Experimenting acceleration methods for the validation of infinite state systems

Transcription

1 Experimenting acceleration methods for the validation of infinite state systems Jean-Paul Bodeveix Mamoun Filali IRIT - Université Paul Sabatier 118 route de Narbonne F Toulouse fbodeveix,filalig@irit.fr Abstract In this paper, we present a generic validation tool, called FMona. We illustrate its use through the expression of iterative and abstraction methods. These methods are applied for the validation of infinite or parameterized space problems. We propose two techniques to enhance iterative methods by accelerating their convergence. These techniques are expressed in FMona and applied on some examples. Keywords: Verification Technique, Validation tools, parameterized systems. 1. Introduction In recent years, important work has been done in the design and implementation of general specification languages and validation systems. Usually, we distinguish three families of tools: model checkers (SMV [6], SPIN [11]) to build a finite model and check its temporal properties; automatic proof tools (Mona [10] for the WSnS logic, its extension to structured types Lisa [2]), and proof assistants (Coq [3], HOL [8] and PVS [16]) which offer an expressive higher order logic (and thus not decidable) and an assistance to the construction and the validation of formulas expressed in this logic. Our experience in using these tools has led us to the following observations: model checkers are generally easy to use but their validation algorithm is hardwired and the data structures available to the programmer are generally poor, automatic proof tools lack a specification language level to express methods, and proof assistants lack powerful decision procedures and their integration is a delicate operation. Moreover their use is uneasy and require for instance the knowledge of the underlying type theory, the proof tactics, the tactic language and the underlying decision procedures. In this paper, we relate an attempt to overcome these problems. We have chosen an intermediate approach combining an automatic proof tool and higher level aspects so that the expression of validation methods becomes easy. Of course, unlike proof assistants, our tool FMona cannot be used to validate the methods themselves. Encoded methods can only be instantiated on given applications. As our automatic proof tool target, we have chosen Mona as the main proof tool (we also consider propositional solvers). Actually, within its underlying logic (WS1S) we can express a class of transition systems and most of their basic properties without restricting to finite state spaces. Indeed, we can consider parameterized transition systems. We have used FMona to express several validation techniques, e.g. iterative methods with convergence acceleration and abstraction methods over parameterized state systems. The remainder of this paper is organized as follows: section 2 presents validation tools for the formalization of the method and the considered examples. First, in section 3 we introduce basic iterative techniques, then in section 4, we consider convergence acceleration methods. In section 5, we describe the abstraction method. Section 6 resumes our use FMona and presents some ongoing work. 2. Validation tools In this section, we present the family of tools we have used to validate problems with infinite or parameterized state spaces. We have considered the following ones: model checkers to build a finite model and check its temporal properties. automatic proof tools which offer a complete decision procedure if the underlying logic is decidable.

2 proof assistants which offer an expressive higher order logic (and thus not decidable) and an assistance to the construction and the validation of formulas expressed in this logic. It should be noted that the border between these various types of tools tends to grow blurred. As an example, a model checker was integrated into the proof assistant PVS [16]; the decision procedure of linear arithmetic, known as of Presburger, was integrated into most of the proof assistants HOL [8], Coq [3] and PVS. In the following, we present the tools which we actually used for this study: the SMV model checker [6], the MONA WS1S prover [10] Model checkers Most of the model checkers define a model specification language and an assertion language for the expression of properties. The model is generally expressed as a finite state transition system on a finite alphabet. As for the properties, they are generally expressed in temporal logic. Thus, the SMV tool makes it possible to define finite state transition systems that can be composed either synchronously or asynchronously. The transitions are expressed either in an imperative way in terms of assignments between the variables defining the finite state space of the transition system, or in a declarative style in terms of relations between state variables. The properties of the transition system are specified in the branching-time temporal logic CTL which makes it possible to express as well the traditional properties of safety and liveness as that of possibility. We use the SMV system to check efficiently properties of finite abstractions of the considered transition systems. Currently, the interface to the SMV system is done by means of shell scripts for extracting a finite automaton from Mona output and producing SMV source code Monadic second order logic We recall below the definition of the two variants (WS1S and S1S) of the monadic second order logic of one successor [19]. Then, we present the Mona tool deciding WS1S formulas and its high level interface FMona. The monadic second order logic Definition 1 (The S1S and WS1S logics) Let fx 1 ; : : : ; x n g be a family of first order variables and fx 1 ; : : : ; X n g a family of second order monadic variables. A primitive grammar of this logic can be defined as follows: A term t is recursively defined as: t ::= 0 j x i j s(t) A logic formula f is recursively defined as: f ::= X i (t) j :f j f ^ f j 9x i : f j 9X i : f Notice that the successor function s is the only function. Validity of a formula A closed formula is valid in S1S or WS1S if it is valid in the interpretation on the set N of naturals, where s is the successor function, first order quantifiers relate to the naturals and second order quantifiers to the subsets (finite in the case of WS1S) of N. These two logics are decidable [19]. The monadic second order logic naturally supports the method presented since it makes it possible on the one hand to express the concept of sequence of execution on a finite state space and the temporal properties associated, and on the other hand the refinement relation between a parameterized concrete space and a finite abstract space Monadic second order tools The Mona tool The Mona tool [10] implements a decision procedure for WS1S, based on the automata theory. The Mona syntax accepts the constructions of the WS1S logic presented in the preceding section. Mona data types are thus limited to booleans, naturals and finite sets of naturals. Thus, propositional, first order and second order variables are respectively declared, existentially and universally quantified by var i, ex i and all i where i is the order of the variable. The FMona tool The FMona tool [5] is a high level interface for Mona. For instance, it is possible to declare enumerated and record with update types and quantify over them. Furthermore, FMona allows the definition of higher order macros parameterized by types and predicates. FMona source code is type-checked, macro expanded and translated to pure Mona. The following example defines the transition relation req1 between the states st and st. The complete example is given in section 5.4. type PC = fout,req,mutexg; type Sys = recordf pc1,pc2: PC; y1,y2: nat;g; pred req1(var Sys st,st ) = (st.pc1=out) & st =st with fpc1:= req; y1:= st.y2+1;g; Note that the term st =st with fpc1:= req; y1:= st.y2+1;g expresses that st is obtained by updating the fields pc1 and y1 of st. Moreover, we can also express higher order macros. For instance the inverse macro takes as parameter a binary relation and generates its inverse.

3 pred inverse(type State, pred(var State s,s ) tr, var State s,s ) = tr(s,s); We will use the FMona tool to express parameterized transition systems, validation methods as iterative or abstraction based ones. 3. Expression of iterative techniques Most of the classical studied properties can be expressed as fixpoints. However, since the state spaces of the considered problems are not finite, the reachability of the fixed point is not guaranteed. The purpose of this section is to propose techniques, expressed as FMona macros to reach a fixpoint after a finite number of iterations, independently of the size of the considered paramerized problem. Since we have no decidability results, the user must provide an iteration bound to apply the proposed macros FMona expression The backward macro takes as parameters a number n of iterations, the transition system defined by its tr and init predicates and the property to be checked inv. It performs n backward iterations (recursive macro iterate) of the transition tr 1 from the negation of the predicate inv and, after verifying that a fixed point has been reached (checkbwd), checks that no init point is reachable. pred iterate(type State,var nat N, pred(var State s,s ) tr,pred(var State s) init, var State s) = if N = 0 then init(s) else ex State s : iterate(n?1,tr,init,s ) & (s = s j tr(s,s)) endif; pred check bwd(type State,pred(var State s,s ) tr,pred(var State s) bad,pred(var State s) init)= stable(bad,inverse(tr)) & all State s: init(s) ) bad(s); pred backward(type State, var nat N,pred(var State s,s ) tr,pred(var State s) init, pred(var State s) inv)= check bwd(tr,iterate(n,inverse(tr),not(inv)),init); 1 A backward iteration of tr is in fact an iteration of the inverse (defined in x2.3) of tr Application Backward iteration techniques have been successfully applied to mutual exclusion algorithms on ring networks [15]. The following source code illustrates the pattern of such algorithms. First, we declare the number of nodes NProc which is the parameter of the system. Then, the type Proc is the interval associated to valid nodes. A node is defined as the finite record Node. At last, the whole system is defined as array of nodes over Proc. The next step consists in the definition of the transition system through its Init predicate and its transitions Enter, : : :. The specification ends with the always true property Inv Token to be checked. var nat NProc; type Proc =... NProc; type State= fout, req, mutexg; type Node = recordfst:state;token,link:bool;g; type Sys = array Proc of Node; pred Init(var Sys s) = all Proc i: (s[i].link) & s[i].token = (i = 0) & s[i].st = out; pred Enter(var Proc p, var Sys s,s ) = s[p].st = req & s[p].token & s = s with f[p].st := mutex; g ;... pred Trans(var Sys s,s ) = s = s j ex Proc p: Req(p,s,s )j Enter(p,s,s )j Leave(p,s,s ) j R(p,s,s )?? token reception j T(p,s,s );?? token transmission pred Inv Token(var Sys s) = all Proc p,q: (s[p].st=mutex & s[q].st=mutex) ) p=q; For instance, the validation of Inv Token as an always true property is performed by the FMona macro call backward(8,trans,init,inv Token) It is translated to pure Mona and automatically validated. It should be noted that Inv Token is not an invariant but an always true property: reachable states (or some superset) must be considered. In a similar way we have expressed forward analysis. 4. Accelerating iterative techniques Forward and backward analysis fail for some well known problems (e.g. termination detection [7], Dijkstra philosophers, Szymanski mutual exclusion protocol [18]). To overcome such problems, convergence acceleration techniques

4 have been proposed [1]. The basic idea consists in approximating the transitive closure of the transition relation of a parameterized system. More precisely, we pre-calculate the effect of applying in some order N transitions, where N is the size of the parameterized system (recall that N is not fixed). In order to be calculated, this closure must be expressed in Mona. Acceleration techniques can also be interpreted as enriching a transition system by new transitions such that there is a bisimulation between the original system and the new one. Actually, the new transitions are defined by sequential composition of the existing transitions. We have defined two acceleration techniques: the first one consists in firing each node in sequence, the other one consists in firing independent nodes concurrently. It should be noted that acceleration techniques could be either validated once by theorem provers or validated for each use by FMona itself: we show that the fixed point (if reached) obtained by such a technique is actually an invariant of the original transition system Sequential acceleration Sequential acceleration consists in firing each node in turn, from left to right, or from right to left. In order to express this technique within FMona, we restrict to transitions updating two neighbour nodes. Thus, intermediate results can be stored in one auxiliary array. For instance, we define the FMona macro l2r G expressing left to right application of the transitions R i over a ring as follows: pred l2r G(type State, var nat N,pred(var nat i, var State c,n,c,n ) R,var array nat of State S,S ) = ex array nat of State I: (all nat p: (0 < p & p < N?1) ) R(p,I[p],S[p+1],S [p],i[p+1])) & R(N?1,I[N?1],I[0],S [N?1],S [0]) & R(0,S[0],S[1],I[0],I[1]); In the considered examples, we have in fact applied sequential acceleration to the transitive closure of each local transition. Actually, such a transitive closure can be computed (by Mona) since local states are finite Application to the philosophers The invariant of the well known philosophers, stating that two neighbours nodes do not eat simultaneously is expressed as follows. pred Inv Phil(var nat NProc, var Sys S) = all nat p: p < NProc ) ( S[p].pc 6= Critical j S[p+1%NProc].pc 6= Critical); Sequential acceleration has been applied successfully : the invariant is validated after two accelerated iterations. It should be noted that usual forward and backward techniques fail on this problem. To our knowledge, the only automatic proof of this problem is proposed in [12]. Their technique relies on the behavioral equivalence between the composition of two and three philosophers Parallel acceleration Parallel acceleration consists in firing independent transitions concurrently. In order to express this technique within FMona, we only consider transitions that update one node. Furthermore, two transitions can be fired concurrently if the activation condition of one transition is independent from the update performed by the other one. Under such a condition, sequential and parallel execution are equivalent. Local transitions take as input one node number i, the state S of the whole system and the before and after local states n and n. The first macro,enabled(i,tr,s), checks that the local transition tr can be fired. The macro indep(tr,i,j) checks that if tr applies on node i, applying it on j preserves the firing ability from node i. Finally, the GPar(tr,S,S ) macro applies a set of independent local transitions to the global state S so that it becomes S. pred enabled(type Node, type Proc, var Proc i,pred (var Proc i, var array Proc of Node S, var Node n,n ) tr,var array Proc of Node S) = ex Node n : tr(i,s,s[i],n ); pred indep(type Node, type Proc, pred (var Proc i, var array Proc of Node S, var Node n,n ) tr, var Proc i,j) = all Node n : all array Proc of Node S: enabled(i,tr,s) ) tr(j,s,s[j],n ) ) enabled(i,tr,s withf[j]:=n ;g); pred GPar(type Node, type Proc, pred (var Proc i, var array Proc of Node S, var Node n,n ) tr, var array Proc of Node S,S ) = ex set of Proc E: (all Proc i,j: i 2 E ) j 2 E ) i6=j ) indep(tr,i,j)) & (all Proc i: if i 2 E then tr(i,s,s[i],s [i]) else S [i] = S[i] endif); Let us recall that the validation of the method and correctness of the GPar macro could be proved within some theorem prover (given some conditions over local transi-

5 tions 2 ) or validated within FMona on each use of the acceleration technique. This second idea has been applied successfully on the considered examples. It is then useless to check condition of application of the method even if it can effectively be expressed within FMona. Remark: In fact, we can consider transitions which update a neighbourhood which can be expressed in WS1S. From a node i, we can update nodes i + k where k belongs to some fixed sets of integer constants; for instance, for a bidirectional ring, we would have k 2 f?1; 0; 1g Application to Szymanski s mutual exclusion Parallel acceleration technique applies to the validation of Szymanski s mutual exclusion protocol [18] over an indexed family of nodes. Each node has a program counter and two booleans. Each transition reads atomically 3 the state of all other nodes and updates the state of one node. Thus parallel acceleration can be attempted and it succeeds in computing a super-set of the set of reachable states verifying the invariant property. In fact, we get exactly the reachable states, but FMona cannot check it. In [1], another acceleration technique is presented and applied to Szymanski s algorithm. Their specification language is based on finite state transducers which can express an arbitrary number of applications of local actions. The technique is described through a set of constraints connecting the input and output strings of the accelerated transducer and implemented as a new operation over automata. Such a technique could be expressed in FMona at the logic level. 5. Expression of the abstraction technique Let us recall that abstraction consists in defining a finite reduced system starting from a concrete system, a finite state space and a total relation known as the abstraction. It is the reverse of a refinement as the starting system is the concrete one. Moreover, for a refinement, the two transition systems are provided. One generally considers two approaches for the expression of properties to be validated: the first one is based on states: a property is expressed as a temporal logic predicate over the state space (more exactly over the state variables defining the interface of the system). the second one is based on transitions: we are interested in a simulation property between a concrete sys- 2 When not empty, the set of next states of a local transition is independent from the state of the other nodes. 3 We consider the simplified version of [1]. tem and an abstract system (also called the reference system). In the following, we illustrate the abstraction method by applying the first approach to the bakery algorithm Specification and synthesis of the abstract transition system First, we recall the definition of transition system abstraction: Definition 2 (Abstraction) Let C = (E c ; I c ; L;! c ) be a transition system, E a a set of so called abstract states and ' a relation over E c E a. The abstraction of C through ' is the transition system (E a ; I a ; L;! a ) where I a is the image by ' of I c : I a = '(I c ), For each label l, the pairs connected by e a l! a is the set of images through ' of! l c. l! a e 0 a, 9e c e 0 c : '(e c; e a ) ^ '(e 0 ; c e0 a ) ^ e l c! c e 0 c It follows that the abstraction of a transition can be expressed by the generic and higher order FMona macro: pred tr a(type State c, type State a,pred(var State c s c, s c ) tr c,pred(var State c s c, var State a s a) ',var State a e a,e a ) = ex State c e c,e c : '(e c,e a) & '(e c,e a ) & tr c(e c,e c ); The key result is that the abstraction relation is total, a transition system refines its abstraction. Note that the transitions of the abstract transition system are quantified over the domain of the concrete space and thus are not propositional even if the abstract domain is finite. It follows that the existence of a transition between two abstract states is not necessarily decidable. However if the concrete transitions and the refinement relation are WS1S, it becomes possible to synthesize the finite abstract transition system. Let us illustrate this claim by a trivial example. The state space of the concrete transition system is a finite set of naturals of unknown size, the concrete transition is defined by the predicate Init c (S) = (S = f0g) and the transition Tr c (S; S 0 ) = 9 1 x; y : y 2 S ^ S 0 = S n fyg [ fxg. As an abstraction, we consider a state reduced to a unique boolean b, and the abstraction relation '(S; b) = (b, 8 1 x; y : x 2 S ^ y 2 S ) x = y). The abstract transition system is defined by the predicate Init a (b) = 9 2 S : Init c (S) ^ '(S; b) and the transition Tr a (b; b 0 ) = 9 2 S; S 0 :

6 '(S; b) ^ Tr c (S; S 0 ) ^ '(S 0 ; b 0 ). The Mona tool can automatically simplify the previous monadic second order logic formulas to propositional formulas. Actually, we have synthesized the finite transition system defined by: Init a (b) = b and Tr a (b; b 0 ) = b ) b Verification of always true properties Given a total abstraction relation ', the following rules express two equivalent sufficient conditions for a property P to be always true over the concrete system C, denoted C ` P : Abs ' (C) ` '(P ) C ` P '?1 (Acc(Abs ' (C))) ) P C ` P where Abs ' (C) is the abstraction of C and Acc(S) is the set of reachable states of the transition system S. Given these two rules, the validity of P is derived from the properties of the abstract transition system. Let us recall that its synthesis can be expressed in WS1S. Consequently, the two preceding rules give two decidable sufficient conditions. To summarize, given a user defined abstraction relation, we have two automatic verification methods: Method 1 1. Construction of the abstract transition system. 2. Construction of the reachable states Acc of the abstract transition system. 3. Definition of a superset of the reachable states of the concrete transition system as the inverse image by ' of Acc. 4. At the concrete level, we show that '?1 (Acc) ) P. Note that the term '?1 (Acc) can be interpreted as a lemma automatically proven through an exhaustive exploration of the abstract state space. This lemma helps in the validation of P. pred method1(type State c, type State a,pred(var State c s c) init c,pred(var State c s c, s c ) tr c,pred(var State c s c, var State a s a) ',,pred(var State c s c) p) = always true(not(p a(not(p),')),p a(init c,'),tr a(tr c,')); Method 2 1. Construction of the abstract transition system. 2. Computation of the abstraction of P : '(P ). 3. Verification of this abstraction over the reachable states of the abstract transition system. Since the abstract state space is finite, this verification can be performed by a model checker like SMV. This second method uses a dedicated tool for the verification of always true properties Abstraction heuristics To reduce parameterized or infinite data structures, we apply the heuristics presented in the following paragraph. The abstraction function associates a finite approximation with a parameterized or infinite type. We consider three classes of types: integer types, arrays with opaque 4 index and finite values, arrays with natural index and finite value, and arrays with opaque index and values. We have considered the following abstractions which can be expressed in WS1S: 1. We associate with natural state space variables a family of boolean variables coding the comparisons between these variables or the variables and the constants of the problem. Notice that this heuristics is in fact the one used in an automatic way by [13]. 2. We associate with an array with opaque index and finite values within the set fx 1 ; : : : ; x n g a family of bounded counters fc 1 ; : : : ; c n g with value in the set f0; : : : ; k; +g. A counter C i indicates the number of indexes with value x i. This enumeration being bounded by k, a higher number of occurrences is denoted We associate with an array t with natural index and finite values the number of alternations t(i) 6= t(i? 1), counted in the finite set f0; : : : ; k; +g. 4. We associate with an array with opaque index and values the number of different values in the array, counted in the finite set f0; : : : ; k; +g. Notice that these heuristics relate to the construction of an abstraction function, the abstract transition system being automatically built and validated by the FMona tool for the considered class of problems. On the other hand, [4] supposes the existence of an abstraction function and proposes heuristics for the construction of the abstract system. 4 An opaque type supports only the assignment and comparison operations.

7 5.4. Application to the bakery mutual exclusion protocol The transition system of the Bakery mutual exclusion algorithm over two processes is described in FMona by the following code. Its state space contains two finite-typed variables pc1 and pc2 and two naturals y1 and y2. The state space is thus infinite. type PC = fout,req,mutexg; type Sys = recordfpc1, pc2: PC; y1, y2: nat;g; pred Init(var Sys st) = st.pc1=out & st.pc2=out & st.y1=0 & st.y2=0; pred req1(var Sys st,st ) = st.pc1=out & st =st with fpc1:=req; y1:=st.y2 + 1;g; pred req2(var Sys st,st ) = st.pc2=out & st =st with fpc2:=req; y2:=st.y1 + 1;g; pred enter1(var Sys st,st ) = st.pc1=req & (st.y2=0 j st.y1st.y2) & st =st withfpc1:=mutex;g; pred enter2(var Sys st,st ) = st.pc2=req & (st.y1=0 j st.y2<st.y1) & st =st withfpc2:=mutex;g; pred leave1(var Sys st,st ) = st.pc1=mutex & st =st with fpc1:=out; y1:=0;g; pred leave2(var Sys st,st ) = st.pc2=mutex & st =st with fpc2:=out; y2:=0;g; pred Trans(var Sys st,st ) = st=st j req1(st,st )j enter1(st,st )j leave1(st,st ) j req2(st,st )j enter2(st,st )j leave2(st,st ); We notice that it is not possible to bound the natural variables y1 and y2. Actually, when considering the execution sequence r 1 (e 1 r 2 l 1 e 2 r 1 l 2 ), the sequence of (y1,y2) values is (0; 0) r 1(e 1 r 2 l 1 e 2 r 1 l 2 ) k????????????!(2k +1; 0) where r; e; l respectively abbreviate req,enter,leave. We seek to establish that the mutual exclusion property excl is always true: pred excl(var Sys st) = (st.pc1 = mutex & st.pc2 = mutex); The predicate excl is not an invariant. Actually, it is not preserved by enter1. However, as shown in the following, it is always true, i.e., true in any reachable state. In order to get a finite state space, the fields pc1 and pc2 being finite, it is enough to abstract the fields y1 and y2. We consider the abstraction which consists in coding the comparisons between these two fields. Then, we get the abstract system Sys a and the abstraction relation ' defined as follows: type Cmp=fz1z2,z1,z2,inf12,inf21,eqg; type Sys a=recordfpc1, pc2: PC; y1y2: Cmp;g; pred '(var Sys st, var Sys a a) = a.pc1=st.pc1 & a.pc2=st.pc2 & if st.y1=0 & st.y2=0 then a.y1y2=z1z2 elsif st.y1=0 then a.y1y2=z1 elsif st.y2=0 then a.y1y2=z2 elsif st.y1<st.y2 then a.y1y2=inf12 elsif st.y2<st.y1 then a.y1y2=inf21 else a.y1y2=eq endif; The abstraction through ' of the Bakery system, computed by FMona, is a finite state system of which transitions can be expressed using WS1S and reduced to propositional logic using Mona. Consequently, the computation of the reachable states is possible. Mona validates that any state reachable by this transition system cannot be the image of a state where two processes would not be in mutual exclusion. This is performed by calling the macro method1 of x5.2: method1(init,trans,',excl); It is interesting to note that since the abstraction did not modify the interface fields pc1 and pc2, it also defines a mutual exclusion algorithm over a finite state space similar to Peterson s algorithm [17] comprising apart from the fields pc1 and pc2 a finite field y1y2 that can be encoded by three booleans. 6. Conclusion In this paper, we have illustrated the use of FMona to express first abstraction and iterative techniques and then their applications. Thanks to the higher order features of FMona, the validation steps of the method could be expressed in a generic way and instantiated on specific problems. These methods have been have been applied within FMona to well know problems (mutual exclusion on parameterized rings, parameterized multiprocessor memory protocols, infinite space bakery algorithm). Some first experiments show that the cooperation between propositional solvers (either Stallmark-based ones as HeerHugo[9] or Davis-Putnam-based solvers [14]) and Mona (which is BDD-based) is much more efficient than the exclusive use of Mona. For this purpose, we have connected FMona to such solvers. We also plan to consider the validation of the methods themselves and how to integrate them smoothly into FMona. For instance, we have separately validated the abstraction method in Coq. Another step is to automatically generate FMona code from the Coq development.

8 References [1] P. A. Abdulla, A. Bouajjani, B. Jonsson, and M. Nilsson. Handling Global Conditions in Parameterized System Verification. In Proc. 11th Int. Conf. on Computer Aided Verification, volume 1633 of Lecture Notes in Computer Science, pages Springer Verlag, [2] A. Ayari, D. Basin, and A. Podelski. Lisa: A specification language based on ws2s. In 11th International Conference of the European Association for Computer Science Logic (CSL 97), volume 1414 of LNCS, pages Springer-Verlag, [3] B. Barras, S. Boutin, C. Cornes, J. Courant, J. Filliatre, E. Giménez, H. Herbelin, G. Huet, C. Muñoz, C. Murthy, C. Parent, C. Paulin, A. Saïbi, and B. Werner. The Coq Proof Assistant Reference Manual Version V6.1. Technical Report 0203, INRIA, August [4] S. Bensalem, Y. Lakhnech, and S. Owre. Computing abstractions of infinite state systems compositionnaly and automatically. In Computer-Aided Verification (CAV 98), volume 1427 of Lecture Notes in Computer Science, pages , Vancouver, BC, Canada, june Springer-Verlag. [5] J.-P. Bodeveix and M. Filali. The FMONA tool. Technical Report COS/MF/FMONA, IRIT, may [6] J. Burch, E. Clarke, K. McMillan, and D. Dill. Symbolic model checking: 10E20 states and beyond. In 5th Symposium on Logic in Computer Science, June [7] E. W. Dijkstra, W. H. J. Feijen, and A. J. M. van Gasteren. Derivation of a termination detection algorithm for distributed computations. Information Processing Letters, 16(5): , june [8] M. Gordon and T. Melham. Introduction to HOL. Cambridge University Press, [9] J. Groote and J. Warners. The propositional formula checker HeerHugo. Technical Report SEN-R9905, CWI, january [10] J. Henriksen, J. Jensen, M. Jorgensen, N. Klarlund, R. Paige, T. Rauhe, and A. Sandholm. Mona: Monadic second-order logic in practice. In Workshop on Tools and Algorithms for the Construction and Analysis of Systems, pages 58 73, Aarhus, May [11] G. Holzmann. Design and validation of computer protocols. Prentice Hall, [12] Y. Kesten and A. Pnueli. Modularization and abstraction: the keys to practical formal verification. In 23rd int. symp. of mathematical foundations of computer science, MFCS98, volume 1450 of Lecture Notes in Computer Science, pages Springer-Verlag, [13] Lessens, D. and Saïdi, H. Abstraction of parameterized networks. Electronic notes in theoretical computer science, 9:12, [14] C. M. Li and Anbulagan. Heuristics based on unit propagation for satisfiability problems. In procs. of the 15th int. joint conf. on Artificial Intelligence, pages , Nagoya, Japan, august [15] A. Martin. Distributed mutual exclusion on a ring of processes. Science of Computer Programming, 5(3): , October [16] S. Owre, J. M. Rushby, and N. Shankar. PVS: A Prototype Verification System. In D. Kapur, editor, 11th International Conference on Automated Deduction (CADE), volume 607 of Lecture Notes in Artificial Intelligence, pages , Saratoga, NY, June Springer-Verlag. [17] J. Peterson and A. Silberschatz. Operating system concepts. Addison-Wesley, [18] B. Szymanski. Mutual exclusion revisited. In fifth Jerusalem conference on information technology, pages IEEE Computer Society Press, [19] W. Thomas. Automata on infinite objects. In J. Leeuwen, editor, Handbook of Theoretical Computer Science, pages MIT Press, 1990.