The use of Alternating Automata for the Efficient Model Checking of Linear-Time Logics

Traditional LTL model checking forms the product of a Büchi automaton — representing the negation of the specification — and a formal model of the (finite-state) system being verified. The resulting automaton is then checked for emptiness. An accepting run describes an execution of the model that violates the specification. Conversely, emptiness implies correctness. Many techniques have been developed to improve the performance of this approach. Symbolic techniques have employed BDDs to increase greatly the number of manageable states [7] and SAT-based techniques have exploited advances in SAT-solving technology to provide an alternative symbolic approach [1]. Other work on simulation and partial-order reduction has provided methods of reducing the size of both the model and the automaton to expand further the range of solvable problems [5, 8]. Construction of a Büchi automaton from a given LTL formula entails an exponential blow-up. That is, the number of states in the automaton may be exponential in the size of the specification. However, LTL permits a more succinct automaton representation: Linear Weak Alternating Automata [4]. These automata are linear in the size of the specification, with an exponential translation into Büchi automata. A translation of LTL into Büchi automata that uses LWAA as an intermediate representation permits an extra opportunity for minimisation. Reduction of the intermediate LWAA is beneficial for two reasons: firstly, we do not have to construct the large Büchi automaton before performing optimisation; secondly, the removal of states at this early stage will pay off exponentially during the final translation. Recent work by Merz et al provides an emptiness checking algorithm for LWAA [11]. Because runs of the LWAA are analogous to the subset construc-