## Another Look at LTL Model Checking (1994)

### Cached

### Download Links

- [reports.adm.cs.cmu.edu]
- [www.cs.technion.ac.il]
- DBLP

### Other Repositories/Bibliography

Venue: | FORMAL METHODS IN SYSTEM DESIGN |

Citations: | 111 - 11 self |

### BibTeX

@INPROCEEDINGS{Clarke94anotherlook,

author = {E. Clarke and O. Grumberg and K. Hamaguchi},

title = {Another Look at LTL Model Checking},

booktitle = {FORMAL METHODS IN SYSTEM DESIGN},

year = {1994},

pages = {415--427},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

We show how LTL model checking can be reduced to CTL model checking with fairness constraints. Using this reduction, we also describe how to construct a symbolic LTL model checker that appears to be quite efficient in practice. In particular, we show how the SMV model checking system developed by McMillan [16] can be extended to permit LTL specifications. The results that we have obtained are quite surprising. For the examples we considered, the LTL model checker required at most twice as much time and space as the CTL model checker. Although additional examples still need to be tried, it appears that efficient LTL model checking is possible when the specifications are not excessively complicated.

### Citations

3027 | Graph-based algorithms for boolean function manipulation
- Bryant
- 1986
(Show Context)
Citation Context ...d to extend SMV for testing inclusion between various types of !-automata. 2 Binary Decision Diagrams Ordered binary decision diagrams (OBDDs) are a canonical form representation for boolean formulas =-=[3]-=-. They are often substantially more compact than traditional normal forms such as conjunctive normal form or disjunctive normal form, and they can be manipulated very efficiently. An OBDD is similar t... |

1208 | Automatic verification of finite-state concurrent systems using temporal logic specifications
- Clarke, Emerson, et al.
- 1986
(Show Context)
Citation Context ... let R be an n-ary relation over the finite domain D. Using an appropriate binary encoding of D, we can represent R by an OBDD. 3 Computation Tree Logics We begin by describing the temporal logic CTL =-=[8, 9, 12], which can express -=-both lineartime and branching-time properties. In this logic, a path quantifier, either A ("for all computation paths") or E ("for some computation paths") can prefix an assertion ... |

604 |
an automata-theoretic approach to automatic program verification
- vardi, Wolper
(Show Context)
Citation Context ...ze of the formula, but linear in the size of the model. Based on this result, they argued that the high complexity of LTL model checking might still be acceptable for short formulas. Vardi and Wolper =-=[18]-=- obtained a different algorithm based on !-automata with roughly the same complexity. Unfortunately, the LTL algorithms appeared significantly more difficult to implement. Because of this, very few LT... |

517 |
Symbolic model checking: An approach to the state explosion problem
- McMillan
- 1992
(Show Context)
Citation Context ...eduction, we also describe how to construct a symbolic LTL model checker that appears to be quite efficient in practice. In particular, we show how the SMV model checking system developed by McMillan =-=[16]-=- can be extended to permit LTL specifications. The results that we have obtained are quite surprising. For the examples we considered, the LTL model checker required at most twice as much time and spa... |

459 | Efficient Implementation of a BDD Package
- Brace, Rudell, et al.
- 1990
(Show Context)
Citation Context ...e complexity of these operations is linear in the size of the argument OBDDs [3]. Furthermore equivalence checking of two boolean functions can be done in constant time, by using a hash table properly=-=[2]-=-. OBDDs are extremely useful for obtaining concise representations of relations over finite domains [4, 16]. If R is n-ary relation over f0; 1g then R can be represented by the OBDD for its characteri... |

326 |
Symbolic Model Checking: 10 States and Beyond
- Burch, Clarke, et al.
- 1992
(Show Context)
Citation Context .... We have developed a translator T that takes an LTL formula f and constructs an SMV program T (f) to build the tableau for f . The tableau construction that we use is similar to the one described in =-=[4]-=-. To check that f holds for some SMV program M , we combine the text of T = T (:f) with the text of M to obtain a new SMV program P = P(T; M ). We add CTL fairness constraints to P in order to make su... |

239 | A.: Checking that finite state concurrent programs satisfy their linear specification
- Lichtenstein, Pnueli
- 1985
(Show Context)
Citation Context ...le to develop such tools has been argued for many years. Sistla and Clarke [17] showed in 1982 that the model checking problem for LTL was, in general, PSPACE complete. Later, Pnueli and Lichtenstein =-=[14]-=- gave an LTL model checking algorithm that was exponential in the size of the formula, but linear in the size of the model. Based on this result, they argued that the high complexity of LTL model chec... |

197 |
Synthesis of synchronization skeletons for branching time temporal logic
- Clarke, Emerson
- 1981
(Show Context)
Citation Context ... let R be an n-ary relation over the finite domain D. Using an appropriate binary encoding of D, we can represent R by an OBDD. 3 Computation Tree Logics We begin by describing the temporal logic CTL =-=[8, 9, 12], which can express -=-both lineartime and branching-time properties. In this logic, a path quantifier, either A ("for all computation paths") or E ("for some computation paths") can prefix an assertion ... |

168 |
The temporal logic of branching time
- Ben-Ari, Pnueli, et al.
- 1983
(Show Context)
Citation Context ...ks0 such that �� k j= g 2 and for all 0sj ! k, �� j j= g 1 . The following abbreviations are used in writing CTL formulas: ffl fsg j :(:fs:g) ffl F f j true U f ffl A(f ) j :E(:f ) ffl G f j :=-=F:f CTL [1, 8]-=- is a restricted subset of CTL that permits only branching-time operators--- each of the linear-time operators G, F, X, and U must be immediately preceded by a path quantifier. More precisely, CTL is ... |

122 | Verification tools for finite-state concurrent systems
- Clarke, Grumberg, et al.
- 1993
(Show Context)
Citation Context ...king, binary decision diagrams 1 Introduction Over the past thirteen years there has been considerable research on efficient model checking algorithms for branching-time temporal logics like CTL (See =-=[5]-=- for a survey). Verification tools based on these algorithms have discovered non-trivial design errors in sequential circuits and protocols [10] and are now beginning to be used in industry. There has... |

97 | Verification of the futurebus+ cache coherence protocol
- Clarke, Grumberg, et al.
- 1995
(Show Context)
Citation Context ...orithms for branching-time temporal logics like CTL (See [5] for a survey). Verification tools based on these algorithms have discovered non-trivial design errors in sequential circuits and protocols =-=[10]-=- and are now beginning to be used in industry. There has been relatively little research, however, on efficient model checking algorithms for linear-temporal logic (LTL), and practical verification to... |

94 |
Symbolic model checking: states and beyond
- Burch, Clarke, et al.
- 1992
(Show Context)
Citation Context .... We have developed a translator T that takes an LTL formula f and constructs an SMV program T (f) to build the tableau for f . The tableau construction that we use is similar to the one described in =-=[4]-=-. To check that f holds for some SMV program M , we combine the text of T = T (:f) with the text of M to obtain a new SMV program P = P rod(T; M ). We add CTL fairness constraints to P in order to mak... |

92 |
sometimes" and "not never" revisited: on branching versus linear time temporal logic
- Emerson, Halpern
- 1983
(Show Context)
Citation Context ... let R be an n-ary relation over the finite domain D. Using an appropriate binary encoding of D, we can represent R by an OBDD. 3 Computation Tree Logics We begin by describing the temporal logic CTL =-=[8, 9, 12], which can express -=-both lineartime and branching-time properties. In this logic, a path quantifier, either A ("for all computation paths") or E ("for some computation paths") can prefix an assertion ... |

65 |
Modalities for model checking: Branching time strikes back
- Emerson, Lei
- 1985
(Show Context)
Citation Context ...n about linear-time and branching-time properties in the same logic (say, CTL ). We believe this goal can potentially be realized by extending the techniques discusssed in this paper. Emerson and Lei =-=[13]-=- have shown how to reduce CTL model checking to LTL model checking. If the transformation outlined in this paper can be extended to incorporate their reduction, then it should be possible to develop a... |

61 |
Verifying temporal properties of sequential machines without building their state diagrams
- Coudert, Madre, et al.
(Show Context)
Citation Context ...ess specification for the DME circuit ffl At each step in the forward search, the transition relation is restricted to the set of reachable states. The Restrict function of Coudert, Madre and Berthet =-=[11]-=- is used for this purpose. Table 1 summarizes the experimental results for the safety specification, and Table 2 summarizes the results for the liveness specification. The columns show the number of t... |

48 |
The design of a self-timed circuit for distributed mutual exclusion
- Martin
- 1985
(Show Context)
Citation Context ...nnecessary to modify SMV (or even understand how SMV is actually implemented). We have evaluated the approach on several standard SMV programs (including Martin's distributed mutual exclusion circuit =-=[15]-=- and the synchronous arbiter described in McMillan's thesis [16]). In order to make sure that the experiments were unbiased, we deliberately chose specifications which could be expressed in both CTL a... |

24 |
A unified approach for showing language containment and equivalence between various types of w-automata
- Draghicescu, Kurshan
(Show Context)
Citation Context ...ly complicated. This does not mean that LTL will take the place of CTL in model checking applications. Many other problems, like testing inclusion and equivalence between various types omega-automata =-=[7]-=-, can also be reduced to CTL model checking. LTL, on the other hand, does not appear to have this flexibility. Moreover, in many of the applications of model checking to verification, it is important ... |

18 | Complexity of propositional temporal logics - Sistla, Clarke - 1985 |

9 |
Expressibility results for linear time and branching time logics
- Clarke, Draghicescu
(Show Context)
Citation Context ...arbiter CTL formula AGEF start (Regardless of what state the program enters, there exists a computation leading back to the start state). Neither this formula nor its negation can be expressed in LTL =-=[6]-=-, so LTL model checking techniques cannot be used to decide whether the formula is true or not. Idealy, it should be possible to reason about linear-time and branching-time properties in the same logi... |