A Sound and Complete Deductive System for CTL* Verification

A Sound and Complete Deductive System for CTL* Verification DOV M. GABBAY, King s College, London. E-mail: dov.gabbay@kcl.ac.uk AMIR PNUELI, New York University, Courant Institute. E-mail: amir@cs.nyu.edu Abstract The paper presents a compositional approach to the verification of CTL* properties over reactive systems. Both symbolic model-checking (SMC) and deductive verification are considered. Both methods are based on two decomposition principles. A general state formula is decomposed into basic state formulas which are CTL* formulas with no embedded path quantifiers. To deal with arbitrary basic state formulas, we introduce another reduction principle which replaces each basic path formula, i.e., path formulas whose principal operator is temporal and which contain no embedded temporal operators or path quantifiers, by a newly introduced boolean variable which is added to the system. Thus, both the algorithmic and the deductive methods are based on two statification transformations which successively replace temporal formulas by assertions which contain no path quantifiers or temporal operators. Performing these decompositions repeatedly, we remain with basic assertional formulas, i.e., formulas of the form E f p and A f p for some assertion p. In the model-checking method we present a single symbolic algorithm to verify both universal and existential basic assertional properties. In the deductive method we present a small set of proof rules and show that this set is sound and relatively complete for verifying universal and existential basic assertional properties over reactive systems. Together with two proof rules for the decompositions, we obtain a sound and relatively complete proof system for arbitrary CTL* properties. Interestingly, the deductive approach for CTL* presented here, offers a viable new approach to the deductive verification of arbitrary LTL formulas. The paper corrects a previous preliminary version of a deductive system for CTL*, in which some of the rules were unsound. The correction is based on the introduction of a new type of temporal testers which are guaranteed to be non blocking. That is, when composed with a deadlock-free system, which is a key operation in the verification process, the resulting composed system is guaranteed to remain deadlock free. 1 Introduction The paper presents a compositional approach to the verification of CTL* properties over reactive systems. We present both an algorithmic method based on symbolic model-checking, for the verification of finite-state systems and a deductive method for the verification of possibly infinite-state systems. The logic CTL* is a temporal logic which can express linear-time as well as branching-time temporal properties, and combinations thereof, and contains both LTL and CTL as sub-logics. A complete deductive proof system for linear-time temporal logic (LTL) has been presented in [MP91a] and further elaborated in [MP91b] and [MP95]. This proof system has been successfully implemented in the Stanford Temporal Verifier STeP [BBC + 95]. The deductive proof system presented here can be viewed as an extension of the approach of [MP91a] to the logic CTL*. This research was supported in part by EPSRC grant GR/D 504457. Vol. 16 No. 6, The Author 2008. Published by Oxford University Press. All rights reserved. For Permissions, please email: journals.permissions@oxfordjournals.org doi:10.1093/jigpal/jzn018

500 A Sound and Complete Deductive System for CTL* Verification A deductive proof system for CTL* is valuable for several reasons. In spite of the impressive progress in the various versions of model-checking and other algorithmic verification techniques, they are still restricted to finite-state systems. The only verification method known to be complete for all programs is still the method of deductive verification. There are special benefits to the extension of the deductive methodology from the linear-time framework to the more expressive branching semantics of CTL*: 1. Some important system properties are expressible in CTL* but not in LTL. Typically, these are possibility properties, such as the viability of a system, stating that any reachable state can spawn a fair computation. This is strongly related to the non-zeno ness of real-time and hybrid systems. 2. As shown in [PR88], the problem of synthesis of a reactive module can be solved by checking for validity of a certain CTL* formula, even if the original specification is a pure LTL formula. Deductive verification of CTL* formulas is valuable even in the context of finite-state systems which can be model-checked: 3. A counter-example of even simple CTL formulas such as E p is no longer a simple finite printable trace. A convincing evidence of a counter-example could be an automatically produced proof of its existence. 4. In general, model-checking is useful if it produces a counter-example. However, when it terminates declaring the property to be valid, the user is not always convinced. A deductive proof can provide a convincing argument of such a validity [Nam01, PPZ01]. A general CTL* formula is composed of state sub-formulas that are interpreted over states and path sub-formulas that are interpreted over paths. Both the algorithmic and the deductive methods for CTL* verification are based on the same two decomposition principles. The first decomposition process decomposes a general state formula into basic state formulas which are CTL* formulas with no embedded path quantifiers. A basic state formula has the form Qϕ, where Q is a path quantifier and ϕ is a general path formula (according to the CTL* terminology) or, equivalently, can be described as an LTL formula. Then, the second decomposition process decomposes a general path formula into basic path formulas which are path formulas whose principal operator is temporal and which contain no embedded temporal operators or path quantifiers. Thus, as a first step, we reduce the problem of verifying an arbitrary CTL* formula into a set of verification tasks of the form p i β i in the deductive case (p i β i in the algorithmic case), where p i is an assertion (non-temporal formula) and β i is a basic state formula. This reduction is based on the following observation: Let f (β) be a CTL* formula (assumed to be in positive normal form i.e., negations are only applied to assertions) which contains one or more occurrences of the basic state formula β. Then, a sufficient condition for f (β) tobe valid over the computation tree of system D (D-valid) is the D-validity of the formulas p β and f (p), for some assertion p, where f (p) is obtained from f (β) by replacing all occurrences of β by the assertion p. By repeated application of such replacements (for appropriately designed assertions p), we reduce the verification problem of an arbitrary CTL* formula to a set of verification problems, each requiring the proof of a formula of the form p i β i, where β i are basic state formulas. In the context of finite-state model checking, this decomposition of the verification task based on the path quantifiers was first proposed by Emerson and Lei in [EL87]. It has been

A Sound and Complete Deductive System for CTL* Verification 501 used again in [KPRS06] for the construction of a symbolic model checker (SMC) for CTL* properties over finite state systems. To deal with arbitrary basic state formulas, we introduce the second reduction principle which replaces each basic path formula by a newly introduced boolean variable which is added to the system D. This reduction can be viewed as a simplified version of the tableau construction proposed in [LP85] and later referred to as the construction of a tester [KPR98]. The idea of allocation of an individual Boolean variable to each sub-formula of a path formula has been considered first in [BCM + 92] in the context of symbolic implementation of a tableau construction. The observation that this boolean variable can replace the sub-formula itself in the context of model checking has been later considered in [CGH94]. Thus, both the algorithmic and the deductive methods are based on two statification transformations which successively replace temporal formulas by assertions which contain no path quantifiers or temporal operators. The first transformation replaces a basic state formula β by an assertion p, provided that we can independently establish the D-validity of the entailment p β. The second transformation replaces the basic path formula ϕ by the single boolean variable x ϕ (which is also a trivial assertion) at the price of augmenting the system D by a temporal tester T ϕ. It is interesting to compare the general structure of the CTL* deductive proof system presented here with the LTL proof system presented in [MP91a] and elaborated in [MP91b, MP95, BBC + 95]. In [MP91a], the system lists first useful rules for special form formulas, the most important of which are formulas of the form p q, p q, and p q, where p and q are arbitrary past formulas. To deal with the general case, [MP91a] invokes a general canonic-form theorem, according to which every (quantifier-free) LTL formula is equivalent to a conjunction of formulas of the form p i q i, for some past formulas p i and q i. While this approach is theoretically adequate, it is not a practically acceptable solution to the verification of arbitrary LTL formulas. This is because the best known algorithms for converting an arbitrary LTL formula into canonic form are at least exponential (e.g., [Gab87] which is actually non-elementary). A better approach to the verification of arbitrary LTL formulas is based on the notion of deductive model checking [SUM99], which can also be described as a tableau-based construction. The approach presented here, gives a small set of proof rules that is sound and relatively complete for proving basic assertional formulas, which are formulas of the form Qp where Q is a path quantifier and p is an assertion. To deal with the general case, a general path formula is decomposed to basic path formulas based on successive elimination of temporal operators. This decomposition, which proceeds all the way to basic assertional formulas, can be viewed as an incremental tableau construction which offers a viable new approach to the deductive verification of arbitrary LTL formulas, even though it is presented as part of a deductive proof system for CTL*, which is a more complex logic than LTL. A preliminary version of the deductive system presented here has been proposed in [KP05]. Unfortunately, some of the rules presented in [KP05] are unsound. This paper corrects the faults in the system of [KP05]. The reason for the unsoundness of the rules in [KP05] is that the temporal testers used there may sometimes be blocking. This means that, when such a tester is composed with a deadlock-free system, there is no guarantee that the composed system remains deadlock free. The main technical contribution of this paper is a new version of temporal testers which are guaranteed to be non-blocking. In view of this improvement, we are now able to provide rigorous arguments for the soundness and completeness of our deductive system, which is presented here, but was missing in [KP05].

502 A Sound and Complete Deductive System for CTL* Verification There have been two earlier complete axiomatizations of propositional CTL*. The work reported in [Rey01] provides (the first) complete axiomatization of pure propositional CTL*, thus solving a long standing open problem in branching-time temporal logic. Comparing this impressive result with our work, we should remind the reader of our motivation which is to provide a deductive system to verify first-order CTL* expressible properties of reactive systems, where the computational model includes a full fledged set of weak and strong fairness assumptions. Our goal is to derive a deductive system for CTL* which extends the LTL deductive methodology expounded in [MP95] and provides realistic tools for verifying non-trivial reactive systems, such as those implemented in the STeP system [BBC + 95]. Theoretically, this goal can be implemented even within the pure-logic axiomatization of [Rey01], because CTL* (being more expressive than LTL) can certainly capture the computation tree of a reactive system including all fairness assumptions. This allows us to reduce the verification problem D = ϕ into the pure validity problem = S D ϕ, where S D is the CTL* formula characterizing the computation tree of system D. While this is possible in theory, it is highly impractical and leads to very obscure and unreadable proofs. A similar dichotomy exists in finite-state LTL verification. On one hand, one can use the special LTL model checking technique proposed in [LP85] for verifying D = ϕ whose complexity is exponential in ϕ but only linear in D. On the other hand, one can reduce this to the problem of checking the validity of the implication S D ϕ which is exponential in both ϕ and D. It is obvious that the specialized technique which does not transform the system into a formula is (exponentially) better than the reductionism approach. While the analogy between finite-state model checking and deductive verification is not perfect, this argument serves to indicate the inherent rise in complexity when using pure temporal logic techniques for practical verification. Another related work is that of Sprenger [Spr00]. This approach is much closer to our own, because it preserves the distinction between the system and the formula, and contains a special treatment of the different kinds of fairness. The advantage of our approach is that it proceeds at a coarser level of granularity, and therefore yields a much simpler proof system. Sprenger s method of local model checking proceeds at steps analogous to the basic steps of a tableau construction, including step by step handling of the boolean connectives. Our approach attempts to get rid of one temporal operator at each step, applying the appropriate rule for this operator, with no need to trace cycles and close leaves in the tableau. We believe that our proof system and its application to be significantly more succinct and effective and, therefore, more amenable to the construction of support systems for serious reactive verification. The paper is organized as follows. In Section 2 we present the FDS computation model. In Section 3, we present the logic CTL* with past operators. In Section 4 we present the notion of a tester which is an FDS constructed for a basic path formula (i.e., a simple LTL formula) and identifies the positions in a computation at which the formula holds. Testers are constructs which are central to our method of decomposing a verification of a large CTL* formula into subtasks of verifying smaller sub-formulas. In Section 5 we present a method for model checking an arbitrary CTL* formula, using the decomposition principles and the single FEASIBLE algorithm used to verify basic assertional formulas. Finally, in Section 6 we present a deductive proof system for the verification of general CTL* formulas. The presentation starts by presenting a proof rule for the elimination of state formulas embedded within a general CTL* formula. Next, we present a set of proof rules for some basic state properties which is sound and relatively complete for verifying basic assertional formulas. Finally we

A Sound and Complete Deductive System for CTL* Verification 503 give a proof rule for the elimination of temporal operators from an arbitrary state formula, using a tester for this purpose We prove soundness and relative completeness of the deductive system for verifying arbitrary CTL* formulas over reactive systems. The algorithmic method for CTL* verification has been presented in [KPRS06] and is given here for the completeness of the presentation. A conference version of the deductive method appeared in [KP02]. It should be noted that both the algorithmic and deductive methods for CTL* verification are presented here in terms of a decomposition of an arbitrary CTL* formula all the way to basic assertional formulas. Obviously this is not the most efficient method, and is presented here mainly for the simplicity of the presentation. For better efficiency, the decomposition of a general state formula should stop at CTL formulas, namely refrain from eliminating the outermost temporal operator. In the algorithmic method, this requires augmenting the proof system with a set of algorithms for all CTL operators. This option is discussed in [PK03]. In the deductive method, the proof system has to be augmented to be sound and relatively complete for CTL. 2 The Computational Model In this paper we refer to a first-order formula as an assertion. As a computational model for reactive systems, we take the model of fair discrete system (FDS). An FDS D : V,,ρ,J,C consists of the following components. V ={u 1,...,u n } : A finite set of typed state variables over possibly infinite domains. We define a state s to be a type-consistent interpretation of V, assigning to each variable u V a value s[u] in its domain. We denote by the set of all states. : The initial condition. This is an assertion characterizing all the initial states of the FDS. A state is called initial if it satisfies. ρ :Atransition relation. This is an assertion ρ(v,v ), relating a state s to its D-successor s by referring to both unprimed and primed versions of the state variables. The transition relation ρ(v,v ) identifies state s as a D-successor of state s if s,s =ρ(v,v ), where s,s is the joint interpretation which interprets x V as s[x], and x as s [x]. J ={J 1,...,J k } : A set of assertions expressing the justice (weak fairness) requirements. Intentionally, the justice requirement J J stipulates that every computation contains infinitely many J -positions (positions j 0, such that s j satisfies J ). C ={ p 1,q 1,..., p n,q n } : A set of assertions expressing the compassion (strong fairness) requirements. Intentionally, the compassion requirement p,q C stipulates that every computation containing infinitely many p-positions also contains infinitely many q-positions. Let σ :s 0,s 1,..., be a sequence of states, ϕ be an assertion, and j 0 be a natural number. We say that j is a ϕ-position of σ if s j is a ϕ-state, i.e., s j satisfies the assertion ϕ. Let D be an FDS for which the above components have been identified. A run of D is an infinite sequence of states σ :s 0,s 1,..., satisfying the requirements of Initiality: s 0 is initial, i.e., s 0 =. Consecution: For each j 0, s j+1 is a D-successor of s j.

504 A Sound and Complete Deductive System for CTL* Verification We denote by runs(d) the set of runs of D. A run of D is called a computation if it satisfies the following: Justice: For each J J, σ contains infinitely many J -positions Compassion: For each p,q C, ifσ contains infinitely many p-positions, it must also contain infinitely many q-positions. We denote by Comp(D) the set of all computations of D. A state s is said to be reachable if it occurs in some run of D. State s is feasible if it occurs in some computation of D. An FDS D is called deadlock free if every reachable state has a D-successor. It can be shown that all FDS s corresponding to programs are deadlock-free. An FDS D is feasible if it has at least one computation, i.e., if Comp(D) =. We say that an FDS D is viable if every reachable state is feasible. It is not difficult to see that every viable FDS is deadlock free. From now on, we assume that all given FDS s are deadlock free. 2.1 Parallel Composition of FDS s Fair discrete systems can be composed in parallel. Let D i = V i, i,ρ i,j i,c i, i {1,2}, be two fair discrete systems. Two versions of parallel composition are used. Asynchronous composition is used to assemble an asynchronous system from its components (see [KP00]). We define the asynchronous parallel composition of two FDS s to be D = V,,ρ,J,C = V 1, 1,ρ 1,J 1,C 1 V 2, 2 ρ 2,J 2,C 2, where V = V 1 V 2 = 1 2, ρ = ρ 1 pres(v 2 V 1 ) ρ 2 pres(v 1 V 2 ), J = J 1 J 2, C = C 1 C 2. For a set of variables U, the predicate pres(u ) stands for an abbreviation of the conjunction x U (x =x), implying that all variables in U preserve their values in the current transition. The execution of D =D 1 D 2 is the interleaved execution of D 1 and D 2. Another mode of parallel composition is that of synchronous parallel composition. Synchronous composition is used in some cases, to assemble a system from its components (in particular when considering hardware designs which are naturally synchronous). However, our primary use of synchronous composition is for combining a system with a tester T ϕ for a basic path formula ϕ, as described, for example, in Subsection 5.4. We define the synchronous parallel composition of two FDS s to be where D = V,,ρ,J,C = V 1, 1,ρ 1,J 1,C 1 V 2, 2 ρ 2,J 2,C 2, V = V 1 V 2 = 1 2, ρ = ρ 1 ρ 2, J = J 1 J 2, C = C 1 C 2. We can view the execution of D as the joint execution of D 1 and D 2.

A Sound and Complete Deductive System for CTL* Verification 505 Claim 1 Let σ be an infinite sequence of (V 1 V 2 )-states. The sequence σ is a computation of D 1 D 2 iff σ V1 is a computation of D 1 and σ V2 is a computation of D 2. In general the composition of D 2 with D 1 may restrict the set of computations of D 1. We therefore say that system D 2 is non-interfering with system D 1 if, for every σ 1 a computation of D 1, there exists a computation σ of D 1 D 2 which agrees with σ 1 on the values of the V 1 -variables. That is, σ V1 =σ 1. 2.2 From FDS to JDS An FDS with no compassion requirements is called a just discrete system (JDS). Let D : V,,ρ,J,C be an FDS such that C ={(p 1,q 1 ),...,(p m,q m )} and m >0. We define a JDS D J : V J, J,ρ J,J J, equivalent to D, as follows: V J =V {n_p i : boolean (p i,q i ) C} {x c }. That is, for every compassion requirement (p i,q i ) C, we add to V J a boolean variable n_p i. Variable n_p i is intended to turn true at a point in a computation from which the assertion p i remains false forever. Variable x c, common to all compassion requirements, is intended to turn true at a point m in a computation satisfying (p i n_p i ). J : x c =0 i=1 m n_p i =0. i=1 That is, initially all the newly introduced boolean variables are set to zero. ρ J =ρ ρ n_p ρ c, where m ρ n_p : (n_p i n_p i ) i=1 ) m ρ c : x c (x = c (p i n_p i ) The augmented transition relation allows each of the n_p i variables to change nondeterministically from 0 to 1. Variable x c is set to 1 on the first occurrence of p i n_p i, for some i, 1 i m. Once set, it is never reset. J J =J { x c } {n_p i q i (p i,q i ) C}. The augmented justice set contains the additional justice requirement n_p i q i for each (p i,q i ) C. This requirement demands that either n_p i turns true sometime, implying that p i is continuously false from that time on, or that q i holds infinitely often. The justice requirement x c ensures that a run with one of the variables n_p i set prematurely, will not be accepted as a computation. The transformation of an FDS to a JDS follows the transformation of Streett automata to generalized Büchi Automata (see [Cho74] for finite state automata, [Var91] for infinite state automata). The reactive systems we want to verify can have both weak (justice) and strong (compassion) fairness requirements. In the case of algorithmic verification we use an algorithm that deals with the compassion requirements of the system directly. We show in [KPRS06] that this approach is more efficient. However in the deductive case, although [MP91a] presents an LTL proof rule that deals directly with compassion, and can easily be i=1

506 A Sound and Complete Deductive System for CTL* Verification adapted for CTL*, the application of the rule initiates a tree of additional rules to be included, resulting in a complex proof system. To keep the presentation reasonable, we prefer in the exposition of the deductive approach to transform the FDS representation of the verified system into a JDS, prior to the verification, and present rules which only deal with justice. 3 The Branching Temporal Logic CTL* In the following we define the branching temporal logic CTL* with both future and past operators. We denote the fragment of CTL* without the past operators as the future fragment of CTL* (see [Eme90] for the future fragment). We assume a finite set of variables V over possibly infinite domains, and an underlying assertion language L which contains the predicate calculus augmented with fix-point operators 1. We assume that L contains interpreted symbols for expressing the standard operations and relations over some concrete domains, such as the integers. In practice, our assertional language is a first-order language over the integers. An assertion is a formula in that language. We will rarely use fix-point operators in assertions and their inclusion is merely for the sake of claims of relative completeness. A CTL* formula is constructed out of assertions to which we apply the boolean operators, temporal operators and path quantifiers. The basic temporal operators are Next Previous Weak Previous U Until S Since W Waiting-for (Unless) B Back-to Additional temporal operators may be defined as follows: p = T U p Eventually p p = p W F Always, henceforth p p = T Sp Sometimes in the past p p = pbf Always in the past p The path quantifiers are E, A, E f and A f. We refer to E f and A f as the fair path quantifiers and to E and A as the unrestricted path quantifiers. In the following, we present the syntax and semantics of the logic which is interpreted over the computation graph generated by an FDS. We use the terms path and fair path as synonymous to a run and a computation respectively, over an FDS. Let π :s 0,s 1,... be a run of D. Then, we write π[j] to denote s j, the j th state in π. 3.1 The Logic CTL* There are two types of sub-formulas in CTL*: state formulas that are interpreted over states, and path formulas that are interpreted over paths. The syntax of a CTL* formula is defined inductively as follows. 1 As is well known ([LPS81],) a first-order language is not adequate for (relative) completeness of a temporal proof system for infinite state reactive programs. The use of minimal and maximal fix-points for relative completeness of the liveness rules is discussed in [MP91a], based on [SdRG89].

A Sound and Complete Deductive System for CTL* Verification 507 State formulas: Every assertion in L is a state formula. If p is a path formula, then Ep, Ap, E f p and A f p are state formulas. If p and q are state formulas then so are p q and p q. Path formulas: Every state formula is a path formula. If p and q are path formulas then so are p q, p q, p, p U q, p W q, p, p, p Sq, and pbq. The formulas of CTL* are all the state formulas generated by the above rules. A formula of the form Qψ, where Q {E,A,E f,a f } is a path quantifier and ψ is a path formula containing no other path quantifier, is called a basic state formula. A basic state formula of the form Aψ or A f ψ (Eψ or E f ψ) is called a basic universal (existential) state formula. A basic state formula Qp where p is an assertion is called a basic assertional formula. We define a basic path formula to be a path formula ϕ whose principal operator is temporal, and such that ϕ contains no other temporal operators or path quantifiers. We refer to the set of variables that occur in a formula p as the vocabulary of p. Apure path formula is a path formula which contains no occurrence of a path quantifier. Note that our inductive definitions did not include the Boolean operation of negation ( ). This implies that negations are allowed only as part of assertions. This causes all of our CTL* formulas to be in positive normal form. This is not a significant restriction, because any other presentation of the logic can be transformed in a straightforward (and linear complexity) manner into a positive normal form presentation. 3.2 Semantics of CTL* The semantics of a CTL* formula p is defined with respect to an FDS D over the vocabulary of p. The semantics is defined inductively as follows. State formulas are interpreted over states in D. We define the notion of a CTL* formula p holding at a state s in D, denoted (D,s) = p, as follows: For an assertion p, (D,s) = p s = p For state formulas p and q, (D,s) = p q (D,s) = p or (D,s) = q (D,s) = p q (D,s) = p and (D,s) = q For a path formula p, (D,s) = Ep (D,π,j) = p for some path π runs(d) and position j 0 satisfying π[j]=s. (D,s) = Ap (D,π,j) = p for all paths π runs(d) and positions j 0 satisfying π[j]=s. The semantics of E f p and A f p are defined similarly to Ep and Ap respectively, replacing path (run) by fair path (fair runs or computations). Path formulas are interpreted over runs of D. We denote the notion of a CTL* formula p holding at position j of a run π runs(d), by (D,π,j) = p. When j =0, we use the shorthand notation (D,π) = p. The semantics of path formulas is presented in Fig. 1.

508 A Sound and Complete Deductive System for CTL* Verification Figure 1: Semantics of path formulas Let p be a CTL* formula. We say that p holds on D (p is D-valid), denoted D = p, if(d,s) = p, for every initial state s in D. A CTL* formula p is called satisfiable if it holds on some model. A CTL* formula is called valid if it holds on all models. We refer to a state which satisfies p as a p-state. Let p and q be CTL* formulas. We introduce the abbreviation p q for A (p q). where p q is the logical implication equivalent to p q. Thus, the formula p q holds at D if the implication p q holds at all reachable states. Let V be a set of variables and ψ be a CTL* formula over V. We denote by ψ the formula ψ in which every variable v V is replaced by the primed variable v. The restricted subset of CTL* in which each temporal operator is immediately preceded by a path quantifier is called Computation Tree Logic (CTL). A state formula whose principal operators are a pair QT (where Q is a path quantifier and T is a temporal operator) and which does not contain any additional temporal operators or path quantifiers is called a basic CTL formula. We refer to path formulas which do not contain any path quantifiers as LTL formulas. 3.3 The Verification Problem Having presented our model for systems and the specification language of CTL*, we can formulate the problem this paper intends to solve. Given a viable FDS D and a CTL* formula ϕ, our goal is to verify that ϕ is D-valid, i.e., all computations of D satisfy ϕ. With no loss of generality, we assume that formula ϕ is given in positive normal form, i.e. contains negations only as part of assertions. It is straightforward to transform an arbitrary CTL* formula ψ into a positive form CTL* formula which is equivalent to ψ over every viable FDS. 4 Temporal Testers In this section we present a construction of temporal testers [KPR98] which are central to our verification process.

A Sound and Complete Deductive System for CTL* Verification 509 Let ϕ be a pure path formula over vocabulary U, and let x U be a boolean variable disjoint from U. Let σ :s 0,s 1,... be an infinite sequence of states which interpret all the variables in U {x}. We say that x matches ϕ in σ if, for every position j 0, the value of x at position j is true iff (σ,j) = ϕ. An FDS T with system variables V T U {x} is defined to be a temporal tester for ϕ, ifit satisfies the following requirements: T1. The variable x matches ϕ in any computation of T. T2. For any σ an infinite sequence of U -states, there exists a computation of T which agrees with σ on the interpretation of the variables in U. That is, any infinite U -sequence can be extended into a computation of T by adding an appropriate interpretation to the variables in V T U. We can view T as a (possibly non-deterministic) transducer which incrementally reads the values of the variables U and outputs in x the current value of ϕ over the infinite sequence. In this section we will present a recipe for constructing, for each pure path formula ϕ, a temporal tester T[ϕ] (sometimes denoted T ϕ ). Temporal testers present a modular and symbolic version of the construction of a temporal tableau [LP85]. The testers we present here are an improvement on the testers introduced in [KP05]. While the testers of [KP05] may produce a system which is not deadlock free when composed with a system under observation D, the testers introduced here are guaranteed to be non-blocking. That is, for every observed deadlock-free system D and tester T ϕ, the composition D T ϕ is guaranteed to be deadlock free. 4.1 Testers for Basic Path Formulas We first present a construction of testers for the basic path formulas. These will serve as the building blocks for the construction of a tester for a general path formula. We define a tester for each of the temporal operators, U, W,,, S, and B. We refer to these tester as basic testers. The set of variables of a tester T[ϕ] for a basic path formula consists of the vocabulary of ϕ (denoted Vars(ϕ)) augmented by the variables x ϕ and Er. 2 For a future path formula ϕ, the variable x ϕ has to determine at each position j 0 whether the formula ϕ holds at this position. We can view this determination as a non-deterministic prediction, whose validity can be confirmed only at positions later than j. Consequently, the variable Er is set to 1 as soon as it is established that one of the earlier prediction was wrong. Once Er is set to 1, it remains 1 for all subsequent positions. Each tester has as one of its justice requirements the requirement Er, demanding that Er = 0 infinitely many times. Due to the one-way behavior of Er this can only happen if Er =0 continuously throughout the computation. A Tester for p The tester T[ p] for the basic path formula p is defined as follows: V : Vars(p) {x,er} : Er T[ p]: ρ : Er (x =p ) Er J : Er C : 2 In the sequel, when the context is clear we write x instead of x p and x U instead of x U(p,q).

510 A Sound and Complete Deductive System for CTL* Verification Consider the tester T[ p]. The core of the tests imposed by the tester is the transition relation x =p. Requiring that the value of x at position j 0 equals the value of assertion p at position j +1. Suppose we are currently at a state in which x =1 and the next observed value of p happens to be 0. A blocking tester will have no successor state compatible with p =0. In our non-blocking version, there always exists the escape option of moving to a next state in which Er =1. Once Er becomes 1, it must stay 1 for the rest of the computation. The tester contains the justice requirement Er which demands that in an acceptable computation of the tester, Er =0 infinitely many times. Due to the transition relation, this is possible only if Er = 0 continuously. Thus, while blocking testers reject an observed sequence by blocking the next transition, the non-blocking variant rejects a sequence σ by setting Er to 1 and then relying on the violation of the justice requirement Er for the rejection of σ. Claim 2 The FDS T[ p] is a temporal tester for the basic path formula p. Proof: To show that T[ p] satisfies requirement T1, let σ :s 0,s 1,... be a computation of T[ p]. From the transition relation and the justice requirement Er, it follows that Er =0 at all states in σ. Consequently, the transition relation implies that, for every j 0, s j [x ]=1 iff s j+1 = p, i.e., s j [x ]=1 iff (σ,j) = p. To prove T2, let σ :s 0,s 1,... be an infinite sequence of states over U =Vars(p). We extend σ by letting s j [Er]=0 and setting s j [x ]=1 iff s j+1 = p, for every j 0. It is not difficult to show that the extended sequence is a computation of T[ p]. A Tester for pu q The tester T[p U q] for the basic path formula p U q is given by: V : Vars(p,q) {x U,Er} : Er T[p U q]: ρ : Er (x U =(q p x )) Er U J : { x U q, Er} C : Claim 3 The FDS T[p U q] is a temporal tester for the basic path formula p U q. Proof: To show that T[p U q] satisfies requirement T1, let σ :s 0,s 1,... be a computation of T[p U q]. From the transition relation and the justice requirement Er, it follows that Er =0 at all states in σ. Consequently, the transition relation can be simplified to x U =(q p x ). U Let j 0 be any position in σ. Consider first the case that s j [x U ]=1 and we will show that (σ,j) = p U q. According to the transition relation, s j [x U ]=1 implies that either s j = q or s j = p and s j+1 = x U.Ifs j = q then (σ,j) = p U q and we are done. Otherwise, we apply the same argument to position j +1. Continuing in this manner, we either locate a k j such that s k = q and s i = p for all i, j i <k, orwehaves i = ( q p x U ) for all i j. Ifwe locate a stopping k then, obviously (σ,j) = p U q according to the semantic definition of the U operator. The other case in which both q and x U hold over all positions beyond j is impossible since it violates the justice requirement ( x U q) demanding that σ contains infinitely many positions at which either q is true or x U is false. Next, consider the case that σ is a computation of T(p U q) and (σ,j) = p U q, and we have to show that s j [x U ]=1. According to the semantic definition, there exists a k j such that s k = q and s i = p for all i, j i <k. Proceeding from k backwards all the way to j, wecan

A Sound and Complete Deductive System for CTL* Verification 511 show (by induction if necessary) that the simplified transition relation implies that s t = x U for all t =k,k 1,...,j. To establish requirement T2, let σ be an infinite sequence of states over U =Vars(p,q). We extend σ into σ : s 0, s 1,..., by letting s j [Er]=0 and setting s j [x ]=1 iff (σ,j) = p U q, for every j 0. We will show that σ is a computation of T(p U q). From the semantic definition of U it follows that (σ,j) = p U q iff either s j = q or s j = p and (σ,j +1) = p U q. Thus, if x U =(p U q) and Er =0 at all positions of σ, the transition relation Er (x U =(q p x )) Er holds U at all positions. To show that x U satisfies the justice requirement q x U it is enough to consider the case that σ contains only finitely many q-positions. In that case, there must exist a cutoff position c 0 such that no position beyond c satisfies q. In this case, p U q must be false at all positions beyond c. Consequently, x U is false at all positions beyond c and is therefore false at infinitely many positions. Finally, the justice requirement Er is trivially satisfied since Er = 0 at all positions. A Tester for pwq The tester T[p W q] for the basic path formula p W q is given by: V : Vars(p,q) {x W,Er} : Er T[p W q]: ρ : Er (x W =(q p x )) Er W J : {x W p, Er} C : Claim 4 The FDS T[p W q] is a temporal tester for the basic path formula p W q. Proof: To show that T[p W q] satisfies requirement T1, let σ :s 0,s 1,... be a computation of T[p W q]. From the transition relation and the justice requirement Er, it follows that Er =0 at all states in σ. Consequently, the transition relation can be simplified to x W =(q p x ). W Let j 0 be any position in σ. Consider first the case that s j [x W ]=1 and we will show that (σ,j) = p W q. According to the transition relation, s j [x W ]=1 implies that either s j = q or s j = p and s j+1 [x W ]=1. If s j = q then (σ,j) = p W q and we are done. Otherwise, we apply the same argument to position j +1. Continuing in this manner, we either locate a k j such that s k = q and s i = p for all i, j i <k, orwehaves i = (p x W ) for all i j. In both cases (σ,j) = p W q according to the semantic definition of the W operator. Next, consider the case that σ is a computation of T(p W q) and (σ,j) = p W q, and we have to show that s j [x W ]=1. According to the semantic definition, there either exists a k j such that s k = q and s i = p for all i, j i <k, ors i = p for all i j. In the first case, we can proceed from k backwards all the way down to j and show (by induction if necessary) that the simplified transition relation implies that s t = x W for all t =k,k 1,...,j. In the second case (i.e. s i = p for all i j), we use the justice requirement x W p to conclude that x W =1at infinitely many positions, in particular some position k j. Going backwards from k down to j, we again infer that s j [x W ]=1. To establish requirement T2, let σ be an infinite sequence of states over U =Vars(p,q). We extend σ into σ : s 0, s 1,..., by letting s j [Er]=0 and setting s j [x ]=1 iff (σ,j) = p W q, for every j 0. We will show that σ is a computation of T(p W q). From the semantic definition of W it follows that (σ,j) = p W q iff either s j = q or s j = p and (σ,j +1) = p W q. Thus, if x W =(p W q) and Er =0 at all positions of σ, the transition relation Er (x W =(q p x )) Er holds W at all positions. To show that x W satisfies the justice requirement x W p it is enough to

512 A Sound and Complete Deductive System for CTL* Verification consider the case that σ contains only finitely many p-positions. In that case, there must exist a cutoff position c 0 such that p holds at all positions beyond c. In this case, p W q must hold at all positions beyond c. Consequently, x W is true at all positions beyond c and is therefore true at infinitely many positions. Finally, the justice requirement Er is trivially satisfied since Er =0 at all positions. 4.2 Testers for Basic Past Path Formulas We now consider testers for basic path formulas whose main temporal operator is one of the past operators:,, S, and B. Unlike the future testers, these testers compute their output in the variable x ϕ based on the part of the sequence that has already been observed. Therefore, the computation is fully deterministic, and the misprediction variable Er is no longer required. Therefore, these testers do not reference the Er variable. A Tester for p The tester T[ p] for the basic path formula p is given by: V : Vars(p) {x } : x =0 T[ p]: ρ : x =p J : C : Claim 5 The FDS T[ p] is a temporal tester for the basic path formula p. Proof: To show that T[ p] satisfies requirement T1, let σ :s 0,s 1,... be a computation of T[ p]. According to the semantic definition of p this formula is always false at position 0. The initial condition x =0 guarantees that this is also the value of x at position 0. For every j >0, the transition relation guarantees that the value of x at position j matches the value of assertion p at position j 1. To establish requirement T2, let σ be an infinite sequence of states over U = Vars(p). We extend σ into σ : s 0, s 1,..., by letting s 0 [x ]=0 and, for every j >0 setting s 0 [x ]=1 iff s j 1 = p. It is not difficult to show that σ is a computation of T[ p]. A Tester for p The tester T[ p] for the basic path formula p is given by: V : Vars(p) {x } : x T[ p]: ρ : x =p J : C : Claim 6 The FDS T[ p] is a temporal tester for the basic path formula p. Proof: The proof is similar to that of Claim 5 except that the initial condition sets x 1 at the initial position. to

A Tester for psq A Sound and Complete Deductive System for CTL* Verification 513 The tester T[p Sq] for the basic path formula p Sq is given by: V : Vars(p) x S : x S =q T[p Sq]: ρ : x =q (p x S S ) J : C = : Claim 7 The FDS T[p Sq] is a temporal tester for the basic path formula p Sq. Proof: To show that T[p Sq] satisfies requirement T1, let σ :s 0,s 1,... be a computation of T[p Sq]. Let j 0 be any position in σ. Consider first the case that s j [x S ]=1 and we will show that (σ,j) = p Sq. According to the transition relation, s j [x S ]=1 implies that either s j = q or s j = p and s j 1 = x S.Ifs j = q then (σ,j) = p Sq and we are done. Otherwise, j >0 because if j =0, then the initial condition implies that s 0 [x S ]=1 iff s 0 = q. Therefore, if s j = q we may apply the same argument to position j 1. Continuing in this manner, we must eventually locate a k j such that s k = q and s i = p for all i, k <i j. It follows that (σ,j) = p Sq according to the semantic definition of the S operator. Next, consider the case that σ is a computation of T(p Sq) and (σ,j) = p Sq, and we have to show that s j [x S ]=1. According to the semantic definition, there exists a k j such that s k = q and s i = p for all i, k <i j. Proceeding from k all the way up to j, we can show (by induction if necessary) that the transition relation implies that s t = x S for all t =k,k +1,...,j. To establish requirement T2, let σ be an infinite sequence of states over U = Vars(p,q). We extend σ into σ : s 0, s 1,..., by setting s j [x S ]=1 iff (σ,j) = p Sq, for every j 0. It is not difficult to show that σ is a computation of T[p Sq]. A Tester for pbq The tester T[pBq] for the basic path formula pbq is given by: V : Vars(p) x B : x B =p q T[pBq]: ρ : x =q (p x B B ) J : C : Claim 8 The FDS T[pBq] is a temporal tester for the basic path formula pbq. Proof: To show that T[pBq] satisfies requirement T1, let σ :s 0,s 1,... be a computation of T[pBq]. Let j 0 be any position in σ. Consider first the case that s j [x B ]=1 and we will show that (σ,j) = pbq. According to the transition relation, s j [x B ]=1 implies that either s j = q or s j = p and s j 1 = x B.Ifs j = q or j =0 and s 0 = p then (σ,j) = pbq and we are done. Otherwise, j >0 because if j =0, then the initial condition implies that s 0 [x B ]=1 iff s 0 = p q. Therefore, if j >0 we may apply the same argument to position j 1. Continuing in this manner, we must eventually locate a k j such that either s k = q or k =0 and s k = (p q) and, in both cases, s i = p for all i, k <i j. It follows that (σ,j) = pbq according to the semantic definition of the B operator. Next, consider the case that σ is a computation of T(pBq) and (σ,j) = pbq, and we have to show that s j [x B ]=1. According to the semantic definition, there exists a k j such that either

514 A Sound and Complete Deductive System for CTL* Verification s k = q or k =0 and s k = (p q) where, in both cases, s i = p for all i, k <i j. Proceeding from k all the way up to j, we can show (by induction if necessary) that the transition relation implies that s t = x B for all t =k,k +1,...,j. To establish requirement T2, let σ be an infinite sequence of states over U = Vars(p,q). We extend σ into σ : s 0, s 1,..., by setting s j [x B ]=1 iff (σ,j) = pbq, for every j 0. It is not difficult to show that σ is a computation of T[pBq]. 4.3 Testers for General Pure Path Formulas Next, we present an incremental construction of a tester for a general pure path formula. First, we restrict our attention to pure path formulas whose principal operator is temporal (rather than boolean). For a pure path formula ψ, we denote by T[ψ] the temporal tester for ψ. Let f (ϕ) be a principally temporal path formula containing one or more occurrences of the basic path formula ϕ. We denote by f (x) the formula obtained from f by replacing all occurrences of ϕ by the boolean variable x. Then the construction principle is presented by the following recursive reduction formula: T[f ] = T[f (x ϕ )] T[ϕ] (1) That is, we conjoin the tester for ϕ to the recursively constructed tester for the simpler formula f (x ϕ ). We illustrate this construction on the pure path formula p for the case that p is a simple proposition (boolean variable). Application of the reduction principle leads to T[ p] = T[ x ] T[ p] Computing T[ p] and T[ x ] separately and forming their synchronous parallel composition yields the following tester whose output variable is x. V : {p,x,x,er} : Er T[ p]: ρ : ( Er (x =(p x )) Er ) ( Er (x =(x x )) Er ) J : { x p, x x, Er} C : Note that it is not necessary to allocate a separate Er variable to each of the component testers. Component testers may share a single Er variable. In fact, the transition relation of the tester T[ p] can be simplified to ρ : Er (x =(p x )) (x =(x x )) Er In general, for a principally temporal formula ψ, T[ψ]=T 1 T k, where T 1,...,T k are the temporal testers constructed for the principally temporal sub-formulas of ψ. T[ψ] contains k+1 auxiliary boolean variables, and the output variable of T[ψ] is the output variable of T 1 the last constructed tester. According to the recipe, we carry the recursive reduction described by Equation (1) until we obtain the tester T 1 which is a tester for a basic path formula. We can carry it one step

A Sound and Complete Deductive System for CTL* Verification 515 further and obtain an assertion which contains no further temporal operators. We refer to this assertion as the redux of the original pure path formula ψ, denoted by redux(ψ). For the case that ψ is principally temporal, redux(ψ) is the single output variable x ψ. If we apply the recursive construction Equation (1) to a pure path formula which is not principally temporal, we may obtain a more complex assertion as the resulting redux. Consider, for example, the pure path formula ψ : p q. The corresponding tester is given by: T[ψ] = T[ p] T[ q] while redux(ψ)=x x, where x and x are the output variables of T[ p] and T[ q], respectively. 4.4 Properties of Testers Since the main use of testers is their composition with the systems that they observe, it is important to establish for them the properties of non-interference and non-blocking. The problem is not completely trivial due to the fact that we intend to share a single Er variable among all the constituent testers which are incrementally conjoined to the system under observation. A deadlock-free FDS D is defined to be Er-flexible if either Er V D or 1. The variable Er is continuously false in any computation of D. 2. Every reachable state in D has a successor s such that s [Er]=1. An Er-flexible FDS D is called Er-permissive if for every two states s,s which interpret V D {Er}, such that s [Er]=1, state s is a D-successor of s. The following properties can be established: P1. Every tester T ϕ is Er-permissive. P2. If system D is Er-flexible and T ϕ is a tester, then T ϕ does not interfere with D, and D T ϕ is a (deadlock-free) Er-flexible system. Property P1 can be proven by induction on the structure of T ϕ. Property P2 establishes that temporal testers are non-interfering and non-blocking with respect to the systems they observe. 5 Symbolic Model Checking CTL* Properties In this section we present algorithms for symbolic model checking of a CTL* formula over a finite-state FDS. The variables of both the FDS and the CTL* formula are restricted to finite domains. Let D : V,,ρ,J,C be an FDS and p=p(v ) be an assertion over V. We define the pre-image of p in D to be the assertion ρ p = V :ρ(v,v ) p(v ) Every state in D satisfying ρ p has a successor satisfying p. Thus, ρ p characterizes all the predecessors of p-states.