This section introduces Ordered Binary Decision Diagrams (obdds), and presents how the problem of model checking a CTL formula in a model M can be reduced to the problem of comparing two obdds.
A Boolean variable x is a variable whose value is either 0 or 1. A Boolean function of n Boolean variables is a function f : {0, 1}^n → {0, 1}. Boolean formulae can be seen as Boolean functions. For instance, the Boolean formula x1 ∧ (x2 ∨ x3) can be seen as the Boolean function f(x1, x2, x3) = x1 ∧ (x2 ∨ x3).
A rooted, directed graph G can be associated to every Boolean function f(x1, . . . , xn) by imposing an ordering on the variables x1, . . . , xn, and by reducing the graph (in the sense explained below) [Bryant, 1986]. The graph G is called the Ordered Binary Decision Diagram of f. For instance, the reduced graph associated with the Boolean function f(x1, x2, x3) = x1 ∧ (x2 ∨ x3) is depicted in Figure 2.8 (b); it is obtained by “simplifying” the graph depicted in Figure 2.8 (a). Formally, a graph is reduced by iteratively eliminating the vertices whose two children are the roots of isomorphic subgraphs, and by merging isomorphic subgraphs. A graph is said to be reduced if it contains no isomorphic subgraphs and no vertices v and v′ such that the sub-graphs rooted at v and v′ are isomorphic. Notice that every vertex, except the final leaves, has two children. In the remainder, it is assumed that the left child of a vertex corresponds to the choice of the value 0 (i.e., false) for the variable tested at that vertex, while the right child corresponds to the choice of the value 1 (i.e., true). Thus, the leftmost path of Figure 2.8 (a) corresponds to an assignment of 0 to all variables and, consequently, to the value 0 for the expression f(x1, x2, x3) = x1 ∧ (x2 ∨ x3).
[Figure 2.8: obdd example for f = x1 ∧ (x2 ∨ x3). Panel (a): the graph before reduction; panel (b): the reduced graph.]
It is shown in [Bryant, 1986] that, given a fixed ordering of the Boolean variables x1, . . . , xn, the reduced graph of any Boolean function f : {0, 1}^n → {0, 1} is unique (i.e., obdds are a canonical representation for Boolean functions).
Boolean operators can be applied to Boolean functions; for instance, the disjunction operator ∨ can be applied to two Boolean functions f1 and f2 to obtain a third Boolean function f3 = f1 ∨ f2. Boolean functions can be composed, too: given two Boolean functions f and g, the composition of f and g (the substitution of g for the variable xi in f) is defined by f_{xi=g} = f(x1, . . . , xi−1, g(x1, . . . , xn), xi+1, . . . , xn). These operators are denoted with apply(f, g, <operator>) and compose(f, g, xi), respectively.
The operation of Boolean quantification is particularly important for the purposes of model checking. Formally, given a Boolean function f(x1, . . . , xn), the operation ∃xi.f(x1, . . . , xn) is defined as the application of the disjunction operator to the compositions of f with the two constant functions 0 and 1, i.e., ∃xi.f(x1, . . . , xn) = f_{xi=0}(x1, . . . , xn) ∨ f_{xi=1}(x1, . . . , xn). The definition of Boolean quantification can be extended to quantification over a set of variables x̄ = (x1, . . . , xn) (see [Clarke et al., 1999] for more details). Boolean quantification of a Boolean function f can be implemented directly on the obdd representing f; the complexity of this operation, together with the complexity of other operations on obdds, is presented in Section 2.2.5.
Ordered binary decision diagrams have been particularly successful in Computer Science because they offer, on average, a much more compact representation of Boolean functions with respect to other canonical forms, e.g. conjunctive/disjunctive normal forms. The application of obdd techniques to model checking for CTL has been investigated from the beginning of the 1990s by various authors [Burch et al., 1992, McMillan, 1993]. Intuitively, given a CTL formula ϕ and a CTL model M = (S, R, V), the idea of model checking using obdds is to associate an obdd to the formula ϕ, and an obdd to the set of states S. By comparing the two obdds it is possible to establish whether or not M |= ϕ¹⁷. The details of this technique are presented below.

State   Boolean vector   Boolean formula
s1      (1, 1)           x1 ∧ x2
s2      (1, 0)           x1 ∧ ¬x2
s3      (0, 1)           ¬x1 ∧ x2

Table 2.6: Boolean encoding for the states of S = {s1, s2, s3} (N = ⌈log2(3)⌉ = 2).
Encoding sets of states. The key idea of model checking using obdds is to represent states (and sets of states) as Boolean formulae which, in turn, can be encoded as obdds. Let S be the set of states of a CTL model M = (S, R, V) (notice: it is assumed that the set of states of M is finite), and let N = ⌈log2|S|⌉. Each element s ∈ S is associated with a vector of Boolean variables x̄ = (x1, . . . , xN), i.e., each element s ∈ S is associated with a tuple of {0, 1}^N. Each tuple x̄ = (x1, . . . , xN) is then identified with a Boolean formula, represented by a conjunction of literals, i.e., a conjunction of variables or their negations¹⁸. It is assumed that the value 0 in a tuple corresponds to a negation. An example of Boolean encoding for the set S = {s1, s2, s3} is given in Table 2.6.
Sets of states are encoded by taking the disjunction of the Boolean formulae encoding the single states. For instance, the set of states {s1, s3} from the example in Figure 2.6 is encoded by the Boolean formula f = (x1 ∧ x2) ∨ (¬x1 ∧ x2).
Encoding the transition relation. Given a model M = (S, R, V), and given an encoding of the set of states S using N Boolean variables (x1, . . . , xN), the transition relation R ⊆ S × S may be encoded as a Boolean function. To this end, a new set of “primed” variables (x1′, . . . , xN′) is introduced to encode the relation between two states s, s′ ∈ S. In particular, if sRs′ holds, then s is encoded using the non-primed variables, s′ is encoded using the primed variables, and the transition step sRs′ is expressed as a Boolean formula by taking the conjunction of the encodings for s and s′. The whole relation R ⊆ S × S is encoded as a Boolean formula by taking the disjunction of all the transition steps. As an example, let R = {(s1, s2), (s2, s3), (s3, s1)} be a transition relation for the states of the example in Figure 2.6. This transition relation is encoded by the following Boolean formula fR:
fR(x1, x2, x1′, x2′) = [(x1 ∧ x2) ∧ (x1′ ∧ ¬x2′)] ∨ [(x1 ∧ ¬x2) ∧ (¬x1′ ∧ x2′)] ∨ [(¬x1 ∧ x2) ∧ (x1′ ∧ x2′)].

¹⁷ This technique is traditionally identified with the term symbolic model checking. More precisely, [McMillan, 1993] defines symbolic model checking as a technique that “avoids building a state graph by using Boolean formulas to represent sets and relations”. Some authors [Schnoebelen, 2003] use the term “symbolic model checking” in a more general sense to denote any technique in which the model is not given “explicitly”, but by means of some “compact” representation (Boolean functions being one possible choice). To avoid confusion, this thesis employs the term “symbolic model checking” in the stricter sense, to denote model checking techniques based on Boolean functions.
¹⁸ By slight abuse of notation, the same symbols xi (i ∈ {1, . . . , N}) are used to denote Boolean variables
The labelling algorithm and Boolean formulae. The algorithm presented in Figure 2.4 returns the set of states satisfying a formula ϕ in a given model M = (S, R, V). The algorithm operates recursively on the structure of ϕ and builds the set of states [[ϕ]] using the following operations on sets: union, intersection, complementation, existential quantification. When sets of states are encoded using Boolean formulae, all these operations on sets may be translated into operations on Boolean formulae:
• the union of two sets corresponds to the disjunction of the Boolean formulae encoding the two sets;
• the intersection of two sets corresponds to the conjunction of the Boolean formulae encoding the two sets;
• the complementation of a set P with respect to a given set Q (i.e., Q \ P) is the conjunction of the Boolean formula encoding Q with the negation of the Boolean formula encoding P;
• the existential quantification of an element x in a set P is the (quantified) Boolean formula ∃v̄x.fP, where v̄x are the Boolean variables required to encode x, and fP is the Boolean formula encoding P.
In the basic case (i.e., when ϕ is an atomic proposition) the algorithm returns a set of states: by encoding this set of states as a Boolean formula, the algorithm of Figure 2.4 can operate entirely on the Boolean representation of a model M = (S, R, V) to return a Boolean formula encoding the set of states [[ϕ]].
The labelling algorithm and model checking using obdds. All the Boolean formulae mentioned in the previous paragraph can be represented using obdds. Thus, the algorithm of Figure 2.4 provides a methodology to build the obdd corresponding to the set of states [[ϕ]] in which a formula ϕ holds for a given model M. The problem of model checking is reduced in this way to the problem of comparing the obdds for [[ϕ]] and for M. As obdds offer a canonical representation for Boolean formulae, this last step is limited to the verification that the two obdds are equal. The proof of the correctness of this approach can be found in [Clarke et al., 1999, Huth and Ryan, 2004].
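The following Python program puts together the steps described in this section: the reduction that makes obdds canonical, the apply, compose and Boolean quantification operations, the Boolean encoding of the states of Table 2.6 and of the relation fR, and the quantification step of the labelling algorithm, with the final comparison of two obdds carried out as the comparison of two node identifiers. It is an added example, not code from the thesis or from any model checker it cites; the class BDD, the functions encode_state, encode_set, encode_relation, ex_image and demo, and the variable order x1, x2, x1′, x2′ (indices 0 to 3) are this example's own assumptions.

```python
# Added example (not the thesis's code): reduced OBDDs + the encoding of Table 2.6 / f_R.
class BDD:
    """Reduced OBDD. Variable order = index order; ids 0/1 are the terminals, any
    other id maps to (var, low, high): low = child for 0 (false), high = for 1."""
    def __init__(self, nvars):
        self.n = nvars
        self.unique = {}           # (var, low, high) -> id: merges isomorphic subgraphs
        self.table = [None, None]  # id -> (var, low, high)

    def mk(self, var, low, high):
        if low == high:            # both children isomorphic: the test is redundant
            return low
        key = (var, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.table)
            self.table.append(key)
        return self.unique[key]    # equal structure -> equal id (canonical form)

    def var(self, i):
        return self.mk(i, 0, 1)

    def level(self, u):            # terminals sit below every variable
        return self.n if u < 2 else self.table[u][0]

    def apply(self, op, u, v, memo=None):
        # Bryant's apply(f, g, <operator>): combine two OBDDs top-down, node by node.
        memo = {} if memo is None else memo
        if u < 2 and v < 2:
            return int(op(u, v))
        if (u, v) not in memo:
            i = min(self.level(u), self.level(v))
            ul, uh = self.table[u][1:] if self.level(u) == i else (u, u)
            vl, vh = self.table[v][1:] if self.level(v) == i else (v, v)
            memo[(u, v)] = self.mk(i, self.apply(op, ul, vl, memo),
                                   self.apply(op, uh, vh, memo))
        return memo[(u, v)]

    def AND(self, u, v): return self.apply(lambda a, b: a and b, u, v)
    def OR(self, u, v): return self.apply(lambda a, b: a or b, u, v)
    def NOT(self, u): return self.apply(lambda a, b: 1 - a, u, 0)

    def restrict(self, u, i, val):
        # f_{x_i = val}: f with x_i fixed to the constant val.
        if u < 2 or self.table[u][0] > i:
            return u
        var, lo, hi = self.table[u]
        if var == i:
            return hi if val else lo
        return self.mk(var, self.restrict(lo, i, val), self.restrict(hi, i, val))

    def compose(self, f, g, i):
        # compose(f, g, x_i) = f_{x_i = g} = (not g and f_{x_i=0}) or (g and f_{x_i=1}).
        return self.OR(self.AND(self.NOT(g), self.restrict(f, i, 0)),
                       self.AND(g, self.restrict(f, i, 1)))

    def exists(self, f, variables):
        # Boolean quantification: exists x_i.f = f_{x_i=0} or f_{x_i=1}, per variable.
        for i in variables:
            f = self.OR(self.restrict(f, i, 0), self.restrict(f, i, 1))
        return f

# Assumed variable order: x1, x2 are indices 0, 1; the primed x1', x2' are 2, 3.
STATES = {"s1": (1, 1), "s2": (1, 0), "s3": (0, 1)}   # Table 2.6
R = [("s1", "s2"), ("s2", "s3"), ("s3", "s1")]         # the relation of the text

def encode_state(bdd, bits, offset=0):
    # Conjunction of literals; a 0 in the tuple becomes a negated literal.
    f = 1
    for i, b in enumerate(bits):
        x = bdd.var(offset + i)
        f = bdd.AND(f, x if b else bdd.NOT(x))
    return f

def encode_set(bdd, names):
    # A set of states: disjunction of the encodings of the single states.
    f = 0
    for s in names:
        f = bdd.OR(f, encode_state(bdd, STATES[s]))
    return f

def encode_relation(bdd):
    # f_R: disjunction over (s, s') in R of enc(s) on x and enc(s') on the primed x'.
    f = 0
    for s, t in R:
        f = bdd.OR(f, bdd.AND(encode_state(bdd, STATES[s]),
                              encode_state(bdd, STATES[t], offset=2)))
    return f

def ex_image(bdd, fR, fP):
    # [[EX P]] = exists x'. (f_R and P[x := x']); compose moves P onto the primed x'.
    fP_primed = bdd.compose(bdd.compose(fP, bdd.var(2), 0), bdd.var(3), 1)
    return bdd.exists(bdd.AND(fR, fP_primed), [2, 3])

def demo():
    # Canonicity (Figure 2.8): two formulae for one function give one node. Model
    # checking is then obdd comparison: [[EX {s3}]] == {s2}, [[EX {s1,s3}]] == {s2,s3}.
    b = BDD(4)
    a1, a2, a3 = b.var(0), b.var(1), b.var(2)
    same = b.AND(a1, b.OR(a2, a3)) == b.OR(b.AND(a1, a2), b.AND(a1, a3))
    fR = encode_relation(b)
    ex_s3 = ex_image(b, fR, encode_set(b, ["s3"])) == encode_set(b, ["s2"])
    ex_s1s3 = ex_image(b, fR, encode_set(b, ["s1", "s3"])) == encode_set(b, ["s2", "s3"])
    return same, ex_s3, ex_s1s3
```

demo() returns (True, True, True): the two formulae of Figure 2.8 collapse to a single vertex, and the set [[EX P]] computed by quantifying the primed variables out of fR ∧ P[x := x′] is the very same vertex as the encoding of the expected set, so the check "M |= ϕ" reduces to an equality test on identifiers, as the text states. The unique table is what enforces the reduction: a vertex with two equal children is never created, and two structurally equal vertices are always the same object.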
Notes
• The process of translating the problem of model checking into the comparison of two obdds may seem to increase the complexity of model checking. However, as will become clear in Section 2.2.3, the models are not built explicitly in model checking tools; instead, the obdds representing the various parameters of the models are obtained incrementally from a dedicated programming language, thereby permitting the verification of models whose size would otherwise be intractable.
• The problem of verifying that a formula ϕ holds in a given model M is defined by some authors with the term global model checking, as opposed to the problem of local model checking, which is the problem of establishing whether or not a formula is true at a given state in a given model. The algorithm presented in Figure 2.4 can be employed for local model checking as well: indeed, it is sufficient to check that the state in which a formula ϕ has to be verified is included in the set [[ϕ]].
• As mentioned in Section 2.1.4, in certain cases a CTL model includes a set of initial states: M = (S, R, V, I). The evolution of the system is described by the transition function R, and it may happen that not all states of S are reachable. In this case, formulae need to be evaluated in the set of reachable states only, and complementation must be limited to the set of reachable states. Reachable states can be encoded as an obdd (Section 3.3 explores this issue in more detail).