Lehrstuhl für Informatik 2 Model Checking Summer Semester 2022

Softwaremodellierung und Verifikation Exercise Sheet 10 – Sample Solution

Prof.aa
Dr. Ir. Dr. h. c. Joost-Pieter Katoen, Tim Quatmann Alexander Bork, Jip Spel

Exercise Sheet 10 – Sample Solution

Hints:
• The exercise sheet can be submitted until 13.07.2022 at 16:30 online via RWTHmoodle.

• The exercise sheets have to be solved in groups of 3-4. Submissions with other group sizes might not be
corrected. Use the forum in RWTHmoodle to find group-mates.

• Submissions will be graded only for the sake of giving feedback to you. The points are not a precondition
for admittance to the exam.

• However, we strongly advice you to solve the exercises and submit your solutions.

• Sample solutions will be presented in the exercise class and published in RWTHmoodle.

• Questions can be asked either during the lecture or exercise class or in the general discussion board on
RWTHmoodle.

• This sheet covers lectures 19-21.

Exercise 1 (Boolean Function Representation): 15+5=20 Points

Consider the ROBDD depicted below.

x1

x2 x2

x3 x3 x3 x3

y3 y3 y3 y3 y3

y2 y2

y1

0 1

a) We consider a new variable ordering ℘ given by y3 <℘ x3 <℘ x2 <℘ y2 <℘ x1 <℘ y1 . Give the resulting
℘-ROBDD.

b) Determine the boolean function f (x1 , x2 , x3 , y1 , y2 , y3 ) that the ROBDD represents as a propositional for-
mula.

1
 Lehrstuhl für Informatik 2 Model Checking Summer Semester 2022
Softwaremodellierung und Verifikation Exercise Sheet 10 – Sample Solution

Sample Solution

For reference, we depict the truth table (this is not necessary for this exercise)

No. x1 x2 x3 y3 y2 y1 f
33. 1 0 0 x x 0 0
No. x1 x2 x3 y3 y2 y1 f
37. 1 0 0 x x 1 1
1. 0 0 0 x x x 0
41. 1 0 1 0 x 0 0
9. 0 0 1 0 x x 0
43. 1 0 1 0 x 1 1
13. 0 0 1 1 x x 1
45. 1 0 1 1 x x 0
17. 0 1 0 1 x x 0
49. 1 1 0 x 0 0 0
21. 0 1 0 0 0 x 0
51. 1 1 0 x 0 1 1
23. 0 1 0 0 1 x 1
53. 1 1 0 x 1 x 1
25. 0 1 1 0 0 x 0
57. 1 1 1 0 0 0 0
27. 0 1 1 0 1 x 1
58. 1 1 1 0 0 1 1
29. 0 1 1 1 x x 1
59. 1 1 1 0 1 x 1
61. 1 1 1 1 x x 1

a) One approach for this exercise would be to draw the binary decision diagram with the new variable
ordering and then reduce it. Alternatively, variable swapping can be applied. Here, we do the latter.
1) Swap x2 and y3 . An OBDD for the ordering x1 < y3 < x3 < x2 < y2 < y1 is given below.

x1

y3 y3

x3 x3 x3 x3

x2 x2 x2 x2 x2 x2 x2 x2

y2 y2

y1

0 1 0 1

Merging duplicate leafs yields:

2
 Lehrstuhl für Informatik 2 Model Checking Summer Semester 2022
Softwaremodellierung und Verifikation Exercise Sheet 10 – Sample Solution

x1

y3 y3

x3 x3 x3 x3

x2 x2 x2 x2 x2 x2 x2 x2

y2 y2

y1

0 1

Eliminating isomorphic subtrees yields:

3
 Lehrstuhl für Informatik 2 Model Checking Summer Semester 2022
Softwaremodellierung und Verifikation Exercise Sheet 10 – Sample Solution

x1

y3 y3

x3 x3 x3 x3

x2 x2 x2 x2 x2

y2 y2

y1

0 1

Eliminating the don’t care vertices yields the following ROBDD:

4
 Lehrstuhl für Informatik 2 Model Checking Summer Semester 2022
Softwaremodellierung und Verifikation Exercise Sheet 10 – Sample Solution

x1

y3 y3

x3 x3

x2 x2 x2

y2 y2

y1

0 1

2) Bring x1 to the correct position. The new ROBDD for the desired ordering is given below.

5
 Lehrstuhl für Informatik 2 Model Checking Summer Semester 2022
Softwaremodellierung und Verifikation Exercise Sheet 10 – Sample Solution

y3

x3

x2 x2 x2

y2 y2

x1 x1 x1

y1

0 1

b) As one can see from the minimal ROBDD or even better from the truth table the function f is
true in most cases if xi ∧ yi for one i = 1, 2, 3. The only exceptions are given in the truth table for
numbers 17 and 45. Excluding these case we get the following Boolean function:
3
_
f (x1 , x2 , x3 , y1 , y2 , y3 ) = ( (xi ∧ yi )) ∧ ¬(y3 ∧ x3 ∧ ¬x2 ∧ x1 ) ∧ ¬(y3 ∧ ¬x3 ∧ x2 ∧ y2 ∧ ¬x1 )
i=1

Hint: Alternatively, we could use the ROBDD to directly read off the formula in disjunctive
normal form. This is done by considering one clause for each path from the root node to the
1-leaf.
Another alternative is to determine a function for every node of a ROBD in a bottom-up
manner. For example, using the ℘-ROBDD from the previous exercise, the very left y1 , x1 ,
and y2 nodes are represented by the functions fy1 ,1 := y1 , fx1 ,1 := x1 ∧ fy1 ,1 , and fy2 ,1 :=
y2 ∨ (¬y2 ∧ fx1 ,1 ), respectively.

Exercise 2 (Operations on ROBDDS): 8+8+14=30 Points

Perform the following operations on ROBDDs. Your result should always be a reduced OBDD. Provide the
intermediate steps of your computations. In particular, indicate which of the three rules for reducing OBDDs
(slide 29) you apply. The variable ordering is given by a < b < c < d.
a) Compute F ∨ G for the following ROBDDs F and G.

Hint: Recall the similarities between ROBDDs and DFAs. A (possibly non-reduced) OBDD for F ∨ G
can be constructed similarly to the well-known product construction for DFAs.

6
 Lehrstuhl für Informatik 2 Model Checking Summer Semester 2022
Softwaremodellierung und Verifikation Exercise Sheet 10 – Sample Solution

F : a G: a

c c

d d

0 1 0 1

b) Compute H|b=1 for the ROBDD H given below

H: a

b b

c c

0 1

c) Compute ∃a.(∃d.f (a, b, c, d)) in the form of an ROBDD for the function f defined by the ROBDD below.

Hint: ∃a.g(a, . . . ) ≡ g(0, . . . ) ∨ g(1, . . . )

f : a

b b

d d

0 1

Sample Solution

a) The resulting BDD for F ∨ G is depicted on the left. We eliminate the duplicated 1-leafs. After
that, we eliminate the resulting “don’t care” vertex c. The ROBDD for F ∨ G is shown on the
right.

7
 Lehrstuhl für Informatik 2 Model Checking Summer Semester 2022
Softwaremodellierung und Verifikation Exercise Sheet 10 – Sample Solution

a a

b b

c c c

d d
1 1 1

0 1 0

b) We redirect incoming edges of any b-node w to succ1 (w ) (left). So Then, we erase nodes that are
not reachable anymore to obtain a proper BDD (middle). Finally, we erase the “don’t care” vertex
a (right ).
a a

b b

c c c c

0 1 0 1 0 1

c) First consider the computation of ∃d.f (a, b, c, d) which corresponds to f (a, b, c, 0) ∨ f (a, b, c, 1).
f (a, b, c, 0): f (a, b, c, 1):

a a

b b b b

c c

0 1 0 1

8
 Lehrstuhl für Informatik 2 Model Checking Summer Semester 2022
Softwaremodellierung und Verifikation Exercise Sheet 10 – Sample Solution

f (a, b, c, 0) ∨ f (a, b, c, 1) as ROBDD

f (a, b, c, 0) ∨ f (a, b, c, 1) as OBDD:
(after erasing “don’t care” vertex c):

a a

b b b b

0 1 0 1

Let g(a, b, c) = ∃d.f (a, b, c, d)). Next, we compute the ROBDD for ∃a.(g(a, b, c)) ≡ g(0, b, c) ∨
(g(1, b, c, )).
g(0, b, c): g(1, b, c):

b b

0 1 0 1

g(0, b, c) ∨ g(1, b, c) as ROBDD

g(0, b, c) ∨ g(1, b, c) as OBDD:
(after erasing “don’t care” vertex b):

1 1

Exercise 3 (Transition System Encoding): 10+10=20 Points

Consider the following transition system.
a) Define the switching functions that represent the transition system using propositional logic over variables
x̄ = (x0 , x1 ). More precisely, provide
• ∆(x̄, x̄ 0 ) for the transition function, and
• fa (x̄) for the satisfaction sets for each atomic proposition a ∈ AP

9
 Lehrstuhl für Informatik 2 Model Checking Summer Semester 2022
Softwaremodellierung und Verifikation Exercise Sheet 10 – Sample Solution

s1 ∅

{a}
s0 s3
{b}

s2 {a, b}

(a) TS (b) Legend

States are encoded according to the binary representation of their index, e.g., enc(s1 ) = (x0 , x1 ) = (0, 1).

b) Encode the switching functions from part (a) using ROBDDs. Use variable ordering x0 < x1 for the
satisfaction sets and interleave it (x0 < x00 < x1 < x10 ) for the transition relation.

fa (x̄) = (x0 ∧ ¬x1 ) ∨ (x0 ∧ x1 ) (= x0 )

fb (x̄) = (¬x0 ∧ x1 ) ∨ (x0 ∧ x1 ) (= x1 )

∆(x̄, x̄ 0 ) =(¬x0 ∧ ¬x1 ∧ ¬x00 ∧ x10 ) ∨ (¬x0 ∧ ¬x1 ∧ x00 ∧ ¬x10 )

∨(¬x0 ∧ x1 ∧ ¬x00 ∧ x10 )
∨(x0 ∧ ¬x1 ∧ ¬x00 ∧ x10 ) ∨ (x0 ∧ ¬x1 ∧ x00 ∧ x10 )
∨(x0 ∧ x1 ∧ ¬x00 ∧ x10 ) ∨ (x0 ∧ x1 ∧ x00 ∧ x10 )

(=(¬x0 ∧ ¬x00 ∧ x10 ) ∨ (¬x0 ∧ ¬x1 ∧ x00 ∧ ¬x10 ) ∨ (x0 ∧ x10 ))

Sample Solution

(a) We begin with switching functions for the atomic properties. Property a is satisfied in states
s2 = (1, 0) and s3 = (1, 1). The corresponding switching function is:

fa (x̄) = (x0 ∧ ¬x1 ) ∨ (x0 ∧ x1 ) (= x0 )

Property b is satisfied in states s1 = (0, 1) and s3 = (1, 1). The corresponding switching function
is:
fb (x̄) = (¬x0 ∧ x1 ) ∨ (x0 ∧ x1 ) (= x1 )
The switching function for the transition relation is:

∆(x̄, x̄ 0 ) =(¬x0 ∧ ¬x1 ∧ ¬x00 ∧ x10 ) ∨ (¬x0 ∧ ¬x1 ∧ x00 ∧ ¬x10 )

∨(¬x0 ∧ x1 ∧ ¬x00 ∧ x10 )
∨(x0 ∧ ¬x1 ∧ ¬x00 ∧ x10 ) ∨ (x0 ∧ ¬x1 ∧ x00 ∧ x10 )
∨(x0 ∧ x1 ∧ ¬x00 ∧ x10 ) ∨ (x0 ∧ x1 ∧ x00 ∧ x10 )

(=(¬x0 ∧ ¬x00 ∧ x10 ) ∨ (¬x0 ∧ ¬x1 ∧ x00 ∧ ¬x10 ) ∨ (x0 ∧ x10 ))

10
 Lehrstuhl für Informatik 2 Model Checking Summer Semester 2022
Softwaremodellierung und Verifikation Exercise Sheet 10 – Sample Solution

(b) The (R)OBDDs for the switching functions look as follows.

fa (x̄):

x0 x0

x1 x1

0 1 0 1

fb (x̄):

x0 x0

x1 x1 x1 x1

0 1 0 1 0 1

OBDD for ∆(x̄, x̄ 0 )

11
 Lehrstuhl für Informatik 2 Model Checking Summer Semester 2022
Softwaremodellierung und Verifikation Exercise Sheet 10 – Sample Solution

x0

x00 x00

x1 x1 x1 x1

x10 x10 x10 x10 x10 x10 x10 x10

0 1

OBDD for ∆(x̄, x̄ 0 ):

12
 Lehrstuhl für Informatik 2 Model Checking Summer Semester 2022
Softwaremodellierung und Verifikation Exercise Sheet 10 – Sample Solution

x0

x00 x00

x1 x1 x1 x1

x10 x10 x10 x10

0 1

ROBDD for ∆(x̄, x̄ 0 ):

x0

x00

x1

x10 x10

0 1

13
 Lehrstuhl für Informatik 2 Model Checking Summer Semester 2022
Softwaremodellierung und Verifikation Exercise Sheet 10 – Sample Solution

Exercise 4 (Bounded Model Checking): 10+15+5=30 Points

Perform bounded model checking on the following transition system T S.

00 11 ∅

{a}
01 10

(c) TS (d) Legend

a) Let a state s be represented as s = (s[0], s[1]). Give the SAT representation of the transition relation
T (s, s 0 ), the initial state(s) I(s) and the atomic proposition a(s).
b) Given the property p :=  (¬a ∨ ¬a) and the bound k := 3 generate the SAT encoding for the bounded
model checking problem JT S, ¬pK3 by especially specifying:
• The unfolding of the transition relation: JT SK3
• The loop condition: L3
• The translation for paths without loops: J¬pK03
• The translation for paths with loops: J¬pK0`,3 (for variable `)
c) Try to find a satisfying assignment for the SAT encoding and give the resulting counterexample if one can
be found.

Sample Solution

(a) The translation relation is:

T (s, s 0 ) := (¬s[0] ∧ ¬s[1] ∧ ¬s 0 [0] ∧ s 0 [1])

∨ (¬s[0] ∧ s[1] ∧ ¬s 0 [0] ∧ ¬s 0 [1])
∨ (¬s[0] ∧ s[1] ∧ s 0 [0] ∧ ¬s 0 [1])
∨ (s[0] ∧ ¬s[1] ∧ ¬s 0 [0] ∧ ¬s 0 [1])
∨ (s[0] ∧ ¬s[1] ∧ s 0 [0] ∧ s 0 [1])
∨ (s[0] ∧ s[1] ∧ ¬s 0 [0] ∧ ¬s 0 [1])
∨ (s[0] ∧ s[1] ∧ s 0 [0] ∧ s 0 [1])
= (¬s[0] ∧ ¬s[1] ∧ ¬s 0 [0] ∧ s 0 [1])
∨ (¬s[0] ∧ s[1] ∧ ¬s 0 [1])
∨ (s[0] ∧ ¬s 0 [0] ∧ ¬s 0 [1])
∨ (s[0] ∧ s 0 [0] ∧ s 0 [1])

The initial state is: I(s) := ¬s[0] ∧ ¬s[1].

The encoding of the atomic proposition is: a(s) := s[0] ∧ s[1].
(b) The negation of the property p is ¬p ≡ ♦ (a ∧ a).
The unfolding of the transition relation is:

JT SK3 = I(s0 ) ∧ T (s0 , s1 ) ∧ T (s1 , s2 ) ∧ T (s2 , s3 )

14
 Lehrstuhl für Informatik 2 Model Checking Summer Semester 2022
Softwaremodellierung und Verifikation Exercise Sheet 10 – Sample Solution

The loop condition is:

L3 := T (s3 , s0 ) ∨ T (s3 , s1 ) ∨ T (s3 , s2 ) ∨ T (s3 , s3 )

The translation for paths without a loop is:

3
_
J♦ (a ∧ a)K03 := J(a ∧ a)Ki3
i=0
3
_
= (JaKi3 ∧ J aKi3 )
i=0
= JaK03 ∧ J aK03 ∨ JaK13 ∧ J aK13 ∨ JaK23 ∧ J aK23 ∨ JaK33 ∧ J aK33









= a(s0 ) ∧ a(s1 ) ∨ a(s1 ) ∧ a(s2 ) ∨ a(s2 ) ∧ a(s3 ) ∨ a(s3 ) ∧ 0)




= a(s0 ) ∧ a(s1 ) ∨ a(s1 ) ∧ a(s2 ) ∨ a(s2 ) ∧ a(s3 )

The translation for paths with a loop is:

3
_
J♦ (a ∧ a)K0`,3 := J(a ∧ a)Kj`,3
j=min(0,`)

=J(a ∧ a)K0`,3 ∨ J(a ∧ a)K1`,3 ∨ J(a ∧ a)K2`,3 ∨ J(a ∧ a)K3`,3

= JaK0`,3 ∧ J aK0`,3 ∨ JaK1`,3 ∧ J aK1`,3 ∨ JaK2`,3 ∧ J aK2`,3 ∨ JaK3`,3 ∧ J aK3`,3

= a(s0 ) ∧ JaK1`,3 ∨ a(s1 ) ∧ JaK2`,3 ∨ a(s2 ) ∧ JaK3`,3 ∨ a(s3 ) ∧ JaK``,3

= a(s0 ) ∧ a(s1 ) ∨ a(s1 ) ∧ a(s2 ) ∨ a(s2 ) ∧ a(s3 ) ∨ a(s3 ) ∧ a(s` )

The complete SAT encoding is:

 3
 _ 
JT S, ♦ (a ∧ a)K3 :=JT SK3 ∧ ¬L3 ∧ J♦ (a ∧ a)K03 ∨ L3 ∧ J♦ (a ∧ a)K0`,3
`=0
=I(s0 ) ∧ T (s0 , s1 ) ∧ T (s1 , s2 ) ∧ T (s2 , s3 )

∧ ¬T (s3 , s0 ) ∧ ¬T (s3 , s1 ) ∧ ¬T (s3 , s2 ) ∧ ¬T (s3 , s3 )




∧ a(s0 ) ∧ a(s1 ) ∨ a(s1 ) ∧ a(s2 ) ∨ a(s2 ) ∧ a(s3 )
_ 3 
0
∨ L3 ∧ J♦ (a ∧ a)K`,3
`=0

As an example the encoding for paths with a loop and ` := 3:



L3 ∧J♦ (a∧ a)K03,3 := T (s3 , s3 )∧ a(s0 )∧a(s1 ) ∨ a(s1 )∧a(s2 ) ∨ a(s2 )∧a(s3 ) ∨ a(s3 )∧a(s3 )

(c) A satisfying assignment is:

s0 := 00, s1 := 01, s2 := 10, s3 := 11

This corresponds to the path:

00 → 01 → 10 → 11 → 11 → 11 → ...

15