## Formula-Dependent Equivalence for Compositional CTL Model Checking (1994)

Citations: 30 (4 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Aziz94formula-dependentequivalence,
  author    = {Adnan Aziz and Thomas R. Shiple and Vigyan Singhal and Alberto L. Sangiovanni-Vincentelli},
  title     = {Formula-Dependent Equivalence for Compositional CTL Model Checking},
  booktitle = {},
  year      = {1994},
  pages     = {324--337},
  publisher = {Springer-Verlag}
}
```

### Abstract

We present a state equivalence that is defined with respect to a given CTL formula. Since it does not attempt to preserve all CTL formulas, like bisimulation does, we can expect to compute coarser equivalences. We use this equivalence to manage the size of the transition relations encountered when model checking a system of interacting FSMs. Specifically, the equivalence is used to reduce the size of each component FSM, so that their product will be smaller. We show how to apply the method, whether an explicit representation is used for the FSMs, or BDDs are used. Also, we show that in some cases our approach can detect if a formula passes or fails, without composing all the component machines. The method is exact and fully automatic, and handles full CTL.

1 Introduction

Formal design verification is the process of verifying that a design has certain properties that the designer intended. A well known verification technique is computation tree logic (CTL) model checking. In this app...

### Citations

**Communication and Concurrency** (Milner, 1989). Cited by 3278.

**Model Checking** (Clarke, Grumberg, et al., 2000). Cited by 2525.

Citation context: "...nes. This technique has been used by [3]. Clarke et al. presented the interface rule, which can be applied when a CTL formula refers to the atomic propositions of just one machine, the "main" machine [7]. In this case, the outputs of the other machines that cannot be sensed by the main machine, can be "hidden". After hiding such outputs, some states in the other machines may become equivalent, and he..."

**Automatic verification of finite-state concurrent systems using temporal logic specifications** (Clarke, Emerson, et al., 1986). Cited by 1208.

Citation context: "... In this approach, a design is modeled as a finite state machine (FSM), properties are stated using CTL formulas, and a "model checker" is used to prove that the FSM satisfies the given CTL formulas [6]. The complexity of model checking a formula is linear in the number of states of the FSM. Oftentimes, large designs are constructed by linking together a set of FSMs. The straightforward approach to ..."

**Temporal and Modal Logic** (Emerson, 1990). Cited by 1134.

Citation context: "... were defined in such a way that the converse of Proposition 2 did hold, then $\mathrm{FAIL}_\varphi$ would be EXPTIME-hard to compute. The reduction is from CTL satisfiability, which is known to be EXPTIME-complete [10]. To check if a formula $\varphi$ is satisfiable, compute $\mathrm{FAIL}_\varphi$ for the component $M$ shown in Figure 4, where $p$ is some atomic proposition not in $\varphi$. We can show that $x \in \mathrm{FAIL}_\varphi$ if and only if $\varphi$ is not sa..."

**Model Checking and modular verification** (Grumberg, Long). Cited by 278.

Citation context: "... and not observable by other machines, can be hidden. Grumberg et al. defined a subset of CTL, known as ACTL, which permits only universal path quantification, and not existential path quantification [11]. They go on to develop an approach to compositional model checking for ACTL. If an ACTL formula is true of one component in a system, then it is true of the entire system. Thus, in some cases the ful..."

**Verification of synchronous sequential machines based on symbolic execution** (Coudert, Berthet, et al.). Cited by 161.

Citation context: "...sition between equivalent states (e.g. if $s \xrightarrow{a} s'$ is in $T$ and $E_\varphi(x, s)$ and $E_\varphi(x', s')$, then $x \xrightarrow{a} x'$ is added). The lower bound is $T$ itself. Given these bounds, a heuristic like restrict [8] is used to find a small BDD between $T$ and $T_{max}$. It can be shown that any transition relation between $T$ and $T_{max}$ can be used without altering the result returned by the model checker. Alternatively..."

**Generation of reduced models for checking fragments of CTL** (Dams, Grumberg, et al., 1993). Cited by 36.

Citation context: "...formula is false, then the product machine must always be formed. An asset of this approach is that it handles fairness constraints on the system. Dams et al. have also devised an approach using ACTL [9]. Like our method, they compute an equivalence with respect to a single formula. Although they are limited to formulas of ACTL, it may turn out that coarser equivalences are possible by restricting to..."

**Minimal state graph generation** (Bouajjani, Fernandez, et al., 1992). Cited by 28.

Citation context: "...ed in the introduction, bisimulation preserves the truth of all CTL formulas, and hence can be used to identify equivalent states to derive smaller component machines. This technique has been used by [3]. Clarke et al. presented the interface rule, which can be applied when a CTL formula refers to the atomic propositions of just one machine, the "main" machine [7]. In this case, the outputs of the ot..."

**Characterizing Kripke structures in temporal logic** (Browne, Clarke, et al., 1987). Cited by 19.

Citation context: "...e taking their product, thus leading to a smaller product machine. It is well known that bisimulation equivalence is the coarsest (or weakest) equivalence that preserves the truth of all CTL formulas [4]. However, in general we are interested in model checking a system with respect to just a few formulas, and hence preserving all CTL formulas is stronger than needed. Thus, we investigate a formula-de..."

**Verifying Interacting Finite State Machines** (Aziz, Brayton, 1993). Cited by 11.

Citation context: "...rdered binary decision diagrams (BDDs). As it turns out, we cannot hope to do better than this in the worst case, because the problem of model checking a system of interacting FSMs is PSPACE-complete [1]. Our goal is to develop an algorithm that alleviates the explosion problem by identifying equivalent states in each component machine. These equivalent states are then used to simplify the components..."

**Automatic compositional minimization in CTL model checking** (Chiodo, Shiple, et al., 1992). Cited by 7.

Citation context: "...g if the environment for a system has been correctly modeled so that it can produce the stimuli of interest. Hence, we are interested in techniques that can handle full CTL. The work of Chiodo et al. [5] has similar aims as ours, and the current work can be seen as an outgrowth of that work. Both approaches are exact, fully automatic, and formula dependent. We have extended Chiodo's method (see Secti..."