# Lecture 2: CTL Model Checking

- What is model checking?
- State transition systems
- Computation Tree Logics
- The logic CTL
- Typical CTL formulas
- Structure of the SMV model checker
- SMV examples

## Temporal Logic Model Checking

**Specification Language:** A propositional temporal logic.

**Verification Procedure:** Exhaustive search of the state space of the concurrent system to determine the truth of the specification.

- E. M. Clarke and E. A. Emerson. Synthesis of synchronization skeletons for branching time temporal logic. In *Logic of Programs: Workshop, Yorktown Heights, NY, May 1981*, volume 131 of Lecture Notes in Computer Science. Springer-Verlag, 1981.
- J. P. Queille and J. Sifakis. Specification and verification of concurrent systems in CESAR. In *Proceedings of the Fifth International Symposium on Programming*, volume 137 of Lecture Notes in Computer Science. Springer-Verlag, 1981.

## Temporal Logic

[Figure: unwind the state graph to obtain an infinite computation tree]

## Computation Tree Logics

Formulas are constructed from path quantifiers and temporal operators:

1. Path quantifiers:
   - **A**: "for every path"
   - **E**: "there exists a path"
2. Temporal operators:
   - **X** *p*: *p* holds next time.
   - **F** *p*: *p* holds sometime in the future.
   - **G** *p*: *p* holds globally in the future.
   - *p* **U** *q*: *p* holds until *q* holds.

## The Logic CTL

This lecture will deal primarily with CTL. The four most widely used CTL operators are illustrated below ($s_0$ is the root of each computation tree).

[Figure: computation trees illustrating the four CTL operators, rooted at $s_0$]

## Typical CTL Formulas

- **EF**($Started \land \neg Ready$): it is possible to get to a state where *Started* holds but *Ready* does not hold.
- $\mathbf{AG}(Req \Rightarrow \mathbf{AF}\ Ack)$: if a *Request* occurs, then it will eventually be *Acknowledged*.
- **AG**(**AF** *DeviceEnabled*): *DeviceEnabled* holds infinitely often on every computation path.
- $\mathbf{AG}(\mathbf{EF}\ Restart)$: from any state it is possible to get to the *Restart* state.
## Model Checking Problem

Let $M$ be the state-transition graph obtained from the concurrent system. Let $f$ be the specification expressed in temporal logic. Find all states $s$ of $M$ such that

$$M, s \models f$$

and check whether the initial states are among these.

Efficient model checking algorithms exist for CTL:

- E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. *ACM Transactions on Programming Languages and Systems*, 8(2):244–263, 1986.

## Symbolic Model Checking

Method used by most "industrial strength" model checkers:

- uses a boolean encoding for the state machine and for sets of states.
- can handle much larger designs: hundreds of state variables.
- BDDs are traditionally used to represent the boolean functions.

## Model Checker Structure

## Symbolic Model Verifier (SMV)

### A Simple SMV Example

```
MODULE main
VAR
  request : boolean;
  state   : {ready, busy};
ASSIGN
  init(state) := ready;
  next(state) :=
    case
      state = ready & request : busy;
      1                       : {ready, busy};   -- otherwise: nondeterministic
    esac;
SPEC
  AG(request -> AF state = busy)
```

### A Three Bit Counter

```
MODULE main
VAR
  bit0 : counter_cell(1);
  bit1 : counter_cell(bit0.carry_out);
  bit2 : counter_cell(bit1.carry_out);
SPEC
  AG AF bit2.carry_out
SPEC
  AG(!bit2.carry_out)

MODULE counter_cell(carry_in)
VAR
  value : boolean;
ASSIGN
  init(value) := 0;
  next(value) := (value + carry_in) mod 2;
DEFINE
  carry_out := value & carry_in;
```

### Inverter Ring

```
MODULE main
VAR
  gate1 : process inverter(gate3.output);
  gate2 : process inverter(gate1.output);
  gate3 : process inverter(gate2.output);
SPEC
  (AG AF gate1.output) & (AG AF !gate1.output)

MODULE inverter(input)
VAR
  output : boolean;
ASSIGN
  init(output) := 0;
  next(output) := !input;
FAIRNESS
  running   -- each process is scheduled infinitely often
```
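As an added worked example, not part of the lecture and not SMV's own code, the following Python implements the explicit-state labelling algorithm for CTL from the Clarke, Emerson and Sistla paper cited above: only **EX**, **E**[*p* **U** *q*] and **EG** are computed directly (by one-step image, least fixpoint and greatest fixpoint respectively), and the other operators are derived from them. It then solves the model checking problem, "find all states satisfying *f* and check that the initial states are among them", for two Kripke structures built by hand from the SMV modules above: the simple `ready`/`busy` example and the three-bit counter, whose two `SPEC`s give one true and one false result. The class and function names (`Kripke`, `sat`, `check`) and the tuple encoding of formulas are this example's own choices.

```python
from itertools import product

class Kripke:
    """Finite state-transition graph M = (S, S0, R, L) with a total transition relation."""
    def __init__(self, states, init, succ, labels):
        self.states = frozenset(states)
        self.init = frozenset(init)
        self.succ = {s: frozenset(succ[s]) for s in states}
        self.labels = {s: frozenset(labels[s]) for s in states}
        # the EG fixpoint below assumes every state has at least one successor
        assert all(self.succ[s] for s in states), "transition relation must be total"

# CTL formulas as nested tuples; EX, EU, EG form an adequate set, the rest are derived.
TRUE = ("true",)
def ap(p): return ("ap", p)
def Not(f): return ("not", f)
def And(f, g): return ("and", f, g)
def Or(f, g): return Not(And(Not(f), Not(g)))
def Implies(f, g): return Or(Not(f), g)
def EX(f): return ("EX", f)
def EU(f, g): return ("EU", f, g)
def EG(f): return ("EG", f)
def EF(f): return EU(TRUE, f)
def AX(f): return Not(EX(Not(f)))
def AF(f): return Not(EG(Not(f)))
def AG(f): return Not(EF(Not(f)))
def AU(f, g): return And(Not(EU(Not(g), And(Not(f), Not(g)))), Not(EG(Not(g))))

def sat(m, f):
    """Return the set of states of m satisfying f (labelling algorithm)."""
    op = f[0]
    if op == "true":
        return set(m.states)
    if op == "ap":
        return {s for s in m.states if f[1] in m.labels[s]}
    if op == "not":
        return set(m.states) - sat(m, f[1])
    if op == "and":
        return sat(m, f[1]) & sat(m, f[2])
    if op == "EX":
        t = sat(m, f[1])
        return {s for s in m.states if m.succ[s] & t}
    if op == "EU":
        sf, sg = sat(m, f[1]), sat(m, f[2])
        z = set(sg)                       # least fixpoint: grow backwards from sat(g)
        while True:
            new = {s for s in sf - z if m.succ[s] & z}
            if not new:
                return z
            z |= new
    if op == "EG":
        z = sat(m, f[1])                  # greatest fixpoint: keep states with a successor in z
        while True:
            keep = {s for s in z if m.succ[s] & z}
            if keep == z:
                return z
            z = keep
    raise ValueError(f"unknown operator {op}")

def check(m, f):
    """Model checking problem: (all initial states satisfy f?, sorted initial states that do not)."""
    good = sat(m, f)
    return m.init <= good, sorted(m.init - good)

def simple_smv_model():
    """Hand-built graph of the simple SMV example: state in {ready,busy}, request unconstrained."""
    states = list(product(["ready", "busy"], [False, True]))
    def succ(s):
        st, req = s
        nxt = ["busy"] if (st == "ready" and req) else ["ready", "busy"]
        return {(n, r) for n in nxt for r in (False, True)}
    labels = {s: ({"request"} if s[1] else set()) | {s[0]} for s in states}
    init = [("ready", False), ("ready", True)]      # init(state) := ready, request free
    return Kripke(states, init, {s: succ(s) for s in states}, labels)

def counter_model():
    """Hand-built graph of the three-bit counter: bit2.carry_out holds only when all bits are 1."""
    states = range(8)
    succ = {i: {(i + 1) % 8} for i in states}
    labels = {i: ({"bit2.carry_out"} if i == 7 else set()) for i in states}
    return Kripke(states, [0], succ, labels)

SIMPLE_SPEC = AG(Implies(ap("request"), AF(ap("busy"))))   # AG(request -> AF state = busy)
COUNTER_LIVE = AG(AF(ap("bit2.carry_out")))                  # AG AF bit2.carry_out
COUNTER_SAFE = AG(Not(ap("bit2.carry_out")))                 # AG(!bit2.carry_out)

if __name__ == "__main__":
    for name, m, f in [("simple", simple_smv_model(), SIMPLE_SPEC),
                       ("counter liveness", counter_model(), COUNTER_LIVE),
                       ("counter safety", counter_model(), COUNTER_SAFE)]:
        ok, bad = check(m, f)
        print(name, "holds" if ok else f"fails in initial states {bad}")
```

The counter's second `SPEC` fails because **EF** `bit2.carry_out` propagates backwards from state 7 around the whole cycle, so its negation **AG**(!`bit2.carry_out`) is false in the initial state 0; the first `SPEC` holds because **EG** !`bit2.carry_out` shrinks to the empty set, every state eventually reaching 7.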