Modelchecking of CTL formulae under liveness assumptions
Our aim is a modular verification method for concurrent systems. To verify a module separated from the other components we have to assume some (correct) behaviour of these components concerning their interactions with the module under consideration. These reactions of the other modules can be described by liveness properties. Hence in a modular verification method we have to prove a formula under some liveness assumptions. A logic which is able to express the correctness of a subsystem under some liveness assumptions is e.g. CTL* or only its linear-time part TL. But modelchecking for CTL* is exponential in the size of a given formula. Hence CTL is often used instead of CTL* in specifications of concurrent systems, as this logic has a linear modelchecking algorithm. But CTL has a restricted expressive power: e.g. it cannot express that some property holds under some liveness assumption. As an algorithm which is exponential in the size of a given specification is too expensive, we are interested in an extension of CTL which is able to express our specifications for modules but whose modelchecking algorithm is better than exponential in the size of a given formula. In this paper we define a logic LCTL, an extension of CTL in which quantifications over paths are interpreted with respect to some liveness assumptions, i.e., formulae of LCTL are pairs (l,f) where l is a liveness assumption (expressed in TL) and f is a CTL formula. In that case the time complexity of the modelchecking algorithm certainly has an exponential factor, but it is better than the algorithm for CTL* since it is only exponential in the number of liveness assumptions and not in the length of the whole formula. As the number of liveness assumptions is small in real systems, this logic is useful for practical purposes. Furthermore, as liveness assumptions require a tracing of the history, neither a better modelchecking algorithm nor a smaller logic is possible.
For our logic LCTL we develop a modelchecker whose time complexity is O(|M|·|f|·exp(n)), where M is the given structure and (l,f) the given formula, l being a conjunction of n liveness assumptions.
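As an added illustration (not the paper's algorithm and not code by its author): a small CTL model checker in which every path quantifier ranges only over paths satisfying a liveness assumption of the simple form GF p_1 & ... & GF p_n, computed with the Emerson-Lei fixpoint characterisation; LCTL admits arbitrary TL assumptions, which this restricted scheme does not cover. The client/server structure, its labels and the assumption GF served are constructed for the example.

```python
# Added illustration, not the paper's code: CTL over a Kripke structure where
# every path quantifier ranges only over paths meeting GF p_1 & ... & GF p_n.
def ex(phi, succ, states):
    return {s for s in states if succ[s] & phi}  # EX phi
def eu(phi, psi, succ):
    result = set(psi)  # E[phi U psi] as a least fixpoint
    while True:
        new = {s for s in phi if succ[s] & result} - result
        if not new:
            return result
        result |= new
def eg_fair(phi, succ, states, fairness):
    # EG phi over fair paths: greatest fixpoint of
    # Z = phi & AND_i EX E[phi U (Z & p_i)]; fairness=[states] gives plain EG.
    z = set(phi)
    while True:
        new = set(phi)
        for p in fairness:
            new &= ex(eu(phi, z & p, succ), succ, states)
        if new == z:
            return z
        z = new
def check(formula, states, succ, labels, fairness=()):
    """States satisfying formula; fairness = the state sets p_i of GF p_i."""
    # formula tuples: ('true',), ('atom', a), ('not', f), ('and', f, g),
    # ('EX', f), ('EU', f, g), ('EG', f); empty fairness = ordinary CTL
    fairness = [set(p) for p in fairness] or [set(states)]
    fair = eg_fair(set(states), succ, states, fairness)  # start of a fair path
    def sat(f):
        op, a = f[0], f[1:]
        if op == 'true': return set(states)
        if op == 'atom': return {s for s in states if a[0] in labels[s]}
        if op == 'not': return set(states) - sat(a[0])
        if op == 'and': return sat(a[0]) & sat(a[1])
        if op == 'EX': return ex(sat(a[0]) & fair, succ, states)
        if op == 'EU': return eu(sat(a[0]), sat(a[1]) & fair, succ)
        if op == 'EG': return eg_fair(sat(a[0]), succ, states, fairness)
        raise ValueError(op)
    return sat(formula)
def AF(f): return ('not', ('EG', ('not', f)))
def AG(f): return ('not', ('EU', ('true',), ('not', f)))
def implies(f, g): return ('not', ('and', f, ('not', g)))
# Constructed client module: the self-loop on 'req' is a server that has not
# answered; the assumption GF served (server acts infinitely often) excludes it.
STATES = {'idle', 'req', 'done'}
SUCC = {'idle': {'idle', 'req'}, 'req': {'req', 'done'}, 'done': {'idle'}}
LABELS = {'idle': {'idle'}, 'req': {'req'}, 'done': {'done', 'served'}}
RESPONSE = AG(implies(('atom', 'req'), AF(('atom', 'done'))))
SERVER_LIVE = [{s for s in STATES if 'served' in LABELS[s]}]
def holds(formula, fairness=()):
    return 'idle' in check(formula, STATES, SUCC, LABELS, fairness)
```

`holds(RESPONSE)` is false because of the path that stays in `req` forever, while `holds(RESPONSE, SERVER_LIVE)` is true: the response property holds only under the liveness assumption about the other component.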
Keywords: Model Check, Temporal Logic, Atomic Proposition, Concurrent System, Fairness Constraint
- [CES83] E.M. Clarke, E.A. Emerson, A.P. Sistla: Automatic verification of finite-state concurrent systems using temporal logic specifications: a practical approach. Tenth ACM Symposium on Principles of Programming Languages, 117–126 (1983)
- [EH83] E.A. Emerson, J.Y. Halpern: Sometimes and not never revisited: On branching time versus linear time. 10th ACM Symposium on Principles of Programming Languages, 127–140 (1983)
- [EL85] E.A. Emerson, C.L. Lei: Modalities for model checking: branching time logic strikes back. Technical Report, Department of Computer Sciences, University of Texas (1985)
- [EL86] E.A. Emerson, C.L. Lei: Temporal reasoning under generalized fairness constraints. Proceedings STACS 86, Lecture Notes in Computer Science 210, 21–36 (1986)
- [Jo86] B. Josko: Modelchecking of CTL formulae under liveness assumptions. Schriften zur Informatik und Angewandten Mathematik Nr. 124, RWTH Aachen (1986) (Full version of this paper)
- [Jo] B. Josko: Modular verification of concurrent systems. Technical Report, RWTH Aachen (To appear)
- [LP85] O. Lichtenstein, A. Pnueli: Checking that finite state concurrent programs satisfy their linear specification. 12th Annual ACM Symposium on Principles of Programming Languages, 97–107 (1985)
- [SC82] A.P. Sistla, E.M. Clarke: The complexity of propositional temporal logic. 14th ACM Symposium on Theory of Computing, 159–167 (1982)
- [Ta72] R. Tarjan: Depth-first search and linear graph algorithms. SIAM Journal on Computing 1, 146–160 (1972)
- [VME82] VMEbus, Specification manual (1982)