TY - JOUR
T1 - Vacuity detection in temporal model checking
AU - Kupferman, Orna
AU - Vardi, Moshe Y.
PY - 2003
Y1 - 2003
N2 - One of the advantages of temporal-logic model-checking tools is their ability to accompany a negative answer to the correctness query with a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most model-checking tools provide no witness for the satisfaction of the specification. In the last few years there has been growing awareness of the importance of suspecting the system or the specification of containing an error also in the case where model checking succeeds. The main justification for such suspicion is possible errors in the modeling of the system or of the specification. Many such errors can be detected by further automatic reasoning about the system and the environment. In particular, Beer et al. described a method for the detection of vacuous satisfaction of temporal logic specifications and the generation of interesting witnesses for the satisfaction of specifications. For example, verifying a system with respect to the specification φ = AG(req → AFgrant) ("every request is eventually followed by a grant"), we say that φ is satisfied vacuously in systems in which requests are never sent. An interesting witness for the satisfaction of φ is then a computation that satisfies φ and contains a request. Beer et al. considered only specifications of a limited fragment of ACTL, and with a restricted interpretation of vacuity. In this paper we present a general method for detection of vacuity and generation of interesting witnesses for specifications in CTL*. Our definition of vacuity is stronger, in the sense that we check whether all the subformulas of the specification affect its truth value in the system. 
In addition, we study the advantages and disadvantages of alternative definitions of vacuity, study the problem of generating linear witnesses and counterexamples for branching temporal logic specifications, and analyze the complexity of the problem.
KW - Model checking
KW - Vacuous satisfaction
UR - http://www.scopus.com/inward/record.url?scp=84896693498&partnerID=8YFLogxK
U2 - 10.1007/s100090100062
DO - 10.1007/s100090100062
M3 - Article
AN - SCOPUS:84896693498
SN - 1433-2779
VL - 4
SP - 224
EP - 233
JO - International Journal on Software Tools for Technology Transfer
JF - International Journal on Software Tools for Technology Transfer
IS - 2
ER -
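The abstract's running example, worked through in code. This is an added illustration, not code from the paper or its authors: a tiny explicit-state CTL evaluator (fixpoints over a state graph), the paper's criterion for a single-occurrence subformula ψ of φ (ψ affects φ in M iff M fails φ[ψ ← ⊥], where ⊥ is false for a positively occurring ψ and true for a negatively occurring one), and a breadth-first search for a finite prefix of an interesting witness, i.e. a computation that contains a request. The two models, their state names and the tuple encoding of formulas are constructed for the example; MODEL_A never sends a request, so AG(req → AF grant) holds there vacuously, while MODEL_B exercises both the request and the grant.

```python
"""Vacuity check for AG(req -> AF grant) on constructed explicit-state models (added example)."""
from collections import deque

# CTL formulas as nested tuples; only the connectives the example needs:
#   ("true",) | ("false",) | ("ap", name) | ("not", f) | ("or", f, g) | ("AG", f) | ("AF", f)
REQ = ("ap", "req")
AF_GRANT = ("AF", ("ap", "grant"))
PHI = ("AG", ("or", ("not", REQ), AF_GRANT))      # AG(req -> AF grant)

# Constructed toy models with a total transition relation (every state has a successor).
# MODEL_A never sends a request; MODEL_B requests in s1 and grants in s2.
MODEL_A = {"init": "s0", "succ": {"s0": ["s1"], "s1": ["s1"]},
           "label": {"s0": set(), "s1": set()}}
MODEL_B = {"init": "s0", "succ": {"s0": ["s0", "s1"], "s1": ["s2"], "s2": ["s0"]},
           "label": {"s0": set(), "s1": {"req"}, "s2": {"grant"}}}


def sat(model, f):
    """Set of states of `model` satisfying CTL formula f (explicit-state fixpoint evaluation)."""
    states, succ, label = set(model["succ"]), model["succ"], model["label"]
    op = f[0]
    if op == "true":
        return states
    if op == "false":
        return set()
    if op == "ap":
        return {s for s in states if f[1] in label[s]}
    if op == "not":
        return states - sat(model, f[1])
    if op == "or":
        return sat(model, f[1]) | sat(model, f[2])
    if op == "AF":
        # least fixpoint: f holds now, or AF f already holds on every successor
        z = sat(model, f[1])
        while True:
            new = z | {s for s in states if all(t in z for t in succ[s])}
            if new == z:
                return z
            z = new
    if op == "AG":
        # greatest fixpoint: drop states with a successor outside the candidate set
        z = sat(model, f[1])
        while True:
            new = {s for s in z if all(t in z for t in succ[s])}
            if new == z:
                return z
            z = new
    raise ValueError(f"unknown operator {op!r}")


def holds(model, f):
    """Does the initial state of `model` satisfy f?"""
    assert all(model["succ"][s] for s in model["succ"]), "transition relation must be total"
    return model["init"] in sat(model, f)


def replace_with_bottom(f, psi, positive=True):
    """f[psi <- bottom]: false replaces a positive occurrence of psi, true a negative one."""
    if f == psi:
        return ("false",) if positive else ("true",)
    op = f[0]
    if op == "not":
        return ("not", replace_with_bottom(f[1], psi, not positive))
    if op == "or":
        return ("or", replace_with_bottom(f[1], psi, positive), replace_with_bottom(f[2], psi, positive))
    if op in ("AG", "AF"):
        return (op, replace_with_bottom(f[1], psi, positive))
    return f


def affects(model, f, psi):
    """Single-occurrence criterion: psi affects f in the model iff the model fails f[psi <- bottom]."""
    return not holds(model, replace_with_bottom(f, psi))


def vacuous_subformulas(model, f, candidates):
    """Candidate subformulas whose value is irrelevant to f; a non-empty list means f passes vacuously."""
    return [psi for psi in candidates if not affects(model, f, psi)]


def interesting_witness(model):
    """Prefix of a computation from init that contains a request and the grant answering it, or None."""
    def bfs(src, atom):
        prev, queue = {src: None}, deque([src])
        while queue:
            s = queue.popleft()
            if atom in model["label"][s]:
                path = []
                while s is not None:
                    path.append(s)
                    s = prev[s]
                return path[::-1]
            for t in model["succ"][s]:
                if t not in prev:
                    prev[t] = s
                    queue.append(t)
        return None
    to_req = bfs(model["init"], "req")
    if to_req is None:
        return None
    to_grant = bfs(to_req[-1], "grant")
    return None if to_grant is None else to_req + to_grant[1:]


if __name__ == "__main__":
    for name, m in (("MODEL_A", MODEL_A), ("MODEL_B", MODEL_B)):
        print(name, "satisfies phi:", holds(m, PHI),
              "| vacuous in:", vacuous_subformulas(m, PHI, [REQ, AF_GRANT]),
              "| witness prefix:", interesting_witness(m))
```

Both models satisfy φ, which is exactly the situation the paper warns about: a plain model checker reports success for each. Substituting ⊥ for the consequent shows that AF grant does not affect φ in MODEL_A (the formula collapses to AG ¬req, which a request-free system trivially satisfies), so the pass is vacuous and no interesting witness exists; in MODEL_B both req and AF grant affect φ, and the search returns s0, s1, s2 as a witness prefix that actually contains a request. A witness in the paper's sense is an infinite computation; the finite prefix here stands for any extension through the model's total transition relation.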