A NuSMV Extension for Graded-CTL Model Checking

Graded-CTL is an extension of CTL with graded quantifiers which allow to reason about either at least or all but any number of possible futures. In this paper we show an extension of the NuSMV model-checker implementing symbolic algorithms for graded-CTL model checking. The implementation is based on the CUDD library, for BDDs and ADDs manipulation, and includes also an efficient algorithm for multiple counterexamples generation. 1 Description and Architecture In this paper we introduce a new model-checker which is an extension of NuSMV [CCG02], an efficient and easy to extend re-implementation and integration of the SMV model-checker [McM93, CMCH96]. Our tool implements symbolic algorithms for graded-CTL model checking. Graded-CTL [FNP08, FNP09a] is an extension of CTL with graded quantifiers that allow to reason about either at least or all but any number of possible futures. For example, the formula E>kF(critic1 ∧ critic2) expresses that there are more than k possibilities (i.e. k different paths in the Kripke structure modeling the system) to violate the mutual exclusion property. Formulas of these types cannot be expressed in CTL and not even in μ-calculus (though they can be easily reduced, in exponential time, to equivalent graded μ-calculus formulas, [KSV02]). Graded-CTL formulas can be used to determine whether there are more than a given number of bad behaviors of a system: this, in the model-checking framework, means that one can verify the existence of a user-defined number of counterexamples for a given specification and can generate them, in a unique run of the model-checker. Symbolic Model Checking [BCM90] applied to CTL is known to behave efficiently, especially in hardware verification, and has been widely studied and implemented in a lot of well known model-checkers. In [FNP09b] symbolic algorithms to solve the graded-CTL model checking problem are shown. GradedCTL NuSMV includes a smart implementation of these algorithms based on 1 For better readability, we call this extension Graded-CTL NuSMV. T. Touili, B. Cook, and P. Jackson (Eds.): CAV 2010, LNCS 6174, pp. 670–673, 2010. c © Springer-Verlag Berlin Heidelberg 2010 A NuSMV Extension for Graded-CTL Model Checking 671 Fig. 1. The architecture of Graded-CTL NuSMV. Light-gray and dark-gray modules are NuSMV modules with some minor and major modifications, respectively. Modules with bold borders are new modules added to support graded-CTL model checking. the CUDD library [Som05], which is used for an efficient manipulation of sets and multi-sets via Binary Decision Diagrams (BDDs) and Algebraic Decision Diagrams (ADDs). NuSMV is a versatile tool, implementing BDD-based and SAT-based model checking, and processing files written in an extension of the SMV language. With this language it is possible to describe finite-state machines (declaration and instantiation of modules and processes are used to describe synchronous and asynchronous composition) and to express specifications in CTL and LTL. NuSMV works either in batch or in interactive mode, with a textual interactive shell. Our tool preserves the structure and the modularity of NuSMV: each module implements a set of functionalities and communicates with the others via a precisely defined interface. Fig. 1 shows the architecture of Graded-CTL NuSMV pointing out the modified and the completely new modules. The Interactive Shell, the Parser and the Compiler modules are responsible for processing command lines and input files (including syntactic correctness check) and also for building the resulting parse tree and the BDD representation. They have been integrated with the functions and the commands to handle and represent graded-CTL formulas, as well. TheKernel module provides the low level functionalities to handle data structures (BDDs, etc.) and memory allocation. It has been modified with a re-implementation and an extension of the cache to store the grading values. The Model Checking module is the core of the NuSMV tool: it provides all the functionalities to solve the verification problem. We chose to preserve the structure of NuSMV, and thus we only modified the functions responsible for the invocation of the low level model checking routines, and implemented the graded-CTL model checking algorithms in a new module calledGraded-CTL Model Checking. The implementation of these algorithms required also modifications to the basic operators of the CUDD package. In particular, an implementation of theAddAndAbstract operation onADDs and a bounded leaf-value implementation of the other 672 A. Ferrante et al. operations on ADDs have been included in the package. The latter has led to a considerable improvement in terms of speed and space. A remarkable feature of the symbolic algorithms we implemented is that they have been explicitly designed to efficiently derive multiple counterexamples for a given path formula, see [FNP09b] for other deeper arguments. In our implementation, we fully exploit this characteristic by using the partial results of the verification phase to derive the needed counterexamples. To do that, the Graded-CTL Model Checking module works interacting with the other new module, Graded-CTL Explain, responsible for the generation of the counterexamples (see Sect. 2). Although no absolute criteria are available to evaluate our tool (since, at the best of our knowledge, no tools for similar computations are currently available), the experimental results are very promising. Indeed, our experiments evidenced that no substantial overhead, both in the time and in the number of BDDs, is required to process graded-CTL formulas, with respect to the classical CTL ones, even by increasing the values of the grading constants in the formulas. We are also collaborating with the NuSMV development team to include our extension in the official release. The list of our experiments and the package for graded-CTL can be found at http://gradedctl.dia.unisa.it.