mu-calculus. The section after that defines certain related logics, including CTL. The expressiveness of the Mu-calculus is then discussed, after which algorithms for model checking in the Mu-calculus are described. The final section gives some concluding remarks.

The Mu-calculus

The propositional Mu-Calculus (cf. [Pa], [EC], [Ko]) provides a least fixpoint operator (μ) and a greatest fixpoint operator (ν), which make it possible to give extremal fixpoint characterizations of correctness properties. Intuitively, the Mu-Calculus makes it possible to characterize the modalities in terms of recursively defined tree-like patterns. For example, the assertion that along all computation paths p will become true eventually can be characterized as μZ.(p ∨ AX Z), the least fixpoint of the functional p ∨ AX Z, where Z is an atomic proposition variable (intuitively ranging over sets of states) and AX denotes the universal nexttime operator. We first give the formal definition of the Mu-Calculus.

Syntax

The formulae of the propositional Mu-Calculus L are those generated by rules (1) to (6):

(1) Atomic proposition constants P, Q, ...
(2) Atomic proposition variables Y, Z, ...
(3) EX p, where p is any formula.
(4) ¬p, the negation of formula p.
(5) p ∧ q, the conjunction of formulae p, q.
(6) μY.p(Y), where p(Y) is any formula syntactically monotone in the propositional variable Y, i.e., all occurrences of Y in p(Y) fall under an even number of negations.

The set of formulae generated by the above rules forms the language L. The other connectives are introduced as abbreviations in the usual way: p ∨ q abbreviates ¬(¬p ∧ ¬q), p ⇒ q abbreviates ¬p ∨ q, p ⇔ q abbreviates (p ⇒ q) ∧ (q ⇒ p), AX p abbreviates ¬EX ¬p, νY.p(Y) abbreviates ¬μY.¬p(¬Y), etc. Intuitively, μY.p(Y) (νY.p(Y)) stands for the least (greatest, resp.) fixpoint of p(Y); EX p (AX p) means p is true at some (every) successor state reachable from the current state; ∧ means "and"; etc.

We use |p| to denote the length (i.e., number of symbols) of p. We say that a formula q is a subformula of a formula p provided that q, when viewed as a sequence of symbols, is a substring of p. A subformula q of p is said to be proper provided that q is not p itself. A top-level (or immediate) subformula is a maximal proper subformula. We use SF(p) to denote the set of subformulae of p.

The fixpoint operators μ and ν are somewhat analogous to the quantifiers ∃ and ∀. Each occurrence of a propositional variable Y in a subformula μY.p(Y) or νY.p(Y) of a formula is said to be bound. All other occurrences are free. By renaming variables if necessary, we can assume that the expression μY.p(Y) (or νY.p(Y)) occurs at most once for each Y. A sentence (or closed formula) is a formula that contains no free propositional variables, i.e., every variable is bound by either μ or ν. A formula is said to be in positive normal form (PNF) provided that no variable is quantified twice and all the negations are applied to atomic propositions only. Note that every formula can be put in PNF by driving the negations in as deep as possible using DeMorgan's Laws and the dualities ¬μY.p(Y) ≡ νY.¬p(¬Y) and ¬νY.p(Y) ≡ μY.¬p(¬Y). This can at most double the length of the formula. Subsentences and proper subsentences are defined in the same way as subformulae and proper subformulae.

Let σ denote either μ or ν. If Y is a bound variable of formula p, there is a unique μ- or ν-subformula σY.q(Y) of p in which Y is quantified. Denote this subformula by σY. Y is called a μ-variable if σ is μ; otherwise Y is called a ν-variable. A σ-subformula (σ-subsentence, resp.) is a subformula (subsentence) whose main connective is either μ or ν. We say that q is a top-level σ-subformula of p provided q is a proper σ-subformula of p but not a proper subformula of any other σ-subformula of p. Finally, a basic modality is a σ-sentence that has no proper σ-subsentences.

Semantics

We are given a set of atomic proposition constants and a set of atomic proposition variables. We let AP denote the set of all atomic propositions, constants and variables together. Sentences of the propositional Mu-Calculus L are interpreted with respect to a structure M
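The following Python is an added example, not code from Emerson's paper. It ties together three passages above: the fixpoint characterisations EF P ≡ μY.(P ∨ EX Y) and AF p ≡ μZ.(p ∨ AX Z), the Model Checking Problem (does M, s0 ⊨ f0, and at which states is f0 true), and the positive-normal-form transformation using DeMorgan's laws, the AX/EX duality and ¬μY.p(Y) ≡ νY.¬p(¬Y). Fixpoints are computed by iterating the body from the empty set (μ) or from all states (ν), which is correct because the structure is finite and the body is syntactically monotone in the bound variable; the monotonicity check is also implemented. The tuple encoding of formulas, the function names, and the four-state "sent / received / retry" structure are constructed for this example and are not from the paper.

```python
# Added example, not code from Emerson's paper: a small model checker for the
# propositional Mu-calculus over a finite state transition graph, plus the
# positive-normal-form (PNF) transformation described in the Syntax section.
# Formulas are nested tuples:  ('atom','P') ('var','Y') ('not',p) ('and',p,q)
# ('or',p,q) ('ex',p) ('ax',p) ('mu','Y',p) ('nu','Y',p).  Only atom, var, not,
# and, ex and mu are primitives; the others are the paper's abbreviations.

def sat(M, f, env=None):
    """Set of states of the structure M = (states, succ, label) satisfying f.
    env maps free proposition variables to the sets of states they stand for."""
    states, succ, label = M
    env = env or {}
    k = f[0]
    if k == 'atom':
        return {s for s in states if f[1] in label[s]}
    if k == 'var':
        return set(env[f[1]])
    if k == 'not':
        return set(states) - sat(M, f[1], env)
    if k == 'and':
        return sat(M, f[1], env) & sat(M, f[2], env)
    if k == 'or':
        return sat(M, f[1], env) | sat(M, f[2], env)
    if k == 'ex':                                  # p true at SOME successor
        S = sat(M, f[1], env)
        return {s for s in states if succ[s] & S}
    if k == 'ax':                                  # AX p abbreviates ¬EX ¬p
        return sat(M, ('not', ('ex', ('not', f[1]))), env)
    # mu / nu: iterate the body from the empty set (least) or from all states
    # (greatest).  Syntactic monotonicity makes the iterates a chain, and the
    # finiteness of M makes the chain stabilise within |states| rounds.
    cur = set() if k == 'mu' else set(states)
    while True:
        nxt = sat(M, f[2], {**env, f[1]: cur})
        if nxt == cur:
            return cur
        cur = nxt

def model_check(M, s0, f):
    """The Model Checking Problem: does M, s0 |= f ?"""
    return s0 in sat(M, f)

def monotone_in(f, Y, negs=0):
    """Side condition on mu Y.p(Y): every occurrence of Y lies under an even
    number of negations (AX counts as ¬EX¬, which preserves parity)."""
    k = f[0]
    if k == 'var':
        return f[1] != Y or negs % 2 == 0
    if k == 'atom':
        return True
    if k == 'not':
        return monotone_in(f[1], Y, negs + 1)
    if k in ('and', 'or'):
        return monotone_in(f[1], Y, negs) and monotone_in(f[2], Y, negs)
    if k in ('ex', 'ax'):
        return monotone_in(f[1], Y, negs)
    return f[1] == Y or monotone_in(f[2], Y, negs)       # mu / nu rebinding Y

def subst(f, Y, r):
    """Replace free occurrences of variable Y in f by the formula r."""
    k = f[0]
    if k == 'var':
        return r if f[1] == Y else f
    if k == 'atom' or (k in ('mu', 'nu') and f[1] == Y):
        return f
    if k in ('mu', 'nu'):
        return (k, f[1], subst(f[2], Y, r))
    return (k,) + tuple(subst(g, Y, r) for g in f[1:])

def pnf(f):
    """Drive negations down to atoms with DeMorgan's laws, the AX/EX duality,
    and ¬mu Y.p(Y) ≡ nu Y.¬p(¬Y) / ¬nu Y.p(Y) ≡ mu Y.¬p(¬Y)."""
    k = f[0]
    if k in ('atom', 'var'):
        return f
    if k != 'not':
        return (k, f[1], pnf(f[2])) if k in ('mu', 'nu') else (k,) + tuple(map(pnf, f[1:]))
    g = f[1]; h = g[0]
    if h in ('atom', 'var'):
        return f
    if h == 'not':
        return pnf(g[1])
    if h in ('and', 'or'):
        return ('or' if h == 'and' else 'and', pnf(('not', g[1])), pnf(('not', g[2])))
    if h in ('ex', 'ax'):
        return ('ax' if h == 'ex' else 'ex', pnf(('not', g[1])))
    Y = g[1]                                      # h is mu or nu: apply the duality
    return ('nu' if h == 'mu' else 'mu', Y, pnf(('not', subst(g[2], Y, ('not', ('var', Y))))))

# Constructed structure (not from the paper): once a message is sent it is
# either received or retried; the retry state has a self-loop, so delivery is
# possible from every state (EF) but not inevitable (AF).
STATES = frozenset({0, 1, 2, 3})
SUCC = {0: {1}, 1: {2, 3}, 2: {0}, 3: {2, 3}}
LABEL = {0: set(), 1: {'sent'}, 2: {'received'}, 3: {'retry'}}
M = (STATES, SUCC, LABEL)

REC = ('atom', 'received')
EF_REC = ('mu', 'Y', ('or', REC, ('ex', ('var', 'Y'))))     # EF received (potentiality)
AF_REC = ('mu', 'Y', ('or', REC, ('ax', ('var', 'Y'))))     # AF received (inevitability)
# AG(sent => AF received) written as  nu Z . (¬sent ∨ AF received) ∧ AX Z
AG_SENT_AF_REC = ('nu', 'Z', ('and', ('or', ('not', ('atom', 'sent')), AF_REC),
                                ('ax', ('var', 'Z'))))

if __name__ == '__main__':
    print('EF received holds at', sorted(sat(M, EF_REC)))
    print('AF received holds at', sorted(sat(M, AF_REC)))
    print('M,0 |= AG(sent => AF received)?', model_check(M, 0, AG_SENT_AF_REC))
    print('PNF of ¬AF received:', pnf(('not', AF_REC)))
```

Running the block shows EF received true at every state and AF received true only at the receiving state, so the property AG(sent ⇒ AF received) fails at the initial state because the retry loop admits a computation along which the message is never received. The PNF of ¬AF received comes out as νY.(¬received ∧ EX Y), the greatest-fixpoint form of EG ¬received, and evaluating it yields the same state set as evaluating the negation directly, as the dualities promise.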