http://www.cs.cmu.edu/~emc/papers/Papers%20In%20Refereed%20Journals/Automatic%20verification%20of%20finite-state%20concurrent%20systems%20using%20temporal%20logic%20specifications.pdf
Automatic Verification of Finite-State
Concurrent Systems Using Temporal Logic
Specifications
E. M. CLARKE
Carnegie Mellon University
E. A. EMERSON
University of Texas, Austin
and
A. P. SISTLA
GTE Laboratories, Inc.
We give an efficient procedure for verifying that a finite-state concurrent system meets a specification
expressed in a (propositional, branching-time) temporal logic. Our algorithm has complexity linear
in both the size of the specification and the size of the global state graph for the concurrent system.
We also show how this approach can be adapted to handle fairness. We argue that our technique can
provide a practical alternative to manual proof construction or use of a mechanical theorem prover
for verifying many finite-state concurrent systems. Experimental results show that state machines
with several hundred states can be checked in a matter of seconds.
Categories and Subject Descriptors: D.1.3 [Programming Techniques]: Concurrent Programming;
D.2.4 [Software Engineering]: Program Verification; F.3.1 [Logics and Meanings of Programs]:
Specifying and Verifying, and Reasoning about Programs; F.4.1 [Mathematical Logic and Formal
Languages]: Mathematical Logic
General Terms: Verification
Additional Key Words and Phrases: Computation tree logic, finite-state concurrent systems, model
checking, temporal logic
1. INTRODUCTION
In the traditional approach to concurrent program verification, the proof that a
program meets its specification is constructed by hand using various axioms and
inference rules in a deductive system such as temporal logic [9, 13, 151. The task
of proof construction is in general quite tedious, and a good deal of ingenuity
The first and third authors were supported in part by NSF grant MCS-815553. The second author
was supported in part by a University of Texas Summer Research Award, a departmental grant from
IBM, and NSF grant MCS-8302878.
Authors’ addresses: E. M. Clarke, Department of Computer Science, Carnegie-Mellon University,
Schenley Park, Pittsburgh, PA 15213; E. A. Emerson, Computer Science Department, University of
Texas, Austin, TX 78712; and A. P. Sistla, GTE Research Laboratories, 40 Sylvan Road, Waltham,
MA 02254.
Permission to copy without fee all or part of this material is granted provided that the copies are not
made or distributed for direct commercial advantage, the ACM copyright notice and the title of the
publication and its date appear, and notice is given that copying is by permission of the Association
for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific
permission.
0 1986 ACM 0164-0925/86/0400-0244 $00.75
ACM Transactions on Programming Languages and Systems, Vol. 8, No. 2, April 1986, Pages 244-263.
Automatic Verification of Finite-State Concurrent Systems
245
may be required to organize the proof in a manageable fashion. Mechanical
theorem provers have failed to be of much help due to the inherent complexity
of testing validity for even the simplest logics.
We argue that proof construction is unnecessary in the case of finite-state
concurrent systems, and can be replaced by a model-theoretic approach which
will mechanically determine if the system meets a specification expressed in
propositional temporal logic. The global state graph of the concurrent system
can be viewed as a finite Kripke structure, and an efficient algorithm can be
given to determine whether a structure is a model of a particular formula (i.e., to
determine if the program meets its specification). The algorithm, which we call
a model checker, is similar to the global flow analysis algorithms used in compiler
optimization, and has complexity linear in both the size of the structure and the
size of the specification. When the number of global states is not excessive (i.e.,
not more than a few thousand), we believe that our technique may provide a
useful new approach to the verification of finite-state concurrent systems.
Our approach is of wide applicability, since a large class of concurrent program-
ming problems have finite-state solutions, and the interesting properties of many
such problems can be specified in propositional temporal logic. For example,
many network communication protocols (e.g., the Alternating Bit Protocol [2])
can be modeled at some level of abstraction by a finite state system. A typical
requirement for such systems is that every transmitted message must ultimately
be received; this can easily be expressed in the logic we use.
Our specification language is a propositional, branching-time temporal logic
called computation tree logic (CTL) and is similar to the logical systems described
in [ 11, [3], and [4]. Since our goal is to specify concurrent systems, we must be
able to assert that a correctness property only holds on fair execution sequences.
It follows from the results of [4] and [5] that CTL cannot express such a property.
The alternative of using a linear time logic is ruled out because any model checker
for such a logic must have high complexity [ 181. We overcome this problem by
moving fairness requirements into the semantics of CTL. Specifically, we change
the definition of our basic modalities so that only fair paths are considered. Our
previous model checking algorithm is modified to handle this extended logic
without changing its complexity.
Our paper is organized as follows: Section 2 contains the syntax and semantics
of our logic. In Section 3 we describe the basic model checking algorithm and
illustrate its use to establish absence of starvation for a solution to the mutual
exclusion problem. An extension of the model checking algorithm which only
considers fair computations is given in Section 4. Section 5 describes an experi-
mental implementation of the extended model checking algorithm and shows
how it can be used to verify the correctness of the Alternating Bit Protocol. In
Section 6 we consider extensions of our logic that are more expressive and
investigate the complexity of model checkers for these logics. The paper concludes
with a discussion of related work and remaining open problems.
2. THE SPECIFICATION LANGUAGE
The formal syntax for CTL is given below. AP is the underlying set of atomic
propositions.
ACM Transactions on Programming Languages and Systems, Vol. 8, No. 2, April 1986.
246
l
E. M. Clarke et al.
(1) Every atomic proposition
p
E AP is a CTL formula.
(2) Iffr and
f2
are CTL formulas, then so are
lfi,
fi A f2, AXf2, EXfi, A[f, U fi],
and E[fi U
f2.1.
The symbols A and 1 have their usual meanings. X is the nexttime operator;
the formula
AXfi(EXfi)
intuitively means that
fi
holds in every (in some)
immediate successor of the current program state.
U is
the
until
operator; the
formula
A[ fi
U
f2](E[ fi
U
f2])
intuitively means that for every computation path
(for some computation path) there exists an initial prefix of the path such that
f2
holds at the last state of the prefix and
fi
holds at all other states along the
prefix.
We define the semantics of CTL formulas with respect to a labeled state-
transition graph. Formally, a CTL structure is a triple M = (S,
R, P)
where
(1) S is a finite set of states.
(2)
R
is a binary relation on
S(R
G S
x
S) which gives the possible transitions
between states and must be total; that is, Vxl E S 3y E S[(x, y) E
R].
(3) P:S + 2AP
assigns to each state the set of atomic propositions true in that
state.
A
path
is an infinite sequence of states (so, ~1, sp, . . .) such that
Vi[(s, si+l) E
R].
For any structure
M
= (S,
R,
P) and state so E S, there is an
infinite
computation tree
with root labeled so such that s +
t
is an arc in the tree iff
(s,
t)
E
R.
Figure
1
shows a CTL structure and the associated computation tree
rooted at so.
We use the standard notation to indicate truth in a structure:
M,
so I=
f
means
that formula
f
holds at state so in structure
M.
When the structure
M
is
understood, we simply write so I=
f.
The relation I= is defined inductively as
follows:
so b=P
iff
p E P(s0).
so I= If
iff not(so k
f).
so I= fi A A
iff
so~fiandso~f2.
so I= AXf,
iff for all states
t
such that (so,
t)
E
R, t I= fi.
so i= EXfi
iff for some state
t
such that (so,
t)
E
R, t I= fi.
so I= A[fi
Ufil
iff for all paths (so, sl, . . .),
3i[i 1 0 A si k fz A Vj[O I j < i + sj F fi]].
so I= Nfl
Uf21
iff for some path (so, sl, . . .),
3i[i 2 0 A si I= f2 A Vj[O 5 j < i + si k fi]].
We also use the following abbreviations in writing CTL formulas:
AF( f)
= A[True
U f]
intuitively means that
f
holds in the future along every
path from so; that is,
f is inevitable.
EF( f) =
E[True
U f ] means
that there is
some
path from so that leads to a
state at which
f
holds; that is,
f potentially
holds.
ACM Transactions on Programming Languages and Systems, Vol. 8, No. 2, April 1986.
Automatic Verification of Finite-State Concurrent Systems 247
/“\
Sl s2
1 I
s,~so~s2
i
. . .
. . .
. . .
(a) (b)
Fig.
1.
(a) A structure. (b) The corresponding tree for start state SO.
A
: :
.
: :
..:.
:
:: :
. . . . .
(4
(b)
(cl
Fig. 2. (a) AGp: p is invariant. (b) AFp: p is inevitable. (c) EFp: p potentially holds. 0 = p, 0 = 1~.
EG(
f)
= lAF(lf) means that there is some path from so on which
f
holds at
every state.
AG(
f)
= lEF(lf) means that f holds at every state on every path from so;
that is, f holds globally.
Figure 2 shows how some simple correctness properties would be represented
using these operators.
ACM Transactions on Programming Languages and Systems, Vol. 8, No. 2, April 1986.
248 - E. M. Clarke et al.
Fig. 3. Global state transition graph for the two-process mutual exclusion problem.
The global state transition graphs of many concurrent programs can be modeled
as CTL structures. For example, Figure 3 shows the CTL structure for a simple
solution to the
mutual exclusion problem
for two processes PI and Pz. In this
solution each process is always in one of three regions of code:
Ni the Noncritical region,
Ti the Trying region, or
Ci
the Critical region.
Note that we only record transitions between different regions of code; moves
entirely within the same region are not considered at this level of abstraction.
Also, each transition is due to the execution of a step of exactly one process. It
is easy to see, in this case, that AF(C1) is true in state one and that EF(CI A CJ
is false in state zero.
3. MODEL CHECKER
Assume that we wish to determine whether formula f,, is true in the finite
structure M = (S, R, P). We design our algorithm to operate in stages: the first
stage processes all subformulas of fO of length 1, the second stage processes all
subformulas of length 2, and so on. At the end of the ith stage, each state will be
labeled with the set of all subformulas of length less than or equal to
i
that are
true in the state. We let the expression label(s) denote this set for state s. When
the algorithm terminates at the end of stage n = length(f& we see that for all
states s, M, s C= f iff f E label(s) for all subformulas f of fO.
We use the following primitives for manipulating formulas and accessing the
labels associated with states:
- argl( f) and arg2(f) give the first and second arguments of a two-argument
temporal operator; thus, if
f
is A[
fi
U
f2],
then argl(
f)
=
fi
and arg2(
f) = fi.
- labeled (s,
f)
will return true (false) if state s is (is not) labeled with formula
f.
-
add-label (s,
f)
adds formula
f
to the current label of state s.
ACM Transactions on Programming Languages and Systems, Vol. 8, No. 2, April 1986.
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
1
/
20
100%
![[PDF File]](http://s1.studylibfr.com/store/data/008201380_1-219d7b6e826254d77b69f7abf0acb8f8-300x300.png)
![[Slides]](http://s1.studylibfr.com/store/data/008279121_1-1da960554f0adf18481a69e21cd2ed05-300x300.png)
