?

Logic Programming and Mo del Checking

Bao qiu Cui, Yifei Dong, Xiao qun Du, K. Narayan Kumar,

C. R. Ramakrishnan, I. V. Ramakrishnan, Abhik Roychoudhury,

Scott A. Smolka,David S. Warren

Department of Computer Science

SUNY at Stony Bro ok

Stony Bro ok, NY 11794{4400, USA

http://www.cs.sunysb.edu/lmc

Abstract. We rep ort on the current status of the LMC pro ject, which

seeks to deploy the latest developments in logic-programmin g technology

to advance the state of the art of system sp eci cation and veri cation. In

particular, the XMC mo del checker for value-passing CCS and the mo dal

mu-calculus is discussed, as well as the XSB tabled logic programming

system, on which XMC is based. Additionally, several ongoing e orts

aimed at extending the LMC approachbeyond traditional nite-state

mo del checking are considered, including comp ositional mo del checking,

the use of explicit induction techniques to mo del check parameterized

systems, and the mo del checking of real-time systems. Finally, after a

brief conclusion, future research directions are identi ed.

1 Intro duction

In the summer of 1997, C.R. Ramakrishnan, I.V. Ramakrishnan, Smolka, and

Warren were awarded a four-year NSF Exp erimental Software Systems ESS

1

grant to investigate the idea of combining the latest developments in concur-

rency research and in logic programming to advance the state-of-the art of sys-

tem sp eci cation and veri cation. This was the rst year of the ESS program at

NSF, and its goal is to supp ort exp erimental investigations by research teams

dedicated to making fundamental progress in software and software engineering.

The ESS program director is Dr. William W. Agresti.

The current primary fo cus of our ESS-sp onsored pro ject is model check-

ing [CE81,QS82,CES86], the problem of determining whether a system sp eci ca-

tion p ossesses a prop erty expressed as a temp oral logic formula. Mo del checking

has enjoyed wide success in verifying, or nding design errors in, real-life sys-

tems. An interesting account ofanumb er of these success stories can b e found

in [CW96b].

?

Research supp orted in part by NSF grants CDA{9303181, CCR{9404921, CCR{

9505562, CDA{9504275, CCR{9705998, CCR{9711386 and AFOSR grants F49620-

95-1-0508 and F49620-96-1-0087.

1

There are two additional co-Principal Investigators on the grant who are no longer

at Stony Bro ok: Y.S. Ramakrishna of Sun Microsystems and Terrance Swift lo cated

at the University of Maryland, College Park.

We call our approach to mo del checking logic-programming-basedmodel

checking , or LMC for short, and it is centered on two large software sys-

tems develop ed indep endently at SUNY Stony Bro ok: the Concurrency Fac-

tory [CLSS96] and XSB [XSB98]. The Concurrency Factory is a sp eci cation

and veri cation environment supp orting integrated graphical/textual sp eci ca-

tion and simulation, and mo del checking in the mo dal mu-calculus [Koz83] tem-

p oral logic. XSB is a logic programming system that extends Prolog-style SLD

resolution with tabledresolution . The principal merits of this extension are that

XSB terminates on programs having nite mo dels, avoids redundant sub compu-

tations, and computes the well-founded mo del of normal logic programs.

Veri cation systems equipp ed with mo del checkers ab ound. For exam-

ple, http://www.csr.ncl.ac.uk:80/projects/FME/InfRes/tools lists over

50 sp eci cation and veri cation to olkits, most of which supp ort some form of

mo del checking. Although these to ols use di erent system-sp eci cation languages

and prop erty-sp eci cation logics, the semantics of these logics and languages are

typically sp eci ed via structural recursion as least, greatest, alternating xed

p oints of certain typ es of functionals.

It is therefore interesting to note that the semantics of negation-free logic

programs are given in terms of minimal mo dels, and Logic Programming LP

systems attempt to compute these mo dels. The minimal mo del of a set of Horn

clauses is equivalent to the least xed p oint of the clauses viewed as equations

over sets of atoms. Hence, mo del checking problems involving least xed p oints

can b e naturally and concisely cast in terms of logic programs. Problems in-

volving greatest xed-p oint computations can b e easily translated into least

xed-p oint computations via the use of logical negation.

However, Prolog-style resolution is incomplete, failing to nd minimal mo d-

els even for datalog function-free programs. Moreover, the implementation of

negation in Prolog di ers from the semantics of logical negation in the mo del

theory. Consequently, traditional Prolog systems do not o er the needed supp ort

to directly implement mo del checkers. As alluded to ab ove, evaluation strate-

gies such as tabling [TS86,CW96a]overcome these limitations see Section 2.2.

Hence, tabled logic programming systems app ear to o er a suitable platform for

implementing mo del checkers. The p ertinent question is whether one can con-

struct a mo del checker using this approach that is ecient enough to b e deemed

practical.

The evidence wehave accumulated during the rst year of our LMC pro ject

indicates that the answer to this question is most de nitely \yes." In particular,

+

wehave develop ed XMC [RRR 97], a mo del checker for Milner's CCS [Mil89]

and the alternation-free fragment [EL86] of the mo dal mu-calculus. The full

value-passing version of CCS is supp orted, and a generalized pre x op erator

is used that allows arbitrary Prolog terms to app ear as computational units

in XMC system sp eci cations. Full supp ort for value-passing is essential in a

sp eci cation language intended to deal with real-life systems such as telecom-

munications and security proto cols.

XMC is written in approximately 200 lines of XSB tabled-logic-programming

Prolog co de, and is primarily intended for the mo del checking of nite-state

systems, although it is capable of handling certain kinds of in nite-state sys-

tems, such as those exhibiting \data indep endence" [Wol86]. With regard to the

eciency issue, XMC is highly comp etitive with state-of-the-art mo del check-

ers hand-co ded in C/C++, such as SPIN [HP96] and the Concurrency Fac-

tory [CLSS96]. This p erformance can b e attributed in part to various asp ects of

the underlying XSB implementation, including its extensive supp ort of tabling

and the use of trie data structures to enco de tables. In [LRS98]we describ e how

XMC can b e extended to the full mo dal mu-calculus.

Buoyed by the success of XMC, we are currently investigating ways in which

the LMC approach can b e extended b eyond traditional nite-state mo del check-

ing. In particular, the following e orts are underway.

{ An LMC-style sp eci cation of a mo del checker is given at the level of seman-

tic equations, and is therefore not limited to any sp eci c system-sp eci cation

language or logic. For example, wehave built a compositional mo del checker,

simply by enco ding the inference rules of the pro of system as Horn clauses

Section 4.1.

{ Traditionally, mo del checking has b een viewed as an algorithmic technique,

although there is a urry of recent activity on combining mo del checking

with deductive metho ds. Observe that optimized XSB meta-interpreters

can b e used to execute arbitrary deductive systems. Hence, the LMC ap-

proach o ers a unique opp ortunity to fully and exibly integrate algorithmic

and deductive mo del checking, arguably the most interesting problem b eing

currently researched by the veri cation community.Tovalidate this claim,

wehave b een exp erimenting with ways of augmenting XMC with the p ower

of induction, with an eyetoward the veri cation of parameterized systems

Section 4.2.

{ By using constraints as in Constraint LP [JL87] to nitely represent in nite

sets and tabled resolution to eciently compute xed p oints over these sets,

we are lo oking at how tabled constraint LP can b e used to verify real-time

systems Section 4.3.

The rest of the pap er is structured follows. Section 2 shows how mo del check-

ing can b e essentially viewed as a problem of xed-p oint computation, and how

xed p oints are computed in XSB using tabled resolution. Section 3's fo cus is

our XMC mo del checker, and Section 4 describ es ongoing work on extending the

XMC technology b eyond traditional nite-state mo del checking. After a brief

conclusion, Section 5 identi es several promising directions for future research.

2 Preliminaries

In this section we describ e the essential computational asp ects of mo del check-

ing and tabled logic programming. This side-by-side presentation exp oses the primary rationale for the LMC pro ject.

2.1 Mo del Checking

As remarked in the Intro duction, mo del checking is essentially a problem of xed-

p oint computation. To substantiate this view, consider an example. Supp ose we

have a transition system T transition systems are often used to mo del systems

in the mo del-checking framework and we wish to check if the start state of T

satis es the CTL branching-time temp oral logic formula EF p. This will prove

to b e true just in case there is a run of the system in which a state satisfying

the atomic prop osition p is encountered.

Let S b e the set of states of T that satisfy EF p. If a state s satis es p,

0

written s ` p, then clearly it satis es EF p.Further if s and t are states such

that t ` EF p and s has a transition to t, then s ` EF p as well. In other words,

T T

if S is a set of states each of that satis es EF p and EFp :2 !2 is the

function given by

EFpS =fs js ` pg[ fsjs!t ^t2Sg

then EFpS  S . As a matter of fact, S is the least xed p ointofEFp.

0 0

Thus, one way to compute the set of states that satisfy EF p is to evaluate the

least xed p oint of the function EFp. Assuming that T is nite-state, by the

Knaster-Tarski theorem, it suces to start with the empty set of states and

rep eatedly apply the function EFp till it converges.

There is a straightforward Horn-clause enco ding of the de ning equation of

EFp.Tabled LP systems can evaluate such programs eciently, and hence yield

an ecient algorithm for mo del checking EF p. This observation forms the basis

for the XMC mo del checker Section 3.

Other temp oral logic prop erties of interest mayinvolve the computation of

greatest xed p oints. For example, consider the CTL formula AGp asserting that

p holds at all states and along all runs. The set of states satisfying this formula

which turns out to b e the negation of the formula EF :p is the greatest xed

p oint of the function AGp given by:

AGpS =fs js ` pg\fsjs!t  t2Sg

Once again, using Knaster-Tarski, the set of states satisfying the prop erty AGp

may b e computed by starting with the set of all states and rep eatedly applying

the function AGp till it converges.

More complicated prop erties involve the nesting of least and greatest xed-

p oint prop erties and their computation b ecomes a more complex nesting of iter-

ations. The mo dal mu-calculus, the logic of choice for XMC, uses explicit least

and greatest xed-p oint op erators and consequently subsumes virtually all other

temp oral logics in expressivepower.

2.2 The XSB Tabled Logic Programming System

The fundamental theorem of logic programming [Llo84] is that, given a set of

Horn clauses i.e., a \pure" Prolog program, the set of facts derivable by SLD

resolution the computational mechanism of Prolog is the same as the set of

facts logically implied by the Horn clauses, which is the same as the set of facts

in the least xed p oint of the Horn clauses considered as set equations. From

this result it might seem obvious that logic programming is well suited to solving

general xed-p oint problems and could b e directly applied to mo del checking

This, however, is not the case. The foundational theorem on xed p oints

is weak in that it ensures only the existence of successful computations SLD

derivations; but there may b e in nitely many computations that do not lead to

success. This means that while a standard Prolog engine may b e able to show

that a particular fact is in the least xed p oint of its rules, it can never show

that a fact is not in the xed p oint when there are in nitely many unsuccessful

computation paths, which is the case for the xed p oints needed for mo del

checking. And even if the fact is in the xed p oint, Prolog's search strategy

may not nd it. So even though the semantics of logic programming is a useful

semantics for mo del checking, its computation mechanism of SLD is to o weak

to b e practical.

The XSB system implements SLG resolution [CW96a], which to a rst ap-

proximation can b e understo o d as a tabled version of SLD resolution. This means

that XSB can avoid rederiving a fact that it has previously tried to derive. In

the pro cedural interpretation of Horn clauses, this means that XSB will never

maketwo calls to the same pro cedure passing the same arguments. It is easy to

see that for a system that has only nitely many p ossibly derivable facts, as for

example in a nite-state mo del checking problem, XSB will always terminate.

To see how this works in practice, consider the following logic program:

reachX,Y :- transX,Y.

reachX,Y :- transX,Int, reachInt,Y.

which de nes reachability in a transition system. We assume that the predicate

transX,Y de nes a transition relation, meaning that the system can make

a direct transition from state X to state Y. Given a de nition of the trans

relation, these rules de ne reach to b e true of a pair X,Y if the system can

make a nonempty sequence of transitions starting in state X and ending in

state Y. trans could b e de ned byany set of facts and/or rules, but for our

motivating example, we'll assume it is de ned simply as:

transa,b.

transb,c.

transc,b.

Given a query of reacha,X, which asks for all states reachable starting from

state a, Prolog using SLD resolution will search the tree indicated in Figure 1.

The atoms to the left of the :- symb ols in the tree no des capture the answers; the

list of atoms to the right are waiting to b e resolved away. Each path from the ro ot

to a leaf is a p ossible SLD derivation, or in the pro cedural interpretation of Prolog

programs are computation paths through the nondeterministic Prolog program.

Notice that the correct answers are obtained, in the three leaves. However, the reach(a,X) :- reach(a,X)

reach(a,X) :- trans(a,X) reach(a,X) :- trans(a,Intb),reach(Intb,X)

reach(a,b) :- reach(a,X) :- reach(b,X)

reach(a,X) :- trans(b,X) reach(a,X) :- trans(b,Intc),reach(Intc,X)

reach(a,c) :- reach(a,X) :- reach(c,X)

reach(a,X) :- trans(c,X) reach(a,.X) :- trans(c,Intd),reach(Intd,X)

reach(a,b) :- reach(a,X) :- reach(b,X)

o o o

o

Fig. 1. In nite SLD tree for reacha,X

p oint of more interest is that this is an in nite tree, branching in nitely to the

lower right. Notice that the lower right no de is identical to an ancestor four

no des ab ove it. So the pattern will rep eat in nitely, and the computation will

never come backtosay it has found all answers. A query suchasreachc,a

would go into an in nite lo op, never returning to say that a is not reachable

from c.

Now let us lo ok at the same example executed using SLG resolution in XSB.

The program is the same, but we add a directive :- table reach/2. to indicate

that all subgoals of reach should b e tabled. In this case during execution, an

invo cation of a reach subgoal creates a new subtree with that subgoal at its

ro ot if there is no such tree already. If there is such a tree, then the answers

from that tree are used, and no new duplicate tree is created. Figure 2 shows

the initial partial computation of the same query to the p oint where the subgoal

reachb,X is ab out to b e invoked, at the lower right no de of that tree. Since

reach(a,X) :- reach(a,X)

reach(a,X) :- trans(a,X) reach(a,X) :- trans(a,Intb),reach(Intb,X)

reach(a,b) :- reach(a,X) :- reach(b,X)

Fig. 2. Initial SLG subtree for reacha,X

there is no subtree for this sub query, a new one is created and computation

continues with that one yielding another subtree, as shown in Figure 3. Now here

reach(b,X) :- reach(b,X)

reach(b,X) :- trans(b,X) reach(b,X) :- trans(b,Intc),reach(Intc,X)

reach(b,c) :- reach(b,X) :- reach(c,X)

Fig. 3. Partial SLG subtree for reachb,X

reach(c,X) :- reach(c,X)

reach(c,X) :- trans(c,X) reach(c,X) :- trans(c,Intc),reach(Intc,X)

reach(c,b) :- reach(c,X) :- reach(b,X)

Fig. 4. Partial SLG subtree for reachc,X

again a new subgoal, reachc,X,isinvoked, leading to a new subtree, which

is shown in Figure 4. Here again wehave encountered a subgoal invo cation, this

time of reachb,X, and a tree for this subgoal already exists; it is in Figure 3. So

no more trees are created at least at this time. Nowwe can use answers in the

subtrees to answer the queries in the trees that generated them. For example we

can use the answer reachc,b in Figure 4 to answer the query of reachc,X

generated in the lower rightmost no de of Figure 3. This results in another answer

in Figure 3, reachb,b.Now the two answers in the tree for reachb,X can

b e returned to the call that is the lower rightmost no de of Figure 4, as well as

to the lower rightmost no de of Figure 2.

After all these answers have b een returned, no new subgoals are generated,

and the computation terminates, having reached a xed p oint. The nal state of

the tree of Figure 2 is shown in Figure 5. The nal forms of the other subtrees

reach(a,X) :- reach(a,X)

reach(a,X) :- trans(a,X) reach(a,X) :- trans(a,Intb),reach(Intb,X)

reach(a,b) :- reach(a,X) :- reach(b,X)

reach(a,c) :- reach(a,b) :-

Fig. 5. The nal SLG subtree for reacha,X

are similar.

This very simple example shows how tabling in XSB terminates on compu-

tations that would b e in nite in Prolog. All recursive de nitions over nite sets

will terminate in a similar way. Finite-state mo del checkers are essentially more

complicated versions of this simple transitive closure example.

3 Mo del Checking of Finite-State Systems

In this section we present XMC, our XSB-based mo del checker for CCS and

the mo dal mu-calculus. We rst fo cus on the alternation-free fragment of the

mo dal mu-calculus, to illustrate the strikingly direct enco ding of its semantics

as a tabled logic program. The full mo dal mu-calculus is treated next using a

sophisticated semantics for negation develop ed within the logic-programming

community. Finally,we showhow the structural op erational semantics of CCS,

with full value-passing supp ort, can also b e naturally captured as a tabled logic

program.

3.1 Mo del Checking the Alternation-Free Mo dal Mu-Calculus

The mo dal mu-calculus [Koz83] is an expressive temp oral logic whose semantics

is usually describ ed over sets of states of lab eled transition systems. We enco de

the logic in an equational form, the syntax of whichisgiven by the following

grammar:

F ! Z j tt j ff j F _ F j F ^ F j diamA, F  j boxA, F 

D ! Z += F least xed p oint

j Z -= F greatest xed p oint

In the ab ove, Z is a set of formula variables enco ded as Prolog atoms and A

is a set of actions; tt and ff are prop ositional constants; _ and ^ are standard

logical connectives; and diamA, F  p ossibly after action A formula F holds

and boxA, F  necessarily after action A formula F holds are dual mo dal

op erators. For example, a basic prop erty, the absence of deadlo ck, is expressed

free de ned as: in this logic by a formula variable deadlock

deadlock_free -= box-, deadlock_free /\ diam-, tt

where the `-'inbox and diam formulas stand for any action. The formula states,

essentially, that from every reachable state box-,deadlock free a transition

is p ossible diam-,tt.

We assume that the lab eled transition system corresp onding to the pro cess

sp eci cation is given in terms of a set of facts transSrc, Act, Dest, where

Src, Act, and Dest are the source state, lab el and target state, resp ectively,of

each transition. The semantics of the mo dal mu-calculus is sp eci ed declaratively

in XSB by providing a set of rules for each of the op erators of the logic, as follows:

modelsState_S, tt.

modelsState_S, F1 \/ F2 :- modelsState_S, F1.

modelsState_S, F1 \/ F2 :- modelsState_S, F2.

modelsState_S, F1 /\ F2 :- modelsState_S, F1, modelsState_S, F2.

modelsState_S, diamA, F :- transState_S, A, State_T,

modelsState_T, F.

modelsState_S, boxA, F :- findallT, transState_S, A, T, States_L,

map_modelsStates_L, F.

Consider the rule for diam. It declares that a state State S of a pro cess

satis es a formula of the form diamA, F if State S has an A transition to

some state State T and State T satis es F.

The semantics of logic programs are based on minimal mo dels, and accord-

ingly XSB directly computes least xed p oints. Hence, the semantics of the

mo dal mu-calculus's least xed-p oint op erator can b e directly enco ded as:

modelsState_S, Z :- Z += F, modelsState_S, F.

To compute greatest xed p oints in XSB, we exploit its capability to handle

normal logic programs: programs with rules whose right-hand side literals may

b e negated using XSB's tnot, which p erforms negation by failure in a tabled en-

vironment. In particular, we make use of the duality X:F X= :X ::F :X ,

and enco de the semantics of greatest xed-p oint op erator as:

modelsState_S, Z :- Z -= F, negateF, NF,

tnotmodelsState_S, NF.

The auxiliary predicate negateF, NF is de ned such that NF is a p ositive

formula equivalentto:F.

For alternation-free formulas, the enco ding yields dynamically strati ed pro-

grams i.e., a program whose evaluation do es not involve traversing lo ops with

negation, and has a two-valued minimal mo del. In [SSW96]itwas shown that

the evaluation metho d underlying XSB correctly computes this class of pro-

grams. Tabling ensures that each explored system state is visited only once in

the evaluation of a mo dal mu-calculus formula. Consequently, the XSB program

will terminate under XSB's tabling metho d when there are a nite number of

states in the transition system.

3.2 Mo del Checking the Full Mo dal Mu-Calculus

Intuitively, the alternation depth of a mo dal mu-calculus formula [EL86] f is the

level of nontrivial nesting of xed p oints in f with adjacent xed p oints b eing

of di erenttyp e. When this level is 1, f is said to b e \alternation-free". When

this level is greater than 1, f is said to \contain alternation." The full mo dal

mu-calculus refers to the class of formulas of all p ossible alternation depths.

In contrast to the alternation-free fragment of the mo dal mu-calculus, when

a formula contains alternation, the resultant XSB program is not dynamically

strati ed, and hence the well-founded mo del may contain literals with unknown

values [vRS91]. For such formulas, we need to evaluate one of the stable mo d-

els of the resultant program [GL88], and the choice of the stable mo del itself

dep ends on the structure of alternation in the formula. Such a mo del can b e

computed by extending the well-founded mo del. When the well-founded mo del

has unknown values, XSB constructs a residual program which captures the de-

p endencies b etween the predicates with unknown values.

We compute the values of these remaining literals in the preferred stable

mo del byinvoking the stable mo del generator smo dels [NS96] on the residual

program. The algorithm used in smo dels recursively assigns truth values to lit-

erals until all literals have b een assigned values, or an assignment is inconsistent

with the program rules. When an inconsistency is detected, it backtracks and

tries alternate truth assignments for previously encountered literals. By appro-

priately cho osing the order in which literals are assigned values, and the default

values, we obtain an algorithm that correctly computes alternating xed p oints.

Initial exp eriments indicate that XMC computes alternating xed p oints very

eciently using the ab ove strategy,even outp erforming existing mo del checkers

crafted to carry out the same kind of computation. Details app ear in [LRS98].

3.3 On-the-Fly Construction of Lab eled Transition Systems

The ab ove enco ding assumes that pro cesses are given as lab eled transition sys-

tems. For pro cesses sp eci ed using a pro cess algebra such as CCS [Mil89], we can

construct the lab eled transition system on the y, using CCS's structural op er-

ational semantics. In e ect, we can treat trans as a computed IDB relation

instead of as a static EDB relation, without changing the de nition of models.

Below, wesketchhow the trans relation can b e obtained for pro cesses sp eci-

ed in XL a syntactically sugared version of value-passing CCS, the pro cess

sp eci cation language of XMC.

The syntax of pro cesses in our value-passing language is describ ed by the

following grammar:

E ! PN j inA j outA j codeC  j ifC , E , E 

E o E j E '||' E j E  E j E n L j E @ F



Def ! PN ::= E

In the ab ove, E is a pro cess expression; PN is parameterized pro cess name,

represented as a Prolog term; C is a computation, e.g., X is Y+1; Pro cess

inat inputs a value over p ort a and uni es it with term t; outat out-

puts term t over p ort a. Pro cess ifC , E , E  b ehaves like E if computation

1 2 1

C succeeds and otherwise like E . Op erator o is generalized pre xing. The re-

2

maining op erators are like their CCS counterparts mo dulo o ccasional changes

in syntax to avoid clashes with Prolog lexicon. For example,  is nondetermin-

istic choice; '||' is parallel comp osition; @ is relab eling, where F is a list of

substitutions; and `n' is restriction, where L is a list of p ort names. Recursion is

provided by a set of de ning equations , Def, of the form PN ::= E .

The formal semantics of our language is given using structural op erational

semantics, closely paralleling that of CCS [Mil89]. Due to space limitations, we

present here the axioms and inference rules for only a few key constructs. In order

to emphasize the highly declarative nature of our enco ding, these are presented

exactly as they are enco ded in the Prolog syntax of XSB.

transinA, inA, nil.

transoutA, outA, nil.

transcodeX, _, code :- callX.

transP1 o P2, A, Q :- transP1, A, Q1,

Q1 == code -> transP2, A, Q;

Q1==nil->Q =P2;Q=Q1oP2.

transifX, P1, P2, A, Q :- callX -> transP1, A, Q ; transP2, A, Q.

trans P '||' Q, A, P1 '||' Q  :- transP, A, P1.

trans P '||' Q, A, P '||' Q1 :- transQ, A, Q1.

trans P '||' Q, tau, P1 '||' Q1 :- transP, A, P1,

transQ, B, Q1, compA, B.

compinA, outA.

compoutA, inA.

transP, A, Q :- P ::= R, transR, A, Q.

In the ab ove, A->B;Cis Prolog syntax for if A then B else C. The trans

predicate is of the form transP, A, Q meaning that pro cess P p erforms an A

transition to b ecome pro cess Q. The axiom for input says that inA can execute

an inA transition and then terminate; similarly for the output axiom. The

axiom for internal computation forces the evaluation of X and then terminates

without exercising any transition. The rule for generalized pre x states that

P1oP2b ehaves like P1 until P1 terminates; at that p oint it b ehaves as P2. The

conditional pro cess ifX, P1, P2 b ehaves like P1 if evaluation of X succeeds,

and like P2 otherwise. Finally, the rules for parallel comp osition state that P

'||' Q can p erform an autonomous A transition if either P or Q can the rst

two rules, and P '||' Q can p erform a synchronizing tau transition if P and

Q can p erform \complementary" actions the last rule; i.e., actions of the form

inA and outA. The nal rule ab ove captures recursion: a pro cess P b ehaves

as the pro cess expression R used in its de nition.

To illustrate the syntax and semantics of XL, our value-passing language,

consider the following sp eci cation of a channel chan with input p ort get and

output p ort give implemented as a b ounded bu er of size N.

chanN, Buf ::= codelengthBuf, Len o

if Len == 0

, receive_onlyN, Buf

, if Len == N

, send_onlyN, Buf

, receive_onlyN, Buf  send_onlyN, Buf

.

receive_onlyN, Buf ::= ingetMsg o chanN, [Msg|Buf].

send_onlyN,Buf ::= coderm_lastBuf,Msg,RBufo

outgiveMsg o chanN,RBuf.

In the ab ove de nition rm lastBuf,Msg,RBuf is a computation, de ned in

Prolog, that removes the last message Msg from Buf, resulting in a new smaller

bu er RBuf.

3.4 Implementation and Performance

The implementation of the XMC system consists of the de nition of two pred-

icates models/2 and trans/3; in addition, it contains a compiler to translate

input XL representation to one with smaller terms that is more appropriate for

ecient runtime pro cessing. Overall the system consists of less than 200 lines of

well-do cumented tabled Prolog co de.

Preliminary exp eriments show that the ease of implementation do es not p e-

nalize the p erformance of the mo del checker. In fact, XMC has b een shown

+

see [RRR 97] to consistently outp erform the Concurrency Factory's mo del

checker [CLSS96] and virtually match the p erformance of SPIN [HP96]ona

well-known set of b enchmarks.

We recently obtained results from XMC on the i-proto col, a sophisticated

sliding-window proto col used for le transfers over serial lines, such as telephone

lines. The i-proto col is part of the proto col stack of the GNU UUCP package

available from the Free Software Foundation, and consists of ab out 300 lines of

C co de.

Table 1 contains the execution-time and memory-usage requirements for

XMC, SPIN, COSPAN [HHK96], and SMV [CMCHG96] applied to the i-proto col

to detect a non-trivial livelo ck error that can o ccur under certain message-loss

conditions. This livelo ck error was rst detected using the Concurrency Factory.

Run-time statistics are given for window sizes W = 1 and W = 2, with the

livelo ck error present~ xed and not present  xed. All results were obtained

on an SGI IP25 Challenge machine with 16 MIPS R10000 pro cessors and 3GB

of main memory. Each individual execution of a veri cation to ol, however, was

carried out on a single pro cessor with 1.8GB of available main memory.

As can b e observed from Table 1, XMC p erforms exceptionally well on this

demanding b enchmark. This can b e attributed to the p ower of the underlying

Prolog data structuring facility the i-proto col makes use of non-trivial data

structures such as arrays and records, and the fact that data structures in XSB

are evaluated lazily.

Version Tool Completed? Memory Time

MB min:sec

W=1 ~ xed COSPAN Yes 4.9 0:41

SMV Yes 4.0 41:52

SPIN Yes 749 0:10

XMC Yes 18.4 0:03

W=1 xed COSPAN Yes 116 24:21

SMV Yes 5.3 74:43

SPIN Yes 820 1:02

XMC Yes 128 0:46

W=2 ~ xed COSPAN Yes 13 1:45

SMV No 28 >35 hrs

SPIN Yes 751 0:12

XMC Yes 68 0:11

W=2 xed COSPAN Yes 906 619:49

SMV No | |

SPIN Yes 1789 6:23

XMC Yes 688 3:48

Table 1. i-proto col mo del-checking results.

4 Beyond Finite-State Mo del Checking

In Section 3 we provided evidence that nite-state mo del checking can b e ef-

ciently realized using tabled logic programming.We argue here that tabled

LP is also a p owerful and versatile vehicle for verifying in nite-state systems.

In particular, three applications of tabled logic programming to in nite-state

mo del checking are considered. In Section 4.1, we showhow an XMC-style mo del

checker can b e extended with comp ositional techniques. Comp ositional reason-

ing can b e used to establish prop erties of in nite-state systems that dep end

only on some nite subpart. Section 4.2 treats parameterized systems. Finally,

in Section 4.3, the application of tabled LP to real-time systems is discussed.

4.1 Comp ositional Mo del Checking

Consider the XL pro cess A o nil. Clearly it satis es the prop erty diamA,tt.

We can use this fact to establish that A o nil  T also satis es diamA,tt,

without consideration of T. This observation forms the basis for compositional

model checking , which seeks to solve the mo del checking problem for complex

systems in a mo dular fashion. Essentially, this is accomplished by examining the

syntactic structure of pro cesses rather than the transition relation. Recall, that

the XMC mo del checker, presented in Section 3, do es exactly the latter in its

computation of the predicate trans/3. Besides yielding p otentially signi cant

eciency gains, the comp ositional approachisintriguing also when one considers

that the T in our example maywell have b een in nite-state or even unde ned.

Andersen, Stirling and Winskel [ASW94] present an elegant comp ositional

pro of system for the veri cation of pro cesses de ned in a synchronous pro cess

calculus similar to Milner's SCCS [Mil83] with resp ect to prop erties expressed

in the mo dal mu-calculus. A useful feature of their system is the algorithmic

nature of the rules. The only nondeterminism in the choice of the next rule to

apply arises from the disjunction op erator in the logic and the choice of action

in the pro cess. Both of these sources of nondeterminism are unavoidable. In this

resp ect, it di ers from many systems rep orted in literature which require a clever

choice of intermediate assertions to guide the choice of rules.

Andersen et al. in [ASW94] also present an enco ding of CCS into their syn-

chronous pro cess calculus and consequently it is p ossible to use their pro of sys-

tem to verify CCS pro cesses. This enco ding, however, has two disadvantages.

First, the size of the alphab et increases exp onentially with the numb er of paral-

lel comp onents, and, secondly, the translation of the CCS parallel comp osition

op erator is achieved via a complex nesting of synchronous parallel, renaming,

and restriction op erators.

To mitigate the problems with their pro of system in the context of CCS,

wehave adapted it to work directly for CCS pro cesses under the restriction

that relab eling op erators use only injective functions. Our system retains the

algorithmic nature of their system, yet incorp orates the CCS parallel comp osition

op erator and avoids the costly alphab et blowup.

This adaptation is achieved by providing rules at three levels as opp osed to

two in [ASW94]. The rst level deals with pro cesses that are not in the scop e of a

parallel comp osition op erator, the second for pro cesses in the scop e of a parallel

comp osition op erator, and the third for pro cesses app earing in the scop e of

relab eling and parallel comp osition op erators.

A Level-1 Rule:

modelsP1  P2, boxA,F :- modelsP1, boxA,F,

modelsP2, boxA,F.

A Level-2 Rule:

modelsP1  P2 '||' P3, boxA,F :-

modelsP1 '||' P3, boxA, F,

modelsP2 '||' P3, boxA, F.

A Level-3 Rule:

modelsB o P1 @ R '||' P2, boxA,F :-

mapsR,B,C, modelsC o P1 @ R '||' P2, boxA,F.

Our system is sound for arbitrary pro cesses and complete for nite-state

pro cesses. It has b een implemented using XSB in the same declarative fashion

as our XMC mo del checker. The comp ositional system is exp ected to improve

on XMC's space eciency byavoiding the calculation of intermediate states and

by reusing subpro ofs, though worst-case b ehavior is unchanged. Performance

evaluation is ongoing.

Our comp ositional system can indeed provide pro ofs for prop erties of par-

tially de ned pro cesses as illustrated by the following example from [ASW94].

Let p ::= tau o p  T and q ::= tau o q  T where T is an unsp eci-

ed pro cess. The formula x += boxtau, x expresses the impossibility of di-

vergence. The following is a pro of that p '||' q may p ossibly diverge.

modelsp '||' q, x

?- modelsp '||' q, boxtau, x

?- modelstau o p  T '||' q, boxtau, x

?- modelstau o p '||' q, boxtau, x

?- modelsp '||' q, x

?- fail.

4.2 Mo del Checking Parameterized Systems using Induction

Wehavethus far describ ed how inference rules for a varietyofveri cation sys-

tems can b e enco ded and evaluated using XSB. These inference systems sp ecify

pro cedures that are primarily intended for mo del checking nite-state systems.

Wenowsketchhow more p owerful deductiveschemes o er alb eit incomplete

ways to verify prop erties of parameterized systems . A parameterized system rep-

resents an in nite family of nite-state systems; examples include an n-bit shift

register and a token ring containing an arbitrary numb er of pro cesses.

An in nite family of shift registers can b e sp eci ed in XL as follows:

reg0 :== bit

regsN :== bit @ [get/temp] || regN @ [give/temp] \ {temp}

bit :== inget o outgive o bit

In the ab ove sp eci cation, natural numb ers are represented using successor no-

tation 0, s0, ss0, ::: and regn de nes a shift register with n +1

bits.

Now consider what happ ens when the query modelsregM, , for some

nontrivial prop erty  and M unb ound thereby representing an arbitrary instance

of the family, is submitted to an XMC-style mo del checker. Tabled evaluation of

this query will attempt to enumerate all values of M such that regM mo dels the

formula . Assuming there are an in nite numberofvalues of M for which this is

the case, the query will not terminate. Hence, instead of attempting to enumerate

the set of parameters for which the query is true, we need a mechanism to derive

answers that compactly describe this set.

For this purp ose, we exploit XSB's capability to derive conditional answers:

answers whose truth has not yet b een or cannot b e indep endently established.

This mechanism is used already in XSB for handling programs with non-strati ed

negation under well-founded semantics. For instance, for the program fragment

p :- q. q :- tnot r. r :- tnot q. XSB generates three answers: one for p that

is conditional on the truth of q, and one each for q and r, b oth conditional on

the falsity of the other. Now, if r can b e proven false indep endently, conditional

answers for q and p can b e simpli ed : b oth can b e marked as unconditionally

true.

Our approachtomodelchecking parameterized systems is to implementa

scheme to uncover the inductive structure of a veri cation pro of based on the

ab ove mechanism for marking and simplifying conditional answers. Consider,

again, the query modelsregM, . When resolving this query,we will en-

counter two cases, corresp onding to the de nition of the reg family: i M=0,

and ii M = sN, corresp onding to the base case and the recursive case, re-

sp ectively.For the base case, the mo del checking problem is nite-state and the

query modelsreg0,  can b e completely evaluated by tabled resolution.

For the recursive case, we will eventual ly encounter a subgoal of the form

0 0

modelsregN,  , where  is some subformula of .For simplicity of ex-

0

p osition, consider the case in which  =  . Under tabled resolution, since

this subgoal is a variant of one seen b efore, we will b egin resolving answers

to modelsregN,  from the table of modelsregM, , and eventually

add new answers to modelsregM, . This naive strategy leads to an in-

nite computation. However, instead of generating enumerating answers for

modelsregN,  for adding answers to modelsregM, ,we can gener-

ate one conditional answer, of the form:

modelsregM,  :- M = sN, modelsregN, .

which captures the dep endency b etween the two sets of answers. In e ect, we

haveevaluated away the nite parts of the pro of, \skipping over" the in nite

parts while retaining their structure. For instance, in the ab ove example, we

skipp ed over modelsregN,  i.e., did not attempt to establish its truth in-

dep endently, and retained the structure of the in nite part by marking the truth

of modelsregsM,  as conditional on the truth of modelsregN, .

Using this mechanism, we are left with a residual program, a set of conditional

answers that re ects the structure of the inductive pro of. The residual program,

in fact, computes exactly the set of instances of the family for which the prop erty

holds, and hence compactly represents a p otentially in nite set.

Resolution as sketched ab ove, by replacing instances of heads left-hand sides

of rules by the corresp onding b o dies right-hand sides unfolds the recursive

structure of the sp eci cation. In order to make the structure of induction explicit,

it is often necessary to p erform folding steps, where instances of rule b o dies

are replaced by the corresp onding heads. In [RRRS98]we describ e how tabled

resolution's ability to compute conditional answers, and folding mechanisms can

b e combined to reveal the structure of induction.

It should b e noted that although wehave a representation for the in nite

set of instances for which the prop erty holds, the pro of is not yet complete; we

still need to show that the set of instances wehave computed covers the entire

family. What wehave done is to simply evaluate away the nite parts, leaving

b ehind the core induction problem, which can then b e p ossibly solved using

theorem provers. In many cases, however, the core induction problem is simple

enough that the pro of can b e completed by heuristic metho ds that attempt to

nd a counter example, i.e., an instance of the family that is not generated by the

residual program. For example, wehave successfully used this counter-example

technique to verify certain liveness prop erties of token rings and chains shift

registers, and soundness prop erties of carry lo ok-ahead adders.

4.3 Mo del Checking Real-Time Systems

Another kind of in nite-state system we are interested in is real-time systems .

Most emb edded systems suchasavionics b oxes and medical devices are required

to satisfy certain timing constraints, and real-time system sp eci cations allowa

system designer to explicitly capture these constraints.

Real-time systems are often sp eci ed as timed automata [AD94]. A timed

automaton consists of a set of locations analogous to states in a nite automa-

ton, and a set of edges b etween lo cations denoting transitions. Lo cations as

well as transitions may b e decorated with constraints on clocks . An example of

a timed automaton app ears in Figure 6. A state of a timed automaton comprises

a lo cation and an assignmentofvalues to clo ckvariables. Clearly, since clo cks

range over in nite domains, timed automata are in nite-state automata.

Real-time extensions to temp oral logics, such as timed extensions of the

mo dal mu-calculus [ACD93,HNSY94,SS95], are used to sp ecify the prop erties

of interest.

Traditional mo del-checking algorithms do not directly work in the case of

real-time systems since the underlying state-space is in nite. The key then is to

consider only nitely many regions of the state space. In [AD94]itisshown that

when the constraints on clo cks are restricted to those of the form X

where X and Y are clo ckvariables and c is a constant, the state space of a

timed automaton can b e partitioned into nitely many stable regions|sets of

indistinguishable elements of the state space.

For example, in the automaton of Figure 6, states hL ;t =3iand hL ;t =

0 0

4i are indistinguishable. States hL ;t =4iand hL ;t =6i,however, can b e

0 0

distinguished, since only from the latter can we make a transition to hL ;t =6i,

1

where an a-transition is enabled.

bt>2 a LL01 t>1

adc

reset t t>5 L2

t<8

Fig. 6. Timed Automaton

In [SS95], we presented a local algorithm for mo del checking real-time sys-

tems, where the nite discretization of the state space is done on demand, and

only to the extent needed to prove or disprove the formula at hand. We can

enco de the essence of this algorithm with three predicates: models/2, which ex-

presses when a region satis es a timed temp oral formula, refinesto/2, which

relates a region with its partitions obtained during nite discretization, and

edge/3, which captures the transitions b etween regions.

Re nement adds a new inference rule to mo dels:

R refinesto fR g; 8i R ` F

i i

R ` F

which is captured by the following Horn clause:

modelsR, F :- refinestoR, Refinements, map_modelsRefinements, F.

Re nement creates new regions, and hence intro duces new edges. The pres-

ence or absence of such edges may force further re nement. Therefore, refinesto

and edge are mutually recursive predicates. Regions themselves are represented

as a set of linear constraints, and op erations on regions such as splitting, which

is needed when two p oints in a region can b e distinguished manipulate these

constraints. Thus the resultant program is a tabled constraint logic program.

Such programs can b e evaluated in XSB using a meta interpreter, without mo d-

ifying XSB's SLG-resolution engine. For b etter p erformance, however, we plan

to directly augment the engine with a constraint-handling facility.

5 Conclusions

Wehave surveyed the current state of the LMC pro ject, which seeks to use the

latest developments in logic-programming technology to advance the state of

the art of system sp eci cation and veri cation. In particular, the XMC mo del

checker was discussed as well as several directions in whichwe are extending the

LMC approachbeyond traditional nite-state mo del checking.

Additional eciency and ease-of-use issues are worthy of future investiga-

tion. First, since mo del checkers are sp eci ed at the level of semantic equations,

equations of abstract semantics [CC77] can b e enco ded with equal ease. These

can b e used to incorp orate pro cess and formula abstractions, whichhave b een

used successfully to ameliorate state explosion in mo del checking [Dam96], into

an LMC-style mo del checker. Secondly, the programmability of an LP system

allows for direct enco ding of traditional mo del-checking optimizations, suchas

partial order reduction [HPP96]. Finally, the high level at which mo del checking

is sp eci ed corresp ondingly elevates the level at which erroneous system sp eci -

cations can b e diagnosed and debugged.

References

[ACD93] R. Alur, C. Courcoub etis, and D. Dill. Mo del-checking for real-time sys-

tems. Information and Computation, 1041:2{34, 1993.

[AD94] R. Alur and D. Dill. The theory of timed automata. Theoretical Computer

Science, 1262, 1994.

[AH96] R. Alur and T. A. Henzinger, editors. Computer AidedVeri cation CAV

'96,volume 1102 of Lecture Notes in Computer Science, New Brunswick,

New Jersey, July 1996. Springer-Verlag.

[ASW94] H. R. Andersen, C. Stirling, and G. Winskel. A comp ositional pro of

system for the mo dal mu-calculus. In Proceedings of the Ninth Annual

IEEE Symposium on Logic in Computer Science, pages 144{153, Paris,

France, July 1994.

[CC77] P. Cousot and R. Cousot. Abstract interpretation: A uni ed lattice mo del

for static analysis of programs by construction or approximation of x-

p oints. In ACM Symposium on Principles of Programming Languages,

pages 238{252. ACM Press, 1977.

[CE81] E. M. Clarke and E. A. Emerson. Design and synthesis of synchroniza-

tion skeletons using branching-time temp oral logic. In D. Kozen, editor,

Proceedings of the Workshop on Logic of Programs, Yorktown Heights,

volume 131 of Lecture Notes in Computer Science, pages 52{71. Springer-

Verlag, 1981.

[CES86] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic veri cation of

nite-state concurrent systems using temp oral logic sp eci cations. ACM

TOPLAS, 82, 1986.

[CLSS96] R. Cleaveland, P. M. Lewis, S. A. Smolka, and O. Sokolsky. The Con-

currency Factory: A developmentenvironment for concurrent systems. In

Alur and Henzinger [AH96], pages 398{401.

[CMCHG96] E. M. Clarke, K. McMillan, S. Camp os, and V. Hartonas-GarmHausen.

Symb olic mo del checking. In Alur and Henzinger [AH96], pages 419{422.

[CW96a] W. Chen and D. S. Warren. Tabled evaluation with delaying for general

logic programs. Journal of the ACM, 431:20{74, January 1996.

[CW96b] E. M. Clarke and J. M. Wing. Formal metho ds: State of the art and

future directions. ACM Computing Surveys, 284, Decemb er 1996.

[Dam96] D. Dams. Abstract Interpretation and Partition Re nement for Model

Checking. PhD thesis, Eindhoven UniversityofTechnology, 1996.

[EL86] E. A. Emerson and C.-L. Lei. Ecient mo del checking in fragments of the

prop ositional mu-calculus. In Proceedings of the First Annual Symposium

on Logic in Computer Science, pages 267{278, 1986.

[GL88] M. Gelfond and V. Lifschitz. The stable mo del semantics for logic pro-

gramming. In International ConferenceonLogic Programming, pages

1070{1080, 1988.

[HHK96] R. H. Hardin, Z. Har'El, and R. P. Kurshan. COSPAN. In Alur and

Henzinger [AH96], pages 423{427.

[HNSY94] T. A. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Symb olic mo del

checking for real-time systems. Information and Computation, 1112,

1994.

[HP96] G. J. Holzmann and D. Peled. The state of SPIN. In Alur and Henzinger

[AH96], pages 385{389.

[HPP96] G. Holzmann, D. Peled, and V. Pratt, editors. Partial-Order Methods in

Veri cation POMIV '96, DIMACS Series in Discrete Mathematics and

Theoretical Computer Science, New Brunswick, New Jersey, July 1996.

American Mathematical So ciety.

[JL87] J. Ja ar and J.-L. Lassez. Constraint logic programming. In ACM Sym-

posium on Principles of Programming Languages, pages 111{119, 1987.

[Koz83] D. Kozen. Results on the prop ositiona l -calculus. Theoretical Computer

Science, 27:333{354, 1983.

[Llo84] J. W. Lloyd. Foundations of Logic Programming. Springer, 1984.

[LRS98] X. Liu, C. R. Ramakrishnan, and S. A. Smolka. Fully lo cal and ecient

evaluation of alternating xed p oints. In Proceedings of the Fourth In-

ternational ConferenceonTools and Algorithms for the Construction and

Analysis of Systems TACAS '98, Lecture Notes in Computer Science.

Springer-Verlag, 1998.

[Mil83] R. Milner. Calculi for synchrony and asynchrony. Theoretical Computer

Science, 25:267{310, 1983.

[Mil89] R. Milner. Communication and Concurrency. International Series in

Computer Science. Prentice Hall, 1989.

[NS96] I. Niemela and P. Simons. Ecient implementation of the well-founded

and stable mo del semantics. In Joint International Conference and Sym-

posium on Logic Programming, pages 289{303, 1996.

[QS82] J. P. Queille and J. Sifakis. Sp eci cation and veri cation of concurrent

systems in Cesar. In Proceedings of the International Symposium in Pro-

gramming,volume 137 of Lecture Notes in Computer Science, Berlin,

1982. Springer-Verlag.

+

[RRR 97] Y. S. Ramakrishna, C. R. Ramakrishnan, I. V. Ramakrishnan, S. A.

Smolka, T. W. Swift, and D. S. Warren. Ecient mo del checking us-

ing tabled resolution. In Proceedings of the 9th International Confer-

ence on Computer-AidedVeri cation CAV '97, Haifa, Israel, July 1997.

Springer-Verlag.

[RRRS98] A. Roychoudhury, C. R. Ramakrishnan, I. V. Ramakrishnan, and S. A.

Smolka. Tabulation-based induction pro ofs with applicati ons to auto-

mated veri cation. In Workshop on Tabulation in Parsing and Deduction,

1998.

[SS95] O. Sokolsky and S. A. Smolka. Lo cal mo del checking for real-time systems.

In Proceedings of the 7th International Conference on Computer-Aided

Veri cation. American Mathematical So ciety, 1995.

[SSW96] K. Sagonas, T. Swift, and D. S. Warren. An abstract machine to compute

xed-order dynamicall y strati ed programs. In International Conference

on AutomatedDeduction CADE, 1996.

[TS86] H. Tamaki and T. Sato. OLDT resolution with tabulation. In Interna-

tional ConferenceonLogic Programming, pages 84{98. MIT Press, 1986.

[vRS91] A. van Gelder, K. A. Ross, and J. S. Schlipf. The well-founded semantics

for general logic programs. Journal of the ACM, 383, 1991.

[Wol86] P.Wolp er. Expressing interesting prop erties of programs in prop ositional

temp oral logic. In Proc. 13th ACM Symp. on Principles of Programming,

pages 184{192, St. Petersburgh, January 1986.

[XSB98] XSB. The XSB logic programming system v1.8, 1998. Available from

http://www.cs.sunysb.edu/sbprolog.