Vacuity in practice: temporal antecedent failure

Different definitions of vacuity in temporal logic model checking have been suggested along the years. Examining them closely, however, reveals an interesting phenomenon. On the one hand, some of the definitions require highcomplexity vacuity detection algorithms. On the other hand, studies in the literature report that not all vacuities detected in practical applications are considered a problem by the system verifier. This brings vacuity detection into an undesirable situation where the user of the model checking tool may find herself waiting a long time for results that are of no interest for her. In this paper we restrict our attention to practical usage of vacuity detection. We define Temporal Antecedent Failure, an extension of antecedent failure to temporal logic, which refines the notion of vacuity. According to our experience, this type of vacuity always indicates a problem in the model, environment or property. We show how vacuity information can be derived from the automaton built for the original property, and we introduce the notion of vacuity explanation. Our experiments demonstrate that this type of vacuity as well as its reasons can be computed with a negligible increase in the overall runtime. S. Ben-David The Hebrew University, Jerusalem, Israel. E-mail: [email protected] Shoham Ben-David is grateful to the Azrieli Foundation for the award of an Azrieli Fellowship. F. Copty IBM Systems and Technology Group, Mount Carmel, Haifa 31905, Israel. E-mail: [email protected] D. Fisman Weizmann Institute of Science and IBM Research, Mount Carmel, Haifa 31905, Israel. E-mail: [email protected] S. Ruah IBM Research, Mount Carmel, Haifa 31905, Israel. E-mail: [email protected] 2 Shoham Ben-David et al.