\documentclass[11pt,twoside]{scrartcl}

%opening
\newcommand{\lecid}{15-414}
\newcommand{\leccourse}{Bug Catching: Automated Program Verification}
\newcommand{\lecdate}{} %e.g. {October 21, 2013}
\newcommand{\lecnum}{22}
\newcommand{\lectitle}{CTL model checking}
\newcommand{\lecturer}{Matt Fredrikson}

\usepackage{lecnotes}

\usepackage[irlabel]{bugcatch}

\usepackage{tikz}
\usetikzlibrary{automata,shapes,positioning,matrix,shapes.callouts,decorations.text,patterns,trees}


%% \traceget{v}{i}{\zeta} is the state of trace v at time \zeta of the i-th discrete step
\newcommand{\traceget}[3]{{#1}_{#2}(#3)}
\def\limbo{\mathrm{\Lambda}}
%% the last state of a trace
\DeclareMathOperator{\tlast}{last}
%% the first state of a trace
\DeclareMathOperator{\tfirst}{first}

\begin{document}
%% the name of a trace
\newcommand{\atrace}{\sigma}%
%% the standard interpretation naming conventions
\newcommand{\stdI}{\dTLint[state=\omega]}%
\newcommand{\Ip}{\dTLint[trace=\atrace]}%
\def\I{\stdI}%
\let\tnext\ctnext
\let\tbox\ctbox
\let\tdiamond\ctdiamond

\maketitle
\thispagestyle{empty}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\section{Introduction}

Linear temporal logic is a very important logic for model checking \cite{DBLP:books/el/leeuwen90/Emerson90,ClarkeGrumberg_MC_1999,BaierKL08} but has the downside that its verification algorithms are rather complex.
To get a good sense of how model checking works, we therefore consider the closely related but different(!) Computation Tree Logic (CTL) instead.
Both LTL and CTL are common in model checking even if they have different advantages and downsides.

The main point about LTL is that its semantics fixes a trace and then talks about temporal properties along that particular trace.
CTL instead switches to a new trace every time a temporal operator is used.
CTL has the advantage of having a pretty simple model checking algorithm.

\section{CTL Model Checking}
\newcommand{\model}[1]{\lenvelope#1\renvelope}
\newcommand{\ctmodel}[1]{\model{#1}}%{M(#1)}
\newcommand{\somenextop}[1]{\tau_{\mathbf{EX}}(#1)}
\newcommand{\allnextop}[1]{\tau_{\mathbf{AX}}(#1)}

The idea behind model checking is to exploit finiteness of the state spaces to directly compute the semantics of the formulas.
Given a \emph{finite} computation structure \(K=(W,\stepto,v)\)
the CTL model checking algorithm computes the set of all states of $K$ in which CTL formula $\phi$ is true:
\[
\model{\phi} \mdefeq \{ s\in W \with s \models \phi\}
\]
The CTL model checking algorithm for a computation structure \(K=(W,\stepto,v)\) computes this set $\model{\phi}$ by directly following the semantics in a recursive function along the equations of Theorem~\ref{thm:CTL-MC} below.

The main hurdle that we need to overcome is what to do for operators like $\mathbf{F}$, $\mathbf{G}$, and $\mathbf{U}$, which specify that certain facts must hold on states encountered arbitrarily far into the future on paths.
To address this, we will use some machinery having to do with \emph{fixpoints} of monotone functions.

\paragraph{Monotone fixpoints.}

The model checking algorithm operates over sets of states, working towards computing $\model{\phi}$.
When working with these sets, we adopt the same notational convention for set union $\cup$ and intersection $\cap$ as we did for logical disjunction $\lor$ and conjunction $\land$, namely that $\cap$ and $\land$ bind more closely than $\cup$ and $\lor$.

Let $\powerset{W}$ denote the set of all subsets of $W$, and let $f$ be a function from $\powerset{W}$ to $\powerset{W}$.
We say that $f$ is \emph{monotone} if and only if it preserves subset ordering, i.e.:
\begin{equation}
U \subseteq V~\text{implies that}~f(U) \subseteq f(V)
\end{equation}
Note that this property is exactly like the monotone functions over real numbers, with the subset relation in place of numeric inequality.

A \emph{fixpoint} of $f$ is an element $Z \in \powerset{W}$ that is mapped to itself by $f$, i.e. $f(Z) = Z$.
A given function may have many fixpoints; for example, every element is a fixpoint of the identity function.
Two special cases that we will make use of for model checking are the \emph{least} and \emph{greatest} fixpoints.
We write $\lfp{Z}{f(Z)}$ for the least fixpoint, the \textbf{unique} fixpoint that is a subset of every other fixpoint, and $\gfp{Z}{f(Z)}$ for the greatest fixpoint, the unique fixpoint that is a superset of every other fixpoint.
Note that a function need not have a least or greatest fixpoint.
The particular special case of the seminal Knaster-Tarski fixpoint theorem shown in Theorem~\ref{thm:tarski} says that monotone functions have both, and provides a recipe for finding them.

\begin{theorem}[Knaster-Tarski]
\label{thm:tarski}
  Every monotone function \(f:\powerset{W}\to\powerset{W}\) has a least and a greatest fixpoint and both can be found by iteration:
  \[
  \lfp{Z}{f(Z)} = \cupfold_{n\geq1} f^n(\emptyset)
  \qquad
  \gfp{Z}{f(Z)} = \capfold_{n\geq1} f^n(W)
  \]
\end{theorem}
In Theorem~\ref{thm:tarski}, $f^n$ is the $n$-fold composition of $f$. So $f^{n+1}$ is the function mapping $Z$ to $f(f^n(Z))$ and $f^1$ is $f$; for example, $f^3$ is the function mapping $Z$ to $f(f(f(Z)))$.

For complicated functions on infinite sets, the above unions and intersections may have to range over more than just the natural numbers and are then not directly useful in an algorithm.
But model checking is typically done when the computation structure is finite.
In that case, the union and intersection only need to range over finitely many $n$.
Every additional iterate $f^n(\emptyset)$ either contributes a new state that was not in the union yet, or it does not; in the latter case, since nothing changed, the next iterate $f^{n+1}(\emptyset)$ cannot contribute anything new either.
Since there are only finitely many different states in the finite state set $W$ of a finite computation structure, new states can be found only finitely often, so the computation terminates.
The argument for the intersection is analogous.

\subsection{The algorithm}

The following lemma exploits the fact that every state has a successor in computation structures, so some next state is always defined.

\begin{lemma}[Next remainders]
\label{lem:expansion}
The following are sound axioms for the computation structures of CTL:

\begin{calculus}
%\cinferenceRule[allbox|AG]{}
%{\allpath{\tbox{\ausfml}} \lbisubjunct \ausfml \land \allpath{\tnext{\allpath{\tbox{\ausfml}}}}}
%{}
\cinferenceRule[somebox|EG]{}
{\somepath{\tbox{\ausfml}} \lbisubjunct \ausfml \land \somepath{\tnext{\somepath{\tbox{\ausfml}}}}}
{}
\cinferenceRule[somedia|EF]{}
{\somepath{\tdiamond{\ausfml}} \lbisubjunct \ausfml \lor \somepath{\tnext{\somepath{\tdiamond{\ausfml}}}}}
{}
\cinferenceRule[someuntil|EU]{}
{\somepath{\tuntil{\ausfml}{\busfml}} \lbisubjunct \busfml \,\lor\, \ausfml\land \somepath{\tnext{\somepath{\tuntil{\ausfml}{\busfml}}}}}
{}
\cinferenceRule[alluntil|AU]{}
{\allpath{\tuntil{\ausfml}{\busfml}} \lbisubjunct \busfml \,\lor\, \ausfml\land \allpath{\tnext{\allpath{\tuntil{\ausfml}{\busfml}}}}}
{}
\end{calculus}
\end{lemma}

To compute the set of states that satisfy a CTL formula $\phi$, we apply the expansion laws in Lemma~\ref{lem:expansion} directly to the set of states that satisfy subformulas of $\phi$. 
Whenever the expansion results in the same formula being on both the left and right side of an equality, the algorithm computes a fixpoint.
The main question that remains is for which cases we should use least or greatest fixpoints.
The proof of Theorem~\ref{thm:CTL-MC} sorts this matter out. 

\begin{theorem}[CTL model checking] \label{thm:CTL-MC}
  In computation structures, the set $\model{\phi}$ of all states that satisfy CTL formula $\phi$ satisfies the following equations:
\begin{enumerate}
\item \(\ctmodel{p} = \{s\in W \with v(s)(p)=\mtrue\}\) for atomic propositions $p$

\item \(\ctmodel{\lnot\ausfml} = W \setminus \ctmodel{\ausfml}\)

\item \(\ctmodel{\ausfml\land\busfml} = \ctmodel{\ausfml} \cap \ctmodel{\busfml}\)

\item \(\ctmodel{\ausfml\lor\busfml} = \ctmodel{\ausfml} \cup \ctmodel{\busfml}\)

\item \label{case:comput-somenext}
\(\ctmodel{\somepath{\tnext{\ausfml}}} = \somenextop{\ctmodel{\ausfml}}\)
using the existential successor function $\somenextop{}$ defined as follows:
\[
\somenextop{Z} \mdefeq \{s\in W \with t\in Z ~\text{for some state}~t~\text{with}~ s\stepto t\}
\]

\item \label{case:comput-allnext}
\(\ctmodel{\allpath{\tnext{\ausfml}}} = \allnextop{\ctmodel{\ausfml}}\)
using the universal successor function $\allnextop{}$ defined as follows:
\[
\allnextop{Z} \mdefeq \{s\in W \with t\in Z ~\text{for all states}~t~\text{with}~ s\stepto t\}
\]

\item \(\ctmodel{\somepath{\tdiamond{\ausfml}}} = \lfp{Z}{(\ctmodel{\ausfml} \cup \somenextop{Z})}\)
where $\lfp{Z}{f(Z)}$ denotes the least fixpoint $Z$ of the operation $f(Z)$, that is, the smallest set of states satisfying $Z=f(Z)$.

\item \(\ctmodel{\somepath{\tbox{\ausfml}}} = \gfp{Z}{(\ctmodel{\ausfml} \cap \somenextop{Z})}\)
where $\gfp{Z}{f(Z)}$ denotes the greatest fixpoint $Z$ of the operation $f(Z)$, that is, the largest set of states satisfying $Z=f(Z)$.

\item \(\ctmodel{\allpath{\tdiamond{\ausfml}}} = \lfp{Z}{(\ctmodel{\ausfml} \cup \allnextop{Z})}\)

\item \(\ctmodel{\allpath{\tbox{\ausfml}}} = \gfp{Z}{(\ctmodel{\ausfml} \cap \allnextop{Z})}\)

\item \(\ctmodel{\somepath{\tuntil{\ausfml}{\busfml}}} = \lfp{Z}{\big(\ctmodel{\busfml} \cup (\ctmodel{\ausfml}\cap \somenextop{Z})\big)}\)

\item \(\ctmodel{\allpath{\tuntil{\ausfml}{\busfml}}} = \lfp{Z}{\big(\ctmodel{\busfml} \cup (\ctmodel{\ausfml}\cap \allnextop{Z})\big)}\)
\end{enumerate}
\end{theorem}
The correctness argument for the verification algorithm uses the axioms \irref{somedia+someuntil} together with the insight that the respective set of states that they characterize is the \emph{smallest} set satisfying the respective equivalence.
The largest set for $\somepath{\tdiamond{\ausfml}}$ satisfying the equivalence in \irref{somedia} would simply be the entire set of states, which is futile.
Likewise, the smallest set of states for $\somepath{\tbox{\ausfml}}$ satisfying the equivalence in \irref{somebox} would simply be the empty set of states, since every state has a successor in a computation structure.


\begin{proof}[Proof of \rref{thm:CTL-MC}]
The proof is \emph{not} by induction on the number of states or on the formula because the resulting formulas are not any easier than the original formulas.
Instead, it handles each equation separately.
While the proof was left as an exercise originally \cite{DBLP:conf/popl/ClarkeES83}, some cases are already proved in \cite{ClarkeGrumberg_MC_1999}, some more in \cite{BaierKL08}, and a much more comprehensive proof including the nontrivial case \(\allpath{\tuntil{\ausfml}{\busfml}}\) that uses K\"onig's lemma is in \cite{Schmitt_2003}.

The first cases immediately follow the semantics of atomic propositions, propositional operators, and $\somepath{\tnext{}}$.
The remaining cases separately argue that the solution is a fixpoint and then that it is the largest or smallest, as indicated by Theorem~\ref{thm:CTL-MC}.
\begin{enumerate}
\addtocounter{enumi}{5}
\item By axiom \irref{somedia} and \rref{case:comput-somenext}, the formula \(\somepath{\tdiamond{\ausfml}}\) satisfies the indicated fixpoint equation:
\[\ctmodel{\somepath{\tdiamond{\ausfml}}} =
\ctmodel{\ausfml \lor \somepath{\tnext{\somepath{\tdiamond{\ausfml}}}}}
= \ctmodel{\ausfml} \cup \somenextop{\ctmodel{\somepath{\tdiamond{\ausfml}}}}\]
Showing that it is the least fixpoint is left as an exercise.

\item By axiom \irref{somebox} and \rref{case:comput-somenext}, the formula \(\somepath{\tbox{\ausfml}}\) satisfies the fixpoint equation:
\[\ctmodel{\somepath{\tbox{\ausfml}}} =
\ctmodel{\ausfml \land \somepath{\tnext{\somepath{\tbox{\ausfml}}}}}
= \ctmodel{\ausfml} \cap \somenextop{\ctmodel{\somepath{\tbox{\ausfml}}}}\]
In order to show that \(\ctmodel{\somepath{\tbox{\ausfml}}}\) is the greatest fixpoint, consider another fixpoint \(H=\ctmodel{\ausfml} \cap \somenextop{H}\) and show that \(H\subseteq\ctmodel{\somepath{\tbox{\ausfml}}}\) 
by considering any state $s_0\in H$ and showing that \(s_0\in\ctmodel{\somepath{\tbox{\ausfml}}}\).
Since \(H\subseteq\ctmodel{\ausfml}\), it is enough to show that there is a path $s_0,s_1,s_2,\dots$ such that \(s_n \in H\) for all $n$, which implies \(s_n \models \ausfml\); we construct it by induction on $n$.
\begin{enumerate}
\item[n=0:]
The base case follows from \(s_0 \in H\).
\item[n+1:]
By induction hypothesis $s_n\in H$.
Thus, \(s_n \in H=\ctmodel{\ausfml} \cap \somenextop{H}\), so there is a state $s_{n+1}$ with $s_n\stepto s_{n+1}$ and $s_{n+1}\in H$.
\end{enumerate}


\item By axiom \irref{someuntil} and \rref{case:comput-somenext}, the formula \(\somepath{\tuntil{\ausfml}{\busfml}}\) satisfies the fixpoint equation:
\[\ctmodel{\somepath{\tuntil{\ausfml}{\busfml}}} =
\ctmodel{\busfml \,\lor\, \ausfml \land \somepath{\tnext{\somepath{\tuntil{\ausfml}{\busfml}}}}}
= \ctmodel{\busfml} \,\cup\, \ctmodel{\ausfml} \cap \somenextop{\ctmodel{\somepath{\tuntil{\ausfml}{\busfml}}}}\]
In order to show that \(\ctmodel{\somepath{\tuntil{\ausfml}{\busfml}}}\) is also the least fixpoint, consider another fixpoint
\(H=\ctmodel{\busfml} \,\cup\, \ctmodel{\ausfml} \cap \somenextop{H}\)
and show that \(\ctmodel{\somepath{\tuntil{\ausfml}{\busfml}}} \subseteq H\).
So consider any \(s_0 \in \ctmodel{\somepath{\tuntil{\ausfml}{\busfml}}}\) and show that \(s_0\in H\).
By \(s_0 \in \ctmodel{\somepath{\tuntil{\ausfml}{\busfml}}}\), there is a path $s_0,s_1,s_2,\dots$ and an $n$ such that
\(s_n \models \busfml\)
and \(s_j \models \ausfml\) for all $0\leq j<n$.
We prove that $s_i \in H$ for all $0 \le i \le n$ by backwards induction on $i$.
\begin{enumerate}
\item[$i=n$:]
The base case where $i=n$ follows from \(s_n \in \ctmodel{\busfml} \subseteq \ctmodel{\busfml} \,\cup\, \ctmodel{\ausfml} \cap \somenextop{H}=H\).

\item[$i-1$:]
By induction hypothesis, \(s_i\in H\) for some $0<i\leq n$.
In order to show that \(s_{i-1}\in H = \ctmodel{\busfml} \,\cup\, \ctmodel{\ausfml} \cap \somenextop{H}\),
we use that \(s_{i-1} \models \ausfml\) (because $i-1<n$) and that $s_{i-1}$ has the successor $s_i \in H$.
Thus,
\(s_{i-1}\in \ctmodel{\ausfml} \cap \somenextop{H} \subseteq H\).
\end{enumerate}
This induction ends at $s_0$, as there are no more predecessors in the path $s_0, s_1, \ldots$ to consider, leaving us with $s_0 \in H$.


\item By axiom \irref{alluntil} and \rref{case:comput-allnext}, the formula \(\allpath{\tuntil{\ausfml}{\busfml}}\) satisfies the fixpoint equation:
\[\ctmodel{\allpath{\tuntil{\ausfml}{\busfml}}} =
\ctmodel{\busfml \,\lor\, \ausfml \land \allpath{\tnext{\allpath{\tuntil{\ausfml}{\busfml}}}}}
= \ctmodel{\busfml} \,\cup\, \ctmodel{\ausfml} \cap \allnextop{\ctmodel{\allpath{\tuntil{\ausfml}{\busfml}}}}\]
In order to show that \(\ctmodel{\allpath{\tuntil{\ausfml}{\busfml}}}\) is also the least fixpoint, consider another fixpoint
\(H=\ctmodel{\busfml} \,\cup\, \ctmodel{\ausfml} \cap \allnextop{H}\)
and show that \(\ctmodel{\allpath{\tuntil{\ausfml}{\busfml}}} \subseteq H\).
So consider any \(s_0 \in \ctmodel{\allpath{\tuntil{\ausfml}{\busfml}}}\) and show that \(s_0\in H\).
By \(s_0 \in \ctmodel{\allpath{\tuntil{\ausfml}{\busfml}}}\), all paths $s^i_0,s^i_1,s^i_2,\dots$ starting in $s^i_0=s_0$ have an $n_i$ such that
\(s^i_{n_i} \models \busfml\)
and \(s^i_j \models \ausfml\) for all $0\leq j<n_i$.
Could there be infinitely many such paths?

%\clearpage

Only the prefix of a path up to $n_i$ matters (because no statement is made beyond $n_i$).
Each such prefix is finite, because the strong until requires $\busfml$ to eventually happen and cannot be postponed forever.
Without loss of generality, $n_i$ can be taken to be the smallest such index on each path, so that \(s^i_j\not\models\busfml\) for all $0\leq j<n_i$.
That only finitely many such prefixes exist can be shown as follows.
The prefixes form a tree rooted at $s_0$ that is finitely branching, because each state has at most $|W|$ successors and $W$ is finite, and that has no infinite path, because every path reaches $\busfml$ at its $n_i$.
By K\"onig's lemma\footnote{
K\"onig's lemma says: every infinite tree has an infinite path or a node with infinitely many branches.},
such a tree is finite, so there are only finitely many prefixes up to the respective $n_i$.
For example, there can only be finitely many paths of length, say, $n_i=10$ in a finite Kripke structure.

Consequently, since there are only finitely many such paths, their maximum $n_i$ is a finite natural number $n\in\naturals$ as well (whereas the supremum of infinitely many finite numbers can be infinite).
We prove that $s_0 \in H$ by backwards induction similar to the previous case, showing for $j=n,n-1,\dots,0$ that \(s^i_j\in H\) for every path $i$ with $j\leq n_i$; for $j=0$ this yields $s_0\in H$.
\begin{enumerate}
\item[$j=n$:]
Since $n$ is the maximum of the $n_i$, every path $i$ with $n\leq n_i$ has $n_i=n$, so the base case follows from \(s^i_n \in \ctmodel{\busfml} \subseteq \ctmodel{\busfml} \,\cup\, \ctmodel{\ausfml} \cap \allnextop{H}=H\).

\item[$j-1$:]
By induction hypothesis, \(s^i_{j}\in H\) for all of the \emph{finitely many(!)} paths $i$ with $j\leq n_i$.
Consider a path $i$ with $j-1\leq n_i$.
If $j-1=n_i$, then \(s^i_{j-1}\models\busfml\) and \(s^i_{j-1}\in H\) as in the base case.
Otherwise $j-1<n_i$, so \(s^i_{j-1} \models \ausfml\) and \(s^i_{j-1}\not\models\busfml\).
Every successor $t$ of $s^i_{j-1}$ is the state \(s^{i'}_j=t\) of some path $i'$ that agrees with path $i$ up to position $j-1$; since none of the states up to that position satisfies $\busfml$, the smallest $n_{i'}$ satisfies $j\leq n_{i'}$, so \(t\in H\) by induction hypothesis.
As $i'$ ranges over \emph{all} successors of $s^i_{j-1}$, this shows
\(s^i_{j-1}\in \ctmodel{\ausfml} \cap \allnextop{H} \subseteq H\).
\end{enumerate}
Note that this correctness proof crucially depends on the until condition $\busfml$ eventually happening, so each of the paths is actually finite.
The proof does not work for the weak until, which also holds when $\busfml$ never becomes true, provided $\ausfml$ holds forever.
\qedhere
\end{enumerate}
\end{proof}

Since the successor function can be computed by checking off the corresponding states along the computation structure, the only remaining question is how the least and greatest fixpoints can be computed.
Note that all the functions in \rref{thm:CTL-MC} are monotone, in the sense that if their parts are true in more states then the expressions themselves are true in more states, too.

\begin{theorem}[Complexity]
  The CTL model checking problem is linear in the size of the state space \(K=(W,\stepto,v)\) and in the size of the formula $\phi$ in the sense that it is in \(O(|K| \cdot |\phi|)\)
  where \(|K| = |W| + |{\stepto}|\).
\end{theorem}


\section{Example: Mutual Exclusion}

Recall the mutual exclusion example introduced in the previous lecture.

The states in the following transition diagram are labelled by pairs of letters such as $nt$, meaning that the first process is in its noncritical section while the second process is trying to enter its critical section:
\begin{tabular}{ll}
  n & noncritical section of an abstract process\\
  t & trying to enter critical section of an abstract process\\
  c & critical section of an abstract process
\end{tabular}
\\
These atomic propositional letters carry suffix $1$ to indicate that they apply to process 1 and suffix $2$ to indicate process 2.
For example, the notation $nt$ indicates a state in which \(n_1 \land t_2\) is true (and no other propositional letters).
Consider the following Kripke structure:

%MUTEX
\begin{center}
\begin{tikzpicture}[thick,->,> =stealth,
   every node/.style={draw,black,circle,fill=blue!10,minimum width=12pt},
   every label/.style={draw=none,fill=none,text=red!140},
   level 1/.style={sibling distance=30mm},
   level 2/.style={sibling distance=20mm},
   level 3/.style={sibling angle=-30}]
  \node[label=above right:0] (m) {nn}
  child {
    node[label=above:1] {tn}
    child { node[label=left:2] {cn} child[missing] {node{}} child {node[label=below:4] {ct}} }
    child { node[label=below:3] {tt} }
  }
  child {
    node[label=above:5] {nt}
    child { node[label=below:6] {tt} child[missing] {node{}}  child {node[label=below:8] {tc}}  }
    child { node[label=below:7] {nc} }
  };
  \draw[<-] (m) -- +(90:1);
  \draw (m-1-2) -- (m-1-1-2);
  \draw (m-2-2) -- (m-2-1-2);
  \draw (m-1-1) to[bend left=40] (m);
  \draw (m-2-2) to[bend right=40] (m);
  \draw (m-1-1-2) to[bend left=40] (m-2);
  \draw (m-2-1-2) to[bend right=40] (m-1);
\end{tikzpicture}
\end{center}

\begin{enumerate}
  \item Safety: \(\lnot\somepath{\tdiamond{(c_1\land c_2)}}\) is trivially true since there is no state labelled $cc$.
  \item Liveness: \(\allpath{\tbox{(t_1 \limply \allpath{\tdiamond{c_1}})}} \land \allpath{\tbox{(t_2 \limply \allpath{\tdiamond{c_2}})}}\)
\end{enumerate}

Checking \(1 \models t_1 \limply \allpath{\tdiamond{c_1}}\), or equivalently \(1 \models \lnot t_1 \lor \allpath{\tdiamond{c_1}}\), first computes the subformulas.
\begin{align*}
  \ctmodel{t_1} &= \{1,3,6,8\}\\
  \ctmodel{c_1} &= \{2,4\}\\
  \ctmodel{\lnot t_1} &= \{0,2,4,5,7\}\\
  \ctmodel{\allpath{\tdiamond{c_1}}} &= \lfp{Z}{(\ctmodel{c_1} \cup \allnextop{Z})} =: \lfp{Z}{f(Z)}\\
  & \quad f^1(\emptyset) = \ctmodel{c_1} &&= \{2,4\}\\
  & \quad f^2(\emptyset) = \ctmodel{c_1} \cup \allnextop{\{2,4\}} &&= \{1,2,3,4\}\\
  & \quad f^3(\emptyset) = \ctmodel{c_1} \cup \allnextop{\{1,2,3,4\}} &&= \{1,2,3,4,8\}\\
  & \quad f^4(\emptyset) = \ctmodel{c_1} \cup \allnextop{\{1,2,3,4,8\}} &&= \{1,2,3,4,6,8\}\\
  & \quad f^5(\emptyset) = \ctmodel{c_1} \cup \allnextop{\{1,2,3,4,6,8\}} &&= \{1,2,3,4,6,8\}= f^4(\emptyset)\\
    \ctmodel{\allpath{\tdiamond{c_1}}} &= \{1,2,3,4,6,8\}\\
    \ctmodel{\lnot t_1 \lor \allpath{\tdiamond{c_1}}} &= \{0,1,2,3,4,5,6,7,8\}
\end{align*}
Since \(1 \in \ctmodel{\lnot t_1 \lor \allpath{\tdiamond{c_1}}}\), CTL model checking confirms
\(1 \models \lnot t_1 \lor \allpath{\tdiamond{c_1}}\).
Since \(\ctmodel{\lnot t_1 \lor \allpath{\tdiamond{c_1}}}\) equals the set of all states, the greatest fixpoint iteration for $\allpath{\tbox{}}$ stays at the full state set, so model checking also finds
\(0 \in \ctmodel{\allpath{\tbox{(\lnot t_1 \lor \allpath{\tdiamond{c_1}})}}}\).
Consequently, it confirms that the initial state 0 satisfies
\(0 \models \allpath{\tbox{(\lnot t_1 \lor \allpath{\tdiamond{c_1}})}}\).
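The algorithm of Theorem~\ref{thm:CTL-MC}, run on this mutual exclusion structure, as an added example in Python that is not part of the lecture notes or of any course tool: it implements the successor functions $\somenextop{}$ and $\allnextop{}$, the finite Knaster-Tarski iteration argued for after Theorem~\ref{thm:tarski}, and the recursive computation of $\model{\phi}$ for every CTL operator. The transition relation and labelling are our transcription of the diagram above, and the tuple encoding of formulas is our own choice; the block records each iterate of $\model{\allpath{\tdiamond{c_1}}}$ so the hand computation above can be re-traced step by step, and checks the safety and liveness properties at the initial state 0.

```python
# Added example (not from the lecture notes): CTL model checking by fixpoint
# iteration on the mutual-exclusion Kripke structure. Formulas are nested
# tuples (our own encoding): ("p", name), ("not", f), ("and", f, g),
# ("or", f, g), ("EX", f), ("AX", f), ("EF", f), ("EG", f), ("AF", f),
# ("AG", f), ("EU", f, g), ("AU", f, g).

# Constructed transcription of the diagram: state -> set of successor states.
STEP = {0: {1, 5}, 1: {2, 3}, 2: {0, 4}, 3: {4}, 4: {5},
        5: {6, 7}, 6: {8}, 7: {0, 8}, 8: {1}}
# Labelling v: state -> atomic propositions true in it (nn, tn, cn, ...).
LABEL = {0: {"n1", "n2"}, 1: {"t1", "n2"}, 2: {"c1", "n2"}, 3: {"t1", "t2"},
         4: {"c1", "t2"}, 5: {"n1", "t2"}, 6: {"t1", "t2"}, 7: {"n1", "c2"},
         8: {"t1", "c2"}}
W = frozenset(STEP)

def ex(z):
    """tau_EX(Z): states with SOME successor in Z."""
    return {s for s in W if STEP[s] & z}

def ax(z):
    """tau_AX(Z): states whose successors ALL lie in Z (every state has one)."""
    return {s for s in W if STEP[s] <= z}

def fixpoint(f, start, trace=None):
    """Knaster-Tarski iteration of monotone f: start from the empty set for the
    least fixpoint, from W for the greatest; stops once f^(n+1) = f^n."""
    z = set(start)
    while True:
        nxt = f(z)
        if trace is not None:          # optionally record each iterate f^n(start)
            trace.append(frozenset(nxt))
        if nxt == z:
            return z
        z = nxt

def sat(phi, trace=None):
    """[[phi]]: the set of states satisfying phi, by the theorem's equations."""
    op, args = phi[0], phi[1:]
    if op == "p":
        return {s for s in W if args[0] in LABEL[s]}
    if op == "not":
        return set(W) - sat(args[0])
    if op == "and":
        return sat(args[0]) & sat(args[1])
    if op == "or":
        return sat(args[0]) | sat(args[1])
    if op in ("EX", "AX"):
        return (ex if op == "EX" else ax)(sat(args[0]))
    tau = ex if op in ("EF", "EG", "EU") else ax   # existential or universal successor
    a = sat(args[0])
    if op in ("EF", "AF"):   # least fixpoint of [[a]] ∪ tau(Z)
        return fixpoint(lambda z: a | tau(z), set(), trace)
    if op in ("EG", "AG"):   # greatest fixpoint of [[a]] ∩ tau(Z)
        return fixpoint(lambda z: a & tau(z), W)
    b = sat(args[1])         # EU, AU: least fixpoint of [[b]] ∪ ([[a]] ∩ tau(Z))
    return fixpoint(lambda z: b | (a & tau(z)), set(), trace)

def af_c1_iterates():
    """The iterates f^n(∅) for [[AF c1]], to compare with the hand computation."""
    trace = []
    sat(("AF", ("p", "c1")), trace)
    return [set(t) for t in trace]

def check_mutex():
    """Safety ¬EF(c1 ∧ c2) and liveness AG(t1 → AF c1) ∧ AG(t2 → AF c2) at state 0."""
    safety = ("not", ("EF", ("and", ("p", "c1"), ("p", "c2"))))
    def live(t, c):
        return ("AG", ("or", ("not", ("p", t)), ("AF", ("p", c))))
    liveness = ("and", live("t1", "c1"), live("t2", "c2"))
    return 0 in sat(safety), 0 in sat(liveness)
```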

%% Matt's example
%\begin{tikzpicture}
%[
%  shorten >=1pt,
%  node distance=2.5cm,
%  on grid,
%  auto,
%  /tikz/initial text={},
%  font=\footnotesize
%] 
% \node[state,circle,align=center] (s0) {$s_0$};
% \node[state,circle,align=center] (s2) [below=of s0] {$s_2$};
% \node[state,initial,circle,align=center] (s1) [right=5cm of s2] {$s_1$};
% \node[state,circle,align=center] (s3) [above=of s1] {$s_3$};
% \node[state,circle,align=center] (s5) [right=of s1,yshift=1.25cm] {$s_5$};
% \node[state,circle,align=center] (s7) [above=of s5] {$s_7$};
% \node[state,circle,align=center] (s6) [left=5cm of s7] {$s_6$};
% \node[state,circle,align=center] (s4) [below=of s6] {$s_4$};
%
% \node[draw=none] (dummy) [below=3em of s1] {};
% 
% \path[->] 
%  (s0) edge[bend right] (s2)
%  (s2) edge[bend right] (s0)
%  (s2) edge (s1)
%  (s4) edge (s0)
%  (s4) edge (s1)
%  (s1) edge (s3)
%  (s6) edge (s4)
%  (s7) edge (s6)
%  (s7) edge (s3)
%  (s5) edge (s7)
%  (s5) edge (s1)
%  (s3) edge (s0)
%  (dummy) edge (s1);
%
% \node[draw=none,align=center] (s0p) [left=3em of s0] {$\{a,b,c\}$};
% \node[draw=none,align=center] (s2p) [left=3em of s2] {$\{b,c\}$};
% \node[draw=none,align=center] (s1p) [right=3em of s1] {$\{a,b\}$};
% \node[draw=none,align=center] (s5p) [right=3em of s5] {$\{a,c\}$};
% \node[draw=none,align=center] (s3p) [right=2.5em of s3] {$\{a\}$};
% \node[draw=none,align=center] (s4p) [right=2.5em of s4] {$\{b\}$};
% \node[draw=none,align=center] (s6p) [above=2em of s6] {$\{c\}$};
% \node[draw=none,align=center] (s7p) [above=2em of s7] {$\varnothing$};
%\end{tikzpicture}

\bibliography{platzer,bibliography}
\end{document}