Deciding Global Partial-order Properties

Sections: 2 A Global Partial-order Logic; 3 Decision Procedure for ISTL; 4 Extensions (Next-time Operator; Model Checking)

A system of concurrently executing processes generates a set of causal structures. The system satisfies a requirement given as a formula of ISTL if every causal structure generated by satisfies. The model checking problem, then, is to check whether or not satisfies. The decision procedure outlined in the previous section can be employed to obtain an automata-theoretic solution to the model checking problem of ISTL. From , we first construct an automaton that accepts the linearizations of the causal structures of (see, for instance, [2] for more details). Then we construct the automaton that accepts the linearizations of the causal structures satisfying. The system satisfies the specification iff the intersection of the languages of the two automata and is empty. The complexity of the model checking algorithm is linear in the size of the program automaton and doubly exponential in the size of the specification. Model checking using representatives, as outlined in [5, 12, 21], can now be used as a heuristic improvement. We know that the language of the automaton is closed, that is, it does not distinguish among the linearizations of the same causal structure. Hence the automaton need not generate all linearizations; it suffices to generate at least one linearization of every causal structure. The known on-the-fly depth-first-search algorithms that avoid generating unnecessary interleavings can be combined with the construction of the automaton for model checking.

The fragment ISTL contains the modalities and.
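As an added illustration of the representatives heuristic (this is example code, not code from the paper): a constructed two-process system whose interleavings are grouped into causal structures by the relative order of dependent events. A closed property (one that does not distinguish linearizations of the same structure) yields the same verdict whether all linearizations or one representative per structure are checked, whereas a non-closed property does not. The process, event and variable names are assumptions.

```python
# Constructed system (assumption): two processes, each a local step then a write to shared x.
PROCS = {"P1": ["a", "w1"], "P2": ["b", "w2"]}
# Resources touched by each event: its own process plus any shared variable.
RES = {"a": {"P1"}, "w1": {"P1", "x"}, "b": {"P2"}, "w2": {"P2", "x"}}

def dependent(e, f):
    """Two events are dependent iff they share a process or a variable."""
    return bool(RES[e] & RES[f])

def linearizations(procs=PROCS):
    """Every interleaving that keeps each process's local order."""
    def rec(pos):
        if all(pos[p] == len(procs[p]) for p in procs):
            yield ()
            return
        for p in procs:
            if pos[p] < len(procs[p]):
                for rest in rec(dict(pos, **{p: pos[p] + 1})):
                    yield (procs[p][pos[p]],) + rest
    return list(rec({p: 0 for p in procs}))

def causal_structure(run):
    """The partial order a run linearizes: the relative order of every
    dependent pair. Runs with equal sets linearize the same structure."""
    idx = {e: i for i, e in enumerate(run)}
    return frozenset((e, f) for e in run for f in run
                     if idx[e] < idx[f] and dependent(e, f))

def classes(runs):
    """Group linearizations by the causal structure they linearize."""
    out = {}
    for r in runs:
        out.setdefault(causal_structure(r), []).append(r)
    return out

def is_closed(prop, runs):
    """A property is closed iff it never splits a causal structure."""
    return all(len({prop(r) for r in c}) == 1 for c in classes(runs).values())

def holds(prop, runs, representatives_only=False):
    """The system satisfies prop iff every chosen run satisfies it; with
    representatives_only, only one linearization per structure is checked."""
    chosen = [c[0] for c in classes(runs).values()] if representatives_only else runs
    return all(prop(r) for r in chosen)

def final_x_from_p2(run):  # order of two dependent writes: closed property
    return run.index("w1") < run.index("w2")

def a_before_b(run):       # order of two independent events: not closed
    return run.index("a") < run.index("b")
```

Checking `a_before_b` on representatives alone wrongly reports that it holds, which is why the heuristic is sound only for a closed language such as that of the ISTL automaton.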
The construction of the previous section for ISTL relies on two facts: (1) it suffices to consider only boolean combinations of normal form formulas, and (2) the set of configurations satisfying a normal form formula can be characterized by a maximal configuration. Both properties continue to hold after the introduction of the next-time operator, once the definition of the normal form is modified appropriately.

Undecidability of ISTL

We show here that some natural extensions of ISTL are undecidable. In [15] it was shown that ISTL is undecidable (a similar proof for related temporal logics appears in [9]). We sharpen the result of [15] by showing that the until operator alone is sufficient to prove undecidability.

Theorem 3 The logic ISTL is undecidable.

Proof Sketch: It is possible to show that one can encode in ISTL two processes which …

[1] Gerard J. Holzmann et al. The State of SPIN. CAV, 1996.

[2] Rajeev Alur et al. Model-checking of correctness conditions for concurrent objects. Proceedings 11th Annual IEEE Symposium on Logic in Computer Science, 1996.

[3] Wojciech Penczek et al. Model-checking of causality properties. Proceedings of Tenth Annual IEEE Symposium on Logic in Computer Science, 1995.

[4] P. S. Thiagarajan et al. A Logical Study of Distributed Transition Systems. Inf. Comput., 1995.

[5] Kenneth L. McMillan et al. Using Unfoldings to Avoid the State Explosion Problem in the Verification of Asynchronous Circuits. CAV, 1992.

[6] Pierre Wolper et al. A partial approach to model checking. Proceedings Sixth Annual IEEE Symposium on Logic in Computer Science, 1991.

[7] Doron A. Peled et al. Interleaving set temporal logic. PODC '87, 1987.

[8] Amir Pnueli et al. Checking that finite state concurrent programs satisfy their linear specification. POPL, 1985.

[9] Edmund M. Clarke et al. Design and Synthesis of Synchronization Skeletons Using Branching-Time Temporal Logic. Logic of Programs, 1981.