CTL Model-Checking over Logics with Non-Classical Negations

Marsha Chechik
Department of Computer Science
University of Toronto
Toronto, ON, Canada M5S 2E4
chechik@cs.toronto.edu

Wendy MacCaull
Department of Mathematics, Statistics and Computer Science
St. Francis Xavier University
Antigonish, NS, Canada B2G 2W5
wmaccaul@stfx.ca

Abstract

In earlier work [9], we defined CTL model-checking over finite-valued logics with De Morgan negation. In this paper, we extend this work to logics with intuitionistic, Galois and minimal negations, calling the resulting language CTL. We define CTL operators and show that they can be computed using fixpoints. We further discuss how to extend our existing multi-valued model-checker Chek [8] to reasoning over these logics.

1 Introduction

Logics with non-classical negation have a number of applications in modeling and reasoning about systems. For example, intuitionistic logic can be used for program analysis and optimization [2] and for investigating safety properties of behaviours of reactive systems [1]. Such logics provide a setting for the study of composition and refinement rules, and a framework for the use of modular specification methods. Further, De Morgan logics with a finite number of elements can be used for aggregating information coming from different sources [14], for reasoning about partial systems [5, 16], for compiler optimization [24], and for query-checking [15].

In [6, 7], Chechik et al. introduced model-checking over quasi-boolean logics. They built Chek [8] – a multi-valued symbolic model-checker which generalizes an existing symbolic model-checking algorithm to allow reasoning over a multi-valued extension of CTL ( CTL). Given a system expressed as a Kripke structure – a multi-valued extension of a classical Kripke structure – and a CTL property, Chek returns the degree to which the system satisfies the property.
The original work considered those logics where the truth values form a finite quasi-boolean distributive lattice and the conjunction and disjunction are interpreted as the meet and join operations, respectively, of the lattice. Further, the negation in this logic was De Morgan, ensuring the preservation of involution of negation ( ) and De Morgan laws.

In this paper, we extend CTL model-checking to reasoning over other logics with non-classical negation, in particular, intuitionistic, minimal and Galois. Such logics are often used for specification and reasoning, and our plan is to develop an automatic verification procedure for cases when the number of truth values is finite. The goals of this paper are: (1) to define CTL operators directly; (2) to establish relationships between them; and (3) to ensure that these operations can be computed using fixpoint operations. Our results allow us to extend Chek to reasoning over these logics. Further, this work sets the stage for model-checking over various other non-classical logics.

The rest of this paper is organized as follows: Section 2 gives a short introduction to classical CTL model-checking. Section 3 defines the non-classical logics used in this paper. Section 4 formally defines Kripke structures and CTL operators and studies their properties. The main result of this paper is given in Section 5, where we show that our definitions of CTL operators satisfy classical fixpoint formulations of their CTL counterparts and discuss adequate sets for CTL. We conclude in Section 6 with a summary of the paper and directions for future work.

2 Classical CTL Model-Checking

In this section, we give a brief overview of classical CTL model checking. CTL model-checking is an automatic technique for verifying properties expressed in a propositional branching-time temporal logic called Computation Tree Logic (CTL) [11].
The language of CTL is the language of propositional logic augmented with unary temporal operators , , , , , and , and binary temporal operators and :

1. Constants TRUE and FALSE are CTL formulas.
2. Every propositional variable is a CTL formula.
3. If and are CTL formulas, then so are , , , , , , , , , , .
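
The introduction states that De Morgan negation preserves involution and the De Morgan laws, and that the paper extends the framework to intuitionistic negation. The following Python code is an added example, not taken from the paper or from the Chek tool: it checks which laws each negation satisfies on a constructed three-valued chain F < M < T. It assumes conjunction and disjunction are meet and join, as in the introduction, and takes intuitionistic negation to be the lattice pseudo-complement (the standard Heyting-algebra reading, assumed here because the paper's own definitions are in its Section 3); all names are hypothetical.

```python
from itertools import product

class Lattice:
    """Finite lattice given by its elements and order relation (constructed example)."""
    def __init__(self, elems, leq):
        self.elems, self.leq = list(elems), leq
        self.bot = next(b for b in self.elems if all(leq(b, x) for x in self.elems))
        self.top = next(t for t in self.elems if all(leq(x, t) for x in self.elems))

    def meet(self, a, b):  # greatest lower bound, interprets conjunction
        lbs = [x for x in self.elems if self.leq(x, a) and self.leq(x, b)]
        return next(m for m in lbs if all(self.leq(x, m) for x in lbs))

    def join(self, a, b):  # least upper bound, interprets disjunction
        ubs = [x for x in self.elems if self.leq(a, x) and self.leq(b, x)]
        return next(j for j in ubs if all(self.leq(j, x) for x in ubs))

    def pseudo_complement(self, a):
        """Assumed intuitionistic negation: the largest x with meet(a, x) == bottom."""
        cands = [x for x in self.elems if self.meet(a, x) == self.bot]
        return next(c for c in cands if all(self.leq(x, c) for x in cands))

def check_negation(lat, neg):
    """Report which negation laws hold for `neg` over every element of `lat`."""
    pairs = list(product(lat.elems, lat.elems))
    return {
        "involution": all(neg(neg(a)) == a for a in lat.elems),
        "de_morgan_and": all(neg(lat.meet(a, b)) == lat.join(neg(a), neg(b)) for a, b in pairs),
        "de_morgan_or": all(neg(lat.join(a, b)) == lat.meet(neg(a), neg(b)) for a, b in pairs),
        "excluded_middle": all(lat.join(a, neg(a)) == lat.top for a in lat.elems),
        "non_contradiction": all(lat.meet(a, neg(a)) == lat.bot for a in lat.elems),
    }

# Constructed 3-valued chain F < M < T, where M stands for "maybe".
CHAIN3 = Lattice(["F", "M", "T"], lambda a, b: "FMT".index(a) <= "FMT".index(b))
DE_MORGAN = {"F": "T", "M": "M", "T": "F"}.get  # order-reversing involution

def report():
    return {"de_morgan": check_negation(CHAIN3, DE_MORGAN),
            "intuitionistic": check_negation(CHAIN3, CHAIN3.pseudo_complement)}

if __name__ == "__main__":
    for name, laws in report().items():
        print(name, laws)
```

On this chain the De Morgan negation is involutive but satisfies neither excluded middle nor non-contradiction, while the pseudo-complement satisfies non-contradiction but loses involution.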