a compositional approach to ctl veriﬁcation · in the model-checking method we ... science...

Theoretical Computer Science 331 (2005) 397–428www.elsevier.com/locate/tcs

A compositional approach to CTL∗ verification�

Yonit Kestena, Amir Pnuelib,∗aBen Gurion University, Israel

bWeizmann Institute of Science, Israel

Communicated by F.S. De Boer

Abstract

The paper presents a compositional approach to the verification ofCTL∗ properties over reactivesystems. Both symbolic model-checking (SMC) and deductive verification are considered. Bothmeth-ods are based on two decomposition principles.Ageneral state formulais decomposed intobasic stateformulaswhich areCTL∗ formulas with no embedded path quantifiers. To deal witharbitrary basicstate formulas, we introduce another reduction principle which replaces eachbasic path formula, i.e.,path formulas whose principal operator is temporal and which contain no embedded temporal opera-tors or path quantifiers, by a newly introduced boolean variable which is added to the system. Thus,both the algorithmic and the deductive methods are based on twostatificationtransformations whichsuccessively replace temporal formulas by assertions which contain no path quantifiers or temporaloperators. Performing these decompositions repeatedly, we remain withbasic assertional formulas,i.e., formulas of the formEf p andAf p for some assertionp. In the model-checking method wepresent a single symbolic algorithm to verify both universal and existential basic assertional proper-ties. In the deductive method we present a small set of proof rules and show that this set is sound andrelatively complete for verifying universal and existential basic assertional properties over reactivesystems. Together with two proof rules for the decompositions, we obtain a sound and relativelycomplete proof system for arbitraryCTL∗ properties. Interestingly, the deductive approach forCTL∗presented here, offers a viable new approach to the deductive verification of arbitraryLTL formulas.© 2004 Elsevier B.V. All rights reserved.

� This research was supported in part by the Minerva Center for Verification of Reactive Systems, the IsraelScience Foundation (grant no. 106/02-1), and NSF grant CCR-0205571.

∗ Corresponding author.E-mail addresses:[email protected](Y. Kesten),[email protected](A. Pnueli).

0304-3975/$ - see front matter © 2004 Elsevier B.V. All rights reserved.doi:10.1016/j.tcs.2004.09.023

http://www.elsevier.com/locate/tcs

mailto:[email protected]

mailto:[email protected]

398 Y. Kesten, A. Pnueli / Theoretical Computer Science 331 (2005) 397–428

1. Introduction

Thepaper presents a compositional approach to the verificationofCTL∗ properties over re-active systems.We present both an algorithmicmethod based on symbolic model-checking,for the verification of finite-state systems and a deductivemethod for the verification of pos-sibly infinite-state systems.The logicCTL∗ is a temporal logicwhich canexpress linear-timeaswell as branching-time

temporal properties, and combinations thereof, and contains bothLTL andCTL as sub-logics.Acompletedeductiveproof system for linear-time temporal logic (LTL) hasbeenpresented in[15] and further elaborated in[16,17]. This proof systemhas been successfully implementedin the Stanford temporal verifier STEP [1]. The deductive proof system presented here canbe viewed as an extension of the approach of[15] to the logicCTL∗.A deductive proof system forCTL∗ is valuable for several reasons. In spite of the impres-

sive progress in the various versions of model-checking and other algorithmic verificationtechniques, they are still restricted to finite-state systems. The only verification methodknown to be complete for all programs is still the method of deductive verification. Thereare special benefits to the extension of the deductive methodology from the linear-timeframework to the more expressive branching semantics ofCTL∗:(1) Some important systempropertiesareexpressible inCTL∗ but not inLTL.Typically, these

are “possibility” properties, such as theviability of a system, stating that any reachablestate can spawn a fair computation. This is strongly related to the non-zeno’ness ofreal-time and hybrid systems.

(2) As shown in[21], the problem of synthesis of a reactive module can be solved bychecking for validity of a certainCTL∗ formula, even if the original specification is apureLTL formula.

Deductive verificationofCTL∗ formulas is valuable even in the context of finite-state systemswhich can be model-checked:(3) Acounter-exampleof evensimpleCTL formulassuchasE �p is no longerasimple finite

printable trace. A convincing evidence of a counter-example could be an automaticallyproducedproofof its existence.

(4) In general, model-checking is useful if it produces a counter-example. However, whenit terminates declaring the property to be valid, the user is not always convinced. Adeductive proofcan provide a convincing argument of such a validity[18,19].

A generalCTL∗ formula is composed of state sub-formulas that are interpreted over statesandpath sub-formulas that are interpreted over paths. Both the algorithmic and the deductivemethods forCTL∗ verification are based on the same basic decomposition principles. Ageneral state formulais decomposed intobasic state formulaswhich areCTL∗ formulaswith no embedded path quantifiers. A basic state formula has the formQ�, whereQ isa path quantifier and� is ageneral path formula(according to theCTL∗ terminology) or,equivalently, can be described as anLTL formula. Ageneral path formulais decomposedinto basic path formulaswhich are path formulas whose principal operator is temporal andwhich contain no embedded temporal operators or path quantifiers.Thus, as a first step, we reduce the problem of verifying an arbitraryCTL∗ formula into

a set of verification tasks of the formpi ⇒ �i in the deductive case (pi ⇔ �i in thealgorithmic case), wherepi is an assertion and�i is a basic state formula. This reduction

Y. Kesten, A. Pnueli / Theoretical Computer Science 331 (2005) 397–428 399

is based on the following observation: letf (�) be aCTL∗ formula which contains one ormore occurrences of the basic state formula�. Then, a sufficient condition forf (�) to bevalid over the computation tree of systemD (D-valid) is theD-validity of the formulasp ⇒ � andf (p), for some assertionp, wheref (p) is obtained fromf (�) by replacingall occurrences of� by the assertionp. By repeated application of such replacements (forappropriately designed assertionsp), we reduce the verification problem of an arbitraryCTL∗ formula to a set of verification problems, each requiring the proof of a formula of theform pi ⇒ �i .In the context of finite-state model checking, this decomposition of the verification task

based on the path quantifiers has been first proposed by Emerson and Lei in[6]. It hasbeen used again in[11] for the construction of a symbolic model checker (SMC) for CTL∗properties over finite state systems.To deal witharbitrary basic state formulas, we introduce another reduction principle

which replaces eachbasic path formulaby a newly introduced boolean variable which isadded to the systemD. This reduction can be viewed as a simplified version of the tableauconstruction proposed in[14] and later referred to as the construction of atester[10].Thus, both the algorithmic and the deductive methods are based on twostatification

transformations which successively replace temporal formulas by assertions which containno path quantifiers or temporal operators. The first transformation replaces a basic stateformula� by an assertionp, provided that we can independently establish theD-validityof the entailmentp ⇒ �. The second transformation replaces the basic path formula� bythe single boolean variablex� (which is also a trivial assertion) at the price of augmentingthe systemD by a temporal testerT�.It is interesting to compare the general structure of theCTL∗ deductive proof system

presented here with theLTL proof system presented in[15] and elaborated in[16,17,1].In [15], the system lists first useful rules for special form formulas, the most importantof which are formulas of the formp ⇒ � q, p ⇒ ♦ q, and�♦ p ⇒ �♦ q, wherepandq are arbitrarypast formulas. To deal with the general case,[15] invokes a generalcanonic-form theorem, according to which every (quantifier-free)LTL formula is equivalentto a conjunction of formulas of the form�♦ pi ⇒ �♦ qi , for some past formulaspi andqi . While this approach is theoretically adequate, it is not a practically acceptable solutionto the verification of arbitraryLTL formulas. This is because the best known algorithmsfor converting an arbitraryLTL formula into canonic form are at least exponential (e.g.,[7] which is actually non-elementary). A better approach to the verification of arbitraryLTL formulas is based on the notion ofdeductive model checking[23], which can also bedescribed as a tableau-based construction.The approach presented here, gives a small set of proof rules that is sound and rela-

tively complete for proving basic assertional formulas, which are formulas of the formQp whereQ is a path quantifier andp is an assertion. To deal with the general case,a general path formula is decomposed to basic path formulas based on successive elim-ination of temporal operators. This decomposition, which proceeds all the way to basicassertional formulas, can be viewed as an incremental tableau construction which offers aviable new approach to the deductive verification of arbitraryLTL formulas, even though itis presented as part of a deductive proof system forCTL∗, which is a more complex logicthanLTL.


There have been two earlier complete axiomatizations of propositionalCTL∗. The workreported in[22] provides (the first) complete axiomatization of pure propositionalCTL∗,thus solving a long standing open problem in branching-time temporal logic. Comparingthis impressive result with our work, we should remind the reader of our motivation whichis to provide a deductive system to verify first-orderCTL∗ expressible properties of reactivesystems, where the computational model includes a full fledged set of weak and strongfairness assumptions. Our goal is to derive a deductive system forCTL∗ which extends theLTL deductivemethodology expounded in[17] and provides realistic tools for verifying non-trivial reactive systems, such as those implemented in the STeP system[1]. Theoretically,this goal can be implemented even within the pure-logic axiomatization of[22], becauseCTL∗ (being more expressive thanLTL) can certainly capture the computation tree of areactive system including all fairness assumptions. This allows us to reduce the verificationproblemD�� into the pure validity problem�SD → �, whereSD is theCTL∗ formulacharacterizing the computation tree of systemD.While this is possible in theory, it is highlyimpractical and leads to very obscure and unreadable proofs. A similar dichotomy existsin finite-stateLTL verification. On one hand, one can use the specialLTL model checkingtechniqueproposed in[14] for verifyingD��whose complexity is exponential in�but onlylinear inD. On the other hand, one can reduce this to the problem of checking the validityof the implicationSD → � which is exponential in both� andD. It is obvious that thespecialized technique which does not transform the system into a formula is (exponentially)better than the reductionist approach.While theanalogybetweenfinite-statemodel checkingand deductive verification is not perfect, this argument serves to indicate the inherent risein complexity when using pure temporal logic techniques for practical verification.Another related work is that of Sprenger[24]. This approach is much closer to our own,

because it preserves the distinction between the system and the formula, and contains aspecial treatment of the different kinds of fairness. The advantage of our approach is that itproceeds at a coarser level of granularity, and therefore yields amuch simpler proof system.Sprenger’s method of local model checking proceeds at steps analogous to the basic stepsof a tableau construction, including step by step handling of the boolean connectives. Ourapproach attempts to get rid of one temporal operator at each step, applying the appropriaterule for this operator, with no need to trace cycles and close leaves in the tableau. Webelieve that our proof system and its application to be significantly more succinct andeffective and, therefore, more amenable to the construction of support systems for seriousreactive verification.The paper is organized as follows. In Section2 we present theFDScomputation model.

In Section3, we present the logicCTL∗ with past operators. In Section4 we present thenotion of atesterwhich is anFDS constructed for a basic path formula (i.e., a simpleLTL

formula) and identifies the positions in a computation at which the formula holds. Testersare constructs which are central to our method of decomposing a verification of a largeCTL∗ formula into subtasks of verifying smaller sub-formulas. In Section5 we present amethod for model checking an arbitraryCTL∗ formula, using the decomposition principlesand the singleFEASIBLE algorithm used to verify basic assertional formulas. Finally, inSection6we present a deductive proof system for the verification of generalCTL∗ formulas.The presentation starts by presenting a proof rule for the elimination of state formulasembedded within a generalCTL∗ formula. Next, we present a set of proof rules for some


basic state properties which is sound and relatively complete for verifying basic assertionalformulas. Finally we give a proof rule for the elimination of temporal operators from anarbitrary state formula, using a tester for this purpose We prove soundness and relativecompleteness of the deductive system for verifying arbitraryCTL∗ formulas over reactivesystems.The algorithmic method forCTL∗ verification has been presented in[11] and is given

here for the completeness of the presentation.A conference version of the deductivemethodappeared in[9].It should be noted that both the algorithmic and deductive methods forCTL∗ verification

are presented here in terms of a decomposition of an arbitraryCTL∗ formula all the way tobasic assertional formulas. Obviously this is not the most efficient method, and is presentedhere mainly for the simplicity of the presentation. For better efficiency, the decompositionof a general state formula should stop atCTL formulas, namely refrain from eliminatingthe outermost temporal operator. In the algorithmic method, this requires augmenting theproof system with a set of algorithms for allCTL operators. This option is discussed in[20].In the deductive method, the proof system has to be augmented to be sound and relativelycomplete forCTL.

2. The computational model

As a computational model for reactive systems, we take the model offair discrete system(FDS). An FDSD : 〈V,�,�,J , C〉 consists of the following components.• V = {u1, ..., un} : A finite set of typedstate variablesover possibly infinite domains.We define astates to be a type-consistent interpretation ofV , assigning to each variableu ∈ V a values[u] in its domain. We denote by� the set of all states.

• � : The initial condition. This is an assertion characterizing all the initial states of theFDS. A state is calledinitial if it satisfies�.

• � : A transition relation. This is an assertion�(V , V ′), relating a states ∈ � to itsD-successors′ ∈ � by referring to both unprimed and primed versions of the statevariables. The transition relation�(V , V ′) identifies states′ as aD-successorof statesif 〈s, s′〉��(V , V ′), where〈s, s′〉 is the joint interpretation which interpretsx ∈ V ass[x], andx′ ass′[x].

• J = {J1, . . . , Jk} : A set of assertions expressing thejustice(weak fairness) require-ments. Intentionally, the justice requirementJ ∈ J stipulates that every computationcontains infinitely manyJ -states (states satisfyingJ ).

• C = {〈p1, q1〉, . . . , 〈pn, qn〉} : A set of assertions expressing thecompassion(strongfairness) requirements . Intentionally, the compassion requirement〈p, q〉 ∈ C stipulatesthat every computation containing infinitely manyp-states also contains infinitely manyq-states.Let � : s0, s1, . . . , be a sequence of states,� be an assertion, andj�0 be a natural

number. We say thatj is a�-position of� if sj is a�-state, i.e.,sj satisfies the assertion�. For the case that� is infinite, we define|�| = � and the range[m..|�|) denotes the setof all integersj�m. For the case that� : s0, . . . , sk, |�| = k + 1 and the range[m..|�|)denotes the set of all integersj ,m�j�k.


Let D be anFDS for which the above components have been identified. Arun of D is amaximalsequence of states� : s0, s1, . . ., satisfying the requirements of• Initiality: s0 is initial, i.e.,s0��.•Consecution:For eachj + 1 ∈ [1..|�|), sj+1 is aD-successor ofsj .The sequence� being maximal means that either� is infinite, or� = s0, . . . , sk andsk

has noD-successor.We denote byruns(D) the set of runs ofD. An infinite run ofD is called acomputation

if it satisfies the following:• Justice:For eachJ ∈ J , � contains infinitely manyJ -positions.•Compassion:For each〈p, q〉 ∈ C, if � contains infinitely manyp-positions,it must also contain infinitely manyq-positions.

We denote byComp(D) the set of all computations ofD.A states is said to bereachableif it participates in some run ofD. States is feasibleif it

participates in some computation ofD. An FDSD is calleddeadlock-freeif every reachablestate has aD-successor. Note that all runs of a deadlock-freeFDS are infinite. It can beshown that allFDS’s derived from programs are deadlock-free. AnFDS D is feasibleif ithas at least one computation, i.e., ifComp(D) �= ∅. We say that anFDSD is viableif everyreachable state is feasible. It is not difficult to see that every viableFDS is deadlock-free.

2.1. Parallel composition ofFDS’S

Fair discrete systems can be composed in parallel. LetDi = 〈Vi,�i ,�i ,Ji , Ci〉, i ∈{1,2}, be two fair discrete systems. Two versions of parallel composition are used. Asyn-chronous composition is used to assemble an asynchronous system from its components(see[8]). We define theasynchronousparallel composition of twoFDS’s to be

D = 〈V,�,�,J , C〉 = 〈V1,�1,�1,J1, C1〉 ‖ 〈V2,�2�2,J2, C2〉,where

V = V1 ∪ V2 � = �1 ∧�2,

� = �1 ∧ pres(V2− V1) ∨ �2 ∧ pres(V1− V2),J = J1 ∪ J2, C = C1 ∪ C2.

For a set of variablesU , the predicatepres(U) is an abbreviation of the conjunction∧x∈U(x′ = x), implying that all variables inU preserve their values in the current transi-

tion.The execution ofD = D1‖D2 is theinterleaved executionof D1 andD2.Another mode of parallel composition is that ofsynchronous parallel composition. Syn-

chronous composition is used in some cases, to assemble a system from its components (inparticular when considering hardware designs which are naturally synchronous). However,our primary use of synchronous composition is for combining a system with atesterT� fora basic path formula�, as described, for example, in Section5.4.We define thesynchronousparallel composition of twoFDS’s to be

D = 〈V,�,�,J , C〉 = 〈V1,�1,�1,J1, C1〉 ||| 〈V2,�2�2,J2, C2〉,


where

V = V1 ∪ V2, � = �1 ∧�2, � = �1 ∧ �2,

J = J1 ∪ J2, C = C1 ∪ C2.

We can view the execution ofD as thejoint executionof D1 andD2.

2.2. FromFDS to JDS

An FDSwith no compassion requirements is called ajust discrete system(JDS).Let D : 〈V,�,�,J , C〉 be anFDSsuch thatC = {(p1, q1), . . . , (pm, qm)} andm > 0.

We define aJDSDJ: 〈V

J,�

J,�

J,J

J,∅〉 equivalent toD, as follows:

• VJ= V ∪ {n_pi : boolean| (pi, qi) ∈ C} ∪ {xc}. That is, for every compassion require-

ment(pi, qi) ∈ C, we add toVJa boolean variablen_pi . Variablen_pi is intended to

turn true at a point in a computation from which the assertionpi remains false forever.Variablexc, common to all compassion requirements, is intended to turn true at a pointin a computation satisfying

∨mi=1(pi ∧ n_pi).

• �J= � ∧ xc = 0 ∧ ∧

(pi ,qi )∈C n_pi = 0.That is, initially all the newly introduced boolean variables are set to zero.

• �J= � ∧ �n_p ∧ �c, where

�n_p : ∧(pi ,qi )∈C

(n_pi → n_p′i )

�c : x′c =(xc ∨ ∨

(pi ,qi )∈C(pi ∧ n_pi)

).

The augmented transition relation allows each of then_pi variables to change non-deterministically from 0 to 1. Variablexc is set to 1 on the first occurrence ofpi ∧ n_pi ,for somei, 1� i�m. Once set, it is never reset.• J

J= J ∪ {¬xc} ∪ {n_pi ∨ qi | (pi, qi) ∈ C}.

The augmented justice set contains the additional justice requirementn_pi ∨ qi for each(pi, qi) ∈ C. This requirement demands that eithern_pi turns true sometime, implying thatpi is continuously false from that time on, or thatqi holds infinitely often.The justice requirement¬xc ensures that a run with one of the variablesn_pi set prema-

turely, will not be accepted as a computation.The transformation of anFDS to a JDS follows the transformation of Streett automata

to generalized Büchi Automata (see[2] for finite state automata,[26] for infinite state au-tomata). The reactive systems we want to verify can have both weak (justice) and strong(compassion) fairness requirements. In the case of algorithmic verification we use an algo-rithm that deals with the compassion requirements of the system directly. We show in[11]that this approach is more efficient. However in the deductive case, although[15] presentsanLTL proof rule that deals directly with compassion, and can easily be adapted forCTL∗,the application of the rule initiates a tree of additional rules to be included, resulting in acomplex proof system. To keep the presentation reasonable, we prefer in the exposition ofthe deductive approach to transform theFDSrepresentation of the verified system into aJDS,prior to the verification, and present rules which only deal with justice.


3. The branching temporal logicCTL∗

In the following we define the branching temporal logicCTL∗ with both future and pastoperators.We denote the fragment ofCTL∗ without the past operators as thefuture fragmentof CTL∗ (see[4] for the future fragment).We assume a finite set of variablesV over possiblyinfinite domains, and an underlying assertion languageL which contains the predicate cal-culus augmented with fix-point operators.1 We assume thatL contains interpreted symbolsfor expressing the standard operations and relations over some concrete domains, such asthe integers.In practice, our assertional language is a first-order language over the integers. Anasser-

tion is a formula in that language. We will rarely use fix-point operators in assertions andtheir inclusion is merely for the sake of claims of relative completeness.A CTL∗ formula is constructed out of assertions to which we apply the boolean operators,

temporal operators and path quantifiers. The basic temporal operators are:© – Next, � – Previous, ©∼ –Weak Previous.U – Until, S – Since,W –Waiting-for (Unless), B – Back-to,Additional temporal operators may be defined as follows:

♦ p = TUp − Eventuallyp,�p = pWF − Always, henceforthp,♦- p = TSp − Sometimes in the pastp,�- p = pBF − Always in the pastp.

The path quantifiers areE, A, Ef andAf . We refer toEf andAf as thefair pathquantifiers and toE andA as theunrestrictedpath quantifiers. In the following, we presentthe syntax and semantics of the logic which is interpreted over the computation graphgenerated by anFDS. We use the termspathand fair path as synonymous to arun and acomputationrespectively, over anFDS. Let � : s0, s1, . . ., be a run ofD. Then, we write�[j ] to denotesj , thej th state in�.

3.1. The logicCTL∗

There are two types of sub-formulas inCTL∗: state formulasthat are interpreted overstates, andpath formulasthat are interpreted over paths. The syntax of aCTL∗ formula isdefined inductively as follows.

State formulas:• Every assertion inL is a state formula.• If p is apath formula, thenEp, Ap, Ef p andAf p are state formulas.• If p andq are state formulas then so arep ∨ q andp ∧ q.

Path formulas:• Every state formula is a path formula.

1As is well known[13], a first-order language is not adequate for (relative) completeness of a temporal proofsystem for infinite state reactive programs. The use of minimal and maximal fix-points for relative completenessof the liveness rules is discussed in[15], based on[25].


• If p andq are path formulas then so arep ∨ q, p ∧ q,©p, pUq, pWq, �p,©∼p,pSq, andpBq.The formulas ofCTL∗ are all the state formulas generated by the above rules.A formula of the formQ, whereQ ∈ {E,A,Ef ,Af } is a path quantifier and is a

path formula containing no other path quantifier, is called abasic state formula. A basicstate formula of the formA orAf (E orEf) is called a basicuniversal(existential)state formula.A basic state formulaQp wherep is an assertion is called abasic assertionalformula.We define abasic path formulato be a path formula� whose principal operator is

temporal, and such that� contains no other temporal operators or path quantifiers.We referto the set of variables that occur in a formulap as thevocabulary ofp.The semantics of aCTL∗ formulap is definedwith respect to anFDSD over the vocabulary

of p. The semantics is defined inductively as follows. State formulas are interpreted overstates inD. We define the notion of aCTL∗ formulap holding at a states in D, denoted(D, s)�p, as follows:• For an assertionp,(D, s)�p ⇔ s�p

• For state formulasp andq,(D, s)�p ∨ q ⇔ (D, s)�p or (D, s)�q(D, s)�p ∧ q ⇔ (D, s)�p and(D, s)�q

• For a path formulap,(D, s)�Ep ⇔ (D,�, j)�p for some path� ∈ runs(D) and position

j ∈ [0..|�|) satisfying�[j ] = s.(D, s)�Ap ⇔ (D,�, j)�p for all paths� ∈ runs(D) and positions

j ∈ [0..|�|) satisfying�[j ] = s.The semantics ofEf p andAf p are defined similarly toEp andAp, respectively,

replacingpath(run) byfair path (fair runs or computations).Path formulas are interpreted over runs ofD. We denote the notion of aCTL∗ for-

mula p holding at positionj of a run � ∈ runs(D), by (D,�, j)�p. When j = 0,we use the shorthand notation(D,�)�p. The semantics of path formulas is defined asfollows:• For a state formulap,(D,�, j)�p ⇔ (D,�[j ])�p.

• For path formulasp andq,(D,�, j)�p ∨ q ⇔ (D,�, j)�p or (D,�, j)�q(D,�, j)�p ∧ q ⇔ (D,�, j)�p and(D,�, j)�q(D,�, j)�© p ⇔ j + 1< |�| and(D,�, j + 1)�p(D,�, j)�pUq ⇔ (D,�, k)�q for somek ∈ [j..|�|), and(D,�, i)�p

for all i ∈ [j..k)(D,�, j)�pWq ⇔ (D,�, j)�pUq, or (D,�, i)�p for all i ∈ [j..|�|)(D,�, j)��p ⇔ j > 0 and(D,�, j−1)�p(D,�, j)�©∼p ⇔ j = 0 or (D,�, j−1)�p(D,�, j)�pSq ⇔ (D,�, k)�q for somek, 0�k�j

and(D,�, i)�p for everyi, k < i�j(D,�, j)�pBq ⇔ (D,�, j)�pSq, or (D,�, i)�p for everyi, 0� i�j


Letp beaCTL∗ formula.Wesay thatp holdsonD (p isD-valid), denotedD�p, if (D, s)�p,for every initial states inD.A CTL∗ formulap is calledsatisfiableif it holds on somemodel.A CTL∗ formula is calledvalid if it holds on all models.

We refer to a state which satisfiesp as ap-state. Let p andq be CTL∗ formulas. Weintroduce the abbreviation

p⇒ q for A� (p→ q).

wherep→ q is the logical implication equivalent to¬p ∨ q. Thus, the formulap ⇒ q

holds atD if the implicationp→ q holds at all reachable states.LetV be a set of variables and be aCTL∗ formula overV .We denote by′ the formula

in which every variablev ∈ V is replaced by the primed variablev′.The restricted subset ofCTL∗ in which each temporal operator is immediately preceded

by a path quantifier is calledComputation Tree Logic(CTL).A state formula whose principaloperators are a pairQT (whereQ is a path quantifier andT is a temporal operator) andwhich does not contain any additional temporal operators or path quantifiers is called abasicCTL formula.We refer to path formulas which do not contain any path quantifiers asLTL formulas.

3.2. The verification problem

Having presented our model for systems and the specification language ofCTL∗, we canformulate the problem this paper intends to solve.Given a viableFDSD and aCTL∗ formula�, our goal is to verify that� isD-valid, i.e.,

all computations ofD satisfy�.With no loss of generality, we assume that formula� is given inpositive normal form, i.e.

contains negations only as part of assertions. It is straightforward to transform an arbitraryCTL∗ formula into a positive formCTL∗ formula which is equivalent to over every viableFDS.

4. Temporal testers

In this section we present a construction oftemporal testers[10] which are central toour verification process. Given a path formula�, a testerT [�] for � is an FDS with adistinguished boolean variablex�, such thatx� = 1 at all positions in aT [�]-computationin which� is true.We often refer to the variablex� as theoutput variableof T [�]. Temporaltesters present a modular and symbolic version of the construction of a temporal tableau[14].

4.1. Testers for basic path formulas

We first present a construction of testers for the basic path formulas. These will serve asthe building blocks for the construction of a tester for a general path formula. We define atester for each of the temporal operators©, U , W ,�,©∼, S , andB.


The set of variables of a testerT [�] for a basic path formula consists of the vocabularyof � augmented by the variablex� .The testerT [©p] for the basic path formula©p is defined as follows:

T [©p] :

V : Vp ∪ {x◦}� : T

� : x◦ = p′J : ∅C : ∅.

The testerT [pUq] for the basic path formulapUq:

T [pUq] :

V : Vp ∪ Vq ∪ {xU }� : T

� : xU = q ∨(p ∧ x′U

)J : {¬xU ∨ q}C : ∅.

The testerT [pW q] for the basic path formulapW q:

T [pW q] :

V : Vp ∪ Vq ∪ {xW }� : T

� : xW = q ∨(p ∧ x′W

)J : {xW ∨ (¬p ∧ ¬q)}C : ∅.

The testerT [�p] for the basic path formula�p:

T [�p] :

V : Vp ∪ {x�}� : x� = F

� : x′�= p

J : ∅C : ∅.

The testerT [©∼p] for the basic path formula©∼p:

T [©∼p] :

V : Vp ∪ {x©∼}� : x©∼ = T

� : x′©∼ = p

J : ∅C : ∅.

The testerT [pSq] for the basic path formulapSq:

T [pSq] :

V : Vp ∪ xS� : xS = q

� : x′S = q ′ ∨ (p′ ∧ xS )J : ∅C = : ∅.


The testerT [p B q] for the basic path formulap B q:

T [p B q] :

V : Vp ∪ xB� : xB = p ∨ q

� : x′B = q ′ ∨ (p′ ∧ xB )J : ∅C : ∅.

Note that, in general, testers are not guaranteed to be deadlock-free. Consider, for example,a tester for the basic path formula�p.While we did not present such a tester in the precedinglist, it can be derived from the tester for the formulapW F. This tester is given by

T [� p] :

V : Vp ∪ {x�}� : T

� : x� = p ∧ x′�J : {x� ∨ ¬p}C : ∅.

This tester has the run

s0 : 〈p : 0, x� : 1〉

which cannot be extended. Thus, it has some finite runs and is, therefore, not deadlock-free.

4.2. Testers for generalLTL formulas

Next, we present an incremental construction of a tester for a generalLTL formula. First,we restrict our attention toLTL formulas whose principal operator is temporal (rather thanboolean).For anLTL formula, we denote byT [] the temporal tester for. Let f (�) be a

principally temporal path formula containing one or more occurrences of the basic pathformula�.We denote byf (x) the formula obtained fromf by replacing all occurrences of� by the boolean variablex. Then the construction principle is presented by the followingrecursive reduction formula:

T [f ] = T [f (x�)] ||| T [�]. (1)

That is, we conjoin the tester for� to the recursively constructed tester for the simplerformulaf (x�).We illustrate this construction on theLTL formula�♦ p for the case thatp is a simple

proposition (boolean variable). Application of the reduction principle leads to

T [�♦ p] = T [� x♦] ||| T [♦ p].


ComputingT [♦ p] andT [� x♦] separately and forming their synchronous parallel compo-sition yields the following tester whose output variable isx�.

T [�♦ p] :

V : {p, x♦, x�}� : T

� :(x♦ = p ∨ x′♦

)∧ (

x� = x♦ ∧ x′�)

J : {¬x♦ ∨ p, x� ∨ ¬x♦}C : ∅.

In general, for a principally temporal formula, T [] = T1 ||| · · · ||| Tk, whereT1, . . . , Tkare the temporal testers constructed for the principally temporal sub-formulas of. T []containsk auxiliary boolean variables, and the output variable ofT [] is the output variableof T1—the last constructed tester.In general, we carry the recursive reduction described by Eq. (1) until we obtain the tester

T1 which is a tester for a basic path formula. We can carry it one step further and obtainan assertion which contains no further temporal operators. We refer to this assertion as thereduxof the originalLTL formula, denoted byredux(). For the case that is principallytemporal,redux() is the single output variablex. If we apply the recursive constructionEquation (1) to anLTL formula which is not principally temporal, we may obtain a morecomplex assertion as the resulting redux.Consider, for example, theLTL formula : � p ∨ ♦ q. The corresponding tester is given

by:

T [] = T [� p] ||| T [♦ q]while redux() = x�∨x♦, wherex� andx♦ are the output variables ofT [� p] andT [♦ q],respectively.

5. Symbolic model checkingCTL∗ properties

In this section we present symbolic model checking of aCTL∗ formula over a finite-stateFDS. The variables of both theFDSand theCTL∗ formula are restricted to finite domains.

Let D : 〈V,�,�,J , C〉 be anFDSandp = p(V ) be an assertion overV. We define thepre-imageof p in D to be the assertion

�♦p = ∃V ′ : �(V , V ′) ∧ p(V ′).

Every reachable state inD satisfying�♦p has a successor satisfyingp. Thus,�♦p charac-terizes all the predecessors ofp-states.In a symmetricway,wedefine thepost-imageof anassertionp = p(V ) to be theassertion

p♦� = ∃V0 : �(V0, V ) ∧ p(V0).The post-imagep♦� characterizes all the successors ofp-states.


Example 1. Consider the following system:

1 :p 2 :p0 :p

The correspondingFDS is given by

D :

V : {� : [0..2], p : boolean}� : � = 0 ∧ p

� : � = 0 ∧ (�′ = 0 ∧ p′ ∨ �′ = 1 ∧ ¬p′) ∨

� �= 0 ∧ (�′ = 2 ∧ p′)

J = C : ∅.

Computing the pre-image�♦¬p, we obtain

∃�′, p′ : � ∧ ¬p′ = (� = 0).

Thus, the set of states having a successor satisfying¬p includes the single state� = 0.

To capture the set of states that can reach ap-state in a finite number of�-steps, we define

�∗♦p = p ∨ �♦p ∨ �♦(�♦p) ∨ �♦(�♦(�♦p)) ∨ · · · .In a similar way, we define

p♦�∗ = p ∨ p♦� ∨ (p♦�)♦� ∨ ((p♦�)♦�)♦� ∨ · · · ,which capture the set of all states reachable in a finite number of�-steps from ap-state.

5.1. Statification

For a state formula�, we denote by‖� ‖ the assertion characterizing the set of allD-states satisfying�. For the case that� is an assertion,‖� ‖ = �. For the cases that weneed to specify explicitly the system over which the formula is statified, we write‖�, D ‖to denote the statification of� overFDSD.

Claim 1 (Model checking state formulas). For a state formula�,D�� iff � → ‖� ‖.It only remains to provide a recipe for the computation of‖� ‖ for the various state

formulas.As discussed in the introduction, our proof method is based on two decomposition prin-

ciples as follows: a general state formula is decomposed into basic state formulas, and ageneral path formula is decomposed into basic path formulas. When these reductions areperformed repeatedly, we remain with basic assertional formulas of the formEf p andAf pwherep is an assertion. These assertional formulas are statified by the symbolic algorithmFEASIBLE presented in Section5.4.2.


5.2. Eliminating nested state formulas

Let f (�) be a state formula containing one or more occurrences of the nested stateformula�, and letq = ‖� ‖.

Claim 2 (Elimination of a nested state formulas).

‖f (�) ‖ = ‖f (q) ‖,

wheref (q) is obtained by substitutingq for all occurrences of� in f .

Consider ageneralCTL∗ formula.Claim2enablesus toeliminateall nestedstate formulas,starting with the innermost ones, until we end up with basic state formulas. Basic stateformulas are statifiedbyeither temporal operator elimination (Section5.4) or by statificationof basic assertional formulas (Section5.4.2).

Example 2. Consider the following system:

1 :p 2 :p0 :p

Assume we wish to model check the formulaf = A♦ A� p︸︷︷︸�

over this system. Following

Claim2, we compute first

‖� ‖ = ‖A� p ‖ = (� = 2).

Next, we compute

‖f (‖� ‖) ‖ = ‖A♦ (� = 2) ‖ = (� > 0).

Now, it remains to check

� → ‖f ‖ = (� = 0∧ p → � > 0) = 0,

which shows thatA♦A� p does not hold onD.

5.3. Fair and unfair basic state formula

Abasic state formula� is called afair state formulaif the single path quantifier appearingin� is eitherEf orAf . Otherwise, it is called anunfair state formula. Given an unfair state


formula�, we denote byfair(�) the formula obtained from� by replacing occurrences ofE byEf and occurrences ofA byAf .LetD = 〈V,�,�,J , C〉 be anFDS. We denote byDunfair theFDS

Dunfair : 〈V,�,�,∅,∅〉obtained fromD by removing all justice and compassion requirements.The following claim shows that, with no loss of generality, we can restrict our attention

to fair basic state formulas.

Claim 3 (Sufficient to deal with fair basic state formulas). For an unfair basic stateformula� and deadlock-freeFDSD,

D�� iff Dunfair � fair(�)

5.4. Statification of fair basic state formulas

In this subsection we show how to compute the statification of a fair basic state formulaof the formQf�, whereQf ∈ {Ef ,Af } is a fair path quantifier, and� is anLTL formula.This is done in two steps: in5.4.1we show how to reduce a fair basic formula into a basicassertional formula, i.e., a formula of the formQf p, wherep is an assertion. Then, in5.4.2we show how to compute the statification of basic assertional formulas.

5.4.1. Reduction into basic assertional formulasThe modularity ofCTL which enables us to model check a formula by successively

computing‖� ‖ for all of its nested basic formulas has, for a long time, been considered aunique feature ofCTL, and amajor argument in thebranchingvs.linear debate (e.g.[12,5]).A similar modularity (though for a higher price) exists for theLTL component of a general

basic state formula, as shown by the following:

Claim 4 (Elimination of temporal operators). Let Qf f () be a fair basic state formulacontaining one or more occurrences of the basic path formula, whereQf ∈ {Ef ,Af }.Then, we can compute

‖Ef f (), D ‖ = ∃ x : (‖Ef f (x), D ||| T [] ‖),‖Af f (), D ‖ = ∀ x : (‖Af f (x), D ||| T [] ‖),

whereT [] is the temporal tester for, x is the fresh variable introduced byT []. Theexpression‖Qf f (x), D ||| T [] ‖ stands for the statification ofQf f (x) computed overthe augmentedFDSD ||| T [].

Example 3. Reconsider the system

1 :p 2 :p0 :p


Fig. 1. SystemD+.

Wewish to compute the statification‖Af♦ � p ‖ over this system. Following the reductionsof Claim4, we obtain

‖Af♦ � p , D ‖ = ∀ x� : ‖Af♦ x�, (D ||| T [� p]) ‖= ∀ x♦, x� : ‖Af x♦, (D ||| T [� p] ||| T [♦ x�]) ‖.

First, we construct the testerT [� p].

T [� p] :

V : {p, x�}� : T

� : x� = p ∧ x′�J : x� ∨ ¬pC : ∅

px�px�

px� px�

The justice requirementx�∨¬p is intended to guarantee thatwewill not havea computationin which continuouslyp = 1, whilex� = 0.Next, we form the parallel compositionD+ : D ||| T� as presented in Fig.1.Next, we construct the testerT [♦ x�] given by

T [♦ x�] :

V : {x� , x♦}� : T

� : x♦ = x� ∨ x′♦J : x� ∨ ¬x♦C : ∅.


Fig. 2. SystemD++.

We form the parallel compositionD++ = D+ ||| T [♦ x�] = D ||| T [� p] ||| T [♦ x�]. Thissystem is presented in Fig.2. The justice requirements associated withD++ are

J1 : x� ∨ ¬p, J2 : ¬x♦ ∨ x�.

In the diagram we denote the justice requirements satisfied by each state according to thefollowing conventions: every state is represented by a double oval. If the state satisfiesJ1then the inner oval is drawn in a “dash–dot” line style. Otherwise, the inner oval is drawnin a “solid” line style. Similarly, if the state satisfiesJ2 then the outer oval is drawn in a“dash–dot” line style. Otherwise, the outer oval is drawn in a “solid” line style.Using the methods of Section5.4.2, we can evaluate‖Af x♦ ‖ over D++, obtaining

‖Af x♦ ‖ = 1. We can therefore conclude that the originalFDSD satisfiesAf♦ � p.A summary version of the reduction. Consider a fair basic state formulaQf. Systematic

application of the reductions presented inClaim4performs successive augmentations of theFDSD by temporal testers corresponding to basic path sub-formulas of, and successivereplacements in of these sub-formulas by the output variables of their correspondingtesters.Tracing these successive augmentations and replacements, we see that they are identical

to the transformations used when computing the temporal tester of theLTL formula, asprescribed in Section 4.2. This observation leads to the following summary version ofClaim 4 which, in one step, reduces a fair basic state formula into a basic assertionalformula:


Claim 5 (From basic state formulas to basic assertional formulas). LetQf be a fair ba-sic state formula. Then, we can compute

‖Ef, D ‖ = ∃ vars : (‖Ef redux(), D ||| T [] ‖),‖Af, D ‖ = ∀ vars : (‖Af redux(), D ||| T [] ‖),

whereT [] is the temporal tester for, and redux() is the redux of when constructingT [].The expression‖Qf redux(), D ||| T [] ‖ stands for the statification ofQf redux()computed over the augmentedFDS D ||| T []. The variablesvars are all the auxiliaryvariables introduced by the construction ofT [].

This one-step reduction from basic state formulas to basic assertional formulas was firstpresented in[11].Note that quantifying out the variablesvars guarantees that, when the computation

is done, the statification‖Qf, D ‖ is an assertion overD. Thus,FDS’s which are notdeadlock-free arise only at intermediate stages in the statification ofQf but never at astage where we may want to apply Claim3 in order to convert an unfair path quantifier intoa fair one.

Example 4. We can apply the reduction of Claim5 in order to compute the statification‖Af♦ � p ‖ over systemD of Example3.We start by computing the testerT [♦ � p]whichis given by

T [♦ � p] :

V : {p, x�, x♦}� : T

� : (x� = p ∧ x′�) ∧

(x♦ = x� ∨ x′♦

)J : {x� ∨ ¬p, ¬x♦ ∨ x�}C : ∅.

The redux ofT [♦ � p] is the output variablex♦. It only remains to form the synchronousparallel composition ofT [♦ � p] with D which yields systemD++, as presented in Fig.2.Thus, Claim5 yields the following reduction:

‖Af♦ � p, D ‖ = ∀x�, x♦ : Stat (Af x�,D++).

5.4.2. Statifying basic assertional formulasThe statification of both types of basic assertional formulas, i.e., formulas of the form

Ef p andAf p for some assertionp, are based on the singleFEASIBLE symbolic algorithmpresented in Fig.3.The algorithm starts by placing innew the set of all reachable states. It then removes

from this set all state which are obviously infeasible. For example, the assignment

new := new ∧ (�♦new)

removes fromnew all states which do not have a successor innew.AlgorithmFEASIBLEevaluates an assertion characterizing the set of allD-feasible states.

LetU be the assertion evaluated byFEASIBLE (D), ands be a state inD.


Fig. 3. Algorithm FEASIBLE.

Claim 6. States is D-feasible iffs�U .

Proof. See[11].

The computation described in the algorithm of Fig.3 can also be described more suc-cinctly by the following fix-point formula:

FEASIBLE = �∗♦ �

�♦�∗ ∧ �♦� ∧ ∧

J∈J(� ∧ �)∗♦(� ∧ J ) ∧∧

(p,q)∈C¬p ∨ (� ∧ �)∗♦(� ∧ q)

. (2)

We can now evaluate the assertion characterizing the set ofD-states satisfying an existentialand universal basic assertional formula, as follows:

‖Ef p, D ‖ = p ∧ FEASIBLE(D),‖Af p, D ‖ = FEASIBLE(D)→ p.

Example 5. Reconsider systemD++ of Fig. 2 over which we wish to compute the stat-ification ‖Af x♦ ‖. Applying algorithmFEASIBLE, we obtain the following set of feasible


states:

{〈0 :px�x♦〉, 〈0 :px�x♦〉, 〈1 :px�x♦〉, 〈2 :px�x♦〉}.Since each of these states contains (and hence satisfies)x♦, we conclude

‖Af x♦, D++ ‖ = feasible(D++)→ x♦ = 1

implying that statification of‖Af x♦ ‖ overD++ contains all reachable states. From this,according to Example3, we can conclude that systemD satisfiesAf♦ � p.

6. A deductive proof system forCTL∗ properties

The deductive method can be used to verifyCTL∗ properties over infinite-state systems.Recall our assumption thatCTL∗ formulas are given in positive normal form. To simplifythe presentation and get simpler proofs, we assume that theFDSrepresenting the system istransformed intoaJDSprior to theverification.We thusconsider systemswithnocompassionrequirements, and deal only with thejusticerequirements (J ).Before proceeding, we remind the reader some of the previously introduced definitions:

• A basic path formulais a path formulawhose principal operator is temporal, and suchthat contains no additional temporal operators or path quantifiers.

• A basic state formulais a formula of the formQ, whereQ ∈ {E,A,Ef ,Af } is a pathquantifier and is a path formula containing no additional path quantifier. In the casethatQ ∈ {Ef ,Af }, we refer toQ also as afair basic state formula.

• A basicCTL state formulais a basic state formula of the formQ where is a basicpath formula.

• A basic assertional formulais a basic state formula of the formQ where is anassertion.

6.1. Decomposing a formula into basic state formulas

Consider aCTL∗ formula� which we wish to verify over anFDSD. As a first step, weshow how to reduce the task of verifying the formula� into simpler subtasks, each requiredto verify a basic state formula overD. This reduction repeatedly applies ruleBASIC-STATEwhich is presented in Fig.4.The rule considers an arbitraryCTL∗ formulaf which contains one or more occurrences

of the basic state formula�. The rule calls for an identification of an assertionp whichunder-approximates the set of states that satisfy the formula�. It then reduces the task ofverifying f (�) into the two simpler tasks of verifying the entailmentp ⇒ �, where� isa basic state formula, and verifying the formulaf (p), obtained fromf by substituting theassertionp for all occurrences of�.

Claim 7 (Basic state). RuleBASIC-STATE is sound and relatively complete for proving thatCTL∗ formulaf is valid overFDSD.


Fig. 4. BASIC-STATE.

Proof (Sketch). Relative completeness implies that, for every basic state formula�, thereexists an assertionp such thatp ⇒ � is D-valid. In fact, we claim that for every such�, there exists an assertion, called thestatificationof � and denoted by‖� ‖, such that‖� ‖ holds at precisely those states which satisfy�. The notion of statification used hereis identical to the one introduced in Section5. The difference in the usage of this notion isthat in Section5we provided a recipe showing how to compute‖� ‖ over a finite-stateFDSusing symbolic model checking techniques. Here we only claim that‖� ‖ can be expressedby an assertion, provided our underlying assertional language is expressive enough.Theproof of this fact proceedsby inductionon thenumber of temporal operatorswithin�.

Westartwith thecase that� is abasicCTL state formula.For thecases that thepathquantifiersare unrestricted, these assertion can be expressed by a first-order formula, provided we canquantify over finite sequences of states. For example, the assertion expressing‖E♦r‖ foran assertionr can be written as

‖E♦r‖ = �s : ∃n ∈ N, a : [1..n] !→ � :a[1] = s ∧ r(a[n]) ∧ ∀i : [1..n−1] : �(a[i], a[i+1]). (3)

This assertion claims the existence of a sequence of statesa[1..n], such thata[1] coincideswith s, eacha[i+1] is a�-successor ofa[i], and the final statea[n] satisfiesr.For the case of fair path quantifiers such asAf orEf , we need to use fix-point operators

as shown in Eq. (2) in order to capture fair sequences.Next, we consider the general case of a basic state formulas with more than a single

temporal operator. According to Claim3, it is sufficient to consider the case of fair basicstate formulas of the formQf. We can then use the reduction techniques presented inClaim4 by which

‖Ef f (), D ‖ = ∃ vars : (‖Ef f (x), D ||| T [] ‖),‖Af f (), D ‖ = ∀ vars : (‖Af f (x), D ||| T [] ‖),

whereT [] is the temporal tester for, vars are all the auxiliary variables introducedby the construction ofT [], andx ∈ vars is the principal output variable ofT []. Thecomputation of the statifications‖Ef f (x), (D ||| T []) ‖ and‖Af f (x), (D ||| T []) ‖canbeexpressedby themethodsofSection5.4.2.All of thesecomputations canbeexpressedusing first-order quantification over the state variables, and fix-points for the computation ofFEASIBLE. Note that even thoughwe are dealing herewith systemswith potentially infinitelymany states, the structure of the temporal testers remains the same, and it is only requiredto add a single boolean variable as an auxiliary variable for each temporal operator.�


Fig. 5. An example systemD.

Note that ruleBASIC-STATE is actually sound (and relatively complete) for an arbitrarystate formula. However, we recommend its use for the restricted case of basic state formulas.This recommendation suggests a systematic proof methodology by which one always dealswith the innermost nested basic state formula, replacing it by an assertion, before continuingto deal with the rest of the formula.

Example 6. Consider the systemD presented in Fig.5.This system has a single state variabley and no fairness conditions. For this system we

wish to prove the propertyf : E�E♦(y = 1), claiming the existence of a run from eachof whose states it is possible to reach a state at whichy = 1.Using ruleBASIC-STATE, it is possible to reduce the task of verifying the non-basic formula

E�E♦F(y = 1) into the two tasks of verifying

R1. (y = 0)⇒ E♦(y = 1),R2. E�(y = 0).

Note that, as the assertionp, we have choseny = 0. The design of an appropriate assertionp which characterizes states satisfying� is the part which requires creativity and ingenuityin the application ofBASIC-STATE. �

In the rest of the section, we will present rules and methods which can be used to proveentailments of the formp⇒ � for an assertionp and basic state formula�.

6.2. Preliminary inference rules

We introduce two basic inference rules as part of the deductive system. LetD be anFDS andp, q be assertions. The first rule isgeneralization, presented in Fig.6. The ruletransforms a state validity (denoted by�) into a temporal validity (denoted by�). Thepremise � p states that assertionp holds at every possible state, implying thatp is atautology. Then obviously,p holds at every reachable state of every model, and thereforethe basic universal state formulaA� p holds at the initial state of everymodel (equivalently,D�A� p for everyFDSD).The second rule isentailment modus ponens, presented in Fig.7. The rule states that if

every reachable state satisfies bothp and the implicationp→ q (i.e.,D satisfiesA� p andA� (p→ q)), thenq holds at every reachable state (D satisfiesA� q).Most of the rules in the proof system have the formp ⇒ �, wherep is an assertion.

RuleINIT presented in Fig.8 enables us to derive thecD-validity of the formula� from theentailment� ⇒ �, where� is the initial condition ofD.


Fig. 6. GEN (generalization). Fig. 7. EMP (entailment modus ponens).

Fig. 8. Rule INIT.

In the following, we present a set of proof rules all having a common structure. Premisesare stated above the line and the conclusion is presented below the line. Each rule claimsthat if the premises hold overD, then so does the conclusion. When the validities of thepremises and the conclusion are over differentFDS’s, the relevantFDSare stated explicitly,otherwise the commonFDS is omitted.

6.3. Safety rules

First we consider safety formulas of the formQ� q, whereq is an assertion andQ ∈{A,Af ,E,Ef } is a path quantifier. We refer to such formulas asinvarianceformulas. Weuse the termsuniversalandexistentialinvariance for theCTL∗ formulas{A� q,Af� q} and{E� q,Ef� q}, respectively.

6.3.1. Universal invarianceIn Fig. 9, we present the rule for universal invariance, which is similar to the rule for

LTL invariance. RuleA-INV states that if the set of premises I1–I3 areD-valid, then theconclusion isD-valid. Premise I1 and I2 are shorthand notations forD�A� (p→�) andD�A� (�→ q), respectively. Premise I1 states that every reachablep-state is also a�-state. Similarly, premise I2 states that every reachable�-state is aq-state. Assertion�is introduced to strengthen assertionq in caseq is not inductive, namely, in caseq doesnot satisfy I3 (see[17] for a discussion on inductive assertions). Premise I3 is a shorthandnotation forD�A� (�(V ) ∧ �(V , V ′)→�(V ′)). The premise states that every�-successorof a reachable�-state is a�-state (equivalently, all transitions ofD preserve�). RuleA-INVestablishes the invariance formulaA� q over all reachablep-states, for some assertionp.

Claim 8 (Universal invariance). LetD be anFDS.RuleA-INV is sound and relatively com-plete, for proving unrestricted universal(state) invariance overD.


Fig. 9. A-INV (universal invariance).

Fig. 10. E-NEXT.

Proof (Sketch). The proof of completeness is based on the identification of an assertion�, expressible in our assertional language, which satisfies the premises of ruleA-INV. Wefollow the construction of[15] (further elaborated in[16]) to show the existence of anassertion characterizing all the states that can appear in a finite run of a systemD. �

6.3.2. Existential invarianceWe define awell-founded domain(A,") to consist of a setA and awell-founded order

relation" on A. The order relation" is calledwell-foundedif there does not exist aninfinitely descending sequencea0, a1, . . ., of elements ofA such that a0 " a1 " · · · .

Next, we present three proof rules which together constitute a sound and (relatively)complete set for proving existential (state) invariance. The first rules,E-NEXT andE-UNTILpresented in Figs.10and11, prove the validity of theCTL∗ propertiesE© q andqE U r,respectively, over all reachablep-states, wherep, q andr are assertions. Both rules aredefined for the unrestricted existential path quantifierE which quantifies over any path, notnecessarily a fair path (recall thatE is weaker thanEf ). While not being invariance rulesby themselves, theE-NEXT andE-UNTIL rules are included in this subsection because theyare essential for the invariance ruleEf -INV presented in Fig.12. The premise of ruleE-NEXTis a shorthand notation forD�A� (p(V )→∃V ′ : �(V , V ′) ∧ q(V ′)). The premise statesthat from every reachablep-state, there exists aD-transition into aq-state.The ruleE-UNTIL uses a well-founded domain(A,"), and an intermediate assertion�,

associated with a ranking function�. Function� maps states into the setA and is intendedto measure the distance of the current state to a state satisfying the goalr. The third rule,Ef -INV presented in Fig.12, is the existential invariance rule. We use the notation(i ⊕m 1)


Fig. 11. E-UNTIL.

Fig. 12. Ef -INV.

for (i + 1)modm. RuleEf -INV proves a temporal property using three premises. PremisesI1 and I2 use state reasoning, and premise I3 requires temporal reasoning. Premise I3 isresolved by the rulesE-NEXTandE-UNTILwhich transform the temporal reasoning into statereasoning. For the special case thatp = � andq = T, ruleEf -INV provesfeasibilityof D.For the case thatp = q = T, the rule provesviability of D.

Claim 9 (Existential invariance). LetD be anFDS.RulesE-NEXT, E-UNTIL,andEf -INV aresound and relatively complete, for proving their respective conclusions.

Proof (Sketch). For ruleE-NEXT, it is straightforward to write a first-order assertion�whichcharacterizes all the reachable states which have a successor satisfyingp. For ruleE-UNTIL,we can construct an assertion� which characterizes all the statess from which there existsa q-path leading to anr-state. This assertion is similar to the assertion described in Eq.(3), except that we have to add the requirement that all states encoded ina[1], . . . , a[n−1]satisfyq. We can then use a ranking function� which measures the length of the shortestq-path leading to anr-state. It only remains to show that these two constructs are expressiblewithin our assertional language. For ruleEf -INV, we can use amaximal fix-point expressionsimilar to Eq. (2) to construct an assertion� characterizing all accessible states initiating acontinuous-q fair path. For the sub-assertions�i , we can take� ∧ Ji . �


Fig. 13. Rule Af -EVENT (universal well-founded eventuality under justice).

6.4. Liveness properties

6.4.1. Universal liveness under justiceIn Fig. 13, we present the rule foruniversal eventualityproperties of the formp ⇒

Af♦ r. The rule uses a well-founded domain(A,"), a ranking function�, and a set ofintermediate assertions�1, . . . ,�m. The function� is intended to measure the distance ofthe current state to a state satisfying the goalq. PremiseW1 states that everyp-state satisfiesq or one of�1, . . . ,�m. PremiseW2 states that for everyi, 1� i�m, a�i-state with rank� = u is followed by either aq-state or a�i-state that does not satisfyJi and has the sameranku, or by a�j -state (1�j�m) with a smaller rank (i.e.,u " �). The rule claims that ifpremiseW1, and the set ofm premisesW2 areD-valid, then the (fair) universal eventualitypropertyAf♦ q is satisfied by all reachablep-states.

Claim 10 (Universal eventuality). RuleAf -EVENT is sound and relatively complete, forproving theD-validity of universal eventuality formulas.

Proof (Sketch). This rule is semantically equivalent to theLTL rule for the propertyp ⇒♦ q. We refer the reader to[15] for the non-trivial proof of relative completeness of thisrule. �

6.5. Basic assertional formulas

As the last rules for special cases, we present two rules dealing with the entailmentsp⇒ Qq, wherep andq are assertions andQ ∈ {Af ,Ef } is a fair path quantifier.

RuleAf -ASRT, presented in Fig.14, can be used in order to establish the validity of theentailmentp⇒ Af q, for the case thatp andq are assertions.The rule claims that, in order to prove the validity ofp ⇒ Af q, it is sufficient to show

that no fair runs can depart from a reachable state satisfyingp ∧ ¬q. This is shown byproving (using ruleAf -EVENT) that every fair run departing from a reachable(p∧¬q)-statesatisfiesAf♦ F (“eventually false”), which is obviously impossible. Thus there can be no


Fig. 14. Af -ASRT. Fig. 15. Ef -ASRT.

fair runs departing from such a state and, therefore, no such states are reachable as part ofa computation.The dual ruleEf -ASRT is presented in Fig.15.This rule claims that, in order to provep ⇒ Ef q, it is sufficient to show that every

reachablep-state satisfiesq and initiates at least one fair run.

6.6. Basic state formulas

Finally, we present our general approach to the verification of an entailment of the formp⇒ � for an assertionp and a basic state formula�.

6.6.1. Unfair basic state formulasThe case that the basic state formula has the form� = Q, whereQ ∈ {A,E} is an

unrestricted path quantifier, is treated in a way similar to Claim3. That is, we convert unre-stricted path quantifiers to their fair version. This is summarized in ruleUNFAIR, presentedin Fig. 16.Consequently, it only remains to deal with formulas of the formp⇒ Qf.

6.6.2. Fair basic state formulasThe approach to the verification of a formulap ⇒ Qf is based on a successive elim-

ination of temporal operators from the formulaQf until it becomes a basic assertionalformula, to which we can apply rulesAf -ASRT or Ef -ASRT. Elimination of the temporaloperators is based on the construction of temporal testers, as presented in Section4.Let f (�) be a fair basic state formula containing one or more occurrences of the path

formula�. In Fig. 17, we present the ruleBASIC-PATH which reduces the proof off (�)to the proof off (x�) overD ||| T [�], whereT [�] is a temporal tester for�, x� is theoutput variable ofT [�], andf (x�) is obtained fromf (�) by replacing every occurrence of� by x�.

Example 7. Reconsider systemD first introduced in Fig.5. For convenience, we duplicateit in Fig. 18. For this system we wish to prove the propertyT ⇒ Af♦ � even(y), statingthat every computation eventually stabilizes with an even value of the state variabley.Following are the first steps of the deductive proof for this property. The proof is presented

in a goal-oriented style, where we identify for each goal the subgoals which are necessaryin order to establish the goal and the rule which justifies the deductive step.


Fig. 16. Rule UNFAIR. Fig. 17. BASIC-PATH.

Fig. 18. An example systemD.

D � T ⇒ Af♦ � even(y) A tester forx� = � even(y)D ||| T� � T ⇒ Af♦ x� A tester forx♦ = ♦ x�D ||| T� ||| T♦ � T ⇒ Af x�

These proof steps reduce the task of verifying the formulaT ⇒ Af♦ � even(y) over systemD to theverificationof thesimpler formulaT ⇒ Af x� over thesystemD∗ = D ||| T� ||| T♦.The transition relation of systemD∗ is presented in Fig.19.The justice requirements associated withD∗ are

J1 : x� ∨ ¬even(y), J2 : ¬x♦ ∨ x�.

Wemark the states by double ovals, where the inner (respectively, outer) oval is drawn in a“dash–dot” line style iff the state satisfiesJ1 (respectively,J2).We now use ruleAf -ASRT in order to reduce the goalD∗�T ⇒ Af x� into the goal

D∗�¬x� ⇒ Af♦ F. This goal is proven using ruleAf -EVENT with the followingchoices:

p : ¬x♦q : F

� : 2− y�1 : ¬x♦ ∧ even(y)�2 : ¬x♦ ∧ ¬even(y).

6.7. Summary version of ruleBASIC-PATH

RuleBASIC-PATH eliminates one temporal operator at a time. It is possible to reduce afair basic state formulaQf into a basic assertional state formula in a single step, using


Fig. 19. The augmented systemD∗.

Fig. 20. Rule LTL-REDUCE.

the temporal tester for the entireLTL formula. This is presented in ruleLTL-REDUCE ofFig. 20.

7. Conclusions

In this paper, we presented a uniform approach tomodel checking and deductive verifica-tion ofCTL∗ formulas over reactive systems. This approach iscompositionalin the structureof the verified formula. That is, the task of verifying a complexCTL∗ formula� over a sys-tem is broken into subtasks of verifying sub-formulas of�. Modularity in the treatment oftheLTL fragment ofCTL∗ is based on the construction oftemporal testerswhich introducesauxiliary boolean variables which are true whenever theLTL formula holds. This approachhas close relation to[3] which encodesLTL fragments withinCTL. The deductive system is


sound and complete for verifyingCTL∗ properties of reactive systems. The model-checkingpart has been implemented as reported in[11]. The deductive system is currently beingimplemented as a theory withinPVS.

Acknowledgements

We gratefully acknowledge the continuous support, helpful suggestions, and critical as-sessment of the evolution of thiswork byTamarahAronswho, in parallel with the theoreticaldevelopments reported here, implemented theCTL∗ deductive system as aPVStheory. Theseresults will be reported in a separate publication. This research was supported in part by theMinerva Center for Verification of Reactive Systems, the Israel Science Foundation (Grantno. 106/02-1), and NSF Grant CCR-0205571.

References

[1] N. BjZrner, I. Browne, E. Chang, M. Colón, A. Kapur, Z. Manna, H. Sipma, T. Uribe, STeP: the Stanfordtemporal prover, User’s Manual, Technical Report STAN-CS-TR-95-1562, Computer Science Department,Stanford University, November 1995.

[2] Y. Choueka, Theories of automata on�-tapes: a simplified approach, J. Comp. Systems Sci. 8 (1974)117–141.

[3] E. Clarke, O. Grumberg, K. Hamaguchi, Another look at LTL model checking, in: D.L. Dill (Ed.), Proc. 6thConf. on ComputerAidedVerification, Lecture Notes in Computer Science, Vol. 818, Springer, Berlin, 1994,pp. 415–427.

[4] E. Emerson, Temporal and modal logics, in: J. van Leeuwen (Ed.), Handbook of Theoretical ComputerScience, Vol. B, Elsevier, Amsterdam, 1990, pp. 995–1072.

[5] E. Emerson, J. Halpern, ‘Sometimes’and ‘not never’ revisited: on branching time versus linear time, J.ACM.33 (1986) 151–178.

[6] E.A. Emerson, C. Lei, Modalities for model checking: branching time logic strikes back, Sci. Comput.Program. 8 (1987) 275–306.

[7] D. Gabbay, The declarative past and imperative future, in: B. Banieqbal, H. Barringer, A. Pnueli (Eds.),Temporal Logic in Specification, Lecture Notes in Computer Science, Vol. 398, Springer, Berlin, 1987, pp.407–448.

[8] Y. Kesten, A. Pnueli, Verification by augmented finitary abstraction, Inf. Comp. 163 (2000) 203–243.[9] Y. Kesten, A. Pnueli, A deductive proof system for CTL∗, 13th Int. Conf. on Concurrency Theory

(CONCUR02), Lecture Notes in Computer Science, Vol. 2421, Springer, Berlin, 2002, pp. 24–39.[10] Y. Kesten, A. Pnueli, L. Raviv, Algorithmic verification of linear temporal logic specifications, in: K. Larsen,

S. Skyum, G. Winskel (Eds.), Proc. 25th Int. Colloq. Aut. Lang. Prog., Lecture Notes in Computer Science,Vol. 1443, Springer, Berlin, 1998, pp. 1–16.

[11] Y. Kesten, A. Pnueli, L. Raviv, E. Shahar, LTL model checking with strong fairness, Formal Methods SystemDes., 2004, to appear.

[12] L. Lamport, ‘Sometimes’ is sometimes ‘not never’: a tutorial on the temporal logic of programs, in: Proc. 7thACM Symp. Princ. Prog. Lang., 1980, pp. 174–185.

[13] D. Lehmann, A. Pnueli, J. Stavi, Impartiality, justice and fairness: the ethics of concurrent termination, in:Proc. 8th Int. Colloq.Aut. Lang. Prog., Lecture Notes in Computer Science, Vol. 115, Springer, Berlin, 1981,pp. 264–277.

[14] O. Lichtenstein, A. Pnueli, Checking that finite state concurrent programs satisfy their linear specification,in: Proc. 12th ACM Symp. Princ. Prog. Lang., 1985, pp. 97–107.

[15] Z. Manna, A. Pnueli, Completing the temporal picture, Theoret. Comp. Sci. 83 (1) (1991) 97–130.[16] Z. Manna, A. Pnueli, The Temporal Logic of Reactive and Concurrent Systems: Specification, Springer-

Verlag, NewYork, 1991.


[17] Z. Manna, A. Pnueli, Temporal Verification of Reactive Systems: Safety, Springer, NewYork, 1995.[18] K. Namjoshi, Certifying model checkers, in: G. Berry, H. Comon, A. Finkel (Eds.), Proc. 13th Int. Conf.

on Computer Aided Verification (CAV’01), Lecture Notes in Computer Science, Vol. 2102, Springer, Berlin,2001.

[19] D. Peled, A. Pnueli, L. Zuck, From falsification to verification, FTTCS, Lecture Notes in Computer Science,Vol. 2245, Springer, Berlin, 2001, pp. 292–304.

[20] A. Pnueli, Y. Kesten, Models, Algebras and Logic of Engineering Software, Chapter Algorithmic andDeductive Verification Methods for CTL∗. NATO Science Series: Computer and Systems Science, IOSPress, Vol. 191, 2003.

[21] A. Pnueli, R. Rosner, A framework for the synthesis of reactive modules, in: F. Vogt (Ed.), Proc . Int. Conf.on Concurrency: Concurrency 88, Lecture Notes in Computer Science, Vol. 335, Springer, Berlin, 1988, pp.4–17.

[22] M. Reynolds, An axiomatization of full computation tree logic, J. Symb. Logic 66 (3) (2001) 1011–1057.[23] H. Sipma, T. Uribe, Z. Manna, Deductive model checking, Formal Methods in System Des. 15 (1) (1999)

49–74.[24] C. Sprenger, On the verification of CTL∗ properties of infinite-state reactive systems, Ph.D. Thesis, Swiss

Federal Institute of Technology, Lausanne, 2000.[25] F. Stomp, W.-P. de Roever, R. Gerth, The -calculus as an assertion language for fairness arguments, Inf.

Comput. 82 (1989) 278–322.[26] M.Y. Vardi, Verification of concurrent programs—the automata-theoretic framework, Ann. PureAppl. Logic

51 (1991) 79–98.

a compositional approach to ctl veriﬁcation · in the model-checking method we ... science...

Documents