Decidability of invariant validation for paramaterized systems

parameterized systems ?

Pas alFontaineandE. Pas alGribomont

UniversityofLiege(Belgium)

fpfontain,gribomontgmontefio re.ul g.a .be

Abstra t. The ontrol part of many on urrent and distributed

pro-gramsredu estoaset=fp1;:::;pngofsymmetri pro esses

ontain-ingmainlyassignmentsandtestsonBooleanvariables.However,the

as-signments,theguardsandtheprograminvariants anbe-quantied,so

the orrespondingveri ation onditionsalsoinvolve-quanti ations.

We propose a systemati pro edure allowing the elimination of su h

quanti ations for a large lass of program invariants. At the ore of

this pro edure is a variant of the Herbrand Theorem for many-sorted

rst-orderlogi withequality.

1 Introdu tion

Attheheartof on urrentsoftwareare ontrol-intensive on urrentalgorithms,

whi h solve a large lass of problems, in luding mutual ex lusion,

termina-tiondete tion,reliable ommuni ationthroughunreliable hannels,syn hronous

ommuni ationthroughasyn hronous hannels,fault toleran e,leaderele tion,

Byzantine agreement, on urrentreading and writing, and so on. (See e.g.[8,

25℄formanyexamples,with ommentsandformalorinformalproofs).Manyof

thosesystemsare omposedofaparameterizednumberofidenti alpro essesor

nearlyidenti al pro esses 1

. Most variablesare Booleans orarraysofBooleans,

and operations on the remaining variables are elementary. The veri ation of

su hparameterized on urrentsystemsisthesubje tofmanyre entpapers[1,

4,7,11,17,23,24,31℄.

Requirementsofsu halgorithmsusuallyfallinsafetyproperties(\something

badneverhappens") andliveness properties(\somethinggoodeventually

hap-pens"). It is often possible to view a liveness property as the onjun tion of

a safety property and a fairness hypothesis (\progress is made") so, in

pra -ti e,theveri ationofsafetypropertiesisthemainpartofformalmethodsand

tools.The lassi alinvariantmethod allowsto redu e theveri ationof safety

propertiesto thevalidityproblemforrst-orderlogi .It ouldhappenthatthe

?

Thisworkwas fundedbyagrantof the\Communautefran aisedeBelgique -

Di-re tiondelare her hes ientique-A tionsdere her he on ertees"

1

burgerarithmeti ), butthisisrarelythe asebe auseBooleanarrays(modeled

by uninterpreted predi ates) are oftenused in these algorithms, together with

interpretedpredi ates 2

.

Quantier-freerst-orderlogi satisability he kingis de idableforavery

widerangeofformulaswithnon-interpretedandinterpretedpredi atesand

fun -tions.Thusde idabilityis oftenrea hed throughquantierelimination.We

in-trodu e hereasimple quantierelimination method for alarge lass of

veri- ation onditions. It is based on a many-sorted logi with equality variant of

theHerbrandTheoremwhi hallowstohavesomekindofnitemodelproperty

[12℄ even when somefun tions (interpreted or not) and interpreted predi ates

areusedin formulas.Wethengive riteriaforveri ation onditionstobenet

from thisproperty.Those riteriaallowtoeliminatequantiersin theproofby

invariantofmanyrea tivealgorithms, andparti ularly forparameterized

algo-rithms,leadingtoapowerfulinvariantvalidationpro edure.Itallowstoredu e

theinvariantvalidationforasystemwith aparameterizednumberofpro esses

to the invariant validation for asystem with aknown number of pro essesn

0

(Theorem2).Ourmethod anbeseenasanextensionoftheinvariantvalidation

pro edure presentedin [3℄: ourapproa hdoesnotrestri t theuse offun tions

andpredi atestounaryones,andisnotrestri tedtobounded variables.

Ourimplementationhasgivengoodresultsonseveralalgorithms;in

parti -ular, it hasbeensu essful in provingallveri ation onditionsfora

parame-terizedrailroad rossingsystem[21℄usedasben hmarkforSTeP,whereasSTeP

itselfrequiresintera tiveveri ationforsomeofthem[6℄.

WerstpresentourvariantoftheHerbrandTheorem. Next,thisvariantis

usedtoeliminatethequantiersinveri ation onditionsfrominvariant

valida-tionofparameterizedsystems.Last,twoexamplesarepresented.

2 Herbrand on many-sorted logi

In this se tion, Theorem 1 and its ontext is introdu ed. This theorem will

be used to eliminate quantiers in veri ation onditions, whi h will lead to

Theorem2.

Amany-sortedrst-orderlanguage(amore ompleteintrodu tionto

many-sorted logi an befound in [13℄) is atuple L =hT;V;F;P;r;disu h that T

is a nite set of sorts (or types), V is the (nite) union of disjoint nite sets

V

of variables of sort , F andP aresets of fun tion and predi ate symbols,

r (F[P !N) assigns an arityto ea h fun tion and predi atesymbol,and d

(F[P!T ?

)assignsasortinT r(f)+1

toea hfun tionsymbolf 2Fandasort

in T r(p)

to ea h predi ate symbol p 2P. Nullary predi ates are propositions,

andnullaryfun tionsare onstants.

Thesets of-termsonlanguageL ontainallvariablesinV

,andforevery

fun tion symbolf 2F of sort h 

1 ;::: n ;i ,f(t 1 ;:::t n ) isa-termif t 1 ;:::t n are 1 ;::: n

-termsrespe tively.Sort(t)= ift isa-term.

Anatomi formulaiseithert=t wheretandt aretermsofthesamesort,or

apredi atesymbolappliedtoargumentsofappropriatesorts.Formulasarebuilt

(asusual)fromatomi formulas, onne tors(:,^,_,),),andquantiers(8,

9). Theset of allvariablesused in formula isnotedVars(),and Free() is

thesetofallfreevariablesin.Aformulais losedifFree()=;.Aformula

is-universallyquantiedifitisoftheform8x withx avariableoftype.

A formula is in prenex form if it is of the form Q

1 x 1 :::Q n x n () where Q 1 ;:::Q n 2 f9;8g, x 1 ;:::x n

2 V, and  is quantier-free. A formula is in

Skolemformifitisinprenexformwithoutexistentialquantier.

A(normal)interpretationofaformulaonamany-sortedrst-orderlanguage

L=hT;V;F;P;r;diisapairI=hD;Iiwhere

{ Dassignsanon-emptydomainD

(set)toea htype 2T.Thosesetsare

notne essarilydisjoint;

{ I assignsanelementin D

toea hvariable ofsort;

{ I assignsafun tionD  1 :::D  n !D 

toea hfun tionsymbolf 2F of

sorth 1 ;::: n ;i ; { Iassignsafun tionD  1 :::D  n

!f>;?gtoea hpredi atesymbolp2P

ofsorth 

1 ;:::

n i ;

{ theidentityisassigned totheequalitysign(=).

I assigns avalue in D

to every -term t.This valueis notedI[t℄. Similarly,

interpretation I assigns a valuein f>;?g to everyformula , whi h is noted

I[℄. An interpretation I is amodel for formula  if I[℄ =>. A formula is

satisableifthereexists amodelforit.

Given aninterpretation I, the ongruen e C

I;= = f(t i ;t 0 i )jI[t i ℄=I[t 0 i ℄g

isare exive,symmetri andtransitiverelationonthesetof termsof language

L. Thisrelationisimportantfortheproofofthefollowingtheorem.

Theorem1. Given

{ a losedformula S inSkolemformon the languageL=hT;V;F;P;r;di;

{  2T su hthatthereisnofun tion symbol f 2F of sorth 

1 ;::: n ;iwith n>0, 1 ;::: n 2T; the set H 

isthe set of onstant symbols of sort  (H

=f 2 Fjd( ) =g).

If f 2Fjd( )=g=;, thenH

=fag,wherea isanarbitrary new onstant

symbol su hthata62F anda62V.

For everymodel I=hD;Iiof S,thereisamodel I 0 =hD 0 ;I 0 isu hthat { D 0 

isthe quotientof the setH

 by ongruen eC I;= ; { D 0  0 =D  0 for every 0 6=; { I 0

[f℄=I[f℄ forevery fun tionsymbol f 2F ofsort h

1 ;::: n ; 0 isu hthat  1 6=;:::  n 6=; 0 6= (n0); { I 0

[p℄ = I[p℄ for every fun tion symbol p 2 P of sort h

1 ;::: n i su h that  1 6=;:::  n 6= (n0). 0

{ forevery onstantsymbol ofsort in F,I [ ℄is the lassof inD

 ;

{ for everyfun tion symbol f 2 F of sort h 

1 ;::: n ; 0 i (n > 0), and every d 0 1 2 D 0 1 ;:::d 0 n 2 D 0 n , I 0 [f℄(d 0 1 ;:::d 0 n ) = I[f℄(d 1 ;:::d n ) where d i = d 0 i if  i 6=.If i =,d i =I(d 00 i )whered 00 i

isanyelementofthe lassd 0

i 2D

 ;

{ for every predi ate symbol p 2 P of sort h 

1 ;:::

n

i, and every elements

d 0 1 2 D 0 1 ;:::d 0 n 2 D 0 n , I 0 [p℄(d 0 1 ;:::d 0 n ) = I[p℄(d 1 ;:::d n ) where d i = d 0 i if  i 6=.If i =,d i =I(d 00 i )whered 00 i

isanyelementofthe lassd 0

i 2D

 .

ItremainstoshowthatI 0

isamodelofS.Letusrstintrodu eanotation:

given aninterpretationJ =hD;Ji,theinterpretation J

x1=d1;:::xn=dn =hD;J 0 i (wherex 1 ;:::x n

arevariables)issu hthatJ 0 [x i ℄=d i foreveryx i 2fx 1 ;:::x n g andJ 0 [t℄=J[t℄ift62fx 1 ;:::x n g

FormulaSisoftheform8x

1 :::8x

n

().Thusforallelementsd 0 1 ;:::d 0 n su h that d 0 i belongstoD 0  0 ifx i isavariableofsort 0

,thefollowingequalityhold:

I 0 x 1 =d 0 1 ;:::x n =d 0 n [℄=I x 1 =d 1 ;:::x n =d n [℄ with d i =I[d 00 i ℄where d 00 i

isanyelement ofthe lass d 0 i 2D 0  ifx i is ofsort, d i =d 0 i otherwise.

InterpretationI isamodel offormulaS,that meansI

x1=d1;:::xn=dn

[℄=>

forallelementsd

1 ;:::d n whered i belongstoD  0 ifx i isavariableofsort 0 .It followsthatI 0 x1=d 0 1 ;:::xn=d 0 n

[℄=>forallelementsd 0 1 ;:::d 0 n su hthatd 0 i belongs toD 0  0 ifx i isavariableofsort 0 . SoI 0 isamodelofS. ut

Thistheoremisnotexa tlyanextensionoftheHerbrandtheoremto

many-sortedrst-orderlogi .ItisstrongerthantheHerbrandtheorem(seeforexample

[14℄ for thestandardHerbrandtheorem, or [16℄for aversionwith equality)in

thesense that the domaindoesnot ne essarilybe ome innitein thepresen e

of fun tions. On the other hand, its restri tion to one-sorted rst-order logi

givesba ktheHerbrandtheorem,butrestri tedtotheniteHerbranduniverse

ase.Neverthelessthis aseis themostinterestingone:havinganite domain

meansthatquantiereliminationispossible.Considerthesimple(unsatisable)

formula

8i8j[f(i)>g( j)℄ ^ g(a)=3 ^ 9i[f(i)<4℄ (1)

where\<"and\>"aretheusualorderpredi atesonNN.Variablesiandj

and onstantsaandbareofsort 6=Nwhereasf andgarefun tionsfrom to

N.Inthis ontext,thepre edingtheoremstatesthatformula(1)issatisableif

andonlyifformula

f(a)>g(a) ^ f(a)>g(b) ^ f(b)>g(a) ^

f(b)>g(b) ^ g(a)=3 ^ f(b)<4

is. Thislast formulabelongs to thede idable lass ofquantier-freerst-order

logi withlineararithmeti sonN anduninterpretedfun tionsymbols.

Corollary 1. A -universally quantied formula 8x(x) verifying the

ondi-tionsofTheorem1issatisableif andonly ifthenite onjun tion V

2H ( )

A formula ontaininginterpreted predi ates and fun tions is satisable if and

onlyifithasamodelinarestri tedsubsetofallinterpretations,thatistheset

whereinterpretationsasso iateaxeddomaintogivensortsandaxedmeaning

tothoseinterpretedpredi atesandfun tions.InTheorem1,bothinterpretations

IandI 0

asso iatethesamedomaintoeverysortbut,andgivethesame

mean-ingtoeverypredi ateandfun tion,providednoneoftheirargumentsisofsort.

Inotherwords,Theorem 1is ompatible withtheuseofinterpretedpredi ates

andfun tionsprovidednoneoftheirargumentsisofsort.Forinstan e,inthe

pre edingexample(i,jandaareofsort)theargumentsoftheorderpredi ates

(f(i),g(j),...)arenotofthesort.UsingTheorem1,interpretationI andI 0

are su h that I[<℄=I 0

[<℄and I[>℄=I 0

[>℄. Andthis allowsto eliminatethe

quantiersonthesort inpresen eofinterpretedpredi ateswithnoargument

ofsort.

Butitisalsopossibletouseorder predi atesonthesortofquantied

vari-ables.Let'beaformulawith orderpredi ates(\",...)onsort, and be

the onjun tionoftheaxiomsoftotalordertheory,

= 8x(xx)

^8x8y( (xy^yx))x=y)

^8x8y8z((xy^yz))xz)

^8x8y( xy_yx)

withvariablesx;y;z ofsort.An interpretationisamodelof ^'ifandonly

ifitis amodelof'interpreting\",... astheusual orderpredi atesonD

 .

Putting ^' in Skolem form does notintrodu e new Skolemfun tions. The

onditions of Theorem 1are met for ^' ifthey are met for '. Theorem 1

anbeapplied alsoifsome omparisonsaremadebetweentermsof thesortof

quantiedvariables 3

.

4 Quantier elimination in invariant validation

In order to verify that the assertion H is an invariant of the transition

sys-temS,onehastovalidatetheHoaretriplefHgfHgforea htransition 4

2S.

This isrstredu edtorst-order logi proving,usingDijkstra [9℄weakest

pre- ondition (wp) operator:Hoare tripefHgfHg is valid ifand only if formula

H ) wp[;H℄ an be proved.Weakest pre ondition al ulus is easy, provided

3

Asin[3℄,\+1"and\1"fun tions ansometimesbeeliminatedwithoutintrodu ing

newSkolemfun tions,bynoti ingthath=i+1 !i<h^8j(ji_hj)and

h=i1 ![i<h^8j(ji_hj)℄_[h<i^8j(hj_ji)℄:

4

Anexampleoftransitionis(s0[p℄s0[q℄;C !A;s1[p℄s1[q℄)whi hallowsthepro esses

pandq togofrom ontrolpoints0 to ontrolpoints1,exe utingthestatementsin

ditionmoduleinCaveata eptsassignments, onditionalstatements,sequen es

ofstatements,andsomekindofquantiedassignments.Thisisenoughtomodel

rea tivealgorithmsfrom oarsetone-grainedversions.

Ingeneral,theinvariantisa onjun tion (H= V k 2K h k )ofrelativelysmall assertionsh k

.Inparameterizedsystems,theseassertionsareoftenquantiedover

the(parameterized)setofpro esses.Inordertoavoidtheappearan eofSkolem

fun tions when veri ation onditions are put in Skolemform, an assumption

ismadeaboutthesequantiedassertions:they anbeputbothin prenexform

9 ?

8 ?

( alledhypothesis form in the following,be ause this will be the allowed

formintheante edentofformulasoftheformA)B)andinprenexform8 ?

9 ?

( alled on lusionforminthefollowing,be ausethiswillbetheallowedformin

the on lusionofformulasoftheformA)B).Inpra ti e,twoparti ular ases

ofsu hformulasaremetfrequently:

{ formulasin prenexform ontainingonetypeofquantier;

{ formulas ontainingonlymonadi predi ates(andnoequality) 5

.

Thereisalsoanassumptionforguards:guardsmustbeformulasinhypothesis

form.Guards metin pra ti efulll this assumption astheyare quantier-free

formulasorsinglyquantiedformulas.

Takingthepre eding onditionsonquantiersintoa ount,provingformula

H )wp[;H℄ (withH = V

k 2K h

k

) redu es to proveaset offormulas ( alled

veri ation onditions) oftheform

(h 1 ^:::h k ^G))C j

where G is the guard of . All formulas h

1 :::h

k

;G are in hypothesis form.

Thereisoneveri ation onditionforea hh

k (k2K).FormulaC k omesfrom hypothesish k : C k wp[ A;h k

℄, whereA isthe statementpartof .C

k anbe

putin on lusionform:indeed,h

k

anbeputin on lusionform,andtheweakest

pre onditionoperatordoesnotmodifythequantierstru tureofaformula,in

thelanguagea eptedbyCaveat.

Thelastrequirementisaboutfun tions:werequirethatnofun tionusedin

theinvariantH,orinthetransitionsystemShasthepro esssetasdomain.This

mayseemratherrestri tive,butasrea tivealgorithmsmainlyuseBooleanarrays

(modeled bypredi ates,notfun tions), thisrequirementremainsa eptablein

pra ti e.

Underthose onditions,Theorem1 anbeusedto eliminatethequantiers:

Theorem2. If H isa onjun tive formula, and isatransition systemwith

aparameterizednumbernof pro esses,where

{ allquantied variables in H andin the guardof the transitions of range

overtheset ofpro esses;

5

Indeedevery monadi formula is logi ally equivalent to a Boolean ombination of

{ every onjun t inH an be putboth inhypothesis form (9 8) andin on- lusionform(8 ? 9 ? );

{ everytransitionguard anbeputinhypothesisform;

{ nointerpretedpredi ate other thanequality andorder is usedon the set of

pro esses,neitherinH nor in;

{ nofun tion hasthe pro ess setasdomain, neitherin H norin ;

then H is an invariant of  if andonly if H isan invariant of the system 0 with atmostn 0 pro esses,wheren 0 isthe sum of

{ thenumber ofexistentialquantiers inH whenputin hypothesis form;

{ themaximumnumberofexistentialquantiersinguardsoftransitionsin;

{ the maximum number of universal quantiers in the onjun tsof H,when

putin on lusion form;

{ thenumber of onstants inH;

{ themaximumnumber ofpro essestaking part inatransition 6

.

Proof. Indeedfromthetheorem onditions,everyveri ation onditionisofthe

form ( h 1 ^:::h k ^G))C whereformulash 1 ;:::h k

;Gareinhypothesisform,andCisin on lusionform.

Whenputprenexform,thisformulaisoftheform

8x 1 :::8x p 9y 1 :::9y q '(x 1 ;:::x p ;y 1 ;:::y q ); (2)

wherepisthenumberofexistentialquantiersinh

1 ^:::h

k

^Gplusthenumber

ofuniversalquantiersin C.Otherwisestated,p annotex eedthesumof

{ thenumberofexistentialquantiersinH(h

1 ^:::h

k

)whenputinhypothesis

form;

{ themaximumnumberofexistentialquantiersin guards(G) oftransitions

in;

{ the maximum number of universal quantiers in the onjun ts (h

k from

whi hC is omputed)ofH,whenputin on lusion form.

Formula(2)isprovableifand onlyifformula

9x 1 :::9x p 8y 1 :::8y q :'(x 1 ;:::x p ;y 1 ;:::y q ) (3)

isunsatisableor,usingSkolemization,ifandonlyifformula

8y 1 :::8y q :'(a 1 ;:::a p ;y 1 ;:::y q ) (4) is unsatisable, where a 1 ;:::a p

are Skolem onstants, i.e. onstants whi h do

notappearin'(x 1 ;:::x p ;y 1 ;:::y q

).UsingTheorem1,formula(4)issatisable

ifandonlyifthereisamodelwithanitepro essset,whi h ontainsallpro ess

onstantsin '(a 1 ;:::a p ;y 1 ;:::y q ),in ludinga 1 ;:::a p .Son 0 isthesumof 6

{ thenumberof onstants omingfrom H in ';

{ themaximumnumberof onstants omingfrom thetransitions throughG

and C, whi h is the maximum number of pro esses involved at the same

timeinatransition.

u t

Comment. The satisability problem for the S hnnkel-Bernays lass, that is,

the lassoffun tion-freerst-orderformulasoftheform

9x 1 :::9x p 8y 1 :::8y q '(x 1 ;:::x p ;y 1 ;:::y q );

hasrstbeenshowntobede idablebyBernaysandS hnnkelwithoutequality

[5℄ and by Ramsey with equality [29℄.Theorem 1extends this de idable lass

to allow the use of some fun tions (interpreted or not) and some interpreted

predi ates.

Corollary 2. When onditions of Theorem 2 aremet, he king if  preserves

theinvariantH isredu edtoaquantier-freerst-orderlogi satisability

he k-ingproblem.

The quantier-free satisability he king module [15℄ in Caveat is based

on amodiedversionoftheNelson-Oppenalgorithm [26,27℄. Ita eptslinear

arithmeti , as well as uninterpreted predi ates and fun tions. When Theorem

2applies,andwhenthequantier-freeformulasuseonlylineararithmeti , and

uninterpretedpredi ates andfun tions, theinvariantvalidation problem is

de- idable.This is the asefornumerous algorithms.Inthe nextse tionasimple

oneis presented.

5 Parameterized Burns algorithm

Inthiswell-knownsimpleexampleonlyonetypeofvariableisused. Theorem1

thusredu es to theHerbrand theorem(with equality, withoutfun tions). This

simpleexampleallowsto learlyexhibittheunderlyingfa twhi henables

quan-tierelimination:anite Herbranduniverse.

Burns algorithm [22℄, [25, p. 294℄ guarantees ex lusive a ess to a riti al

se tion for aset of n identi al pro esses. Ea h pro ess p an be in one of six

dierentlo ationstates(i.e.s

0 ...s

5

).Aruleexpressesthetrivialpropertythat

ea hpro essisinoneandonlyonestateatea htime:oneandonlyonevariable

in s

0

[p℄,..., s

5

[p℄ istrue(forea hp). Apro esspbeingins

5 (i.e.s

5

[p℄istrue)

isin the riti alse tion.

Twelvetransitionsarepossiblebetweenthesixstates:

s0[p℄; ag [p℄:= false ; s1[p℄
s1[p℄;:S[p;q℄ ^ q<p ^ ag [q℄ ! 8q:S[p;q℄:=false; s0[p℄
s1[p℄;:S[p;q℄ ^ q<p ^ : ag[q℄ ! S[p;q℄:=true; s1[p℄
s [p℄;8q q<p)S[p;q℄
! 8q:S[p;q℄:= false ; s [p℄

s2[p℄; ag [p℄:= true; s3[p℄ s3[p℄;:S[p;q℄ ^ q<p ^ ag [q℄ ! 8q:S[p;q℄:=false; s0[p℄
s 3 [p℄;:S[p;q℄ ^ q<p ^ : ag[q℄ ! S[p;q℄:=true; s 3 [p℄
s3[p℄;8q q<p)S[p;q℄
! 8q:S[p;q℄:= false ; s4[p℄
s4[p℄;:S[p;q℄ ^ p<q ^ ag [q℄ ! 8q:S[p;q℄:=false; s4[p℄
s 4 [p℄;:S[p;q℄ ^ p<q ^ : ag[q℄ ! S[p;q℄:=true; s 4 [p℄
s 4 [p℄;8q p<q)S[p;q℄
! 8q:S[p;q℄:= false ; s 5 [p℄
s5[p℄; ag [p℄:= false ; s0[p℄

Mutualex lusionisobtainedusingtwowaitingrooms(s

3 ands

4

).Therst

one ensures that when a pro ess p has rea hed s

4

, any other pro ess q with

q < p and ag [q℄ = true (trying to get a ess to riti al se tion, or in the

riti alse tion)hasgonethroughtransitions

2 !s

3

afterp.These ondwaiting

roomguaranteesthat this pro essq (withq<p)will beblo kedin s

4

at least

untilpresets ag[p℄tofalse.Onlythehighestpro ess(the onewiththehighest

identier)willthusgeta essto riti alse tion 7

.

Thealgorithmusesonesingle-writersharedregisterperpro ess: ag[p℄isset

to true by pro ess p when it wants to a ess to riti al se tion. Ea h pro ess

palso usesalo al arrayvariable S[p℄.This variable isused in three loops(s

1 , s 3 , s 4

).In theloops forpro ess p thevalueof the ag[q℄ variableof the other

pro essesqis he ked(pro essesqsu hthatq<porq>p).S[p℄isusedtokeep

tra kofpro essesalready he kedandthosewhi hstillhavetobe he ked.The

algorithmmakesalsoextensiveuseofatotalorderrelationbetweenpro esses.

FormulaH = def 8pH 1 (p)^8p8q[ H 2 (p;q)^H 3 (p;q)℄,with H1(p)= def : ag[p℄)(s0[p℄_s1[p℄_s2[p℄) H2(p;q)=def s2[p℄):S[p;q℄ H3(p;q)=def  q<p ^ ag [q℄ ^ (s5[p℄_s4[p℄_(s3[p℄^S[p;q℄))  )  :s 5 [q℄^:(s 4 [q℄^S[q;p℄)  isaninvariant.Itentails 8

themutualex lusionproperty:

8p8q  p6=q)(:s 5 [p℄_:s 5 [q℄)  :

Every onditionismetforTheorem2to beused. Indeed:

{ nofun tion (atall)isused;

{ everyguardisinhypothesisform.Infa t,everyguardisatmoston e

quan-tied;

7

A essto riti alse tionwillbeeasierforpro esseswithhighidentiers.This

algo-rithmdoesnotguaranteehigh-level-fairness.

8

on lusionform,astheyareuniversallyquantied;

{ the only interpreted predi ates are equality and order; obje ts ompared

belongto anite,but parameterized,domain:thesetofpro esses.

FromTheorem2,ifH isaninvariantofthisalgorithmforn

0

=4pro essesthen

H willbeaninvariantofthisalgorithmfor any numberofpro esses.

Let's see how this work for a given veri ation ondition: if H is an

in-variant, it is preserved by every transition, and in parti ular, by transition

 1!2 from s 1 to s 2 . Hoare triple fHg 1!2

fHgmust be provable, so must be

fHg 1!2 f8pH 1 (p)g, fHg 1!2 f8p8qH 2 (p;q)g and fHg 1!2 f8p8q H 3 (p;q)g. Inparti ular,fromfHg 1!2 f8p8qH 2

(p;q)g omestheveri ation ondition

'= def (h 1 ^h 2 ^h 3 ^g 1 ^g 2 ^l 1 ^l 2 ^l 3 ^l 4 ^l 5 ))C with { h 1 = def 8pH 1 (p) { h 2 = def 8p8qH 2 (p;q) { h 3 = def 8p8qH 3 (p;q) { g 1 = def s 1 [p℄ { g 2 = def 8q  q<p)S[p;q℄  { l 1 = def 8p  s 0 [p℄):(s 1 [p℄_s 2 [p℄_s 3 [p℄_s 4 [p℄_s 5 [p℄)  { l 2 = def 8p  s 1 [p℄):(s 2 [p℄_s 3 [p℄_s 4 [p℄_s 5 [p℄)  { l 3 = def 8p  s 2 [p℄):(s 3 [p℄_s 4 [p℄_s 5 [p℄)  { l 4 = def 8p  s 3 [p℄):(s 4 [p℄_s 5 [p℄)  { l 5 = def 8p  s 4 [p℄):s 5 [p℄  { C= def 8s8r  (s6=p)s 2 [s℄)):(s6=p ^ S[s;r℄)  Hypothesesh 1;2;3

omefromtheinvariant,g

1;2

fromthetransitionguards 9

.

For-mulasl

1;:::5

statethatea hpro essisin oneandonlyonestate.The on lusion

C istheresultofapplyingtheweakestpre onditionoperator,i.e.,

Cwp[8q:S[p;q℄:=false;s 1 [p℄:=false;s 2 [p℄:=true;8p8qH 2 (p;q)℄

Everyformulafromh

1 tol

5

isinhypothesisform,andCisin on lusionform.

The Herbrand universe for the negation of this veri ation ondition ontains

fourelements(p,q,andthenew onstants omingfromtheSkolemizationofC).

Everyuniversalquantierinhypotheseswillthengiverisetofourinstan es,for

atotalof61hypotheses 10

.

Caveat took 5 se onds on a Pentium 1 GHz, to generate and verify 40

veri ation onditions.Thisin ludesthetimetoverifythattheinvariantentails

themutualex lusionproperty,andalsothattheinvariantismadetruebyinitial

onditions.

9

g1 omesfromtheoriginofthetransition.Transition(l1;C !A;l2)withoriginl1

anddestinationl2 anbewrittenastransition((C^l1) !A;l1:=false;l2:=true).

10

ea h formula h1, g2, l1:::5 generates four instan es, whereas formulas h2 and h3

TheGeneralizedRailroadCrossingben hmark[21℄usespredi atesandfun tions

fromarithmeti . Itgivesageneralideaofwhat Theorem1allowstodealwith.

A ontrolleroperateson agateof arailroad rossingprote tingN parallel

railroadtra ks.Thegatemustbedownwheneveratraintakestheinterse tion,

so that the interse ting road is losed. Ea h of the N trains an be in three

dierentregions:intheinterse tion(I),inthese tionpre edingtheinterse tion

(P),oranywhereelse(not here).Thearrayvariable\trains"re ordstheposition

ofea htrain:trains[i℄ anbeoneofthethreevaluesI;P;nothere.Thegate an

be in four states: the value of variable \gate" an be down;up;goingdown or

going up,withobviousmeanings.Thesystemshouldverifythesafetyproperty,

whi hexpressesthefa tthat thegatemustbedownwhenanyoftheN trains

ispassingtheinterse tion:

8i(trains[i℄=I )gate=down):

Thegatetakessometime to go from the state\up" to \down".This time

must notex eed\gateRiseTime".Similarlythetimeto gofrom the\down"to

the \up"states must notex eed \gateDownTime". Trains gettingin P would

takeaminimumtime\minTimeToI"andamaximumtime\maxTimeToI"toget

to theinterse tion.Itisthe ontrollerjobto knowwhentolowerthegate,and

whentoraiseit.Initially,thegateisup,andnotrainiseitherintheinterse tion

orin these tionpre edingtheinterse tion.

The system transitions are given on Figure 1. The rst three transitions

model the position hanges of the train i. The twofollowing ones express the

ontrollerde isiontolowerorraisethegate.Thenexttwomeanthegaterea hes

theupor downstates.Thelastonemodelsthetime ow.

Onlytwotransitionguardsarenotquantier-free.Butthey aneasilybeput

in prenexform with asingle quantier.Fun tions are used (trains,rstEnter,

lastEnter,s hedTime,+)buttheydonotrangeoverthepro essset.All

require-ments are thus met for Theorem 2to be used, aslong asthe invariantsto be

he kedalsoverify therequirementsaboutquantiers.

Figure2showsseveralinvarian epropertiesofthesystem.Togetherwiththe

safetyproperty,theygiveaninvariantforthesystem.Asthesafetypropertyis

one onjun t ofthe invariant, it is triviallyentailedby theinvariant.In order

to validate the invariant, it is ne essary to take into a ount the onstraints

on onstants(Figure 3) aswell asthe progressaxioms 11

(Figure 4). They are

supplementaryhypothesestobeput intheveri ation onditions.

Inthe whole proof, only two properties (or guards) are existentially

quan-tied, propertiesare at most on e quantied, and at most onetraintakepart

in a transition. From Theorem 2, if the invariant (whi h guarantees that the

algorithmissafe)ispreservedfor four trains,thealgorithmwillbesafefor any

numberof trains.

11

trains[i℄:=P; rstEnter[i℄:=T+minTimeToI; lastEnter[i℄:=T+maxTimeToI; s hedTime[i℄:=T+ onMinI ; trainHere[i℄:=true end

trains [i℄=P ^ T rstEnter[i℄ ! trains [i℄:=I

trains [i℄=I ! begintrains [i℄:=nothere; trainHere[i℄:=false end

(gate=up _ gate=going up) ^ gstatus=up

^9i(trainHere[i℄ ^ s hedTime[i℄T+ down+)

! begin

gate=going down;

lastDown:=T+gateDownTime ;

gstatus:=down

end

(gate=down _ gate=goingdown) ^ gstatus=down

^8i(trainHere [i℄)s hedTime[i℄>T +

down

+ up+ arPassingTime)

! begin

gate:=going up;

lastUp:=T+gateRiseTime ;

gstatus:=up

end

gate=goingup ! gate:=up

gate=goingdown ! gate:=down

T :=T+"

T 1 = def 8i T <rstEnter[i℄)trains[i℄6=I T2=def 8i trains[i℄=P)

(rstEnter[i℄T+minTimeToI ^ T lastEnter [i℄

^lastEnter [i℄ rstEnter[i℄=maxTimeToI minTimeToI)

C1=def gstatus=up)8i trainHere[i℄)T <s hedTime[i℄ down

GC

1 =

def

gstatus=down(gate=goingDown _ gate=down)

GC

2 =

def

gstatus=down)lastDownT+gateDownTime

GC

3 =

def

gstatus=up)8i trainHere [i℄)lastDown<s hedTime[i℄

TC1=def 8i trainHere[i℄trains [i℄6=notHere

TC2=def 8i trainHere[i℄)s hedTime[i℄<rstEnter[i℄

Fig.2.Invarian eproperties

AC 1 = down < onMinI ACT 1 = onMinI<minTimeToI AGC 1 =gateDownTime< down

AGC2=gateRiseTime< up

Fig.3.Constraintson onstants

G1 =def gate=goingDown)T lastDown

G2 =def gate=goingUp)T lastUp

P1 =def 8i(trains [i℄=P )TlastEnter [i℄)

P

2 =

def

gstatus=up)8i trainHere [i℄)T <s hedTime[i℄

down
P 3 = def gstatus=down)

9i trainHere [i℄ ^ s hedTime[i℄T+

up

+ arPassingTime+

down

ne essaryto provethesafetyproperty.

7 Con lusions and future work

Theinvariantvalidation pro essoftenhasan intera tivepartaswellasan

au-tomati part[6,30℄.This intera tiveaspe t(evenif itisoften easy)makesthe

proofpro esslongerandtedious.Thisworkisonestepfurthertomaketheproof

byinvariantsmoreappli able,eitherasamethod byitself, orasanelementof

anautomati veri ationpro ess.

Theveri ation onditionsobtainedinthe ontextofveri ationof

parame-terizedalgorithmareoftenquantiedoverthesetofpro esses.Wehavepresented

hereaquantierelimination pro edurebased onanenhan edHerbrand

Theo-rem,anadaptationofthe lassi alHerbrandTheoremtomany-sortedlogi with

equality.Thisquantiereliminationpro edureissuitableforalarge lassof

veri- ation onditionsin ludingformulas omingfromveri ationofparameterized

systems.It hasbeensu essfullyapplied to theinvariant validationfor several

algorithmsin luded thebakeryalgorithm(withorwithoutbounded ti kets),a

railroad rossingsystem, Burns,Dijkstra, Ri art&Agrawala, Szymanski...As

thequantier-freevalidityproblemisusuallyde idable,thisquantier

elimina-tionpro edureisakeytoautomati validationofinvariants.

Withbiggeralgorithms,instantiationitselfmaybe omeaproblem. Finding

simple and ee tiveheuristi s to sele tivelyinstantiateformulas is also in our

on ern. A rigorous hypothesis sele tion and elimination method has already

been found in the pure propositional ase [19℄, and the results are promising.

Weplantoadapt ittothepresentframework.

Referen es

1. P.A.Abdulla,A.Bouajjani, B.Jonsson,andM.Nilsson. Handlingglobal

ondi-tionsinparametrizedsystemveri ation.InComputerAidedVeri ation

Confer-en e,volume1633ofLe tureNotesinComputerS ien e,pages134{145.

Springer-Verlag,July1999.

2. K.R.AptandD. C.Kozen. Limitsfor automati veri ationofnite-state

on- urrentsystems. InformationPro essingLetters,22(6):307{309,May1986.

3. T.Arons,A.Pnueli,S.Ruah,J.Xu,andL.Zu k.Parameterizedveri ationwith

automati ally omputedindu tiveassertions.InComputerAidedVeri ation,

vol-ume2102 ofLe tureNotesin ComputerS ien e,pages221{234.Springer-Verlag,

July2001.

4. K.Baukus,Y.Lakhne h,and K.Stahl. Veri ationofParameterizedProto ols.

JournalofUniversalComputer S ien e,7(2):141{158,Feb.2001.

5. P.Bernays and M. S hnnkel. Zuments heidungsproblem der mathematis hen

logik. Math.Annalen,99:342{372,1928.

Computer AidedVeri ation, volume1855 ofLe tureNotesinComputer S ien e,

pages403{418.Springer-Verlag,July2000.

8. K.M.ChandyandJ.Misra. ParallelProgramDesign. Addison-Wesley,Reading,

Massa husetts,1988.

9. E.W.Dijkstra. ADis iplineofProgramming. Prenti e-Hall,1976.

10. B.DrebenandW.D.Goldfarb. TheDe isionProblem:SolvableClassesof

Quan-ti ational Formulas. Addison-Wesley,Reading,Massa husetts,1979.

11. E.A.EmersonandK.S.Namjoshi. Automati veri ationofparameterized

syn- hronous systems. In Computer Aided Veri ation, volume 1102, pages 87{98.

Springer-Verlag,July1996.

12. H.-D.EbbinghausandJ.Flum.FiniteModelTheory.Perspe tivesinMathemati al

Logi .Springer-Verlag,Berlin, 1995.

13. H. B. Enderton. A Mathemati al Introdu tion to Logi . A ademi Press, In .,

Orlando,Florida,1972.

14. M. Fitting. First-Order Logi andAutomated TheoremProving. Springer-Verlag,

Berlin, 1990.

15. P. Fontaine and E. P. Gribomont. Using BDDs with ombinations of theories.

InLogi forProgramming, Arti ialIntelligen e,andReasoning,volume2514 of

Le ture NotesinComputer S ien e.Springer,2002.

16. J.Gallier,P.Narendran,S.Raatz,andW.Snyder. Theoremprovingusing

equa-tional matingsandrigidE{uni ation. Journalofthe ACM,39(2):377{429, Apr.

1992.

17. S.M. Germanand A. P.Sistla. Reasoningabout systemswithmany pro esses.

JournaloftheACM,39(3):675{735,July1992.

18. S.Graf and H. Sadi. Verifying invariants usingtheorem proving. In Computer

AidedVeri ation,volume1102ofLe tureNotesinComputerS ien e,pages196{

207. SpringerVerlag,1996.

19. E. P. Gribomont. Simpli ation of boolean veri ation onditions. Theoreti al

Computer S ien e,239(1):165{185,May2000.

20. J.Y.Halpern. Presburgerarithmeti withunarypredi atesis 1

1

omplete. The

JournalofSymboli Logi ,56(2):637{642, June1991.

21. C.HeitmeyerandN.A.Lyn h. Thegeneralizedrailroad rossing|a asestudy

informalveri ation ofreal-timesystems. InPro eedings 15th IEEE Real-Time

SystemsSymposium,SanJuan,PuertoRi o,pages120{131,De .1994.

22. H.E.JensenandN.A.Lyn h.Aproofofburnsn-pro essmutualex lusion

algo-rithmusing abstra tion. InTools andAlgorithms forConstru tion andAnalysis

of Systems, volume 1384 of Le ture Notes in Computer S ien e, pages 409{423.

Springer-Verlag,Mar.1998.

23. Y. Kesten, O. Maler, M. Mar us, A. Pnueli, and E. Shahar. Symboli model

he kingwithri hassertionallanguages. InComputer AidedVeri ation, volume

1254ofLe tureNotesinComputerS ien e,pages424{435.Springer-Verlag,1997.

24. R.P.KurshanandK.M Millan. Astru turalindu tiontheoremforpro esses. In

Prin iples ofDistributedComputing,pages239{248.ACMPress,Aug.1989.

25. N.Lyn h.DistributedAlgorithms. MorganKaufmann,SanFran is o,CS,1996.

26. G. C. Ne ula. Compilingwith Proofs. PhD thesis,Carnegie Mellon University,

O t.1998. AvailableasTe hni alReportCMU-CS-98-154.

27. G.Nelson andD.C.Oppen. Simpli ations by ooperatingde isionpro edures.

invariants.InToolsandAlgorithmsfortheConstru tionandAnalysisofSystems,

Le tureNotesinComputerS ien e,pages82{97,2001.

29. F.Ramsey.OnaProblemofFormalLogi .Pro eedingsoftheLondonMathemati al

So iety,30:264{286, 1930.

30. N. Shankar. Veri ationof Real-Time SystemsUsing PVS. InComputer Aided

Veri ation, volume 697 of Le ture Notes in Computer S ien e, pages 280{291.

Springer-Verlag,June1993.

31. P.Wolperand V.Lovinfosse. Verifyingproperties oflarge setsof pro esseswith

networkinvariants. InAutomati Veri ationMethodsfor Finite State Systems,

volume407of Le ture Notes inComputer S ien e,pages 68{80.Springer-Verlag,