Compositional Model Checking
1999
Cited by 2026 (60 self)
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.

Verification Tools for Finite-State Concurrent Systems
Cited by 112 (3 self)
Temporal logic model checking is an automatic technique for verifying finite-state concurrent systems. Specifications are expressed in a propositional temporal logic, and the concurrent system is modeled as a state-transition graph. An efficient search procedure is used to determine whether or not the state-transition graph satisfies the specification. When the technique was first developed ten years ago, it was only possible to handle concurrent systems with a few thousand states. In the last few years, however, the size of the concurrent systems that can be handled has increased dramatically. By representing transition relations and sets of states implicitly using binary decision diagrams, it is now possible to check concurrent systems with more than 10^120 states. In this paper we describe in detail how the new implementation works and

Automatic verification of sequential circuits using temporal logic
IEEE Transactions on Computers C-35, 1986
Cited by 72 (11 self)
Verifying the correctness of sequential circuits has been an important problem for a long time. But lack of any formal and efficient method of verification has prevented the creation of practical design aids for this purpose. Since all the known techniques of simulation and prototype testing are time consuming and not very reliable, there is an acute need for such tools. In this paper we describe an automatic verification system for sequential circuits in which specifications are expressed in a propositional temporal logic. In contrast to most other mechanical verification systems, our system does not require any user assistance and is quite fast: experimental results show that state machines with several hundred states can be checked for correctness in a matter of seconds! The verification system uses a simple and efficient algorithm, called a model checker. The algorithm works in two steps: in the first step, it builds a labeled state-transition graph; and in the second step, it determines the truth of a temporal formula with respect to the state-transition graph. We discuss two different techniques that we have implemented for automatically generating the state-transition graphs: the first involves extracting the state graph directly from the circuit by exhaustive simulation; the second obtains the state graph by compilation from an HDL specification of the original circuit. Index Terms: asynchronous circuits, hardware verification, sequential circuit verification, temporal logic, temporal logic model checking.
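The two-step algorithm this abstract and the Verification Tools abstract above describe (build a labeled state-transition graph, then decide a temporal formula over it) can be made concrete with a small explicit-state CTL model checker. The following is an added example, not code from any of the papers listed here: the protocol it verifies is a constructed toy model of two clients contending for a single lock, the CTL encoding (nested tuples over the basis EX, EU, EG, with AG and AF derived) is the standard one, and it manipulates sets of states explicitly rather than representing them as BDDs as the symbolic checkers above do. The `atomic_acquire` switch, an assumption of this example, chooses between an atomic test-and-set and a separate check-then-set, the latter being exactly the kind of race a model checker is good at finding.

```python
"""Explicit-state CTL model checking of a two-client lock (added example,
not code from any of the listed papers). Step 1 builds a labeled
state-transition graph by exhaustive simulation; step 2 decides a CTL
formula over it by fixpoint computation on sets of states."""

INIT = ('idle', 'idle', None)   # (pc of client 0, pc of client 1, lock holder)


def successors(state, atomic_acquire):
    """Interleaving semantics: exactly one client moves per transition."""
    holder, out = state[2], set()
    for i in range(2):
        pcs = list(state[:2])
        if pcs[i] == 'idle':
            pcs[i] = 'trying'
            out.add((*pcs, holder))
        elif pcs[i] == 'trying' and holder is None:
            if atomic_acquire:              # test-and-set in a single step
                pcs[i] = 'critical'
                out.add((*pcs, i))
            else:                           # check now, set later (racy)
                pcs[i] = 'acquiring'
                out.add((*pcs, holder))
        elif pcs[i] == 'acquiring':         # set the lock without re-checking it
            pcs[i] = 'critical'
            out.add((*pcs, i))
        elif pcs[i] == 'critical':          # release
            pcs[i] = 'idle'
            out.add((*pcs, None))
    return out


def build_graph(atomic_acquire):
    """Step 1: reachable states, a total transition relation, and labels."""
    trans, frontier = {}, [INIT]
    while frontier:
        s = frontier.pop()
        if s in trans:
            continue
        succ = successors(s, atomic_acquire) or {s}   # stutter if stuck: paths stay infinite
        trans[s] = succ
        frontier.extend(succ)
    labels = {s: {pc + str(i) for i, pc in enumerate(s[:2])} for s in trans}
    return trans, labels


def pre(trans, Z):
    """States with at least one successor in Z (this is EX Z)."""
    return {s for s, succ in trans.items() if succ & Z}


def sat(f, trans, labels):
    """Step 2: set of states satisfying CTL formula f, given as nested tuples."""
    S, op = set(trans), f[0]
    if op == 'true':
        return S
    if op == 'ap':
        return {s for s in S if f[1] in labels[s]}
    if op == 'not':
        return S - sat(f[1], trans, labels)
    if op == 'and':
        return sat(f[1], trans, labels) & sat(f[2], trans, labels)
    if op == 'EX':
        return pre(trans, sat(f[1], trans, labels))
    if op == 'EU':      # least fixpoint of  Z = g | (f & EX Z)
        A, B = sat(f[1], trans, labels), sat(f[2], trans, labels)
        Z = set(B)
        while (new := Z | (A & pre(trans, Z))) != Z:
            Z = new
        return Z
    if op == 'EG':      # greatest fixpoint of  Z = f & EX Z
        Z = A = sat(f[1], trans, labels)
        while (new := A & pre(trans, Z)) != Z:
            Z = new
        return Z
    raise ValueError(f'unknown operator {op!r}')


# Derived operators over the EX / EU / EG basis.
def NOT(f): return ('not', f)
def AND(f, g): return ('and', f, g)
def IMPLIES(f, g): return NOT(AND(f, NOT(g)))
def EF(f): return ('EU', ('true',), f)
def AG(f): return NOT(EF(NOT(f)))
def AF(f): return NOT(('EG', NOT(f)))

# MUTEX is a safety property, PROGRESS a liveness property.
MUTEX = AG(NOT(AND(('ap', 'critical0'), ('ap', 'critical1'))))
PROGRESS = AG(IMPLIES(('ap', 'trying0'), AF(('ap', 'critical0'))))


def check(formula, atomic_acquire):
    """Return (formula holds in INIT, reachable states where it fails)."""
    trans, labels = build_graph(atomic_acquire)
    good = sat(formula, trans, labels)
    return INIT in good, set(trans) - good


if __name__ == '__main__':
    for name, prop in (('MUTEX', MUTEX), ('PROGRESS', PROGRESS)):
        for atomic in (True, False):
            holds, bad = check(prop, atomic)
            print(f'{name:8} atomic_acquire={atomic!s:5} holds={holds} failing states={len(bad)}')
```

Running it shows mutual exclusion holding only for the atomic acquire; with check-then-set, the state in which both clients are critical is reachable, which is the time-of-check/time-of-use race in miniature. PROGRESS fails in both models because the interleaving semantics lets client 1 cycle through the lock forever while client 0 waits, so a liveness result means nothing until a fairness constraint is added to the model or to the checker. The failing-state set returned by `check` is the raw material for extracting a counterexample path.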

On the Decision Problem for Two-Variable First-Order Logic
1997
Cited by 41 (0 self)
We identify the computational complexity of the satisfiability problem for FO², the fragment of first-order logic consisting of all relational first-order sentences with at most two distinct variables. Although this fragment was shown to be decidable a long time ago, the computational complexity of its decision problem has not been pinpointed so far. In 1975 Mortimer proved that FO² has the finite-model property, which means that if an FO²-sentence is satisfiable, then it has a finite model. Moreover, Mortimer showed that every satisfiable FO²-sentence has a model whose size is at most doubly exponential in the size of the sentence. In this paper, we improve Mortimer's bound by one exponential and show that every satisfiable FO²-sentence has a model whose size is at most exponential in the size of the sentence. As a consequence, we establish that the satisfiability problem for FO² is NEXPTIME-complete.

BDD-Based Decision Procedures for the Modal Logic K
Journal of Applied Non-classical Logics, 2005
Cited by 15 (1 self)
We describe BDD-based decision procedures for the modal logic K. Our approach is inspired by the automata-theoretic approach, but we avoid explicit automata construction. Instead, we compute certain fixpoints of a set of types, which can be viewed as an on-the-fly emptiness check of the automaton. We use BDDs to represent and manipulate such type sets, and investigate different kinds of representations as well as a "level-based" representation scheme. The latter turns out to speed up construction and reduce memory consumption considerably. We also study the effect of formula simplification on our decision procedures. To prove the viability of our approach, we compare it with a representative selection of other approaches, including a translation of K to QBF. Our results indicate that the BDD-based approach dominates for modally heavy formulae, while search-based approaches dominate for propositionally heavy formulae.

Specification and Verification of Real-time Embedded Systems using Time-constrained Reactive Automata
1991
Cited by 11 (5 self)
The vital role that real-time embedded systems are playing and will continue to play in our world, coupled with their increasingly complex and critical nature, demands a rigorous and systematic treatment that recognizes their unique requirements. The Time-constrained Reactive Automaton (TRA) is a formal model of computation that admits these requirements. Among its salient features is a fundamental notion of space and time that restricts the expressiveness of the model in a way that allows the specification of only reactive, spontaneous, and causal computations. Using the TRA formalism, there is no conceptual distinction between a system and a property; both are specified as formal objects. This reduces the verification process to that of establishing correspondences, namely preservation and implementation relationships, between such objects. In this paper, we present the TRA model and briefly overview our experience in using it in the specification and verification of real-time embedded systems.

Hardware Design Based on Verilog HDL
1998
Cited by 4 (2 self)
Up to a few years ago, the approaches taken to check whether a hardware component works as expected could be classified under one of two styles: hardware engineers in the industry would tend to exclusively use simulation to (empirically) test their circuits, whereas computer scientists would tend to advocate an approach based almost exclusively on formal verification. This thesis proposes a unified approach to hardware design in which both simulation and formal verification can co-exist. Relational Duration Calculus (an extension of Duration Calculus) is developed and used to define the formal semantics of Verilog HDL (a standard industry hardware description language). Relational Duration Calculus is a temporal logic which can deal with certain issues raised by the behaviour of typical hardware description languages and which are hard to describe in a pure temporal logic. These semantics are then used to unify the simulation of Verilog programs, formal verification and the use of algebraic laws during the design stage.

An Automata Theoretic Approach to Temporal Logic
Proceedings of the 3rd Workshop on Computer Aided Verification (CAV91), volume 575 of Lecture Notes in Computer Science, 1991
Cited by 4 (0 self)
A syntax directed mapping is presented from Propositional Temporal Logic (PTL) formulae to Müller type finite automata. This is a direct and much more elegant and easier to implement approach than previously described methods. Most of these methods are based on tableau methods for satisfiability checking, after which a Büchi type of automaton is extracted. Büchi and Müller automata are equally expressive. However, Müller automata have nicer properties than Büchi automata; for instance, deterministic Müller automata are as expressive as non-deterministic ones, while this is not true for Büchi automata. Also, deterministic Büchi automata are not closed under complement. This transformation is the first step in a decision procedure, since the resulting Müller automaton represents the models of the temporal logic formula, on which further verification and analysis can be performed.

A Run-time Environment for a Validation Language
1993
Cited by 3 (3 self)
Our Department is currently engaged in a project to validate the correctness of reactive systems, specifically operating system kernels. Model checking is used as a validation technique. A model checker was implemented using transition systems as a modelling formalism and computation tree logic (CTL) to specify correctness requirements. Although transition systems are powerful enough to specify the behaviour of reactive systems, they are inconvenient to use because they are too low level. Therefore a high-level validation language is required. Since the behaviour of an operating system kernel is often dependent on the manipulation of complex data, the validation language must support complex data structures. This thesis describes the design and implementation...

Specification, Simulation, and Verification of Timing Behavior
1993
Cited by 1 (0 self)
By Tod Amon. Chairperson of the Supervisory Committee: Professor Gaetano Borriello, Department of Computer Science and Engineering. Temporal behavior needs to be formally specified, validated, and verified, if systems that interface with the outside world are to be synthesized from high-level specifications. Due to the high level of abstraction, the work presented in this thesis applies to systems that ultimately can be implemented using hardware, software, or a combination of both. In the area of specification, a generalization of the event-graph specification paradigm is presented. The model supports the expression of complex functionality using an operational semantics and cleanly integrates structure into the event-based paradigm. Temporal relationships between system events are specified using a denotational semantics that relies on both chronological and causal relationships to identify the discrete event occurrences bei...

