Vacuity Detection in Temporal Model Checking

  • Orna Kupferman
  • Moshe Y. Vardi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1703)


One of the advantages of temporal-logic model-checking tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most model-checking tools provide no witness for the satisfaction of the specification. In the last few years there has been growing awareness to the importance of suspecting the system or the specification of containing an error also in the case model checking succeeds. The main justification of such suspects are possible errors in the modeling of the system or of the specification. Many such errors can be detected by further automatic reasoning about the system and the environment. In particular, Beer et al. described a method for the detection of vacuous satisfaction of temporal logic specifications and the generation of interesting witnesses for the satisfaction of specifications.

For example, verifying a system with respect to the specification ϕ = AG(req → AFgrant) (“every request is eventually followed by a grant”), we say that ϕ is satisfied vacuously in systems in which requests are never sent. An interesting witness for the satisfaction of ϕ is then a computation that satisfies ϕ and contains a request. Beer et al. considered only specifications of a limited fragment of ACTL, and with a restricted interpretation of vacuity. In this paper we present a general method for detection of vacuity and generation of interesting witnesses for specifications in CTL✶. Our definition of vacuity is stronger, in the sense that we check whether all the subformulas of the specification affect its truth value in the system. In addition, we study the advantages and disadvantages of alternative definitions of vacuity, study the problem of generating linear witnesses and counterexamples for branching temporal logic specifications, and analyze the complexity of the problem. Supported in part by the NSF grants CCR-9628400 and CCR-9700061, and by a grant from the Intel Corporation.


Model Check Temporal Logic Atomic Proposition Tree Automaton Linear Temporal Logic Formula 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. BB94.
    D. Beaty and R. Bryant. Formally verifying a microprocessor using a simulation methodology. In Proc. 31st DAC, pp. 596–602. IEEE Computer Society, 1994.Google Scholar
  2. BBER97.
    I. Beer, S. Ben-David, C. Eisner, and Y. Rodeh. Efficient detection of vacuity in ACTL formulas. In Proc. 9th CAV, LNCS 1254, pp. 279–290, 1997.Google Scholar
  3. BRS99.
    R. Bloem, K. Ravi, and F. Somenzi. Efficient decision procedures for model checking of linear time logic properties. In Proc. 11th CAV, LNCS, 1999.Google Scholar
  4. CD88.
    E. M. Clarke and I. A. Draghicescu. Expressibility results for linear-time and branching-time logics. In Proc. Workshop on Linear Time, Branching Time, and Partial Order in Logics and Models for Concurrency, LNCS 354, pp. 428–437, 1988.CrossRefGoogle Scholar
  5. CE81.
    E. M. Clarke and E. A. Emerson. Design and synthesis of synchronization skeletons using branching time temporal logic. In Proc. Workshop on Logic of Programs, LNCS 131, pp. 52–71, 1981.CrossRefGoogle Scholar
  6. CES86.
    E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244–263, 1986.zbMATHCrossRefGoogle Scholar
  7. CGL93.
    E. M. Clarke, O. Grumberg, and D. Long. Verification tools for finite-state concurrent systems. In Decade of Concurrency-Reflections and Perspectives (Proceedings of REX School), LNCS 803, pp. 124–175, 1993.Google Scholar
  8. CGMZ95.
    E. M. Clarke, O. Grumberg, K. L. McMillan, and X. Zhao. Efficient generation of counterexamples and witnesses in symbolic model checking. In Proc. 32nd DAC, pp. 427–432. IEEE Computer Society, 1995.Google Scholar
  9. Cla97.
    E. Clarke. Private communication, 1997.Google Scholar
  10. EJ88.
    E. A. Emerson and C. Jutla. The complexity of tree automata and logics of programs. In Proc. 29th FOCS, pp. 368–377, White Plains, 1988.Google Scholar
  11. EL87.
    E. A. Emerson and C.L. Lei. Modalities for model checking: Branching time logic strikes back. Science of Computer Programming, 8:275–306, 1987.zbMATHCrossRefMathSciNetGoogle Scholar
  12. Eme90.
    E. A. Emerson. Temporal and modal logic. Handbook of Theoretical Computer Science, pp. 997–1072, 1990.Google Scholar
  13. Fra86.
    N. Francez. Fairness. Texts and Monographs in Computer Science. Springer-Verlag, 1986.Google Scholar
  14. KGG99.
    S. Katz, D. Geist, and O. Grumberg. “Have I written enough properties ?” a method of comparison between specification and implementation. In 10th CHARME, LNCS, 1999.Google Scholar
  15. Kur98.
    R. P. Kurshan. FormalCheck User’s Manual. Cadence Design, Inc., 1998.Google Scholar
  16. KV95.
    O. Kupferman and M. Y. Vardi. On the complexity of branching modular model checking. In Proc. 6th CONCUR, LNCS 962, pp. 408–422, 1995.Google Scholar
  17. KV98a.
    O. Kupferman and M. Y. Vardi. Freedom, weakness, and determinism: from linear-time to branching-time. In Proc. 13th LICS, pp. 81–92, 1998.Google Scholar
  18. KV98b.
    O. Kupferman and M. Y. Vardi. Relating linear and branching model checking. In PROCOMET, pp. 304–326, 1998. Chapman & Hall.Google Scholar
  19. LP85.
    O. Lichtenstein and A. Pnueli. Checking that finite state concurrent programs satisfy their linear specification. In Proc. 12th POPL, pp. 97–107, 1985.Google Scholar
  20. MS95.
    D. E. Muller and P. E. Schupp. Simulating alternating tree automata by nondeterministic automata: New results and new proofs of theorems of Rabin, McNaughton and Safra. Theoretical Computer Science, 141:69–107, 1995.zbMATHCrossRefMathSciNetGoogle Scholar
  21. Pnu81.
    A. Pnueli. The temporal semantics of concurrent programs. Theoretical Computer Science, 13:45–60, 1981.zbMATHCrossRefMathSciNetGoogle Scholar
  22. PP95.
    B. Plessier and C. Pixley. Formal verification of a commercial serial bus interface. In Proc. of 14th Annual IEEE International Phoenix Conf. on Computers and Communicat ions, pp. 378–382, March 1995.Google Scholar
  23. QS81.
    J. P. Queille and J. Sifakis. Specification and verification of concurrent systems in Cesar. In Proc. 5th International Symp. on Programming, pp. 337–351, LNCS 137, 1981.Google Scholar
  24. SC85.
    A. P. Sistla and E. M. Clarke. The complexity of propositional linear temporal logic. Journal ACM, 32:733–749, 1985.zbMATHCrossRefMathSciNetGoogle Scholar
  25. VS85.
    M. Y. Vardi and L. Stockmeyer. Improved upper and lower bounds for modal logics of programs. In Proc 17th STOC, pp. 240–251, 1985.Google Scholar
  26. VW86a.
    M. Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program verification. In Proc. 1st LICS, pp. 322–331, 1986.Google Scholar
  27. VW86b.
    M. Y. Vardi and P. Wolper. Automata-theoretic techniques for modal logics of programs. Journal of Computer and System Science, 32(2):182–221, April 1986.CrossRefMathSciNetGoogle Scholar
  28. VW94.
    M. Y. Vardi and P. Wolper. Reasoning about infinite computations. Information and Computation, 115(1):1–37, November 1994.zbMATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Orna Kupferman
    • 1
  • Moshe Y. Vardi
    • 2
  1. 1.Hebrew UniversityThe institute of Computer ScienceJerusalemIsrael
  2. 2.Rice UniversityDepartment of Computer ScienceHoustonUSA

Personalised recommendations