Graded CTL Model Checking for Test Generation

Recently there has been a great attention from the scientific community towards the use of the model-checking technique as a tool for test generation in the simulation field. This paper aims to provide a useful mean to get more insights along these lines. By applying recent results in the field of graded temporal logics, we present a new efficient model-checking algorithm for Hierarchical Finite State Machines (HSM), a well established symbolism long and widely used for representing hierarchical models of discrete systems. Performing model-checking against specifications expressed using graded temporal logics has the peculiarity of returning more counterexamples within a unique run. We think that this can greatly improve the efficacy of automatically getting test cases. In particular we verify two different models of HSM against branching time temporal properties.

💡 Research Summary

The paper addresses the growing interest in using model checking not only for verification but also as a source of test cases in simulation environments. It proposes a novel approach that combines graded Computation Tree Logic (graded‑CTL) with Hierarchical Finite State Machines (HSM) and their more expressive variant, Scope‑dependent Hierarchical State Machines (SHSM), to generate multiple counterexamples in a single model‑checking run.

Graded‑CTL extends classical CTL by adding quantitative modalities to the existential and universal path quantifiers. The operator E > k requires at least k + 1 pairwise distinct paths satisfying a sub‑formula, while A ≤ k (the dual) limits the number of violating paths. This allows a specification to demand several independent failure scenarios simultaneously, something ordinary CTL cannot express. The paper recalls the formal syntax and semantics of graded‑CTL, showing that its model‑checking complexity remains linear in the size of the Kripke structure and the formula, independent of the numeric constants k.

HSMs are hierarchical state machines where “boxes” encapsulate sub‑machines, preserving a compact representation of large systems. SHSMs further associate each box with a set of atomic propositions (a scope) that are inherited by all states inside the box, enabling a clean representation of scope‑dependent properties. The authors define the semantics of an SHSM by recursively flattening it into a Kripke structure M_F: each box is replaced by a copy of the Kripke structure of its sub‑machine, and the labeling of states is the union of the box’s scope and the inner state’s label. Although the flat structure can be exponentially larger, the verification algorithm works directly on the hierarchical description, avoiding explicit construction.

The core technical contribution is an algorithm for graded‑CTL model checking on HSMs, which is then lifted to SHSMs. The algorithm proceeds as follows: (1) perform a standard CTL fix‑point computation on the hierarchical model; (2) for each graded operator E > k, search for k + 1 distinct evidences by exploring the transition graph and pruning paths that share prefixes already used as evidence; (3) the search for distinct paths incurs only a logarithmic factor log K, where K is the largest grading constant appearing in the formula. Consequently, the overall time complexity is O(|M|·|φ|·log K), matching the classical CTL bound up to the harmless log factor. The authors prove that this bound holds for both HSMs and SHSMs, with the extra factor arising solely from the need to distinguish paths.

To validate the approach, the authors apply their tool to two case studies: (i) a simple communication protocol modeled as an SHSM, and (ii) a timed event‑driven system where failures can occur in multiple ways. For each case they formulate graded‑CTL properties such as “there exist at least three distinct executions where a failure occurs after a timeout” and run the checker. The results show that a single execution yields several distinct counterexamples, each of which can be directly translated into a test scenario (including timing information for DEVS simulations). Compared with traditional CTL model checking, which would produce only one counterexample per run, the graded approach dramatically reduces the number of required verification runs and enriches the test suite.

The paper also discusses practical aspects: the logarithmic overhead is negligible in experiments, the algorithm integrates smoothly with existing model‑checking frameworks, and the hierarchical abstraction preserves enough detail to be useful for downstream simulation while keeping the state space manageable.

In conclusion, the authors demonstrate that graded‑CTL combined with hierarchical (scope‑dependent) state machines provides a powerful, theoretically sound, and practically efficient method for generating multiple test cases from a single model‑checking run. This bridges the gap between formal verification and test generation, offering a scalable solution for large‑scale discrete‑event systems and opening avenues for further integration with timed simulation environments such as DEVS.