1

## Control and Data Abstraction: The Cornerstones of

## Practical Formal Verication.

### Yonit Kesten

^{1}

### , Amir Pnueli

^{2}

1 Dept. of Communication Systems Engineering, Ben Gurion University, Beer-Sheva, Israel, e-mail:ykesten@bgumail.bgu.ac.il

2 Dept. of Applied Mathematics and Computer Science, the Weizmann Institute of Science, Rehovot, Israel, e-mail:amir@wisdom.weizmann.ac.il

The date of receipt and acceptance will be inserted by the editor

### Abstract.

In spite of the impressive progress in the de- velopment of the two main methods for formal veri- cation of reactive systems { Symbolic Model Checking and Deductive Verication, they are still limited in their ability to handle large systems. It is generally recognized that the only way these methods can ever scale up is by the extensive use of abstraction and modularization, which break the task of verifying a large system into several smaller tasks of verifying simpler systems.In this paper, we review the two main tools of com- positionality and abstraction in the framework of lin- ear temporal logic. We illustrate the application of these two methods for the reduction of an innite-state system into a nite-state system that can then be veried using model checking.

The technical contributions contained in this paper are a full formulation of abstraction when applied to a system with both weak and strong fairness requirements and to a general temporal formula, and a presentation of a compositional framework for shared variables and its application for forming network invariants.

### Key words:

Formal verication - Linear temporal logic - Data abstraction - Control abstraction - Network in- variant - Model checking - Safety and liveness property - Weak and strong fairness### 1 Introduction

In spite of the impressive progress in the development of the two main methods for formal verication of reac- tive systems { Model Checking (in particular symbolic)

? This research was supported in part by a gift from Intel, a grant from the U.S.-Israel bi-national science foundation, and an

Infrastructure grant from the Israeli Ministry of Science and the Arts.

and Deductive Verication, they are still limited in their ability to handle large systems. It is generally recognized that the only way these methods can ever scale up to handle industrial-size designs is by the extensive use of abstraction and modularization, which break the task of verifying a large system into several smaller tasks of verifying simpler systems.

In this paper, we review the two main tools of com- positionality and abstraction in the framework of lin- ear temporal logic. We illustrate the application of these two methods for the reduction of an innite-state system into a nite-state system that can then be veried using model checking.

To simplify matters, we have considered two special classes of innite-state systems for which the combina- tion of compositionality and abstraction can eectively simplify the systems into nite-state ones. The rst class is where the unboundedness of the system results from its structure. These are parameterized designs consist- ing of a parallel composition of nite-state processes, whose number is a varying parameter. For such systems, the source of complexity is the control or the architec- tural structure. We describe the techniques useful for such systems as control abstraction, since it is the con- trol component that we try to simplify. Another source for state complexity is having data variables which range over innite domains such as the integers. We refer to the techniques appropriate for simplifying such systems as data abstraction.

Many methods have been proposed for the uniform verication of parameterized systems, which is the sub- ject of our control abstraction. These include explicit induction ([12], [33]) network invariants, which can be viewed as implicit induction ([20], [35], [15], [23]), meth- ods that can be viewed as abstraction and approximation of network invariants ([4], [32], [6]), and other methods that can be viewed as based on abstraction ([16], [13]). The approach described here is based on the idea of net-

work invariants as introduced in [35], and elaborated in [20] into a working method.

There has been extensive study of the use of data
abstraction techniques, mostly based on the notions of
abstract interpretation ([9], [10]). Most of the previous
work was done in a branching context which complicates
the problem if one wishes to preserve both existential
and universal properties. On the other hand, if we re-
strict ourselves to a universal fragment of the logic, e.g.
actl^{}, then the conclusions reached are similar to our
main result for the restricted case that the property
contains negations only within assertions.

The paper [7] obtains a similar result for the frag-
ment actl^{}. However, instead of starting with a con-
crete property_{} and abstracting it into an appropriate
, they start with an abstractactl^{}formula evalu-
ated over the abstract system^{D}^{}and show how to trans-
late (concretize) it into a concrete formula = ^{C}( ).
The concretization is such that^{?}( ) = .

The survey in [8] considers an even simpler case in
which the abstraction does not concern the variables on
which the property depends. Consequently, this is the
case in which ^{}= .

A more elaborate study in [11] considers a more com- plex specication language {L, which is a positive ver- sion of the-calculus.

None of these three articles considers explicitly the question of fairness requirements and how they are af- fected by the abstraction process.

Approaches based on simulation and studies of the properties they preserve are considered in [24] and [14]. A linear-time application of abstract interpretation is proposed in [3], applying the abstractions directly to the computational model of fair transition systems which is very close to the fds model considered here. However, the method is only applied for the verication of safety properties. Liveness, and therefore fairness, are not con- sidered.

### 2 A Computational Model: Fair Discrete

### Structure

As a computational model for reactive systems, we take the model of fair discrete system (fds), which is a slight variation on the model of fair transition system [28]. The fds model was rst introduced in [19] under the name

\Fair Kripke Structure".

Anfds^{D}:^{h}V;W;^{O};;;^{J};^{Ci}consists of the follow-
ing components.

_{V} _{=}f_{u}
1_{;:::;u}_{n}

g: A nite set of typed system vari- ables, containing data and control variables. The set of states (interpretation) over V is denoted by . Note thatcan be both nite or innite, depending on the domains ofV.

The variables inV are classied as follows:

_{W} _{=} f_{w}

1_{;:::;w}_{n}

g _{V} : A nite set of owned
variables. These are the variables that only the
system itself can modify. All other variables can
also be modied by the environment. A system is
said to be closed if W =V.

O _{=} f_{o}

1_{;:::;o}_{n}

g _{V} : A nite set of observ-
able variables. These are the variables which the
environment can observe.

It is required thatV =W ^{[}^{O}, i.e., for every system
variableu^{2}V,uis owned, observable, or both.

_{} : The initial condition { an assertion (rst-order
state formula) characterizing the initial states.

_{} : A transition relation { an assertion(V;V^{0}), re-
lating the valuesV of the variables in states^{2}to
the valuesV^{0} in a^{D}-successor states^{0}^{2}.

J _{:} f_{J}

1_{;:::;J}_{k}

g : A set of justice (weak fairness)
requirements. The justice requirement J ^{2} ^{J} is an
assertion, intended to guarantee that every compu-
tation contains innitely manyJ-state (states satis-
fyingJ).

C_{:}fh_{p}
1_{;q}1

i_{;:::}h_{p}_{n}_{;q}_{n}ig: A set of compassion (strong
fairness) requirements. The compassion requirement

h_{p;q}i 2 C is a pair of assertions, intended to guar-
antee that every computation containing innitely
manyp-states also contains innitely many q-states.
We require that every state s^{2} has at least one^{D}-
successor. This is often ensured by including in the
idling disjunctV =V^{0} (also called the stuttering step).
In such cases, every statesis its own^{D}-successor.

Let:s^{0};s^{1};s^{2};:::;be an innite sequence of states,
'be an assertion, and let j ^{}0 be a natural number.
We say thatj is a'-position of ifsj is a'-state.

Let ^{D} be an fds for which the above components
have been identied. We dene a computation of^{D}to be
an innite sequence of states :s^{0};s^{1};s^{2};:::; satisfying
the following requirements:

Initiality: s^{0}is initial, i.e., s^{0}^{j}=.

Consecution: For eachj = 0;1;:::, the statesj^{+1} is
a^{D}-successor of the statesj.

_{Justice:} _{For each}_{J} 2J_{,} _{} contains innitely
manyJ-positions

Compassion: For each ^{h}p;q^{i} ^{2} ^{C}, if contains in-
nitely manyp-positions, it must also
contain innitely manyq-positions.
For anfds^{D}, we denote by^{C}omp(^{D}) the set of all com-
putations of^{D}. Anfds^{D}is called feasible if^{C}omp(^{D})^{6}=

;, namely, if^{D}has at least one computation.

An innite state sequence is called a run of ^{D} if
it satises the requirements of initiality and consecution
but not, necessarily, any of the fairness requirements.
System ^{D} is said to be viable if every nite run can
be extended into a computation. One of the dierences
between the model of fair transition systems and thefds
model is that everyftsis viable by construction, while
it is easy to dene an fds which is not viable, e.g., by
having the justice list include the assertion false. On the

other hand, everyfdswhich is derived from a program is viable.

All our concrete examples are given inspl (Simple Programming Language), which is used to represent con- current programs (e.g., [28], [26]). Every spl program can be compiled into an fdsin a straightforward man- ner. In particular, every statement in an spl program contributes a disjunct to the transition relation. For ex- ample, the assignment statement

`^{0}:y:=x+ 1; `^{1}:

can be executed when control is at location `^{0}. When
executed, it assignsx+ 1 toy while control moves from

`^{0} to`^{1}. This statement contributes tothe disjunct

`^{0}: at^{?}`^{0} ^{^} at^{?}`^{1}^{0} ^{^} y^{0} =x+ 1 ^{^} x^{0}=x:
The predicates at^{?}`^{0} and at^{?}`^{0}^{1} stand, respectively, for
the assertionsi= 0 and_{i}^{0}= 1, whereiis the control
variable denoting the current location within the process
to which the statement belongs.

Every variable declared in ansplprogram is specied as having one of the modes in, out, in-out, or local. This specication determines whether the variable is consid- ered to be owned or observable or both according to the following table

Mode Owned? Observable?

in N Y

out Y Y

in-out N Y

local Y N

### 3 Operations on

^{fds}

### 's

There are several important operations, one may wish to apply tofds's.

The rst useful set of operations on programs and
systems is forming their parallel composition, implying
that the two systems execute concurrently. Consider the
two fair discrete systems^{D}^{1}=^{h}V^{1};W^{1};^{O}^{1};^{1};^{1};^{J}^{1};^{C}^{1}^{i}
and ^{D}^{2} = ^{h}V^{2};W^{2};^{O}^{2};^{2};^{2};^{J}^{2};^{C}^{2}^{i}. We consider two
ways of forming the parallel composition of^{D}^{1}and^{D}^{2}.
3.1 Asynchronous Parallel Composition

The systems ^{D}^{1} and ^{D}^{2} are said to be composable if
W^{1}^{\}W^{2} = ^{;}; V^{1}^{\}V^{2} =^{O}^{1}^{\}^{O}^{2} and neither system
modies the variables owned by the other, i.e.,

^{1}^{!} pres(W^{2}^{\} V^{1}) and ^{2}^{!} pres(W^{1}^{\} V^{2}):
The rst condition requires that a variable can only be
owned by one of the systems. The second condition re-
quires that variables known to both systems must be
observable in both.

For composable systems ^{D}^{1} and ^{D}^{2}, we dene their
asynchronous parallel composition, denoted by^{D}^{1}^{kD}^{2},
to be the system^{D}=^{h}V;W;^{O};;;^{J};^{Ci}, where

V = V^{1}^{[}V^{2} W = W^{1}^{[}W^{2}

O _{=} O
1

[O

2 _{} _{=} _{}1

^_{}
2

J _{=} J
1

[J

2

C _{=} C
1

[C

2

=

^{1}^{^}pres(V^{2}^{?}V^{1}) ^{_}

^{2}^{^}pres(V^{1}^{?}V^{2})

For a set of variables U ^{} V, the predicate pres(U)
stands for the assertionU^{0} = U, implying that all the
variables inU are preserved by the transition.

Obviously, the basic actions of the composed system

Dare chosen from the basic actions of its components,
i.e., ^{D}^{1} and^{D}^{2}. Thus, we can view the execution of^{D}
as the interleaved execution of^{D}^{1} and^{D}^{2}.

As seen from the denition, ^{D}^{1} and ^{D}^{2} may have
disjoint as well as common system variables, and the
variables of^{D}are the union of all of these variables. The
initial condition of ^{D} is the conjunction of the initial
conditions of ^{D}^{1} and ^{D}^{2}. The transition relation of ^{D}
states that at any step, we may choose to perform a step
of ^{D}^{1} or a step of ^{D}^{2}. However, when we select one of
the two systems, we should also take care to preserve
the private variables of the other system. For example,
choosing to execute a step of^{D}^{1}, we should preserve all
variables inV^{2}^{?}V^{1} and all the variables owned by^{D}^{2}.

The justice and compassion sets of ^{D}are formed as
the respective unions of the justice and compassion sets
of the component systems.

Asynchronous parallel composition corresponds to the
spl parallel operator ^{k} constructing a program out of
concurrent processes.

3.2 Synchronous Parallel Composition

We dene the synchronous parallel composition of ^{D}^{1}
and^{D}^{2}, denoted by^{D}^{1}^{k}^{jD}^{2}, to be the system

D_{:} h_{V;W;}O_{;;;}J_{;}Ci_{;}

where

V = V^{1}^{[}V^{2} W = W^{1}^{[}W^{2}

O _{=} O
1

[O

2 _{} _{=} _{}1

^_{}
2

J _{=} J
1

[J

2

C _{=} C
1

[C

= ^{1} ^{^} ^{2} 2

As implied by the denition, each of the basic actions of
system^{D} consists of the joint execution of an action of

D

1and an action of^{D}^{2}. Thus, we can view the execution
of^{D}as the joint execution of^{D}^{1} and^{D}^{2}.

The main, well established, use of the synchronous parallel composition is for coupling a system with a tester which tests for the satisfaction of a temporal formula, and then checking the feasibility of the combined sys- tem. In this work, synchronous composition is also used for coupling the system with a progress monitor, used to ensure completeness of the data abstraction methodol- ogy presented in section 7.

3.3 Modularization of an fds

LetP be ansplprogram and^{D}its correspondingfds.
The standard compilation of a program into an fds
views the program as a closed system which has no in-
teraction with its environment. In the context of com-
positional verication, we need an open system view of
an fds, which takes into account not only actions per-
formed by the system but also actions (in particular,
variable changes) performed by the environment.

Let ^{D}:^{h}V;W;^{O};;;^{J};^{Ci}be anfdsand s^{62}V be
a fresh boolean variable. The modular version of ^{D}, is
given by^{D}^{M}:^{h}V^{M};W;^{O}^{M};;^{M};^{J};^{Ci}, where,

V^{M} =V ^{[}^{f}s^{g} ^{O}^{M} = ^{O}^{[}^{f}s^{g}

^{M} = (^{^}s^{0}) ^{_} (W^{0} =W^{^}^{:}s^{0}):

That is, ^{D}^{M} the modular version of^{D}admits as an ad-
ditional action a transition which preserves the values of
all variables owned by^{D}but allows all other shared vari-
ables to change in an arbitrary way. This provides the
most general representation of an environment action.
The scheduling variable s is used to ensure interleaving
between the module and its environment. We refer to

D

M as the modular or open version of system^{D}.
We dene a modular computation of ^{D} to be any
computation of^{D}^{M}.

3.4 Restricting an Open Shared Variable

When constructing a system out of smaller components, it is often the case that all processes within the system are allowed to access a certain shared variable, but only a subset of the processes is allowed to modify its value. For example, we may have a system

D_{=}D
1

kD

2 kD

3_{;}

in which all processes are allowed to access variable x,
but only processes^{D}^{1}and ^{D}^{2} are allowed to modify its
value.

We provide a special restriction (sealing-o) oper- ation, which moves one of the system variables to the category of owned variables, thereby disallowing its mod- ication by the environment.

Let ^{D}:^{h}V;W;^{O};;;^{J};^{Ci} be an fds and let U ^{}
V ^{?}W be a set of variables which are not owned by^{D}.
The result of restrictingU in^{D}, denoted by^{Dn}U is the
fds^{D}^{R}:^{h}V;W^{R};^{O};;;^{J};^{Ci}, whereW^{R} =W^{[}U.

Thus, to represent a system consisting of sub-systems

D

1_{,}
D

2_{, and}
D

3_{, in which}
D

3 is not allowed to modify variablex, we may write

D _{= ((}D
1

kD

2_{)}

n_{x}_{)} k D
3_{:}

To represent the closing o of an entire system ^{D},
we write^{D}^{R}, which is an abbreviation for ^{Dn}(V ^{?}W).
This restricts the environment from writing on any of
the system variables. A system such that W = V is
often described as a closed system, because it can have
no interaction with its environment.

### 4 Specication Language: Temporal Logic

As a requirement specication language for reactive sys- tems we take temporal logic (tl) [27]. For simplicity, we consider only the future fragment oftl. Extending the approach to the full logic is straightforward.

We assume an underlying assertion language^{L}which
contains the predicate calculus and interpreted symbols
for expressing the standard operations and relations over
some concrete domains. A temporal formula is constructed
out of state formulas (assertions) to which we apply the
boolean operators ^{:} and ^{_} (the other boolean opera-
tors can be dened from these), and the basic temporal
operators^{2} (next) and ^{U} (until).

A model for a temporal formula p is an innite se-
quence of states : s^{0};s^{1};:::; where each state sj pro-
vides an interpretation for the variables mentioned in
p.

Given a model, we present an inductive denition
for the notion of a temporal formulapholding at a po-
sitionj ^{}0 in, denoted by (;j)^{j}=p.

For a state formulap, (;j)^{j}=p ^{(}^{)} sj^{j}=p
That is, we evaluateplocally, using the

interpretation given bysj.

_{(}_{;j}_{)}j_{=}:_{p} () _{(}_{;j}_{)}6j_{=}_{p}

_{(}_{;j}_{)}j_{=}_{p}__{q} () _{(}_{;j}_{)}j_{=}_{p}_{or (}_{;j}_{)}j_{=}_{q}

_{(}_{;j}_{)}j_{=}2 _{p} () _{(}_{;j}_{+ 1)}j_{=}_{p}

_{(}_{;j}_{)}j_{=}_{p}U_{q} () _{for some} _{k}_{j;}_{(}_{;k}_{)}j_{=}_{q;}

and for everyisuch thatj^{}i < k;(;i)^{j}=p
Additional temporal operators can be dened by

1 _{p}_{= true} U _{p}(eventually)

0 _{p}_{=}:1 :_{p}(henceforth)

For a temporal formula p and a position j ^{} 0 such
that (;j)^{j}= p, we say that j is a p-position (in ). If
(;0) ^{j}=p, we say that p holds on, and denote it by

^{j}=p. A formulapis called satisable ifpholds on some
model. A formulapis called valid, denoted by^{j}=p, ifp
holds on all models.

Given an fds ^{D} and a temporal formulap, we say
that p is ^{D}-valid, denoted by ^{D} ^{j}= p, if pholds on all
models which are computations of ^{D}. A property ' is
said to be modularly valid overfds^{D}, denoted^{D}^{j}=^{M} ',
if'is^{D}^{M}-valid, i.e.,^{D}^{M} ^{j}='.

An algorithm for model checking whether a temporal
formulapis valid over a nite-statefds^{D}is presented in
[19]. The paper presents a version of the algorithm using
explicit state enumeration methods as well as a symbolic
version. Based on the ideas developed in [22] and [5],
the approach calls for the construction of a tester for the
negation of p. This is an fds ^{D}^{:}_{p} whose computations
are all the sequences which satisfy the negated formula

:_{p}. Then, we form the synchronous parallel composition

D_{comb =}DkjD

:_{p} and check for feasibility. If ^{D}_{comb is}
found to be feasible, this implies that^{D} has a compu-
tation which violatespand thereforepis not valid over

D_{. If}Dcomb is found to be infeasible, we can conclude
that pis^{D}-valid.

### 5 Control Abstraction

Let U ^{} V be a subset of the system variables. For
a V-state s, we denote by s^{+}U the U-state obtained
by projecting s onto U. That is, the interpretation s
restricted to the domainU.

The state sequence^{e} :s^{e}^{0};s^{e}^{1};::: is dened to be an
observation of thefds ^{D}: ^{h}V;W;^{O};;;^{J};^{Ci}if^{e} is a
stuttering variant of the ^{O}-projection

^{+}^{O}=s^{0}^{+}^{O}; s^{1}^{+}^{O}; :::;

where : s^{0};s^{1};:::is a computation of^{D}. Let Obs(^{D})
denote the set of all observations of system^{D}.

The two fds's ^{D}^{A} : ^{h}V^{A};W^{A};^{O}^{A};^{A};^{A};^{J}^{A};^{C}^{A}^{i}
and ^{D}^{C} : ^{h}V^{C};W^{C};^{O}^{C};^{C};^{C};^{J}^{C};^{C}^{C}^{i} are dened to
be comparable, if^{O}^{A} =^{O}^{C} and ^{O}^{A}^{\}W^{A} =^{O}^{C} ^{\}W^{C}.
Thefds^{D}^{A} is an abstraction of the comparable^{D}^{C}, de-
noted by ^{D}^{C} ^{v}^{D}^{A}, if Obs(^{D}^{C}) ^{}Obs(^{D}^{A}), i.e., every
observation of^{D}^{C} is also an observation of^{D}^{A}. We refer
to ^{D}^{C} and ^{D}^{A} as the concrete and abstract systems, re-
spectively. The abstraction relation is obviously re
exive
and transitive.

It would have been very useful if the abstraction
relation as dened above, would have been composi-
tional with respect to (asynchronous) parallel compo-
sition. That is, if ^{D}^{C} ^{v}^{D}^{A} would have implied (^{D}^{C} ^{k}
Q)^{v}(^{D}^{A} ^{k}Q) for everyfds Q. Unfortunately, this is
not the case.

Consider, for example, thefds's correponding to pro- grams incxand incy presented in Fig. 1. Up to stut- tering and idling, both of these fds's have the unique observation

h_{x}_{: 0}_{; y} _{: 0}i_{;} h_{x}_{: 1}_{; y}_{: 1}i_{;} h_{x}_{: 2}_{; y}_{: 2}i_{; :::}

It follows that incxand incyhave the same set of ob-
servations. In particular, this implies thatincx^{v}incy.
However, when we consider the programQgiven by

### in-out

^{x}

^{:}

### integer

### loop forever do

m^{0}: x:= 0
we nd out that the observation

h_{x}_{: 0}_{; y}_{: 0}i_{;}h_{x}_{: 1}_{; y}_{: 1}i_{;}h_{x}_{: 0}_{; y}_{: 1}i_{;}h_{x}_{: 1}_{; y}_{: 1}i_{; :::}

belongs to Obs(incx^{k}Q) but does not belong to the set
Obs(incy^{k}Q). Consequently, whileincx^{v} incy,

(incx^{k}Q)^{6v}(incy^{k}Q);

which shows that the abstraction relation^{v}is not com-
positional.

Obviously, the problem lies in the fact that the rela-
tion^{v}is based on the set of observations of the closed-
system fds semantics of programs. The dierence be-
tween programs incx and incy can be observed only
when we take into account actions of the environment,
such as resetting variablex to 0. In the denition of the
compuatations (and therefore observations) of the fds
assigned to these programs, such actions are not repre-
sented.

Once we diagnose the malady, the remedy is quite
straightforward. We say that fds ^{D}^{A} is a modular ab-
stractionof the comparable^{D}^{C}, denoted by^{D}^{C} ^{v}^{M} ^{D}^{A},
if Obs((^{D}^{C})^{M})^{}Obs((^{D}^{A})^{M}), i.e., every observation of
(^{D}^{C})^{M} the modularized version of^{D}^{C} is also an obser-
vation of (^{D}^{A})^{M} the modularized version of^{D}^{A}.

Note that, whileincyis a plain abstraction ofincx, it is not a modular abstraction of incx. To see this we point to

h_{s}_{: 0}_{;x}_{: 0}_{; y}_{: 0}i_{;}h_{s}_{: 1}_{;x}_{: 1}_{; y}_{: 1}i_{;}h_{s}_{: 0}_{;x}_{: 0}_{; y}_{: 1}i_{;}
h_{s}_{: 1}_{;x}_{: 1}_{; y}_{: 1}i_{; :::;}

which is an observation ofincx^{M} but not ofincy^{M}.
When we upgrade from plain abstraction to modu-
lar abstraction, we obtain the desired property of com-
positionality of the abstraction relation with respect to
the operations of parallel composition and restriction, as
stated by the following claim:

Claim 1. Let^{D}^{C} and^{D}^{A}be two comparablefds's such
that ^{D}^{C} ^{v}^{M} ^{D}^{A}. Then, for everyfds Q, and temporal
formula',

1. (^{D}^{C} ^{k}Q)^{v}^{M} (^{D}^{A} ^{k}Q)
2. (^{D}^{C})^{R}^{v}^{M} (^{D}^{A})^{R}
3. ^{D}^{A}^{j}='implies^{D}^{C} ^{j}='

We describe these compositionality properties by saying that the operations of parallel composition and restric- tion are monotonic with respect to modular abstraction, while temporal validity is anti-monotonic.

This indicates how we propose to use abstraction in
order to simplify the verication task. Namely, given a
property p to be veried over a complex system ^{D}^{C},
we use modular abstraction in order to derive a simpler
system^{D}^{A} and then verify thatpis^{D}^{A}-valid. Note that
the implication is still in one direction. Namely, validity
over the abstract system implies concrete validity but
not, necessarily, vice versa. The most striking applica-
tions of this strategy are when ^{D}^{C} is an innite-state
system, while its abstraction^{D}^{A} is nite-state and thus
amenable to verication by model checking.

The comparable fds's P and Q are dened to be
modularly equivalent, denotedP^{}^{M} Q, if bothP ^{v}^{M} Q
andQ^{v}^{M} P.

### 6 Verication by Abstract Network Invariants

In this section, we concentrate on cases in which the
system is a parallel compositionP(n): (P^{1}^{k}^{}^{}^{}^{k}P_{n})^{R},

in-out x:integer wherex= 0

outy:integer wherey= 0

loop forever do

`^{0}: (x;y) := (x+ 1;x+ 1)

? _{incx} ?

in-out x:integer where x= 0

outy:integer where y= 0

loop forever do

`^{0}: (x;y) := (y+ 1;y+ 1)

? _{incy} ?
Fig.1._{Programs}_{incx}_{and}_{incy}

where eachPi is a nite-state system. The nal restric- tion of the parallel composition guarantees that no fur- ther interference from the environment is possible. The unbounded number of states for systemP(n) comes from the fact that we consider an innite family of systems, and yet wish to verify uniformly (i.e., for every value of n >1) that the propertypis valid.

The general principles of the method and one of the examples presented in this section are shared with [20]. The main dierences between the two presentations are that, while [20] considers processes communicating by synchronous message passing, we focus here on commu- nication by shared variables, and we nd the abstraction we use somewhat simpler to comprehend, perhaps due to the dierent communication mechanisms.

For simplicity, assume that the propertyponly refers
to the observable variables ofP^{1}and that processes

P^{2};:::;Pn

are identical (up to renaming). The strategy we propose can be summarized as follows:

Verication by Abstract Network Invariants

1. Devise a network invariant ^{I}, which is an fds in-
tended to provide a modular abstraction for the par-
allel compositionP^{2}^{k}^{}^{}^{}^{k}Pn for anyn.

2. Conrm that ^{I} is indeed a network invariant, by
model checking thatP^{2}^{v}^{M} ^{I} and that (^{I} ^{k}^{I}) ^{v}^{M}

I. The technique of model checking a modular ab- straction is presented in Subsection 6.3.

3. Model check ^{D}^{R} ^{j}= p, where ^{D}^{R} is the restricted
system (P^{1}^{k}^{I})^{R}.

We argue that this strategy is sound. Namely, if^{D}^{R}^{j}=p
then P(n)^{j}=pfor every n > 1. Step 2 of the strategy
establishes P^{2} ^{k}^{}^{}^{}^{k}Pn^{v}^{M} ^{I}. By monotonicity of the
parallel composition (Claim 1), it follows that

P^{1}^{k}^{}^{}^{}^{k}P_{n} ^{v}^{M} (P^{1}^{k}^{I}):

By monotonicity of the restriction operation, we can con- clude that

P(n) = (P^{1}^{k}^{}^{}^{}^{k}Pn)^{R} ^{v}^{M} (P^{1}^{k}^{I})^{R} = ^{D}^{R}:
Due to the anti-monotonicity of the validity relation, it
follows that^{D}^{R} ^{j}=pimpliesP(n)^{j}=p, establishing that
the proposed strategy is sound.

localy: natural wherey= 1

n
i^{=1} ^{P}^{[}^{i}^{] ::}

2

6

4

loop forever do"

Ni:NonCritical Ti: request y

Ci:_{Critical}; _{release}_{y}

# 3

7

5

Fig.2. _{Program}_{mux-sem}_{.}

Step 1 in the strategy is the only one requiring inge- nuity and which cannot be fully mechanized. However, while presenting the examples, we will provide some ex- planations and clues for the choices we made.

6.1 Mutual Exclusion by Semaphores

As our rst running example, we use programmux-sem presented in Fig. 2. The program consists ofnprocesses. Each processP[i] cycles through three possible locations: Ni, Ti, and Ci. Location Ni represents the non-critical activity which the process can perform without coor- dination with the other processes. Location Ti, is the

\trying" location, at which a process decides it needs to
access its critical location. At the trying location, the
process waits for the semaphore variableyto become 1.
On entering the critical section C_{i}, the process sets y
to 0. Finally,C_{i} is the critical location which should be
reachable only exclusively by one process at a time. On
exit from the critical section, variabley is reset to 1.

The mode

### local

specied for variableyidentiesyas being owned by the entire system but not by any of the individual processes. This specication ensures that he variabley cannot be modied by an enviornment agent external to the program. By the standard compilation of splprograms, each processP[i] is associated with a jus- tice requirement^{J}i:

^{:}Ciand a compassion requirement

C_{i} _{: (}_{T}_{i} ^_{y >} _{0}_{;C}_{i}). The justice requirement ensures
that processP[i] does not remain stuck forever at loca-
tionCi. The compassion requirement ensures thatP[i]
does not remain stuck forever at locationTiwhileyturns
positive innitely many times. Note that a process may
choose to stay forever atNi or may get stuck at Ti if
y turns positive only nitely many times and then re-
mains zero forever. The latter behavior cannot occur in
programmux-sembut this can be established only by a
global analysis of the complete system.

C

release^{y}

N

request^{y}

J _{:} :_{C}

Fig.3. _{Process}_{inv-cand}, a candidate for a network invariant.
In Fig. 3, we present process inv-cand, which is
our rst candidate for the network invariant abstracting
P[2] ^{k} ^{}^{}^{} ^{k} P[n]. In this section we choose to repre-
sentfds's by transition diagrams, in which we explicitly
list the fairness requirements. Processinv-candcan be
obtained by simpilfying a single copy of the concrete
P[2]. The simplication consists of merging locationsN
and T into a single location N and relaxing the fair-
ness requirements associated with this combined loca-
tion. This simplication is suggested by noting that the
main liveness requirement of accessibility is studied only
for processP[1]. The only liveness properties we require
from the environment processes P[2];:::;P[n], is that
they eventually exit their critical sections and release
the semaphore. Thus, while being at location N, pro-
cessinv-candmay choose non-deterministically to stay
at N or move to C if y equals 1. There is no justice
requirement associated with location N, due the possi-
bility that the process may choose to remain there. On
the other hand, with location C, we associate the jus-
tice requirement^{:}C which excludes behaviors in which
inv-candget stuck at C. Let us denote by C_{a} thefds
corresponding toinv-cand .

A useful heuristic that often leads to the generation of network invariants is forming the sequence of fds's

I

1_{=}_{C}_{a}_{,}
I

2_{=}_{C}_{a}

k_{C}_{a}_{,}I
3_{=}

I

2

k_{C}_{a}_{;:::;}and compar-
ing every two successive^{I}i's, hoping that the sequence
will converge. Convergence means that we identify an
index j ^{} 0 such that ^{I}j ^{}^{M} ^{I}j^{+1}. Trying this ap-
proach with the fds C_{a} fails. Comparing ^{I}^{2}:C_{a} ^{k} C_{a}
with^{I}^{1}:Ca, we nd that (^{I}^{2})^{M} can generate the obser-
vation

h_{y}_{: 1}_{; s}_{: 0}i_{;} h_{y}_{: 0}_{; s}_{: 1}i_{;} h_{y}_{: 1}_{; s}_{: 0}i_{;} h_{y}_{: 0}_{; s}_{: 1}i_{;}
h_{y}_{: 1}_{; s}_{: 1}i_{;} h_{y}_{: 0}_{; s}_{: 0}i_{;} h_{y}_{: 1}_{; s}_{: 1}i_{;} _{;}

which cannot be generated by (^{I}^{1})^{M}. Such a behav-
ior can be explained as a scenario in the behavior of
P[2] ^{k} P[3] under an unrestricted environment. First,
P[2] enters its critical section according to the step^{h}y :
1; s : 0^{i} ^{!} ^{h}y : 0; s : 1^{i}. Then, while P[2] is still in
its critical section, the environment raises y to 1, ac-
cording to the step ^{h}y : 0; s : 1^{i} ^{!} ^{h}y : 1; s : 0^{i} (we
know that this is an environmet step because s^{0} = 0.
ThenP[3] enters its own critical section, as recorded in

h_{y} _{: 1}_{; s}_{: 0}i!h_{y} _{: 0}_{; s}_{: 1}i. Following that,P[2] exits
its critical section (^{h}y : 0; s : 1^{i};^{!} ^{h}y : 1; s : 1^{i}), the
environment resetsyto 1 (^{h}y : 1; s: 1^{i}^{!}^{h}y: 0; s: 0^{i}),

request^{y}

N C

release^{y}

y>0

y:=0

y:=1

J_{:} :_{C}

Fig.4._{The}_{fds}I_{mux}, a network invariant formux-sem.
and nallyP[3] exits (^{h}y: 0; s: 0^{i}; ^{h}y: 1; s: 1^{i}). What
is special about this behavior is that ^{I}^{2} exits twice in
succession without an observable entry between these
two exits. In all behaviors of ^{I}^{1} =Ca, which has only
one copy ofP[2], every two exits must be separated by
an observable entry.

In a similar way, we nd that^{I}^{3} can exit its critical
sections three times in succession, if the environment
cooperates, which cannot be done by ^{I}^{2}. This shows
that the sequence^{I}^{1};^{I}^{2};:::will never converge.

Looking closer at this example, we realize that the
factor that dierentiates between^{I}^{1}and^{I}^{2}and between

I

2_{and}
I

3is their response to a behavior of the environ-
ment which will never be realized in the closed system,
namely raising the semaphore variable to 1 while one of
the processes is in its critical section. This leads us to the
next (and nal) abstraction^{I}mux, presented in Fig. 4.

The system^{I}mux behaves asCa as long as the envi-
ronment behaves properly. However, once it detects that
the environment raised the value ofy from 0 to 1 while
the system was in the critical section, it goes into a chaos
control state in which \anything goes". That is, all arbi-
trary sequences of values for the observable variables will
be accepted from this point on. It is obvious that^{I}mux

is an abstraction ofC_{a} because it diers from C_{a} in all
the additional behaviors it is ready to generate once it
reached the chaos state.

It is not dicult to verify that ^{I}mux is a network
invariant. We model checked thatC_{a} ^{v}^{M} ^{I}_{mux} and that
(^{I}mux^{k}^{I}mux)^{v}^{M} ^{I}mux.

It only remains to perform step 3 in the abstrac-
tion strategy presented in the beginning of the section.
We form the closed system fds ^{D} = (P^{1} ^{k} ^{I})^{R} and
use model checking to verify the liveness property^{D}^{j}=

0 _{(}_{N}
1

! 1 _{C}

1). This has been done and established that processP[1] of programmux-semhas the property of accessibility for any number of processes.

6.2 The Dining Philosophers Problem

As a more advanced example, we applied the technique described above to the problem of the dining philoso- phers. As originally described by Dijkstra, n philoso- phers are seated at a round table. Each philosopher al- ternates between a thinking phase and a phase in which he becomes hungry and wishes to eat. There arenchop- sticks placed around the table, one chop-stick between

release^{L}

request^{L}

L R

request^{R}
release^{R}

N

r

release^{R}

C

r

request^{R}
release^{L}

C

`

request^{L}

N

`

J_{:} :_{C}_{r}_{;} C_{: (}_{R;} :_{C}_{`}_{)}
Fig.6._{The}_{fds}I

contr, the network invariant for programdine- contr.

every two philosophers. In order to eat, each philoso- pher needs to acquire the chop-sticks on both sides. A chop-stick can be possessed by only one philosopher at a time.

A solution to the dining philosophers problem, us- ing semaphores, is presented by program dine-contr of Fig. 5.

In this program, philosophers P[2];:::;P[n] reach
rst for the chop-stick on their left, represented by sema-
phore variable c[j] for philosopherj, and then for their
right chop-stick (semaphorec[j^{}n1]). PhilosopherP[1]
behaves dierently, reaching rst for his right chop-stick
(c[2]) and only later for his left chop-stick (c[1]). We wish
to prove the liveness property of accessibility for each of
the philosophers, which can be specied by the temporal
formula

acc_{:}

0 _{(at}

?_{`}2_{[}_{j}_{]}

! 1 _{(at}

?_{`}4_{[}_{j}_{]))}_{;}

for everyj= 1;:::;n. This property ensures that every hungry philosopher eventually gets to eat.

Proceeding through a sequence of abstraction steps
similar to the previous example, we nally wind up with
theThe diagram of Fig. 6 consists of two componentsfds^{I}contr presented in Fig. 6.
that operate in parallel, one taking care of the left sema-
phoreLand the other handling the right semaphoreR.
Whenever an environment fault is detected, i.e. the en-
vironment raises a semaphore that has been lowered by
the system, both components escape to the chaos state
after which all behaviors are possible. By the graphical
conventions, the transitions to a chaos state have prior-
ity over internal transitions such as the one connecting
(Nr;R) to (Cr;^{:}R).

Since ^{I}contr is intended to abstract behaviors of a
string of consecutive philosophers

P[i]^{k}P[i+ 1]^{k}^{}^{}^{}^{k}P[j];

we should not be surprised that the behavior of the left semaphore L is only loosely coupled with that of the

right semaphoreR. This is becauseLstands forc[i] (as-
sumingi >1) the left semaphore of processP[i] the left-
most process in the string, whileR stands forc[j^{}n1]
the right semaphore ofP[j], the rightmost philosopher.
There is still a weak coupling which is expressed through
the fairness requirement. For ordinary philosophers, who
take the right chop-stick last, the obligation to release
semaphoreRonce it is taken, can be guaranteed locally,
independently of the environment. This is expressed by
the justice requirement^{:}Crforbidding the system to re-
main forever inCrwith the semaphoreRoccupied. The
situation is dierent with the left semaphoreL. No sub-
system (modeled by ^{I}contr) can unconditionally guar-
antee release of L once it is taken. Consequently, the
fairness requirement guaranteeing the release ofLis for-
mulated as the compassion requirement (R;^{:}C`) making
the release ofL(as implied by being atN`) conditional
on the innite recurrence of an availableR. Already at
the level of a single philosopher, after acquiring L the
system proceeds to acquireR. IfR is not available with
sucient frequency, the system will fail in obtaining it,
and will keepLoccupied forever.

It is straightforward to verify (using model checking)
that ^{I}contr modularly abstracts any of the processes
P[2];:::;P[n] and that (^{I}_{contr} ^{k}^{I}_{contr)}^{v}^{M} ^{I}_{contr.}
It follows that^{I}contr is a network invariant for any se-
quence of regular philosophers. We can combine^{I}_{contr}
withP[1] to establish the accessibility properties of the
contrary philosopherP[1].

We can also verify the accessibility property for all
ordinary philosophers. To do so, we consider the combi-
nationP[1]^{k}^{I}_{contr} ^{k}P[ordinary]^{k}^{I}contr, in which
we use the network invariant^{I}contr as an abstraction
for the sequence of philosophers separating P[1] from
P[ordinary] and then again as an abstraction for the se-
quence of philosophers separatingP[ordinary] fromP[1]
in the other direction.

In all of these combinations, we should remember to close the ring by identifying the leftmost semaphore of the combination with the rightmost semaphore.

6.3 Model Checking Modular Abstraction

When carrying out the abstraction process as described
in this section, we are repeatedly required to verify that
onefdsmodularly abstracts another. Most of the avail-
able computer aided verication (cav) tools forltl(e.g.,
step[2] andtlv-basic[31]) are designed to support ver-
ication tasks. That is, they accept as inputs a system
description, equivalent to anfds^{D}, and a temporal for-
mula'and attempt to establish (or refute) that^{D}^{j}='.
In this subsection, we show how the modular abstrac-
tion problem^{D}^{C} ^{v}^{M} ^{D}^{A} can be reduced into a verica-
tion problem. This reduction can be used in order to
establish the modular abstraction relation between sys-
tems while using the availableltlverication tools.