CTL Model Checking

Fixed-point Theory

Complete Lattice

Complete lattice is a partially-ordered set which has join ($\cup$) and meet ($\cap$) operators. The former generates the least lower bound and the latter the greatest upper bound. The state space of a Kripke model forms a complete lattice under containment, i.e. $(2^S, \subseteq)$ is a complete lattice.

Monotonic Function

$F$ is monotonic if $\forall a < b$, $F(a) < F(b)$.

Tarski's Theorem

A monotonic function over a complete lattice has the least and the greatest fixed point.

Kleene's Theorem

The mentioned fixed points can be calculated this way. Assume $F$ is a monotonic function and $\cup$-continuous (increments), the least fixed point must be reached (this chain converges): $$\emptyset \subseteq F(\emptyset) \subseteq F(F(\emptyset)) \subseteq \ldots$$

Instead, if $F$ is $\cap$-continuous (decrements), the greatest fixed point is obtained by, $$S \supseteq F(S) \supseteq F(F(S)) \supseteq \ldots$$

Formula Rewriting

All CTL formulae can be rewritten in terms of $\neg, \wedge, \mathbf{EX}, \mathbf{EU}, \mathbf{EG}$ only.

• $\mathbf{AG}\phi = \neg \mathbf{EF} \neg \phi$
• $\mathbf{EF}\phi = \mathbf{E}(\top \mathbf{U} \phi)$
• $\mathbf{A}(\phi_1 \mathbf{U} \phi_2 ) = \neg \mathbf{E}(\neg \phi_2 \mathbf{U} (\neg \phi_1 \wedge \neg \phi_2 )) \wedge \neg \mathbf{EG}\neg \phi_2$
• $\mathbf{AX} \phi = \neg \mathbf{EX} \neg \phi$

Although irrelevant at this context, but it is worthy to note that $\mathbf{EG}\phi = \mathbf{E}(\bot \mathbf{R} \phi)$, this is to say $\phi$ is never released (has to be true forever).

Tableaux Rules

• $\mathbf{EF}\phi = \phi \vee \mathbf{EXEF}\phi$
• $\mathbf{EG}\phi = \phi \wedge \mathbf{EXEG}\phi$
• $\mathbf{E}(\phi \mathbf{U} \psi) = \psi \vee (\phi \wedge \mathbf{EXE}(\phi \mathbf{U} \psi))$

Pre-Image

In CTL model checking, the calculating unit is a set of states that satisfy some formula $\phi$, noted as denotation $[\phi]$. Pre-Image maps the image (in the range) back to the domain (its pre-image). It is thus defined, $$\mathsf{PreImage}([\phi]) = \{s | \exists (s, s') \in R \wedge s' \in [\phi]\}$$

$\mathsf{PreImage}$ is a monotonic function over the complete lattice $(2^S, \subseteq)$, thus Kleene's theorem applies. Pre-Image matches the idea of $\mathbf{EX}$, i.e. $[\mathbf{EX}\phi]$ is the pre-image of $[\phi]$.

Fixed points for CTL Model Checking

According to tableaux rules, $\mathbf{EG}$, $\mathbf{EF}$, $\mathbf{EU}$s are written in the form of fixed points ($\nu$: greatest, $\mu$: least.).

• $[\mathbf{EG}\phi] = \nu Z. ([\phi] \cap [\mathbf{EX}Z])$
• $[\mathbf{EF}\phi] = \mu Z. ([\phi] \cup [\mathbf{EX}Z])$
• $[\mathbf{E}(\phi \mathbf{U} \psi)] = \mu Z. ([\psi] \cup ([\phi] \cap [\mathbf{EX}Z]))$

So given a CTL formula $\phi$, after rewriting, we apply the set operations for negations (complement the set) and disjunctions (union), and fixed points for temporal formulas. We say $M \models \phi$ iff $I \subseteq [\phi]$.