? Logic Programming and Mo del Checking Bao qiu Cui, Yifei Dong, Xiao qun Du, K. Narayan Kumar, C. R. Ramakrishnan, I. V. Ramakrishnan, Abhik Roychoudhury, Scott A. Smolka,David S. Warren Department of Computer Science SUNY at Stony Bro ok Stony Bro ok, NY 11794{4400, USA http://www.cs.sunysb.edu/lmc Abstract. We rep ort on the current status of the LMC pro ject, which seeks to deploy the latest developments in logic-programmin g technology to advance the state of the art of system sp eci cation and veri cation. In particular, the XMC mo del checker for value-passing CCS and the mo dal mu-calculus is discussed, as well as the XSB tabled logic programming system, on which XMC is based. Additionally, several ongoing e orts aimed at extending the LMC approachbeyond traditional nite-state mo del checking are considered, including comp ositional mo del checking, the use of explicit induction techniques to mo del check parameterized systems, and the mo del checking of real-time systems. Finally, after a brief conclusion, future research directions are identi ed. 1 Intro duction In the summer of 1997, C.R. Ramakrishnan, I.V. Ramakrishnan, Smolka, and Warren were awarded a four-year NSF Exp erimental Software Systems ESS 1 grant to investigate the idea of combining the latest developments in concur- rency research and in logic programming to advance the state-of-the art of sys- tem sp eci cation and veri cation. This was the rst year of the ESS program at NSF, and its goal is to supp ort exp erimental investigations by research teams dedicated to making fundamental progress in software and software engineering. The ESS program director is Dr. William W. Agresti. The current primary fo cus of our ESS-sp onsored pro ject is model check- ing [CE81,QS82,CES86], the problem of determining whether a system sp eci ca- tion p ossesses a prop erty expressed as a temp oral logic formula. Mo del checking has enjoyed wide success in verifying, or nding design errors in, real-life sys- tems. An interesting account ofanumb er of these success stories can b e found in [CW96b]. ? Research supp orted in part by NSF grants CDA{9303181, CCR{9404921, CCR{ 9505562, CDA{9504275, CCR{9705998, CCR{9711386 and AFOSR grants F49620- 95-1-0508 and F49620-96-1-0087. 1 There are two additional co-Principal Investigators on the grant who are no longer at Stony Bro ok: Y.S. Ramakrishna of Sun Microsystems and Terrance Swift lo cated at the University of Maryland, College Park. We call our approach to mo del checking logic-programming-basedmodel checking , or LMC for short, and it is centered on two large software sys- tems develop ed indep endently at SUNY Stony Bro ok: the Concurrency Fac- tory [CLSS96] and XSB [XSB98]. The Concurrency Factory is a sp eci cation and veri cation environment supp orting integrated graphical/textual sp eci ca- tion and simulation, and mo del checking in the mo dal mu-calculus [Koz83] tem- p oral logic. XSB is a logic programming system that extends Prolog-style SLD resolution with tabledresolution . The principal merits of this extension are that XSB terminates on programs having nite mo dels, avoids redundant sub compu- tations, and computes the well-founded mo del of normal logic programs. Veri cation systems equipp ed with mo del checkers ab ound. For exam- ple, http://www.csr.ncl.ac.uk:80/projects/FME/InfRes/tools lists over 50 sp eci cation and veri cation to olkits, most of which supp ort some form of mo del checking. Although these to ols use di erent system-sp eci cation languages and prop erty-sp eci cation logics, the semantics of these logics and languages are typically sp eci ed via structural recursion as least, greatest, alternating xed p oints of certain typ es of functionals. It is therefore interesting to note that the semantics of negation-free logic programs are given in terms of minimal mo dels, and Logic Programming LP systems attempt to compute these mo dels. The minimal mo del of a set of Horn clauses is equivalent to the least xed p oint of the clauses viewed as equations over sets of atoms. Hence, mo del checking problems involving least xed p oints can b e naturally and concisely cast in terms of logic programs. Problems in- volving greatest xed-p oint computations can b e easily translated into least xed-p oint computations via the use of logical negation. However, Prolog-style resolution is incomplete, failing to nd minimal mo d- els even for datalog function-free programs. Moreover, the implementation of negation in Prolog di ers from the semantics of logical negation in the mo del theory. Consequently, traditional Prolog systems do not o er the needed supp ort to directly implement mo del checkers. As alluded to ab ove, evaluation strate- gies such as tabling [TS86,CW96a]overcome these limitations see Section 2.2. Hence, tabled logic programming systems app ear to o er a suitable platform for implementing mo del checkers. The p ertinent question is whether one can con- struct a mo del checker using this approach that is ecient enough to b e deemed practical. The evidence wehave accumulated during the rst year of our LMC pro ject indicates that the answer to this question is most de nitely \yes." In particular, + wehave develop ed XMC [RRR 97], a mo del checker for Milner's CCS [Mil89] and the alternation-free fragment [EL86] of the mo dal mu-calculus. The full value-passing version of CCS is supp orted, and a generalized pre x op erator is used that allows arbitrary Prolog terms to app ear as computational units in XMC system sp eci cations. Full supp ort for value-passing is essential in a sp eci cation language intended to deal with real-life systems such as telecom- munications and security proto cols. XMC is written in approximately 200 lines of XSB tabled-logic-programming Prolog co de, and is primarily intended for the mo del checking of nite-state systems, although it is capable of handling certain kinds of in nite-state sys- tems, such as those exhibiting \data indep endence" [Wol86]. With regard to the eciency issue, XMC is highly comp etitive with state-of-the-art mo del check- ers hand-co ded in C/C++, such as SPIN [HP96] and the Concurrency Fac- tory [CLSS96]. This p erformance can b e attributed in part to various asp ects of the underlying XSB implementation, including its extensive supp ort of tabling and the use of trie data structures to enco de tables. In [LRS98]we describ e how XMC can b e extended to the full mo dal mu-calculus. Buoyed by the success of XMC, we are currently investigating ways in which the LMC approach can b e extended b eyond traditional nite-state mo del check- ing. In particular, the following e orts are underway. { An LMC-style sp eci cation of a mo del checker is given at the level of seman- tic equations, and is therefore not limited to any sp eci c system-sp eci cation language or logic. For example, wehave built a compositional mo del checker, simply by enco ding the inference rules of the pro of system as Horn clauses Section 4.1. { Traditionally, mo del checking has b een viewed as an algorithmic technique, although there is a urry of recent activity on combining mo del checking with deductive metho ds. Observe that optimized XSB meta-interpreters can b e used to execute arbitrary deductive systems. Hence, the LMC ap- proach o ers a unique opp ortunity to fully and exibly integrate algorithmic and deductive mo del checking, arguably the most interesting problem b eing currently researched by the veri cation community.Tovalidate this claim, wehave b een exp erimenting with ways of augmenting XMC with the p ower of induction, with an eyetoward the veri cation of parameterized systems Section 4.2. { By using constraints as in Constraint LP [JL87] to nitely represent in nite sets and tabled resolution to eciently compute xed p oints over these sets, we are lo oking at how tabled constraint LP can b e used to verify real-time systems Section 4.3. The rest of the pap er is structured follows. Section 2 shows how mo del check- ing can b e essentially viewed as a problem of xed-p oint computation, and how xed p oints are computed in XSB using tabled resolution. Section 3's fo cus is our XMC mo del checker, and Section 4 describ es ongoing work on extending the XMC technology b eyond traditional nite-state mo del checking. After a brief conclusion, Section 5 identi es several promising directions for future research. 2 Preliminaries In this section we describ e the essential computational asp ects of mo del check- ing and tabled logic programming. This side-by-side presentation exp oses the primary rationale for the LMC pro ject. 2.1 Mo del Checking As remarked in the Intro duction, mo del checking is essentially a problem of xed- p oint computation. To substantiate this view, consider an example. Supp ose we have a transition system T transition systems are often used to mo del systems in the mo del-checking framework and we wish to check if the start state of T satis es the CTL branching-time temp oral logic formula EF p.