VaqUoT: A Tool for Vacuity Detection

This paper presents VaqUoT – a University of Toronto tool for vacuity detection, built on top of NuSMV. In one model-checking pass, VaqUoT establishes the truth value of a CTL formula as well as the largest set of nonoverlapping subformulas in which that formula is vacuous. We describe the tool and evaluate its performance. During model-checking, properties are sometimes satisfied by models for the wrong reasons. Suppose a CTL formula ψ = AG (r ∨ y ∨ g) is checked against a model of a traffic-light controller, where atomic propositions r, y, and g stand for the colors of the light: red, yellow, and green, respectively. The formula is intended to express that in every state the light has one of these colors. This requirement may not be satisfied, even if ψ passes the check: it is possible for the model to be overconstrained so that the light always stays red. In such cases, an answer “true”, given usually by modelcheckers, is insufficient; a user needs to know why the formula is satisfied. Vacuity detection [2] can help, by determining whether some parts of the formula do not matter for the verification, i.e., are vacuous. For instance, y and g should be reported as vacuous in ψ. Although various approaches to vacuity detection have been proposed (e.g., [1, 2, 6]), few implementations have been reported [1, 7], and to our knowledge none are publicly available. Our tool VaqUoT is publicly available as a patch for the open-source model-checker NuSMV. VaqUoT is based on techniques described in [5], where a multivalued lattice is introduced for the detection of all vacuous subformulas. Since this lattice does not immediately lead to an efficient implementation, here we consider a simpler lattice, but a similar approach. Given a model and a CTL formula, VaqUoT checks whether the formula is true in the model, and reports all the vacuous atomic propositions. Following [6], we consider a proposition vacuous if it can be replaced by a constant (True or False) without affecting the value of the formula in the model. We treat different occurrences of the same atomic proposition as different propositions. When the formula is true, VaqUoT reports whether all of its atomic propositions are vacuous (Vacuously True), none of them are vacuous (Non-Vacuously True), or some of the atomic propositions are vacuous (Vacuously True followed by a list of the vacuous propositions). Similar answers are given when the formula is false. Implementation. The basis of VaqUoT is a multi-valued “vacuity” lattice and a translation of CTL formulas into this lattice. Instead of the formulas begin interpreted over the Boolean lattice ({True,False},≤), they are interpreted over the vacuity lattice LV = ({True,False} × 2,v), where 2 is the powerset of the set A of atomic propositions. Lattice LV is determined only by the number of atomic propositions