## Vacuity Detection in Temporal Model Checking (1999)

Citations: 60 (14 self)

### BibTeX

```bibtex
@MISC{Kupferman99vacuitydetection,
  author = {Orna Kupferman and Moshe Y. Vardi},
  title  = {Vacuity Detection in Temporal Model Checking},
  year   = {1999}
}
```

### Abstract

One of the advantages of temporal-logic model-checking tools is their ability to accompany a negative answer to the correctness query with a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most model-checking tools provide no witness for the satisfaction of the specification. In the last few years there has been growing awareness of the importance of suspecting that the system or the specification contains an error even when model checking succeeds. The main justification for such suspicion is the possibility of errors in the modeling of the system or of the specification. Many such errors can be detected by further automatic reasoning about the system and the environment. In particular, Beer et al. described a method for the detection of vacuous satisfaction of temporal logic specifications and the generation of interesting witnesses for the satisfaction of specifications. For example, verifying a sy...
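The abstract and the [BB94]/[CES86] citation contexts below describe the core idea: a specification such as φ = AG(req → AF grant) passes vacuously when some subformula does not affect it in the model, and for a subformula of a single polarity this is decided by substituting the "worst" constant for it (false for positive, true for negative polarity) and re-checking. The block below is an added example written for this page, not code from the paper: a small explicit-state CTL checker over a constructed Kripke structure, a polarity-based vacuity check in that style, and a BFS search for a non-vacuous witness (a run on which a request really occurs and is granted). The tuple encoding of formulas, the names `Kripke`, `sat`, `vacuous_subformulas`, `interesting_witness` and the two models are assumptions of this example; the witness search is a plain BFS composition, not the paper's automata-theoretic construction.

```python
# Explicit-state CTL model checking with a Kupferman-Vardi style vacuity check. Formulas are
# nested tuples: ('true',) ('false',) ('atom', p) ('implies', f, g) ('AF', f) ('AG', f).
from collections import deque, namedtuple

# succ: state -> non-empty list of successors; labels: state -> set of atoms; init: state
Kripke = namedtuple('Kripke', 'succ labels init')
ATOMIC = ('true', 'false', 'atom')

def sat(M, f):
    """Set of states of M satisfying the CTL formula f (temporal operators as set fixpoints)."""
    S, op = set(M.succ), f[0]
    if op in ('true', 'false'):
        return S if op == 'true' else set()
    if op == 'atom':
        return {s for s in S if f[1] in M.labels[s]}
    if op == 'implies':
        return (S - sat(M, f[1])) | sat(M, f[2])
    if op == 'AF':  # least fixpoint: f holds here, or every successor is already in Z
        Z, here = set(), sat(M, f[1])
        while True:
            new = here | {s for s in S if all(t in Z for t in M.succ[s])}
            if new == Z:
                return Z
            Z = new
    if op == 'AG':  # greatest fixpoint: f holds here and every successor stays in Z
        Z = sat(M, f[1])
        while True:
            new = {s for s in Z if all(t in Z for t in M.succ[s])}
            if new == Z:
                return Z
            Z = new
    raise ValueError(f'unknown operator {op!r}')

def holds(M, f):
    return M.init in sat(M, f)

def subformulas(f):
    """All subformulas of f, f itself first, each listed once."""
    subs = [f]
    if f[0] not in ATOMIC:
        for g in f[1:]:
            subs += [h for h in subformulas(g) if h not in subs]
    return subs

def polarities(f, psi, pol=1):
    """Polarity (+1/-1) of each occurrence of psi in f; the antecedent of an implication flips it."""
    if f == psi:
        return [pol]
    if f[0] in ATOMIC:
        return []
    if f[0] == 'implies':
        return polarities(f[1], psi, -pol) + polarities(f[2], psi, pol)
    return polarities(f[1], psi, pol)  # AF and AG are unary and preserve polarity

def substitute(f, psi, g):
    """f with every occurrence of psi replaced by g."""
    if f == psi:
        return g
    if f[0] in ATOMIC:
        return f
    return (f[0],) + tuple(substitute(h, psi, g) for h in f[1:])

def vacuous_subformulas(M, phi):
    """Strict subformulas psi that do not affect phi in M (requires M |= phi): when all
    occurrences of psi share one polarity, M |= phi[psi <- bottom] decides it, with bottom =
    false for positive and true for negative polarity. Mixed-polarity psi are skipped."""
    if not holds(M, phi):
        raise ValueError('vacuity is only defined when M satisfies phi')
    found = []
    for psi in subformulas(phi)[1:]:
        pols = set(polarities(phi, psi))
        if psi[0] in ('true', 'false') or len(pols) != 1:
            continue
        bottom = ('false',) if pols == {1} else ('true',)
        if holds(M, substitute(phi, psi, bottom)):
            found.append(psi)
    return found

def path_to(M, start, targets):
    seen, queue = {start}, deque([[start]])  # BFS: shortest state sequence into targets, or None
    while queue:
        path = queue.popleft()
        if path[-1] in targets:
            return path
        for t in M.succ[path[-1]]:
            if t not in seen:
                seen.add(t)
                queue.append(path + [t])
    return None

def interesting_witness(M, req, grant):
    """Run prefix on which req really occurs and grant follows (non-vacuous witness for
    AG(req -> AF grant)); plain BFS, not the paper's automata-theoretic construction."""
    to_req = path_to(M, M.init, sat(M, req))
    to_grant = to_req and path_to(M, to_req[-1], sat(M, grant))
    return to_req + to_grant[1:] if to_grant else None

REQ, GRANT = ('atom', 'req'), ('atom', 'grant')
PHI = ('AG', ('implies', REQ, ('AF', GRANT)))  # every request is eventually granted
# Constructed models, not from the paper. NO_REQUESTS never raises req, so PHI passes by
# antecedent failure; ARBITER grants its request but also idles on 0 -> 3 -> 0 without granting.
NO_REQUESTS = Kripke({0: [0]}, {0: set()}, 0)
ARBITER = Kripke({0: [1, 3], 1: [2], 2: [0], 3: [0]},
                 {0: set(), 1: {'req'}, 2: {'grant'}, 3: set()}, 0)
```

On `NO_REQUESTS` the formula holds, but `vacuous_subformulas` reports `AF grant` and `grant` as not affecting it (the consequent can be replaced by false and φ still passes), which is exactly the antecedent-failure case; `interesting_witness` finds nothing, since no run ever requests. On `ARBITER` every substitution breaks φ, so the pass is non-vacuous, and the witness `[0, 1, 2]` is a run on which a request is actually followed by a grant. Note that the check decides "does not affect" only for subformulas whose occurrences all have one polarity; as the [CES86] context below says, mixed-polarity occurrences need a separate treatment.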

### Citations

1179 | Automatic Verification of Finite-State Concurrent Systems using Temporal Logic Specifications - Clarke, Emerson, et al. - 1986 |
Citation Context: ...tion for the problem of deciding whether affects φ in M. Formally, the problem can be solved in time O(C_M(|φ|)). In particular, when φ is in CTL, the problem can be solved in time linear in M and φ [CES86]. When has several occurrences, Theorem 1 is no longer valid. This is because different occurrences of may have different polarities. We now show that in this case the problem of deciding whether affe...

1108 | Temporal and Modal Logic - Emerson - 1990 |
Citation Context: ... φ yet M has no path π such that π ⊨ φ, then there also exists such an M with branching degree bounded by |φ|. The proof of the claim is similar to the proof of the bounded-degree property for CTL [Eme90]. Given φ, let A_φ be a nondeterministic Büchi tree automaton that accepts exactly all trees of branching degree at most |φ| that satisfy φ [VW86b], and let A'_φ be a nondeterministic Büchi word automato...

794 | Design and Synthesis of Synchronization Skeletons Using Branching-Time Temporal Logic - Clarke, Emerson - 1982 |

585 | An automata-theoretic approach to automatic program verification - Vardi, Wolper - 1986 |
Citation Context: ...m for CTL formulas [CGMZ95], ours go through the counterexample mechanism for LTL formulas, which uses an automata-theoretic reduction (exponential in the worst case) to CTL counterexample generation [VW86a]. Our experience with this comparison teaches us that, in practice, standard LTL model checkers perform nicely on most formulas. In fact, for formulas that can be expressed in both LTL and CTL, LTL mo...

328 | The complexity of propositional linear temporal logic - Sistla, Clarke - 1985 |
Citation Context: ...ess(φ) in M. Thus, the generation can proceed as in the case of LTL formulas, replacing ¬witness(φ) by (¬witness(φ))^d. In both cases, the lower bound follows by a reduction from LTL model checking [SC85]. The lower bound in Theorem 9 implies that the generation of interesting witnesses may require, in the worst case, space that is polynomial in the length of the specification, which in practice means...

250 | Reasoning about infinite computations - Vardi, Wolper - 1994 |
Citation Context: ... trees of branching degree at most |φ| that satisfy φ [VW86b], and let A'_φ be a nondeterministic Büchi word automaton that accepts exactly all words (i.e., trees of branching degree 1) that satisfy φ [VW94]. We expand A'_φ to a Büchi tree automaton A''_φ that accepts a tree iff the tree has a path accepted by A'_φ (in each state, A''_φ guesses a direction in which it follows A'_φ). We prove that φ...

237 | Specification and verification of concurrent systems in Cesar - Queille, Sifakis - 1981 |

235 | Checking that finite state concurrent programs satisfy their linear specification - Lichtenstein, Pnueli - 1985 |

205 | Automata-Theoretic Techniques for Modal Logics of Programs - Vardi, Wolper - 1986 |
Citation Context: ...ar to the proof of the bounded-degree property for CTL [Eme90]. Given φ, let A_φ be a nondeterministic Büchi tree automaton that accepts exactly all trees of branching degree at most |φ| that satisfy φ [VW86b], and let A'_φ be a nondeterministic Büchi word automaton that accepts exactly all words (i.e., trees of branching degree 1) that satisfy φ [VW94]. We expand A'_φ to a Büchi tree automaton A''_φ that...

147 | Temporal Semantics of Concurrent Programs - Pnueli - 1981 |
Citation Context: ...duction Temporal logics, which are modal logics geared towards the description of the temporal ordering of events, have been adopted as a powerful tool for specifying and verifying concurrent systems [Pnu81]. One of the most significant developments in this area is the discovery of algorithmic methods for verifying temporal-logic properties of finite-state systems [CE81,CES86,LP85,QS81,VW86a]. This deriv...

146 | The complexity of tree automata and logics of programs - Emerson, Jutla - 1988 |

117 | Verification tools for finite-state concurrent systems - Clarke, Grumberg, et al. |
Citation Context: ...ystem with respect to a desired behavior by checking whether a labeled state-transition graph that models the system satisfies a temporal logic formula that specifies this behavior (for a survey, see [CGL93]). Beyond being fully automatic, an additional attraction of model-checking tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of th...

80 | Modalities for model checking: Branching time logic strikes back - Emerson, Lei - 1987 |
Citation Context: ... get that M ⊭ A(¬φ)^d iff M has a path π such that π ⊨ φ. It follows that φ is linearly witnessable in M iff M ⊨ φ → Eφ^d. Membership in PSPACE then follows from CTL* model-checking complexity [EL87]. Given a system M and an ACTL formula φ, it is shown in [KV98b] that the model-checking problem M ⊨ Aφ^d → φ is PSPACE-complete. Equivalently, given a system M and an ECTL formula φ, the model-check...


63 | Simulating alternating tree automata by nondeterministic automata: new results and new proofs of the theorems of - Muller, Schupp - 1995 |

54 | Efficient generation of counterexamples and witnesses in symbolic model checking - Clarke, Grumberg, McMillan, Zhao - 1995 |
Citation Context: ...h a negative answer, the model checker returns some erroneous execution of the system. These counterexamples are very important and they can be essential in detecting subtle errors in complex designs [CGMZ95]. On the other hand, when the answer to the correctness query is positive, most model-checking tools provide no witness for the satisfaction of the specification in the system. Since a positive answer...

43 | Freedom, Weakness, and Determinism: From Linear-time to Branching-time - Kupferman, Vardi - 1998 |
Citation Context: ...ound and an EXPTIME lower bound [KV98b]), the complexity of determining whether an LTL formula has an equivalent alternation-free μ-calculus formula (an EXPSPACE upper bound and a PSPACE lower bound [KV98a]), and several more problems. Essentially, in all the problems above we check the equivalence between a set of trees that satisfy Aφ, for an LTL formula φ, and a set of trees that is defined directly ...

42 | Formally verifying a microprocessor using a simulation methodology - Beaty, Bryant - 1994 |
Citation Context: ...ts are possible errors in the modeling of the system or of the behavior. Early work on "suspecting a positive answer" concerns the fact that temporal logic formulas can suffer from antecedent failure [BB94]. For example, verifying a system with respect to the specification φ = AG(req → AF grant) ("every request is eventually followed by a grant"), one should distinguish between vacuous satisfaction of φ...

41 | Efficient Detection of Vacuity in ACTL Formulas - Beer, Ben-David, et al. - 1997 |
Citation Context: ...ion was expected to be satisfied. Several years of experience in practical formal verification have convinced the verification group in IBM Haifa Research Laboratory that vacuity is a serious problem [BBER97]. To quote from [BBER97]: "Our experience has shown that typically 20% of specifications pass vacuously during the first formal-verification runs of a new hardware design, and that vacuous passes alwa...

35 | Improved upper and lower bounds for modal logics of programs - Vardi, Stockmeyer - 1985 |

34 | Expressibility results for linear-time and branching-time logics - Clarke, Draghicescu - 1988 |
Citation Context: ...ollowing notation. For a branching temporal logic formula φ in positive normal form, let φ^d be the LTL formula obtained from φ by eliminating its path quantifiers. For example, (AGEFp)^d = GFp. By [CD88], φ has an equivalent LTL formula iff φ is equivalent to Aφ^d. Theorem 6. For a branching temporal logic formula φ and a system M, we have that M ⊭ Aφ^d iff M has a path π such that π ⊭ φ. Pro...

33 | Coverage estimation for symbolic model checking - Hoskote, Kam, et al. - 1999 |

27 | Coverage metrics for temporal logic model checking. In Tools and algorithms for the construction and analysis of systems, number 2031 - Chockler, Kupferman, et al. - 2001 |

19 | On the Complexity of Branching Modular Model Checking - Kupferman, Vardi - 1995 |

19 | Relating linear and branching model checking - Kupferman, Vardi - 1998 |
Citation Context: ...unds in Theorem 4 is similar to gaps in related problems such as the complexity of determining whether a CTL* formula has an equivalent LTL formula (a 2EXPTIME upper bound and an EXPTIME lower bound [KV98b]), the complexity of determining whether an LTL formula has an equivalent alternation-free μ-calculus formula (an EXPSPACE upper bound and a PSPACE lower bound [KV98a]), and several more problems. Es...


14 | Characterizing Kripke structures in propositional temporal logic. Theoretical Computer Science - Browne, Clarke, et al. - 1988 |

13 | private communication - Clarke, Dandl |

13 | FormalCheck User's Manual. Cadence Design - Kurshan - 1998 |
Citation Context: ...rification process. We mention here two recent related approaches. An approach that is closely related to vacuity is taken in the process of constraint validation in the verification tool FormalCheck [Kur98]. In order to validate a set of constraints about the environment, the constraints are converted into specifications and are checked with respect to a model of the environment. Sometimes, however, the...

8 | Formal verification of a commercial serial bus interface - Plessier, Pixley - 1995 |



3 | "Have I written enough properties?" A method of comparison between specification and implementation - Katz, Geist, et al. - 1999 |
Citation Context: ...ks for constraint validation. This includes a search for enabling conditions that are never enabled, and a replacement of all or some of the constraints by false. A different approach is described in [KGG99], where the authors extend the notion of coverage from testing to model checking. Given a specification and its implementation, bisimulation is used in order to check whether the specification covers ...

2 | Verification tools for concurrent systems - Clarke, Grumberg, et al. - 1994 |

1 | Efficient decision procedures for model checking of linear time logic properties - Bloem, Ravi, et al. - 1999 |


