Model Checking for tcc Calculus

Transcript

1. Model Checking for tcc Calculus Cali Jaime E. Arias Almeida

   Supervisors: Dr. Carlos Olarte Dr. Eugenio Tamura AVISPA Research Group Pontificia Universidad Javeriana - Cali December, 2012

2. Motivation Concurrent systems are everywhere: • Engineering: Security protocols, mobile

   computing, synchronous systems. • Science: Biological and chemical systems. • Arts: Multimedia interaction. Models of Concurrency Formal models to describe and analyze concurrent systems. They must be: • Simple. • Expressive. • Formal. • Provide reasoning techniques. Some examples: CCS [Mil89], the π calculus [Mil99, SW03], CSP [Hoa85], CCP [Sar93]. 2 / 71

3. Motivation • Concurrent Constraint Programming (ccp) [Sar93] is a formalism

   for con- currency where agents interact with one another by adding (telling) and reading (asking) information represented as constraints in a shared medium (global store). • The type of constraints and the entailment relation is given by a Constraint System (e.g. x > 42 |= x > 0). 3 / 71

4. Motivation • Temporal Concurrent Constraint Programming (tcc) [SJG94] extends ccp

   by adding temporal constructs for modeling timed and reactive systems. • Formal verification plays an important role in detecting errors in concurrent systems. The presence of a system failure in air traffic control systems, medical instruments, aircrafts or in general, reactives systems could be catastrophic. (a) Therac-25 (b) Ariane-5 Figure: Some disasters 4 / 71

5. Motivation • Verification of tcc programs is performed using inductive

   techniques since the model does not provide automatic formal verification tools. • Problems: ◦ Difficult ◦ Error prone ◦ Experts are required. • Hubert Garavel [Gar08]: “...The research agenda for theoretical concur- rency should therefore address the design of efficient algorithms for trans- lating and verifying formal specifications of concurrent systems”. 5 / 71

6. Motivation • Model checking is an automated technique that, given

   a finite-state model of a system and a formal property, systematically checks whether this property holds for (a given state in) that model [CGP99]. • Advantages ◦ Formal technique. ◦ Fully-automatic. ◦ Experts are not required. ◦ Counterexample. • Drawback: ◦ State-space explosion problem. 6 / 71

7. Our Goal • We aim at developing a model checking

   algorithm for tcc calculus to automatically verify digital systems. 7 / 71

8. Our Approach Requirements System Formalizing Modeling Property Specification System Model

   Model Checking Satisfied Violated + Counterexample ntcc LTL tcc Structure Classical approach and prototype Our approach: A model checking algorithm based on the work of Falaschi and Villanueva [FV06]. 8 / 71

9. Our Contributions • A structure for modeling the behavior of

   a tcc program. • An algorithm for constructing the model from the tcc specification. • A method for reducing the size of a model. • A model checking algorithm for verifying tcc programs. • A prototype of the model checking algorithm. 9 / 71

10. Outline 1 The tcc Calculus 2 The Model Checking Technique

    3 A Model for tcc Programs 4 A Logic for the Specification of Properties 5 The Model Checking Algorithm 6 A Prototypical Tool 7 Application 8 Concluding Remarks 10 / 71

11. Outline 1 The tcc Calculus 2 The Model Checking Technique

    3 A Model for tcc Programs 4 A Logic for the Specification of Properties 5 The Model Checking Algorithm 6 A Prototypical Tool 7 Application 8 Concluding Remarks 11 / 71

12. The tcc Calculus [SJG94] Intuitive Description and Operational Semantics temperature

    = ? ask (temperature < 100) then Q tell (temperature < 70) ask (temperature = 50) then P tell (temperature > 45) 12 / 71

13. The tcc Calculus [SJG94] Intuitive Description and Operational Semantics temperature

    = ? ask (temperature < 100) then Q ask (temperature = 50) then P tell (temperature < 70) tell (temperature > 45) 12 / 71

14. The tcc Calculus [SJG94] Intuitive Description and Operational Semantics ask

    (temperature < 100) then Q ask (temperature = 50) then P 42 < temperature < 70 12 / 71

15. The tcc Calculus [SJG94] Intuitive Description and Operational Semantics ask

    (temperature = 50) then P 42 < temperature < 70 ask (temperature < 100) then Q 12 / 71

16. The tcc Calculus [SJG94] Intuitive Description and Operational Semantics ask

    (temperature = 50) then P 42 < temperature < 70 Q Remains Blocked 12 / 71

17. The tcc Calculus [SJG94] Intuitive Description and Operational Semantics Stimulus

    Store Time Unit 1 1. Receives a stimulus (i.e. a constraint) from the environment. 13 / 71

18. The tcc Calculus [SJG94] Intuitive Description and Operational Semantics Stimulus

    Time Unit 1 ccp Process 1. Receives a stimulus (i.e. a constraint) from the environment. 2. Computes a ccp process in the current time unit and wait for stability. 13 / 71

19. The tcc Calculus [SJG94] Intuitive Description and Operational Semantics Stimulus

    Time Unit 1 Resting Point Final Store 1. Receives a stimulus (i.e. a constraint) from the environment. 2. Computes a ccp process in the current time unit and wait for stability. 3. Responds with the resulting store. 13 / 71

20. The tcc Calculus [SJG94] Intuitive Description and Operational Semantics Stimulus

    Time Unit 1 Resting Point Final Store Residual Process Store Time Unit 2 1. Receives a stimulus (i.e. a constraint) from the environment. 2. Computes a ccp process in the current time unit and wait for stability. 3. Responds with the resulting store. 4. Executes the residual process in the next time unit. * Note: Stores are not automatically transferred from a time unit to the next one. 13 / 71

21. The tcc Calculus [SJG94] Syntax Process Description Action within the

    time interval tell (c) telling information add c to the store in the current time interval now c then P asking information executes P if c can be deduced from the current store ∃x (P) hiding executes P with local x P || Q parallelism executes P and Q next P unit-delay executes P in the next time unit now c else P time-out executes P in the next time unit if c cannot be entailed now Syntax SOS 14 / 71

22. The tcc Calculus [SJG94] Example Example p():: now (in=true) then

    next(tell(x=2)) || now (in=true) else tell(x=1) || next(p()) Prototype 15 / 71

23. Outline 1 The tcc Calculus 2 The Model Checking Technique

    3 A Model for tcc Programs 4 A Logic for the Specification of Properties 5 The Model Checking Algorithm 6 A Prototypical Tool 7 Application 8 Concluding Remarks 16 / 71

24. The Model Checking Technique Requirements System Formalizing Modeling Property Specification

    System Model Model Checking Satisfied Violated + Counterexample System Model: Models of systems describe the behavior of systems in a formal way. They are mostly expressed using transition systems. 17 / 71

25. The Model Checking Technique Requirements System Formalizing Modeling Property Specification

    System Model Model Checking Satisfied Violated + Counterexample Property Specification: Properties should be described in a precise and unambiguous manner. Temporal logic is typically used to express properties. 17 / 71

26. The Model Checking Technique Requirements System Formalizing Modeling Property Specification

    System Model Model Checking Satisfied Violated + Counterexample Model Checking: Algorithm which checks the validity of the property in all states of the system model. 17 / 71

27. Outline 1 The tcc Calculus 2 The Model Checking Technique

    3 A Model for tcc Programs 4 A Logic for the Specification of Properties 5 The Model Checking Algorithm 6 A Prototypical Tool 7 Application 8 Concluding Remarks 18 / 71

28. A Model for tcc Programs Program Labeling • The labeling

    process consists in assigning a different label to each occur- rence of an agent in the program. • Labels provide an unique identification for agents in order to know the point of execution of the program during the construction of the model. Example {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) Definition 19 / 71

29. A Model for tcc Programs The tcc Structure • tcc

    Structure is a graph structure which allows to model the behavior of a tcc specification. • It is a variant of a Kripke Structure. current store internal labels temporal labels (a) tcc state Internal Transition Temporal Transition (b) Transitions Figure: Components of a tcc Structure Definition 20 / 71

30. A Model for tcc Programs The tcc Structure Definition (tcc

    Structure) Let AP be a set of atomic propositions, we define a tcc Structure M over AP as a seven tuple M = (S, S0, T, R, C, L, LT) where 1. S is a finite set of states. 2. S0 ⊆ S is the set of initial states. 3. T = {i, t} is the set of possible type of transitions. i denotes an internal transition while t denotes a temporal transition. 4. R ⊆ S × S × T is a transition relation. 5. C : S → 2AP is the function that returns the set of atomic propositions in a given state. 6. L : S → 2L is the function that returns the set of internal labels in a given state. 7. LT : S → 2L is the function that returns the set of temporal labels in a given state. 21 / 71

31. A Model for tcc Programs Construction of the Model •

    Transitions are described according to the operational rules of each tcc process. • For each different declaration we construct a tcc Structure. • Each state is composed of labels associated with agents that can be executed in a step of the construction process. • Each label can be active or disable. • The labels associated with temporal agents cannot be executed before all the labels associated with normal agents are executed. Algorithm 22 / 71

32. A Model for tcc Programs Construction of the Model Procedure

    Call: p0 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

33. A Model for tcc Programs Construction of the Model Procedure

    Call: p0 1 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

34. A Model for tcc Programs Construction of the Model Procedure

    Call: p0 1 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

35. A Model for tcc Programs Construction of the Model Procedure

    Call: p0 ||1 1 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

36. A Model for tcc Programs Construction of the Model Parallel:

    p0 ||1 1 2 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

37. A Model for tcc Programs Construction of the Model Parallel:

    p0 ||1 1 2 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

38. A Model for tcc Programs Construction of the Model Parallel:

    p0 ||1 1 2 nowp2, ||5 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

39. A Model for tcc Programs Construction of the Model Parallel:

    nowp2, nown6, next8 3 p0 ||1 1 2 nowp2, ||5 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

40. A Model for tcc Programs Construction of the Model Timed

    Positive Ask: nowp2, nown6, next8 3 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

41. A Model for tcc Programs Construction of the Model Timed

    Positive Ask: nowp2, nown6, next8 3 4 19 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

42. A Model for tcc Programs Construction of the Model Timed

    Positive Ask: nowp2, nown6, next8 3 4 19 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

43. A Model for tcc Programs Construction of the Model Timed

    Positive Ask: nowp2, nown6, next8 in=true 3 4 19 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

44. A Model for tcc Programs Construction of the Model Timed

    Positive Ask: nowp2, nown6, next8 ~(in=true) in=true 3 4 19 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

45. A Model for tcc Programs Construction of the Model Timed

    Positive Ask: nowp2, nown6, next8 ~(in=true) in=true 3 4 19 next3, nown6, next8 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

46. A Model for tcc Programs Construction of the Model Timed

    Positive Ask: nowp2, nown6, next8 ~(in=true) in=true 3 4 19 next3, nown6, next8 nowp2, nown6, next8 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

47. A Model for tcc Programs Construction of the Model Timed

    Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

48. A Model for tcc Programs Construction of the Model Timed

    Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 5 33 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

49. A Model for tcc Programs Construction of the Model Timed

    Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 5 33 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

50. A Model for tcc Programs Construction of the Model Timed

    Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 33 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

51. A Model for tcc Programs Construction of the Model Timed

    Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 in=true,~(in=true) 33 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

52. A Model for tcc Programs Construction of the Model Timed

    Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

53. A Model for tcc Programs Construction of the Model Timed

    Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 next3, next8 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

54. A Model for tcc Programs Construction of the Model Timed

    Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 next3, next8 34 20 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

55. A Model for tcc Programs Construction of the Model Timed

    Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 next3, next8 34 20 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

56. A Model for tcc Programs Construction of the Model Timed

    Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 next3, next8 34 ~(in=true),in=true 20 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

57. A Model for tcc Programs Construction of the Model Timed

    Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 next3, next8 34 ~(in=true),in=true 20 ~(in=true) {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

58. A Model for tcc Programs Construction of the Model Timed

    Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 next3, next8 20 ~(in=true) {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

59. A Model for tcc Programs Construction of the Model Timed

    Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 next3, next8 20 ~(in=true) nowp2, next8 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

60. A Model for tcc Programs Construction of the Model Timed

    Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 next3, next8 20 ~(in=true) nowp2, next8 tell7 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

61. A Model for tcc Programs Construction of the Model Unit

    Delay: 5 next3, next8 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

62. A Model for tcc Programs Construction of the Model Unit

    Delay: in=true 5 next3, next8 6 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

63. A Model for tcc Programs Construction of the Model Unit

    Delay: in=true 5 next3, next8 6 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

64. A Model for tcc Programs Construction of the Model Unit

    Delay: in=true 5 next3, next8 6 in=true {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

65. A Model for tcc Programs Construction of the Model Unit

    Delay: in=true 5 next3, next8 6 tell4, p9 in=true {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

66. A Model for tcc Programs Construction of the Model Passage

    to the Next Time: 6 tell4, p9 in=true {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

67. A Model for tcc Programs Construction of the Model Passage

    to the Next Time: 6 tell4, p9 in=true 7 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

68. A Model for tcc Programs Construction of the Model Passage

    to the Next Time: 6 tell4, p9 in=true 7 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

69. A Model for tcc Programs Construction of the Model Passage

    to the Next Time: 6 tell4, p9 in=true 7 tell4, p9 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

70. A Model for tcc Programs Construction of the Model Equivalent

    States: 6 tell4, p9 in=true 7 tell4, p9 13 tell4, p9 x=2, in=true 14 tell4, p9 24 / 71

71. A Model for tcc Programs Construction of the Model Equivalent

    States: 6 tell4, p9 in=true 7 tell4, p9 13 tell4, p9 x=2, in=true 14 tell4, p9 24 / 71

72. A Model for tcc Programs Construction of the Model Equivalent

    States: 6 tell4, p9 in=true 7 tell4, p9 13 tell4, p9 x=2, in=true 24 / 71

73. A Model for tcc Programs Construction of the Model Equivalent

    States: 6 tell4, p9 in=true 7 tell4, p9 13 tell4, p9 x=2, in=true • Reduction of states is necessary to decrease the state explosion problem. • The store on the quiescent point is defined as the output of the computation. 24 / 71

74. A Model for tcc Programs Simplification of the Model 1

    5 4 1 2 3 4 5 Sequence of internal transitions (a) Reduction of a sequence of internal transitions 2 1 3 4 2 2 1 3 4 (b) Reduction of a branching Figure: Reduction rules 25 / 71

75. Outline 1 The tcc Calculus 2 The Model Checking Technique

    3 A Model for tcc Programs 4 A Logic for the Specification of Properties 5 The Model Checking Algorithm 6 A Prototypical Tool 7 Application 8 Concluding Remarks 26 / 71

76. A Logic for the Specification of Properties The ntcc Logic

    • Linear temporal logic (LTL) named CLTL for reasoning about ntcc processes. • It expresses properties over sequences of constraints. • ntcc is an extension of tcc. Definition (CLTL Syntax) The formulae F, G, . . . ∈ F are built from constraints c ∈ C in the underlying constraint system by F, G, . . . := c | ˙ true | ˙ false | F ˙ ∧ G | F ˙ ∨ G | ˙ ¬F | ˙ ∃x F | ◦ F | F | ♦F Semantics 27 / 71

77. Outline 1 The tcc Calculus 2 The Model Checking Technique

    3 A Model for tcc Programs 4 A Logic for the Specification of Properties 5 The Model Checking Algorithm 6 A Prototypical Tool 7 Application 8 Concluding Remarks 28 / 71

78. The Model Checking Algorithm • Classical tableau algorithm for the

    LTL model checking problem [CGP99, MP95, LP85]. • To prove that a property is satisfied, it is possible to prove that there is no path in the model checking graph satisfying the negation of the formula. 29 / 71

79. The Model Checking Algorithm Definition (Strongly Connected Component) Given a

    graph G, we define a Strongly Connected Component (SCC) S as a maximal subgraph of G such that for every two distinct nodes A, B ∈ S, there exists a path from A to B that passes through nodes of S. We say that S is transient if it consists of a single node that is not connected to itself. Definition (Self-fulfilling SCC) Given a model-checking graph G, a self-fulfilling strongly connected component C is defined as a non-transient strongly connected component in G which satisfies that for every node n in C and for every ♦φ ∈ Qn there exists a node m in C such that φ ∈ Qm . 30 / 71

80. The Model Checking Algorithm Algorithm: 1. To construct the model

    checking graph using the negation of φ (i.e. ¬φ). Definition 31 / 71

81. The Model Checking Algorithm Algorithm: 1. To construct the model

    checking graph using the negation of φ (i.e. ¬φ). Definition ◦ First of all, we have to compute the closure CL(¬φ). This closure is reminiscent to the Fisher Ladner’s one [MP95, FL79]. Definition 31 / 71

82. The Model Checking Algorithm Algorithm: 1. To construct the model

    checking graph using the negation of φ (i.e. ¬φ). Definition ◦ First of all, we have to compute the closure CL(¬φ). This closure is reminiscent to the Fisher Ladner’s one [MP95, FL79]. Definition 2. To look for a sequence such that starting from an initial node of the graph that satisfies the negation of φ, it reaches a self-fulfilling strongly connected component. 31 / 71

83. The Model Checking Algorithm Algorithm: 1. To construct the model

    checking graph using the negation of φ (i.e. ¬φ). Definition ◦ First of all, we have to compute the closure CL(¬φ). This closure is reminiscent to the Fisher Ladner’s one [MP95, FL79]. Definition 2. To look for a sequence such that starting from an initial node of the graph that satisfies the negation of φ, it reaches a self-fulfilling strongly connected component. 3. If we find a self-fulfilling SCC in the graph, then the system satisfies the property represented by the negated formula (i.e. the model does not satisfy the property). 31 / 71

84. Outline 1 The tcc Calculus 2 The Model Checking Technique

    3 A Model for tcc Programs 4 A Logic for the Specification of Properties 5 The Model Checking Algorithm 6 A Prototypical Tool 7 Application 8 Concluding Remarks 32 / 71

85. A Prototypical Tool Property • We represent a temporal formula

    as a binary syntax tree. ♦ ∧ ¬ ◦ x=1 in=true Figure: ♦((in = true) ˙ ∧ ˙ ¬ ◦ (x = 1)) >>> phi = Formula ({"<>": {"^":{"":"in=true","~":{"o":"x=1"}}}}) 33 / 71

86. A Prototypical Tool Model nowp2, ||5 nowp2, nown6, next8 next3,

    nown6, next8 in=true ~(in=true) next3, next8 in=true ~(in=true) tell7, p9 tell4, p9 in=true 2 tell4, p9 tell7, p9 7 X=2 p9 X=1 p9 8 X=2 nowp2, ||5 X=2 nowp2, nown6, next8 next3, nown6, next8 X=2, in=true nowp2, nown6, next8 X=2, ~(in=true) next3, next8 tell7, p9 tell4, p9 tell4, p9 tell7, p9 X=2, in=true X=2, ~(in=true) X=2, in=true 3 4 5 6 9 nowp2, next8 ~(in=true) tell7 19 nowp2, nown6, next8 20 21 22 23 10 11 12 13 14 nowp2, next8 X=2, ~(in=true) tell7 15 16 17 18 ||1 1 p0 nowp2 nowp2 (a) tcc Structure p0 ~(in=true) tell7, p9 tell4, p9 in=true tell7, p9 X=2, ~(in=true) X=2, in=true tell4, p9 tell7, p9 X=1, ~(in=true) X=1, in=true tell4, p9 6 (s1) 13 (s2) 17 (s3) 21 (s4) 28 (s5) 32 (s6) nowp2 nowp2 nowp2 (b) Simplified tcc Structure Figure: Model of the system Results 34 / 71

87. A Prototypical Tool Model • We assume that a tcc

    Structure is a list of tcc nodes. store: (list of Formulas) internal: (list of strings) temporal: (list of strings) edges: (list of integers) initial: (boolean) tcc node Figure: tcc node >>> {"store": [Formula ({"":"in=true"})], "internal": [], "temporal": [" tell4","p9"], "edges": [2,3], "initial": True} 35 / 71

88. A Prototypical Tool Model Checking Algorithm Closure >>> getClosure(phi ,closure)

    {’<>’: {’^’: {’’: ’in=true ’, ’~’: {’o’: ’x=1’}}}} {’~’: {’<>’: {’^’: {’’: ’in=true ’, ’~’: {’o’: ’x=1’}}}}} {’o’: {’<>’: {’^’: {’’: ’in=true ’, ’~’: {’o’: ’x=1’}}}}} ... See Model Checking Nodes >>> atoms = getAllAtoms(closure) >>> model_checking_atoms = getModelCheckingAtoms (tcc_structure ,atoms) tcc State 1 Atom 1 {’o’: {’<>’: {’^’: {’’: ’in=true ’, ’~’: {’o’: ’x=1’}}}}} {’’: ’in=true ’} ... 36 / 71

89. A Prototypical Tool Model Checking Algorithm Model Checking Graph >>>

    model_checking_graph = getModelCheckingGraph (tcc_structure , model_checking_atoms ) >>> model_checking_graph {1: [], 2: [], 3: [9, 11, 12, 13, 15], 4: [10, 16, 14], 5: [], 6: [], 7: [9, 11, 12, 13, 15], 8: [10, 16, 14], 9: [], 10: [], 11: [9, 11, 12, 13, 15], 12: [10, 16, 14], 13: [25, 27, 28, 29, 31], 14: [26, 32, 30], 15: [], 16: [], 17: [25, 27, 28, 29, 31], 18: [26, 32, 30], 19: [], 20: [], 21: [25, 27, 28, 29, 31], 22: [26, 32, 30], 23: [], 24: [], 25: [], 26: [], 27: [9, 11, 12, 13, 15], 28: [10, 16, 14], 29: [25, 27, 28, 29, 31], 30: [26, 32, 30], 31: [], 32: []} See 37 / 71

90. A Prototypical Tool Model Checking Algorithm Strongly Connected Components >>>

    strongly_connected_components = tarjan( model_checking_graph ) >>> sccGraphs = getModelCheckingSCCSubgraphs ( strongly_connected_components , tcc_structure , model_checking_atoms , model_checking_graph ) >>> sccGraphs [0] [{3: [11, 13], 7: [11, 13], 11: [11, 13], 13: [27, 29], 17: [27, 29], 21: [27, 29], 27: [11, 13], 29: [27, 29]}] See 38 / 71

91. A Prototypical Tool Model Checking Algorithm Self-fulfilling SCC >>> initialNodes

    = getInitialNodes (tcc_structure , model_checking_atoms ) >>> initialNodesEntailFormula (sccGraphs [0], initialNodes , model_checking_atoms ,formula) True >>> isSelfFulfilling (sccGraphs [0], initialNodes , model_checking_atoms ) True Model Checking Algorithm >>> result = modelSatisfiesProperty (phi , tcc_structure ) is Self Fulfilling : True Initial Nodes Entail Formula: True >>> print "Model Satisfies Original Formula: ", not result Model Satisfies Formula: False 39 / 71

92. A Prototypical Tool Results 1. tcc Program: See 2. tcc

    Structure: See 3. Property: ◦ φ = ((in = true) ˙ ⇒ ◦ (x = 1)) ◦ ˙ ¬φ = ♦((in = true) ˙ ∧ ˙ ¬ ◦ (x = 1)) 4. Model Checking Algorithm1: ◦ Self-fulfilling SCC: True ◦ Initial Nodes Entail Formula: True ◦ Model Satisfies Formula: True 5. Conclusion: Model does not satisfy the original formula. 1http://escher.puj.edu.co/~jearias/files/tccModelChecking.zip 40 / 71

93. Outline 1 The tcc Calculus 2 The Model Checking Technique

    3 A Model for tcc Programs 4 A Logic for the Specification of Properties 5 The Model Checking Algorithm 6 A Prototypical Tool 7 Application 8 Concluding Remarks 41 / 71

94. Application Coffee Vending Machine • Model checking is a principal

    technique for verifying finite-state reactive systems, and in particular, digital systems [Kot08a] (e.g. Traffic light controller [BCDM86, Swa97], radar jammer [CEP03], sequence detec- tor [KK09], binary comparator [Kot08b]). • The coffee machine provides the user with a cup of coffee or a cup of hot water (for tea), given that the consumer has inserted the required amount of money. Coffee 10 5 Tea 42 / 71

95. Application Modeling and Verification of Digital Systems • To describe

    the digital system using tcc. • To create the model (tcc Structure) of the system. • To specify the properties to be verified. • Use the model checking algorithm to determine whether the model satisfies the property. 43 / 71

96. Outline 1 The tcc Calculus 2 The Model Checking Technique

    3 A Model for tcc Programs 4 A Logic for the Specification of Properties 5 The Model Checking Algorithm 6 A Prototypical Tool 7 Application 8 Concluding Remarks 44 / 71

97. Concluding Remarks Overview • We proposed a model checking algorithm

    for tcc, an automated formal verification tool. • Model of the system: ◦ Structure (tcc Structure) to model the behavior of a tcc system. ◦ Algorithm to construct the tcc Structure from the tcc specification. ◦ Method to simplify the model. • Temporal logic to specify properties of tcc systems. • Algorithm to determine whether the model of the system satisfies a formula. • Prototype of the model checking algorithm. 45 / 71

98. Concluding Remarks Future Work • Local operator in the model

    construction algorithm. • Automatic tool for constructing the model of the system. • Symbolic and abstract techniques for reducing the state explosion problem. • ntcc model checking. • Prototype improvement (e.g. compute automatically the negated form of the formulas). 46 / 71

99. Thank you!

100. References (1) Michael C. Browne, Edmund M. Clarke, David L.

     Dill, and Bud Mishra. Automatic Verification of Sequential Circuits Using Temporal Logic. IEEE Transactions on Computers, C-35(12):1035–1044, 1986. Luis Alejandro Cort´ es, Petru Eles, and Zebo Peng. Modeling and Formal Verification of Embedded Systems Based On a Petri Net Representation. Journal of Systems Architecture, 49:571–598, 2003. Edmund M. Clarke, Orna Grumberg, and Doron A. Peled. Model Checking. MIT Press, Cambridge, 1999. Michael J. Fischer and Richard E. Ladner. Propositional Dynamic Logic of Regular Programs. Journal of Computer and System Sciences, 18(2):194–211, 1979. 48 / 71

101. References (2) Moreno Falaschi and Alicia Villanueva. Automatic Verification of

     Timed Concurrent Constraint Programs. Theory and Practice of Logic Programming, 6(3):265–300, 2006. Hubert Garavel. Reflections on the Future of Concurrency Theory in General and Process Calculi in Particular. In Proceedings of LIX Colloquium on Emergent Trends in Concurrency Theory, volume 209 of Electronic Notes in Theoretical Computer Science, pages 149–164. Elsevier, 2008. C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall, 1985. 49 / 71

102. References (3) Daniela Kotmanov´ a and Milan Koles´ ar. Application

     of Model Checking to the Verification of Digital Systems. Acta Electrotechnica et Informatica, 9(2):30–37, 2009. Daniela Kotmanov´ a. Temporal Logic in Verification of Digital Circuits. Journal of Electrical Engineering, 59(1):14–22, 2008. Daniela Kotmanov´ a. Temporal Logic in Verification of Digital Circuits. Journal of Electrical Engineering, 59(1):14–22, 2008. 50 / 71

103. References (4) Orna Lichtenstein and Amir Pnueli. Checking that Finite

     State Concurrent Programs Satisfy their Linear Specification. In Proceedings of the 12th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, pages 97–107, New York, NY, USA, 1985. ACM Press. Robin Milner. Communication and Concurrency. International Series in Computer Science. Prentice Hall, 1989. Robin Milner. Communicating and Mobile Systems: the Pi-Calculus. Cambridge University Press, 1999. 51 / 71

104. References (5) Zohar Manna and Amir Pnueli. Temporal Verification of

     Reactive Systems: Safety. Springer-Verlag New York, Inc., 1995. Vijay A. Saraswat. Concurrent Constraint Programming. The MIT Press, 1993. Vijay A. Saraswat, Radha Jagadeesan, and Vineet Gupta. Programming in Timed Concurrent Constraint Languages. In Constraint Programming: Proceedings 1993, NATO Advanced Science Institute Series, pages 361–410, Berlin, 1994. Springer-Verlag. Davide Sangiorgi and David Walker. The Pi-Calculus: A Theory of Mobile Processes. Cambridge University Press, 2003. 52 / 71

105. References (6) Gitanjali Swamy. Formal Verification of Digital Systems. In

     Proceedings of the 10th International Conference on VLSI Design, pages 213–217, Washington, 1997. IEEE Computer Society. 53 / 71

106. The tcc Calculus [SJG94] Formal Syntax (Agents) A ::= c

     (Tell) | now c then A (Timed Positive Ask) | now c else A (Timed Negative Ask) | next A (Unit Delay) | abort (Abort) | skip (Skip) | A || A (Parallel Composition) | ∃x(A) (Hiding) | g (Procedure Call) (Procedure Calls) g ::= p(t1, . . . , tn) (Declarations) D ::= g :: A (Definition) | D.D (Conjunction) (Programs) P ::= D.A Return 54 / 71

107. The tcc Calculus [SJG94] Formal Operational Semantics Axioms for →.

     The binary relation → on configurations is the least relation satisfying the rules : (?, skip) → ? (?, abort) → abort (?, A || B) → (?, A, B) (?, ∃x(A)) → (?, A[y/x]) (y not free in ?) (?, p(t1, . . . , tn)) → (?, A[x1 → t1, . . . , xn → tn]) σ(?) c (?, now c then A) → (?, A) σ(?) c (?, now c else B) → ? Axioms for . The binary relation is the least relation satisfying the single rule : ∆, {now ci else Ai | i < n} ∆, {now ci else Ai | i < n}, {next Bj | j < m} {Ai | i < n}, {Bj | j < m} Return 55 / 71

108. A Model for tcc Programs Program Labeling Let P be

     a tcc specification, the labeled version Pl of P is defined as follows. The subindex k ∈ N corresponds to the number of labels introduced up to a given point. When the labeling process starts, k = 0 and each time that we introduce a new label, k is incremented by one. • If P = tell c then Pl = {ltellk } tell c. • If P = now c then A then Pl = {lnowpk } now c then Al . • If P = now c else A then Pl = {lnownk } now c else Al . • If P = next A then Pl = {lnextk } next Al . • If P = skip then Pl = {lskipk } skip. • If P = A || B then Pl = {l|| k } (Al || Bl ). • If P = p(t1, . . . , tn ) then Pl = {lpk } p(t1, . . . , tn ). Return 56 / 71

109. A Model for tcc Programs The tcc Structure Definition (tcc

     State) Let AP be the atomic propositions in the tcc syntax and L be the set of all labels generated during the labeling process described above. We define the set of states as S ⊆ 2AP × 2L. Definition (Equivalent States) Given two tcc states s and s , we say that two states are equivalent if 1. the set of labels of s and s coincide, and 2. there exists a renaming γ of variables of the constraints in s which makes them syntactically identical to the set of constraints of s . Return 57 / 71

110. A Model for tcc Programs Construction of the Model Our

     procedure consists in locating an active label and perform the actions associated with such agent. The process is performed while there are active labels. When we reach a state where there is no active labels (quiescent point) we have to pass to the next time unit, and then we continue with the procedure. We represent this passage in our graph as follows: 1. Introduce a new node s related with s by a temporal transition. The state s is a state where there is no active labels. 2. We introduce the temporal labels of s in the labels of s . 3. The store and the temporal labels of s are empty. Return 58 / 71

111. A Model for tcc Programs Construction of the Model Tell

     S ≡ {ltellk } tell c. The new information c is added to the store in the current time. We translate this behavior to our graph structure as follows: 1. Add a new node s related with the node s from which the agent is execute. 2. The store of s is defined as the store of s plus the constraint c (i.e. C(s ) = C(s) ∧ c). 3. The internal labels of s are obtained from those of s by removing {ltellk } (i.e. L(s ) = L(s)\{ltellk }). 4. The temporal labels of s are the same as s (i.e. LT(s ) = LT(s)). Return 59 / 71

112. A Model for tcc Programs Construction of the Model Parallel

     S ≡ {l|| k } (Al || Bl ). The agents A and B are executed in parallel. We translate this behavior to our graph structure as follows: 1. Introduce a new node s related with the node s from which the agent is execute. 2. The internal labels of s are obtained from those of s by adding Al and Bl , and removing {l|| k }. Notice that this corresponds to a concurrent semantics rather than an interleaving interpretation of the parallel operator. 3. The store and the temporal labels of s are the same as s. Return 60 / 71

113. A Model for tcc Programs Construction of the Model Timed

     Positive Ask S ≡ {lnowpk } now c then Al . If the current store entails c then the agent A is executed or does nothing otherwise. Next we describe how to translate this agent to our graph. 1. Add two new nodes s1 , s2 related with the node s from which the agent is execute. This branch corresponds to the two possible behaviors. 2. The store of s1 is defined as the union of the store of s and the constraint c. 3. The store of s2 is defined as the store of s plus the absence of the constraint c (i.e. C(s2 ) = C(s) ∧ ∼ c). 4. The internal labels of s1 are obtained from those of s by adding Al and removing {lnowpk }. 5. The internal labels of s2 are the same as s. 6. The temporal labels of s1 and s2 are the same as s. Return 61 / 71

114. A Model for tcc Programs Construction of the Model Skip

     S ≡ {lskipk } skip. This agent does nothing at every time instant. We translate this agent to our graph as follows: 1. Construct a new node s related with the node s from which the agent is executed. 2. The internal labels of s are obtained from those of s by removing {lskipk }. 3. The store and the temporal labels of s are the same as s. Return 62 / 71

115. A Model for tcc Programs Construction of the Model Procedure

     Call S ≡ {lpk } p(t1, . . . , tn ). This operator refers to another procedure which have different labels and variables. To translate this agent to our graph we create a new node and the label associated to the first agent of p is added to the internal labels of the node. Return 63 / 71

116. A Model for tcc Programs Construction of the Model Timed

     Negative Ask S ≡ {lnownk } now c else Al . If on the quiescent point the store does not entail c then the agent A is executed in the next time instant, or does nothing otherwise. We translate this behavior to our graph as follows: 1. Introduce two new nodes s1 , s2 related with the node s from which the agent is execute. This branch corresponds to the two possible behaviors of the agent. 2. The store of s1 is defined as the union of the store of s and the constraint c. 3. The store of s2 is defined as the store of s plus the absence of the constraint c. 4. The internal labels of s1 and s2 are the same as s by removing {lnownk }. 5. The temporal labels of s1 are the same as s. 6. The temporal labels of s2 are obtained from those of s by adding Al . Return 64 / 71

117. A Model for tcc Programs Construction of the Model Unit

     Delay S ≡ {lnextk } next Al . The agent A is executed in the next time instant. We translate this agent to our graph as follows: 1. Construct a new node s related with the node s from which the agent is execute. 2. The internal labels of s are the same as s but removing {lnextk }. 3. The temporal labels of s are obtained from those of s by adding Al . 4. The store of s is the same as s. Return 65 / 71

118. A Logic for the Specification of Properties The ntcc Logic

     Definition (CLTL Semantics) We say that α ∈ Cω satisfies (or that it is a model of) F in CLTL, written α CLTL F, iff α, 1 CLTL F, where: α, i CLTL ˙ true α, i CLTL ˙ false α, i CLTL c iff α(i) c α, i CLTL ˙ ¬F iff α, i CLTL F α, i CLTL F ˙ ∧ G iff α, i CLTL F and α, i CLTL G α, i CLTL F ˙ ∨ G iff α, i CLTL F or α, i CLTL G α, i CLTL ◦F iff α, i + 1 CLTL F α, i CLTL F iff for all j ≥ i α, j CLTL F α, i CLTL ♦F iff there is a j ≥ i s.t. α, j CLTL F α, i CLTL ˙ ∃x F iff there is an x-variant α of α s.t. α , i CLTL F Define F = {α | α CLTL F}. We say that F is CLTL valid iff F = Cω, and that F is CLTL satisfiable iff F = ∅. Return 66 / 71

119. The Model Checking Algorithm Closure The closure of a formula

     ϕ, CL(ϕ), is the smallest set of formulas satisfying the following conditions: 1. ϕ ∈ CL(ϕ), 2. ˙ ¬ϕ1 ∈ CL(ϕ), iff ϕ1 ∈ CL(ϕ), 3. if ϕ1 ˙ ∧ϕ2 ∈ CL(ϕ), then ϕ1, ϕ2 ∈ CL(ϕ), 4. if ϕ1 ˙ ∨ϕ2 ∈ CL(ϕ), then ϕ1, ϕ2 ∈ CL(ϕ), 5. if ˙ ∃x ϕ1 ∈ CL(ϕ), then ϕ1 ∈ CL(ϕ), 6. if ◦ϕ1 ∈ CL(ϕ), then ϕ1 ∈ CL(ϕ), 7. if ˙ ¬ ◦ ϕ1 ∈ CL(ϕ), then ◦ ˙ ¬ϕ1 ∈ CL(ϕ), 8. if ϕ1 ∈ CL(ϕ), then ϕ1, ◦ ϕ1 ∈ CL(ϕ), 9. if ♦ϕ1 ∈ CL(ϕ), then ϕ1, ◦♦ϕ1 ∈ CL(ϕ) Return 67 / 71

120. The Model Checking Algorithm Model Checking Graph Definition (Model-Checking Graph)

     Let ϕ be a formula, CL(ϕ) be the closure of ϕ and Z the tcc Structure. A node n of the model-checking graph is formed by a pair of the form (sn, Qn) where sn is a state of Z and Qn is a subset of CL(ϕ) and the atomic propositions such that the following conditions are satisfied: 1. for every atomic proposition p, p ∈ Qn iff p ∈ C(sn), 2. for every ˙ ∃x ϕ1 ∈ CL(ϕ), ˙ ∃x ϕ1 ∈ Qn iff ˙ ∃x ϕ1 ∈ C(sn), 3. for every ϕ1 ∈ CL(ϕ), ϕ1 ∈ Qn iff ˙ ¬ϕ1 / ∈ Qn, 4. for every ϕ1 ˙ ∧ϕ2 ∈ CL(ϕ), ϕ1 ˙ ∧ϕ2 ∈ Qn iff ϕ1 ∈ Qn and ϕ2 ∈ Qn, 5. for every ϕ1 ˙ ∨ϕ2 ∈ CL(ϕ), ϕ1 ˙ ∨ϕ2 ∈ Qn iff ϕ1 ∈ Qn or ϕ2 ∈ Qn, 6. for every ˙ ¬ ◦ ϕ1 ∈ CL(ϕ), ˙ ¬ ◦ ϕ1 ∈ Qn iff ◦ ˙ ¬ϕ1 ∈ Qn, 7. for every ϕ1 ∈ CL(ϕ), ϕ1 ∈ Qn iff ϕ1 ∈ Qn and ◦ ϕ1 ∈ Qn, 8. for every ♦ϕ1 ∈ CL(ϕ), ♦ϕ1 ∈ Qn iff ϕ1 ∈ Qn or ◦ ♦ϕ1 ∈ Qn. An edge in the graph is defined as follows: there will be an edge from one node n1 = (s1, Q1) to another node n2 = (s2, Q2) iff there is an arc from the node s1 to the node s2 in Z and for every formula ◦ϕ1 ∈ CL(ϕ), ◦ϕ1 ∈ Q1 iff ϕ1 ∈ Q2. This means that the next state s2 must satisfy φ if s1 satisfies ◦φ. Return 68 / 71

121. A Prototypical Tool Closure CL(¬ϕ) = {♦((in = true) ˙

     ∧ ˙ ¬ ◦ (x = 1)), ˙ ¬♦((in = true) ˙ ∧ ˙ ¬ ◦ (x = 1)), ◦ ♦((in = true) ˙ ∧ ˙ ¬ ◦ (x = 1)), ˙ ¬ ◦ ♦((in = true) ˙ ∧ ˙ ¬ ◦ (x = 1)), ◦ ˙ ¬♦((in = true) ˙ ∧ ˙ ¬ ◦ (x = 1)), (in = true) ˙ ∧ ˙ ¬ ◦ (x = 1), ˙ ¬((in = true) ˙ ∧ ˙ ¬ ◦ (x = 1)), ˙ ¬ ◦ (x = 1), ◦ ˙ ¬(x = 1), ◦ (x = 1), (x = 1), ˙ ¬(x = 1), (in = true), ˙ ¬(in = true) } Return 69 / 71

122. A Prototypical Tool Model Checking Graph s3 State s2 State

     s1 State n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n12 n13 n14 n15 n16 s4 State n17 n18 n19 n20 n21 n22 n23 n24 s5 State n25 n26 n27 n28 s6 State n29 n30 n31 n32 n11 Return 70 / 71

123. A Prototypical Tool Strongly Connected Components s3 State s2 State

     s1 State n3 n7 n13 s4 State n17 n21 s5 State n27 s6 State n29 n11 Self-Fulfilling SCC Return 71 / 71