Automatic verification of finite state concurrent system using temporal logic specifications

E. M. Clarke, E. A. Emerson, A. P. Sistla
1983 Proceedings of the 10th ACM SIGACT-SIGPLAN symposium on Principles of programming languages - POPL '83  
Abstract: We give an efficient procedure for verifying that a finite state concurrent system meets a specification expressed in a (propositional) branching-time temporal logic. Our algorithm has complexity linear in both the size of the specification and the size of the global transition graph for the concurrent system. We also show how the logic and our algorithm can be modified to handle fairness. We argue that this technique can provide a practical alternative to manual proof construction or use of a mechanical theorem prover for verifying many finite state concurrent systems.

1. Introduction. In the traditional approach to concurrent program verification, the proof that a program meets its specifications is constructed by hand using various axioms and inference rules in a deductive system such as temporal logic ([8], [6], [10]). The task of proof construction is in general quite tedious, and a good deal of ingenuity may be required to organize the proof in a manageable fashion. Mechanical theorem provers have failed to be of much help due to the inherent complexity of even the simplest logics. We argue that proof construction is unnecessary in the case of finite state concurrent systems and can be replaced by a model theoretic approach which will mechanically determine if the system meets a specification expressed in propositional temporal logic. The global state graph of the concurrent system can be viewed as a finite Kripke structure, and an efficient algorithm can be given to determine whether a given structure is a model of a particular formula, i.e. to determine if the program meets its specification. The algorithm, which we call a model checker, is similar to the global flow analysis algorithms used in compiler optimization and has complexity linear in both the size of the structure and the size of the specification. When the number of global states is not excessive (i.e. not more than a few thousand) we believe that our technique may provide a useful new approach

... only considers fair computations is given in section 4. Section 5 describes an experimental implementation of the extended model checking algorithm and shows how it can be used to verify the correctness of the Alternating Bit Protocol. In section 6 we consider extensions of our logic that are more expressive and investigate the complexity of model checkers for these logics. The paper concludes with a discussion of related work and remaining open problems.

The Specification Language. The syntax for CTL is given below. AP is the underlying set of atomic propositions.
1. Every atomic proposition p ∈ AP is a CTL formula.
2. If f1 and f2 are CTL formulae, then so are ¬f1, f1 ∧ f2, AXf1, EXf1, A[f1 U f2], and E[f1 U f2].
The symbols ∧ and ¬ have their usual meanings.
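The grammar above is exactly what the model checker described in the abstract consumes: every state of the finite Kripke structure is labelled, bottom-up, with the subformulas it satisfies, and the two until operators are least fixpoints computed by propagating labels backwards along predecessor edges, which is what makes the procedure linear in the size of the structure times the size of the formula. The following Python program is an added illustration of that labelling algorithm over the page's seven connectives; it is not code from the paper. The tuple encoding of formulas, the `true` abbreviation (so that AF, EF and AG can be written as A[true U f], E[true U f] and ¬E[true U ¬f]), the names `Kripke`, `sat`, `check` and the four-state request/grant structure are all assumptions made here for the example.

```python
"""Explicit-state CTL model checking by state labelling (added example)."""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# A formula is a nested tuple over the page's connectives:
#   ('ap', p)  ('not', f)  ('and', f, g)  ('EX', f)  ('AX', f)  ('EU', f, g)  ('AU', f, g)
# ('true',) is a convenience abbreviation assumed here, not part of the page's grammar.
Formula = tuple


class Kripke:
    """Finite Kripke structure: states, total transition relation, labelling."""

    def __init__(self, states: Iterable[str], transitions: Iterable[Tuple[str, str]],
                 labels: Dict[str, Iterable[str]]):
        self.states: Set[str] = set(states)
        self.succ: Dict[str, Set[str]] = {s: set() for s in self.states}
        self.pred: Dict[str, Set[str]] = {s: set() for s in self.states}
        for a, b in transitions:
            self.succ[a].add(b)
            self.pred[b].add(a)
        for s in self.states:  # computation paths are infinite, so R must be total
            if not self.succ[s]:
                raise ValueError(f"state {s!r} has no successor; relation must be total")
        self.labels: Dict[str, FrozenSet[str]] = {s: frozenset(labels.get(s, ())) for s in self.states}


def sat(m: Kripke, f: Formula) -> Set[str]:
    """Set of states of m satisfying f, computed bottom-up over subformulas."""
    op = f[0]
    if op == 'true':
        return set(m.states)
    if op == 'ap':
        return {s for s in m.states if f[1] in m.labels[s]}
    if op == 'not':
        return m.states - sat(m, f[1])
    if op == 'and':
        return sat(m, f[1]) & sat(m, f[2])
    if op == 'EX':
        inner = sat(m, f[1])
        return {s for s in m.states if m.succ[s] & inner}
    if op == 'AX':
        inner = sat(m, f[1])
        return {s for s in m.states if m.succ[s] <= inner}
    left, right = sat(m, f[1]), sat(m, f[2])
    result, work = set(right), list(right)
    if op == 'EU':
        # least fixpoint: a state is labelled once some successor is labelled
        while work:  # every state enters the worklist at most once
            t = work.pop()
            for s in m.pred[t]:
                if s in left and s not in result:
                    result.add(s)
                    work.append(s)
        return result
    if op == 'AU':
        # count[s] = successors of s not yet known to satisfy A[f U g];
        # s is labelled when the count reaches zero and s satisfies f
        count = {s: len(m.succ[s]) for s in m.states}
        while work:
            t = work.pop()
            for s in m.pred[t]:
                count[s] -= 1
                if count[s] == 0 and s in left and s not in result:
                    result.add(s)
                    work.append(s)
        return result
    raise ValueError(f"unknown connective {op!r}")


# Derived operators, built only from the page's primitives (plus 'true').
def ap(p): return ('ap', p)
def not_(f): return ('not', f)
def and_(f, g): return ('and', f, g)
def implies(f, g): return not_(and_(f, not_(g)))
def AF(f): return ('AU', ('true',), f)
def EF(f): return ('EU', ('true',), f)
def AG(f): return not_(EF(not_(f)))


def request_grant_model(waiting_loop: bool) -> Kripke:
    """Constructed 4-state request/grant handshake (not from the paper).
    With waiting_loop=True the requester may sit in 'req' forever ungranted."""
    transitions = [('idle', 'idle'), ('idle', 'req'), ('req', 'granted'),
                   ('granted', 'released'), ('released', 'idle')]
    if waiting_loop:
        transitions.append(('req', 'req'))
    return Kripke(['idle', 'req', 'granted', 'released'], transitions,
                  {'req': ['req'], 'granted': ['req', 'grant']})


LIVENESS = AG(implies(ap('req'), AF(ap('grant'))))   # every request is eventually granted
SAFETY = AG(implies(ap('grant'), ap('req')))          # grants go only to a requester


def check(m: Kripke, f: Formula, initial: str = 'idle') -> bool:
    """Does the structure, started in `initial`, satisfy f?"""
    return initial in sat(m, f)


def violations(m: Kripke, f: Formula) -> List[str]:
    """States where f fails, sorted; useful for locating a counterexample."""
    return sorted(m.states - sat(m, f))


if __name__ == '__main__':
    for loop in (True, False):
        m = request_grant_model(loop)
        print(f"waiting loop={loop}: liveness={check(m, LIVENESS)} safety={check(m, SAFETY)}",
              "AF grant fails at", violations(m, AF(ap('grant'))))
```

With the `req` self-loop present, `AF grant` fails at `req` because the path that stays in `req` forever never reaches a grant, so the liveness property is refuted from `idle`; removing the loop makes it hold. That infinite waiting path is exactly the kind of unfair computation the page says section 4 of the paper handles by restricting the semantics to fair computations; the plain algorithm shown here does not do that.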
doi:10.1145/567067.567080 dblp:conf/popl/ClarkeES83 fatcat:3jsmcmnpbzfb3b6f76da26gauy