Results 1 - 10 of 87
Symbolic Model Checking: 10^20 States and Beyond, 1992
Cited by 488 (28 self)
Many different methods have been devised for automatically verifying finite state systems by examining state-graph models of system behavior. These methods all depend on decision procedures that explicitly represent the state space using a list or a table that grows in proportion to the number of states. We describe a general method that represents the state space symbolically instead of explicitly. The generality of our method comes from using a dialect of the Mu-Calculus as the primary specification language. We describe a model checking algorithm for Mu-Calculus formulas that uses Bryant's Binary Decision Diagrams (Bryant, R. E., 1986, IEEE Trans. Comput. C-35) to represent relations and formulas. We then show how our new Mu-Calculus model checking algorithm can be used to derive efficient decision procedures for CTL model checking, satisfiability of linear-time temporal logic formulas, strong and weak observational equivalence of finite transition systems, and language containment for finite ω-automata. The fixed point computations for each decision procedure are sometimes complex, but can be concisely expressed in the Mu-Calculus. We illustrate the practicality of our approach to symbolic model checking by discussing how it can be used to verify a simple synchronous pipeline circuit.
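The abstract above describes deriving CTL model checking from Mu-Calculus fixed points. The following is an added example, not code from this paper or any other listed here: the same least and greatest fixed-point iterations written in Python over explicit state sets (standing in for the BDDs the symbolic method uses), applied to a two-process lock model constructed for the example. The `check_lock` flag, the `CTLChecker` class and the lock model itself are assumptions of this illustration, not anything from the paper.

```python
"""Fixed-point (Mu-Calculus style) CTL model checking of a two-process lock.

Added example, not code from any of the papers listed on this page. The state
space is an explicit Python set where the symbolic method would use BDDs, but
the least/greatest fixed-point iterations are the same ones the symbolic
algorithm evaluates. The lock model and its bug are constructed for the example.
"""

IDLE, TRYING, CRITICAL = "idle", "trying", "critical"


def build_mutex_model(check_lock=True):
    """Explore the reachable states of two processes sharing one lock.

    A state is (pc1, pc2, lock) with lock 0 (free) or the id (1 or 2) of the
    holder. With check_lock=False a TRYING process enters its critical section
    without testing the lock: a constructed race that breaks mutual exclusion.
    Returns (init, states, R) where R maps each state to its successor set.
    """
    init = (IDLE, IDLE, 0)
    states, R = set(), {}
    frontier = [init]
    while frontier:
        s = frontier.pop()
        if s in states:
            continue
        states.add(s)
        succs = set()
        for i in (0, 1):
            pc, lock = list(s[:2]), s[2]
            if pc[i] == IDLE:
                pc[i] = TRYING
                succs.add((pc[0], pc[1], lock))
            elif pc[i] == TRYING and (lock == 0 or not check_lock):
                pc[i] = CRITICAL
                succs.add((pc[0], pc[1], i + 1))
            elif pc[i] == CRITICAL:
                pc[i] = IDLE
                succs.add((pc[0], pc[1], 0))
        R[s] = succs
        frontier.extend(succs)
    return init, states, R


def lfp(f):
    """mu Z. f(Z): iterate from the empty set until the set stops growing."""
    z = set()
    while (nz := f(z)) != z:
        z = nz
    return z


def gfp(f, top):
    """nu Z. f(Z): iterate from the full state set until it stops shrinking."""
    z = set(top)
    while (nz := f(z)) != z:
        z = nz
    return z


class CTLChecker:
    """CTL operators derived from EX and the two fixed points."""

    def __init__(self, states, R):
        self.S, self.R = set(states), R

    def neg(self, a):
        return self.S - a

    def EX(self, a):
        # Pre-image of a under R: states with at least one successor in a.
        return {s for s, succs in self.R.items() if succs & a}

    def EF(self, a):            # mu Z. a | EX Z
        return lfp(lambda z: a | self.EX(z))

    def EG(self, a):            # nu Z. a & EX Z
        return gfp(lambda z: a & self.EX(z), self.S)

    def EU(self, a, b):         # mu Z. b | (a & EX Z)
        return lfp(lambda z: b | (a & self.EX(z)))

    def AG(self, a):            # not EF not a
        return self.neg(self.EF(self.neg(a)))

    def AF(self, a):            # not EG not a
        return self.neg(self.EG(self.neg(a)))


def check_mutex(check_lock=True):
    """Check safety (AG: never both critical) and AG EF (process 1 can enter)."""
    init, states, R = build_mutex_model(check_lock)
    mc = CTLChecker(states, R)
    both = {s for s in states if s[0] == CRITICAL and s[1] == CRITICAL}
    p1_crit = {s for s in states if s[0] == CRITICAL}
    return {
        "states": len(states),
        "mutex": init in mc.AG(mc.neg(both)),
        "p1_can_always_reach_cs": init in mc.AG(mc.EF(p1_crit)),
    }


if __name__ == "__main__":
    print("with lock test:   ", check_mutex(check_lock=True))
    print("without lock test:", check_mutex(check_lock=False))
```

With the lock test in place the reachable model has eight states and both properties hold; with the test removed the initial state falls inside EF(both critical), so AG fails. Replacing the Python sets with BDDs over the state encoding is what lets the same iterations scale past explicitly enumerable state spaces.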
Model Checking and Modular Verification
- ACM Transactions on Programming Languages and Systems, 1991
Cited by 242 (11 self)
We describe a framework for compositional verification of finite state processes. The framework is based on two ideas: a subset of the logic CTL for which satisfaction is preserved under composition; and a preorder on structures which captures the relation between a component and a system containing the component. Satisfaction of a formula in the logic corresponds to being below a particular structure (a tableau for the formula) in the preorder. We show how to do assume-guarantee style reasoning within this framework. In addition, we demonstrate efficient methods for model checking in the logic and for checking the preorder in several special cases. We have implemented a system based on these methods, and we use it to give a compositional verification of a CPU controller.
1 Introduction
Temporal logic model checking procedures are useful tools for the verification of finite state systems [3, 12, 20]. However, these procedures have traditionally suffered from the state explosion proble...
An Automata-Theoretic Approach to Branching-Time Model Checking
- JOURNAL OF THE ACM, 1998
Cited by 237 (56 self)
Translating linear temporal logic formulas to automata has proven to be an effective approach for implementing linear-time model-checking, and for obtaining many extensions and improvements to this verification method. On the other hand, for branching temporal logic, automata-theoretic techniques have long been thought to introduce an exponential penalty, making them essentially useless for model-checking. Recently, Bernholtz and Grumberg have shown that this exponential penalty can be avoided, though they did not match the linear complexity of non-automata-theoretic algorithms. In this paper we show that alternating tree automata are the key to a comprehensive automata-theoretic framework for branching temporal logics. Not only, as was shown by Muller et al., can they be used to obtain optimal decision procedures, but, as we show here, they also make it possible to derive optimal model-checking algorithms. Moreover, the simple combinatorial structure that emerges from the a...
The Concurrency Workbench: A semantics based tool for the verification of concurrent systems
- In Proceedings of the Workshop on Automatic Verification Methods for Finite State Machines, 1991
Cited by 95 (3 self)
The Concurrency Workbench is an automated tool for analyzing networks of finite-state processes expressed in Milner's Calculus of Communicating Systems. Its key feature is its breadth: a variety of different verification methods, including equivalence checking, preorder checking, and model checking, are supported for several different process semantics. One experience from our work is that a large number of interesting verification methods can be formulated as combinations of a small number of primitive algorithms. The Workbench has been applied to the verification of communications protocols and mutual exclusion algorithms and has proven a valuable aid in teaching and research.
1 Introduction
This paper describes the Concurrency Workbench [11, 12, 13], a tool that supports the automatic verification of finite-state processes. Such tools are practically motivated: the development of complex distributed computer systems requires sophisticated verification techniques to guarantee correctness, and the increase in detail rapidly becomes unmanageable without computer assistance. Finite-state systems, such as communications protocols and hardware, are particularly suitable for automated analysis because their finitary nature ensures the existence of decision procedures for a wide range of system properties.
Tableau-Based Model Checking in the Propositional Mu-Calculus
- Acta Informatica, 1990
Cited by 80 (8 self)
This paper describes a procedure, based around the construction of tableau proofs, for determining whether finite-state systems enjoy properties formulated in the propositional mu-calculus. It presents a tableau-based proof system for the logic and proves it sound and complete, and it discusses techniques for the efficient construction of proofs that states enjoy properties expressed in the logic. The approach is the basis of an ongoing implementation of a model checker in the Concurrency Workbench, an automated tool for the analysis of concurrent systems.
1 Introduction
One area of program verification that has proven amenable to automation involves the analysis of finite-state processes. While computer systems in general are not finite-state, many interesting ones, including a variety of communication protocols and hardware systems, are, and their finitary nature enables the development and implementation of decision procedures that test for various properties. Model checking has p...
Model Checking for Context-Free Processes, 1992
Cited by 73 (8 self)
We develop a model-checking algorithm that decides for a given context-free process whether it satisfies a property written in the alternation-free modal mu-calculus. The central idea behind this algorithm is to raise the standard iterative model-checking techniques to higher order: in contrast to the usual approaches, in which the set of formulas that are satisfied by a certain state are iteratively computed, our algorithm iteratively computes a property transformer for each state class of the finite process representation. These property transformers can then simply be applied to solve the model-checking problem. The complexity of our algorithm is linear in the size of the system's representation and exponential in the size of the property being investigated.
Model Checking Mobile Processes, 1993
Cited by 60 (11 self)
We introduce a temporal logic for the polyadic π-calculus based on fixed point extensions of Hennessy-Milner logic. Features are added to account for parametrisation, generation, and passing of names, including the use, following Milner, of dependent sum and product to account for (unlocalised) input and output, and explicit parametrisation on names using lambda-abstraction and application. The latter provides a single name binding mechanism supporting all parametrisation needed. A proof system and decision procedure is developed based on Stirling and Walker's approach to model checking the modal μ-calculus using constants. One difficulty, for both conceptual and efficiency-based reasons, is to avoid the explicit use of the ω-rule for parametrised processes. A key idea, following Hennessy and Lin's approach to deciding bisimulation for certain types of value-passing processes, is the relativisation of correctness assertions to conditions on names. Based on this idea a proof system and ...
Combining Deduction and Model Checking into Tableaux and Algorithms for Converse-PDL
- Information and Computation, 1998
Cited by 54 (7 self)
This paper presents a prefixed tableaux calculus for Propositional Dynamic Logic with Converse based on a combination of different techniques such as prefixed tableaux for modal logics and model checkers for μ-calculus. We prove the correctness and completeness of the calculus and illustrate its features. We also discuss the transformation of the tableaux method (naively NEXPTIME) into an EXPTIME algorithm.
1 Introduction
Propositional Dynamic Logics (PDLs) are modal logics introduced in [10] to model the evolution of the computation process by describing the properties of states reached by programs during their execution [15, 24, 27]. Over the years, PDLs have been proved to be a valuable formal tool in Computer Science, Logic, Computational Linguistics, and Artificial Intelligence far beyond their original use for program verification (e.g. [4, 12, 14, 15, 24, 23]). In this paper we focus on Converse-PDL (CPDL) [10], obtained from the basic logic PDL by adding the converse operat...
Actions Speak Louder than Words: Proving Bisimilarity for Context-Free Processes, 1991
Cited by 43 (9 self)
Baeten, Bergstra, and Klop (and later Caucal) have proved the remarkable result that bisimulation equivalence is decidable for irredundant context-free grammars. In this paper we provide a much simpler and much more direct proof of this result using a tableau decision method involving goal-directed rules. The decision procedure also provides the essential part of the bisimulation relation between two processes which underlies their equivalence. We also show how to obtain a sound and complete sequent-based equational theory for such processes from the tableau system and how one can extract what Caucal calls a fundamental relation from a successful tableau.
Games for the µ-Calculus
Cited by 41 (4 self)
Given a formula of the propositional µ-calculus, we construct a tableau of the formula and define an infinite game of two players of which one wants to show that the formula is satisfiable, and the other seeks the opposite. The strategy for the first player can be further transformed into a model of the formula while the strategy for the second forms what we call a refutation of the formula. Using Martin's Determinacy Theorem, we prove that any formula has either a model or a refutation. This completeness result is a starting point for the completeness theorem for the µ-calculus to be presented elsewhere. However, we argue that refutations have some advantages of their own. They are generated by a natural system of sound logical rules and can be presented as regular trees of the size exponential in the size of a refuted formula. This last aspect completes the small model theorem for the µ-calculus established by Emerson and Jutla [3]. Thus, on a more practical side, refutations can be...