Vacuity detection in temporal model checking

Orna Kupferman, Moshe Y. Vardi

Research output: Contribution to journalArticlepeer-review

138 Scopus citations


One of the advantages of temporal-logic model-checking tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most model-checking tools provide no witness for the satisfaction of the specification. In the last few years there has been growing awareness as to the importance of suspecting the system or the specification of containing an error also in the case model checking succeeds. The main justification of such suspects are possible errors in the modeling of the system or of the specification. Many such errors can be detected by further automatic reasoning about the system and the environment. In particular, Beer et al. described a method for the detection of vacuous satisfaction of temporal logic specifications and the generation of interesting witnesses for the satisfaction of specifications. For example, verifying a system with respect to the specification φ{symbol}=AG(req?AFgrant) ("every request is eventually followed by a grant"), we say that φ{symbol} is satisfied vacuously in systems in which requests are never sent. An interesting witness for the satisfaction of φ{symbol} is then a computation that satisfies φ{symbol} and contains a request. Beer et al. considered only specifications of a limited fragment of ACTL, and with a restricted interpretation of vacuity. In this paper we present a general method for detection of vacuity and generation of interesting witnesses for specifications in CTL*. Our definition of vacuity is stronger, in the sense that we check whether all the subformulas of the specification affect its truth value in the system. In addition, we study the advantages and disadvantages of alternative definitions of vacuity, study the problem of generating linear witnesses and counterexamples for branching temporal logic specifications, and analyze the complexity of the problem.

Original languageAmerican English
Pages (from-to)224-233
Number of pages10
JournalInternational Journal on Software Tools for Technology Transfer
Issue number2
StatePublished - 2003


  • Model checking
  • Vacuous satisfaction


Dive into the research topics of 'Vacuity detection in temporal model checking'. Together they form a unique fingerprint.

Cite this