Model checking primer

Why model checking is useful

When a system is concurrent, behaviour is not a single linear story. Different interleavings, schedules, and environment actions can produce different outcomes. Model checking gives you a disciplined way to explore this space. The goal is not to “simulate a run” but to explore all reachable behaviours of an abstract model and check whether a property holds across that space.

Two practical benefits stand out. First, counterexamples are actionable: if a property fails, the checker typically produces a trace showing how it fails. Second, the method rewards good modelling: if your model makes assumptions explicit, the exploration becomes a structured way to ask “what if” questions about ordering, failure semantics, and resource limits.

The basic ingredients

A model checker needs two things: a model of behaviour and a property to check.

• ModelTypically a transition system: states and transitions describing what actions are possible.
• PropertyA statement about traces or reachable states: safety (“never”), liveness (“eventually”), or refinement/compatibility.

Most real workflows also include a third ingredient: an interpretation layer. The checker runs on an abstract model, so you need a disciplined way to interpret results. If a property holds, what does that say about the implementation? If it fails, which assumptions were violated?

Diagram: model → explore → property

Modelling choices that matter

The hardest part of model checking is not the algorithm; it is choosing the right model. In practice, a good model isolates the behaviour you care about and makes environment assumptions explicit.

• GranularityToo fine and the state space explodes; too coarse and you lose the property you meant to check.
• EnvironmentModel what the system assumes about inputs, scheduling, and failures. Unmodelled assumptions become surprises.
• Data vs controlOften you can abstract data while keeping control structure (ordering, branching) intact.
• Concurrency semanticsInterleaving vs true concurrency; which actions can happen independently?

The most common modelling error is to accidentally make the environment “too nice”. If the environment never fails, never delays, and never reorders, properties will appear to hold for uninteresting reasons.

Key definitions

• StateA snapshot of the variables and control locations relevant to the model.
• TransitionA possible step from one state to another, usually labelled by an action.
• ReachabilityA state is reachable if there exists a sequence of transitions from the initial state.
• Safety propertyA “never happens” statement; violations have finite counterexamples.
• Liveness propertyAn “eventually happens” statement; violations are often infinite behaviours.
• AbstractionA simplified model intended to preserve the property of interest while shrinking the state space.

Common pitfalls

• Checking the wrong propertyA property that is too weak can pass while the intended behaviour is still wrong.
• Over-constraining the modelIf you bake the property into the model, you will “prove” it by construction.
• Ignoring fairness and schedulingLiveness depends on assumptions about scheduling; state them explicitly.
• Misreading counterexamplesA trace is about the model; if it is unrealistic, your modelling assumptions need adjustment.

Where to go next (internal)

• Research: verification workflowsHow model checking fits into repeatable loops.
• Behavioural contractsAssumptions and guarantees as interfaces.
• HARQ05 detail pageA publication-style summary that emphasises modelling choices.