All from one, one for all: on model checking using representatives
LNCS, 1993
Cited by 126 (6 self)
Checking that a given finite state program satisfies a linear temporal logic property suffers in many cases from a severe space and time explosion. One way to cope with this is to reduce the state graph used for model checking. We define an equivalence relation between infinite sequences, based on infinite traces, such that for each equivalence class either all or none of the sequences satisfy the checked formula. We present an algorithm for constructing a state graph that contains at least one representative sequence for each equivalence class. This allows applying existing model checking algorithms to the reduced state graph rather than to the larger full state graph of the program. It also allows model checking under fairness assumptions, and exploits these assumptions to obtain smaller state graphs. A formula rewriting technique is presented to allow a coarser equivalence relation among sequences, such that fewer representatives are needed.
Model-Checking of Causality Properties
1995
Cited by 42 (10 self)
A temporal logic for causality (Tlc) is introduced. The logic is interpreted over causal structures corresponding to partial order executions of programs. For causal structures describing the behavior of a finite fixed set of processes, a Tlc-formula can, equivalently, be interpreted over their linearizations. The main result of the paper is a tableau construction that gives a singly-exponential translation from a Tlc formula φ to a Streett automaton that accepts the set of linearizations satisfying φ. This allows both checking the validity of Tlc formulas and model-checking of program properties. As the logic Tlc does not distinguish among different linearizations of the same partial order execution, partial order reduction techniques can be applied to alleviate the state-space explosion problem of model-checking. 1 Introduction One of the most successful techniques for automatic verification of finite-state systems has been model-checking. A model-checking algorithm decides wheth...
Temporal Logics For Trace Systems: On Automated Verification
1993
Cited by 17 (6 self)
We investigate an extension of CTL (Computation Tree Logic) by past modalities, called CTLP, interpreted over Mazurkiewicz's trace systems. The logic is powerful enough to express most of the partial order properties of distributed systems, like serializability of database transactions, snapshots, parallel execution of program segments, or inevitability under a concurrency fairness assumption. We show that the model checking problem for the logic is NP-hard, even if past modalities cannot be nested. Then, we give a single-exponential-time model checking algorithm for the logic without nested past modalities. We show that all the interesting partial order properties can be model checked using our algorithm. Next, we show that it is possible to extend the model checking algorithm to cover the whole language and its extension to CTL*P. Finally, we prove that the logic is undecidable and we discuss the consequences of our results on using propositional versions of partial order temporal logics to s...
A compositional framework for fault-tolerance by specification transformation
Theoretical Computer Science, 1994
Cited by 8 (0 self)
A verification method for proving the correctness of specification transformations is presented. This makes it possible to prove just once that a specification transformation corresponds to a program transformation, removing the need to prove separately the correctness of each transformed program. Keywords: Parallel Algorithms, Distributed Algorithms, Fault-Tolerance, Specification, Verification.
A Simple Generalization of Kahn's Principle to Indeterminate Dataflow Networks
Semantics for Concurrency, Leicester, 1990
Cited by 8 (2 self)
Kahn's principle states that if each process in a dataflow network computes a continuous input/output function, then so does the entire network. Moreover, in that case the function computed by the network is the least fixed point of a continuous functional determined by the structure of the network and the functions computed by the individual processes. Previous attempts to generalize this principle in a straightforward way to "indeterminate" networks, in which processes need not compute functions, have been either too complex or have failed to give results consistent with operational semantics. In this paper, we give a simple, direct generalization of Kahn's fixed-point principle to a large class of indeterminate dataflow networks, and we prove that results obtained by the generalized principle are in agreement with a natural operational semantics. 1 Introduction Dataflow networks are a parallel programming paradigm in which a collection of concurrently and asynchronously executing s...
Infinite Behaviour and Fairness in Concurrent Constraint Programming
1992
Cited by 7 (0 self)
In concurrent constraint programming, divergence (i.e. an infinite computation) and failure are often identified. This is undesirable when modelling systems in which infinite behaviour arises naturally. This paper sets out a framework for an axiomatic and denotational view of concurrent constraint programming, and considers the relationship of both views as an instance of Stone duality. We propose a construction of a constraint system which allows both finite and infinite constraints. Subsequently, we provide semantic, topological definitions of safety, liveness and fairness properties in a given constraint system. The process language considered is parametrized by the constraint system. It allows the actions ask and tell, the prefix operator !, the (angelic) non-deterministic choice operator Φ, the procedure call p(X), and the concurrency operator ‖. Keywords: concurrent constraint programming, liveness, fairness, semantic properties. This paper was partly written when the autho...
Petri Nets, Traces, and Local Model Checking
Proceedings of the 4th International Conference on Algebraic Methodology and Software Technology, Lecture Notes in Computer Science 936, Springer-Verlag, 1995
Cited by 5 (0 self)
It has been observed that the behavioural view of concurrent systems in which all possible sequences of actions are relevant is too generous; not all sequences should be considered as likely behaviours. By taking progress fairness assumptions into account one obtains a more realistic behavioural view of the systems. In this paper we consider the problem of performing model checking relative to this behavioural view. We present a CTL-like logic which is interpreted over the model of concurrent systems labeled 1-safe nets. It turns out that Mazurkiewicz trace theory provides a useful setting in which the progress fairness assumptions can be formalized in a natural way. We provide the first, to our knowledge, set of sound and complete tableau rules for a CTL-like logic interpreted under progress fairness assumptions. Keywords: fair progress, labeled 1-safe nets, local model checking, maximal traces, partial orders, inevitability. 1 Introduction Recently attention has focused on behavioural v...
Axiomatizations of Temporal Logics on Trace Systems
Information Processing Letters 43, 1996
Cited by 4 (2 self)
Partial order temporal logics interpreted on trace systems have been shown not to have finitary complete axiomatizations, due to the fact that the complexity of their decidability problem is in Π¹₁. This paper gives infinitary complete proof systems for several temporal logics on trace systems, e.g. Computation Tree Logic with past operators and an essential subset of Interleaving Set Temporal Logic. 1 Introduction Partial order temporal logics are becoming an important formalism used for specification and verification of concurrent systems [KP87, PP94, Pe90, Pe91, PKP91, Re89, Si90]. These logics are more expressive than linear and branching time temporal logics. They allow for expressing and proving important properties of concurrent systems such as serializability of database transactions [PP94, PKP91], inevitability under a concurrency fairness assumption [Pe90, Pe93a], causal successor [Re89], layering of a program [PP94], snapshots or the concurrency of program segments [PP94, Pe93...
Modelling Component Behaviour with Concurrent Automata
In Proc. of FESCA'05, 2005
Cited by 4 (0 self)
The effective (re)use of components requires languages for the precise description of observable behaviour, along with methods for checking the compatibility of component interfaces in a design. This is even more challenging in the presence of concurrency. In previous work we have considered a set-based model of components and their composition, in a concurrent setting. In this paper, we present a class of automata, called Σ-automata, in which true-concurrency is treated as an explicit structural property. We show how an automaton can be derived from a component and that every such automaton generates back a component. Apart from determining a usage protocol for the underlying component, this extension to our model provides useful insights on component composition.
Exploiting predicate structure for efficient reachability detection
In 20th IEEE/ACM International Conference on Automated Software Engineering (ASE), 2005
Cited by 1 (1 self)
Partial order (p.o.) reduction techniques are a popular and effective approach for tackling state space explosion in the verification of concurrent systems. These techniques generate a reduced search space that could be exponentially smaller than the complete state space. Their major drawback is that the amount of reduction achieved is highly sensitive to the properties being verified. For the same program, different properties could result in very different amounts of reduction achieved. We present a new approach which combines the benefits of p.o. reduction with the added advantage that the size of the constructed state space is completely independent of the properties being verified. As in p.o. reduction, we use the notion of persistent sets to construct a representative interleaving for each maximal trace of the program. However, we retain concurrency information by assigning vector timestamps to the events in each interleaving. Our approach hinges upon the use of efficient algorithms that parse the encoded concurrency information in the representative interleaving to determine whether a safety violation exists in any interleaving of the corresponding trace. We show that, for some types of predicates, reachability detection can be performed in time that is polynomial in the length of the interleaving. Typically, these predicates exhibit certain characteristics that can be exploited by the detection algorithm. We implemented our algorithms in the popular model checker SPIN, and present experimental results that demonstrate the effectiveness of our techniques. For example, we verified a distributed dining philosophers protocol in 0.03 seconds, using 1.253 MB of memory. SPIN, using traditional p.o. reduction techniques, took 759.71 seconds and 439.116 MB of memory.

