28
| Date post: | 12-Nov-2023 |
| Category: |
Documents |
| Upload: | independent |
| View: | 0 times |
| Download: | 0 times |
Formal Methods in System Design, ?, 1{28 (1998)c 1998 Kluwer Academic Publishers, Boston. Manufactured in The Netherlands.Deductive Model Checking *HENNY B. SIPMA, TOM�AS E. URIBE AND ZOHAR MANNA sipma,uribe,[email protected] Science Department, Stanford University, Stanford, CA. 94305Received ???, 1997Abstract. We present an extension of classical tableau-based model checking procedures tothe case of in�nite-state systems, using deductive methods in an incremental construction of thebehavior graph. Logical formulas are used to represent in�nite sets of states in an abstractionof this graph, which is repeatedly re�ned in the search for a counterexample computation, rulingout large portions of the graph before they are expanded to the state-level. This can lead to largesavings, even in the case of �nite-state systems. Only local conditions need to be checked at eachstep, and previously proven properties can be used to further constrain the search. Although theresulting method is not always automatic, it provides a exible, general and complete frameworkthat can integrate a diverse number of other veri�cation tools.Keywords: Deductive veri�cation, model checking, reactive systems1. IntroductionWe present a model checking procedure for verifying temporal logic properties ofin�nite-state systems. It extends the classical tableau-based model checking pro-cedure for verifying linear-time temporal logic speci�cations of reactive systemsdescribed by fair transition systems . To verify that a system S satis�es a temporalspeci�cation ', the classical procedure checks whether the (S;:') behavior graphadmits any counterexample computations. This behavior graph is the product ofthe temporal tableau for :' and the state transition graph for S, which makes theprocedure essentially applicable to �nite-state systems only.Our procedure starts with the temporal tableau for :' and repeatedly re�nesand transforms this graph until a counterexample computation is found or it isdemonstrated that such a computation cannot exist. Even for �nite-state systems,this can lead to signi�cant savings, since portions of the behavior graph can beeliminated long before they are fully expanded to the state level.For in�nite-state systems, the procedure is not guaranteed to terminate, in gen-eral. However, we show that it is a complete method for proving general state-quanti�ed temporal properties, relative to the underlying �rst-order reasoning. InSection 4, we illustrate the procedure by model checking an accessibility propertyfor the Bakery algorithm. Expansion to 16 nodes su�ces to verify this property* This research was supported in part by the National Science Foundation under grant CCR-95-27927, the Defense Advanced Research Projects Agency under NASA grant NAG2-892, AROunder grant DAAH04-95-1-0317, ARO under MURI grant DAAH04-96-1-0341, and by Armycontract DABT63-96-C-0096 (DARPA).
2 SIPMA, URIBE AND MANNAover this in�nite-state system. Even when the procedure does not terminate, partialresults can still be valuable, giving a representation of all potential counterexamplecomputations, which can be used for further veri�cation or testing.Like standard model checking, our procedure does not require user-provided auxil-iary formulas and allows the construction of counterexamples; the process is guidedby the search for such computations. Like deductive methods, it only needs tocheck local conditions, and allows the veri�cation of in�nite-state systems throughthe use of powerful representations to describe sets of states (e.g. �rst-order formu-las). We also accommodate the use of previously established invariants and simpletemporal properties.We present our procedure in the framework of [34], where deductive methods areused to verify linear-time temporal logic speci�cations for reactive systems describedby fair transition systems. However, the main ideas can be easily adapted to othertemporal logics and system speci�cation languages as well.2. Related workModel Checking: Most approaches to temporal logic model checking [12, 39]have used explicit state enumeration, or specialized data structures to representthe transition relation and compute �xpoints over it, as in BDD-based \symbolic"model checking [10, 35]. While automatic, and particularly successful for hardwaresystems, these approaches require that the system, or a suitable abstraction ofit, conform to the particular data structure used. Most often, the system must be�nite-state. Furthermore, even in the �nite-state case these techniques can generaterepresentations whose size is proportional to the reachable state space.The \on-the- y model checking" for CTL* presented in [1] constructs only aportion of the state-space as required by the given formula, but is still restrictedto �nite-state systems. Our procedure is similarly need-driven, but expands thestate-space in a top-down manner as well, moving from an abstract representationto a more detailed one as necessary.A method for generating an abstract representation of a possibly in�nite state-space is presented in [5], using partitioning operations similar to the ones we de-scribe below. However, the abstraction in [5] is independent of any particulartemporal property to be veri�ed. Finally, the local model checking algorithm forreal-time systems in [43] can be seen as a specialized variant of our procedure; it toore�nes a �nite representation of an in�nite behavior graph, consecutively splittingnodes to satisfy constraints that arise from the formula and system being checked.Deductive Methods: A complete deductive system for temporal veri�cation ofbranching-time properties is presented in [22], while [6] presents a proof system forthe modal mu-calculus. Manna and Pnueli [34] present a deductive framework forthe veri�cation of fair transition systems based on veri�cation rules , which reducetemporal properties of systems to �rst-order premises. Veri�cation diagrams [33,7, 8] provide a graphical representation of the veri�cation conditions needed toestablish a particular temporal formula.
DEDUCTIVE MODEL CHECKING 3All of these methods apply to in�nite-state systems and enjoy relative complete-ness, but can require substantial user guidance to succeed. These methods yield adirect proof of the system-validity of a property, but do not produce counterexamplecomputations when the property fails.A di�erent deductive veri�cation method based on transforming a graphical rep-resentation of transition systems is presented in [19]. In this approach, the system istransformed gradually until an abstraction is produced that can be model checked,or corresponds directly to the speci�cation. Thus, it presents a direct proof, whereaswe proceed by showing that counterexample computations cannot exist.The procedure presented in [3] for automatically establishing temporal safetyproperties is based on an assertion graph similar to the falsi�cation diagram weuse, and can also produce counterexamples. Our approach is a dual one: instead ofchecking that all computations satisfy the temporal tableau of the formula � beingproved, we check that no computations satisfy the tableau for :�. In Section 4.6we discuss how some of the abstraction and propagation techniques in [3] can beadapted to this setting.Abstraction: Property-preserving abstractions for the �-calculus are investigatedin [31] and [15]. An algorithm for producing abstracted state spaces which preservevarious fragments of CTL* is presented in [18]. Like our procedure, this algorithmconstructs a quotient of the state space, splitting equivalence classes (sets of states)according to the value of di�erent subformulas. The abstraction can be computedwith respect to the particular formula to be model checked, enhancing the degreeof abstraction. Dams et. al. [17, 16] show how this quotient construction can becombined with abstract interpretation [13] of the program being veri�ed.Similarly, [23] uses deduction to construct an abstract state graph that can bemodel checked. A given set of subformulas determines the sets of states in theabstraction; these subformulas are atomic assertions in the property being veri�ed,obtained from the control structure of the program, or provided by the user. Theabstraction can be re�ned, by adding new subformulas, if it fails to prove or disprovethe property being veri�ed. In contrast, we construct the abstraction dynamically,re�ning an abstract behavior graph.Other Combinations: Other methods for combining theorem proving and modelchecking have been proposed. Most of them rely on decomposing the veri�catione�ort into subgoals which can be model checked, where the decomposition is jus-ti�ed using deductive methods. Hungar [25] and Kurshan and Lamport [28] usedeductive modular decomposition to reduce the correctness of a large system tothat of smaller components that can be model checked. In [40] and [21], abstrac-tion is used to obtain subgoals that can be model checked; the correctness of theabstraction is proved deductively. A similar approach is advocated by Ostro� [36]in the case of real-time systems.The PVS system [37] includes a decision procedure to model check propositional�-calculus expressions, which can appear as subgoals in a veri�cation e�ort. TheSTeP system [2] uses deductive veri�cation rules, but can also model check subgoalsover the given system speci�cation whenever possible. Pnueli and Shahar [38]
4 SIPMA, URIBE AND MANNAuse BDD-based tools to perform deductive veri�cation, and show how deductivelyobtained invariants can constrain the BDD-based symbolic model checking process.Finally, [14] presents a combination of model checking and deduction, similar inspirit to the one we present, for the �rst-order branching-time logic ACTL. Localmodel checking is carried out relative to �rst-order veri�cation conditions, whichmakes the veri�cation of in�nite-state systems possible.3. PreliminariesFair Transition Systems: The computational model, following [34], is a fairtransition system (FTS). An FTS S is a triple hV ;�; T i, where V is a set of variables,� is the initial condition, and T is a �nite set of transitions . A �nite set of systemvariables V � V determines the possible states of the system. The state-space, �,is the set of all possible valuations of the system variables.We use a �rst-order assertion language A to describe � and the transitions inT . (This language can be augmented with features such as interpreted symbolsand constraints, or specialized to the �nite-state case, e.g. using BDDs.) � is anassertion over the system variables V . A transition � is described by a transitionrelation �� (~x; ~x0), an assertion over the set of system variables ~x and a set of primedvariables ~x0 indicating their values at the next state. T includes an idling transition,Idle, whose transition relation is ~x = ~x0.A run is an in�nite sequence of states s0; s1; : : : such that s0 satis�es �, andfor each i � 0, there is some transition � 2 T such that �� (si; si+1) evaluates totrue. We then say that � is taken at si, and that state si+1 is a �-successor of s. Atransition is enabled if it can be taken at a given state. Such states are characterizedby the formulaenabled (�) def= 9~x0:�� (~x; ~x0) :As usual, we de�ne the strongest postcondition post(�; �) and the weakest precon-dition wpc(�; �) of a formula � relative to a transition � as follows:post(�; �) def= 9~x0: (�� (~x0; ~x) ^ �(~x0))wpc(�; �) def= 8~x0: (�� (~x; ~x0)! �(~x0)) :We also use the notation f�g � f g def= (�(~x) ^ �� (~x; ~x0))! (~x0).Fairness: The transitions in T can be optionally marked as just or compassionate.A just (or weakly fair) transition cannot be continually enabled without ever beingtaken; a compassionate (or strongly fair) transition cannot be enabled in�nitelyoften but taken only �nitely many times. A computation is a run that satis�esthese fairness requirements.Example: Figure 1 shows a program that implements Lamport's [29] bakery algo-rithm for mutual exclusion. Each of the statements in the program corresponds to
DEDUCTIVE MODEL CHECKING 5a transition, denoted by its label; thus, T = fIdle; `0::`4;m0::m4g. All transitionsare just, except for m0 and `0, which have no fairness requirements.This is an in�nite-state program, since the value of the integer variables y1 and y2can grow arbitrarily large. The program ensures mutual exclusion: control is neverat locations `3 and m3 at the same time; in Section 4 we will also see that it ensuresaccessibility : if control resides at `1 (resp. m1), it will always eventually reach `3(resp. m3). Note that since the noncritical statement is not fair, we cannot claimthe same if control is initially at `0 (resp. m0). Another property of this programis 1-bounded overtaking : if a process has expressed interest in entering the criticalsection, the other process can enter the critical section at most once before the �rstprocess can enter.The STeP (Stanford Temporal Prover) veri�cation system translates programssuch as bakery into the corresponding fair transition systems [2]. To each processcorresponds a control variable, which ranges over its distinct locations. The asser-tions `i and mj indicate that control resides at locations i and j for each of the twoprocesses. local y1; y2 : integer where y1 = y2 = 026666664loop forever do266664`0: noncritical`1: y1 := y2 + 1`2: await (y2 = 0 _ y1 � y2)`3: critical`4: y1 := 0 37777537777775jj 26666664loop forever do266664m0: noncriticalm1: y2 := y1 + 1m2: await (y1 = 0 _ y2 < y1)m3: criticalm4: y2 := 0 37777537777775Figure 1. Program bakery for mutual exclusion.Linear-time Temporal Logic: As speci�cation language we use linear-time tem-poral logic (LTL) over the assertion language A, where no temporal operator isallowed to appear within the scope of a quanti�er. Such temporal formulas arecalled state-quanti�ed [34]. We use the usual future and past temporal operators,such as 2;3; ; U ; W (future) and their past-time counterparts. A formula withno temporal operators is called a state-formula or an assertion. A safety propertyis one that can be expressed as 2p for a past temporal formula p; in the specialcase where p is a state-formula, the property is called an invariance. We say that
6 SIPMA, URIBE AND MANNAa formula ' is S-valid , written as S j= ', if all the computations of S satisfy '.Mutual exclusion for bakery can be expressed as the invariance 2(:(`3^m3)), andaccessibility as 2(`1 ! 3`3) (a response property). For details on LTL and tableauconstructions, we refer the reader to [27, 34], and de�ne only the basic concepts weneed.The Formula Tableau: Given an LTL formula �, we can construct its tableau��, a �nite graph that describes all of its models [34]. Brie y, each node in thetableau is labeled with an atom, which is a set of state- and temporal formulasexpected to hold whenever a model resides at this node. Two nodes A1 and A2 areconnected with a directed edge hA1; A2i if the formulas in A2 can hold at a statefollowing one that satis�es the formulas in A1.An atom is called initial if its formulas can hold at the initial state of a model. �is satis�able only if there is a strongly connected subgraph (SCS) (a subgraph withat least one edge in which each node is reachable from every other node) in ��that is reachable from an initial atom. Furthermore, if a model satis�es, e.g., 3pat some point, it must in fact satisfy p at this or another point later on. A ful�llingSCS is one where all such eventualities are satis�ed.Proposition 1 � is satis�able i� there is a ful�lling, reachable SCS in ��.The atomic formulas in the tableau are those appearing in �; normally, theseare treated as propositional constants. However, we will combine them togetherinto a single formula f of the assertion language A, which is always rewritten andsimpli�ed as much as possible.The size of the tableau is exponential in the size of the formula. We can oftenreduce the size of the tableau (although it remains exponential in the worst case)by introducing nondeterminism, where sequences of states may be mapped intomultiple paths in the tableau, resulting in a so-called particle tableau [34].The classic model checking algorithm for �nite-state systems builds the productbetween the state transition graph of S and �:', and checks whether this behaviorgraph contains an SCS that is ful�lling and also satis�es the fairness requirementsassociated with S. If such an SCS is reachable from a node that is initial withrespect to both S and �:', a counterexample computation can be produced; oth-erwise, ' is S-valid.4. Deductive Model CheckingWe now present an alternate approach to the veri�cation of temporal properties ofreactive systems, deductive model checking .Instead of building the (S;:') behavior graph explicitly, we will start with ageneral skeleton of the behavior graph and progressively re�ne it. This graph willalways contain all the possible computations of S that violate ', and we will callit the falsi�cation diagram for S and '. (In [42], this graph is called the S-re�nedtableau.)
DEDUCTIVE MODEL CHECKING 7De�nition 1. (falsi�cation diagram) Given an FTS S and a temporal property ',a falsi�cation diagram for S and ' is a directed graph G whose nodes are labeledwith pairs (A; f), where A is a temporal tableau atom for :' and f is a state-formula. Edges of G are labeled with subsets of T , the set of transitions of S. FornodesM and N , we write � 2 hM;Ni if transition � is in the label of the edge fromM to N , or simply say that � labels hM;Ni. A subset of the nodes in G is markedas initial .A falsi�cation diagram can be seen as a �nite abstraction of the behavior graph.The state-formula f in a node (A; f) describes a superset of the states reachableat that node; similarly, the transitions that label an edge h(A1; f1) ; (A2; f2)i are asuperset of those that can be taken from an f1-state to reach an f2-state. We willsee that any path through a falsi�cation diagram corresponds to a path throughthe corresponding temporal tableau. That is, for any path (A0; f0) ; (A1; f1) ; : : :through G, the underlying path A0; A1; : : : will be a path in �:'.4.1. The DMC ProcedureStarting with the tableau graph �:', we construct an initial falsi�cation diagramG0 as follows:1. Replace each node label A by (A; fA), where fA is the conjunction of the state-formulas in the tableau atom A.2. For each node N : (A; f) such that A is initial in the tableau �:', add a newnode N0 : (A; f ^�), with no incoming edges, whose outgoing edges go to ex-actly the same nodes as those ofN . A self-loop hN;Ni becomes an edge hN0; Niin the new graph. These new nodes are the initial nodes in the falsi�cation di-agram.3. Label each edge in G0 with the entire set of transitions T .Example: Figure 2 presents an example of an initial falsi�cation diagram to proveaccessibility, ' : 2(`1 ! 3`3), for the bakery program of Figure 1. This diagramis based on the particle tableau for :' : 3(`1^2:`3). Nodes 3 and 4 correspond tothe initial nodes in the :' tableau. Node 1 results from adding the initial conditionto node 4. The initial node derived from node 3 is immediately pruned since `1 ^�is unsatis�able. The SCS f4g is not ful�lling, but f2g is.Subsequent examples will show how this property is veri�ed with a DMC imple-mentation based on the STeP system [2]. The simpli�cation mechanisms providedby STeP are used to transform state-formulas into simpler, logically equivalent ones,using decision procedures for built-in theories such as linear arithmetic, equality,datatypes and �nite domains.STeP also provides general �rst-order validity checking procedures [4], as well as acomplete, interactive theorem-proving environment. However, these tools were not
8 SIPMA, URIBE AND MANNA3 : `1 TT2 : :`3
T4 : true T1(� :)`0 ^m0 ^ y1 = 0 ^ y2 = 0T
T
Figure 2. Initial falsi�cation diagram for bakery accessibility.needed in the examples we give below, since the required validities were all provedautomatically by STeP's simpli�er.The main data structure maintained by the procedure is a falsi�cation diagramGi and a list Li of strongly connected subgraphs (SCS's) of this graph. We presentthe deductive model checking (DMC) procedure as a set of transformations on thispair. Initially, the SCS list contains all the maximal strongly connected subgraphs(MSCS's) of G0.Deductive model checking proceeds by repeatedly applying one of transforma-tions 1{13 described below. The process stops if we �nd a reachable, ful�lling andadequate SCS (see Section 4.5), in which case we have a counterexample computa-tion, or if we obtain an empty SCS list, indicating that ' is S-valid.Basic Transformations:� 1 (remove edge label). If an edge h(A1; f1) ; (A2; f2)i is labeled with a tran-sition � and the assertionf1(~x) ^ f2(~x0) ^ �� (~x; ~x0)is unsatis�able, remove � from the edge label.� 2 (empty edge). If an edge is labeled with the empty set, remove the edge.� 3 (unsatis�able node). If f is unsatis�able for a node (A; f), or if a nodehas no successors, remove the node.� 4 (unreachable node). Remove a node unreachable from an initial node.
DEDUCTIVE MODEL CHECKING 9� 5 (unful�lling SCS). If an SCS is not ful�lling, remove it from the SCS list.(An SCS is ful�lling if its underlying tableau SCS is ful�lling.)� 6 (SCS split). If an SCS becomes disconnected (because a node or an edge isremoved from the graph), replace it by its constituent MSCS's.These basic transformations should be applied whenever possible. Except for (1)and (3), which require checking the satis�ability of formulas in the assertion lan-guage, they can all be easily automated (see Section 7).Node Splitting: In the following, we will have the opportunity to replace a nodeN by new nodes N1 and N2. Any incoming edge hM;Ni is replaced by edgeshM;N1i and hM;N2i with the same label, for M 6= N . Similarly, any outgoingedge hN;Mi is replaced by edges hN1;Mi and hN2;Mi with the same label as theoriginal edge.If a self-loop hN;Ni was present, we add edges hN1; N1i, hN2; N2i, hN1; N2i andhN2; N1i, all with the same label as hN;Ni. If an initial node is split, the two newnodes are also labeled as initial. If the split node was part of an SCS in the SCSlist, this SCS is updated accordingly.Basic Re�nement Transformations:� 7 (postcondition split). Consider an edge from node N1 : (A1; f1) to N2 :(A2; f2) whose label includes transition � . If f2^:post(�; f1) is satis�able (thatis, f2 does not imply post(�; f1)), then replace (A2; f2) by the two nodesN2;1 = (A2; f2 ^ post(�; f1))N2;2 = (A2; f2 ^ :post(�; f1)) :We can immediately apply the remove edge label transformation to the edgebetween N1 and N2;2, removing transition � from its label.Nodes N1 and N2 need not be distinct. If N1 = N2 then we split the node intotwo new nodes as above, but now the self-loop for N2;2 and the edge from N2;1to N2;2 will not contain the transition � .� 8 (precondition split). Consider an edgehN1; N2i = h(A1; f1) ; (A2; f2)ilabeled with transition � . If f1 ^ :(enabled (�) ^ wpc(�; f2)) is satis�able, thenreplace (A1; f1) by the two nodesN1;1 = (A1; f1 ^ enabled (�) ^ wpc(�; f2))N1;2 = (A1; f1 ^ :(enabled (�) ^ wpc(�; f2))) :Example: Figure 3 presents the result of applying a precondition split on edgeh2; 2i and transition `0 of the initial falsi�cation diagram, replacing node 2 bynodes 6 and 5. Basic transformations have been applied where applicable, forinstance, removing all transitions except `4 from edge h6; 5i. The underlying sim-pli�cations are performed automatically by STeP.
10 SIPMA, URIBE AND MANNA
TT2 : :`3:' : 3(`1 ^ 2:`3)3 : `1T T T
1(� :)`0 ^m0 ^ y1 = 0 ^ y2 = 04 : true 3 : `1T T T4 : true1(� :)`0 ^m0 ^ y1 = 0 ^ y2 = 0`05 : `06 : :`0 ^ :`3Idle;m0::m4; `1
Idle; m0::m4Idle;m0::m4; `1Prec. `4`4Prec. `0T T
Figure 3. First splitting step for bakery accessibility.The conditions for applying these transformations can be weakened if the requiredsatis�ability checks are too expensive (see Section 7).Variants of these transformations, such as n-ary splits according to possible con-trol locations, are convenient in practice. In general, arbitrary conditions can beused to split nodes: if �1; : : : ; �n are assertions, one can split a node hA; fi into then+ 1 nodeshA; f ^ �1i ; : : : ; hA; f ^ �ni ; hA; f ^ :(�1 _ : : : _ �n)i :For example, �1; : : : ; �n can correspond to the set of relevant control locations, andthe n-ary split would be a shortcut for a sequence of (binary) precondition splits.Our basic re�nement transformations are motivated by the general structure of thesystem and property being checked, and can be automated as well.Known invariants can be used to strengthen all (or only some) of the assertionsin the falsi�cation diagram; if 2p is a known invariant, for a state-formula p, thenwe can replace any node (A; f) by the node (A; f ^ p). This use of invariants canalso be very valuable in �nite-state symbolic model checking [38]. Similarly, simpletemporal properties of S can be used to rule out paths in the diagram. For example,if we know that 2(p! 3q) is S-valid, then we can require that any candidate SCSfeaturing a state-formula that implies p also contain a state-formula compatiblewith q. (Before model checking begins, :' could always be conjoined with all otherknown temporal properties of S, but at the risk of greatly increasing the size of thetemporal tableau.)
DEDUCTIVE MODEL CHECKING 114.2. Fairness TransformationsTogether, transformations 1-8 are su�cient for the analysis of temporal safety prop-erties, which do not depend on the fairness constraints of the system. If an adequateSCS is found (see Section 4.5), a counterexample is produced. If the set of SCS's(all of which are actually MSCS's, in this case) becomes empty, then we know thereis no counterexample computation. However, to account for just and compassionatetransitions we need the following extra transformations:� 9 (enabled split). Consider a just or compassionate transition � containing anode N : (A; f) such that f ^ :enabled (�) is satis�able.Then replace N by the two nodesN1 = (A; f ^ enabled(�))N2 = (A; f ^ :enabled (�)) :De�nition 2. A transition � is fully enabled at a node (A; f) if f ! enabled(�) isvalid; � is fully disabled at a node (A; f) if f ! (:enabled (�)) is valid. A transitionis taken on an SCS S if it is included in an edge-label in S. An SCS S is just (resp.compassionate) if every just (resp. compassionate) transition is either taken in Sor not fully enabled at some node (resp. all nodes) in S.That is, an SCS S is unjust (resp. uncompassionate) if some just (resp. compas-sionate) transition is never taken in S and fully enabled at all nodes (resp. somenode) in S.The motivation for these de�nitions is the following: if an SCS S is unjust oruncompassionate, then we know that a computation cannot visit each node in Sin�nitely often, never leaving S, since a fairness constraint would be violated. Notethat if an SCS is not just, then all of its subgraphs are not just; but an SCS thatis not compassionate may have a compassionate subgraph. This leads us to thenext two transformations, which, like the basic ones, should be applied wheneverpossible:� 10 (unjust SCS). If an SCS is not just, remove it from the SCS list.� 11 (uncompassionate SCS). If an SCS S is not compassionate, then let�1; : : : ; �n be all the compassionate transitions that are not taken in S. ReplaceS by all the MSCS's of the subgraph resulting from removing all the nodes inS where one of these transitions is fully enabled.Note that these transformations do not change the underlying graph G, but onlythe SCS's under consideration. However, unjust or unful�lling SCS's can be fullyremoved from the graph if they have no outgoing edges, since they will never bepart of a counterexample computation.Example: Figure 4 shows the result of an `4-precondition split on h6; 5i of Figure 3,which yields nodes 8 and 7. At this point, nodes 5 and 7 are unreachable from the
12 SIPMA, URIBE AND MANNAinitial node and can be removed. The only candidate SCS is thus f8g. An `1-postcondition split for h8; 8i yields nodes 9 and 10. The only ful�lling SCS is f10g,since f9g is unjust for `1.Post. `1 3 : `1T T T4 : true1(� :)`0 ^m0 ^ y1 = 0 ^ y2 = 0
10 : `2Idle;m0::m49 : `1Idle;m0::m4Idle;m0::m4`1 T`1
Enabled `23 : `1T T T4 : true1(� :)`0 ^m0 ^ y1 = 0 ^ y2 = 0
5 : `0Idle;m0::m4; `1Idle;m0::m4; `18 : `1 _ `2
Idle;m0::m4`4 7 : `4`0Idle;m0::m4T
Figure 4. Second and third splitting steps for bakery accessibility.Example: Figure 5 shows the �nal three splits for the bakery veri�cation. Anenabled split for node 10 and transition `2 produces nodes 11 and 12. The SCSf11g is unjust for `2. Node 12 is now strengthened with the invariant (y2 6= 0) !(m2 _m3 _m4). (Such invariants are generated automatically by STeP based onthe program text.) An m3-precondition split on h12; 12i produces nodes 13 and 14.SCS f13g is unjust for m3. Finally, an m2-precondition split on h14; 13i resultsin 15 and 16. SCS f16g is unjust for m4, while f15g is unjust for m2. Since nocandidate SCS's remain, we have established that ' is S-valid.4.3. Termination TransformationTransformations 1-11 are su�cient for the analysis of transition systems that have�nite abstractions relative to the property to be proved. For example, the bak-ery program has a �nite abstraction relative to accessibility and mutual exclusion.However, consider the property' : 32:((`0 _ `1) ^ (m0 _m1)) ! 3(max(y1; y2) > N)
DEDUCTIVE MODEL CHECKING 13
11
`1
m4
12 : `2 ^ :(y1 � y2 _ y2 = 0)Idle;m0::m411 : `2 ^ (y1 � y2 _ y2 = 0)m1;m43 : `1 Idle;m0::m4Idle;m0::m4
Idle;m0::m4
Idle;m0::m4Prec. m315 : `2 ^m2 ^ :(y1 � y2 _ y2 = 0)Idle; m0::m4`1
Idle14 : `2 ^ :m1 ^ :m3 ^ :(y1 � y2 _ y2 = 0)
Idle13 : :(y1 � y2 _ y2 = 0) ^ `2 ^m3m3IdleEnabled `210 : `216 : `2 ^m4 ^ :(y1 � y2 _ y2 = 0)
9 : `1
m2Idle 13 Idle Prec. m2m2m3Figure 5. Last splitting steps for bakery accessibility.where N is an arbitrary integer. This property states that max(y1; y2) will growbeyond N , provided the two processes are never at locations `0 or `1 (resp. m0 orm1) at the same time. bakery has no �nite-state abstraction that can prove ' foran arbitrary N .To verify such properties, we introduce a transformation that allows the user toassign a well-founded order to an SCS of the graph to prove, deductively, thatin�nite computations cannot forever reside in this SCS and visit all nodes.De�nition 3. (terminating SCS) An SCS S is terminating if there is no run thatvisits every node of S in�nitely often.We say that a binary relation � is well-founded over some domain D if there areno in�nite descending chains, that is, no in�nite sequences of elements e1; : : : ; en; : : :in D such that e1 � e2 � : : : � en � : : :. We write x � y i� x � y or x = y.De�nition 4. (terminating edge) An edge et in an SCS S is terminating if thereexist a well-founded domain D and a ranking function �(n; s), mapping pairs ofnodes and states into D, such that
14 SIPMA, URIBE AND MANNA1. for every edge e = hN1; N2i = h(A1; f1); (A2; f2)i in S and every � 2 ef1(~x) ^ �� (~x; ~x0) ^ f2(~x0)! �(N1; ~x) � �(N2; ~x0)and2. for every � 2 et, with et = hN1; N2i = h(A1; f1); (A2; f2)if1(~x) ^ �� (~x; ~x0) ^ f2(~x0)! �(N1; ~x) � �(N2; ~x0) :Clearly, no computation that resides in the SCS from some point onwards cantraverse et in�nitely many times. This leads to the following transformation (whichwas not included in [42]):� 12 (terminating SCS). If e is a terminating edge in an SCS S, then replaceS by all the MSCS's of the subgraph obtained by removing e from S.Again, this transformation does not change the underlying graph, but only theSCS's that may participate in a counterexample. However, as with unjust andunful�lling SCS's, a terminating SCS may be removed from the graph if it has nooutgoing edges.The ranking functions can be part of an extended assertion language that is notnecessarily the state-assertion language A, e.g. it could include the �-calculus [44].D can be the set of ordinals or a lexicographic combination of well-founded orders,for example.4.4. Unfolding SCS'sUnfortunately, the terminating SCS transformation is not applicable to everyterminating SCS, as illustrated by the following example.Example: Consider the transition system xyz shown in Figure 6. Starting withx > 0, y > 0 and z equal to 0 or 1, this system repeatedly decreases x or y by 1,until x = 0 if z = 0, or until y = 0 if z = 1. At this point, the system movesto loc = 2. We want to prove 3loc = 2 for this system. Figure 7 shows theinitial falsi�cation diagram and the result of performing a split on the disjunction(t = 1 _ t = 2 _ t = 3), followed by the basic transformations. Clearly, theSCS S = f4; 5; 6g is terminating. However, we cannot apply the terminating edgetransformation, since (ignoring fairness) the loops (4; 6), and (5; 6) can each betaken in�nitely many times, depending on the value of z.To obtain completeness, we add one more transformation. The purpose of thistransformation is to reduce a terminating SCS S with n nodes, in which no singleedge can be proved to decrease the ranking function for every run, to a ring of nSCS's, S1; : : : ; Sn. Each Si is a copy of S, with node i removed. If S is terminating,
DEDUCTIVE MODEL CHECKING 15V = fx; y; z; t; locg� = x > 0 ^ y > 0 ^ (z = 0 _ z = 1) ^ loc = 0 ^ t = 0T = f�1; �2; �3; �idleg where��1 = loc = 0 ^ loc0 = 1 ^ x0 = x� 1 ^ t0 = 1��2 = loc = 0 ^ loc0 = 1 ^ y0 = y � 1 ^ t0 = 2��3 = loc = 1 ^ t0 = 3 ^((z = 0 ^ x = 0) _ (z = 1 ^ y = 0) ^ loc0 = 2) _(:((z = 0 ^ x = 0) _ (z = 1 ^ y = 0)) ^ loc0 = 0)J = f�3gC = f�1; �2gFigure 6. Fair transition system xyz.1 : �6 : t = 33 : t = 04 : t = 1 5 : t = 21 : �Idle Idle
Idle�3 �1 �2 �3�2�1 IdleIdle2 : :loc = 2T T
Figure 7. First two falsi�cation diagrams for xyz example.then the edges constituting the ring can be taken only �nitely many times. Thus,the terminating SCS transformation is applicable. When applied, it disconnectsthe ring and leaves n new SCS's on the SCS list, all of which are strictly smallerthan S.� 13 (unfold SCS). Consider an SCS S : fN1; : : : ; Nng. Remove S from thediagram and replace it with S1; : : : ; Sn, constructed as follows, where Ni(Sj)refers to the node that is a copy of Ni 2 S and is part of Sj :1. S1 is identical to S except that every edge e : hNk; N1i 2 S is replaced byan edge e� : hNk(S1); N1(S2)i. For all edges e : hNx; Nki where Nx 62 S
16 SIPMA, URIBE AND MANNAand Nk 2 S, there exists an edge e� : hNx; Nk(S1)i, and for all edgese : hNk; Nxi, where Nk 2 S and Nx 62 S, there exists an edge hNk(S1); Nxi.2. Si; 1 < i � n is identical to S except that node Ni is removed along withevery edge entering and leaving Ni, and for every edge e : hNk; Nii ; 1 � k �n; k 6= i, there is an edge e� : hNk(Si); Ni(Si�1)i, where i�1 = i+1 if i < nand 1 otherwise. All edges e : hNx; Nki ; Nx 62 S;Nk 2 S are removed. Forall edges e : hNk; Nxi, Nk 2 S, Nx 62 S, there exists an edge hNk(Si); Nxi.The above transformation also replaces S on the SCS list with the single SCScontaining S1; : : : ; Sn.Example: Figure 8 illustrates the application of the unfold SCS transformationto the terminating SCS f4; 5; 6g of Figure 7. The result is a ring of three com-ponents: in the �rst component, node 6 was removed from the SCS and nodes 7and 8 correspond to nodes 4 and 5 in Figure 7. In the second and third com-ponents, nodes 4 and 5 are removed, respectively. We can then apply the ter-minating SCS transformation to this ring, with edge h9; 11i as the terminatingedge, as justi�ed by the ranking function shown in Figure 8. It is easy to showthat 2((if z = 0 then x else y) � 0) is an invariant of system xyz, so this rankingfunction is well-founded.After thus breaking the ring, eliminating the remaining SCS's, namely f8g, f9; 10gand f11; 12g, is straightforward using the fairness transformations.1 : �
if z = 0 then x else yif z = 0 then x else y + 1if z = 0 then x else y + 1�1 �2Idle �3Idle �3�1 �1�3Idle �2 �37 : t = 19 : t = 3 8 : t = 210 : t = 211 : t = 1 12 : t = 3
Idle3 : t = 0
�2IdleIdle
IdleIdle
Figure 8. Result of the unfold SCS rule and ranking function for terminating SCS rule.
DEDUCTIVE MODEL CHECKING 17The unfold SCS and terminating SCS transformations can be combined, yield-ing transformations that use additional veri�cation conditions and auxiliary asser-tions, and do not generate intermediate nodes that are to be discarded later. Such atransformation is presented in [20]. However, the two transformations given here aresu�cient for completeness and facilitate the completeness proof itself (Section 6).4.5. Obtaining CounterexamplesThe process of transforming the falsi�cation diagram can continue until there areno SCS's under consideration, in which case the original property ' is guaranteedto hold for the system S.In the case that S does not satisfy ', �nding a counterexample computationrequires some additional work. The above transformations remove from considera-tion SCS's that are known to be unreachable because they are disconnected froman initial node. However, no provisions ensure that a node is indeed reachable in anactual computation, or that a (in�nite) computation can in fact reside inde�nitelywithin an SCS. To identify portions of the behavior graph that are guaranteed tobe reachable, we do some additional bookkeeping:� (executable transition). Given an edge h(A1; f1) ; (A2; f2)i labeled with tran-sition � , mark � as executable if the following formula is valid:f1(~x)! 9~x0: (�� (~x; ~x0) ^ f2(~x0)) :That is, � is labeled as executable if it can always be taken at states satisfy-ing f1 to reach a state that satis�es f2. For example, the idling transition canbe marked as executable on all self-loops. (A stronger condition, the validity of(f1 ! enabled (�)) ^ (ff1g � ff2g), can be used if existential quanti�ers are to beavoided.)De�nition 5. (fully just and compassionate) A transition is fully taken at an SCSif it is marked as executable for an edge in the SCS. An SCS S is fully just (resp.fully compassionate) if every just (resp. compassionate) transition is either fullytaken in S or fully disabled at some node (resp. all nodes) in S.If S is a fully just and compassionate SCS, a computation that resides inde�nitelywithin S cannot violate any fairness requirements. If we can guarantee that such acomputation exists, we have a counterexample:De�nition 6. (adequate SCS) An SCS S is adequate if after removing all edgesnot marked with executable transitions we obtain a subgraph S0 where:1. S0 is still strongly connected;2. S0 is fully just and fully compassionate;
18 SIPMA, URIBE AND MANNA3. there is a path of executable transitions from a satis�able initial node to a nodein S0;4. the state-formulas in S0 and the path that leads to S0 are satis�able.An adequate SCS guarantees the existence of a computation of S that satis�es :'(see Section 5).4.6. Propagation and StrengtheningIt is possible to obtain a reachable SCS that includes a counterexample computa-tion, such that not all of its edges can be labeled with an executable transition. Inthis case, we are in danger of re�ning the SCS ad in�nitum (e.g. with forwardspropagation from an initial state), �nding ever longer fragments of the counterex-ample computation. In such cases, the methodology presented by Bj�rner, Browneand Manna [3] to automatically establish invariants can be used as a heuristic tostrengthen a candidate SCS into an adequate one.We say that S0 strengthens an SCS S if S0 can be obtained by replacing each node(A; f) in S by a node (A; f 0) such that f 0 implies f . By computing the greatest�xpoint of an appropriate monotonic operator de�ned on S based on weakest pre-conditions, we can �nd formulas �n for each node n such that (1) �n implies fn foreach node (A; fn), and (2) each transition � in N can be marked as executable ifwe replace each fn by �n. That is, the strengthened SCS S0 is adequate, providedit is just and compassionate and one of its nodes is known to be reachable.Note that justice and compassion for an SCS are preserved by strengthening,but reachability is not. To check if a strengthened node is reachable, backwardpropagation through the graph to reach an initial state can be carried out, usingthe weakest precondition operator.To make �xpoint computations more feasible and e�cient, di�erent abstractiondomains can be used, such as linear equations or convex polyhedra, based on ab-stract interpretation techniques [13]. While the above use of strengthening is meantto obtain a counterexample as a �nal step in model checking, abstract backward andforward propagation through the graph can always be used to soundly strengthenthe formulas in the falsi�cation diagram, whenever such propagation converges.Forward propagation can be used to strengthen the formulas while preserving thecomputations of S, while backward propagation preserves those that satisfy :'.Unlike the counterexample computation above, such strengthening can be done ina purely automatic and incremental fashion, interleaved with our transformationson the falsi�cation diagram. See [3] for more details.On the other hand, we may choose to approximate nodes by weakening them.Here, we replace an assertion f in a node by an assertion f 0 such that f ! f 0 is valid.If the procedure terminates after �nding no adequate SCS in the weakened graph,we are sure that the original property was S-valid. However, a counterexamplefound in the weakened graph may not be an actual computation of the original
DEDUCTIVE MODEL CHECKING 19system or a model of :'. (We may also choose to weaken a node if the particularrepresentation of f becomes too expensive to maintain.)5. SoundnessWe now outline the proof of soundness for our deductive model checking procedure.It is easy to see that our requirements for a counterexample are sound: at any point,any ful�lling path through the falsi�cation diagram is also a ful�lling path throughthe temporal tableau, and thus a model of :'. That it is a computation of Sfollows from the justice and compassion requirements on adequate SCS's, and bythe executable transition labels, which ensure consecution.Thus, we now show that if the procedure discards all SCS's, then the originalproperty ' is S-valid:De�nition 7. (computation follows G) A computation s0; s1; : : : of S follows afalsi�cation diagram G i� there is a path N0; N1; : : : in G such that1. N0 is an initial node in G,2. for each node Ni = (Ai; fi), si satis�es fi, for all i � 0, and3. (consecution) each edge hNi; Ni+1i is labeled by a transition � such that si+1is a � -successor of si.Theorem 1 Let G0 be the initial falsi�cation diagram. Then any computation ofS that satis�es :' follows G0.Proof: Any sequence that satis�es :' corresponds to a path in the underlyingtemporal tableau. If it is a computation of S, then it must satisfy the initialcondition; all other states are constrained only by the state-formulas in the tableauatom. Since it is a computation, the consecution requirement holds, since all edgesin G0 are labeled by all transitions in S.Theorem 2 Let G0 be the result of applying any of the DMC transformations to afalsi�cation diagram G, and let c be a computation of S. Then c follows G if andonly if c follows G0.Proof: Of the basic transformations, only remove edge label, empty edge,unsatis�able node and unreachable node change the underlying graph. But theconditions for removing an edge label, an edge, or a node ensure that the removedcomponent could not have participated in any computation of S that followed G.The remaining transformations are the three splitting rules. For these, any com-putation in G that reaches the split node can be converted to a computation in G0by choosing which of the two new nodes it satis�es. Conversely, any computationin G0 can be converted to a computation in G by replacing any use of the two newnodes by the original one in G.
20 SIPMA, URIBE AND MANNANote that for the soundness of the procedure we only need the \only if" directionof Theorem 2. Approximation transformations can add new computations and stillbe useful for proving the S-validity of ', at the risk of reporting false counterex-amples.Corollary 1 At any point of the procedure, any computation of S that satis�es:' follows the current falsi�cation diagram Gi.De�nition 8. (fully adequate) An SCS in a falsi�cation diagram G is fully adequatei� there is a computation of S that follows G that eventually remains within thenodes of the SCS.Note that testing whether an SCS is fully adequate may be a non-trivial endeavor;our de�nition of an adequate SCS in Section 4.5 gives su�cient, but not necessary,criteria that can be established incrementally.Theorem 3 There is a computation that follows G if and only if G has a fullyadequate SCS.Proof: The \if" direction is part of the de�nition of fully adequate. For the\only if", consider a computation that follows G, and consider the nodes that occurin�nitely often in G. These must form an SCS.Theorem 4 Any fully adequate SCS in the initial graph must be a subgraph of anSCS in the initial SCS list.Proof: A computation that follows the initial graph must be a model of :'. If anSCS is fully adequate, then it must be an SCS in the underlying temporal tableau,and therefore a subset of one of its MSCS's.Theorem 5 Let G; L be the graph and SCS list before a transformation is applied,and G0; L0 be those afterwards. Then any fully adequate SCS in G that is subgraphof an element of L corresponds to a fully adequate SCS in G0 that is a subgraph ofan element of L0.Proof: If � does not label an edge, then we can be sure that it is not taken whenthat edge is traversed, which justi�es our de�nition of when a transition is not takenin an SCS.Any adequate SCS must be ful�lling, just and compassionate. If an SCS is notful�lling or just, none of its subgraphs is, so this justi�es the unful�lling SCSand unjust SCS rules. For the uncompassionate SCS rule, the removed nodescould not have been used in�nitely often in a computation of S, since the untakentransition is known to be always enabled at that point. Similarly, for the termi-nating SCS rule, the removed edge could not have been traversed in�nitely oftenin a computation of S.The SCS split rule preserves the property since any SCS which is a subgraphof the split SCS must be a subgraph of one of its MSCS's. The other basic rules
DEDUCTIVE MODEL CHECKING 21and the node-splitting rules preserve the computations that follow the graph anddo not split an SCS.The unfold SCS transformation is sound since it preserves the set of computa-tions that follows the graph; that is, if a computation follows the original graph,then it also follows the graph after the SCS has been unfolded. This is clear fromthe construction of the unfolded SCS.We can now conclude the following:Corollary 2 If the list of SCS's becomes empty, then no computation of S sat-is�es :'.6. CompletenessWith the addition of the terminating SCS and unfold SCS transformations, theDMC procedure is complete, as expressed by the following theorem:Theorem 6 If S satis�es ', then a falsi�cation diagram whose SCS list is emptycan be obtained from the initial falsi�cation diagram by a �nite number of trans-formations (possibly using strengthening with invariants and augmentation of theprogram).This completeness result is, as usual, relative to the underlying assertional reason-ing. The proof is adapted from the completeness proof for generalized veri�cationdiagrams [7], and incorporates ideas from [32].De�nition 9. (Deterministic diagram) A falsi�cation diagram G is deterministicif any sequence of states follows at most one path in G.Before we prove the main theorem we present some supporting lemmas.Lemma 1 Let S be an fts and G a falsi�cation diagram. Then there exists amapping acc from nodes to assertions such that s j= acc(N) i� there exists a com-putation segment � : s0; : : : ; sk = s of S and a path segment � : N0; : : : ; Nk = Nin G such that s0 j= �, N0 is an initial node, and � follows �. That is, acc(N)characterizes the states that are accessible at node N .Justi�cation. Such an assertion can always be constructed in an assertion lan-guage that is su�ciently expressive to encode �nite sequences [34].Theorem 7 (from [30]) Let � be a well-founded ordering over a set W. Then thereexists a function � into the ordinals, � :W ! O, such that:(W1) w � w0 implies �(w) > �(w0).(W2) If w � w00 implies w0 � w00 for every w00 2W , then �(w) � �(w0).
22 SIPMA, URIBE AND MANNALemma 2 Let S be an fts and S a reachable SCS in a deterministic falsi�cationdiagram, such that there is no run of S that follows a path that traverses edge etin S in�nitely often. Then there exists a well-founded domain D and a rankingfunction �(n; s), mapping pairs of nodes and states into D, such that:1. for every edge e = hN1; N2i = h(A1; f1); (A2; f2)i and every � 2 e,f1(~x1) ^ f2(~x2) ^ �� (~x1; ~x2)! �(N1; ~x1) � �(N2; ~x2) ;2. for edge et = hN1; N2i = h(A1; f1); (A2; f2)i and for all � 2 et,f1(~x1) ^ f2(~x2) ^ �� (~x1; ~x2)! �(N1; ~x1) � �(N2; ~x2) :Proof: Let � be the order on S ��(~x) given by (Na; ~xa) � (Nb; ~xb) i� there is acomputation segment ~xa; : : : ; ~xb that follows a path Na; : : : ; Nb that traverses et.� is a partial order. It is clearly re exive and transitive. To show that itis also antisymmetric, suppose that (Na; ~xa) � (Nb; ~xb), (Nb; ~xb) � (Na; ~xa) and(Na; ~xa) 6= (Nb; ~xb). By Lemma 1 there exists a computation segment s0; : : : ; ~xathat follows n0; : : : ; Na. But then there exists an in�nite run that follows a pathn0; : : : ; (Na; : : : ; Nb; : : : ; Na�1)!that traverses et in�nitely often, a contradiction.� is well-founded. Suppose that (Na; ~xa) � (Nb; ~xb) � : : : Then, as before, wecan construct a run of S (that goes through ~xa; ~xb; : : :) which follows a path thattraverses et in�nitely often.By Theorem 7, there exists a function � : S ! O that satis�es W1 and W2. Wehave to show that � satis�es conditions 1 and 2.(1) Suppose hN1; N2i 2 S and �� (~x1; ~x2) ^ f1(~x1) ^ f2(~x2). For any (Nc; ~xc),if (N2; ~x2) � (Nc; ~xc) then also (N1; ~x1) � (Nc; ~xc), since if the path N2; : : : ; Nctraverses et then the path N1; : : : ; Nc also traverses et. Thus, by W2, �(N1; ~x1) ��(N2; ~x2).(2) Suppose et = hN1; N2i and f1(~x1)^f2(~x2)^�� (~x1; ~x2) holds. Then (N1; ~x1) �(N2; ~x2), and thus by W1,f1(~x1) ^ f2(~x2) ^ �� (~x1; ~x2)! �(N1; ~x1) � �(N2; ~x2) :Lemma 3 Every terminating SCS S on the list can be reduced to a set of SCS's onthe list that are all strictly smaller than S.Justi�cation. Suppose SCS S is terminating, i.e. there is no run that visits allnodes of S in�nitely often. We consider two cases: (1) If S has a terminating edge,by Lemma 2 there exists a well-founded domain D and a ranking function �(n; s)that justify the application of the terminating SCS transformation, resulting inthe replacement of S by strict subgraphs of S on the list. (2) If S has no terminatingedge, the application of unfold SCS to S results in an SCS S0 that consists of a
DEDUCTIVE MODEL CHECKING 23unidirectional ring of SCS's, each of which is a copy of S minus one node, suchthat the size of each constituent SCS Si is at least one less than the size of theoriginal SCS. By construction, a path that follows the entire ring must visit everynode in the original SCS S. Therefore, none of the edges connecting the Si's canbe taken in�nitely often, and hence they can be removed by the terminating edgetransformation, and S can be replaced by the strictly smaller SCS's Si.Finally, we can now outline the proof of the completeness claim:Proof of Theorem 6: For an fts S and property ', assume S j= '. From aninitial falsi�cation diagram G0 construct a falsi�cation diagram as follows:1. Apply enabled splits (followed by basic transformations) to each node of thediagram to obtain a diagram such that every node of the initial diagram is splitinto 2jT j nodes, one node for each subset of transitions T � T and labeled by�̂2T enabled (�) ^ ^�2T�T :enabled (�) :2. Apply postcondition splits to obtain a diagram in which each edge is labeled byexactly one transition. This assumes that for two transitions �1; �2, post(�1) ^post(�2) is unsatis�able. This may be obtained by augmenting the original tran-sition system with a new variable a and adding to each transition the conjuncta0 = i� , where i� is unique for every transition � . (Clearly, this augmentationwill not a�ect the validity of the property to be proved). Note that the resultingdiagram has the property that each node can be reached by only one transition.3. Strengthen every node of the diagram with acc(N).4. Remove all SCS's that are not ful�lling from the list.5. Repeat application of unfold to terminating SCS's (followed by application ofterminating edge) and removal of unfair SCS's (possibly decomposing the re-maining part of an uncompassionate or terminating SCS into new MSCS's) untilno SCS's can be removed.Claim. The SCS list for the resulting falsi�cation diagram is empty.Justi�cation. Suppose not, i.e., there exists an SCS S that is fair and not ter-minating. From nontermination we can conclude that there exists a run of S thatfollows a path � that visits every node in S in�nitely often. Since S j= ', thisrun cannot be fair. Suppose it is not fair with respect to some just transition � ,that is, � is always enabled beyond a certain point but never taken. This meansthat � cannot label any edge in S, since the run visits every node in S, and by theproperty that each node is reached by only one transition, every transition mustbe taken in order to reach every node. But if � is always enabled beyond a certainpoint then it must be fully enabled at every node of the SCS (because of the way
24 SIPMA, URIBE AND MANNAthe enabled splits were done). But then the SCS is not just and would have beenremoved. A similar argument can be given for a compassionate transition.Note that as with most completeness results, the above is not intended as aguideline to be used in the construction of all proofs, but rather as a indication ofwhat machinery is su�cient to obtain them in the worst case.7. AnalysisAs presented, the model checking procedure constructs the entire formula tableaubefore the exploration of the state space begins. The procedure can be madeincremental in the tableau construction itself. The tableau �' can be exponentialin the size of '; however, properties to be model checked are usually simple, so thetableau is small when compared with the system's state space (even for �nite-statesystems).We can use encapsulation conventions such as those used in veri�cation diagrams[33, 24]: if f1 implies f2, for two nodes (A1; f1) ; (A2; f2), then we can make themsubnodes (A1; f1) and (A2; true) of a larger node labeled with f2.In the case of a temporal safety property ' : 2p, the only ful�lling SCS in thetableau for :' is a trivial one, labeled with true, which follows :p-states. Theveri�cation question then reduces to reachability, where fairness constraints are notrelevant. The basic transformations (1 through 8), together with strengtheningwith auxiliary assertions, are su�cient in this case (the equivalent of the assertiongraph of [3] can be built). If ' is an invariance, the trivial tableau for :' is not ofmuch help; however, for general safety properties (where p is a past formula), thetableau does provide greater constraints on the state-space to be explored.For progress properties, where fairness is relevant, we can incrementally identifytransitions that are known to be enabled and disabled at each node. Similarly, wecan incrementally mark the transitions that are known to be executable at eachedge. Some of this work (but not all) may have to be repeated after each split.Proposition 2 For a �nite-state system S, the exhaustive application of transfor-mations 1{11 terminates, deciding the S-validity of '.Proof: If S is �nite-state, we can use a �nite-state assertion language A withnormal forms (such as that provided by OBDDs). The satis�ability tests requiredat the splitting steps are now all decidable, and there will only be a �nite numberof distinct nodes. Since every transformation reduces the size of the graph orreplaces a node with more speci�c nodes (that is, nodes covering strictly fewerstates), the process must terminate. If the SCS list is empty, the original property' is S-valid; otherwise, any remaining SCS must be adequate, and thus provide acounterexample.In this case, the formulas can be encoded using OBDDs [9] or any other �nite-domain constraint language. Representations that combine OBDDs with otherconstructs can be used if the OBDD size is problematic.
DEDUCTIVE MODEL CHECKING 25In the general case of in�nite-state systems, the model checking problem is un-decidable. Indeed, we are faced with a potentially undecidable satis�ability checkwhen applying many of the DMC transformations. However, the satis�ability testused in the DMC rules does not have to be complete. The available theorem-provingand simpli�cation techniques are not required to give a de�nite answer at any giventime: if the validity of a formula is hard to decide, additional splits can make sub-sequent questions easier. (This was, in e�ect, the approach taken in our example,where formulas were only known to be unsatis�able when STeP's simpli�cationmechanisms reduced them to false .)The specialized constraint languages used in Constraint Logic Programming [26]are usually designed to facilitate such an incremental satis�ability test. Concurrentconstraint programs are reactive programs based on such constraint languages [41],so they may be particularly amenable to our veri�cation framework. We expectconstraint-solving and propagation techniques to play a central role in the deductivemodel checking of large systems, which is yet to be explored in practice.Deductive SupportThe DMC procedure bene�ts from user guidance in two forms (apart from providingranking functions). First, the choice of which re�nement transformation to performnext determines how the state space is explored. Second, the process can be spedup considerably by re�nement steps based on auxiliary formulas provided by theuser, using the general node splitting described in Section 4.1. However, many ofthe steps can be performed automatically, with user guidance required only whenthe size of the falsi�cation diagram becomes a problem. Decision procedures forparticular domains, such as those used in the PVS [37] and STeP [2] systems, arevery useful in this setting.Partial ResultsEven when the model checking e�ort is not completed, the resulting falsi�cationdiagram can be used to restrict the search for a counterexample. As is clear from thesoundness proof of Section 5, at any given point the falsi�cation diagram containsall the possible counterexample computations to the property being checked. Thesystem can be executed (or simulated) following only paths through the falsi�cationdiagram, in the search for a computation that violates the property. Backwardpropagation (possibly approximated|see Section 4.6) can be used to �nd a smallerset of initial states that can generate a counterexample computation. A similarapproach is used in [11] to generate test cases for processor designs.
26 SIPMA, URIBE AND MANNAAcknowledgmentsWe thank Nikolaj Bj�rner, Anca Browne, Michael Col�on, Luca de Alfaro, ArjunKapur and the anonymous reviewers for their comments. We thank Luca de Alfarofor pointing out a aw in an earlier version of the completeness proof.References1. G. Bhat, R. Cleaveland, and O. Grumberg. E�cient on-the- y model checking for CTL*. InProc. 10th IEEE Symp. Logic in Comp. Sci., pages 388{397, 1995.2. N.S. Bj�rner, A. Browne, E. Chang, M. Col�on, A. Kapur, Z. Manna, H.B. Sipma, and T.E.Uribe. STeP: Deductive-algorithmic veri�cation of reactive and real-time systems. In Proc.8th Intl. Conference on Computer Aided Veri�cation, volume 1102 of LNCS, pages 415{418.Springer-Verlag, July 1996.3. N.S. Bj�rner, A. Browne, and Z. Manna. Automatic generation of invariants and intermediateassertions. Theor. Comp. Sci., 173(1):49{87, February 1997.4. N.S. Bj�rner, M.E. Stickel, and T.E. Uribe. A practical combination of �rst-order reasoningand decision procedures. In 14th Intl. Conference on Automated Deduction, volume 1249 ofLNCS, pages 101{115. Springer-Verlag, July 1997.5. A. Bouajjani, J-C. Fernandez, and N. Halbwachs. Minimal model generation. In Proc. 2ndIntl. Conference on Computer Aided Veri�cation, volume 531 of LNCS, pages 197{203, 1990.6. J. C. Brad�eld. Verifying Temporal Properties of Systems. Birkh�auser, 1992.7. A. Browne, Z. Manna, and H.B. Sipma. Generalized temporal veri�cation diagrams. In 15thConference on the Foundations of Software Technology and Theoretical Computer Science,volume 1026 of LNCS, pages 484{498. Springer-Verlag, 1995.8. A. Browne, Z. Manna, and H.B. Sipma. Hierarchical veri�cation using veri�cation diagrams.In 2nd Asian Computing Science Conf., volume 1179 of LNCS, pages 276{286. Springer-Verlag, December 1996.9. R.E. Bryant. Graph-based algorithms for Boolean function manipulation. IEEE Transactionson Computers, C-35(8):677{691, August 1986.10. J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, and L.J. Hwang. Symbolic model check-ing: 1020 states and beyond. In Proc. 5th IEEE Symp. Logic in Comp. Sci., pages 428{439.IEEE Computer Society Press, 1990.11. A.K. Chandra, V.S. Iyengar, R.V. Jawalekar, M.P. Mullen, I. Nair, and B.K. Rosen. Archi-tectural veri�cation of processors using symbolic instruction graphs. In Intl. Conference onComputer Design: VLSI in Computers and Processors, pages 454{459. IEEE Press, 1994.12. E.M. Clarke and E.A. Emerson. Design and synthesis of synchronization skeletons usingbranching time temporal logic. In Proc. IBM Workshop on Logics of Programs, volume 131of LNCS, pages 52{71. Springer-Verlag, 1981.13. P. Cousot and R. Cousot. Abstract interpretation: A uni�ed lattice model for static analysisof programs by construction or approximation of �xpoints. In 4th ACM Symp. Princ. ofProg. Lang., pages 238{252. ACM Press, 1977.14. W. Damm, O. Gr�umberg, and H. Hungar. What if model checking must be truly symbolic. InFirst Intl. Workshop on Tools and Algorithms for the Construction and Analysis of Systems(TACAS 95), volume 1019 of LNCS, pages 230{244. Springer-Verlag, May 1995.15. D. Dams, R. Gerth, and O. Gr�umberg. Abstract interpretation of reactive systems. ACMTransactions on Programming Languages and Systems, 19(2):253{291, 1997.16. D.R. Dams. Abstract Interpretation and Partition Re�nement for Model Checking. PhDthesis, Eindhoven University of Technology, Eindhoven, July 1996.17. D.R. Dams, R. Gerth, G. D�ohmen, R. Herrmann, P. Kelb, and H. Pargmann. Model checkingusing adaptive state and data abstraction. In Proc. 6th Intl. Conference on Computer AidedVeri�cation, volume 818 of LNCS, pages 455{467. Springer-Verlag, June 1994.18. D.R. Dams, O. Gr�umberg, and R. Gerth. Generation of reduced models for checking frag-ments of CTL. In Proc. 5th Intl. Conference on Computer Aided Veri�cation, volume 697of LNCS, pages 479{490. Springer-Verlag, June 1993.
DEDUCTIVE MODEL CHECKING 2719. L. de Alfaro and Z. Manna. Temporal veri�cation by diagram transformations. In Proc.8th Intl. Conference on Computer Aided Veri�cation, volume 1102 of LNCS, pages 287{299,July 1996.20. L. de Alfaro, Z. Manna, H.B. Sipma, and T.E. Uribe. Visual veri�cation of reactive systems.In Third Intl. Workshop on Tools and Algorithms for the Construction and Analysis ofSystems (TACAS 97), volume 1217 of LNCS, pages 334{350. Springer-Verlag, April 1997.21. J. Dingel and T. Filkorn. Model checking of in�nite-state systems using data abstraction,assumption-commitment style reasoning and theorem proving. In Proc. 7th Intl. Conferenceon Computer Aided Veri�cation, volume 939 of LNCS, pages 54{69, July 1995.22. L. Fix and O. Gr�umberg. Veri�cation of temporal properties. J. Logic and Computation,6(3):343{362, 1996.23. S. Graf and H. Saidi. Construction of abstract state graphs with PVS. In Proc. 9th Intl.Conference on Computer Aided Veri�cation, volume 1254 of LNCS, pages 72{83. Springer-Verlag, June 1997.24. D. Harel. Statecharts: A visual approach to complex systems. Technical Report CS84-05,Dept. of Applied Mathematics, Weizmann Institute of Science, 1984.25. H. Hungar. Combining model checking and theorem proving to verify parallel processes.In Proc. 5th Intl. Conference on Computer Aided Veri�cation, volume 697 of LNCS, pages154{165. Springer-Verlag, 1993.26. J. Ja�ar and J.-L. Lassez. Constraint logic programming. In Proc. 14th ACM Symp. Princ.of Prog. Lang., pages 111{119, January 1987.27. Y. Kesten, Z. Manna, H. McGuire, and A. Pnueli. A decision algorithm for full propositionaltemporal logic. In Proc. 5th Intl. Conference on Computer Aided Veri�cation, volume 697of LNCS, pages 97{109. Springer-Verlag, 1993.28. R. Kurshan and L. Lamport. Veri�cation of a multiplier: 64 bits and beyond. In C. Cour-coubetis, editor, Proc. 5th Intl. Conference on Computer Aided Veri�cation, volume 697 ofLNCS, pages 166{179. Springer-Verlag, 1993.29. L. Lamport. A new solution of Dijkstra's concurrent programming problem. Communicationsof the ACM, 17(8):435{455, 1974.30. D. Lehmann, A. Pnueli, and J. Stavi. Impartiality, justice and fairness: The ethics ofconcurrent termination. In Proc. 8th Int. Colloq. Aut. Lang. Prog., volume 115 of LNCS,pages 264{277. Springer-Verlag, 1981.31. C. Loiseaux, S. Graf, J. Sifakis, A. Bouajjani, and S. Bensalem. Property preserving abstrac-tions for the veri�cation of concurrent systems. Formal Methods in System Design, 6:1{35,1995.32. Z. Manna and A. Pnueli. Completing the temporal picture. Theor. Comp. Sci., 83(1):97{130,1991.33. Z. Manna and A. Pnueli. Temporal veri�cation diagrams. In Proc. Int. Symp. on TheoreticalAspects of Computer Software, volume 789 of LNCS, pages 726{765. Springer-Verlag, 1994.34. Z. Manna and A. Pnueli. Temporal Veri�cation of Reactive Systems: Safety. Springer-Verlag,New York, 1995.35. K.L. McMillan. Symbolic Model Checking. Kluwer Academic Pub., 1993.36. J.S. Ostro�. A visual toolset for the design of real-time discrete event systems. IEEE Trans.on Control Systems Technology, May 1997.37. S. Owre, S. Rajan, J.M. Rushby, N. Shankar, and M. Srivas. PVS: Combining speci�cation,proof checking, and model checking. In Proc. 8th Intl. Conference on Computer AidedVeri�cation, volume 1102 of LNCS, pages 411{414. Springer-Verlag, July 1996.38. A. Pnueli and E. Shahar. A platform for combining deductive with algorithmic veri�cation.In Proc. 8th Intl. Conference on Computer Aided Veri�cation, volume 1102 of LNCS, pages184{195. Springer-Verlag, 1996.39. J.P. Queille and J. Sifakis. Speci�cation and veri�cation of concurrent systems in CESAR. InM. Dezani-Ciancaglini and U. Montanari, editors, Intl. Symposium on Programming, volume137 of LNCS, pages 337{351. Springer-Verlag, 1982.40. S. Rajan, N. Shankar, and M.K. Srivas. An integration of model checking with automatedproof checking. In Proc. 7th Intl. Conference on Computer Aided Veri�cation, volume 939of LNCS, pages 84{97, July 1995.
28 SIPMA, URIBE AND MANNA41. V.A. Saraswat. Concurrent Constraint Programming. MIT Press, 1993.42. H.B. Sipma, T.E. Uribe, and Z. Manna. Deductive model checking. In Proc. 8th Intl.Conference on Computer Aided Veri�cation, volume 1102 of LNCS, pages 208{219. Springer-Verlag, 1996.43. O.V. Sokolsky and S.A. Smolka. Local model checking for real-time systems. In Proc. 7thIntl. Conference on Computer Aided Veri�cation, volume 939 of LNCS, pages 211{224, July1995.44. F.A. Stomp, W.-P. de Roever, and R.T. Gerth. The �-calculus as an assertion language forfairness arguments. Inf. and Comp., 82:278{322, 1989.
