starMC: an automata based CTL* model checker

Model-checking of temporal logic formulae is a widely used technique for the verification of systems. CTL \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{upgreek} \usepackage{mathrsfs} \setlength{\oddsidemargin}{-69pt} \begin{document} }{}$^*$\end{document}∗ is a temporal logic that allows to consider an intermix of both branching behaviours (like in CTL) and linear behaviours (LTL), overcoming the limitations of LTL (that cannot express “possibility”) and CTL (cannot fully express fairness). Nevertheless CTL \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{upgreek} \usepackage{mathrsfs} \setlength{\oddsidemargin}{-69pt} \begin{document} }{}$^*$\end{document}∗ model-checkers are uncommon. This paper presents (1) the algorithms for a fully symbolic automata-based approach for CTL \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{upgreek} \usepackage{mathrsfs} \setlength{\oddsidemargin}{-69pt} \begin{document} }{}$^*$\end{document}∗, and (2) their implementation in the open-source tool starMC, a CTL \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{upgreek} \usepackage{mathrsfs} \setlength{\oddsidemargin}{-69pt} \begin{document} }{}$^*$\end{document}∗ model checker for systems specified as Petri nets. Testing has been conducted on thousands of formulas over almost a hundred models. The experiments show that the fully symbolic automata-based approach of starMC can compute the set of states that satisfy a CTL \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{upgreek} \usepackage{mathrsfs} \setlength{\oddsidemargin}{-69pt} \begin{document} }{}$^*$\end{document}∗ formula for very large models (non trivial formulas for state spaces larger than 10480 states are evaluated in less than a minute).


INTRODUCTION
Temporal logics like LTL (Pnueli, 1977), for linear behaviour, and CTL (Clarke & Emerson, 1981), for branching behaviour, have been successfully used to specify sequential and concurrent systems, and have been widely adopted in many industrial contexts: see, e.g. (Eisner & Fisman, 2016) or the success stories of the model checkers SPIN (Holzmann, 2004) and nuSMV (Cavada et al., 2014). Although LTL and CTL model-checking procedures are known to be quite expensive, since they incur in the so-called "state-space explosion" problem, the use of techniques based on decision diagrams allows, in many cases, to solve industrial-size systems (Burch et al., 1992). In this paper we use "symbolic" to refer to any technique based on some form of decision diagram.
CTL Ã (Emerson & Halpern, 1983) is a temporal logic that allows to express linear and branching behaviours in a single property. CTL Ã allows to go beyond the linear/ branching dichotomy (or LTL/CTL), and it is considered a powerful specification language for discrete events dynamic systems. CTL Ã is known to be strictly more expressive than CTL and LTL. Rozier, in her 2011 survey (Rozier, 2011). Considers CTL Ã as an adequate logic to overcome LTL and CTL limitations, and in that survey she observes that "the lack of industrial model-checking tools that accept CTL Ã specifications is a deterrent to the use of this logic" (Rozier, 2011, p.175, end of Sec. 3.2.3), and indeed the situation has not changed much since then. CTL Ã properties are of practical interest, and CTL Ã model checking has been extensively studied in the past. However, as pointed out in Amparore, Donatelli & Gallà (2020b), very few CTL Ã model checkers exist today, despite its usefulness in specifying both recurrent behaviours and possibility in the same property (something happening infinitely often and for all behaviour, a certain event/state is reachable), or to explicitly express fairness constraints. LTL can express both fairness constraints and recurrent behaviours, but this is not possible in CTL. Instead, CTL can express possibility, which is not possible in LTL.
There are different ways of verifying CTL Ã properties: with an ad-hoc model-checker based on the identification and verification of LTL sub-formulae (Emerson & Lei, 1987); or through a translation from CTL Ã to μ-calculus (Kozen, 1983), as defined in Dam (1990Dam ( , 1994 and revised in Cranen, Groote & Reniers (2011). μ-calculus is indeed known to subsume CTL Ã , but translated formula may be unintuitive to understand, and the translation could lead to an exponential growth of the expression terms.
The Petri net (or PN for short) is a formalism well-suited for the description and the analysis of Discrete Events Dynamic System (DEDS). They have been successfully used in a large variety of application fields, including industrial production (Zurawski & Zhou, 1995;van der Aalst, 1994), business workflow (Aalst, 1998), digital circuits synthesis and analysis (Kondratyev et al., 1998) and system biology (Koch, 2019). This success is mainly due to the particular mixture of ease of specification and good support for the analysis. Analysis techniques can prove properties using only the structure of the PN, or its state space (which is typically exponential in the size of the structure and of its initial state).
The model checking of temporal properties for Petri nets is supported by numerous tools (Kordon et al., 2019). In the last decade the model checking of PN has seen a boost in interest, possibly motivated by the lively Model Checking Competition (MCC) (Kordon et al., 2019) and advances in DD-based implementation of state space exploration based on saturation (Ciardo, Lüttgen & Siminiceanu, 2001).
The contribution of this paper is to clearly identify the algorithms and the steps of a fully symbolic procedure for computing the sat-set of a CTL Ã formula (the set of states of a given model that satisfy the formula). The implementation of such a procedure for systems specified as Petri nets results in starMC, a tool that computes the sat-set of a CTL Ã formula using a Büchi-based model checking algorithm. Given a CTL Ã formula, the algorithm identifies the LTL sub-formulae of maximal length and uses the Spot library (Duret-Lutz, 2014;Duret-Lutz et al., 2016) to translate each of them into a Büchi automaton. The sat-set of each LTL sub-formula is then built from the sat-set of the E fair G(true) on the synchronized product of the model state space and the generated automaton. States, transitions among states, and the synchronized products are all encoded as Decision Diagrams, using the Meddly (Babar & Miner, 2010) library. starMC can be run as a standalone tool or as part of the GreatSPN (Amparore et al., 2016) tool suite through the built-in graphical interface (Amparore, 2014).
We could only find another Petri net tool that can deal directly with CTL Ã : LTSmin (Kant et al., 2015). This tool translates CTL Ã into μ-calculus, using the procedures defined in Dam (1990). The search for a CTL Ã model-checker was not more successful when considering input languages other than Petri Nets.
Validation of starMC has been achieved taking advantage of the MCC benchmark (Kordon et al., 2019) that comprises models, LTL and CTL formulae, and associated truth values for the models' initial state.
The benchmark has been enriched with CTL Ã formulae, derived from the available CTL ones by randomly omitting path quantifiers. Sat-sets of the LTL, CTL, and CTL Ã formulae have been compared against the sat-sets obtained from the CTL Ã module of LTSmin. Sat-sets of CTL formulae have also been checked against the CTL model checker in the distribution of GreatSPN.
A motivation for building starMC was teaching and training: to provide students with a uniform environment in which to reason on, and to experiment with, LTL, CTL and CTL Ã specifications. This motivation follows an earlier re-shaping of GreatSPN to support teaching (Amparore & Donatelli, 2018b). But the main motivation was to investigate a number of open research questions: R1: it is possible to realize an efficient and fully symbolic implementation of CTL Ã based on Büchi automata that can check models of industrial interest? R2: the approach of R1 is any better than a translation to μ-calculus? R3: variable ordering techniques that exploits the PN structure, like the ones developed in Amparore et al. (2019) for state-space exploration, can be successfully applied to CTL Ã model-checking? R4: can a Büchi-based approach favour the formulation of counterexamples and witnesses? This paper addresses R1 and R2, and uses the techniques presented in Amparore et al. (2019) for variable ordering. An extensive comparison of different variable order heuristics, as well as the counter-examples generation of R4, are left for future work.
The starMC tool basic principles and structure were first presented in a (demo) paper (Amparore, Donatelli & Gallà, 2020b): here we take a deeper, and at the same time broader, view on CTL Ã model-checking and on its implementation in starMC. We provide distinct logical and implementation views of the model-checker, thus separating the algorithms from their fully symbolic implementation. The two views and the chosen level of detail, together with a fully open-source code, are meant to ease the scientific and implementation work needed to extend other verification engines with a CTL Ã model-checker, or to add to starMC additional techniques, for example for optimization or parallelization. We have also added a deeper investigation on previous work to precisely link the approach used with their original sources of inspiration. This paper also introduces a user view-point on starMC, for those interested only in using the tool. Finally, the tool validation has been improved, including less stringent execution time limits, more models and properties, and a deeper investigation of the obtained results.
The paper is organized as follows: "Background" introduces basic definitions and background, "starMC: the outer view" provides an overview of starMC from an user view-point, "starMC: the logical view" describes, at a logical level, the CTL Ã modelchecking procedure, followed by, in "Previous Work", a discussion and comparison with previous work. The DD-based implementation of the algorithms of "starMC: the logical view" is discussed in "starMC: The Inner View". "Testing Results" describes the tests that have been conducted, and "Conclusion" concludes the paper.

BACKGROUND
This section briefly recalls the PN formalism and the CTL Ã logic. It also introduces the main feature of the GreatSPN tool and of the Meddly and Spot libraries.

Petri nets
A place-transition (P/T) Petri net N is defined (Murata, 1989) as a tuple N ¼ hP; T; A; Wi, where P is the set of places, T is the set of transitions, A ðP Â TÞ [ ðT Â PÞ is the set of arcs, W : A ! N !1 is the arc weight function. A Petri net system is the pair NS ¼ hN; m init i where m init : P ! N is the initial marking. Markings represent states of the system, i.e. assignments of tokens to places. A transition t ∈ T is enabled if and only if all input places p of t contain at least W(p, t) tokens. The firing of t removes W(p, t) from all input places p and adds W(t, p′) to each output place p′. Notation m ! t m 0 indicates the firing of t in marking m, which leads to marking m′. A firing sequence σ for marking m is a sequence of transitions t 0 , t 1 ,… for which it exists a sequence of markings m 0 , m 1 ,… such that m = m 0 and, 8i ≥ 0 : m i ! t m iþ1 . Accordingly, the sequence of markings π = m 0 , m 1 ,… identifies a path of NS starting in m 0 , with π[i] = m i . We indicate with π[i··] the suffix of π starting in m i . We define P 1 M ðmÞ as the set of all infinite paths starting in m. From now on we shall interchangeably use the terms "marking" and "state". The reachability set (RS) of a Petri net system NS is the set of all markings reachable from m init , RSðNSÞ ¼ fm j 9 r2TÃ m init ! r mg: A reachability graph (RG) of a PN is a tuple RGðNSÞ ¼ hRS; E; m init i where: RS is the set of all markings reachable from m init , E ¼ fðm; t; m 0 Þ 2 RS Â T Â RS j m; m 0 2 S; t 2 T; m ! t m 0 g is the set of state transitions.
If there is no risk of confusion, the NS indication is usually dropped and we write RS and RG. Figure 1A shows a Petri net with 3 places and 4 transitions, the RS built from the initial state m init = m 1 , in Fig. 1B, and the corresponding RG, in Fig. 1C. A colored Petri net is a P/T net in which tokens have identities, to allow for a parametric and more compact description of systems. Each colored Petri net can be unfolded into a P/T net of isomorphic RG.

Decision diagrams for state space representation
Decision Diagrams (DD) are a well-known data structure to efficiently encode functions as well as large sets of structured data through their characteristic function. A Binary DD (BDD) encodes a boolean function and a Multivalued DD (MDD) encodes an integer function. A MDD can be used to encode a RS by associating each place of the net to a level in the MDD and ensuring that each path in the MDD corresponds to a reachable state (and vice-versa). Given the example Petri net of Fig. 1A, the MDD of the initial state m 1 is depicted in Fig. 2A, and the one of RS in Fig. 2D. DD levels encode the token counts of each Petri net place, and appear in the order P2, P1, P0 (top-down). So the rightmost path in the MDD of RS corresponds to the reachable state [m(P2) = 1, m(P1) = 0, m(P0) = 0], or [1, 0, 0] for short. The depicted MDDs are fully-reduced (when all edges out of a node lead to the same down node, the node is removed and by-passed), so the leftmost path of this MDD encodes both [0, 0, 0] (no token in any place) and [0, 0, 1] (one token in P0).
A DD encoding a relation function is called matrix diagrams (M×D). These kind of DDs are used in starMC to represent transitions among states due to the firing of Petri net transitions. An M×D has twice the levels of an MDD, and each pair of levels (also called the unprimed and primed levels for a variable) encodes the before/after relations of a variable (i.e. a place of a Petri net or a location of an automaton). Each of the four M×Ds in Fig. 2B encodes the transformation performed by a single transition of the example net while the M×D in Fig. 2D is the Next-State-Function (NSF), the union of all the single transition M×Ds. The depicted M×D are identity-reduced, i.e. skipping a level pair means that the encoded before-after relation is the identity. The image of this M×D applied to an MDD encoding a state m returns an MDD with all states that can be reached from m by the firing of a single transition. Its fixed point application results in the MDD of the RS. In practice the more efficient saturation technique (Ciardo, Lüttgen & Siminiceanu,  2001), also based on the NSF, is usually preferred. Note that usually the M×D of the RG is never built and stored, as any info in the RG can be retrieved through the DDs of NSF and RS. In Fig. 2 places are allocated to MDD (and M×D) levels in alphabetical order. It is well known that the DD variable order (the order in which variables are assigned to levels) may greatly influence the size of the resulting DD. The interested reader may find in Amparore, Donatelli & Ciardo (2020a) a recent study on various variable order heuristics that have been successfully applied to encode state spaces of Petri nets.
The temporal logic CTL Ã CTL Ã (Emerson & Halpern, 1983) is a temporal logic in which path operators can be quantified or not, and it therefore allows to freely mix linear and branching reasoning. It subsumes the linear logic LTL (Pnueli, 1977) and the branching logic CTL (Clarke & Emerson, 1981), that are known to have a different expressive power, although with non-empty intersection.
Definition 1 (CTL Ã syntax). CTL Ã formulae are the formulae É inductively defined by: where a ∈ AP and AP is a set of atomic propositions. The rules É and ϕ define state and path formulae, respectively. Note that in principle just one type of quantification is needed, as Aϕ = :E: ϕ. The BNF grammar of CTL Ã is ambiguous, as boolean expressions appear both as state and path formulae. For instance, the expression a 1 ∧ a 2 , with a 1 , a 2 ∈ AP, is both a state formula (rule É ∧ É) and a path formula (rule ϕ ∧ ϕ where ϕ ⇝ É and É ⇝ a).
The satisfaction relation for a CTL Ã formula is given over a Kripke model M = (S, E, L) with an associated set AP of atomic propositions, where S is a finite and non-empty set of states, E : S ! 2 S is the total successor function, L : S ! 2 AP is a labelling function, and L(s) is the set of atomic propositions that holds in s. The set of paths starting in s, P 1 M ðsÞ is defined as for Petri nets. It is straightforward to map a reachability graph into a Kripke model.
Definition 2 (Kripke model of an RG). The Kripke model of a reachability graph RG ¼ hRS; E; m init i is the Kripke model MðRGÞ ¼ hRS; E 0 ; Li, with E 0 ¼ E [ fðm; mÞ : 8 deadlock states m 2 RSg being the stuttering of E, and L a labelling function defined over the markings.
Stuttering of deadlock states ensures that the paths in the RG are infinite, as required by a Kripke model. Figure 1D shows the Kripke model derived from the RG in Fig. 1C when considering a set of atomic propositions AP = {β: (#P1 > 0 or #P2 > 0)} and the labelling function depicted next to the states. The two states s 3 and s 4 are stuttered, since they correspond to the deadlock markings m 3 and m 4 .
Definition 3 (CTL Ã semantics). The satisfaction relation of CTL Ã state formulae is defined by: while the satisfaction relation of path formulae for a path π is: A CTL Ã formula in which all path operators are prefixed by a quantifier is also a CTL formula. To express the relation between CTL Ã and LTL it is convenient to introduce the following definitions: Definition 4 (LTL formula). An LTL formula φ is inductively defined by: It is usually assumed that path formulae over a Kripke model are "implicitly universally quantified". To avoid any confusion we assume that the quantifier is explicitly indicated.
Definition 5 (Quantified LTL formula). Given an LTL formula φ a quantified LTL formulae É is defined by É :: = Eφ | Aφ The GreatSPN tool GreatSPN (Amparore et al., 2016;Amparore & Donatelli, 2018b) is a collection of Petri nets tools that are integrated in a common framework, with a unified graphical user interface (Amparore, 2014). Initially developed for performance evaluation of stochastic Petri nets, the tool was enriched over the years with algorithms for qualitative analysis.
From the graphical interface it is possible to draw a Petri net (colored or P/T), to compose Petri nets, to play the token game to familiarize with the net behaviour, and to verify the model using techniques specific to Petri nets (structural properties like P-and T-semiflows) or to check standard Petri net properties (like absence of deadlocks, boundedness and liveness) as well as CTL properties. The state space exploration algorithm and the CTL model-checker are fully symbolic, built using the MDD library Meddly (Babar & Miner, 2010), and a large set of heuristics for variable ordering (Amparore, Donatelli & Ciardo, 2020a) that exploit the net structure. Qualitative verification can be integrated by a stochastic verification, as GreatSPN includes a model-checker (Amparore & Donatelli, 2018a) for the stochastic logic CSL TA (Donatelli, Haddad & Sproston, 2009), and the computation of standard performance indices based on efficient analytical solutions of Markov chains and Markov Regenerative Processes, as well as simulation. The tool is open source and it is available from GitHub (https://github. com/greatspn/SOURCES).

The supporting libraries: meddly and spot
Spot 2.0 (Duret-Lutz et al., 2016) is a framework which provides, among other features, a wide range of tools to manipulate automata over infinite words and to translate them from LTL propositions. The framework has been maintained for decades and can be considered the state-of-the-art of LTL-to-Büchi translation. Our model checker uses the Spot library to construct a Generalized Büchi Automaton with state-based acceptance (SGBA) from each LTL formula encountered during the verification process. We chose to use the Hanoi-Omega Automata (HOA) format (Babiak et al., 2015) to represent such automata. The HOA format is a text-based encoding which supports various derivation of ω-automata. Spot can be downloaded from its home page (https://gitlab.lrde.epita.fr/ spotandspot.lrde.epita.fr).
Meddly (Babar & Miner, 2010), Multi-terminal and Edge-valued Decision Diagram LibrarY, is an open-source library (https://github.com/asminer/meddly) for decision diagrams, developed at Iowa State University. It supports the construction and manipulation of various kinds of decision diagrams: Binary and Multivalued decision diagrams, matrix diagrams (M×D) and edge-valued DDs, including a built-in function to support efficient state-space construction based on saturation.

STARMC: THE OUTER VIEW
This section describes how to use the tool for checking CTL Ã properties. We do so through an example, adapted from (Emerson & Halpern, 1986) and meant to underline the differences between LTL, CTL, and CTL Ã , and the advantage of being able to specify and verify CTL Ã properties. These differences are sometimes subtle and it is indeed convenient to be able to express properties in the three logics in the same tool (and actually from the same window).
The starMC tool accepts a CTL Ã syntax (Amparore, Donatelli & Gallà, 2020b) that is more expressive than the minimal one in Definition 1, as it includes more boolean connectors, and the path operators F (in the Future, for some state in the path) and G (globally, for all states in the path). Since CTL Ã formulae are written in textual mode in the tool, the symbols: &&, ||, !, ,>=, <=, == are used for ∧, ∨, :, ≥, ≤, =, leading to: AP is the grammar element for atomic propositions, which are formulated over the Petri net elements. AP are defined as boolean expressions over the enabling of transitions and the marking of the places.
AP ::¼ true j false j deadlock j initial j enðT 0 Þ j Â ffl Â Â ::¼ n j #p j boundsðP 0 Þ j À Â j Â Â where n 2 N, p ∈ P, P 0 P, T 0 T, ffl ∈ {==, <, <=, >, >=} is a comparison operator, and ∘ ∈ {+, −, Ã , /} is an arithmetic operator. The state formula deadlock evaluates to true for all states that do not enable any transition; initial is true in the initial state of the system; en (T′) is satisfied in all states enabling at least one transition t ∈ T′; #p evaluates to the cardinality of place p in the current marking; bounds(P′) is the maximum sum of token counts of all places in P′ in every reachable marking. Figure 3 is a screen-shot of the GreatSPN GUI while editing a Petri net model. The model represents the abstract behaviour for a mutual exclusion algorithm in which two processes 1 may either stay out of the critical section at will (place NonCS i and self-loop with transition StayNonCS i ) or may receive an interrupt (firing of transiton recIRQ i ) to then proceed to request access to the mutually exclusive resource (place TryCS i ).
The relevance of this example to CTL Ã is pointed out very clearly in the work (Emerson & Halpern, 1986) of Emerson and Halpern, that proposes the following verification steps. If we want to specify that the mutual exclusion system should have both behaviours (either process i never tries to access, or at a certain point it will try to access), we may write the quantified LTL formula: The model does indeed satisfy the specification of Prop1. Note that the formula is satisfied also if no process is allowed to stay forever in place #NotCS i , given that on all paths it is possible to try to access the critical section. If we want instead to be more specific and add the more stringent requirement that both behaviours should be present (even if on different paths), we can write: Prop2 Prop2 is not an LTL formula, and no equivalent LTL formula exists, as proved in Emerson & Halpern (1986). Prop2 is not a CTL formula either since the third term has no equivalent CTL. Prop2 is also true, but if we modify the net model to include a singular behaviour for process 1, so that it never receives an interrupt (modelled by removing transition recIRQ 1 ) then for process 2 both properties are true, but for process 1 Prop1 holds while Prop2 does not. So Prop1 (an LTL formula) is not able to discriminate (and therefore to specify) the modified behaviour.
starMC is available both as a command line tool or from inside the GUI. Figure 4 shows a screenshot of the query interface of the GreatSPN GUI when checking the above propositions for the modified mutual exclusion model. The model checker receives a list of queries to be verified, with their language type (LTL, CTL, CTL Ã ) explicitly specified. LTL formulae are implicitly quantified as "forall paths". The queries tagged as STAT and DD provide statistics and a pdf graphical representation of the DD of the RS. The queries tagged CTL are checked with the standard CTL model checker of GreatSPN (Amparore, Beccuti & Donatelli, 2014), while the queries tagged as LTL and CTL Ã are checked with starMC. Once a query is computed, the GUI shows if it holds in the initial state (true/false), as well as the cardinality of the sat-set (together with the RS size). For the modified mutual exclusion model being examined, |RS| = 3.
Indeed Prop1 is true for both processes, while Prop2 is false for the first process and true for the second one, showing the higher discriminating power of CTL Ã .

Background: LTL model checking
It is well-known, as in Vardi (1995) or Baier & Katoen (2008, p. 429), that for every LTL formula Aφ it is possible to generate a Generalized Büchi Automaton that accepts all and only the paths that satisfy ϕ, so we shall define them next. Definition 6 (GBA). A Generalized Büchi Automaton (GBA) is a tuple A ¼ hQ; AP; d; Q 0 ; Fi, where Q is a finite set of locations, AP is a set of atomic proposition labels, d Q Â AP Â Q is a total transition relation, Q 0 Q is the set of initial locations, and F ¼ fF i j F i Qg n i¼1 is the set of accepting sets of locations. A GBA in which there is a single accepting set (jFj ¼ 1) is called a Büchi automaton (BA tout-court).
The language L(A) of a GBA A is the set of infinite words on AP recognized by a run of A that visits infinitely often at least one location in each F i 2 F.
The standard automata-theoretic approach for model checking LTL formulae over a Kripke model M, following the schema of Vardi & Wolper (1986, 1994 is outlined in Algorithm 1, that checks if the quantified LTL formula Aϕ is satisfied for all paths π starting in the initial state m 0 . To do so it builds the GBA A of :ϕ (line 3), the BA M of the Kripke model M (line 4), and the synchronized product GBA M A (line 5), whose language is the intersection of the languages of M and A. If this language is empty, no path π satisfies :ϕ and therefore ϕ holds on all paths p 2 P 1 M ðmÞ. When dealing with Petri nets, the model to be checked is a stuttered RG, which is translated into the Kripke model M(RG) according to Definition 2. The corresponding automaton M is then built (line 4). Note that Büchi automata recognize words over edges, while Kripke models define a language of sequence of states (and associated atomic propositions). The transformation takes as accepting set F ¼ fRSg and moves the labelling function of a state to all the incoming arcs, which requires a translation, based on Vardi & Wolper (1986), for the initial state (that has no incoming arc) that consists in adding a fictitious initial state s pre , leading to the following definition.
Algorithm 1 Check LTL m init |= Aφ as: 8p 2 P 1 M ðm init Þ: π|= φ. We now define a simplified synchronized product of Büchi automata, for the case in which one automaton is a GBA and the other is a BA derived from a Kripke model (therefore with a single acceptance set that includes all states). Definition It is known (e.g. Baier & Katoen, 2008, p. 156 Fig. 5B; its synchronized product with the Büchi automaton in Fig. 5A is shown in Fig. 5C. The product BA has always a single initial state (s pre , q 0 ). The set of accepting subsets F for the example is F ¼ fF 1 g, with F 1 = {(s, q 1 ), ∀s ∈ RS}. Since, indeed, there is an infinite path that starts in (s pre , q 0 ) and that visits infinitely often at least one state in F 1 , then L (M A) is not empty and therefore the initial state of the net does not satisfy the LTL formula G : β. Note that the initial state of the net is the successor of the initial state of M A.

From LTL to SAT∃LTL
A limitation of Algorithm 1 is that it only computes if the initial state m init satisfies the formula Aφ. For CTL Ã , we shall need instead the entire sat-set. Moreover, we switch to existentially-quantified LTL formulae, since they are easy to compute in symbolic form, noting that a state (s |=Aφ) ≡ (s |=:E :φ). In this section we describe the extension of Algorithm 1 for sat-set computation as SAT∃LTL(M, φ).
A remarkable result of Clarke, Grumberg & Hamaguchi (1997), Theorem 2, p. 54) shows that LTL model checking can be actually performed using a fair CTL model checker, not on the Kripke structure M but on the product GBA M A. In particular, only a single CTL operator, E fair G true, is needed to check arbitrary LTL formulae.
We briefly recall the definitions of CTL fairness. A fairness condition F is a subset of states that must be visited infinitely often. A path p 2 P 1 M ðsÞ satisfies a fairness condition F if the states of F appear infinitely often on π. A fairness set F is a set of fairness condition F, that must all be met together. A path π is a fair path w.r.t. F iff π statisfies all fairness conditions of F. A state s satisfies the fair CTL formula Eϕ w.r.t. fairness set F iff (1) it satisfies the CTL formula Eϕ, and (2) 9p 2 P 1 M ðsÞ that is a fair path w.r.t. F. A state s satisfies a quantified LTL formula Eφ if in the product GBA M A there is a path from s, q 0 that visits infinitely often the states in the acceptance sets F, i.e. the same definition of the fairness condition acceptance in fair CTL. Thus if we consider the GBA as a Kripke structure, finding the states that satisfy Eφ becomes equivalent to finding the locations that originate fair paths, i.e. finding the states on the equivalent Kripke structure that satisfy E fair G true w.r.t. the fairness set F. The definition of SAT∃LTL(M, φ) that performs LTL model checking using fair CTL is described in Algorithm 2.
The procedure first translates the path formula φ into a GBA A (line 2), it then builds the BA M of the input model M (line 3), described by its RG. Note that, since the goal is the sat-set computation, we need to consider all states as possible initial states, by taking S 0 = RS in definition 7. Figures 6A and 6B show the BA M built from the RG of Algorithm 2 Sat-set of a quantified LTL formula Eφ. The M A of the example is shown in Fig. 6C: there is a single initial state (s pre , q 0 ) and the accepting set is F ¼ fF 1 g, where F 1 = {(s,q 1 ), ∀s ∈ RS}, therefore, in this case, M A is a BA. The Kripke model M(M A) of the synchronized product M A is shown in Fig. 6D, together with all the sets computed by Algorithm 2.
Some aspects of this procedure need a deeper explanation, in particular the three different ways of computing the sat-set (lines 8-14) and the Z 0 construction and its use (lines 6 and 15).
[Lines 8-14] This part computes the set of states that originate an infinite path accepted by the M A BA. Line 14 is the general case: the results in Burch et al. (1992) and Clarke, Grumberg & Hamaguchi (1997) show how to compute the sat-set through the modelchecking of the fair CTL formula E fair Gðtrue; fair ¼ FÞ on M A. The procedure for the sat-set computation of E fair Gðtrue; fair ¼ FÞ for a Kripke model is reported in Algorithm 3. Line 10 and 12 correspond to two specific cases, as it was shown (Bloem, Ravi & Somenzi, 1999) that if M A is a weak or terminal BA, the computation of E fair G true can be simplified.
A BA is weak if (1) it is possible to find a partition {Q i } of its set of locations Q so that each Q i is either contained in the accepting set or it is disjoint from it and (2) the {Q i } are partially ordered s.t. the transitions of the automaton never move from Q i to Q j unless Q i ≤ Q j . In this case the only way for a path to visit infinitely often a state of the accepting set F 1 is to eventually be confined inside one Q i F 1 , and an accepting run is a witness for the CTL formula EF EG F 1 . A terminal BA is a weak BA in which the {Q i } are maximal elements in the partial order. In this case an accepting run is a witness for the CTL formula EF F 1 . The time complexity for model checking the two CTL formulae is linear in the size of the model, while the cost for the general case in line 14 is instead quadratic. Note that Algorithm 2 tests the weak and terminal condition on A, and not on the (usually) much larger M A, as it was proven in Bloem, Ravi & Somenzi (1999) that if A is weak (terminal) so is M A. When this is the case the simplified procedure obviously applies also to M(M A), as we do.
[Lines 6 and 15]. Z 0 computed in line 6 is the set of immediate successor of the initial state(s) of the M A. This step is needed because of the fictitious s pre state introduced in M by the translation of Definition 7. The map operation in line 15 maps pairs (s i , q j ) onto the marking of s i .
The sat-set of the EFβ for the Petri net system of the example is also listed in Fig. 6D. Note that (s 3 , q 1 ) |= E fair G true, as there is indeed an infinite loop on the (s 3 , q 1 ) state, which is an accepting state. But s 3 corresponds to the Petri net marking m 3 , a deadlock state that does not satisfies β, so certainly s 3 6 EFb. Indeed (s 3 , q 1 ) ∉ Z 0 since the witness path of E fair G true for (s 3 , q 1 ) corresponds to a path in the automata of the formula that does not start from the initial location q 0 .
The work in Emerson & Lei (1987) gives a symbolic algorithm (known as Emerson-Lei algorithm) for model checking fair CTL properties, while (Burch et al., 1992) provides its fixed point characterization. Its time complexity is quadratic in the size of the automaton being checked. Algorithm 3 is an high-level view of the this fixed point characterization for the sat-set computation of E fair Gψ formulae for a Kripke model M, with a set of fairness constraints F. In the algorithm, the call to SATCTL(M, Φ) returns the sat-set of the CTL formula Φ (without fairness constraints) on the Kripke model M. The Until and next path operators at line 6 and 7 use sets instead of atomic propositions or state formulae, for simplicity. To understand the CTL Ã model checking procedure of starMC, we have to explain how a single CTL Ã formula is divided into multiple quantified LTL formulae that can be checked using SAT∃LTL only. It may be worth starting from an example. Let's consider the CTL Ã formula É ¼ EFGEða UðAXbÞÞ where a; b are atomic propositions, and define the following (sub-)formulae: Let Sat(Ψ) be the sat-set of Ψ. Assume that we have a model checking procedure SATLTL(Ψ) that computes Sat(Ψ) if Ψ is a quantified LTL formula. Similarly, assume that a procedure SATCTL(Ψ) computes Sat(Ψ) if Ψ is a CTL formula. Formulae Ψ 1 and Ψ 3 can be considered as both quantified LTL and CTL formulae, while Ψ 2 is not LTL, and Ψ 4 is not CTL. If we assume that aΨ i is an atomic proposition that holds in state s iff s |= Ψ i , then we can compute Sat(Ψ) using only SATLTL on the sequence of formulae: Ψ 1 , Ψ 3 and Ψ 4 . Vice-versa, Sat(Ψ) cannot be computed using only SATCTL, since SATCTL(Ψ 2 ) allows to rewrite Ψ into Ψ 4 which is an LTL formula for which it is well-known that no equivalent CTL one exists. According to Emerson & Lei (1987), the idea of substitution was already present in Emerson & Sistla (1984) and it was later used in Visser & Barringer (2000).
Algorithm 4 is the logical view of the CTL Ã model-checking procedure implemented in starMC. The algorithm follows the ideas in Emerson & Lei (1987), and builds a CTL Ã model-checker based on SAT∃LTL. It contains one case per type of state formula (by definition a CTL Ã formula is a state formula). The only non-trivial case of Algorithm 4 is Eφ in line 7: if φ is an LTL path formula, SAT∃LTL can be directly applied to the formula, if instead φ contains additional quantifications, we first have to rewrite φ as an LTL path formula (by substituting quantified sub-formulae with newly created atomic propositions). Both cases are treated in a unified manner through the call of SAT∃LTL (REWRITE(φ)). Each formula identified for the substitution is a Maximal Proper Quantified  (Baier & Katoen, 2008), def.6.86. Definition 9 (Maximal Proper State Sub-formula). State formula É is a MPSS of q whenever É is a sub-formula of q that differs from q and that is not contained in any other proper state sub-formula of ρ.
Let's consider this second example: than É 2 is a MPSS of É 1 and É 3 is a MPSS of É 2 . In our model-checking procedure we consider instead a refinement of the MPSS definition, that we call Maximal Proper Quantified Sub-formula (MPQS). The motivations for introducing MPQS with respect to previous work and MPSS is given in "MPSS vs. MPQS". Definition 10 (MPQS). A Maximal Proper Quantified Sub-formula (MPQS) É of a formula q is a MPSS of q which is a quantified state formula; i:e: either É ¼ Ef or É ¼ Af.
The MPQS decomposition maximises the length of path formulae whenever possible. The MPQS decomposition of the example CTL Ã formula is: The state sub-formula É 2 cannot be a MPQS of É 1 ; since É 2 is not a quantified state formula. REWRITE is the procedure to identify MPQS; its logical view is described in Algorithm 5, which is based on the syntactical recognition of the input formula ρ. Operators and atomic propositions are left unchanged (lines 3-9), when q ¼ Ef (line 10) the formula ρ is rewritten as the atomic proposition a q and to appropriately assign a q , the sat-set of ρ is computed through the indirect recursive call to SATCTL Ã (ρ).

PREVIOUS WORK
While the main sources of inspiration for the CTL Ã model checking procedure presented in "StarMC: The Logical View" have already been introduced, in this section we discuss and compare with previous work with a broader view. We shall first discuss the different approaches to CTL Ã model-checking and report on past and existing CTL Ã modelcheckers. Since the CTL Ã model-checking procedure of starMC is based on LTL modelchecking, we also provide a summary of the main approaches to LTL model-checking.
CTL Ã model-checking approaches CTL Ã model checking procedures can be distinguished depending on whether they are conducted on the model itself or on an extended model (as in case of the synchronized product).

Model-checking the model itself
An example of this approach is when the CTL Ã formula is first translated into μ-calculus and then the μ-calculus model-checking procedure is applied. This can be just a straightforward implementation of the fixed-point definition of the full μ-calculus or the more efficient algorithm proposed in Emerson & Lei (1986) for μ 2 -calculus, based on the observation that the formula translated from CTL Ã belong to the μ 2 fragment of the μ-calculus. The efficacy of symbolic techniques for model checking of μ-calculus was shown in Burch et al. (1992). In this approach the whole CTL Ã formula is translated into a single μ-calculus property: this translation is exponential in the size of the formula (Bhat & Cleaveland, 1996). A linear translation from of CTL Ã to first order μ-calculus, a form of μ-calculus with data, is proposed in Cranen, Groote & Reniers (2011). Note that, in this case, a CTL Ã formula may not produce a single first-order μ-calculus expression.

Model-checking an extended model
The model is extended to incorporate the formula information. The extended model is therefore constructed ad-hoc for each formula being checked. This approach may be further refined according to how the formula structure is encoded/exploited.

1.
Recursive descendent approaches based on formula substitution. As in the original papers by Emerson & Lei (1985, p. 90) and Emerson & Lei (1987), sub-formulae are identified and substituted, thus reducing the sat-set computation for CTL Ã to a sequence of sat-set computations for LTL. The complexity of this CTL Ã model-checking procedure is of the same order as that of LTL. It is well-known (Baier & Katoen, 2008) that for CTL Ã , as for LTL, the model-checking problem is PSPACE-complete, with a cost linear in the size of the system and exponential in the size of the formula (because of the Tableau or the Büchi automaton construction).

Hesitating alternating tree automata (HAA). A different approach is presented in
Visser & Barringer (2000), where CTL Ã formulae are translated into HAA. It is mentioned that to build the HAA for the CTL Ã formula, when an ∃φ sub-formula is encountered it is necessary to build the Büchi automata that accepts all infinite words recognized by φ. The synchronized product of the HAA of the formula with the Kripke model is again an HAA, and checking that the original formula is satisfied on the Kripke model corresponds to checking that the language of the synchronized product HAA is empty. Also this approach is based on the idea of MPSS (or MPQS) substitution with a label. Although described in a different manner, it seems that the approach based on HAA shares many similarities with the approach described in "StarMC: The Logical View". It basically does in an implicit manner what the SATCTL Ã in Algorithm 4 does in an explicit one. In the same paper the authors also propose a model checking procedure based on games, where the objective is to find a winning strategy for the non-emptiness game on the synchronized product of the Kripke model and the HAA of the formula (Theorem 2 in Visser & Barringer (2000)).

Sat-set computation for E fair G Ψ
The work in Emerson & Lei (1986), already mentioned for its contribution in proving that μ 2 -calculus can be efficiently model-checked, also provides a succinct translation from fair-CTL to μ 2 -calculus, paving the way to efficient model checking of fair-CTL, in particular for the sat-set computation of E fair GΨ. The algorithm is provided in an abstract form, regardless of the specific data structures choice. It is readily suitable for a symbolic implementation, which is what we have used for starMC.
A different symbolic solution for the computation of a fair cycle is provided by the OWCTY algorithm (Černá & Pelánek, 2003), which does not compute sat-sets but aims at  Vardi & Wolper (1986), as recalled in "StarMC: The Logical View". The paper in Burch et al. (1992) shows a symbolic model checking procedure for LTL. It is based on an implicit tableau construction and on its symbolic representation. It is then shown that the sat-set of an LTL formula can be reduced to the fair CTL symbolic model-checking for the μ-calculus expansion of EG true, under appropriate fairness constraints.

Buchi-based model checking of LTL of a formula Φ is defined in
A later work (Clarke, Grumberg & Hamaguchi, 1997) encodes the tableau of the LTL formula along with the model variables in a single SMV (Clarke et al., 1996) model, and explicitly reduces the LTL model checking to a fair-CTL formula, using the existing and unmodified CTL model checker of SMV. Model checking fair CTL is based on the Emerson-Lei algorithm (Emerson & Lei, 1986). This procedure, together with its implementation in BDD is well explained in the survey paper by Rozier (2011). The survey also cover many other related topics, including a comparison of the expressiveness of LTL, CTL and CTL Ã both in theory and in practical applications.
starMC exploits the Buchi-based approach in Vardi & Wolper (1986), that makes the synchronized product of the Büchi automaton and the model, and uses the algorithm in Emerson & Lei (1986) for the detection of the accepting runs and the consequent construction of the set of states that satisfy the formula. The library Spot (Duret-Lutz, 2014; Duret-Lutz et al., 2016) provides different, efficient, ways to build a Büchi automaton from an LTL formula. The generated automaton may have state-based or transition-based acceptance. This latter choice, based on the translation defined in Couvreur (1999), implemented in Spot using decision diagrams, is usually the most efficient. starMC nevertheless uses state-based automata, since it allows an easier re-use of the SATCTL module of GreatSPN.
A number of possible optimizations have been presented in the literature for LTL model-checking. For example in Duret-Lutz et al. (2011) a modified algorithm called Self-Loop Aggregation Product (SLAP) is proposed, where instead of building a synchronized product in an extended space (model and automaton), the joint state is kept into separate aggregates. Accepting runs are then searched only in those aggregates that may contain cyclic runs over the accepting states. For the time being starMC does not include this kind of algorithmic optimization, although a certain attention has been taken to avoid inefficiencies in the symbolic implementation.
We do not review here the numerous techniques for the on-the-fly model-checking of LTL, since these techniques concentrate on establishing the truth value of a formula in the initial state, while the SAT∃LTL procedure needed for CTL Ã model checking requires the construction of the sat-sets of the LTL sub-formulae.

CTL Ã model checkers
According to a relatively old paper (Barringer et al., 2002) there was a CTL Ã model-checker available in the Rainbow verification system (Barringer et al., 2002): the tool is not available any longer and we could find no published details on how the model checker was built, only that it was based on HAA. Previous papers by the same authors evaluated whether it was the case to enhance the tool SPIN with CTL Ã (Visser & Barringer, 1998;Visser & Barringer, 2000), but apparently it was never done and/or reported in the literature.
There is an implementation of μ-calculus for the nuXmv tool (Cavada et al., 2014), which, according to its website, could lead to a CTL Ã model-checker but, for the time being, only CTL Ã formulae that are either LTL or CTL are actually processed.
The LTSmin tool (Kant et al., 2015) includes a CTL Ã model checker. It allows to model check a Petri net by translating the CTL Ã formula to be checked into an equivalent μ-calculus one, using the procedures defined in Dam (1990). A model checker of μ-calculus for Petri nets is available also in TINA (Berthomieu, Ribet & Vernadat, 2004), but no translator from CTL Ã to μ-calculus is provided.

MPSS vs. MPQS
In the literature there have been slightly different definitions of the CTL Ã sub-formulae to be substituted and, although they are all correct and adequate for CTL Ã model-checking based on SAT∃LTL, different definitions may lead to a different number and/or to a different structure of the Büchi automata being built. The work in Emerson & Lei (1987) does not contain a definition in strict sense of the formulae to be substituted, but it states that, for each formula Eϕ, where ϕ is a path formula, then the set of formulae to be substituted by atomic propositions are the "top-level proper existential sub-formulae Eq i of ϕ that are not sub-formulae of any other sub-formula Er of Eϕ, where Er is different from Eϕ and from Eq i ". The Eq i are therefore the largest quantified sub-formulae of the formula ϕ.
In later times the substitution of formulae with atomic propositions was based on the definition of MPSS (Visser & Barringer, 2000), which is equivalent to the one given by def.6.86 in Baier & Katoen (2008), reported in this paper as Definition 9. The definition of MPSS encounters two problems when deriving an algorithm, it may re-label more formulae than strictly necessary, and it may result in a non-deterministic algorithm since the CTL Ã grammar is ambiguous. Indeed in the considered example: Since ψ 2 is both a state and a path formula due to the ambiguity of the CTL Ã language, there are two evaluation strategies: 1. Evaluate Ψ 1 as E (αUaψ 2 ); 2. Evaluate Ψ 1 as E (αU(α ∧ aψ 3 )); Both strategies are correct, but they are not equivalent. The former strategy is based on the identification of MPSS sub-formulae. While correct, it inhibits possible reductions and optimizations for Büchi Automata generation, since the label aψ 2 clearly carries less information than the (α ∧ aψ 3 ) formula. This example also shows that MPSS are different from "top-level proper existential sub-formulae" which are at the base of the CTL Ã model checking algorithm in Emerson & Lei (1987) and that we have formally defined as MPQS in Definition 10. The MPQS decomposition of the example CTL Ã formula is: The state sub-formula ψ 2 cannot be a MPQS of Ψ 1 , since Ψ 2 is not a quantified state formula.

STARMC: THE INNER VIEW
This section provides an insight on the implementation of starMC, which consists in a DD-based implementation on the algorithms of "StarMC: The Logical View". The implementation relies on the Meddly and Spot libraries, and on the symbolic CTL model checker already available in GreatSPN.
In starMC DDs are used to encode all data structures, but for the BA of the (sub-) formulae, that are instead represented in explicit form. Petri net state spaces, Kripke models and Büchi automata are all expressed in DD forms using the M×D of the NSF and the MDD of the states (when needed). Most computations of the model checker work with DDs that encode "potential" states. Potential states are a superset of RS that arise because the NSF, which is built before the RS, may include the firing of transitions also from states that are not reachable for the given initial marking. Algorithms (like state space generation) that work forward, from the initial marking onward, never generate unreachable states, but this is not the case in the implementation of some path operators, that works backwards (e.g. the neXt). Working on potential states is a standard choice for DD-based model-checkers, and intersections with the RS are done only when strictly needed.

Implementation of SATCTL Ã and REWRITE
We do not provide a detailed implementation view of Algorithm 4 for the sat-set computation for CTL Ã , but we simply identify the data structures used. SAT∃LTL returns an MDD, RS in line 6 is an MDD and the set operations in line 5 and 6 are also implemented as MDD operations. The value returned by REWRITE (ϕ) is an LTL expression following Definition 4. An implementation choice worth noticing is whether S M in line 3 and 6 of the algorithm refers to the MDD of the actual RS or of the set of potential states (PS). This part is common to the CTL model-checker of GreatSPN, for which the default choice is to manipulate potential states. Intersection with reachable states is done only for negation (line 6) (set difference from RS) and for the sat-set of true, for which RS is used. Atomic propositions (line 3) are also defined on the PS.

Implementation of M A construction
The generation of the decision diagrams that encode the M A automaton is summarized in Algorithm 6. The MDD (M×D) of M A is defined to have n + 1 (2n + 2 resp.) levels: one level each for the n places of the net and one for the location of A. We indicate with hm; qi a joint state of M A, where m is a model state and q is an automaton location.
The algorithm builds the MDD and the M×D of M A taking as input a graph description of the formula automaton A and the M×D for the NSF of M. There is no MDD for the initial states of M since all states are considered as initial ones. The algorithm implements at the same time the translation of M into a Büchi automaton (Definition 7) and the M A construction (Definition 8). The algorithm directly builds the Kripke model, without passing through the M A BA as described in "StarMC: The Logical View". The DD representation of the M A automaton of Algorithm 6 consists of three elements: M×D NSF for the δ function; an array S F of MDDs of the accepting sets; and the MDD for the set Z 0 of states as defined by Algorithm 2.
Figures 7B-7G shows the DDs built by Algorithm 6 for the net of Fig. 1A and for the formula expressed by the Büchi automaton in Fig. 7A. These DDs represent the symbolic encoding of the information (models and sat-sets) of Fig. 6.

Construction of Z 0 (lines 4-8)
If q 0 is an initial state of A with an outgoing arc ðq 0 ! a q 0 Þ then Z 0 should include all states hs; q 0 i for all states s that satisfy a (s ∈ Sat(a)). The function AddLoc(d, q) takes a MDD d and sets the location level to q. Figure 7B shows the MDD of Z 0 .

Construction of the NSF (lines 9-14)
The M×D for NSF is built by modifying the M×D NSF M of the input model M to include only "appropriate states" of M and to add the locations of A. For each edge q ! a q 0 of A a new M×D is created (line 12), by modifying the NSF of M to reach only Sat M (a) markings (the states of M that satisfies a), and at the same time by moving the GBA location from q to q′. Function AddLocX(v, q, q′) takes a M×D v and adds a relation q ! q 0 for the first primed and unprimed levels (automata locations). The transition relation δ of M A is encoded as a NSF from the union of all the edge M×Ds (line 13). Figure 7C shows the M×D of the NSF of the M A of the example.

Identification of the array of accepting subsets S F (lines 15-19)
The set S F is simply implemented by the array S F of MDDs, one entry per F i . According to Definition 8, each accepting subsets F i is the Cartesian product of F A i the i-th subset of final locations of A with all the states of M. The Cartesian product F i can be realized by adding one level on top of an MDD v that encodes the states of M. The node of this top level has a down-arrow to v for each location q 2 F A i . A more efficient solution is actually implemented in Algorithm 6, based on the observation that we can consider "potential" states of M by considering any combinations of tokens in any place. The corresponding 1 Figure 7 (A-G) A Büchi automaton of a CTL Ã formula and the DDs generated by its evaluation for the net in Fig. 1A.
Full-size  DOI: 10.7717/peerj-cs.823/ fig-7 MDD, in fully reduced form, is very compact: it has n + 1 levels, the node of the top level carries the F A i elements, all other levels are skipped. This MDD can be built by taking (line 17) the union of MDDs created by the Meddly function edgeForVar(q, n + 1), which creates a fully reduced MDD in which level n + 1 is set to q and all other levels are skipped.
In the automaton of the example F ¼ fF 1 g, with F 1 = {q 1 }, therefore S F is an array with a single element, the MDD that combines the value 1 (encoding of q 1 ) for the location level with any combination of tokens in all places. The MDD is depicted, in fully reduced form, in Fig. 7D.

Implementation of SAT∃LTL
SAT∃LTL computes the set of states of M that satisfy the quantified LTL formula Eφ. Algorithm 7 provides an implementation view of Algorithm 2. Line 2 is a call to Spot for formula φ, that builds a Büchi automaton in textual HOA form. The DDs of M A are built by the call in line 3. The set of reachable states S in M A is then generated in line 4 using saturation (Ciardo, Lüttgen & Siminiceanu, 2001). Figure 7A is the automaton built by Spot for the formula Fβ, to be evaluated for the net in Fig. 2A, with β = (#P1 > 0 or #P2 > 0)}. Figures 7B-7D are the three DDs returned by the call of BUILDSYNCHPRODUCT in line 3, while Fig. 7E is the result of the Saturation procedure on M A.
Note that in the M A construction of Algorithm 6 all informations on edge labelling is lost, since it is now irrelevant, and, to find the set of accepting states (AS) of the formulae in lines 9, 11, and 13, we can consider hS, NSFi as a Kripke model (line 5). Lines 7 to 13 follow the same logic of Algorithm 2. As for Algorithm 2 the computed AS set is not the accepting set of the original formula: the operations in line 14 build the MDD intersection of the MDDs of AS and Z 0 and applies to the resulting MDD the RemLoc function, that removes the DD level that stores the location index, thus obtaining an MDD that encodes the reachable states of the Petri net model that satisfy Eφ.
The MDD of the AS set for the example is given in Fig. 7F. It has been computed by the call to the CTL model-checker in line 11, since A is a terminal automaton. Note that DD represents AS in the potential state space. Moreover not all the accepting states in AS are in the sat-set of Eφ, either because they are not reachable (are in PR\RS) or because they are not "aligned" with the initial conditions of A, otherwise said, they have to belong to Z 0 . The result of the intersection and RemLoc operations in line 14 is shown in Fig. 7G, that encodes the 3 satisfying markings (all markings of RS except the one where all places have zero tokens). Note that M A states (q 0 , 1, 1, 0) and (q 1 , 0, 0, 0), are in the DD of the AS but nor (1, 1, 0) nor (0, 0, 0) are in the DD of Sat(EFβ). The first one is a state which is not in the RS of M A, the second one is not in Z 0 . Both are removed by the intersection in line 14.

Implementation of E fair G
The logical view for the sat-set computation of E fair G given in Algorithm 3 is quite close to its DD-based implementation. The E fair G is called by Algorithm 7 on a Kripke model encoded with an M×D for its NSF, a MDD for its states, and an array of MDDs for the set of fairness constraints F. All DDs are for n + 1 variables, the n places of the Petri net model and the location of the automaton of the formula. The SATCTL calls in line 6 and 7 of Algorithm 3 have been implemented with the pre-existing DD-based CTL model checker of GreatSPN, modified so as to treat n + 1 levels. The intersections in lines 6 and 7 are straightforward MDD intersections.

TESTING RESULTS
We have tested the correctness of the results and the performance of the tool. All tests were performed using the publicly available (mcc.lip6.fr/2019/archives/2019-mcc-models.tar. gz) MCC2019 benchmark (Kordon et al., 2019). The MCC2019 benchmark includes 1,018 model instances, that are parametric variations (in structure or in the initial marking) of 94 distinct colored and P/T models. There are both academic (e.g. Philosophers, Kanban, Erathostenes, etc.) as well as relevant industrial models (ARM processor cache, biochemical networks, UML models, CAN bus models, etc.). For each model instance different properties are defined: basic Petri net properties (like cardinality of the state space, absence of deadlock, boundedness and liveness), 32 LTL properties and 32 CTL properties, for a total of about 60 k LTL and CTL formulae. The benchmark includes all known formula evaluations (truth value in the initial marking), making MCC data a valuable benchmark for (Petri net) tools. The tests use Spot version 2.9.6, the latest Meddly (tag 7a31ca8 on gitHub), LTSmin version 3.0.2. and GreatSPN (tag 4439bde).
The semantics of LTL and CTL is defined over infinite paths, but Petri net models with deadlocks also feature finite paths. For MCC, CTL is directly defined on RG and not on Kripke structures, hence the successor function may not be total. In that case, the CTL semantics is axiomatically defined (Lichtenstein, Pnueli & Zuck, 1985) for the set S d of deadlock states as: EX S d = Ø, and EG S d = S d . LTL and CTL Ã properties are interpreted considering a proper Kripke structure (i.e. stuttered) built on the RG according to Def. 2.
The benchmark does not include any CTL Ã property for the MCC models (and for any other models we could find). Therefore we have algorithmically generated a set of CTL Ã formulae from the MCC CTLCardinality queries by randomly deleting path quantifiers with a probability of 70%. The top-most quantifiers are always kept, in order to preserve consistency with the CTL Ã grammar. The sat-set cardinalities of the LTL and CTL formulae are also missing in the benchmark. We have therefore conducted the comparison tests on the cardinalities of the produced sat-sets by checking consistency between multiple tools.
Resource setting. All experiments have been performed on dedicated cpu cores (Intel Xeon CPU E5-2630 v3 at 2.40 GHz) with a limit of 2 GB of memory and a 60 s timeout for state space generation and another 60 s to check each formula. Variable orders were pre-computed using the state-of-the-art heuristic of Amparore, Donatelli & Ciardo (2020a).
Examined models. Within the 60 s limit, starMC is able to build the RS of 434 model instances, from 77 different models. This set includes many very large model instancess, both in terms of places and transitions (up to thousands) and number of states. Figure 8 shows a chart of the distribution of the sizes of the 434 model instances. Two of these instances have a state space of the order of 10 478 , one in the order of 10 603 (numbers not even representable in a double precision floating point). The 67 model instances with more than 10 21 states (the two rightmost columns in Fig. 8) correspond to 29 different models.
Analysis' objectives. The characteristics that have been tested are: CT: Correct Truth value of the formula for the initial state  None of the query evaluation generated a not-enough-memory error. For 7 of these 434 models, the query format was corrupted due to bad namings. These 7 models were thus dropped. We found no mismatch w.r.t. the MCC published values for the remaining 427 models.
To get a better accuracy we need to verify more precise information like the sat-set cardinalities (the CC test), as in the next steps, but before proceeding to sat-set computation we have investigated the possible overhead caused by the (exponential) size of the Büchi automata. We have computed the size of the Büchi automata for about 14 k LTL queries. The largest automata produced by Spot has 70 locations and 356 edges. The average number of locations (edges) is 3.95 (7.7). This correspond to a maximum and average number of path operators equal to 12 and 4.7 respectively. Note that starMC may build more than one Büchi automata per formula when model-checking CTL and CTL Ã formulae, due to nesting.

CC and PE tests based on RGMeDD
This test compares the results of starMC and RGMeDD on CTL formulae. RGMeDD is the CTL model checker (Amparore, Beccuti & Donatelli, 2014) of GreatSPN, based on the standard recursive sat-set computation of CTL. The test therefore compares two different approaches to CTL model checking: a standard fixed point implementation (RGMeDD), and an automata-based implementation (starMC). Both tools use the same library for DD manipulation, moreover the same variable orders have been used. The benchmark is again on 427 instances, for a total of 13,664 CTL queries (427 Ã 32). Table 1 summarizes the behaviour of the two tools, while the plots in Fig. 9 report the execution times in linear form Fig. 9A and log form Fig. 9B: dots below the diagonal are queries for which RGMeDD is faster than starMC and vice-versa. Executions that have timed out are marked as TO. RGMeDD completes 10,740 queries (79%) from 427 different model instances, while starMC completes 10,223 queries (75%) from 399 different model instances. All the 9,747 queries completed by both tools (71%) produced sat-sets of equal cardinality (CC test).
We have also analyzed the different behaviour in terms of solved queries and model instances, with RGMeDD being able to solve more queries but especially for more diverse instances.
Moreover, on the queries completed by both tools (blue dots in the plot), RGMeDD was faster than starMC on 87% of the queries, slower on the 10% and equal time (up to millisec) on 3%. There are a number of cases in which the execution times are rather different (values close to only the x or the y axis). This result for the PE test is somehow unexpected: considering that the same DD library is used, and the same variable orders, the differences are possibly due to the different model-checking approaches, and we actually expected the standard CTL procedure of RGMeDD to be more efficient in almost all practical cases. Factors that could make starMC faster than RGMeDD are the optimization of the formula done by Spot when building the Büchi automaton and a different use of the potential state space in the two implementations.

Tests based on LTSmin
The last tool assessment is based on a comparison with LTSmin (Kant et al., 2015): CC and PE are assessed for LTL, CTL and CTL Ã formulae. LTSmin is run using the pins2lts-sym interface with the -ctlstar option, which first converts the input formula into μ-calculus and then applies the μ-calculus model-checker of LTSmin. It is worth noting that this translation may incur an exponential cost since LTSmin uses the translation described in Dam (1990), which is in theory less efficient than using Büchi automata. LTSmin is also based on decision diagrams, provided by the multi-core library Sylvan (van Dijk & van de Pol, 2017). To make a meaningful comparison, for each model instance we have enforced the use of the same variable order for the two tools. We have initially checked that both tools, when given the same variable order, produce exactly the same DD in output. Thus the choice of the variable order does not penalize one tool or the other, as long as it is the same for both tools. We give LTSmin the same time constraints as the other tools, i.e. 60 s to generate the state space, and 60 s to translate the formula in μ-calculus and perform the model checking. Since we have experienced inconsistencies of the LTSmin tool when dealing with models with deadlocks, we have considered deadlock-free models only. Moreover, only P/T models have been included in the analysis, since LTSmin does not treat colored models, leaving 222 model instances from 29 distinct models. For what concerns the type of queries, only LTL/CTL/CTL Ã queries of the "Cardinality" category have been checked, since LTSmin cannot express atomic propositions based on the enabling of transitions. We did not consider model instances for which none of the two tools was able to compute the state space, leaving 123 model instances from 28 different models. Of the 123 models, LTSmin builds the state space of 86 and starMC of 116. In all tests, LTSmin ran on four cores (to allow it to exploit the parallelism of the Sylvan library) and starMC on a single one, similar to the settings used for the MCC competition.
The first test (CC and PE for LTL and CTL formulae) compares the sat-set cardinalities and the execution times for LTL and CTL formulae, while the second test (CC and PE for CTL Ã formulae) extends the analysis to CTL Ã formulae, the final target of the whole testing procedure.

CC and PE for LTL and CTL formulae
We computed the sat-sets generated by starMC and LTSmin (running in -ctlstar mode) on LTL and CTL formulae on the 123 model instances selected as explained above, with 16 CTL formulae and 16 LTL ones for each model instance. The objective is to check the performance of the two model checkers (PE) and, for all queries solved by both tools, check that the same sat-sets' cardinalities are computed (CC). The results are summarized in Table 2, while a comparison of the execution times in log and linear form (as for the previous experiment) is reported in Fig. 10.
PE results: in the 60 s limits, starMC solves 50% more queries than LTSmin, although, in the subset of queries solved by both, LTSmin is faster than starMC on 2 out of 3 queries. CC results: of the 1,708 queries computed by both tools, we have a mismatch in the cardinalities of the sat-sets of 7 formulae (from different model instances). These are all LTL formulae. All results computed by starMC are consistent with the MCC known truth values. Since truth values of MCC are assigned according to majority of the output of the tools that participate in the competition, they may not be 100% reliable. We have therefore computed the sat-sets of the sub-formulae, which indicate that LTSmin is computing the wrong sat-sets, most likely due to a wrong translation to μ-calculus. For example, the sat-set of the formula named LTLCardinality-08 for the model BART-PT-002 has a structure "XFGFa", where a is an atomic proposition and the formula is implicitly quantified for all paths. LTSmin reports that the formula has an empty sat-set, although the sat-set of the formula "FGFa" is equal to the full state space, which clearly indicates contradictory results. The translation in μ-calculus of the former query leads to a recursive formula with 7 μ and 18 ν fixed point operators, and it is not trivial to assess whether there is an error in the translation of the formula into μ-calculus or in the model-checking procedure. This behaviour has been reported to the LTSmin developers.  The tests of "CC and PE for LTL and CTL formulae" are here repeated for the set of generated CTL Ã formulae. The results are summarized in Table 3, while a comparison of the execution times in log and linear form (as for the previous experiments) is reported in Fig. 11. PE: in the 60 s limits, starMC solves the highest number of queries (73%), almost twice those solved by LTSmin. In the subset of queries solved by both, LTSmin is faster than starMC on almost 4 out of 5 queries.
CC: of the 753 queries computed by both tools, we have a mismatch in the cardinalities of the sat-sets of 10 formulae (from different model instances). We have checked these formulae one by one, by computing the sat-set of sub-formulae, when meaningful and useful. In all but one case, the two tools differ radically: the sat-set being the whole state space for one and the empty set for the other, or vice-versa. In these cases it was not difficult to check that LTSmin is computing results that are inconsistent with the sat-sets of the sub-formulae computed by the tool itself. For the remaining case a special procedure was put in place that indicates that it is likely that LTSmin is computing the wrong result 2 .

CONCLUSION
starMC is a CTL Ã model-checker that computes the set of reachable states that satify a CTL Ã formula. To the best of our knowledge it is the only available CTL Ã model-checker based on Büchi automata for Petri nets, and also the only available CTL Ã model-checker that does not require a translation into μ-calculus. 2 There is a query of a model (named FMS-PT-00020 in MCC) for which the two sat-sets differ for a "small" portion: for LTSmin the sat-set is the whole RS, for starMC is a strict subset of RS (with a difference of 10 4 states out of the 10 12 states in RS). Due to the complexity of model and formula we had to build a reduced model (applying standard Petri net reduction rules) with only 32 states, and a reduced formula, for which the two sat-sets differ by four states. In this case it was possible to check by hand that the 4 should not be in the sat-set, as computed by starMC.
starMC provides CTL Ã and LTL model-checking capabilities to the GreatSPN tool, improving the existing CTL model-checker. starMC is fully integrated into the GreatSPN GUI.
The implementation leverages two libraries: Spot for the translation from LTL sub-formulae to Büchi automata, and Meddly for decision diagram manipulation. The tool also includes the existing CTL model-checker of GreatSPN, modified to verify M A structures.
Although many of the ideas behind the construction of starMC have been around for decades, there was not, as far as we know, a fully developed description on the algorithms for a (symbolic) implementation of a CTL Ã model-checker, that we consider to be a significant contribution of this paper. The availability of such a tool is also very important: for educational purposes both in university and in industries, and for application in reallife contexts. The testing section has shown that, even on reduced resources (2 GB of memory and execution time with a 60 s time-out) starMC can model-check very large state spaces (we reached 10 480 states) for formulae with equivalent Büchi automata of more than 70 locations and 350 edges.

Petri nets only?
starMC has been developed for Petri nets, either in GreatSPN format or in the PNML standard format. Although having a model-checker fully integrated into a specification and verification tool is an advantage for the user, it may hamper its reuse in the research community. There are indeed tools like LTSmin that try to be as general as possible, by providing a (formalism agnostic) intermediate language. starMC exploits Petri nets to collect useful information: computation of place bounds (so the user does not have to identify them beforehand) and heuristics for variable orders, which are based on P-semiflows (a structural property of the Petri net). Both issues relates to performance and do not hamper the application of the results presented in this paper to other formalisms for DEDS; nevertheless the tool is not currently structured for direct reuse as a stand-alone multi formalism model-checker.
Tool's limitations starMC builds the whole state space beforehand even for properties that could be proved by inspection of a part of the state space (no on-the-fly verification), and it does not build counter-examples.
Answer to research questions (R1): our testing campaign has shown that it is possible to realize an efficient and fully symbolic implementation of the computation of sat-sets of LTL and CTL Ã properties based on Büchi automata. (R2): the experiments conducted in the testing phase indicate that starMC can solve (significantly) more formulae than LTSmin, although, on the formulae solved by both tools, LTSmin is generally faster. (R3): an extensive comparison of different variable order heuristics has not been conducted yet, but the size of the system that we were able to solve show that, indeed, the variable order heuristic used, that was the best one for state-space exploration, as reported in Amparore et al. (2019), is at least adequate for CTL Ã model-checking. (R4): the construction of counter-examples and witnesses has not been addressed in this paper.
Current and future work starMC builds the whole state space beforehand even for properties that could be proved by inspection of a part of the state space (no on-the-fly verification). We are working on a model-checker that keeps the NSF in implicit form: the M×D of the NSF is substituted by a function that performs the firing of the Petri net transitions by directly manipulating the MDD of the state space being built. With a NSF in implicit form it is possible to implement an on-the-fly approach, in which the state space is built incrementally up to the point where the property can be (dis-)proven. The results could be extended to CTL Ã following the work in Bhat, Cleaveland & Grumberg (1995), that develops an on-the-fly procedure for LTL and then extends it to CTL Ã .
No model-checker is fully useful if it does not produce meaningful counter-examples. GreatSPN already produces CTL counter-examples or witnesses for the initial state. Extending the current approach to CTL Ã may require a definite shift in the approach, for example by looking into the creation of evidence for μ-calculus (Cranen, Luttik & Willemse, 2015), while keeping an eye on the efficiency of the construction, as in Jiang & Ciardo (2018).
Although CTL Ã allows to express fairness constraints in the formula, we plan to develop also a model checker for the fair variant of CTL. Although this may seem a straightforward task, considering the already existing implementation of E fair G ψ, further analysis is needed to understand the most adequate form of fairness, in particular if we want to consider not only fairness based on visited states (and therefore among enabled actions), but also fairness of taken actions, to include, for example, the "Fairness running" clause of the NuSMV tool (Cavada et al., 2014).
The example in "CTL Ã Model-checking Procedure" points out that a CTL Ã modelchecker could be realized based on a mixture of SAT∃LTL and SATCTL. Beyond the theoretical differences in complexity, the construction of such a CTL Ã model-checker requires more experiments to understand if there is a practical advantage in doing so. Our comparison in "CC and PE Tests Based on RGMeDD" points out that it could be so.

Availability
A virtual machine, with the reproducible benchmark (scripts, models, tools, instructions) is available as a Zenodo permalink. The provided benchmark can be run either in quick or in full mode, which will take about 30 minutes/10 days, respectively, to complete. Instructions are provided inside the VM, available at: https://zenodo.org/ record/5752419 with the name starMC-benchmark.ova. A second virtual machine with the starMC tool pre-installed can also be found at the same link, with the name starMC.ova.