Alternating Automata and Program Verification

Moshe Y. Vardi
Rice University, Department of Computer Science
P.O. Box 1892, Houston, TX 77251-1892, U.S.A.
Email: vardi@cs.rice.edu
URL: http://www.cs.rice.edu/ vardi

Abstract. We describe an automata-theoretic approach to the automatic verification of finite-state programs. The basic idea underlying this approach is that for any temporal formula we can construct an alternating automaton that accepts precisely the computations that satisfy the formula. For linear temporal logics the automaton runs on infinite words, while for branching temporal logics the automaton runs on infinite trees. The simple combinatorial structures that emerge from the automata-theoretic approach decouple the logical and algorithmic components of finite-state-program verification and yield clear and general verification algorithms.

1 Introduction

Temporal logics, which are modal logics geared towards the description of the temporal ordering of events, have been adopted as a powerful tool for specifying and verifying concurrent programs [Pnu77, MP92]. One of the most significant developments in this area is the discovery of algorithmic methods for verifying temporal logic properties of finite-state programs [CES86, LP85, QS81]. This derives its significance from the fact that many synchronization and communication protocols can be modeled as finite-state programs [Liu89, Rud87]. Finite-state programs can be modeled by transition systems where each state has a bounded description, and hence can be characterized by a fixed number of Boolean atomic propositions. This means that a finite-state program can be viewed as a finite propositional Kripke structure and that its properties can be specified using propositional temporal logic.
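As an added illustration of the abstract's claim (example code, not from the paper): for linear temporal logic in negation normal form, the alternating automaton's states are the subformulas of the specification, its transition function yields a positive Boolean combination of successor states, and the run on a lasso-shaped computation of a finite-state program is resolved with one fixpoint per state. The tuple encoding of formulas, the names delta/check/subformulas, and the request/grant trace are this example's own assumptions.

```python
# Added example (not the paper's code): LTL over a lasso-shaped computation,
# checked via the alternating automaton whose states are the subformulas.
# Formulas in negation normal form: ('ap', p) ('not', p) ('and', f, g)
# ('or', f, g) ('X', f) ('F', f) ('G', f) ('U', f, g).

def delta(q, letter):
    """Transition: a positive Boolean combination (bool / ('and',..) / ('or',..))
    of successor states, given `letter`, the propositions true at this position."""
    k = q[0]
    if k == 'ap':  return q[1] in letter
    if k == 'not': return q[1] not in letter
    if k == 'and': return ('and', delta(q[1], letter), delta(q[2], letter))
    if k == 'or':  return ('or', delta(q[1], letter), delta(q[2], letter))
    if k == 'X':   return q[1]                             # obligation moves one step
    if k == 'F':   return ('or', delta(q[1], letter), q)   # satisfy now, or keep waiting
    if k == 'G':   return ('and', delta(q[1], letter), q)  # hold now, and keep checking
    if k == 'U':   return ('or', delta(q[2], letter), ('and', delta(q[1], letter), q))
    raise ValueError(q)

def subformulas(phi):
    """Distinct subformulas, children before parents."""
    out = []
    def walk(f):
        for c in f[1:]:
            if isinstance(c, tuple): walk(c)
        if f not in out: out.append(f)
    walk(phi)
    return out

def check(phi, word, loop):
    """Is word[:loop] (word[loop:])^omega accepted?  The automaton is weak, so
    states resolve bottom-up: F/U are rejecting (lfp), G is accepting (gfp)."""
    n = len(word)
    succ = lambda i: i + 1 if i + 1 < n else loop
    acc = {}                                    # acc[q, i]: accepting run from q at i?
    def ev(b, i):                               # evaluate delta(q, word[i]) at position i
        if isinstance(b, bool): return b
        if b[0] == 'and': return ev(b[1], i) and ev(b[2], i)
        if b[0] == 'or':  return ev(b[1], i) or ev(b[2], i)
        return acc[b, succ(i)]                  # successor state, already resolved
    for q in subformulas(phi):
        acc.update({(q, i): q[0] == 'G' for i in range(n)})   # gfp from True, lfp from False
        while True:
            new = [ev(delta(q, word[i]), i) for i in range(n)]
            if all(new[i] == acc[q, i] for i in range(n)): break
            acc.update({(q, i): new[i] for i in range(n)})
    return acc[phi, 0]

# Constructed trace of a request/grant protocol: req, {}, grant, req, {}, grant, ...
TRACE, LOOP = [{'req'}, set(), {'grant'}, {'req'}], 1
LIVENESS = ('G', ('or', ('not', 'req'), ('F', ('ap', 'grant'))))  # every request is eventually granted
```

check(LIVENESS, TRACE, LOOP) is True, while the stability property F G grant fails on the same trace because grant is dropped at every loop iteration.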
Thus, to verify the correctness of the program with respect to a desired behavior, one only has to check that the program, modeled as a finite Kripke structure, is a model of (satisfies) the propositional temporal logic formula that specifies that behavior. Hence the name model checking for the verification methods derived from this viewpoint. Surveys can be found in [CG87, Wol89, CGL93].

We distinguish between two types of temporal logics: linear and branching [Lam80]. In linear temporal logics, each moment in time has a unique possible future, while in branching temporal logics, each moment in time may split into several possible futures. For both types of temporal logics, a close and fruitful connection with the theory of automata on infinite structures has been developed. The basic idea is to associate with

Part of this work was done at the IBM Almaden Research Center.