Software model checking based on game semantics and CSP

http://wrap.warwick.ac.uk/

Original citation:

Dimovski, A. and Lazic, Ranko (2004) Software model checking based on game

semantics and CSP. University of Warwick. Department of Computer Science.

(Department of Computer Science Research Report). CS-RR-403

Permanent WRAP url:

http://wrap.warwick.ac.uk/61318

Copyright and reuse:

The Warwick Research Archive Portal (WRAP) makes this work by researchers of the

University of Warwick available open access under the following conditions. Copyright ©

and all moral rights to the version of the paper presented here belong to the individual

author(s) and/or other copyright owners. To the extent reasonable and practicable the

material made available in WRAP has been checked for eligibility before being made

available.

Copies of full items can be used for personal research or study, educational, or

not-for-profit purposes without prior permission or charge. Provided that the authors, title and

full bibliographic details are credited, a hyperlink and/or URL is given for the original

metadata page and the content is not changed in any way.

A note on versions:

Software Model Cheking Based on

Game Semantis and CSP

1

Aleksandar Dimovski and Ranko Lazi

Department of Computer Siene

University of Warwik Coventry CV4 7AL,UK

Abstrat

We present an approah for software model heking based on game semantis

and CSP.OpenprogramfragmentsareompositionallymodelledasCSPproesses whihrepresenttheirgamesemantis. Thistranslationisperformedbyaprototype ompiler. Observational equivalene and veriation of properties are heked by

traesrenementusingtheFDRtool. Theeetivenessofourapproahisevaluated on several examples.

Key words: Softwaremodel heking, Gamesemantis,CSP

proessalgebra, FDR renement heker

1 Introdution

Modelheking[6℄ isa system veriation tehnique based onsemantis: the

verierhekswhetherthesemantisofagivensystemsatisessomeproperty.

It has gained industrial aeptane beause, in ontrast to the approahes of

simulation,testingandtheoremproving,modelhekingoersautomatiand

exhaustive veriation, and italsoreports ounter-examples.

Thesuess of modelhekinghas been mainlyfor hardware and

ommu-niationprotools. Reently,modelhekingofsoftware hasbeomeanative

and importantarea of researh and appliation (e.g. [5℄). Unfortunately,

ap-plying model heking to software is ompliated by several fators, ranging

fromthe diÆulty tomodelprograms, due totheomplexityof programming

languages as ompared to hardware desription languages, to diÆulties in

speifying meaningful properties of software using the usual temporallogial

formalisms. Another reason is the state explosion problem: industrial

pro-grams are large and modelheking is omputationallydemanding.

1

Weaknowledgesupport bytheEPSRC(GR/S52759/01). Theseond author wasalso supportedbytheIntelCorporation.

Manyof the problems aboveare due todiÆulties inobtainingsound and

omplete semantimodels ofsoftware and expressing suh models inan

algo-rithmifashionsuitableforautomatianalysis. Gamesemantishas potential

tooverome theseproblems, sine ithas produedthe rst aurate, i.e.fully

abstrat and fully omplete, models for a variety of programming languages

and logial systems (e.g. [1℄). Reently, it was shown that the fully abstrat

game-basedmodelofseond-order nitaryIdealisedAlgol(i.e.withnitedata

typesandwithoutreursion)with iterationanberepresentedusingonly

reg-ular expressions [10℄,and that this an beused for eÆient programanalysis

and veriation [3℄.

Gamesemantishasseveralverysuitablefeaturesforsoftwaremodel

hek-ing. It produes observationally fully abstrat models with a maximum level

ofabstration,sineinternalstatehangesduringomputationareabstrated

away. It an ompositionally modelterms-in-ontext, i.e. open program

frag-ments. Thisabilityisessentialinanalysingpropertiesofsoftwareomponents

whih ontain undened(free) variablesand proedures.

We present an approah for ompositional software modelling and

veri-ation, based on game semantis and the CSP proess algebra (e.g. [15℄).

We fous on seond-order nitary Idealised Algol with iteration. The game

semantis of any term-in-ontext is represented as a CSP proess.

Observa-tional equivalene between terms, and veriation of regular properties, are

deidable by hekingtraes renement between CSP proesses.

Comparedwith the regular expressions approah[10℄,this CSP based

ap-proah oers several benets. Using the wide range of operators available in

CSP,programtermsarerepresented asproessesinalear andompositional

way. The proess whihmodels a term isdened asa parallelomposition of

proesses whih model its subterms, with synhronisation events being

hid-den. Traes renement between CSP proesses an be automatially heked

by the FDR tool [9℄, whih is highly optimised for veriation of parallel

networks of proesses. FDR also oers a range of ompositional state-spae

redution algorithms[14℄, enabling smaller models to be generated before or

during renement heking.

We have implemented a prototype ompiler whih, given any

term-in-ontext, outputs a CSP proess representing its game semantis. The output

an beloadedintothe ProBetoolforinterativeexploration,orthe FDRtool

for automati analysis. FDR alsoontains aninterative debugger, when the

answer toa renement query isnegative.

Eetivenessofour approahisevaluatedonseveral variantsoftwo

exam-ples: a sorting algorithm, and an abstrat data type implementation. Some

of the experimentalresults showthat, for minimalmodelgeneration, we

out-perform the approahbased on regularexpressions [3℄.

The paper is organised as follows. Setions 2and 3 briey reall the

pro-gramming language, the CSP representation of its game semantis, and

ompanion paper [7℄ whih onentrates on theory, whereas this paper is

de-voted to appliations and property veriation. Setion 4 shows how

proper-ties given inalineartemporallogionnitetraes,orasniteautomata, an

beveried. In Setions5and 6,wepresentthe ompilerandtwoasestudies.

2 The programming language

The input to our ompiler is a term-in-ontext of seond-order nitary

Ide-alised Algol with iteration. Idealised Algol [12℄ is a ompat programming

language, similar to Core ML, whih ombines the fundamental features of

imperative languages with afull higher-order proeduremehanism.

The languagehas basi data types , whih are the booleans and a nite

subset of the integers. The phrase types of the language are expressions,

ommands and variables,plus rst-order funtion types.

::= int j bool

::= exp[℄ j omm j var[℄

::= j !

Terms are introdued using type judgements of the form ` M : , where

=f 1

: 1

;; k

: k

g.

Expression-typeterms arebuilt fromonstantsandarithmeti/logi

oper-ators (E 1

E 2

). Command-type terms are built by the standard imperative

operators: assignment (V := E), onditional (if B then M 1

else M 2

), while

loop(whileBdoC),sequening (C o 9

M,notethatommandsanbesequened

not onlywithommandsbut alsowithexpressions orvariables),no-op(skip),

and a non-terminating ommand (diverge). There are also term formers for

dereferening variables (!V), appliation of rst-order free identiers to

ar-guments(M 1

M k

), loalvariabledelaration(new[℄in C),and funtion

denition onstrutor (let ( 1

: 1

;:::; k

: k

) = N in M). Full typing

rules an befound in[7℄.

3 The CSP model

Here we reallthe main propertiesof the CSP representation of game

seman-tis of program terms. The details of this representation and some examples

an be found in [7℄. An introdution togame semantis is availablein [2℄. A

omprehensivetext onCSP is[15℄.

3.1 Interpretations of types and terms

With eah type , we assoiate a set of possible events, the alphabet A

.

The alphabet of a type ontains events q 2 Q

appended to hannel with name Q, and for eah question q, there isa set of

eventsa2A q

alledanswers, whihare appendedto hannel with nameA.

A int

=f0;;N max

1g; A bool

=ftrue;falseg

Q exp[℄

=fqg; A q exp[℄ =A Q o mm

=frung; A run om m

=fdoneg

Q var[℄

=fread;write:x j x 2A

g; A read va r[℄

=A

; A w rite:x var[℄

=fokg

Q 1 k ! 0

=fj:q j q2Q

j

;0j kg;

A j:q 1 k ! 0

=fj:a j a2A q j

g; for 0j k

A =Q:Q [A: S q2Q A q

We interpret any typed term-in-ontext ` M : by a CSP proess

[[ `M :℄℄ CSP

whoseset of terminated traes

L CSP

( `M :)=ft j tbhXi2traes([[ `M :℄℄ CSP

)g

is the set of all omplete plays of the game strategy for the term. Events of

this proess are from the alphabetA `

,dened as:

A :

=:A

=f: j 2A g A = S :2 A : A `

=A [A

The ompositional denition of the proesses [[ ` M : ℄℄ CSP

is given in

Appendix A.

3.2 Observationalequivalene

Two terms M and N are observationally equivalent,written M

N, if and

only iffor any ontextC[ ℄ suh that both C[M℄and C[N℄ are losedterms

of type omm, C[M℄ onverges if and only if C[N℄ onverges. It was proved

in [1℄ that this oinides toequality of sets of omplete plays of strategies for

M and N, i.e.that the games modelis fully abstrat.

Fortheprogramminglanguagefragmenttreatedinthispaper,itwasshown

in [7℄ that observational equivalene isaptured by two traes renements:

Theorem 3.1 (Observational equivalene) We have:

`M

N , [[ `M :℄℄ CSP 2 RUN A ` v T

[[ `N :℄℄ CSP

^

[[ `N :℄℄ CSP 2 RUN A ` v T

[[ `M :℄℄ CSP (1)

where RUN A

=?x :A!RUN A

. 2

Itisalsoproved in[7℄thattheproessrepresentinganytermisnitestate,

and so observational equivalene isdeidable using FDR.

4 Property veriation

In additionto heking observational equivalene of two program terms, itis

` M : , the CSP proess [[ ` M : ℄℄ CSP

has the property that its set of

terminated traes

L CSP

( `M :)=ft j tbhXi2traes([[ `M :℄℄ CSP

)g

is the set of all omplete plays of the strategy for ` M : . We therefore

fous onproperties ofnite traes, and takethe viewthat `M : satises

suh a property if and only if alltraes in L CSP

( `M :) satisfyit.

4.1 Linear temporal logi

Astandardwayofwritingpropertiesoflinearbehaviours isbylineartemporal

logi. Given anite set , we onsider the followingformulas. In addition to

propositional onnetives, linear logi ontains the temporal operators

`next-time' and `until'.

::= true j a 2 j : j 1

_ 2

j j

1 U

2

We all this logi LTL f

, beause we give it semantis over nite traes (i.e.

sequenes) ofelementsof. Inpartiular,formulasa,and 1

U 2

require

the trae tobe non-empty. Forany trae t of length k, wewrite its elements

as t 1

, ..., t k

, and we write t i

for its i th

suÆx ht i

;:::;t k

i.

t j=true

t j=a i t 6=hi and t 1

=a

t j=: i t 6j=

t j= 1

_ 2

i t j= 1

ort j= 2

t j= i t 6=hi and t 2

j=

t j= 1

U 2

i there exists i 2f1;:::;jt j+1gsuh that t i

j= 2

and for all j 2f1;:::;i 1g; t j

j= 1

The boolean onstant false, and boolean operators suh as ^ and ! an

bedened asabbreviations. Thesameistrueofthetemporaloperators

`even-tually'and `always':

3=trueU 2=:3:

Dualsof the `next-time'and `until'operators are alsouseful:

=::

1 V

2

=:(: 1

U: 2

)

Their semantis isas follows:

t j= i t =hi ort 2

j=

t j= 1

V 2

i eitherfor all i 2f1;:::;jt j+1g; t i

j= 2

;

orthere exists i 2f1;:::;jt j+1gsuh that t i

j= 1

and for allj 2f1;:::;ig; t j

Q.run

b.Q.q

A.done

_ü

C.Q.run

b.A.true

b.A.false

C.A.done

Fig.1. Modelof whilebdoC

A term `M : satises a formula of LTL A

` f

if and only if for every

trae t 2L CSP

( `M :),t j=.

Example 4.1 Consider the following term:

b :bool; C :omm ` whilebdoC :omm

The transitionsystem of the CSP proess for this term is shown in Figure1.

Sine both b and C are free identiers, the suessfully terminated traes of

this proess are all those orresponding to exeuting C zero or more times

while the value of b istrue, and nishingwhen the value of b is false.

Therefore, this term satises 3b:A:false, but does not satisfy 3C:Q:run.

It also satises 2(b:A:true ! 3C:Q:run), but does not satisfy 2(b:Q:q !

3C:Q:run).

Thereis analgorithmwhih, given any formula of LTL f

, onstruts:

aCSP proess P

suh that t j= if and onlyif tbhXi2traes(P

);

anite transition system whih has the same nitetraes as P .

This issimilar toonstrutinga niteautomaton whih aepts anite trae

t if and onlyif t j=. The details an be found inAppendix B.

We therefore have a deision proedure whih, given a program term

` M : and a formula of LTL A

` f

, heks satisfation. It works by

onstruting the CSP proesses [[ `M :℄℄ CSP

and P A

`

, and heking the

traes renement

2

P A

`

2RUN A

` v

T

[[ `M :℄℄ CSP (2)

4.2 Finite automata

More generally,anypropertysuhthatthe setofallnitetraeswhihsatisfy

it is regular, an be represented in CSP. Suppose A is an automaton with

nite alphabet , nite set of states Q, transition relation T Q Q,

initial states Q 0

Q, and aepting states F Q. For any q 2 Q nF, we

2

IfontainstheU operator,thestandardFDRproedure foronstrutingatransition system for P

A `

may not terminate. In this ase, the traes renement above an be heked by FDR either byrepresenting asa CSP proess the nite transition systemfor P

A `

b

a,c

a,b,c

Fig. 2. Aniteautomaton

dene

P q

= 2

(q;a;q 0

)2T

a !P q

0

For any q 2F, we dene

P q

=( 2

(q;a;q 0

)2T

a !P q

0

)2SKIP

This is a validsystem of reursive CSP proess denitions, sowe an let

P A

= 2

q2Q 0

P q

We then have that P A

has nitely many states and

t is aepted by A i tbhXi2traes(P A

)

Example 4.2 Consider the automaton A in Figure 2, whose alphabet is

fa;b;g. It aepts anite trae t if and onlyif t j=3b.

The CSP proess P A

is dened as:

P A

=P 1

P 1

=(a !P 1

)2(b !P 2

)2( !P 1

)

P 2

=(a !P 2

)2(b !P 2

)2( !P 2

)2SKIP

Therefore,givenaprogramterm `M : andaniteautomatonAwith

alphabet A `

, we an deide whether A aepts eah omplete play of the

strategy for `M : by heking (e.g. using FDR)the traesrenement

P A

2RUN A

` v

T

[[ `M :℄℄ CSP (3)

This also provides another way of deiding satisfation of a formula of

LTL A

` f

: onstrut anite automatonA whihaepts a nitetrae t if and

only if t j=, and then hek the traes renement above.

5 Compiler

We have implemented a ompiler in Java [4℄, whih automatially onverts

a term-in-ontext(i.e. anopen program fragment) into a CSP proess whih

representsitsgamesemantis. Theinputisode,withsimpletypeannotations

to indiate sizes of nite integer data types. The resulting CSP proess is

dened byasript inmahine-readableCSP[15℄whihthe ompileroutputs.

Thesriptsoutputby theompileranbeloadedintothetoolsProBEfor

interativeexplorationoftransitionsystems, andFDRforautomati analysis

and interativedebugging [9℄. One of the funtions of FDRis tohek traes

used to deide observational equivalene between two terms (1), satisfation

of a lineartemporallogi formula(2),and ontainmentin aregular language

(3).

FDRoersanumberofhierarhialompressionalgorithms,whihanbe

applied during either model generation or renement heking. The sripts

whihour ompilerprodues normallyontain instrutions toapply diamond

eliminationand strongbisimulation quotienting to subproesses whih model

loalvariabledelarationsubterms. Thisexploitsthefatthatgamesemantis

hidesinterationsbetween aloalvariableand thesubterm whihisitssope.

These interationsbeomesilent(i.e.)transitions, enablingthemodeltobe

redued.

Insteadof theinnitedata type ofallintegers,the programminglanguage

fragmentonsidered inthis paperhas nite datatypes. We workwith sets of

integers modulo k. Eah integer variable is delared to be of type int%k for

somek,anddierentvaluesofk anbeusedfordierentvariables. Operations

betweenvariableswith distintintegertypesint%k1 and int%k2 are interpreted

as modulo the minimum of k 1

and k 2

.

6 Appliations

We now onsider appliation of the approah proposed above and disuss

experimental results for two kinds of examples: a sorting algorithm,and an

abstrat data type implementation.

6.1 A sorting algorithm

In this setion we analyse the bubble-sort algorithm, whose implementation

is given in Figure3. The ode inludesa meta variable n, representing array

size, whihwillbereplaed by several dierent values. The integers storedin

the array are of type int%3 , whih onsists of values 0, 1 and 2. The type of

index i isint%n+1 , i.e.one more than the size of the array.

The implementation of bubble-sort is standard. The programrst opies

the inputarrayx[℄intoaloalarraya[℄,whihisthensortedandopiedbak

intox[℄. Thearraybeingeetivelysorted,a[℄,isnotvisiblefromtheoutside

of the programbeause it isloallydened, and onlyreads and writes of the

non-loal array x[℄ are seen in the model. A transition system of the model

CSP proess for n = 2 is shown in Figure 4. The left-hand half represents

readsofallpossibleombinationsofvaluesfromx[℄,whilethe right-handhalf

represents writes of the same values in sortedorder.

Table 1 ontains the experimental results for minimal model generation.

The experiment onsisted of running the ompiler on the bubble-sort

imple-mentation,andthenlettingFDRgenerateatransitionsystemfortheresulting

proess. The latter stage involved a number of hierarhial ompressions, as

x[n℄ : varint%3 `

newint%3a[n℄in newint%n+1 i in

while(i <n) fa[i℄:=x[i℄; i :=i +1; g

newbool ag :=true in while(ag)f

i :=0; ag :=false;

while(i <n 1) f if (a[i℄>a[i+1℄) f

ag :=true;

new int%3temp in temp :=a[i℄; a[i℄:=a[i+1℄;

a[i+1℄:=temp; g i :=i+1; g g

i :=0;

while(i <n) fx[i℄:=a[i℄; i :=i +1; g :omm

Fig.3. Implementationof bubblesort

Q.run

x.0.Q.q

x.0.A.1

A.done

_ü

x.1.Q.q

x.1.A.0

x.1.A.1

x.1.A.2

x.1.A.2

x.1.A.1

x.1.A.0

x.1.A.1

x.1.A.0

x.1.A.2

x.0.Q.write.2

x.0.Q.write.1

x.0.Q.write.0

x.0.Q.write.1

x.0.Q.write.0

x.0.Q.write.0

x.0.A.ok

x.0.A.ok

x.0.A.ok

x.1.Q.q

x.1.Q.q

x.0.A.2

x.0.A.0

x.1.Q.write.2

x.1.Q.write.0

x.1.Q.write.1

x.1.A.ok

Fig. 4. Transition systemof themodelforn =2

largestgeneratedtransitionsystem,andthesizeofthenaltransitionsystem.

We ran FDR on a Researh Mahines 2.5 GHz Xeon with 2GB RAM. The

results from the tool based on regular expressions were obtained on a

Sun-Blade 100 with 2GB RAM [3℄. The results onrm that the two approahes

give isomorphi models, where the CSP models have an extra state due to

representing termination by a X event.

Furtherinformationabout minimalmodelgeneration for n =20is shown

inFigure5. FDRrst produesatransitionsystem forthesubprogramwhih

isthesopeofthedelarationoftheloalarraya[℄. Eahomponentofa[℄has

anindexfrom0to19andisrepresentedbyaproesswhihkeepsitsvalue,and

Table 1

Experimentalresultsforbubble-sortminimalmodel generation

n CSP Regular expressions

Time(m) Max. st. Modelst. Time (m) Max. st. Model st.

5 6 1775 164 5 3 376 163

10 20 18 752 949 10 64776 948

15 50 115 125 2 859 120 352 448 2858

20 110 378 099 6 394 240 1 153 240 6393

30 750 5204 232 20339 failed

0

50,000

100,000

150,000

200,000

250,000

300,000

350,000

400,000

a.1

a.3

a.5

a.7

a.9

a.11

a.13

a.15

a.17

a.19

Before compression

After compression

Fig.5. Eetsof ompressionsforbubblesort withn =20

taking thetransitionsystem forthesopeofa[℄and omposingit(by parallel

omposition and hiding) with transition systems for the omponents of a[℄

in turn. At eah step, ompression algorithms are applied. In the gure, we

show numbers of states beforeand after ompression, afterevery twosteps.

WeexpetFDRtoperformeven betterinpropertyveriation. For

hek-ing renement by a omposite proess, FDR does not need to generate an

expliit modelof it, but only models of its omponent proesses. A modelof

the omposite proess is then generated on-the-y, and its size is not limited

by available RAM, but by disk size.

6.2 An abstrat data type implementation

Figure6ontainsanimplementationofaqueueofmaximumsize n asa

iru-lar array. There are four free identiers: ommands empty() and overow(),

empty():omm;

overow():omm; p :exp int%m;

ANALYSE(omm;exp int%m) : omm `

new int%m buer[n℄in new int%n front in new int%n tail in

new int%n+1 queue size in

let exp bool isempty() freturnqueue size ==0; g in let exp bool isfull() freturnqueue size==n; g in let omm add(exp int%m x) f

if (isfull())overow(); else f

buer[tail℄:=x;

tail :=tail+1;

queue size :=queue size+1; g g in

let exp int%m next() f if (isempty()) f

empty();

return 0; g else f

front :=front+1;

queue size :=queue size 1; return buer[front 1℄; g g in

ANALYSE(add(p);next()) :omm

Fig. 6. A queue implementation

takes two arguments. After implementing the queue by a sequene of loal

delarations,weexportthefuntionsadd andnext byallingANALYSE with

arguments add(p)and next(). Game semantis willthereforegiveusa model

whih ontains all interleavings of alls to add(p) and next(), orresponding

to allpossible behaviours of the non-loalfuntion ANALYSE. Sine the

ex-pression p is also non-loal, the value of p an be dierent eah time add is

alled. The queue implementationuses the non-loalommands empty()and

overow()forhandlingalls tonext onthe empty queue, respetivelyadd on

a full queue.

Atransitionsystem ofthe modelCSP proessfor adata set ofsize m =1

and maximumqueue size n =2isshown inFigure7. Forlarity,labelsADD

and NEXT are used insteadof ANALYSE:1and ANALYSE:2.

Table 2 ontains results for minimal model generation for a data set of

size m = 3 and several maximum queue sizes. For maximum size n = 10,

further information is displayed in Figure 8. Similar to the orresponding

ü

Q.run

ANALYSE.0

.Q.q

ANALYSE.0

.A.done

A.done

NEXT

.Q.q

empty.0.Q.run

empty.0.A.done

NEXT

.A.0

ADD.Q.run

p.Q.read

p.A.0

_ADD.A.done

NEXT

.Q.q

ANALYSE.0

_.A.done

ADD.Q.run

p.Q.read

p.A.0

_ADD.A.done

ADD.Q.run

overflow.0.Q.run

overflow.0.A.done

NEXT

.Q.q

NEXT

.A.0

ANALYSE.0

.A.done

Fig.7. Transition systemof themodelforn =2and m =1

Table 2

Experimentalresultsforqueue minimalmodelgenerationwithm =3

n Time Modelstates Max. states

2 5 se 70 237

5 18se 1825 12351

10 80 min 442 870 5225 757

0

1,000,000

2,000,000

3,000,000

4,000,000

5,000,000

buf.0 buf.1 buf.2 buf.3 buf.4

buf.5 buf.6 buf.7 buf.8 buf.9

Before compression

After compression

Fig.8. Eets ofompressions forqueue implementationwithn =10

after ompression,when transitionsystems for omponentsof the loalarray

buer[℄ are omposed in turn with the transition system for the rest of the

program.

Using the tehniques in Setion 4, we an hek a range of properties

of the queue implementation. For example, linear temporal logi

Table 3

Experimentalresultsforveriation ofproperties(s=se, m=min)

n :3empty :3overow

not min. model min. model not min. model min. model

10 67s+46s+0s 67s+80m+0s 50s+46s+97s 50s+80m+0s

12 103s+61s+0s failed 77s+61s+18m failed

13 127s+70s+0s failed 93s+70s+58m failed

writes to full queues and reads from empty queues are never alled. As

ex-peted, heking them returns that they are not satised. Counter-example

traes whih the FDR debugger gives orrespond to n +1 onseutive alls

of ADD after whih overow is alled, and a single NEXT all after whih

empty is alled.

Speially, the CSP proess P :3empty

, where is the alphabet of events

for the queue implementationterm, isequivalent to

p(?w :nfjempty jg!p) 2 SKIP

Cheking the traes renement (2) on FDR produes the following

ounter-example trae:

1 Q:run 6 NEXT:A:0

2 ANALYSE:0:Q:run 7 ANALYSE:0:A:done

3 NEXT:Q:q 8 A:done

4 empty:0:run 9 X

5 empty:0:done

Table 3 shows some experimental results for heking the two formulas.

We ompared renement heking without rst generating a minimal model

against renement heking preeded by minimal model generation. In the

formerase,ompressionsarenotappliedwhenomponentsofthearraybuer

are omposed with the rest of the program. Instead, a omposite model is

generated on-the-yduringrenement heking. Thisenabledustohek the

two properties up to maximum queue size n = 13, whereas minimal model

generation did not sueed for n > 10. The times shown are sums of times

whih FDR took to proess the speiation, to proess the implementation,

and to perform the renement hek.

Inadditiontohekingpropertiesofexternalbehavioursofgiventerms,we

anhekassertions whihrefertointernaldata. Assertionsanbeaddedtoa

term usinga loalfuntionassert whoseargument isabooleanexpression. If

the argumentis true, the assert funtion does nothing,but otherwise it alls

a non-loal funtion error. In the game semantis of the augmented term,

any ourrene ofevents error:0:run anderror:0:done represents anassertion

violation.

Forexample,wean hek that wheneveravaluey isaddedtothe queue,

andthenallitemsexeptoneareremoved fromthequeue, theremainingitem

Figure 6by the followingode:

let omm assert(exp bool b) f if b then skip;

else error();

g in

let exp bool validate() f new int%n y in y =p;

add(y);

while (queue size>1) next();

return (next()==y); g in

ANALYSE(add(p);next();assert(validate())) :omm

where error() and ANALYSE(omm;int%n;omm) are non-loalommands.

We then hek whether this modied queue implementation satises the

property :3error. We performed this on FDR for a data set of size m = 2

and for maximum queue size n = 2. As expeted, a ounter-example trae

was produed, showing that this partiular assertion is violated after n alls

of ADD, i.e. when the queue is full. When the assertion is orreted so that

it applies onlytonon-full queues, the hek sueeds.

7 Conlusion

In thispaper, weextended the approahtosoftware modelhekingproposed

in [7℄ to heking properties given as formulas of linear temporal logi or as

nite automata, and we evaluated it on two kinds of examples: a sorting

algorithm,and an abstrat data type implementation.

The experimental results show that open program fragments with large

internalstate spaes an be veried, partly due toeÆieny of the FDRtool

for on-the-y heking of parallel networks of proesses. They alsoshow that

this approahan outperform the approah based onregular expressions [3℄.

As future work, we intend to extend the ompiler so that parameterised

programterms(suhas parametriallypolymorphiprograms)are translated

tosingleparameterisedCSPproesses. Suhproessesouldthenbeanalysed

by tehniques whih ombine CSP and data speiation formalisms (e.g.

[8,13℄) orby algorithmsbased ondata independene [11℄.

Referenes

[2℄S.Abramsky, Algorithmi game semantis: A tutorial introdution, Leture notes, Marktoberdorf International SummerShool, 2001.

[3℄S.Abramsky,D.Ghia,A.MurawskiandC.-H.L.Ong,ApplyingGameSemantis to Compositional Software Modeling and Veriations. In Proeedings of TACAS, LNCS2988,421{435, 2004.

[4℄A.W.Appel and J.Palsberg, Modern Compiler Implementation in Java, 2nd edition.Cambridge UniversityPress, 2002.

[5℄T.Ball and S.K.Rajamani, The SLAM Projet: Debugging System Software via Stati Analysis. In Proeedings of POPL, ACM SIGPLAN Noties 37(1),

January 2002.

[6℄E.M.Clarke,O.Grumbergand D.Peled,Model Cheking. MITPress, 2000.

[7℄A.Dimovski and R.Lazi, CSP Representation of Game Semantis for Se ond-order Idealized Algol.InProeedingsof ICFEM,LNCS, November2004.

[8℄A.Farias, A.Mota and A.Sampaio, EÆient CSP-Z Data Abstration. In Proeedingsof IFM,LNCS2999, 108{127, April2004.

[9℄FormalSystems(Europe)Ltd,Failures-DivergeneRenement:FDR2 Manual,

2000.

[10℄D.Ghia and G.MCusker, The Regular-Language Semantis of Seond-order

Idealized Algol.TheoretialComputer Siene309(1{3), 469{502, 2003.

[11℄R.Lazi, A Semanti Study of Data Independene with Appliations to Model Cheking. DPhilthesis,Computing Laboratory,OxfordUniversity,1999.

[12℄J.C.Reynolds, The essene of Algol. In Proeedings of ISAL, 345{372, Amsterdam, Holland,1981.

[13℄M.Roggenbah, CSP-CASL | A new Integration of Proess Algebra and Algebrai Speiation. InProeedingsof AMiLP,TWLT21, 2003.

[14℄A.W.Rosoe,P.H.B.Gardiner,M.H.Goldsmith,J.R.Hulane,D.M.Jakson and J.B.Sattergod, Hierarhial ompression for model-heking CSP or how to hek 10

20

dining philosophers for deadlok. In Proeedings of TACAS, LNCS

1019, 133{152, 1995.

A Proesses for terms

Expression onstruts

[[ `v :exp[℄℄℄ CSP

=Q:q !A:v !SKIP, v 2A

isa onstant

[[ `not B :exp[bool℄℄℄ CSP

=

[[ `B :exp[bool℄℄℄ CSP

[Q 1

=Q;A 1 =A℄ k fjQ 1 ;A 1 jg

(Q:q !Q 1

:q !A 1

?v :A bool

!A:(not v)!SKIP)n fjQ 1

;A 1

jg

[[ `E 1

E 2

:exp[℄℄℄ CSP

=

[[ `E 1

:exp[℄℄℄ CSP

[Q 1

=Q;A 1

=A℄ k fjQ1;A1jg

([[ `E 2

:exp[℄℄℄ CSP

[Q 2

=Q;A 2 =A℄ k fjQ 2 ;A 2 jg

(Q:q !Q 1

:q !A 1

?v1:A

!Q 2

:q !A 2

?v2:A

!

A:(v1v2)!SKIP) n fjQ 2

;A 2

jg) n fjQ 1

;A 1

jg

[[ `:exp[℄℄℄ CSP

=Q:q !:Q:q !:A?v :A

!A:v !SKIP

Command onstruts

[[ `skip :omm℄℄ CSP

=Q:run !A:done !SKIP

[[ `diverge :omm℄℄ CSP

=STOP

[[ `C o 9

M :℄℄ CSP

=

[[ `C :omm℄℄ CSP

[Q 1

=Q;A 1 =A℄ k fjQ 1 ;A 1 jg

([[ `M :℄℄ CSP

[Q 2

=Q;A 2

=A℄ k fjQ2;A2jg

(Q?q:Q

!Q 1

:run !A 1

:done !Q 2

:q!A 2

?a:A q

!A:a!SKIP)

nfjQ 2

;A 2

jg)n fjQ 1

;A 1

[[ `if B thenM 1 elseM 2 :℄℄ CSP =

[[ `B :exp[bool℄℄℄ CSP

[Q 0

=Q;A 0 =A℄ k fjQ 0 ;A 0 jg

([[ `M 1

:℄℄ CSP

[Q 1

=Q;A 1

=A℄2SKIP) k fjQ 1 ;A 1 jg

(([[ `M 2

:℄℄ CSP

[Q 2

=Q;A 2

=A℄2SKIP) k fjQ 2 ;A 2 jg

(Q?q:Q

!Q 0

:q !A 0

?v :A bool

!(Q 1

:q!A 1

?a:A q

!A:a!SKIP

<j v >jQ 2

:q!A 2

?a:A q

!A:a!SKIP))

nfjQ 2 ;A 2 jg)nfjQ 1 ;A 1 jg nfjQ 0 ;A 0 jg

[[ `whileBdoC :omm℄℄ CSP

=

(p 0

:([[B :omm℄℄ CSP

[Q 1

=Q;A 1 =A℄ o 9 p 0

)2(A:done !SKIP)) k fjQ 1 ;A 1 ;Ajg

(p 00

:([[C :omm℄℄ CSP [Q 2 =Q;A 2 =A℄ o 9 p 00

)2(A:done !SKIP)) k fjQ2;A2;Ajg

(Q:run !p:Q 1

:q !A 1

?v :A bool

! (Q 2

:run !A 2

:done !p <j v >j

A:done ! SKIP))n fjQ 2

;A 2

jg

n fjQ 1

;A 1

jg

[[ `:omm℄℄ CSP

=Q:run !:Q:run !:A:done !A:done !SKIP

Variable onstruts

[[ `:var[℄℄℄ CSP

=

(Q:read !:Q:read !:A?v :A

!A:v !SKIP) 2

(Q:write?v :A

!:Q:write:v !:A:ok !A:ok !SKIP)

[[ `V :=M :omm℄℄ CSP

=

[[ `M :exp[℄℄℄ CSP

[Q 1

=Q;A 1

=A℄ k fjQ1;A1jg

([[ `V :var[℄℄℄ CSP

[Q 2

=Q;A 2 =A℄ k fjQ 2 ;A 2 jg

(Q:run !Q 1

:q !A 1

?v :A

!Q 2

:write:v !A 2

:ok

!A:done !SKIP) n fjQ 2

;A 2

jg) n fjQ 1

;A 1

jg

[[ `!V :exp[℄℄℄ CSP

=

[[ `V :var[℄℄℄ CSP

[Q 1

=Q;A 1 =A℄ k fjQ 1 ;A 1 jg

(Q:q !Q 1

:read !A 1

?v :A

!A:v !SKIP)n fjQ 1

;A 1

[[ ` new[℄ in M :omm℄℄ CSP

=

([[ ` M :omm℄℄ CSP

k fj;Ajg

U

:var[℄;a

)n fjjg

where a int

=0,a bool

=false, and:

U

:var[℄;v

=(:Q:read !:A!v !U

:var[℄;v ) 2

( :Q:write?v 0

:A

!:A:ok !U :var[℄;v

0 ) 2

( A:done !SKIP )

Appliation and funtions

[[ `(M 1

:::M k

):℄℄ CSP

=Q?q:Q

!:0:Q:q!

L:( 2

k

j=1

([[ `M j : j ℄℄ CSP k fjQ;Ajg

:j:Q?q:Q

j

!Q:q!A?a:A q j

!:j:A:a !SKIP)nfjQ;Ajg o 9

L)2SKIP

o 9

:0:A?a:A q

!A:a!SKIP

[[ `let ( 1 : 1 ;:::; k : k

) = N in M :℄℄ CSP

=

[[ `M :℄℄ CSP

k fjjg

(p:([[ `N : 0

℄℄ CSP

[:0:Q=Q;:1= 1

;:::;:k= k ;:0:A=A℄ o 9 p)2SKIP)

n fjjg

B Proesses for formulas

We show how, given any formula of LTL f

, toonstrut:

aCSP proess P

suh that t j= if and onlyif tbhXi2traes(P

);

anite transition system whih has the same nitetraes as P .

Considerthe followingvariantofLTL f

,whereonlyatomsanbenegated,

and operators ^ , and V are basi ratherthan derived. We allitLTL+ f

.

::= true jfalse ja j:a j 1 _ 2 j 1 ^ 2

jj j 1 U 2 j 1 V 2

Any formula of LTL f

an be transformed into an equivalent formula 0

ofLTL+ f

,sine ^ , and V are dualsof_,andU. Thesizeof 0

islinear

in the size of .

For formulas of LTL+ f

, we dene CSP proesses P

as follows, by

strutural reursion on:

P true =RUN X P false =STOP P a

=a !RUN X

P :a

=(?w :nfag!RUN X

P 1

_ 2

=P

1 2P

2

P 1

^ 2

=P

1 k

P

2

P

=?w :!P

P

=(?w :!P

)2SKIP

P

1 U

2

=pP

2 2(P

1 k

(?w :!p))

P 1V2

=p(P 2

k

P 1

)2(P 2

k

((?w :!p)2SKIP))

where RUN X

=(?w :!RUN X

)2SKIP.

Now, for any formula of LTL f

, we dene P

= P

0

, where 0

is the

equivalent formulaof LTL+ f

.

Proposition B.1 For any formula of LTL f

, we have that t j= if and

only if tbhXi 2 traes(P

). A nite transition system whih has the same

nite traes as P

an be onstruted.

Proof. It suÆes to prove the proposition for formulas of LTL+ f

. The

proof is by strutural indution on .