First-Order-CTL Model Checking

This work presents a first-order model checking procedure that verifies systems with potentially infinite data spaces with respect to first-order CTL specification. The procedure relies on a partition of the system variables into control and data. While control values are expanded into BDD-representations, data values enter in form of their properties relevant to the verification task. The algorithm is completely automatic. If the algorithm terminates, it has generated a first-order verification condition on the data space which characterizes the system’s correctness. Termination can be guaranteed for a class that properly includes the data independent systems, defined in [6]. The procedure works like a symbolic model checker on the control part. The data part is handled by annotating each control-expanded state of the system by a first-order formula. These formulas characterize, for each state, the set of data valuations that altogether make the specification true for the system. A novel part of our work is that the first-order annotations are represented as BDDs and are manipulated symbolically. Since the formulas are represented by BDDs, we get ”for free” propositional simplifications. Moreover, the canonical representation provided by BDDs makes it easier to detect termination of our model checking procedure. Finally, the encoding of predicates as boolean variables enables sharing of subformulas among the formulas produced by the model checking procedure. This work improves [2], where we extended explicit model checking algorithms. In contrast, this paper shows how to cast first-order model checking into BDD-based representations. Thus, for complex control aspects of the design the full power of symbolic model checking is provided, while at the same time temporal reasoning is supported by the generation of a verification condition in cases where the data complexity is too high for ordinary procedures.