An automata-theoretic approach to modular model checking

Orna Kupferman*, Moshe Y. Vardi

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

41 Scopus citations


In modular verification the specification of a module consists of two parts. One part describes the guaranteed behavior of the module. The other part describes the assumed behavior of the system in which the module is interacting. This is called the assume-guarantee paradigm. In this paper we consider assume-guarantee specifications in which the guarantee is specified by branching temporal formulas. We distinguish between two approaches. In the first approach, the assumption is specified by branching temporal formulas too. In the second approach, the assumption is specified by linear temporal logic. We consider guarantees in ∀CTL and ∀CTL*, the universal fragments of CTL and CTL*, and assumptions in LTL, ∀CTL, and ∀CTL*. We develop two fundamental techniques: building maximal models for ∀CTL and ∀CTL* formulas and using alternating automata to obtain space-efficient algorithms for fair model checking. Using these techniques we classify the complexity of satisfiability, validity, implication, and modular verification for ∀CTL and ∀CTL*. We show that modular verification is PSPACE-complete for ∀CTL and is EXPSPACE-complete for ∀CTL*. We prove that when the assumption is linear, these bounds hold also for guarantees in CTL and CTL*. On the other hand, the problem remains EXPSPACE-hard even when we restrict the assumptions to LTL and take the guarantee as a fixed ∀CTL formula.

Original languageAmerican English
Pages (from-to)87-128
Number of pages42
JournalACM Transactions on Programming Languages and Systems
Issue number1
StatePublished - Jan 2000


  • Algorithms
  • Automata
  • D.2.4 [Software Engineering]: Software/Program Verification
  • Modular verification
  • Temporal logic
  • Verification


Dive into the research topics of 'An automata-theoretic approach to modular model checking'. Together they form a unique fingerprint.

Cite this