Language-Emptiness Checking of Alternating Tree Automata Using Symbolic Reachability Analysis  by Qian, Kairong & Nymeyer, Albert
Language-Emptiness Checking of Alternating
Tree Automata Using Symbolic Reachability
Analysis
Kairong Qian Albert Nymeyer
School of Computer Science & Engineering
University of New South Wales
Sydney, Austrlia
Abstract
Alternating tree automata andAND/OR graphs provide elegant formalisms that enable branching-
time logics to be veriﬁed in linear time. The seminal work of Kupferman et al. [7] showed that 1)
branching-time model checking is reducible to the language non-emptiness checking of the product
of two alternating automata representing the model and property under veriﬁcation, and 2) the
non-emptiness problem can be solved by performing a search on an AND/OR graph representing
this product. Their algorithm, however, can only be implemented in an explicit-state model checker
because it needs stacks to detect accept and reject runs. In this paper, we propose a BDD-based
approach to check the language non-emptiness of the product automaton. We use a technique called
“state recording” from Schuppan and Biere [17] to emulate the stack mechanism from explicit-state
model checking. This technique allows us to transform the product automaton into a well-deﬁned
AND/OR graph. We develop a BDD-based reachability algorithm to eﬃciently determine whether
a solution graph for the AND/OR graph exists and thereby solve the model-checking problem.
While “state recording” increases the size of the state space, the advantage of our approach lies in
the memory saving BDDs can oﬀer and the potential it opens up for optimisation of the reachability
analysis. We remark that this technique always detects the shortest counter-example.
Keywords: alternating tree automata, language emptiness checking, model checking, AND/OR
graph, reachability analysis
1 Email: kairongq@cse.unsw.edu.au
2 Email: anymeyer@cse.unsw.edu.au
Electronic Notes in Theoretical Computer Science 149 (2006) 33–49
1571-0661 ©  2 006  Else vier B.V. 
www.elsevier.com/locate/entcs
doi:10.1016/j.entcs.2005.07.025
Open access under CC BY-NC-ND license.
1 Introduction
Model checking is an automatic veriﬁcation technique that exhaustively enu-
merates all states of a model of a system [2,3,19]. This method allows a user to
detect property violations in a fully automated manner, and verify the system
as a whole. Among the various model checking frameworks, symbolic model
checking [9] and the automata-theoretic [19] approaches are prominent success
stories and many tools have been built based on these approaches [1,6].
Vardi and Wolper [19] used an automata-theoretic approach on linear-
time temporal logic (LTL). Coupled with a memory-eﬃcient algorithm, the
approach was implemented in the popular tool SPIN [6]. Much more recently,
Kupferman et al [7] presented a comprehensive automata-theoretic approach
for a branching-time temporal logic. Also in that paper, memory-eﬃcient
model-checking algorithms were presented for a number of branching-time
temporal logics, including computation tree logic (CTL). From an implementa-
tion point of view, automata-theoretic algorithms can be readily incorporated
into explicit-state model checkers, where each state of the automata is repre-
sented explicitly using a block of memory bits. In symbolic model checking, a
sets of states can be represented by a symbolic data structure such as a BDD.
State-space search using BDDs usually computes all successors, called image,
of a given set of states and therefore individual path information cannot be
distinguished. Hence, the algorithm proposed in [7] cannot be implemented
directly using BDDs. Our work in this paper is to devise a method that uses
BDDs to verify branching-time logics in an automata-theoretic framework.
While branching-time model checking can be solved eﬃciently by using
the ﬁxed-point characterisation of temporal logic formulae, many state-space
search optimisation techniques are only applicable to reachability analysis
[5,15,14]. There also has been much work in recent years integrating AI tech-
niques and model checking. Much of this work has involved heuristic search
algorithms that have been used to reduce the size of the state space of the
model [20,4,13]. These techniques are most eﬀective for a reachability analysis
where only a single ﬁxed-point is calculated. For general LTL or CTL model
checking, it is still not clear how these techniques can be applied. In recent
work, Schuppan and Biere [17] proposed a technique called ‘state-recording’
that transforms LTL model checking into a reachability analysis. In so doing,
liveness properties are translated into safety properties. The satisﬁability of
the liveness properties in the original model and the safety properties in the
transformed model are equivalent. One of our goals is to generalise this tech-
nique and provide a framework to transform branching-time model checking
into a reachability analysis.
In the next section we deﬁne alternating tree automata. In Section 4
K. Qian, A. Nymeyer / Electronic Notes in Theoretical Computer Science 149 (2006) 33–4934
we describe the automata-theoretic approach, and in particular the concept
of ‘state recording’. The AND/OR search graph formalism we use is brieﬂy
presented in Section 3, together with a ﬁxed-point computation of the solution
graphs of the search graph. Our BDD-based automata-theoretic approach is
explained in Section 5. The implementation is still very much preliminary,
but initial results are shown in Section 6. Finally, in Section 7 we present our
conclusions. The key contributions of our work are:
• Reduce a branching-time model-checking problem to a reachability analysis
by using alternating tree automata and state recording.
• Devise a BDD-based AND/OR-graph search algorithm.
• Generalise the work of Schuppan and Biere [17] by dealing with any type
of property.
• Modify the approach of Kupferman et. al. [7] to work in a symbolic setting.
2 Alternating Tree Automata
The motivation for using an alternating tree automaton (ATA) is that it can be
constructed in linear-time for a branching-time logic. Here we brieﬂy describe
the formal concepts. For a more comprehensive view the readers should refer
to [18,7].
A digraph T = (VT , ET ) is a tree if every node x ∈ VT has exactly one
incoming edge except for the root x0, which has no incoming edges. We denote
(x, y) ∈ ET a directed edge from x to y and call y a successor of x. The degree
of a node x ∈ VT is deﬁned to be the number of successors of x, denoted d(x).
A leaf is a node without successors. A path π of a tree T is a set of nodes
π ⊆ VT such that the root x0 ∈ π and for very node x ∈ π, x is either a leaf
or there exists a unique node y where (x, y) ∈ ET . Note that we allow inﬁnite
trees and inﬁnite paths. Let Σ be an alphabet and W : VT → Σ be a labelling
function that maps each node of a tree to a letter in Σ. The pair (T,W ) is
called a Σ-labelled tree. Given a Kripke structure K = (S,R, s0) where S is
a set of states, R : S → S is a transition relation and s0 ∈ S is an initial
state, one can unwind K from s0 and obtain a possibly inﬁnite (Σ-labelled)
tree where all the labels come from S. This tree is called the computation tree
of K.
Let A = (Σ, Q, δ, Q0, F ) be an automaton where Σ is an alphabet, Q is a
ﬁnite set of states, δ is a transition relation, Q0 ⊆ Q is an initial state and F
the acceptance conditions. In a word automaton, given a state q and input
letter σ, the transition relation δ(q, σ) : Q×Σ → Q maps the pair (q, σ) to a set
{q0, q1, . . . , qk} ⊆ Q. The automaton is deterministic if the set is a singleton,
K. Qian, A. Nymeyer / Electronic Notes in Theoretical Computer Science 149 (2006) 33–49 35
and non-deterministic otherwise (assuming the transition is total). A run of a
word automaton corresponds to an inﬁnite sequence of states ρ = q0q1q2 . . . . . .
such that q0 ∈ Q0 and ∃σ(qi+1 ∈ δ(qi, σ)).
In a tree automaton, the transition δ maps each state and input letter
to a set {B0, B1, . . . , Bk} where Bi ∈ P(Q). For example, the transition
δ(q, σ) = {{q0, q1, q2}, {q3, q4}} causes a given state q of the automaton to
change, simultaneously and non-deterministically, to one of the two sets.
Hence, unlike word automata, a run of a tree automaton will generate an
(inﬁnite) computation tree. In general, the nodes of the tree have varying
branching degrees. If all degrees of any node is contained in a set D ⊂ N,
then we call the tree a D-tree. Note, if D is a singleton, and the element of
the singleton is 1, then the tree automaton is simply a word automaton.
2.0.1 An alternating tree automaton
generalises a non-deterministic tree automaton deﬁned above by allowing
both universal and existential choices for automata state transitions [10,18].
Consider again a non-deterministic tree automaton with transition δ(q, σ) =
{{q0, q1, q2}, {q3, q4}}. If we express the right-hand side as a Boolean for-
mula, e.g., δ(q, σ) = q0 ∧ q1 ∧ q2 ∨ q3 ∧ q4, we can express both 1) transi-
tions within one group and 2) non-deterministic choice between groups, si-
multaneously. In fact, this Boolean formula is the characteristic function
of the two sets. To accommodate the branching degrees of a tree, we add
an extra argument to the transition δ, and rewrite the above transition as
δ(q, σ, 2) = (0, q0) ∧ (1, q1) ∧ (2, q2) ∨ (0, q3) ∧ (1, q4).
Automata-theoretic model checking allows a range of acceptance condi-
tions to be used to express diﬀerent properties [19]. In this paper, we restrict
our discussion to a Bu¨chi acceptance condition. If we have an inﬁnite word
automaton (Σ, Q, δ, Q0, F ), then F ⊆ Q. If we have some inﬁnite run ρ, then,
because Q is ﬁnite, some Qρ ⊆ Q must appear inﬁnitely often in ρ. A run ρ
is a (Bu¨chi) accept run iﬀ Qρ ∩ F 	= ∅. Because a run in an ATA is actually
a (computation) tree, the acceptance condition is deﬁned over a path in the
run. Paths in an ATA correspond to runs in word automata. If all paths are
accept paths, the run of the automaton is an accept run.
3 Symbolic AND/OR graphs
AND/OR graphs are commonly used in AI to model problem reduction schemes
[11]. To solve a non-trivial problem, one decomposes the problem to a number
of (smaller) subproblems. Successfully solving the subproblems will produce a
ﬁnal solution to the original problem according to the decomposing conditions.
K. Qian, A. Nymeyer / Electronic Notes in Theoretical Computer Science 149 (2006) 33–4936
p l a y  t e n n i s 
g o o d  w e a t h e r h a v e  a  c o u r t 
p r i v a t e  c o u r t 
b o o k i n g d e p o s i t   p a i d 
p u b l i c   c o u r t 
Fig. 1. An AND/OR graph representing the problem of playing tennis
A simple example of such problem reduction is shown in Figure 1.
To play tennis we must have two conjunctive conditions (1) good weather
and (2) court available. The problem “good weather” is considered to be
an atomic subproblem here so we can treat it as a proposition. The other
condition to play tennis is to have a court available and in this case we may
have to choose between a public court and a private court. Again, a public
court is atomic. A private court can be decomposed into making a booking
and paying the deposit. This is essentially similar to the process of natural
deduction. Thus, we can say in order to solve “play tennis”, we need to solve
the problems “good weather” and “have a court” and so on. Eventually we
reach the terminal nodes that have the value true or false.
Formally, an AND/OR graph is a digraph G = (V,E) deﬁned as follows:
• A designated node n0 ∈ V is called the root.
• There exists a function ζ that maps each node in V to a unique label in
{∧,∨,,⊥}
• Nodes with ζ(n) =  or ζ(n) = ⊥ are called terminal nodes and have no
outgoing edges to other nodes except themselves.
Given an AND/OR graph G = (V,E), a solution graph Gs = (Vs, Es) is a
digraph where:
• Vs ⊆ V , Es ⊆ E and n0 ∈ Vs
• For each node n ∈ Vs, if ζ(n) = ∨, then only one successor of n is in Vs.
• For each node n ∈ Vs, if ζ(n) = ∧, then all successors of n are in Vs.
• All ﬁnite paths must end with a -node and all inﬁnite path must have an
inﬁnite number of -nodes as suﬃx.
The height H(Gs) of a solution graph Gs is the number of states of the
longest preﬁx before the -node. In Figure 1 the AND/OR graph has two
solution graphs, with heights 2 and 3 respectively, indicated by the dotted
K. Qian, A. Nymeyer / Electronic Notes in Theoretical Computer Science 149 (2006) 33–49 37
and dot-dashed polygons, and they correspond to the two possible solutions
of the problem represented by the root node. The existence of the solution
graph ideally captures the satisﬁability of the property in the model. AND/OR
graphs can be coupled with heuristic search algorithms to produce an eﬃcient
mechanism to solve the model checking problem [16].
3.1 A symbolic algorithm to detect solution graphs
Algorithms for searching for a solution graph in an AND/OR graph has been
studied at great length in AI [11,8]. In general, these algorithms can be
categorised as either top-down or bottom-up. Top-down algorithms construct
the partial solution graph from the root and use bottom-up propagation to
conﬁrm the existence of the solution graph. Bottom-up algorithms construct
the solution graph from the terminal nodes and the existence of the solution
graph can be determined by checking the reachability of the root. Both these
approaches are of course based on explicit-state representations. One of our
goals is however to determine a solution graph of an AND/OR graph that is
represented with BDDs. When the transition relation is represented by BDDs,
it is convenient to compute the predecessor of a given node by computing its
pre-image. Thus, our approach is in fact bottom-up, i.e. it constructs the
graph and checks the reachability of the root in a single run.
Let G = (S, s0, R, L) be a Kripke structure that induces an AND/OR graph.
Here S is set of states, s0 is the root, R ⊆ S × S is a transition relation and
L ⊆ S × {∧,∨,,⊥} is a labelling function. We require L to be total, so
all states in S are labelled. We denote the set of states with label ∧ by S∧.
Similarly for ∨,  and ⊥. To compute the AND/OR graph symbolically, we
need to compute the set of states Ssol ⊆ S for all possible solution graphs
of G, and then check whether s0 ∈ Ssol. The set Ssol is characterised by a
ﬁxed-point formula Ssol = µZ.(S ∪ (EX(Z) ∩ S∨) ∪ (AX(Z) ∩ S∧)).
Theorem 3.1 Ssol contains all states from all solution graphs induced by G.
Proof. The proof follows from the semantics of a ﬁxed-point and the def-
inition of a solution graph. The right-hand side of the ﬁxed-point formula
computes all states of any possible solution graph from the bottom up. It
is easy to see the function of the ﬁxed-point is monotonic. The computa-
tion starts with the set of states S that are true terminals. The component
(EX(Z) ∩ S∨) adds all ∨-nodes into Ssol and (AX(Z) ∩ S∧) adds all ∧-nodes
into Ssol. The convergence of the ﬁxed-point guarantees all nodes of all pos-
sible solution graphs are computed. 
One feature of our work is that the model-checking problem is transformed
K. Qian, A. Nymeyer / Electronic Notes in Theoretical Computer Science 149 (2006) 33–4938
to a reachability problem. Our approach also generalises the work in [17] and
can deal with any type of property. Since the above formula characterises a
single ﬁxed-point, the checking of the existence of the solution can be per-
formed on-the-ﬂy: i.e. in every iteration of the calculation we check whether
s0 ∈ Z twice after (EX(Z) ∩ S∨) and (AX(Z) ∩ S∧). Of course, checking
on-the-ﬂy means that we can avoid searching the entire state space before we
detect the minimum-height solution graph. In practice, if this optimal graph is
a trace, it usually correspond to the shortest counter-example, which is highly
desirable for diagnosis purposes of course.
4 Transforming Automata-Theoretic Model Checking
to a Reachability Analysis
In this work, we use the automata-theoretic framework to verify CTL formu-
lae. 3 The model-checking problem involves determining whether M, s0 |= ϕ,
where M = (S,R, s0) is a Kripke structure and ϕ a CTL property. In the
automata-theoretic framework proposed in [7], this problem is reduced to a
language-emptiness checking problem. We also use this approach, but need to
transform the language-emptiness checking to an AND/OR graph reachability
analysis.
Let K = (S,R, s0, L, AP ) be a labelled Kripke structure where S is a set
of states, R ⊆ S × S is a transition relation, s0 ∈ S is an initial state (in
general a structure may have a set of initial states) and L ⊆ S × AP is a
labelling function. Let (TK ,WK) be the computation tree of K, where WK
labels each node of the tree with a letter from 2AP . Let ϕ be a CTL formula
in positive normal form so that negations are pushed inside and placed before
atomic propositions by De Morgan’s laws. For convenience, we use semantic
equivalences during the normalisation of the formulae to reduce the number
of operators. Given a formula ϕ, the closure of φ, written cl(ϕ), comprises of
formulae that can be deﬁned inductively as follows:
• ϕ ∈ cl(ϕ), true ∈ cl(ϕ) and false ∈ cl(ϕ).
• if ϕ1 ∧ ϕ2 ∈ cl(ϕ) or ϕ1 ∨ ϕ2 ∈ cl(ϕ), then ϕ1 ∈ cl(ϕ) and ϕ2 ∈ cl(ϕ).
• if AXϕ ∈ cl(ϕ) or EXϕ ∈ cl(ϕ), then ϕ ∈ cl(ϕ).
• if A(ϕ1Uϕ2) ∈ cl(ϕ), then ϕ1, ϕ2, ϕ1 ∧AX(A(ϕ1Uϕ2)) ∈ cl(ϕ).
• if E(ϕ1Uϕ2) ∈ cl(ϕ), then ϕ1, ϕ2, ϕ1 ∧ EX(A(ϕ1Uϕ2)) ∈ cl(ϕ).
• if A(ϕ1Rϕ2) ∈ cl(ϕ), then ϕ1, ϕ2, ϕ1 ∨AX(A(ϕ1Rϕ2)) ∈ cl(ϕ).
• if E(ϕ1Rϕ2) ∈ cl(ϕ), then ϕ1, ϕ2, ϕ1 ∨EX(A(ϕ1Rϕ2)) ∈ cl(ϕ).
The formulae in cl(ϕ) constitute the states of the alternating automaton
3 Our approach is equally applicable to other branching-time logics such as CTL∗,
alternation-free µ-Calculus and full µ-Calculus.
K. Qian, A. Nymeyer / Electronic Notes in Theoretical Computer Science 149 (2006) 33–49 39
Aϕ for the CTL formula ϕ, and the initial state is ϕ. Following convention,
we denote the outermost temporal operator ∗ as a ∗-formula. For example,
A(falseR (E(trueU (¬p)))) is a R-formula and EXp is an X-formula. All
R-formulae in cl(ϕ) are accept states.
Let Aϕ = (2
AP , Q, q0, δϕ,Lϕ, F ) be an ATA for a CTL formula ϕ. We now
deﬁne the transition relation δϕ. Note that our construction is diﬀerent from
the one in [7] as we use a labelling function Lϕ to label each state of the ATA
with a Boolean connective from the set {∧,∨,,⊥}. This allows us to omit
connectives in the labels of the transitions. We also use the assumption that if
p 	∈ σ then ¬p ∈ σ. The transition relation δϕ and its corresponding labelling
function Lϕ are deﬁned as follows:
ψ δϕ(ψ, σ, k) Lϕ(ψ)
p ∈ σ true 
p 	∈ σ false ⊥
ϕ1 ∧ ϕ2 {δϕ(ϕ1, σ, k), δϕ(ϕ2, σ, k)} ∧
ϕ1 ∨ ϕ2 {δϕ(ϕ1, σ, k), δϕ(ϕ2, σ, k)} ∨
AXϕ {(0, ϕ), (1, ϕ), . . . , (k − 1, ϕ)} ∧
EXϕ {(0, ϕ), (1, ϕ), . . . , (k − 1, ϕ)} ∨
A(ϕ1Uϕ2) {δϕ(ϕ2, σ, k), δϕ(ϕ1 ∧AX(ψ), σ, k)} ∨
E(ϕ1Uϕ2) {δϕ(ϕ2, σ, k), δϕ(ϕ1 ∧EX(ψ), σ, k)} ∨
A(ϕ1Rϕ2) {δϕ(ϕ2, σ, k), δϕ(ϕ1 ∨AX(ψ), σ, k)} ∧
Following [7], the product K × Aϕ of the labelled Kripke structure K =
(S,R, s0, L, AP ) and property Aϕ = (2
AP , Q, q0, δϕ,Lϕ, F ) is deﬁned as a 1-
letter alternating word automaton AK,ϕ = ({a}, S × Q, 〈s0, q0〉, δ,L, S × F ).
If the property transition δϕ(q, L(s), k) = θ and the Kripke transition R(s) =
t0, . . . , tk then the transition relation and labelling function of the word au-
tomaton are δ(〈s, q〉, a) = θ[(c, q′)/〈tc, q
′〉] for each c and L(〈s, q〉) = Lϕ(q).
Having deﬁned the product automaton, we now introduce the state-recording
mechanism. The idea of the state-recording is to use another set of state vari-
ables to copy the state at the beginning of the accept run. The existence of
an accept run can be determined by checking whether the current state has
been recorded. Since we do not know which state will be at the beginning
of an accept cycle, we use a 3-state automaton to guess the beginning of the
cycle. We also use a 2-state automaton to indicate whether the state has been
K. Qian, A. Nymeyer / Electronic Notes in Theoretical Computer Science 149 (2006) 33–4940
recorded. The essence of state-recording is that accept (reject) cycles are ﬂat-
tened, resulting in a product automaton that is a well-deﬁned AND/OR graph.
Thus, the model-checking problem is transformed to the problem of determin-
ing the existence of a solution graph in an AND/OR graph. The reachability
algorithm of Theorem 3.1 can be used to determine the existence of a solution
graph and thereby solve the model-checking problem.
Let Sr = S be a set of states that we use to save a copy of a state in K
when necessary. Two small Kripke structures Kς and Kχ are used to determine
when the state-recording is necessary, as follows:
S s0 R
Kς = (Sς , s
0
ς , Rς) {T, L,R} T Rς(T ) = {L,R}, Rς(L) = L, Rς(R) = T
Kχ = (Sχ, s
0
χ, Rχ) {0, 1} 0 Rχ(0) = 1, Rχ(1) = 1
The product of AK,ϕ, Kς and Kχ after translation is an automaton A =
({a},S, 〈s0, s0, q0, T, 0〉,R,L) where S = S×Sr×Q×Sς×Sχ. The transition
relation R is deﬁned as follows:
• R(〈s, sr, q, sς , sχ〉, a) = Rς(sς) × 〈s, sr, q, sχ〉 if sς = T , sχ = 0 and q is an
accept state (guess the beginning of a cycle), or
• R(〈s, sr, q, L, 0〉, a) = 〈s, s, q, L, 1〉 (state recording), or
• R(〈s, sr, q, sς , sχ〉, a) = R(s)× 〈sr〉 × δ(q, a)× Rς(sς)× Rχ(sχ).
The corresponding labelling function L is deﬁned as:
• L(〈s, sr, q, T, 0〉) = ∨ if q is an accept state, or
• L(〈s, s, q, L, 1〉) =  if q is an accept state, or
• L(〈s, sr, q, sς , sχ〉) = Lϕ(q).
The labelling of states in A follows the labelling of states in AK,ϕ except that
when we need to guess the beginning of an accept cycle or we have found an
accept cycle.
Lemma 4.1 The graph GA induced by A is a well-deﬁned AND/OR graph.
Proof. It follows directly from the deﬁnition of transition relation that Aϕ
is a well-deﬁned AND/OR graph. The problem is that the product AK,ϕ will
not be well-deﬁned due to the presence of accept (and reject) runs. When the
state-recording automata Kς and Kχ are used, the accept (reject) runs are in
essence ﬂattened, changing from cycles to ﬁnite traces. The beginning of an
accept cycle in A is a ∨-node and another copy, which indicates the existence
of the cycle, is a -node. Thus, the product A induces a well-deﬁned AND/OR
K. Qian, A. Nymeyer / Electronic Notes in Theoretical Computer Science 149 (2006) 33–49 41
C T L 
f o r m u l a 
A l t e r n a t i n g  t r e e 
a u t o m t o n  ( A T A ) 
S t a t e  r e c o r d i n g 
a u t o m a t a  ( S R A ) 
K r i p k e  s t r u c t u r e 
o f  s y s t e m   m o d e l 
C o n s t r u c t 
p r o d u c t 
a u t o m a t o n 
A N D / O R 
g r a p h 
R e a c h a b i l i t y 
a n a l y s i s   f o r 
t h e  A N D / O R 
g r a p h 
S o l u t i o n  g r a p h  f o u n d , 
i e .  p r o p e r t y  v e r i f i e d 
N o  s o l u t i o n  g r a p h , 
i e .  p r o p e r t y  f a i l e d 
Fig. 2. Overview of the automata-theoretic approach
graph. 
Theorem 4.2 GA has a solution graph iﬀ the language of AK,ϕ is non-empty,
i.e K |= ϕ.
Proof. The key to the proof is that our state-recording automata are capable
of catching all possible accept (reject) cycles. Since we do not know in advance
which state will be at the beginning of a cycle, we use in Kς a non-deterministic
transition Rς(T ) = {L,R} for every accept (reject) state to guess the start-
ing point. Using our construction rules, this state is labelled as a ∨-node.
This consideration ensures every possible accept (reject) cycle will be caught.
Hence, the existence of a solution graph in GA conﬁrms non-emptiness of the
language of AK,ϕ and therefore K |= ϕ. 
5 Our approach
In essence, our approach, illustrated in Figure 2, uses BDD-based algorithms
in an automata-theoretic framework to solve the language non-emptiness prob-
lem for branching-time logic. The process begins with the model, represented
by a Kripke structure, and the property to be veriﬁed, expressed as a CTL for-
mula. Unlike conventional model checking, we also require a state-recording
automaton as input. In the ﬁrst step, the CTL formula is translated to a
(weak) alternating tree automata. Then a product automaton for the three in-
puts is constructed and an AND/OR graph is generated. To determine whether
the AND/OR graph has a solution graph, we use a special reachability analysis
algorithm. If this algorithm ﬁnds a solution graph, the property is veriﬁed
and the solution graph is a witness of the property. Otherwise, the property
is violated. To determine a counter-example, one needs to determine a wit-
ness of the negation of the property. The reachability analysis in the AND/OR
K. Qian, A. Nymeyer / Electronic Notes in Theoretical Computer Science 149 (2006) 33–4942
s0 s1
s3 s2p
p r o p e r t y  t o   b e  v e r i f i e d : 
      A G   E F p = A ( f a l s e R ( E ( t r u e  U p ) )  ) 
Fig. 3. A Kripke structure and CTL property
graph uses BDDs. We encode the system model, property automaton and
state-recording automaton as BDDs, and compute the product automaton
and AND/OR graph as BDDs.
5.0.1 From an ATA to AND/OR graphs using BDDs
The key to automata-theoretic branching-time model checking is to determine
the language non-emptiness of the product alternating automaton. Kupfer-
man et. al. [7] reduce this problem to a 1-letter automaton non-emptiness
checking. While their algorithm uses AND/OR graphs as underlying data struc-
tures, the run of the 1-letter automaton does not correspond to an AND/OR
graph as we deﬁned above. The serious problem concerns cycle detection.
When their algorithm ﬁrst encounters an accept (or reject) state, it may label
the state a ∧-node or ∨-node. If subsequently a cycle that goes back to an
accept (or reject) state is found, then the same node may be labelled  or ⊥.
If this occurs, the state does not have a unique label. In a explicit-state model
checker, this problem can be avoided by using a stack to memorise the accept
cycle and if the cycle does exist, the algorithm just relabels the state. This
does not work in a BDD-based model checker because states are represented
implicitly and path information cannot be recorded by using a structure like
a stack.
5.0.2 Example
Consider the Kripke structure and CTL property in Figure 3. The structure
has 4 states and s3 is labelled by the only atomic proposition p (assume p
labels all other states). The property is obviously true in this model.
To use the algorithm in [7] to verify the property, we ﬁrst construct the
alternating automaton of AG(EFp) as follows:
q δ(q, {p}, k) δ(q, ∅, k)
AG(EFp) EFp ∧
∧k−1
c=0 (c, AG(EFp)) EFp ∧
∧k−1
c=0 (c, AG(EFp))
EFp true
∨k−1
c=0 (c, EFp)
where q is the state of the property automaton, the state AG(EFp) is an
K. Qian, A. Nymeyer / Electronic Notes in Theoretical Computer Science 149 (2006) 33–49 43
accept state, and the other state is a reject state. The accept state of the
product automaton is determined by the property automaton. Note that if a
transition has the value true, this means the path leading to that state does
not have a successor in a run of the tree automaton. This corresponds to
-node in AND/OR graph. If the transition has the value false, the run can
never be accepted, i.e. the solution graph can never have a ⊥-node.
We omit the formal description here of the product automaton and instead
depict in Figure 4 the runs that the algorithm in [7] uses to check the non-
emptiness of the language. Each node in the graph is a state of the product
automaton. The initial state of this automaton contains both the initial states
from the Kripke structure and the property automaton. The algorithm begins
with the initial state #1, which states that AG(EFp) is true at state s0. This
means that EFp must be true at s0, which results in node #2, and AG(EFp)
must be true at all successors of s0, namely s1, which results in node #3.
Node #1 is hence a ∧-node. Other states are expanded in a similar manner.
The transition true results in node #7, which is a -node. At this point we
need to back-propagate the label according to the deﬁnition of the solution
graph of an AND/OR graph. Since node #4 is a ∨-node and one of its children
is a -node, node #4 will be labelled as a -node as well. The language is
non-empty iﬀ the initial state (#1) is labelled a -node. The problematic
state in this example is node #6 because one of its successors loops back to
a state that was expanded before. In this situation, the label of node #1 will
be recursively dependant on itself (because of the cycle of node #1, #3 and
#6). This problem occurs when an automaton has an accept or reject run.
In fact, it is easy to see the cycle here is an accept cycle as #1 is an accept
state. To avoid this problem, if during the back-propagation of the labels a
successor of a node leads to an accept cycle, we consider the node has a -
node as successor. Thus, node #6 is a -node as #7 is a -node and node
#1 leads to an accept cycle. Alternatively, if a successor of a node leads to a
reject cycle, we consider the node has a ⊥-node as successor. It is easy to see
#1 will eventually be labelled as a -node and the language of the product
automaton is not empty.
In an explicit-state model checker, the non-emptiness algorithm above de-
tects accept and reject cycles by maintaining two stacks. Our aim is to use
BDD-based algorithms to check for language non-emptiness, and to represent
the model under veriﬁcation and property using BDDs. In general, BDD-
based state-space search does not use a stack to record which states have
been visited, so the above approach cannot be used directly. Instead, state-
recording has been used. The key idea is to use another set of state variables
to record the state that possibly lies in a cycle. The existence of the cycle
K. Qian, A. Nymeyer / Electronic Notes in Theoretical Computer Science 149 (2006) 33–4944
 
 
Fig. 4. Automata-theoretic CTL model checking
can be determined by checking whether the value of original state variable is
equal to the recorded variable. In eﬀect, state-recording emulates a stack, and
cycles can be detected by reachability algorithms.
We use this approach to detect both accept cycles and reject cycles. Fig-
ure 5 depicts the search graph that uses this technique. In Figure 4 the
state of the product automaton has two components, namely a state of the
Kripke structure and a state of the property automaton. After recording
the state, the state of the product automaton has 5 components: namely
(s, t, ϕ, save, saved), where s is the state of the Kripke structure, t is the state
that copies s when necessary, ϕ is still the state of property automaton, and
ﬁnally save and saved are two variables that are used to determine when to
record a state and whether the state has already been recorded. To detect
an accept cycle, it is suﬃcient to record the state at an accept state. For
example, in Figure 5, node #1 is an accept state and hence save will non-
deterministically split into two branches. The value for save becomes L in #2
and R in #3. If save = L, we will copy s to t in the next transition and set
the ﬂag saved to be 1. Note that the non-deterministic branch leaves open
the question whether that state is the beginning of an accept cycle, so the
label of this ‘split’ node is ∨. While the graphs in Figure 4 and Figure 5 are
similar, the latter contains more nodes. In particular, the shaded node #11
suggests that there is an accept cycle. Node #11 turns out to be a -node.
By applying state-recording, the product automaton becomes an AND/OR
graph in which the label on each state will only depend on its own position.
Using our symbolic reachability algorithm, we can determine whether there
exists a solution graph and thereby determine the emptiness of the language
of the product automaton.
K. Qian, A. Nymeyer / Electronic Notes in Theoretical Computer Science 149 (2006) 33–49 45
   
Fig. 5. From an automaton to a well-deﬁned AND/OR graph
6 Implementation
We have implemented this approach in the symbolic model checker NuSMV
[1]. The reachability algorithm of the ﬁxed-point formula has been imple-
mented in a separate module and uses both weak pre-image and strong pre-
image routines from NuSMV for the temporal operators EX and AX. We
employ most of the features of BDD-based model checking, such as input
variable ordering and a partitioned transition relation.
The model under veriﬁcation is expressed using the SMV input language.
We require the input model to our algorithm to be a translated automaton
that induces an AND/OR graph. This requires a source-to-source translation
from the original model and property to a new input model. To produce the
experimental results below we needed to do this translation by hand, but we
are developing a tool that can perform this automatically.
The model we experimented on is a gigamax cache consistency protocol.
The property we veriﬁed is AG(EFp0.readable), which states that no matter
what state the system is in, there is a future state from which process p0 is
readable. The property can be veriﬁed by both our automata-based approach
and the CTL model checking algorithm based on a ﬁxed-point characterisa-
tion. A few preliminary results are shown in the following table.
algorithm # BDD vars run-time (s) # BDD nodes iterations
our approach 188 1.370 425748 4
standard 88 0.250 65947 11
As we need to use a set of variables to save a copy of the original states,
our approach uses more than twice the number of Boolean variables than
K. Qian, A. Nymeyer / Electronic Notes in Theoretical Computer Science 149 (2006) 33–4946
the standard algorithm. Speciﬁcally, we use another 88 variables to copy the
state, and 12 variables to encode the property automaton as well as the state-
recording automata. The net result is a longer run-time and more BDD nodes
(and hence memory). The last column shows the number of iterations of the
ﬁxed-point calculation. This is a measure of how many times the algorithm
calls the pre-image (or image) computation routine, which is normally an
expensive operation in symbolic model checking. In this example we call only
4 pre-image operations, which is substantially lower than the number called
by the standard algorithm.
7 Conclusion and Future Work
In this work we have in essence transformed a branching-time logic problem
into a reachability problem on AND/OR graphs and placed it in a symbolic
setting. The big advantage of this transformation from our point of view is
that we are now in a position to apply symbolic heuristic-search algorithms
during the reachability analysis to reduce the size of the state space. We
already have extensive experience with heuristic search [13,12] and feel that the
combination of symbolic and heuristic search techniques oﬀers much potential.
This work, together with the work of Kupferman et. al. [7], has highlighted
the need for really eﬃcient (heuristic) search algorithms to solve what is a
quint-essentially AI problem representation, AND/OR graphs.
At one level, our approach will lead to worse performance because of the
extra load of the state-recording. Note that this is consistent with Schup-
pan and Biere’s results in [17]. However, in the longer term, the advantage
is that, having transformed branching-time model checking to a reachability
analysis, an arsenal of optimisation techniques can be applied to improve per-
formance. While we do not explore these techniques in this paper, we will in
the near future apply symbolic heuristic search to the reachability analysis of
branching-time properties.
While we have focused on CTL model checking, the approach used in
this paper is applicable to other branching-time logics such as CTL∗ and µ-
Calculus. In our algorithms we have used Bu¨chi acceptance conditions. In
fact, the automata constructed from CTL satisfy ‘weak’ acceptance conditions
and hence these automata are often referred to as weak alternating automata
(WAA). In their automata-theoretic approach, Kupferman et. al. [7] construct
hesitant alternating automata (HAA) for CTL∗ and µ-Calculus. We have also
applied HAA in our symbolic setting to these logics and will report on this
work at a later date.
K. Qian, A. Nymeyer / Electronic Notes in Theoretical Computer Science 149 (2006) 33–49 47
References
[1] A. Cimatti, E.M. Clarke, F. Giunchiglia, and M. Roveri. NuSMV: A new symbolic model
veriﬁer. In Proc. of the 11th Int. Conf. on Computer Aided Veriﬁcation, CAV’99, Trento,
Italy, volume 1633 of LNCS, pages 495–499. Springer-Verlag, 1999.
[2] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic veriﬁcation of ﬁnite-state concurrent
systems using temporal logic speciﬁcations. ACM Trans. Program. Lang. Syst., 8(2):244–263,
1986.
[3] E. M. Clarke, O. Grumberg, and D.A. Peled. Model Checking. MIT Press, 1999.
[4] S. Edelkamp, A. Lluch-Lafuente, and S. Leue. Directed explicit model checking with HSF–
SPIN. In Proc. of Model Checking Software, 8th Int. SPIN Workshop, Toronto, Canada, volume
2057 of LNCS, pages 57–79. Springer-Verlag, 2001.
[5] Ranan Fraer, Gila Kamhi, Barukh Ziv, Moshe Y. Vardi, and Limor Fix. Prioritized traversal:
Eﬃcient reachability analysis for veriﬁcation and falsiﬁcation. In Proc. of 12th Int. Conf.
on Computer Aided Veriﬁcation, CAV’00, Chicago, IL, USA, volume 1855 of LNCS, pages
389–402. Springer-Verlag, 2000.
[6] Gerard J. Holzmann. The model checker SPIN. Software Engineering, 23(5):279–295, 1997.
[7] Orna Kupferman, Moshe Y. Vardi, and Pierre Wolper. An automata-theoretic approach to
branching-time model checking. J. ACM, 47(2):312–360, 2000.
[8] A. Mahanti and A. Bagchi. AND/OR graph heuristic search methods. Journal of the
Association fro Computing Machinery, 32(1):28–51, January 1985.
[9] K.L. McMillan. Symbolic model checking. Kluwer Academic Publishers, Boston, MA, 1993.
[10] David E. Muller and Paul E. Schupp. Alternating automata on inﬁnite trees. Theor. Comput.
Sci., 54:267–276, 1987.
[11] N. J. Nilsson. Principles of artiﬁcial intelligence. Morgan Kaufmann Publishers Inc., 1980.
[12] K. Qian and A. Nymeyer. Abstraction-based model checking using heuristical reﬁnement. In
Proc. of the 2nd Int. Symp. on Automated Technology for Veriﬁcation and Analysis, ATVA’04,
LNCS, pages 165–178. Springer-Verlag, 2004.
[13] K. Qian and A. Nymeyer. Guided invariant model checking based on abstraction and symbolic
pattern databases. In Proc. of the 10th Int. Conf. on Tools and Algorithms for the Construction
and Analysis of Systems, TACAS’04, Barcelona, Spain,, volume 2988 of LNCS, pages 497–511.
Springer-Verlag, 2004.
[14] K. Ravi and F. Somenzi. High-density reachability analysis. In Proc. of the 1995 IEEE/ACM
international conference on Computer-aided design, ICCAD ’95, San Jose, California, USA,
pages 154–158. IEEE Computer Society, 1995.
[15] K. Ravi and F. Somenzi. Hints to accelerate symbolic traversal. In Proc. of Correct Hardware
Design and Veriﬁcation Methods, CHARME’99, Bad Herrenalp, Germany, volume 1703 of
LNCS, pages 81–92. Springer-Verlag, 1999.
[16] Antonella Santone. Heuristic search + local model checking in selective mu-calculus. IEEE
Transactions on Software Engineering, 29(6):510–523, 2003.
[17] Viktor Schuppan and Armin Biere. Eﬃcient reduction of ﬁnite state model checking to
reachability analysis. Int. Journal on Software Tools for Technology Transfer (STTT), 5(2–
3):185–204, 2004.
[18] Wolfgang Thomas. Automata on inﬁnite objects. In Handbook of Theoretical Computer
Science, Volume B: Formal Models and Sematics (B), pages 133–192. MIT Press, 1990.
[19] M.Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program veriﬁcation
(preliminary report). In Proc. of the Symp. on Logic in Computer Science, LICS’86,
Cambridge, Massachusetts, pages 332–344. IEEE, 1986.
K. Qian, A. Nymeyer / Electronic Notes in Theoretical Computer Science 149 (2006) 33–4948
[20] C. Han Yang and David L. Dill. Validation with guided search of the state space. In Proc.
of the 35th Conf. on Design Automation, DAC’98, Moscone center, San Francico, CA, USA,
pages 599–604. ACM Press, 1998.
K. Qian, A. Nymeyer / Electronic Notes in Theoretical Computer Science 149 (2006) 33–49 49
