Simple CTL Model Checking in CBMC

Shreejit Bandyopadhyay & Souvik Ash

May 12, 2014

1 Introduction

Computation tree logic (CTL) is a branching-time logic that describes properties of a computation tree. In CTL, formulas can reason about many executions at once, and the semantics is defined in terms of states. CTL is used in model checkers, which determine whether a given transition system possesses safety and liveness properties. In this project, we implement simple CTL model checking in CBMC.

2 Project Overview

In our project, we take the case of the toy example given in Figure 1 below. We first write two pieces of code: the first checks whether a particular property holds on all paths, and the other checks whether it holds on some path of the given transition system. Since AX checks that a property holds along all paths and EX that it holds along some path, we can invoke the functions for checking AX and EX directly from the already defined functions 'safetya' and 'safetye', as in the code. Since AG checks whether some property p holds on all paths starting from the initial node, we have to use the function 'safetya' while defining AG. Looking at the code, we note that the inner loop has k + 1 iterations, where k is the re-occurrence diameter of the transition system, 3 in this case. The definition of EG is exactly similar, except that we now invoke 'safetye', noting that EG checks whether some property holds on some path starting from the initial node. Again, noting that AF checks whether the property p holds on all paths starting from the initial node for some i, and EF checks whether p holds on some path starting from the initial node for some i, we similarly write their definitions, invoking 'safetya' and 'safetye' respectively. In this case also, the loop runs until the variable k becomes equal to the initialised re-occurrence diameter, which for the toy example is again equal to 3. Formally, we just invoke the following definitions of AX, EX, AG, EG, AF and EF on the toy example and write the code in CBMC.

Figure 1: Toy example in CBMC

Definition. s ⊨ AX g iff π(1) ⊨ g for all paths π with π(0) = s.

Definition. s ⊨ EX g iff there exists a path π with π(0) = s and π(1) ⊨ g.

Definition. s ⊨ AG g iff π(i) ⊨ g for all paths π with π(0) = s and for all i.

Definition. s ⊨ EG g iff there exists a path π with π(0) = s and π(i) ⊨ g for all i.

Definition. s ⊨ AF g iff for all paths π with π(0) = s, π(i) ⊨ g for some i.

Definition. s ⊨ EF g iff there exists a path π with π(0) = s and π(i) ⊨ g for some i.

From these definitions, it is clear that the loops in the code for AG, EG and AF, EF will be similar, except that for AG and EG we additionally have to check the property for all i, whereas for AF and EF it suffices that it holds for some i.

3 Other Checkable Connectives and Improved Bounds for k

In addition to the semantics defined above, we may also be interested in checking nested connectives like AX.EX g. For such cases we have not written the code explicitly, but we give below what needs to be checked. Note that in our code, the assert function takes single states as arguments. However, when checking AX.EX and similar nested terms, we need arguments like AG(s1) && EX(s0) for pairs of states s0 and s1 in the transition system. Again, we use the following semantics for U.

Definition. s ⊨ A[g U h] iff for all paths π with π(0) = s, there exists i such that π(i) ⊨ h and π(j) ⊨ g for all j < i.

Definition. s ⊨ E[g U h] iff there exists a path π with π(0) = s and an i such that π(i) ⊨ h and π(j) ⊨ g for all j < i.

Apart from these, we can also use the following identities while implementing semantics like AX.EX etc.

Figure 2: Reachable diameter is 2, but the longest path between connected states before re-occurrence (the re-occurrence diameter) is K.

Definition. De-Morgan’s identities for temporal connectives:

¬EX φ ≡ AX ¬φ

¬EF φ ≡ AG ¬φ

¬EG φ ≡ AF ¬φ

We also have the following identities:

AF φ ≡ A[⊤ U φ]

EF φ ≡ E[⊤ U φ]

A[φ1 U φ2] ≡ ¬(E[¬φ2 U (¬φ1 ∧ ¬φ2)] ∨ EG ¬φ2)

Using these and other common properties of the temporal connectives, we can easily extend our definitions to check connectives like AG.EX etc. The only thing we still need to keep in mind, as already mentioned, is that in this case the assert function in the code will need arguments like AG(s1) && EX(s0).
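As an added example (not the authors' CBMC code, which this page does not reproduce), the C program below implements the six definitions of Section 2 with a single bounded path enumeration playing the role of 'safetya'/'safetye', and then checks the De Morgan identities above on every state. The transition system, the propositions q/not_q and the value K = 3 are constructed for this example and are not the paper's Figure 1.

```c
#include <stdbool.h>
/* Constructed toy system (not the paper's Figure 1): 4 states, every state has
   a successor, re-occurrence diameter K = 3 (longest loop-free path 3,0,1,2). */
#define NSTATES 4
#define K 3
static const bool succ[NSTATES][NSTATES] = {
    /* 0 */ {false, true,  false, false},
    /* 1 */ {false, false, true,  true },
    /* 2 */ {false, false, true,  false},
    /* 3 */ {true,  false, false, false},
};
typedef bool (*prop)(int s);
static bool q(int s)     { return s == 2; }  /* atomic proposition "in state 2" */
static bool not_q(int s) { return s != 2; }  /* its negation */

/* Counterpart of the paper's safetya/safetye loops: enumerate every path of K
   transitions from s.  all_paths picks the A/E path quantifier, all_i picks
   "g at every position" (G) versus "g at some position" (F).  K+1 states
   suffice because any longer path revisits a state, i.e. already has a loop. */
static bool paths(int s, int depth, prop g, bool all_paths, bool all_i, bool seen)
{
    bool here = g(s);
    if (all_i && !here) return false;            /* this path breaks G */
    seen = seen || here;
    if (depth == K) return all_i ? true : seen;  /* prefix complete */
    for (int t = 0; t < NSTATES; t++) {
        if (!succ[s][t]) continue;
        bool r = paths(t, depth + 1, g, all_paths, all_i, seen);
        if (all_paths && !r) return false;       /* A: one bad path suffices */
        if (!all_paths && r) return true;        /* E: one good path suffices */
    }
    return all_paths;  /* A: every successor passed; E: no successor did */
}

bool AX(int s, prop g) { for (int t = 0; t < NSTATES; t++) if (succ[s][t] && !g(t)) return false; return true; }
bool EX(int s, prop g) { for (int t = 0; t < NSTATES; t++) if (succ[s][t] && g(t)) return true; return false; }
bool AG(int s, prop g) { return paths(s, 0, g, true,  true,  false); }
bool EG(int s, prop g) { return paths(s, 0, g, false, true,  false); }
bool AF(int s, prop g) { return paths(s, 0, g, true,  false, false); }
bool EF(int s, prop g) { return paths(s, 0, g, false, false, false); }

/* The De Morgan identities of Section 3, checked on every state. */
bool demorgan_hold(void)
{
    for (int s = 0; s < NSTATES; s++)
        if (EX(s, q) != !AX(s, not_q) || EF(s, q) != !AG(s, not_q) ||
            EG(s, q) != !AF(s, not_q)) return false;
    return true;
}
```

EF(3, q) only becomes true on the third transition (3, 0, 1, 2), which is why the loop must run to the re-occurrence diameter rather than stopping earlier.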

Note that while writing our code, we have everywhere allowed the loop to run until k became equal to the initialised re-occurrence diameter. We can, however, greatly reduce the number of required iterations by appealing to k-induction, for which the worst-case iteration depth equals the reachable diameter from the initial state. Our goal in that case is to check a particular property by deriving inductive invariants. In general, the reachable diameter is much smaller than the re-occurrence diameter, so the complexity and efficiency of our code improve when using k-induction. For example, in the system of Figure 2 above, the reachable diameter from the initial state is 2 but the re-occurrence diameter is k.


Figure 3: Transition System of Peterson’s Mutual Exclusion Algorithm

4 Conclusion and Implementation in Other Possible Transition Systems

In our code, we have checked the various properties for the toy example in CBMC. For a different transition system, like the one for Peterson's mutual exclusion algorithm depicted in Figure 3 above, the same approach works, except that we have to change the definition of the system itself. Also, some of the semantics may become trivial in some cases, as can easily be seen for the Peterson example. All in all, we have presented the implementation of properties like AX, EX, AG, EG etc. for the toy example in our code, and have described how, and using which properties and modifications, we may check temporal connectives like AX.EX etc. for the same example using CBMC. The only thing left to note is that once the definition of the transition system is changed accordingly, the same functions will check the various properties for any other transition system equally well.
