## Automated Temporal Reasoning about Reactive Systems (1996)

Citations: 38 (2 self)

### BibTeX

@INPROCEEDINGS{Emerson96automatedtemporal,

author = {E. Allen Emerson},

title = {Automated Temporal Reasoning about Reactive Systems},

booktitle = {},

year = {1996},

pages = {41--101},

publisher = {Springer-Verlag}

}

### Abstract

There is a growing need for reliable methods of designing correct reactive systems such as computer operating systems and air traffic control systems. It is widely agreed that certain formalisms such as temporal logic, when coupled with automated reasoning support, provide the most effective and reliable means of specifying and ensuring correct behavior of such systems. This paper discusses known complexity and expressiveness results for a number of such logics in common use and describes key technical tools for obtaining essentially optimal mechanical reasoning algorithms. However, the emphasis is on underlying intuitions and broad themes rather than technical intricacies.

1 Introduction

There is a growing need for reliable methods of designing correct reactive systems. These systems are characterized by ongoing, typically nonterminating and highly nondeterministic behavior. Examples include operating systems, network protocols, and air traffic control systems. There is w...

### Citations

2930 | Graph-based algorithms for Boolean function manipulation - Bryant - 1986 |

Citation Context: ...0 100 states and even considerably larger. The key idea is represent the state graph in terms of a boolean characteristic function which is in turn represented by a Binary Decision Diagram (BDD) (cf. [Br86]). BDD-based model checkers have been remarkably effective and useful for debugging and verification of hardware circuits. For reasons not well understood, BDDs are able to exploit the regularity that...

1501 | The Temporal Logic of Reactive and Concurrent Systems: Specifications. The Temporal Logic of Reactive and Concurrent Systems - Manna, Pnueli - 1992 |

Citation Context: ...al subtleties associated with reactive systems in particular a great deal of effort has gone into developing formal methods for reasoning about program correctness. There is a vast literature (cf. [MP92]) on the use of manual "proof systems", where a program's behavior is specified in some formal assertion language or logic, often a dialect of temporal logic, and then a rigorous mathematical proof is...

1204 | The temporal logic of programs - Pnueli - 1977 |

Citation Context: ... intended to terminate, and are thus based on initial state -- final state semantics are of little value when trying to reason about reactive systems, since there is in general no final state. Pnueli [Pn77] was the first to recognize the importance of ongoing reactive systems and the need for a formalism suitable for describing nonterminating behavior. Pnueli proposed the use of temporal logic as a lang...

1108 | Temporal and Modal Logic - Emerson - 1990 |

741 | Petri Nets: Basic Concepts, Analysis Methods and Practical Use - Jensen - 1997 |

585 | An automata-theoretic approach to automatic program verification - Vardi, Wolper - 1986 |

Citation Context: ...ch less exponential time (cf. [KP83], [SE84]). Secondly, automata can provide a general, uniform framework encompassing essentially all aspects temporal reasoning about reactive systems (cf. [VW84], [VW86], [Va87], [AKS83], [Ku94]). Automata themselves have been proposed as a potentially useful specification language. Automata, moreover, bear an obvious relation to temporal structures, the state transi...

500 | Symbolic Model Checking: An Approach to the State Explosion Problem - McMillan - 1993 |

Citation Context: ...ving just 10 local states, could yield a global state graph of astronomical size amounting to about $10^{100}$ states. A major advance has been the introduction of symbolic model checking techniques (cf. [McM92], [Pi90], [CM90]) which are -- in practice -- often able to succinctly represent and model check over state graphs of size $10^{100}$ states and even considerably larger. The key idea is represent the stat...

476 | Automata on infinite objects - Thomas - 1990 |

414 | Computer-Aided Verification of Coordinating Processes - Kurshan - 1994 |

Citation Context: ... ameliorating this state explosion problem, including symbolic model checking and state reduction techniques, have been explored in the literature and remain a topic of current research interest (cf. [Ku94]). In the case of testing satisfiability, for the rather simple logic CTL, a tableau construction suffices to obtain the Small Model Theorem, which asserts that any satisfiable formula f has a "small"...

411 | Introduction to VLSI Systems - Mead, Conway - 1980 |

358 | Propositional dynamic logic of regular programs - Fischer, Ladner - 1979 |

Citation Context: ...possible formulation is to use $EX_i\,p$ for "there exists a successor state satisfying p, reached by some step of process i". Dually, we then also have $AX_i\,p$. The classical notation, going back to PDL [FL79], would write $\langle i \rangle p$ and $[i]p$, respectively. Discussion We can get some intuition for the Mu-Calculus by noting the following extremal fixpoint characterizations for CTL properties: EFP j Z:PsEXZ A...

336 | On a decision method in restricted second order arithmetic. In Proceedings of the 1960 International Congress on Logic, Methodology and Philosophy of Science - Büchi - 1962 |

Citation Context: ...plemented pairs acceptance condition can given formally by a temporal logic formula $\Phi = \bigwedge_{i \in [1:k]} \overset{\infty}{F}\,\mathit{green}_i \Rightarrow \overset{\infty}{F}\,\mathit{red}_i$. A special case of both pairs and complemented pair conditions is the Buchi [Bu62] acceptance condition. Here there is a single green light and $\phi = \overset{\infty}{F}\,\mathit{green}$. A final acceptance condition that we mention is the parity acceptance condition [Mo84] (cf. [EJ91]). Here we are given a...

334 | On the Synthesis of a Reactive Module - Pnueli, Rosner - 1989 |

Citation Context: ...te diagram turns out to be significant in applications to testing satisfiability as explained below. Related results on the complexity of testing nonemptiness of tree automata may be found in [EJ88], [PR89], [EJ91]. Decision Procedure for CTL* For branching time logics with richer modalities such as CTL*, the tableau construction is not directly applicable. Instead, the problem reduces to constructing a...

271 | Automatic Verification of finite state concurrent systems using temporal logic specifications - Clarke, Emerson, et al. |

246 | 'Sometimes' and 'not never' revisited: on branching versus linear time - Emerson, Halpern - 1986 |

Citation Context: ...ators where the path quantifiers (A or E) is followed by an arbitrary linear time formula, allowing boolean combinations and nestings, over F, G, X, and U. It was proposed as a unifying framework in [EH86], subsuming a number of other systems, including both CTL and PLTL. The system PLTL (Propositional Linear temporal logic) is the "standard" linear time temporal logic widely used in applications (cf. ...

240 | Tense logic and the theory of linear order - Kamp - 1968 |

235 | Checking that finite state concurrent programs satisfy their linear specification - Lichtenstein, Pnueli - 1985 |

Citation Context: ...be shown to be PSPACE-hard; it then follows that PLTL satisfiability testing is also PSPACE-hard. An important multi-parameter analysis of PLTL model checking was performed by Lichtenstein and Pnueli [LP85], yielding a bound of $O(|M| \cdot \exp(|h|))$ for an input structure M and input formula h. The associated algorithm is simple and elegant. We wish to check whether there is a path starting at a given...

231 | On the temporal analysis of fairness - Gabbay, Pnueli, et al. - 1980 |

230 | Introduction to logic - Rescher - 1964 |

Citation Context: ...ral logic as a language for specifying and reasoning about change over time. Temporal logic in its most basic form corresponds to a type of modal tense logic originally developed by philosophers (cf. [RU71]). It provides such simple but basic temporal operators as Fp (sometime p) and Gp (always p), that, Pnueli argued, can be combined to readily express many important correctness properties of interest ...

226 | Counter-free automata - McNaughton, Papert - 1971 |

Citation Context: ... be translated into an equivalent $\omega$-regular expression $\alpha$. Thus, the basic modality $Eh$ of CTL* maps to $E\alpha$ in PDL-$\Delta$. Because $\omega$-regular expressions are strictly more expressive than PLTL (cf. [MP71], [Wo83]), there are properties expressible in PDL-$\Delta$ that cannot be captured by any CTL* formula. $E(P; \mathit{true})^{\omega}$ is perhaps the classic example of such a property. It is worth noting that CTL* syn...

218 | An automata-theoretic approach to linear temporal logic - Vardi |

212 | Tree automata, mu calculus and determinacy - Emerson, Jutla - 1991 |

Citation Context: ...nditions is the Buchi [Bu62] acceptance condition. Here there is a single green light and $\phi = \overset{\infty}{F}\,\mathit{green}$. A final acceptance condition that we mention is the parity acceptance condition [Mo84] (cf. [EJ91]). Here we are given a finite list $(C_1, \ldots, C_k)$ of sets of states which we think of as colored lights. The condition is that the highest index color $C_i$ which flashes infinitely often should b...

205 | Automata-Theoretic Techniques for Modal Logics of Programs - Vardi, Wolper - 1986 |

Citation Context: ...ted by the automaton.) General automata-theoretic techniques for reasoning about a number of relatively simple logics, including CTL, using Buchi tree automata have been described by Vardi and Wolper [VW84]. However, it is for richer logics such as CTL* that the use of tree automata become essential. Tree Automata We describe finite automata on labeled, infinite binary trees (cf. [Ra69]). 8 The set f...

194 | Modal and Temporal Logics, in - Stirling - 1992 |

185 | Better verification through symmetry - Ip, Dill - 1993 |

179 | What good is temporal logic - Lamport |

177 | Using branching time temporal logic to synthesize synchronization skeletons - Emerson, Clarke - 1982 |

Citation Context: ...omial in jT 0 j, yielding an exponential time upper bound. A matching lower bound can be established by simulating alternating polynomial space Turing machines (cf. [FL79]) Thus, we have (cf. [EH85], [EC82]) Theorem 4.2. CTL satisfiability is deterministic exponential time complete. 5 Decision Procedures II: Automata-theoretic Approach There has been a resurgence of interest in finite state automata on ...

166 | Symmetry and model checking - Emerson, Sistla - 1996 |

Citation Context: ...PsAXZ) E(P U Q) j Z:Qs(PsEXZ) For these properties, as we see, the fixpoint characterizations are simple and plausible. It is not too difficult to give rigorous proofs of their correctness [EC80], [EL86]. However, it turns out that it is possible to write down highly inscrutable Mu-calculus formulae for which there is no readily apparent intuition regarding their intended meaning. As discussed subseq...

164 | The temporal logic of branching time - Ben-Ari, Pnueli, et al. - 1983 |

Citation Context: ... ("nexttime"), or U ("until"). It corresponds to what one might naturally first think of as a branching time logic. CTL is closely related to branching time logics proposed in [La80], [EC80], [QS82], [BPM83], and was itself proposed in [CE81]. However, its syntactic restrictions limit its expressive power so that, for example, correctness under fair scheduling assumptions cannot be expressed. We therefor...

160 | Synthesis of communicating processes from temporal logic specifications - Manna, Wolper - 1984 |

149 | Myths about the mutual exclusion problem - Peterson - 1981 |

147 | Temporal Semantics of Concurrent Programs - Pnueli - 1981 |

142 | Decision Procedures and Expressiveness in the Temporal Logic of Branching Time - Emerson, Halpern - 1985 |

Citation Context: ...me polynomial in jT 0 j, yielding an exponential time upper bound. A matching lower bound can be established by simulating alternating polynomial space Turing machines (cf. [FL79]) Thus, we have (cf. [EH85], [EC82]) Theorem 4.2. CTL satisfiability is deterministic exponential time complete. 5 Decision Procedures II: Automata-theoretic Approach There has been a resurgence of interest in finite state auto...

141 | Proving liveness properties of concurrent programs - Owicki, Lamport - 1982 |

136 | The Glory of the Past - Lichtenstein, Pnueli, et al. - 1985 |

135 | Application of temporal logic to the specification and verification of reactive systems: a survey of current trends - Pnueli - 1986 |

Citation Context: ...lly, some concluding remarks are given in section 7. 2 Preliminaries 2.1 Reactive Systems The ultimate focus of our concern is the development of effective methods for designing reactive systems (cf. [Pn86]). These are computer hardware and/or computer software systems that usually exhibit concurrent or parallel execution, where many individual processes and subcomponents are running at the same time, p...

131 | The complementation problem for Büchi automata with applications to temporal logic - Sistla, Vardi, et al. - 1987 |

Citation Context: ... model of f . The nodes of T 7 It seems that in most cases complementation is what is really needed. Complementation for infinite string automata can be accomplished without determinization (cf. e.g. [SVW87]). However, for automata on infinite trees it is not clear that complementation can be performed without determinization of $\omega$-string automata. thus correspond to a partitioning/covering of the stat...

128 | Reasoning about systems with many processes - German, Sistla - 1992 |

121 | Characterizing correctness properties of parallel programs as - Emerson, Clarke - 1981 |

Citation Context: ... ("sometime"), X ("nexttime"), or U ("until"). It corresponds to what one might naturally first think of as a branching time logic. CTL is closely related to branching time logics proposed in [La80], [EC80], [QS82], [BPM83], and was itself proposed in [CE81]. However, its syntactic restrictions limit its expressive power so that, for example, correctness under fair scheduling assumptions cannot be expre...

117 | Expressing interesting properties of programs in propositional temporal logic - Wolper - 1986 |

114 | Decidability of second order theories and automata on infinite trees - Rabin - 1969 |

Citation Context: ...s of states. Letting $\mathrm{In}\ r$ denote the set of states in Q that appear infinitely often along r, we say that run r meets the Muller condition provided that $\mathrm{In}\ r \in F$. For a pairs automaton (cf. [McN66], [Ra69]) acceptance is defined in terms of a finite list $((\mathit{red}_1, \mathit{green}_1), \ldots, (\mathit{red}_k, \mathit{green}_k))$ of pairs of sets of automaton states (which may be thought of as pairs of colored lights where A flas...

109 | A Linear-time model-checking algorithm for the alternation-free modal mu-calculus - Cleaveland, Steffen - 1993 |

Citation Context: ... basic monotonicity considerations, a time bound of $O((|M| \cdot |f|)^{k+1})$ can be shown (cf. [EL86]). Subsequent work has addressed improving the degree of the polynomial to simply k (cf. [An93], [CS93]). In fact, this can be improved to about $O((|M| \cdot |f|)^{k/2})$ (cf. [Lo+94]) by a technique that trades time for space and stores, roughly, all intermediate results. However, this method also us...

94 | Reasoning about networks with many identical finite state processes - Clarke, Grumberg, et al. - 1989 |

91 | Testing and generating infinite sequences by a finite automaton - McNaughton - 1966 |

Citation Context: ... F of sets of states. Letting $\mathrm{In}\ r$ denote the set of states in Q that appear infinitely often along r, we say that run r meets the Muller condition provided that $\mathrm{In}\ r \in F$. For a pairs automaton (cf. [McN66], [Ra69]) acceptance is defined in terms of a finite list $((\mathit{red}_1, \mathit{green}_1), \ldots, (\mathit{red}_k, \mathit{green}_k))$ of pairs of sets of automaton states (which may be thought of as pairs of colored lights wher...

91 | The tableau method for temporal logic: An overview. Logique et Analyse - Wolper |

86 | METATEM: A framework for programming in temporal logic - Barringer, Fisher, et al. - 1989 |

Citation Context: ... synthesis of a program M meeting a temporal specification p using a decision procedure for testing satisfiability (cf. [EC82, MW84, PR89]). 3. Executable temporal logic specifications. This approach [BFGGO89] may be viewed as an elegant variation of the synthesis approach. While synthesis might be seen as a process of compiling temporal logic specifications, in contrast, this approach amounts to interpret...

81 | A Temporal Fixpoint Calculus - Vardi - 1988 |

78 | A theory and implementation of sequential hardware equivalence - Pixley - 1992 |

Citation Context: ... 10 local states, could yield a global state graph of astronomical size amounting to about $10^{100}$ states. A major advance has been the introduction of symbolic model checking techniques (cf. [McM92], [Pi90], [CM90]) which are -- in practice -- often able to succinctly represent and model check over state graphs of size $10^{100}$ states and even considerably larger. The key idea is represent the state graph ...

77 | A really abstract concurrent model and its temporal logic - Barringer, Kuiper, et al. - 1986 |

77 | Verification of concurrent programs: The temporal framework. In The correctness problem in computer science - Manna, Pnueli - 1981 |