We describe a framework for compositional verification of finite state processes. The framework is based on two ideas: a subset of the logic CTL for which satisfaction is preserved under composition; and a preorder on structures which captures the relation between a component and a system containing the component. Satisfaction of a formula in the logic corresponds to being below a particular structure (a tableau for the formula) in the preorder. We show how to do assume-guarantee style reasoning within this framework. In addition, we demonstrate efficient methods for model checking in the logic and for checking the preorder in several special cases. We have implemented a system based on these methods, and we use it to give a compositional verification of a CPU controller. 1 Introduction Temporal logic model checking procedures are useful tools for the verification of finite state systems [3, 12, 20]. However, these procedures have traditionally suffered from the state explosion proble...

The µ-calculus can be viewed as essentially the "ultimate" program logic, as it expressively subsumes all propositional program logics, including dynamic logics, process logics, and temporal logics. It is known that the satisfiability problem for the µ-calculus is EXPTIME-complete. This upper bound, however, is known for a version of the logic that has only forward modalities, which express weakest preconditions, but not backward modalities, which express strongest postconditions. Our main result in this paper is an exponential time upper bound for the satisfiability problem of the µ-calculus with both forward and backward modalities. To get this result we develop a theory of two-way alternating automata on infinite trees.

This paper describes a procedure, based around the construction of tableau proofs, for determining whether finite-state systems enjoy properties formulated in the propositional mu-calculus. It presents a tableau-based proof system for the logic and proves it sound and complete, and it discusses techniques for the efficient construction of proofs that states enjoy properties expressed in the logic. The approach is the basis of an ongoing implementation of a model checker in the Concurrency Workbench, an automated tool for the analysis of concurrent systems. 1 Introduction One area of program verification that has proven amenable to automation involves the analysis of finite-state processes. While computer systems in general are not finite-state, many interesting ones, including a variety of communication protocols and hardware systems, are, and their finitary nature enables the development and implementation of decision procedures that test for various properties. Model checking has p...

We develop a model-checking algorithm that decides for a given context-free process whether it satisfies a property written in the alternation-free modal mu-calculus. The central idea behind this algorithm is to raise the standard iterative model-checking techniques to higher order: in contrast to the usual approaches, in which the set of formulas that are satisfied by a certain state are iteratively computed, our algorithm iteratively computes a property transformer for each state class of the finite process representation. These property transformers can then simply be applied to solve the model-checking problem. The complexity of our algorithm is linear in the size of the system's representation and exponential in the size of the property being investigated.

ions for Value-Passing Systems ? Rance Cleaveland ?? and James Riely ??? 1 Dept. of Computer Science, N.C. State University, Raleigh, NC 27695-8206, USA 2 Dept. of Computer Science, University of N.C., Chapel Hill, NC 27599-3175, USA email: rance@csc.ncsu.edu, riely@cs.unc.edu Abstract. This paper presents a framework for the abstract interpretation of processes that pass values. We define a process description language that is parameterized with respect to the set of values that processes may exchange and show that an abstraction over values induces an abstract semantics for processes. Our main results state that if the abstract value interpretation safely/optimally approximates the ground interpretation, then the resulting abstracted processes safely/optimally approximate those derived from the ground semantics (in a precisely defined sense). As the processes derived from an abstract semantics in general have far fewer states than those derived from a concrete sem...

Tableau-based proof systems can be elegantly specified and directly executed by a tabled Logic Programming (LP) system. Our experience with the XMC model checker shows that such an encoding can be used to search for the existence of a proof very efficiently. However, the users of a tableau system are often interested in getting sufficient evidence (in terms of the tableau proof rules) on why a proof does or does not exist. In this paper, we address the problem of constructing such an evidence without introducing any additional computational overhead to the proof search. A tabled LP system maintains a memo table of "lemmas" that were tried and possibly proved during query evaluation. We propose the concept of justifier for extracting sufficient evidence for the truth or falsehood of literals in a logic program, by post-processing the memo tables created during query evaluation. Based on this logic program justifier, we showhow to construct evidence for the presence/absence of tableau in a tableau-based proof system. Weprovide experimental results showing the effectiveness of the justifier in constructing succinct evidence of the evaluation performed by the XMC model checker. Finally we discuss the role of the justifier as a programming abstraction for encoding efficient algorithms as tabled logic programs.

We present a proof system for determining satisfaction between processes in a fairly general process algebra and assertions of the modal µ-calculus. The proof system is compositional in the structure of processes. It extends earlier work on compositional reasoning within the modal µ-calculus and combines it with techniques from work on local model checking. The proof system is sound for all processes and complete for a class of finite-state processes.

. Interactive theorem proving gives a general approach for modelling and verification of both hardware and software systems but requires significant human efforts to deal with many tedious proofs. To be used in practical, we need some automatic tools such as model checkers to deal with those tedious proofs. In this paper, we formalise a verification system of both CCS and an imperative language in LEGO which can be used to verify both finite and infinite problems. Then a model checker, LegoMC, is implemented to generate the LEGO proof terms of finite models automatically. Therefore people can use LEGO to verify a general problem and throw some finite sub-problems to be verified by LegoMC. On the other hand, this integration extends the power of model checking to verify more complicated and infinite models as well. 1 Introduction Interactive theorem proving gives a general approach for modelling and verification of both hardware and software systems but requires significant human effor...

With the increasing complexity of digital systems, testing of digital systems is becoming increasingly important. Perhaps, the most popular method for testing hardware is simulation. The incompleteness of simulation based testing methods has spurred the recent surge in the research on formal veri cation. In formal veri cation, one builds a precise model of the hardware under scrutiny and proves that the model satis es a speci cation of interest. For example, suppose one wants to verify that a router chip does not deadlock. In this case the user will build a precise model of the router and the speci cation will express the property of deadlock freedom. The two approaches to formal veri cation are model checking and theorem proving. In this thesis we will only discuss model checking. Most model checking procedures su er from the state explosion problem, i.e., the size of the state space of the system can be exponential in the number of state variables of the system. For certain systems, exploiting the inherent symmetry

. We report on the formalisation and correctness proof of a model checker for the modal -calculus in Coq's constructive type theory. Using Coq's extraction mechanism we obtain an executable Caml program, which is added as a safe decision procedure to the system. An example illustrates its application in combination with deduction. 1 Introduction There is an obvious advantage in combining theorem proving and model checking techniques for the verification of reactive systems. The expressiveness of the theorem prover's (often higher-order) logic can be used to accommodate a variety of program modelling and verification paradigms, so infinite state and parametrised designs can be verified. However, using a theorem prover is not transparent and may require a fair amount of expertise. On the other hand, model checking is transparent, but exponential in the number of concurrent components. Its application is thus limited to systems with small state spaces. A combination of the two techn...