Hindawi Publishing Corporation
Advances in Software Engineering
Volume 2011, Article ID 869182, 13 pages
doi:10.1155/2011/869182
Research Article
Towards Support for Software Model Checking: Improving the Efficiency of Formal Specifications
Salamah Salamah,¹ Ann Q. Gates,² Steve Roach,² and Matthew Engskow¹
¹ Department of Electrical, Computer, Software, and Systems Engineering, Embry-Riddle Aeronautical University (ERAU), Daytona Beach, FL 32114, USA
² Department of Computer Science, University of Texas at El Paso (UTEP), El Paso, TX 79968, USA
Correspondence should be addressed to Salamah Salamah, salamahs@erau.edu
Received 10 December 2010; Accepted 3 March 2011
Academic Editor: Phillip Laplante
Copyright © 2011 Salamah Salamah et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
The Property Specification (Prospec) tool uses patterns and scopes defined by Dwyer et al. to generate formal specifications in Linear Temporal Logic (LTL) and other languages. The work presented in this paper provides improved LTL specifications for patterns and scopes over those originally provided by Prospec. This improvement comes in the efficiency of the LTL formulas as measured in terms of the number of states in the Büchi automaton generated for the formula. Minimizing the size of the Büchi automata for an LTL specification provides a significant improvement for model checking software systems using such tools as the highly acclaimed Spin model checker.
1. Introduction
The process of model checking a system consists of developing a model of the system to be verified and writing specifications in a temporal logic such as Linear Temporal Logic (LTL) [1] or Computational Tree Logic (CTL) [2]. In automata-based model checking, both the model M and the complement of the temporal specification S are represented by a special type of state machine called a Büchi Automaton (BA) [3]. To check the consistency of M with S, the model checker calculates the intersection of M and $S'$, where $S'$ is the complement of S. If the intersection is empty, then M is consistent with S. In other words, if M and $S'$ each represent a set of specifications and if $M \cap S' = \emptyset$, then the system satisfies the specification; otherwise, the system is inconsistent with the specification and a counter-example is returned.
The process of writing formal specifications is not easy because of the required mathematical sophistication and depth of knowledge in the specification language. For this reason, tools that simplify the creation of formal specifications in logics such as LTL are of interest to the model checking community and others. In the case of automata-based model checkers such as Spin [4], it is important that these tools generate efficient formulas, since the model checker complements the formulas, translates the result into a BA, and intersects the BA with the automaton of the system. The size of the automaton that results from the intersection of two automata has as its upper bound the product of the number of states in each of the two. One way to avoid the classical problem of state space explosion is to minimize the number of states generated by the negation of the specification. This will reduce the number of states generated by the automaton of the intersection, and as a result, it will reduce the time required to model check a software system.
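The two paragraphs above describe the automata-based check (build the BA of the model M and of the negated specification S′, intersect them, and test the result for emptiness) and the bound on the intersection's size. The following Python example, added here and not taken from the paper or from Spin, carries that check through on a toy system. It assumes symbols are sets of atomic propositions, that every state of the model automaton is accepting (a system model accepts all of its runs, so the product needs no counter), and uses a constructed request/grant model against the property G(r → F g); its negation F(r ∧ G ¬g) is hand-translated into a two-state BA. The names Buchi, model_check, GOOD_MODEL and BUGGY_MODEL are this example's own.

```python
from collections import deque


class Buchi:
    """Büchi automaton whose input symbols are frozensets of atomic
    propositions. A transition is (src, guard, dst) with guard(symbol) -> bool,
    so one transition can stand for a whole class of symbols (e.g. "true")."""

    def __init__(self, states, init, accepting, trans):
        self.states = set(states)
        self.init = init
        self.accepting = set(accepting)
        self.trans = list(trans)

    def step(self, state, symbol):
        """Successor states of `state` on `symbol`."""
        return {dst for (src, guard, dst) in self.trans
                if src == state and guard(symbol)}


def product(model, neg_spec, alphabet):
    """Reachable part of the intersection automaton M x S'.

    Assumption: every model state is accepting (a system model accepts all of
    its infinite runs), so a product state is accepting exactly when its S'
    component is accepting; no two-copy construction is needed.
    """
    init = (model.init, neg_spec.init)
    edges, seen, queue = {}, {init}, deque([init])
    while queue:
        m, q = queue.popleft()
        edges[(m, q)] = []
        for sym in alphabet:
            for m2 in model.step(m, sym):
                for q2 in neg_spec.step(q, sym):
                    edges[(m, q)].append((sym, (m2, q2)))
                    if (m2, q2) not in seen:
                        seen.add((m2, q2))
                        queue.append((m2, q2))
    accepting = {s for s in edges if s[1] in neg_spec.accepting}
    return init, edges, accepting


def find_path(edges, src, dst, cycle=False):
    """BFS over the product graph; returns the symbol sequence of a shortest
    path src -> dst, or None. With cycle=True the path must take at least one
    step, so src == dst searches for a loop back to src."""
    seen = set() if cycle else {src}
    queue = deque([(src, [])])
    while queue:
        state, path = queue.popleft()
        if state == dst and (path or not cycle):
            return path
        for sym, nxt in edges[state]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [sym]))
    return None


def model_check(model, neg_spec, alphabet):
    """Emptiness check of M x S'. Reports the number of reachable product
    states (bounded by |M| * |S'|) and either None, meaning M satisfies the
    specification, or a lasso counterexample (prefix, cycle) of symbols."""
    init, edges, accepting = product(model, neg_spec, alphabet)
    result = {"product_states": len(edges), "counterexample": None}
    for acc in sorted(accepting):  # an accepting state on a cycle => non-empty
        loop = find_path(edges, acc, acc, cycle=True)
        if loop is not None:
            result["counterexample"] = (find_path(edges, init, acc), loop)
            break
    return result


# Constructed toy alphabet: the propositions true after each step.
R, G, NONE = frozenset({"r"}), frozenset({"g"}), frozenset()
ALPHABET = [R, G, NONE]


def on(symbol):
    """Guard that matches exactly one symbol (used for model transitions)."""
    return lambda x: x == symbol


# Constructed model: idle -> request -> grant -> idle, all states accepting.
GOOD_MODEL = Buchi(
    states={"idle", "req", "grant"}, init="idle", accepting={"idle", "req", "grant"},
    trans=[("idle", on(R), "req"), ("req", on(G), "grant"), ("grant", on(NONE), "idle")])

# Same model with a starvation bug: a request may be re-issued forever.
BUGGY_MODEL = Buchi(
    states=GOOD_MODEL.states, init="idle", accepting=GOOD_MODEL.states,
    trans=GOOD_MODEL.trans + [("req", on(R), "req")])

# BA for the negated property  not G(r -> F g)  ==  F(r and G not g):
# wait (q0) until a request arrives, then stay forever (q1) while no grant.
NEG_SPEC = Buchi(
    states={"q0", "q1"}, init="q0", accepting={"q1"},
    trans=[("q0", lambda x: True, "q0"),
           ("q0", lambda x: "r" in x and "g" not in x, "q1"),
           ("q1", lambda x: "g" not in x, "q1")])


if __name__ == "__main__":
    for name, m in (("good", GOOD_MODEL), ("buggy", BUGGY_MODEL)):
        bound = len(m.states) * len(NEG_SPEC.states)
        print(name, model_check(m, NEG_SPEC, ALPHABET), "bound", bound)
```

The good model yields an empty product (no accepting state lies on a cycle), so G(r → F g) holds; the buggy model returns the lasso prefix [{r}] and cycle [{r}], i.e. a request that is repeated forever without a grant. In both runs the reachable product has 4 states against the bound |M| · |S′| = 6, which is the quantity the paper's smaller Büchi automata shrink.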
The Property Specification (Prospec) tool [5–7] builds on the Property Specification Patterns system (SPS) [8, 9], and it uses property patterns and scopes to assist in the specification of formal properties in LTL as well as other languages. Patterns are high-level abstractions that provide descriptions of common properties, and scopes describe the extent of program execution over which the property holds. Prospec also introduces the notion of composite propositions to allow