Lecture Notes in Computer Science 4424

Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Friedemann Mattern, ETH Zurich, Switzerland
John C. Mitchell, Stanford University, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz, University of Bern, Switzerland
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, University of Dortmund, Germany
Madhu Sudan, Massachusetts Institute of Technology, MA, USA
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Moshe Y. Vardi, Rice University, Houston, TX, USA
Gerhard Weikum, Max-Planck Institute of Computer Science, Saarbruecken, Germany

Orna Grumberg, Michael Huth (Eds.)

Tools and Algorithms for the Construction and Analysis of Systems
13th International Conference, TACAS 2007
Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2007
Braga, Portugal, March 24 - April 1, 2007
Proceedings

Volume Editors
Orna Grumberg, Technion, Israel Institute of Technology, Haifa 32000, Israel. E-mail: orna@cs.technion.ac.il
Michael Huth, Imperial College London, United Kingdom. E-mail: M.Huth@doc.imperial.ac.uk

Library of Congress Control Number: 2007922076
CR Subject Classification (1998): F.3, D.2.4, D.2.2, C.2.4, F.2.2
LNCS Sublibrary: SL – Theoretical Computer Science and General Issues
ISSN 0302-9743
ISBN-10 3-540-71208-9 Springer Berlin Heidelberg New York
ISBN-13 978-3-540-71208-4 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.
Springer is a part of Springer Science+Business Media (springer.com)
© Springer-Verlag Berlin Heidelberg 2007
Printed in Germany
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
SPIN: 12029204 06/3142 5 4 3 2 1 0

Foreword

ETAPS 2007 is the tenth instance of the European Joint Conferences on Theory and Practice of Software, and thus a cause for celebration. The events that comprise ETAPS address various aspects of the system development process, including specification, design, implementation, analysis and
improvement. The languages, methodologies and tools which support these activities are all well within its scope. Different blends of theory and practice are represented, with an inclination towards theory with a practical motivation on the one hand and soundly based practice on the other. Many of the issues involved in software design apply to systems in general, including hardware systems, and the emphasis on software is not intended to be exclusive.

History and Prehistory of ETAPS

ETAPS as we know it is an annual federated conference that was established in 1998 by combining five conferences [Compiler Construction (CC), European Symposium on Programming (ESOP), Fundamental Approaches to Software Engineering (FASE), Foundations of Software Science and Computation Structures (FOSSACS), Tools and Algorithms for Construction and Analysis of Systems (TACAS)] with satellite events. All five conferences had previously existed in some form and in various colocated combinations: accordingly, the prehistory of ETAPS is complex. FOSSACS was earlier known as the Colloquium on Trees in Algebra and Programming (CAAP), being renamed for inclusion in ETAPS as its historical name no longer reflected its contents. Indeed CAAP's history goes back a long way; prior to 1981, it was known as the Colloque de Lille sur les Arbres en Algèbre et en Programmation. FASE was the indirect successor of a 1985 event known as Colloquium on Software Engineering (CSE), which together with CAAP formed a joint event called TAPSOFT in odd-numbered years. Instances of TAPSOFT, all including CAAP plus at least one software engineering event, took place every two years from 1985 to 1997 inclusive. In the alternate years, CAAP took place separately from TAPSOFT. Meanwhile, ESOP and CC were each taking place every two years from 1986. From 1988, CAAP was colocated with ESOP in even years. In 1994, CC became a "conference" rather than a "workshop" and CAAP, CC and ESOP were thereafter all colocated in even years.

TACAS, the youngest of the ETAPS conferences, was founded as an international workshop in 1995; in its first year, it was colocated with TAPSOFT. It took place each year, and became a "conference" when it formed part of ETAPS 1998. It is a telling indication of the importance of tools in the modern field of informatics that TACAS today is the largest of the ETAPS conferences.

The coming together of these five conferences was due to the vision of a small group of people who saw the potential of a combined event to be more than the sum of its parts. Under the leadership of Don Sannella, who became the first ETAPS steering committee chair, they included: Andre Arnold, Egidio Astesiano, Hartmut Ehrig, Peter Fritzson, Marie-Claude Gaudel, Tibor Gyimothy, Paul Klint, Kim Guldstrand Larsen, Peter Mosses, Alan Mycroft, Hanne Riis Nielson, Maurice Nivat, Fernando Orejas, Bernhard Steffen, Wolfgang Thomas and (alphabetically last but in fact one of the ringleaders) Reinhard Wilhelm.

ETAPS today is a loose confederation in which each event retains its own identity, with a separate programme committee and proceedings. Its format is open-ended, allowing it to grow and evolve as time goes by. Contributed talks and system demonstrations are in synchronized parallel sessions, with invited lectures in plenary sessions. Two of the invited lectures are reserved for "unifying" talks on topics of interest to the whole range of ETAPS attendees. The aim of cramming all this activity into a single one-week meeting is to create a strong magnet for academic and industrial researchers working on topics within its scope, giving them the opportunity to learn about research in related areas, and thereby to foster new and existing links between work in areas that were formerly addressed in separate meetings.

ETAPS 1998–2006

The first ETAPS took place in Lisbon in 1998. Subsequently it visited Amsterdam, Berlin, Genova, Grenoble, Warsaw, Barcelona, Edinburgh and Vienna
before arriving in Braga this year. During that time it has become established as the major conference in its field, attracting participants and authors from all over the world. The number of submissions has more than doubled, and the numbers of satellite events and attendees have also increased dramatically.

ETAPS 2007

ETAPS 2007 comprises five conferences (CC, ESOP, FASE, FOSSACS, TACAS), 18 satellite workshops (ACCAT, AVIS, Bytecode, COCV, FESCA, FinCo, GTVMT, HAV, HFL, LDTA, MBT, MOMPES, OpenCert, QAPL, SC, SLA++P, TERMGRAPH and WITS), three tutorials, and seven invited lectures (not including those that were specific to the satellite events). We received around 630 submissions to the five conferences this year, giving an overall acceptance rate of 25%. To accommodate the unprecedented quantity and quality of submissions, we have four-way parallelism between the main conferences on Wednesday for the first time. Congratulations to all the authors who made it to the final programme! I hope that most of the other authors still found a way of participating in this exciting event and I hope you will continue submitting.

ETAPS 2007 was organized by the Departamento de Informática of the Universidade Minho, in cooperation with
– European Association for Theoretical Computer Science (EATCS)
– European Association for Programming Languages and Systems (EAPLS)
– European Association of Software Science and Technology (EASST)
– The Computer Science and Technology Center (CCTC, Universidade Minho)
– Camara Municipal de Braga
– CeSIUM/GEMCC (Student Groups)

The organizing team comprised:
– João Saraiva (Chair)
– José Bacelar Almeida (Web site)
– José João Almeida (Publicity)
– Luís Soares Barbosa (Satellite Events, Finances)
– Victor Francisco Fonte (Web site)
– Pedro Henriques (Local Arrangements)
– José Nuno Oliveira (Industrial Liaison)
– Jorge Sousa Pinto (Publicity)
– António Nestor Ribeiro (Fundraising)
– Joost Visser (Satellite Events)

ETAPS 2007 received generous sponsorship from Fundação para a Ciência e a Tecnologia (FCT), Enabler (a Wipro Company), Cisco and TAP Air Portugal.

Overall planning for ETAPS conferences is the responsibility of its Steering Committee, whose current membership is: Perdita Stevens (Edinburgh, Chair), Roberto Amadio (Paris), Luciano Baresi (Milan), Sophia Drossopoulou (London), Matt Dwyer (Nebraska), Hartmut Ehrig (Berlin), José Fiadeiro (Leicester), Chris Hankin (London), Laurie Hendren (McGill), Mike Hinchey (NASA Goddard), Michael Huth (London), Anna Ingólfsdóttir (Aalborg), Paola Inverardi (L'Aquila), Joost-Pieter Katoen (Aachen), Paul Klint (Amsterdam), Jens Knoop (Vienna), Shriram Krishnamurthi (Brown), Kim Larsen (Aalborg), Tiziana Margaria (Göttingen), Ugo Montanari (Pisa), Rocco de Nicola (Florence), Jakob Rehof (Dortmund), Don Sannella (Edinburgh), João Saraiva (Minho), Vladimiro Sassone (Southampton), Helmut Seidl (Munich), Daniel Varro (Budapest), Andreas Zeller (Saarbrücken).

I would like to express my sincere gratitude to all of these people and organizations, the programme committee chairs and PC members of the ETAPS conferences, the organizers of the satellite events, the speakers themselves, the many reviewers, and Springer for agreeing to publish the ETAPS proceedings. Finally, I would like to thank the organizing chair of ETAPS 2007, João Saraiva, for arranging for us to have ETAPS in the ancient city of Braga.

Edinburgh, January 2007
Perdita Stevens
ETAPS Steering Committee Chair

Preface

This volume contains the proceedings of the 13th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2007) which took place in Braga, Portugal, March 26-30, 2007. TACAS is a forum for researchers, developers and users interested in rigorously based tools and algorithms for the construction and analysis of systems. The conference serves to bridge the gaps between different
communities that share common interests in, and techniques for, tool development and its algorithmic foundations. The research areas covered by such communities include but are not limited to formal methods, software and hardware verification, static analysis, programming languages, software engineering, real-time systems, communications protocols and biological systems. The TACAS forum provides a venue for such communities at which common problems, heuristics, algorithms, data structures and methodologies can be discussed and explored. In doing so, TACAS aims to support researchers in their quest to improve the utility, reliability, flexibility and efficiency of tools and algorithms for building systems.

The specific topics covered by the conference included, but were not limited to, the following: specification and verification techniques for finite and infinite-state systems; software and hardware verification; theorem-proving and model-checking; system construction and transformation techniques; static and runtime analysis; abstraction techniques for modeling and validation; compositional and refinement-based methodologies; testing and test-case generation; analytical techniques for secure, real-time, hybrid, critical, biological or dependable systems; integration of formal methods and static analysis in high-level hardware design or software environments; tool environments and tool architectures; SAT solvers; and applications and case studies.

TACAS traditionally considers two types of papers: research papers that describe in detail novel research within the scope of the TACAS conference; and short tool demonstration papers that give an overview of a particular tool and its applications or evaluation. TACAS 2007 received 170 research and 34 tool demonstration submissions (204 submissions in total), and accepted 45 research papers and tool demonstration papers. Each submission was evaluated by at least three reviewers. Submissions co-authored by a Program Committee member were neither reviewed, discussed nor decided on by any Program Committee member who co-authored a submission. After a 35-day reviewing process, the program selection was carried out in a two-week electronic Program Committee meeting. We believe that this meeting and its detailed discussions resulted in a strong technical program.

The TACAS 2007 Program Committee selected K. Rustan M. Leino (Microsoft Research, USA) as invited speaker, who kindly agreed and gave a talk entitled "Verifying Object-Oriented Software: Lessons and Challenges," reporting on program verification of modern software from the perspective of the Spec# programming system. These proceedings also include the title and abstract of an ETAPS "unifying" talk entitled "There and Back Again: Lessons Learned on the Way to the Market," in which Rance Cleaveland reports about his experience of commercializing formal modeling and verification technology, and how this has changed his view of mathematically oriented software research.

As TACAS 2007 Program Committee Co-chairs we thank the authors and co-authors of all submitted papers, all Program Committee members, subreviewers, and especially our Tool Chair Byron Cook and the TACAS Steering Committee for guaranteeing such a strong technical program. Martin Karusseit gave us prompt support in dealing with the online conference management service. The help of Anna Kramer at the Springer Editorial Office with the general organization and the production of the proceedings was much appreciated.

TACAS 2007 was part of the 10th European Joint Conference on Theory and Practice of Software (ETAPS), whose aims, organization and history are detailed in the separate foreword by the ETAPS Steering Committee Chair. We would like to express our gratitude to the ETAPS Steering Committee, particularly its Chair Perdita Stevens, and the Organizing Committee, notably João Saraiva, for their efforts in making ETAPS 2007 a successful event. Last, but not least, we acknowledge Microsoft Research Cambridge for kindly agreeing to sponsor seven awards (2000 GBP split into seven parts) for students who co-authored and presented their award-winning paper at TACAS 2007. The quality of these papers, as judged in their discussion period, was the salient selection criterion for these awards.

January 2007
Orna Grumberg and Michael Huth

Organization

TACAS Steering Committee
Ed Brinksma, ESI and University of Twente (The Netherlands)
Rance Cleaveland, University of Maryland and Fraunhofer USA Inc. (USA)
Kim Larsen, Aalborg University (Denmark)
Bernhard Steffen, University of Dortmund (Germany)
Lenore Zuck, University of Illinois (USA)

TACAS 2007 Program Committee
Christel Baier, TU Dresden, Germany
Armin Biere, Johannes Kepler University, Linz, Austria
Jonathan Billington, University of South Australia, Australia
Ed Brinksma, ESI and University of Twente, The Netherlands
Rance Cleaveland, University of Maryland and Fraunhofer USA Inc., USA
Byron Cook, Microsoft Research, Cambridge, UK
Dennis Dams, Bell Labs, Lucent Technologies, Murray Hill, USA
Marsha Chechik, University of Toronto, Canada
Francois Fages, INRIA Rocquencourt, France
Kathi Fisler, Worcester Polytechnic, USA
Limor Fix, Intel Research Laboratory, Pittsburgh, USA
Hubert Garavel, INRIA Rhône-Alpes, France
Susanne Graf, VERIMAG, Grenoble, France
Orna Grumberg, Technion, Israel Institute of Technology, Israel
John Hatcliff, Kansas State University, USA
Holger Hermanns, University of Saarland, Germany
Michael Huth, Imperial College London, UK
Daniel Jackson, Massachusetts Institute of Technology, USA
Somesh Jha, University of Wisconsin at Madison, USA
Orna Kupferman, Hebrew University, Jerusalem, Israel
Marta Kwiatkowska, University of Birmingham, UK
Kim Larsen, Aalborg University, Denmark
Michael Leuschel, University of Düsseldorf, Germany
Andreas Podelski, University of Freiburg, Germany
Tiziana Margaria-Steffen, University of Potsdam, Germany
Tom Melham, Oxford University, UK
C. R. Ramakrishnan, SUNY Stony Brook, USA
Jakob Rehof, University of Dortmund and Fraunhofer ISST, Germany
Natarajan Shankar, SRI, Menlo Park, USA
Lenore Zuck, University of Illinois, USA

Additional Reviewers
Parosh Abdulla, Domagoj Babic, Bernd Beckert, Josh Berdine, Christian Bessière, Juliana Bowles, Manuela L. Bujorianu, Aziem Chawdhary, Christopher Conway, Leonardo de Moura, Giorgio Delzanno, Dino Distefano, Niklas Een, Sandro Etalle, Harald Fecher, Marc Fontaine, Goran Frehse, Yuan Gan, Mihaela Gheorghiu, Michael Greenberg, Dimitar Guelev, Peter Habermehl, Tom Hart, Marc Herbstritt, Hardi Hungar, Florent Jacquemard, Thierry Jéron, Toni Jussila, Joachim Klein, Steve Kremer, Kelvin Ku, Viktor Kuncak, Shuvendu Lahiri, Frédéric Lang, Axel Legay, Nimrod Lilith, Angelika Mader, Oded Maler, Joao Marques-Silva, Frédéric Mesnard, Laurent Mounier, Ralf Nagel, Dejan Nickovic, Erika Ábrahám, Marco Bakera, Gerd Behrmann, Marco Bernardo, Per Bjesse, Marius Bozga, Thomas Chatain, Alessandro Cimatti, Patrick Cousot, Alexandre David, Henning Dierks, Daniel Dougherty, Jochen Eisinger, Kousha Etessami, Bernd Finkbeiner, Martin Fränzle, Joern Freiheit, Dan Geiger, Georges Gonthier, Marcus Groesser, Sumit Gulwani, Rémy Haemmerlé, Monika Heiner, Tamir Heyman, Radu Iosif, Himanshu Jain, Barbara Jobstmann, Joost-Pieter Katoen, Piotr Kordy, Sriram Krishnamachari, Hillel Kugler, Marcos E. Kurbán, Charles Lakos, Rom Langerak, Jerome LeRoux, Lin Liu, Stephen Magill, Shahar Maoz, Thierry Massart, Roland Meyer, Anca Muscholl, Kedar Namjoshi, Brian Nielsen, Cyrille Artho, Ittai Balaban, Jens Bendisposto, Tanya Berger-Wolf, Dragan Bosnacki, Laura Brandán Briones, Krishnendu Chatterjee, Koen Lindström Claessen, Frank de Boer, Conrado Daws, Zinovy Diskin, Bruno Dutertre, Cindy Eisner, Azaleh Farzan, Maarten Fokkinga, Lars Frantzen, Guy Gallasch, Naghmeh Ghafari, Alexey Gotsman, Roland Groz, Arie Gurfinkel, Matt Harren, Noomene Ben Henda, Josef Hooman, Franjo Ivancic, David N. Jansen, Narendra Jussien, Victor Khomenko, Eric Koskinen, Daniel Kroening, Wouter Kuijper, Marcel Kyas, Anna-Lena Lamprecht, Richard Lassaigne, Tal Lev-Ami, Yoad Lustig, Thomas Mailund, Jelena Marincic, Radu Mateescu, Marius Mikucionis, Alan Mycroft, Shiva Nejati, Gethin Norman

724 P.A. Abdulla et al.

features such as broadcast communication, rendez-vous communication, and dynamic behaviour. Other approaches tailored to snoopy cache protocols modeled with broadcast communication are presented in [13,21]. In [12] German's directory-based protocol is verified via a manual transformation into a snoopy protocol. It is important to remark that frameworks for finite-state abstractions [8] and those based on cutoff properties [4,23] can be applied to parameterized systems where each component itself contains counters and other unbounded data structures. This allows, for instance, to deal with a model of the Bakery algorithm which is more concrete (precise) than ours. Finally, in [25] a parameterized version of the Java Meta-locking algorithm is verified by means of an induction-based proof technique which requires manual strengthening of the mutual exclusion invariant.

In summary, our method provides a uniform simple abstraction which allows fully automatic verification of a wide class of systems. We have been able to verify all benchmarks available to us from the literature (with the exception of the Bakery protocol, where we can only model an abstraction of the protocol). The benchmarks include some programs, e.g. the German protocol and the Java Meta-locking algorithm, which (to our knowledge) have previously not been possible to verify without user interaction or specialized heuristics. On the negative side, the current method only allows the verification of safety properties, while most regular model checking and abstraction-based techniques can also handle liveness properties.

Outline. In the next section (Section 2) we give some preliminaries and define a basic model for parameterized systems. Section 3 describes the induced transition system and introduces the
coverability (safety) problem In Section we define the over-approximated transition system on which we run our technique Section presents a generic scheme for deciding coverability In Section we instantiate the scheme on the approximate transition system Section explains how we extend the basic model to cover features such as shared variables, broadcast and binary communications, and dynamic creation and deletion of processes In Section we report the results of our prototype on a number of mutual exclusion and cache coherence examples Finally, in Section 9, we give conclusions and directions for future work A detailed description of the case studies can be found in [2] Preliminaries In this section, we define a basic model of parameterized systems This model will be enriched by additional features in Section For a natural number n, let n denote the set {1, , n} We use B to denote the set {true, false} of Boolean values For a finite set A, we let B(A) denote the set of formulas which have members of A as atomic formulas, and which are closed under the Boolean connectives ¬, ∧, ∨ A quantifier is either universal or existential A universal quantifier is of one of the forms ∀LR , ∀L , ∀R An existential quantifier is of one of the forms ∃L , ∃R , or ∃LR The subscripts L, R, and LR CuuDuongThanCong.com Regular Model Checking Without Transducers 725 stand for Left, Right, and Left-Right respectively A global condition over A is of the form ✷θ where ✷ is a quantifier and θ ∈ B(A) A global condition is said to be universal (resp existential) if its quantifier is universal (resp existential) We use G(A) to denote the set of global conditions over A Parameterized Systems A parameterized system consists of an arbitrary (but finite) number of identical processes, arranged in a linear array Each process is a finite-state automaton which operates on a finite number of Boolean local variables The transitions of the automaton are conditioned by the values of the local variables and 
by global conditions in which the process checks, for instance, the local states and variables of all processes to its left or to its right A transition may change the value of any local variable inside the process A parameterized system induces an infinite family of finite-state systems, namely one for each size of the array The aim is to verify correctness of the systems for the whole family (regardless of the number of processes inside the system) A parameterized system P is a triple (Q, X, T ), where Q is a set of local states, X is a set of local variables, and T is a set of transition rules A transition rule t is of the form ⎤ ⎡ q (1) t : ⎣ grd → stmt ⎦ q where q, q ∈ Q and grd → stmt is a guarded command Below we give the definition of a guarded command A guard is a formula grd ∈ B(X)∪G(X ∪Q) In other words, the guard grd constraints either the values of local variables inside the process (if grd ∈ B(X)); or the local states and the values of local variables of other processes (if grd ∈ G(X ∪ Q)) A statement is a set of assignments of the form x1 = e1 ; ; xn = en , where xi ∈ X, ei ∈ B, and xi = xj if i = j A guarded command is of the form grd → stmt, where grd is a guard and stmt is a statement Remark We can extend the definition of the transition rule in (1) so that the grd is a conjunction of formulas in B(X) ∪ G(X ∪ Q) All the definitions and algorithms which are later presented in this paper can easily be extended to the more general form However, for simplicity of presentation, we only deal with the current form Transition System In this section, we first describe the transition system induced by a parameterized system Then we introduce the coverability problem Transition System A transition system T is a pair (D, =⇒), where D is an ∗ to (infinite) set of configurations and =⇒ is a binary relation on D We use =⇒ CuuDuongThanCong.com 726 P.A Abdulla et al denote the reflexive transitive closure of =⇒ We will consider several transition systems in this 
paper First, a parameterized system P = (Q, X, T ) induces a transition system T (P) = (C, −→) as follows A configuration is defined by the local states of the processes, and by the values of the local variables Formally, a local variable state v is a mapping from X to B For a local variable state v, and a formula θ ∈ B(X), we evaluate v |= θ using the standard interpretation of the Boolean connectives A process state u is a pair (q, v) where q ∈ Q and v is a local variable state Sometimes, abusing notation, we view a process state (q, v) as a mapping u : X ∪ Q → B, where u(x) = v(x) for each x ∈ X, u(q) = true, and u(q ) = false for each q ∈ Q − {q} The process state thus agrees with v on the values of local variables, and maps all elements of Q, except q, to false For a formula θ ∈ B(X ∪ Q) and a process state u, the relation u |= θ is then well-defined This is true in particular if θ ∈ B(X) A configuration c ∈ C is a sequence u1 · · · un of process states Intuitively, the above configuration corresponds to an instance of the system with n processes Each pair ui = (qi , vi ) gives the local state and the values of local variables of process i Notice that if c1 and c2 are configurations then their concatenation c1 • c2 is also a configuration Next, we define the transition relation −→ on the set of configurations as follows We will define the semantics of global conditions in terms of two quantifiers ∀ and ∃ For a configuration c = u1 · · · un and a formula θ ∈ B(X ∪ Q), we write c |= ∀θ if ui |= θ for each i : ≤ i ≤ n; and write c |= ∃θ if ui |= θ for some i : ≤ i ≤ n For a statement stmt and a local variable state v, we use stmt(v) to denote the local variable state v such that v (x) = v(x) if x does not occur in stmt; and v (x) = e if x = e occurs in stmt Let t be a transition rule of the form of (1) Consider two configurations c = c1 • u • c2 and c = c1 • u • c2 , where t c to denote that the following three u = (q, v) and u = (q , v ) We write c −→ conditions 
are satisfied: If grd ∈ B(X) then v |= grd, i.e., the local variables of the process in transition should satisfy grd If grd = ✷θ ∈ G(X ∪ Q) then one of the following conditions is satisfied: – ✷ = ∀L and c1 |= ∀θ – ✷ = ∀R and c2 |= ∀θ – ✷ = ∀LR and c1 |= ∀θ and c2 |= ∀θ – ✷ = ∃L and c1 |= ∃θ – ✷ = ∃R and c2 |= ∃θ – ✷ = ∃LR and either c1 |= ∃θ or c2 |= ∃θ In other words, if grd is a global condition then the rest of the processes should satisfy θ (in a manner which depends on the type of the quantifier) v = stmt(v) t c for some t ∈ T We use c −→ c to denote that c −→ Safety Properties In order to analyze safety properties, we study the coverability problem defined below Given a parameterized system P = (Q, X, T ), CuuDuongThanCong.com Regular Model Checking Without Transducers 727 we assume that, prior to starting the execution of the system, each process is in an (identical) initial process state uinit = (qinit , vinit ) In the induced transition system T (P) = (C, −→), we use Init to denote the set of initial configurations, i.e., configurations of the form uinit · · · uinit (all processes are in their initial states) Notice that this set is infinite We define an ordering on configurations as follows Given two configurations, c to denote the existance of c = u1 · · · um and c = u1 · · · un , we write c a strictly monotonic1 injection h from m to n such that ui = uh(i) for each i : ≤ i ≤ m A set of configurations D ⊆ C is upward closed (with respect to ) if c ∈ D and c c implies c ∈ D For sets of configurations D, D ⊆ C we use D −→ D to denote that there are c ∈ D and c ∈ D with c −→ c The coverability problem for parameterized systems is defined as follows: PAR-COV Instance – A parameterized system P = (Q, X, T ) – An upward closed set CF of configurations ∗ CF ? 
Question Init −→ It can be shown, using standard techniques (see e.g [28,16]), that checking safety properties (expressed as regular languages) can be translated into instances of the coverability problem Therefore, checking safety properties amounts to solving PAR-COV(i.e., to the reachability of upward closed sets) Approximation In this section, we introduce an over-approximation of the transition relation of a parameterized system In Section 3, we mentioned that each parameterized system P = (Q, X, T ) induces a transition system T (P) = (C, −→) A parameterized system P also induces an approximate transition system A(P) = (C, ❀ ), where the set C of configurations is identical to the one in T (P) We define ❀= (−→ ∪ ❀1 ), where −→ is the transition relation defined in Section 3, and ❀1 , which reflects the approximation of universal quantifiers, is defined as follows For a configuration c, and a formula θ ∈ B(X ∪ Q), we use c θ to denote the maximal configuration c and c |= ∀θ In other words, we derive c (with respect to ) such that c c from c by deleting all process states which not satisfy θ Consider two configurations c = c1 •u•c2 and c = c1 •u •c2 , where u = (q, v) and u = (q , v ) Let t be a transition rule of the form of (1), such that grd = ✷θ is a universal t global condition We write c ❀ c to denote that the following conditions are satisfied: if ✷ = ∀L , then c1 = c1 θ and c2 = c2 if ✷ = ∀R , then c1 = c1 and c2 = c2 θ h : m → n strictly monotonic means: i < j ⇒ h(i) < h(j) for all i, j : ≤ i < j ≤ m CuuDuongThanCong.com 728 P.A Abdulla et al if ✷ = ∀LR , then c1 = c1 v = stmt(v) θ and c2 = c2 θ t c for some t ∈ T We define the coverability We use c ❀ c to denote that c ❀ problem for the approximate system as follows: APRX-PAR-COV Instance – A parameterized system P = (Q, X, T ) – An upward closed set CF of configurations ∗ CF ? 
Question Init ❀ Since −→⊆❀, a negative answer to APRX-PAR-COV implies a negative answer to PAR-COV Generic Scheme In this section, we recall a generic scheme from [1] for performing symbolic backward reachability analysis Assume a transition system (D, =⇒ ) with a set Init of initial states We will work with a set of constraints defined over D A constraint φ denotes a potentially infinite set of configurations (i.e [[φ]] ⊆ D) For a finite set Φ of constraints, we let [[Φ]] = φ∈Φ [[φ]] We define an entailment relation on constraints, where φ1 φ2 iff [[φ2 ]] ⊆ [[φ1 ]] For sets Φ1 , Φ2 of constraints, abusing notation, we let Φ1 Φ2 denote φ2 Notice that Φ1 Φ2 that for each φ2 ∈ Φ2 there is a φ1 ∈ Φ1 with φ1 implies that [[Φ2 ]] ⊆ [[Φ1 ]] (although the converse is not true in general) For a constraint φ, we let Pre(φ) be a finite set of constraints, such that [[Pre(φ)]] = {c| ∃c ∈ [[φ]] c =⇒ c } In other words Pre(φ) characterizes the set of configurations from which we can reach a configuration in φ through the application of a single transition rule For our class of systems, we will show that such a set always exists and is in fact computable For a set Φ of constraints, we let Pre(Φ) = φ∈Φ Pre(φ) Below we present a scheme for a symbolic algorithm ∗ [[ΦF ]] which, given a finite set ΦF of constraints, checks whether Init =⇒ In the scheme, we perform a backward reachability analysis, generating a sequence Φ0 Φ1 Φ2 · · · of finite sets of constraints such that Φ0 = ΦF , and Φj+1 = Φj ∪ Pre(Φj ) Since [[Φ0 ]] ⊆ [[Φ1 ]] ⊆ [[Φ2 ]] ⊆ · · · , the procedure terminates when we reach a point j where Φj Φj+1 Notice that the termination condition implies that [[Φj ]] = ( 0≤i≤j [[Φi ]]) Consequently, Φj characterizes the set of all ∗ predecessors of [[ΦF ]] This means that Init =⇒ [[ΦF ]] iff (Init [[Φj ]]) = ∅ Observe that, in order to implement the scheme (i.e., transform it into an algorithm), we need to be able to (i) compute Pre; (ii) check for entailment between constraints; 
and (iii) check for emptiness of $Init \cap [\![\phi]\!]$ for a given constraint $\phi$. A constraint system satisfying these three conditions is said to be effective. Moreover, in [1], it is shown that termination is guaranteed in case the constraint system is well quasi-ordered (WQO) with respect to $\sqsubseteq$, i.e., for each infinite sequence $\phi_0, \phi_1, \phi_2, \ldots$ of constraints, there are $i < j$ with $\phi_i \sqsubseteq \phi_j$.

Regular Model Checking Without Transducers 729

Algorithm

In this section, we instantiate the scheme of the previous section to derive an algorithm for solving APRX-PAR-COV. We do that by introducing an effective and well quasi-ordered constraint system. Throughout this section, we assume a parameterized system $P = (Q, X, T)$ and the induced approximate transition system $A(P) = (C, \leadsto)$.

We define a constraint to be a finite sequence $\theta_1 \cdots \theta_m$ where $\theta_i \in B(X \cup Q)$. Observe that for any constraints $\phi_1$ and $\phi_2$, their concatenation $\phi_1 \bullet \phi_2$ is also a constraint. For a constraint $\phi = \theta_1 \cdots \theta_m$ and a configuration $c = u_1 \cdots u_n$, we write $c \models \phi$ to denote that there is a strictly monotonic injection $h$ from $\{1, \ldots, m\}$ to $\{1, \ldots, n\}$ such that $u_{h(i)} \models \theta_i$ for each $i : 1 \le i \le m$. Given a constraint $\phi$, we let $[\![\phi]\!] = \{c \in C \mid c \models \phi\}$. Notice that if $\phi = \theta_1 \cdots \theta_m$ and some $\theta_i$ is unsatisfiable then $[\![\phi]\!]$ is empty. Such a constraint can therefore be safely discarded in the algorithm. An aspect of our constraint system is that each constraint characterizes a set of configurations which is upward closed with respect to the ordering on configurations. Conversely (by Higman's Lemma [17]), any upward closed set $C_F$ of configurations can be characterized as $[\![\Phi_F]\!]$ where $\Phi_F$ is a finite set of constraints. In this manner, APRX-PAR-COV is reduced to checking the reachability of a finite set of constraints. Below we show effectiveness and well quasi-ordering of our constraint system, meaning that we obtain an algorithm for solving APRX-PAR-COV.

Pre

For a constraint $\phi'$, we define $Pre(\phi') = \bigcup_{t \in T} Pre_t(\phi')$, i.e., we compute the set of predecessor constraints with respect to each
transition rule $t \in T$. In the following, assume $t$ to be a transition rule of the form (1). To compute $Pre_t(\phi')$, we first define the function $[t]$ on $X \cup Q$ as follows: for each $x \in X$, $[t](x) = stmt(x)$ if $x$ occurs in $stmt$ and $[t](x) = x$ otherwise. For each $q'' \in Q$, $[t](q'') = true$ if $q''$ is the target state $q'$ of $t$, and $false$ otherwise. For $\theta \in B(X \cup Q)$, we use $\theta[t]$ to denote the formula obtained from $\theta$ by substituting all occurrences of elements in $\theta$ by their corresponding $[t]$-images.

Now, we define two operators, $\otimes$ and $\oplus$, which we use to capture the effects of universal and existential quantifiers when computing $Pre$. We use $\otimes$ to handle universal quantifiers. For a constraint $\phi = \theta_1 \cdots \theta_m$ and a $\theta \in B(X \cup Q)$, we define $\phi \otimes \theta$ to be the constraint $(\theta_1 \wedge \theta) \cdots (\theta_m \wedge \theta)$. We use $\oplus$ to deal with existential quantifiers. For a constraint $\phi = \theta_1 \cdots \theta_m$ and a $\theta \in B(X \cup Q)$, we define $\phi \oplus \theta$ to be the set of constraints which are of one of the following forms:
– $\theta_1 \cdots \theta_{i-1} (\theta_i \wedge \theta) \theta_{i+1} \cdots \theta_m$ where $1 \le i \le m$; or
– $(\theta_1 \wedge \neg\theta) \cdots (\theta_i \wedge \neg\theta)\ \theta\ (\theta_{i+1} \wedge \neg\theta) \cdots (\theta_m \wedge \neg\theta)$ where $0 \le i \le m$.
In the first case, the constraint implies that there is at least one process satisfying $\theta$. In the second case, the constraint does not imply the existence of such a process, and therefore the formula $\theta$ is added explicitly to the representation of the constraint. Notice that in the second case the length of the resulting constraint is larger (by one) than the length of $\phi$. This means that the lengths of the constraints which arise during the analysis are not a priori fixed. Nevertheless, termination is still guaranteed by well quasi-ordering of the constraints.

730 P.A. Abdulla et al.

For a constraint $\phi'$ and a rule $t$ of the form (1), we define $Pre_t(\phi')$ to be the set of all constraints $\phi$ such that $\phi'$ (resp. $\phi$) is of the form $\phi_1' \bullet \theta' \bullet \phi_2'$ (resp. $\phi_1 \bullet \theta \bullet \phi_2$) and the following conditions are satisfied:
– If $grd \in B(X)$ (i.e., $grd$ is a local condition), then $\theta = \theta'[t] \wedge grd \wedge q$, $\phi_1 = \phi_1'$ and $\phi_2 = \phi_2'$;
– If $grd = \Box\, grd'$,
where $grd' \in B(X \cup Q)$, then $\theta = \theta'[t] \wedge q$ and depending on $\Box$ the following conditions hold:
  • If $\Box = \forall_L$ then $\phi_1 = \phi_1' \otimes grd'$ and $\phi_2 = \phi_2'$.
  • If $\Box = \forall_R$ then $\phi_1 = \phi_1'$ and $\phi_2 = \phi_2' \otimes grd'$.
  • If $\Box = \forall_{LR}$ then $\phi_1 = \phi_1' \otimes grd'$ and $\phi_2 = \phi_2' \otimes grd'$.
  • If $\Box = \exists_L$ then $\phi_1 \in \phi_1' \oplus grd'$ and $\phi_2 = \phi_2'$.
  • If $\Box = \exists_R$ then $\phi_1 = \phi_1'$ and $\phi_2 \in \phi_2' \oplus grd'$.
  • If $\Box = \exists_{LR}$ then either $\phi_1 \in \phi_1' \oplus grd'$ and $\phi_2 = \phi_2'$; or $\phi_1 = \phi_1'$ and $\phi_2 \in \phi_2' \oplus grd'$.

Entailment

The following lemma gives a syntactic characterization which allows computing the entailment relation $\sqsubseteq$.

Lemma 1. For constraints $\phi = \theta_1 \cdots \theta_m$ and $\phi' = \theta_1' \cdots \theta_n'$, we have $\phi \sqsubseteq \phi'$ iff there exists a strictly monotonic injection $h : \{1, \ldots, m\} \to \{1, \ldots, n\}$ such that $\theta'_{h(i)} \Rightarrow \theta_i$ for each $i \in \{1, \ldots, m\}$.

Proof. ($\Rightarrow$) Assume there is no such injection. We derive a configuration $c$ such that $c \in [\![\phi']\!]$ and $c \notin [\![\phi]\!]$. To do that, we define the function $g$ on $\{1, \ldots, n\}$ as follows: $g(1) = 1$; $g(i+1) = g(i)$ if $\theta_i' \not\Rightarrow \theta_{g(i)}$, and $g(i+1) = g(i) + 1$ if $\theta_i' \Rightarrow \theta_{g(i)}$. Observe that, since the above mentioned injection does not exist, we have either $g(n) < m$, or $g(n) = m$ and $\theta_n' \not\Rightarrow \theta_m$. We choose $c = u_1 \cdots u_n$, where $u_i$ is defined as follows: (i) if $\theta_i' \not\Rightarrow \theta_{g(i)}$ let $u_i$ be any process state such that $u_i \models \neg\theta_{g(i)} \wedge \theta_i'$; and (ii) if $\theta_i' \Rightarrow \theta_{g(i)}$ let $u_i$ be any process state such that $u_i \models \theta_i'$.

($\Leftarrow$) Assume there exists a strictly monotonic injection $h : \{1, \ldots, m\} \to \{1, \ldots, n\}$ such that $\theta'_{h(i)} \Rightarrow \theta_i$ for each $i \in \{1, \ldots, m\}$. Let $c = u_1 \cdots u_p$ be a configuration in $[\![\phi']\!]$. It follows that there exists a strictly monotonic injection $h' : \{1, \ldots, n\} \to \{1, \ldots, p\}$ such that $u_{h'(i)} \models \theta_i'$ for each $i \in \{1, \ldots, n\}$. By assumption, for each $j \in \{1, \ldots, m\}$, we have $\theta'_{h(j)} \Rightarrow \theta_j$. Therefore, for each $j \in \{1, \ldots, m\}$, $u_{h' \circ h(j)} \models \theta_j$. It is straightforward to check that $h' \circ h$ is a strictly monotonic injection from $\{1, \ldots, m\}$ to $\{1, \ldots, p\}$. It follows that $c \in [\![\phi]\!]$.

Intersection with Initial States

For a constraint $\phi = \theta_1 \cdots \theta_n$, we have $(Init \cap [\![\phi]\!]) = \emptyset$ iff $u_{init} \not\models \theta_i$ for some $i \in \{1, \ldots, n\}$.

Termination

We show that the constraint system is well quasi-ordered (WQO) with respect to $\sqsubseteq$. $(A, \preceq)$ is obviously a WQO for any finite set $A$ and any quasi-order $\preceq$ on $A$. Let $A^*$ be the set of words over $A$, and $\preceq^*$ be
the subword relation. Higman's Lemma [17] states that $(A^*, \preceq^*)$ is also a WQO. Take $A$ to be the quotient set of $B(X \cup Q)$ under logical equivalence. Let $\preceq$ be the implication relation on formulas in $B(X \cup Q)$. By Lemma 1, the relation $\sqsubseteq$ coincides with $\preceq^*$. We conclude that the constraint system is a WQO.

Extensions

In this section, we add a number of features to the model defined in the preceding sections. For each additional feature, we show how to modify the constraint system of the Algorithm section in a corresponding manner.

Shared Variables

We assume the presence of a finite set $S$ of Boolean shared variables that can be read and written by all processes in the system. A guard may constrain the values of both the shared and the local variables, and a statement may assign values to the shared variables (together with the local variables). It is straightforward to extend the definitions of the induced transition system and the symbolic algorithm to deal with shared variables.

Variables over Finite Domains

Instead of Boolean variables, we can use variables which range over arbitrary finite domains. Below we describe an example of such an extension. Let $Y$ be a finite set of variables which range over $\{0, 1, \ldots, k\}$, for some natural number $k$. Let $N(Y)$ be the set of formulas of the form $x \sim y$ where $\sim$ is a comparison operator (such as $\ge$) and $x, y \in Y \cup \{0, 1, \ldots, k\}$. A guard is a formula $grd \in B(X \cup N(Y)) \cup G(X \cup Q \cup N(Y))$. In other words, the guard $grd$ may also constrain the values of the variables in $Y$. Similarly, a statement may assign values in $\{0, 1, \ldots, k\}$ to variables in $Y$. A local variable state is a mapping from $X \cup Y$ to $B \cup \{0, 1, \ldots, k\}$ respecting the types of the variables. The definitions of configurations, the transition relation, and constraints are extended in the obvious manner. Well quasi-ordering of the constraint system follows in a similar manner to Section 6, using the fact that variables in $Y$ range over finite domains.

Broadcast

In a broadcast transition, an arbitrary
number of processes change states simultaneously. A broadcast rule is a sequence of transition rules of the following form:

$$\begin{bmatrix} q_0 \\ grd_0 \to stmt_0 \\ q_0' \end{bmatrix} \begin{bmatrix} q_1 \\ grd_1 \to stmt_1 \\ q_1' \end{bmatrix}^* \begin{bmatrix} q_2 \\ grd_2 \to stmt_2 \\ q_2' \end{bmatrix}^* \cdots \begin{bmatrix} q_m \\ grd_m \to stmt_m \\ q_m' \end{bmatrix}^* \qquad (2)$$

where $grd_i \in B(X)$ for each $i : 0 \le i \le m$. Below, we use $t_i$ to refer to the $i$th rule in the above sequence. The broadcast rule is deterministic in the sense that either $grd_i \wedge grd_j$ is not satisfiable or $q_i \ne q_j$ for each $i, j : 1 \le i \ne j \le m$. The broadcast is initiated by a process, called the initiator, which is represented by $t_0$ (i.e., the leftmost transition rule). This transition rule has the same interpretation as before. That is, in order for the broadcast transition to take place, the initiator should be in local state $q_0$ and its local variables should satisfy the guard $grd_0$. After the completion of the broadcast, the initiator has changed state to $q_0'$ and updated its local variables according to $stmt_0$. Together with the initiator, an arbitrary number of processes, called the receptors, change state simultaneously. The receptors are modeled by the transition rules $t_1, \ldots, t_m$ (each rule being marked by a $*$ to emphasize that an arbitrary number of receptors may execute that rule). More precisely, if the local state of a process is $q_i$ and its local variables satisfy $grd_i$, then the process changes its local state to $q_i'$ and updates its local variables according to $stmt_i$. Notice that since the broadcast rule is deterministic, a receptor satisfies the precondition of at most one of the transition rules. Processes which do not satisfy the precondition of any of the transition rules remain passive during the broadcast. We define a transition relation $\longrightarrow_B$ to reflect broadcast transitions. The definition of $\longrightarrow_B$ can be derived in a straightforward manner from the above informal description. We extend the transition relation $\longrightarrow$ defined in Section 3 by taking its union with $\longrightarrow_B$. In a similar manner, we extend the approximate
transition relation $\leadsto$ (defined in Section 4) by taking its union with $\longrightarrow_B$. This means that broadcast transitions are interpreted exactly, and thus they do not add any additional approximation to $\leadsto$. We use the same constraint system as the one defined for systems without broadcast; consequently checking entailment, checking intersection with initial states, and proving termination are identical to the Algorithm section. Below we show how to compute $Pre$. Consider a constraint $\phi' = \theta_1' \cdots \theta_n'$ and a broadcast rule $b$ of the above form. We define $Pre_b(\phi')$ to be the set of all constraints of the form $\theta_1 \cdots \theta_n$ such that there is $i : 1 \le i \le n$ and the following properties are satisfied:
– $\theta_i = \theta_i'[t_0] \wedge grd_0 \wedge q_0$. This represents the predecessor state of the initiator.
– For each $j : 1 \le j \ne i \le n$, one of the following properties is satisfied:
  • $\theta_j = \theta_j' \wedge \neg((q_1 \wedge grd_1) \vee (q_2 \wedge grd_2) \vee \cdots \vee (q_m \wedge grd_m))$. This represents a passive process (a process other than the initiator is allowed to be passive if it does not satisfy the preconditions of any of the rules).
  • $\theta_j = \theta_j'[t_k] \wedge grd_k \wedge q_k$, for some $k : 1 \le k \le m$. This represents a receptor.

Binary Communication

In binary communication two processes perform a rendez-vous, changing states simultaneously. A rendez-vous rule consists of two transition rules of the form

$$\begin{bmatrix} q_1 \\ grd_1 \to stmt_1 \\ q_1' \end{bmatrix} \begin{bmatrix} q_2 \\ grd_2 \to stmt_2 \\ q_2' \end{bmatrix} \qquad (3)$$

where $grd_1, grd_2 \in B(X)$. Binary communication can be treated in a similar manner to broadcast transitions (here there is exactly one receptor). The model definition and the symbolic algorithm can be extended in a corresponding way.

Dynamic Creation and Deletion

We allow dynamic creation and deletion of processes. A process creation rule is of the form

$$\begin{bmatrix} \cdot \\ grd \to \cdot \\ q \end{bmatrix} \qquad (4)$$

where $q \in Q$ and $grd \in B(X)$. The rule creates a new process whose local state is $q$ and whose local variables satisfy $grd$. The newly created processes may be placed anywhere inside the array
of processes. We define a transition relation $\longrightarrow_D$ to reflect process creation transitions as follows. For configurations $c$ and $c'$, and a process creation rule $d$ of the form (4), we define $c \longrightarrow_D c'$ to denote that $c'$ is of the form $c_1 \bullet u \bullet c_2$ where $c = c_1 \bullet c_2$, $u = (q, v)$ and $v \models grd$. We use the same constraint system as the one defined for systems without process creation and deletion. We show how to compute $Pre$. Consider a constraint $\phi'$ and a creation rule $d$ of the form (4). We define $Pre_d(\phi')$ to be the set of all constraints $\phi$ such that $\phi'$ (resp. $\phi$) is of the form $\phi_1 \bullet \theta' \bullet \phi_2$ (resp. $\phi_1 \bullet \phi_2$) and $\theta'[t] \wedge grd$ is satisfiable. Notice that $\theta'[t]$ does not change the values of the local variables in $\theta'$.

A process deletion rule is of the form

$$\begin{bmatrix} q \\ grd \to \cdot \\ \cdot \end{bmatrix} \qquad (5)$$

where $q \in Q$ and $grd \in B(X)$. The rule deletes a single process whose local state is $q$ provided that the guard $grd$ is satisfied. The definitions of the transition system and the symbolic algorithm can be extended similarly to the case with process creation rules. We omit the details here due to shortage of space.

Counters

Using deletion, creation, and universal conditions we can simulate counters, i.e., global unbounded variables which range over the natural numbers. For each counter $c$, we use a special local state $q_c$, such that the value of $c$ is encoded by the number of occurrences of $q_c$ in the configuration. Increment and decrement operations can be simulated using creation and deletion of processes in local state $q_c$. Zero-testing can be simulated through universal conditions. More precisely, $c = 0$ is equivalent to the condition that there is no process in state $q_c$. This gives a model which is as powerful as Petri nets with inhibitor arcs (or equivalently counter machines). Observe that the approximation introduced by the universal condition means that we replace zero-testing (in the original model) by resetting the counter value to zero (in the approximate model). Thus, we are essentially approximating the counter
machine by the corresponding lossy counter machine (see [22] for a description of lossy counter machines). In fact, we can equivalently add counters as a separate feature (without simulation through universal conditions), and approximate zero-testing by resetting as described above.

Experimental Results

Based on our method, we have implemented a prototype tool and run it on a collection of mutual exclusion and cache coherence protocols. The results, using a Pentium M 1.6 GHz with 1G of memory, are summarized in Tables 1 and 2. For each of the mutual exclusion protocols, we consider two variants; namely one with dynamic creation and deletion of processes (marked with a * in Table 1), and one without. Full details of the examples can be found in [2]. For each example, we give the number of iterations performed by the reachability algorithm, the largest number of constraints maintained at any point during the execution of the algorithm, and the time (in milliseconds). The computation for each example required less than 15MB of memory.

Table 1. Mutual exclusion algorithms. Columns: # iter, # constr, t(ms). Rows: Bakery, Bakery*, Burns, Burns*, Java M-lock, Java M-lock*, Dijkstra, Dijkstra*, Szymanski, Szymanski*. (Cell values as extracted, row alignment lost: # iter / # constr: 2 2 14 71 21 24 17 13 150 57 17 334 17 334; t(ms): 4 230 32 30 30 1700 168 3880 4080.)

Table 2. Cache coherence protocols. Columns: # iter, # constr, t(ms). Rows: Synapse, Berkeley, Mesi, Moesi, Dec Firefly, Xerox P.D., Illinois, Futurebus, German. (Cell values as extracted, row alignment lost: 3 8 12 12 11 16 20 52 33 80 153 300 44 14475 3h45mn.)

Conclusion and Future Work

We have presented a method for verification of parameterized systems where the components are organized in a linear array. We derive an over-approximation of the transition relation which allows the use of symbolic reachability analysis defined on upward closed sets of configurations. Based on the method, we have implemented a prototype which performs favorably compared to existing tools on several protocols which implement cache coherence and mutual exclusion. One direction for
future research is to apply the method to other types of topologies than linear arrays. For instance, in the cache coherence protocols we consider, the actual ordering on the processes inside the protocol has no relevance. These protocols fall therefore into a special case of our model where the system can be viewed as a set of processes (without structure) rather than as a linear array. This indicates that the verification algorithm can be optimized even further for such systems. Furthermore, since our algorithm relies on a small set of properties of words which are shared by other data structures, we believe that our approach can be lifted to a more general setting. In particular we aim to develop similar algorithms for systems whose behaviours are captured by relations on trees and on general forms of graphs.

References

1. P. A. Abdulla, K. Čerāns, B. Jonsson, and T. Yih-Kuen. General decidability theorems for infinite-state systems. In Proc. LICS '96, pages 313–321, 1996.
2. P. A. Abdulla, N. B. Henda, G. Delzanno, and A. Rezine. Regular model checking without transducers. Technical Report 2006-052, Uppsala University, Dec. 2006.
3. P. A. Abdulla, B. Jonsson, M. Nilsson, and J. d'Orso. Regular model checking made simple and efficient. In Proc. CONCUR '02, pages 116–130, 2002.
4. T. Arons, A. Pnueli, S. Ruah, J. Xu, and L. Zuck. Parameterized verification with automatically computed inductive assertions. In CAV '01, pages 221–234, 2001.
5. K. Baukus, Y. Lakhnech, and K. Stahl. Parameterized verification of a cache coherence protocol: Safety and liveness. In VMCAI '02, pages 317–330, 2002.
6. B. Boigelot, A. Legay, and P. Wolper. Iterating transducers in the large. In Proc. CAV '03, volume 2725 of LNCS, pages 223–235, 2003.
7. A. Bouajjani, P. Habermehl, and T. Vojnar. Abstract regular model checking. In Proc. CAV '04, LNCS, pages 372–386, Boston, July 2004.
8. E. Clarke, M. Talupur, and H. Veith. Environment abstraction for parameterized verification. In Proc. VMCAI '06, volume 3855 of LNCS, pages 126–141, 2006.
9. D. Dams, Y. Lakhnech, and M. Steffen. Iterating transducers. In Proc. CAV '01, volume 2102 of LNCS, 2001.
10. G. Delzanno. Automatic verification of cache coherence protocols. In Emerson and Sistla, editors, Proc. CAV '00, volume 1855 of LNCS, pages 53–68, 2000.
11. G. Delzanno. Verification of consistency protocols via infinite-state symbolic model checking. In Proc. FORTE/PSTV 2000, pages 171–186, 2000.
12. E. Emerson and V. Kahlon. Exact and efficient verification of parameterized cache coherence protocols. In CHARME 2003, pages 247–262, 2003.
13. E. Emerson and V. Kahlon. Model checking guarded protocols. In Proc. LICS '03, pages 361–370, 2003.
14. J. Esparza, A. Finkel, and R. Mayr. On the verification of broadcast protocols. In Proc. LICS '99, pages 352–359, 1999.
15. S. M. German and A. P. Sistla. Reasoning about systems with many processes. Journal of the ACM, 39(3):675–735, 1992.
16. P. Godefroid and P. Wolper. Using partial orders for the efficient verification of deadlock freedom and safety properties. FMSD, 2(2):149–164, 1993.
17. G. Higman. Ordering by divisibility in abstract algebras. Proc. London Math. Soc., 2:326–336, 1952.
18. P. Kelb, T. Margaria, M. Mendler, and C. Gsottberger. MOSEL: A flexible toolset for monadic second-order logic. In Proc. TACAS '97, pages 183–202, 1997.
19. Y. Kesten, O. Maler, M. Marcus, A. Pnueli, and E. Shahar. Symbolic model checking with rich assertional languages. TCS, Volume 256, pages 93–112, 2001.
20. S. K. Lahiri and R. E. Bryant. Indexed predicate discovery for unbounded system verification. In CAV 2004, pages 135–147, 2004.
21. M. Maidl. A unifying model checking approach for safety properties of parameterized systems. In Proc. CAV '01, pages 324–336, 2001.
22. R. Mayr. Undecidable problems in unreliable computations. Theoretical Computer Science, Volume 297, pages 337–354, 2003.
23. A. Pnueli, S. Ruah, and L. Zuck. Automatic deductive verification with invisible invariants. In Proc. TACAS '01, pages 82–97, 2001.
24. A. Pnueli, J. Xu, and L. Zuck. Liveness with (0,1,infinity)-counter abstraction. In Proc. CAV '02, volume 2404 of LNCS, 2002.
25. A. Roychoudhury and I. Ramakrishnan. Automated inductive verification of parameterized protocols. In Proc. CAV '01, pages 25–37, 2001.
26. C. Topnik, E. Wilhelm, T. Margaria, and B. Steffen. jMosel: A Stand-Alone Tool and jABC Plugin for M2L(Str). In Model Checking Software: 13th International SPIN Workshop, volume 3925 of LNCS, pages 293–298, 2006.
27. T. Touili. Regular Model Checking using Widening Techniques. ETCS, 50(4), 2001. Proc. VEPAS'01.
28. M. Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program verification. In Proc. LICS '86, pages 332–344, June 1986.
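As an added example (not the authors' prototype, nor code from the paper), the following Python implements the constraint system of the Algorithm section above: formulas of $B(X \cup Q)$ represented semantically as sets of process states, entailment decided by the injection of Lemma 1, the $\otimes$ and $\oplus$ operators, $Pre_t$ for local and quantified guards, the intersection test with $Init$, and the generic backward reachability scheme. The Rule encoding, the restriction to statement-free rules without local variables, and the two-state mutex (a correct $\forall_{LR}$ guard beside a flawed $\forall_L$ guard) are assumptions constructed for the example.

```python
"""Added example (not the authors' tool): the constraint system of the Algorithm
section and the generic backward reachability scheme.  A formula in B(X ∪ Q) is
the frozenset of process states satisfying it (implication = subset inclusion,
unsatisfiable = empty).  Assumed: X is empty, so a process state is just its q, and
rules have no statement, so theta'[t] just asks whether theta' holds at q_to."""
from collections import namedtuple
from itertools import product

Rule = namedtuple("Rule", "q_from q_to kind grd")  # kind: local, AL, AR, ALR, EL, ER

def entails(phi, phi2):
    """Lemma 1: phi ⊑ phi2 iff a strictly monotonic injection h matches each theta_i of
    phi with a theta'_{h(i)} of phi2, theta'_{h(i)} ⇒ theta_i (greedy = the proof's g)."""
    j = 0
    for theta in phi:
        while j < len(phi2) and not phi2[j] <= theta:
            j += 1
        if j == len(phi2):
            return False
        j += 1
    return True

def otimes(phi, theta):
    """phi ⊗ theta: conjoin theta with every component (universal guards)."""
    return tuple(t & theta for t in phi)

def oplus(phi, theta):
    """phi ⊕ theta: constraints asserting that some process satisfies theta, either
    an existing component or a newly inserted one (all others then get ¬theta)."""
    out = [phi[:i] + (phi[i] & theta,) + phi[i + 1:] for i in range(len(phi))]
    neg = tuple(t - theta for t in phi)
    return out + [neg[:i] + (theta,) + neg[i:] for i in range(len(phi) + 1)]

def init_disjoint(phi, u_init):
    return any(u_init not in t for t in phi)  # Init ∩ [[phi]] = ∅ iff u_init fails some theta_i

def pre_t(phi2, rule):
    """Pre_t(phi2) for one rule; constraints with an unsatisfiable component are dropped."""
    res = []
    for i, theta2 in enumerate(phi2):
        # theta = theta2[t] ∧ q: the predecessor is in q_from and q_to satisfies theta2
        theta = frozenset({rule.q_from}) if rule.q_to in theta2 else frozenset()
        lefts, rights = [phi2[:i]], [phi2[i + 1:]]
        if rule.kind == "local":
            theta &= rule.grd
        elif rule.kind.startswith("A"):  # universal guard: ⊗ on the chosen side(s)
            lefts = [otimes(lefts[0], rule.grd)] if "L" in rule.kind else lefts
            rights = [otimes(rights[0], rule.grd)] if "R" in rule.kind else rights
        else:  # existential guard: ⊕ on one side
            lefts = oplus(lefts[0], rule.grd) if rule.kind == "EL" else lefts
            rights = oplus(rights[0], rule.grd) if rule.kind == "ER" else rights
        for left, right in product(lefts, rights):
            phi = left + (theta,) + right
            if all(phi):  # every component satisfiable (non-empty)
                res.append(phi)
    return res

def backward_reach(phi_f, rules, u_init):
    """Generic scheme: Phi_0 = Phi_F, Phi_{j+1} = Phi_j ∪ Pre(Phi_j), until Phi_j ⊑ Phi_{j+1}
    (each new constraint is entailed by an old one).  Returns (Init ∩ [[Phi_j]] ≠ ∅, Phi_j)."""
    phis = list(phi_f)
    while True:
        added = False
        for old, rule in product(list(phis), rules):
            for phi in pre_t(old, rule):
                if not any(entails(p, phi) for p in phis):
                    phis.append(phi)
                    added = True
        if not added:
            return any(not init_disjoint(p, u_init) for p in phis), phis

# Constructed sample: a two-state mutex.  ENTER_SAFE requires every other process
# (∀LR) to be non-critical; ENTER_BAD only checks the processes to its left (∀L).
IDLE, CRIT = frozenset({"idle"}), frozenset({"crit"})
LEAVE = Rule("crit", "idle", "local", IDLE | CRIT)  # guard true
ENTER_SAFE = Rule("idle", "crit", "ALR", IDLE)      # ∀LR ¬crit
ENTER_BAD = Rule("idle", "crit", "AL", IDLE)        # ∀L ¬crit
TWO_IN_CRIT = [(CRIT, CRIT)]                        # Phi_F: two processes in crit

def mutex_violated(enter_rule):
    return backward_reach(TWO_IN_CRIT, [enter_rule, LEAVE], "idle")[0]
```

With the $\forall_L$ variant the analysis reaches the constraint (idle)(idle), which $Init$ satisfies: the right process enters first, then the left one enters because nothing lies to its left.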