Progress in Theoretical Computer Science

Editor: Ronald V. Book, University of California

Editorial Board: Erwin Engeler, ETH Zentrum, Zurich, Switzerland; Gerard Huet, INRIA, Le Chesnay, France; Jean-Pierre Jouannaud, Universite de Paris-Sud, Orsay, France; Robin Milner, University of Edinburgh, Edinburgh, Scotland; Maurice Nivat, Universite de Paris VII, Paris, France; Martin Wirsing, Universitat Passau, Passau, Germany

Julian Charles Bradfield
Verifying Temporal Properties of Systems
Birkhäuser, Boston, Basel, Berlin

Julian Charles Bradfield, Department of Computer Science, University of Edinburgh, The King's Building, Mayfield Road, Edinburgh EH9 3JZ, United Kingdom

Printed on acid-free paper. © Julian Charles Bradfield 1992. Softcover reprint of the hardcover 1st edition 1992. Copyright is not claimed for works of U.S. Government employees. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission of the copyright owner. Permission to photocopy for internal or personal use, or the internal or personal use of specific clients, is granted by Birkhäuser Boston for libraries and other users registered with the Copyright Clearance Center (CCC), provided that the base fee of $0.00 per copy, plus $0.20 per page is paid directly to CCC, 21 Congress Street, Salem, MA 01970, U.S.A. Special requests should be addressed directly to Birkhäuser Boston, 675 Massachusetts Avenue, Cambridge, MA 02139, U.S.A.

ISBN-13: 978-1-4684-6821-2; e-ISBN-13: 978-1-4684-6819-9; DOI: 10.1007/978-1-4684-6819-9. Camera-ready text prepared by the author.

Contents

Preface
Acknowledgements
Chapter 1. Introduction
  1.1 Infinite state model-checking
  1.2 Background
    1.2.1 Imperative programs and Hoare logic
    1.2.2 Dynamic logic
    1.2.3 Modal and temporal logic
    1.2.4 Modal mu-calculus
    1.2.5 Model checking
  1.3 Local model-checking and infinite systems
  1.4 Synopsis
Chapter 2. Program Logics and the Mu-Calculus
  2.1 Semantics of temporal logics
  2.2 The propositional modal mu-calculus
Chapter 3. The Tableau System
  3.1 Intuition behind the tableau system
  3.2 Definition of the tableau system
  3.3 Simple examples
  3.4 Soundness of the tableau system
  3.5 Completeness of the tableau system
  3.6 Variations on the theme
  3.7 The tableau system and Hoare logic
Chapter 4. Applications to Nets
  4.1 Petri nets
    4.1.1 Basic definitions
    4.1.2 Properties and classes of nets
    4.1.3 Nets in systems modelling
    4.1.4 Building a reader-writer system by shared places
    4.1.5 Transition-oriented design
  4.2 Basic application to nets
    4.2.1 A simple example
    4.2.2 A slot machine
  4.3 Using schematic tableaux
    4.3.1 A simple parametrized safety proof
    4.3.2 A parametrized liveness proof
  4.4 Using limited reachability analysis: the coverability graph
  4.5 Some remarks on compositionality
Chapter 5. The Complexity of Mu-Formulae on Nets
  5.1 Beyond semi-linearity
  5.2 Undecidability of the model-checking problem
  5.3 Ascending the arithmetical hierarchy
  5.4 Beyond the arithmetical hierarchy
    5.4.1 Proof by inductive definitions
    5.4.2 Proof by partially-ordered quantification
Chapter 6. Conclusions and Further Work
  6.1 Incorporating reasoning
  6.2 Decidability of model-checking
  6.3 Proving success
References
List of Notations
Index

Preface

This monograph aims to provide a powerful general-purpose proof technique for the verification of systems, whether finite or infinite.
It extends the idea of finite local model-checking, which was introduced by Stirling and Walker: rather than traversing the entire state space of a model, as is done for model-checking in the sense of Emerson, Clarke et al. (checking whether a (finite) model satisfies a formula), local model-checking asks whether a particular state satisfies a formula, and only explores the nearby states far enough to answer that question. The technique used was a tableau method, constructing a tableau according to the formula and the local structure of the model. This tableau technique is here generalized to the infinite case by considering sets of states, rather than single states; because the logic used, the propositional modal mu-calculus, separates simple modal and boolean connectives from powerful fix-point operators (which make the logic more expressive than many other temporal logics), it is possible to give a relatively straightforward set of rules for constructing a tableau. Much of the subtlety is removed from the tableau itself, and put into a relation on the state space defined by the tableau: the success of the tableau then depends on the well-foundedness of this relation. The generalized tableau technique is exhibited on Petri nets, and various standard notions from net theory are shown to play a part in the use of the technique on nets; in particular, the invariant calculus has a major role. The requirement for a finite presentation of tableaux for infinite systems raises the question of the expressive power of the mu-calculus. This is studied in some detail, and it is shown that on reasonably powerful models of computation, such as Petri nets, the mu-calculus can express properties that are not merely undecidable, but not even arithmetical. This monograph is based on my doctoral dissertation, examined in May 1991 at the University of Edinburgh; some of the material has been published in [Bra91], [BrS90] and [BrS91].
Acknowledgements

Most of this work was done while I was a research student in the Department of Computer Science at the University of Edinburgh, supported by an award from the U.K. Science and Engineering Research Council; the remainder was done while I was a research assistant on the SERC grant 'Mathematically Proven Safety Systems' (GR/F 38808) at Edinburgh. I thank especially my thesis supervisor, Colin Stirling, without whose guidance, encouragement and criticism this work would not have appeared. My thesis examiners, Eike Best and Robin Milner, suggested some improvements; Robin Milner suggested producing this monograph. I have benefited from conversations with many people in Edinburgh, particularly Mads Dam and Glenn Bruns. I thank Glynn Winskel, who introduced me to temporal logic and model checking, and suggested that I go to Edinburgh. Finally, I thank Perdita Stevens for moral support throughout.

Chapter 1. Introduction

1.1 Infinite state model-checking.

This monograph is concerned with the verification of infinite systems. 'Verification' has connotations of algorithmic checking, and is chosen for that reason, for the topic is the combination of two areas which have hitherto been considered separately. Verification in its widest sense has been a major research topic since the beginnings of computer science. For some time, effort was directed towards proving properties of programs by means of logical reasoning, with the meaning of programs given either by logic also (whether predicate logic, as with Floyd, de Bakker, Park et al., or temporal logic, as with Manna and Pnueli) or by a denotational or operational semantics. About ten years ago, a new approach was begun by Clarke, Emerson, Sifakis and others. This approach is termed 'model-checking', since the idea is to consider some system as a model for some logic, and check whether the model satisfies a given formula of the logic expressing some desirable property.
The distinctive feature is checking: rather than performing proofs, one has an algorithm which takes the model and formula as input and returns a yes/no answer. Clarke et al. developed algorithms for the logic CTL (described later), and their algorithms have been implemented by themselves and others (including an implementation in purely functional ML by this author), and have produced useful results. Also ten years ago, Pratt and Kozen introduced a temporal logic called the 'modal mu-calculus'. This logic combines standard modal logic with least and greatest fix-point operators to produce a remarkably expressive logic. Although it looks 'modal', in that no mention is made of paths, the fix-point operators allow the expression of very complex 'temporal' properties, that is, properties involving paths. The modal mu-calculus subsumes many other temporal logics, and so its study is especially useful. Amongst other research, the model-checking idea was transferred to the modal mu-calculus by Emerson and Lei.

However, these model-checking algorithms all proceed by an exhaustive traversal of the state space of the model. Therefore, they are inherently incapable of considering infinite systems. Moreover, this exhaustive traversal may well be unnecessary: some properties depend only on very small parts of a system.

On the other hand, infinite systems and potentially infinite systems, which become more common as interest develops in concurrent and distributed systems, are of course amenable to the logical attack mentioned first. The problem here is that even when a complete proof system is available, an effective proof system is usually not. The quest for effective proof techniques has produced much interesting research (particularly on Petri nets), but it is a fact of life that there are no general effective techniques for any but a very small class of problems.
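The preface and the paragraph above both make the same point: the mu-calculus has no path quantifiers, yet its two fix-point operators let it express path properties, and the Emerson/Clarke style of checking evaluates such a formula by an exhaustive traversal of a finite state space. The following is an added example, not code from the monograph, that makes this concrete: a small Python evaluator for the propositional modal mu-calculus over a finite labelled transition system, computing each fixpoint by iterating its body from the bottom (least fixpoint) or top (greatest fixpoint) of the lattice of state sets. It is the global, whole-state-space style of checking that the text contrasts with, not the local tableau method the book develops. The tuple encoding of formulae, the names `LTS`, `sem`, `sample_system` and `run_examples`, and the four-state sample system are all my own assumptions.

```python
"""Added example (not from the monograph): evaluating propositional modal
mu-calculus formulae on a small finite labelled transition system by
fixpoint iteration.  The formula encoding, the function names and the
sample system are my own constructions, chosen to show how the least (mu)
and greatest (nu) fixpoint operators let a 'modal' logic express path
properties.  This is global evaluation over the whole state space, not the
local tableau method of the book."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Formulae are nested tuples:
#   ('prop', p)     proposition p            ('var', X)     fixpoint variable X
#   ('not', f)      negation (props only)    ('and', f, g) / ('or', f, g)
#   ('dia', a, f)   <a>f: some a-successor satisfies f
#   ('box', a, f)   [a]f: every a-successor satisfies f
#   ('mu', X, f)    least fixpoint           ('nu', X, f)   greatest fixpoint
# Negation is restricted to propositions so every variable occurs positively;
# that keeps each fixpoint body monotone, which is what makes the iteration
# below converge to the intended fixpoint.

States = FrozenSet[str]
# 'p' is a proposition holding nowhere, so this formula is true at every state.
TRUE = ('or', ('prop', 'p'), ('not', ('prop', 'p')))


@dataclass
class LTS:
    states: States
    trans: Dict[str, Set[Tuple[str, str]]]   # state -> {(action, successor)}
    labels: Dict[str, Set[str]]              # state -> propositions holding there

    def pre_some(self, action: str, targets: States) -> States:
        """States with at least one `action`-successor in `targets` (semantics of <a>)."""
        return frozenset(s for s in self.states
                         if any(a == action and t in targets for a, t in self.trans.get(s, ())))

    def pre_all(self, action: str, targets: States) -> States:
        """States all of whose `action`-successors lie in `targets` (semantics of [a])."""
        return frozenset(s for s in self.states
                         if all(t in targets for a, t in self.trans.get(s, ()) if a == action))


def sem(lts: LTS, f, env: Dict[str, States]) -> States:
    """Set of states of `lts` satisfying `f`, under valuation `env` for free variables."""
    kind = f[0]
    if kind == 'prop':
        return frozenset(s for s in lts.states if f[1] in lts.labels.get(s, ()))
    if kind == 'var':
        return env[f[1]]
    if kind == 'not':
        assert f[1][0] == 'prop', "negation only on propositions (positive form)"
        return lts.states - sem(lts, f[1], env)
    if kind == 'and':
        return sem(lts, f[1], env) & sem(lts, f[2], env)
    if kind == 'or':
        return sem(lts, f[1], env) | sem(lts, f[2], env)
    if kind == 'dia':
        return lts.pre_some(f[1], sem(lts, f[2], env))
    if kind == 'box':
        return lts.pre_all(f[1], sem(lts, f[2], env))
    if kind in ('mu', 'nu'):
        # Knaster-Tarski on a finite lattice: start from the empty set (mu) or
        # the full state set (nu) and re-apply the body until nothing changes.
        var, body = f[1], f[2]
        cur = frozenset() if kind == 'mu' else lts.states
        while True:
            nxt = sem(lts, body, {**env, var: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"unknown connective {kind!r}")


def sample_system() -> LTS:
    """Constructed sample: s0 -a-> s1; s1 -a-> s2 and s1 -a-> s3; s2 and s3
    each loop on a.  'done' holds only at s2, 'bad' only at s3."""
    return LTS(
        states=frozenset({'s0', 's1', 's2', 's3'}),
        trans={'s0': {('a', 's1')}, 's1': {('a', 's2'), ('a', 's3')},
               's2': {('a', 's2')}, 's3': {('a', 's3')}},
        labels={'s2': {'done'}, 's3': {'bad'}},
    )


def run_examples() -> Dict[str, States]:
    """Evaluate four path properties, each written with only modalities and fixpoints."""
    lts = sample_system()
    done, bad = ('prop', 'done'), ('prop', 'bad')
    X, Y = ('var', 'X'), ('var', 'Y')
    formulae = {
        # mu X. done or <a>X : some a-path reaches 'done'
        'possibly_done': ('mu', 'X', ('or', done, ('dia', 'a', X))),
        # mu X. done or (<a>true and [a]X) : every a-path reaches 'done'
        'inevitably_done': ('mu', 'X', ('or', done, ('and', ('dia', 'a', TRUE), ('box', 'a', X)))),
        # nu X. not bad and [a]X : no a-path ever reaches 'bad'
        'always_safe': ('nu', 'X', ('and', ('not', bad), ('box', 'a', X))),
        # nu X. mu Y. <a>((done and X) or Y) : some a-path visits 'done' infinitely often
        'infinitely_often_done': ('nu', 'X', ('mu', 'Y', ('dia', 'a', ('or', ('and', done, X), Y)))),
    }
    return {name: sem(lts, f, {}) for name, f in formulae.items()}


if __name__ == '__main__':
    for name, result in run_examples().items():
        print(f"{name:22s} {sorted(result)}")
```

On the sample system, `possibly_done` holds at s0, s1 and s2, while `inevitably_done` and `always_safe` hold only at s2, because s1 can branch into the `bad` loop at s3 and s0 must pass through s1; the nested `infinitely_often_done` holds at s0, s1 and s2. The nesting of a least fixpoint inside a greatest one is the kind of alternation that gives the logic its expressive power, and the iteration order (inner fixpoint recomputed for every outer approximant) is exactly why global checking has to touch the whole state space.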
My purpose here is to bring together the ideas of finite, algorithmic, model-checking and the ability to perform proofs. This is made easier by using the propositional modal mu-calculus, since its connectives fall into two classes. The first class comprises the modal and boolean operators, which are very simple in nature and can be 'checked'. The second comprises the fix-point operators: these, especially the least fix-point, introduce complexity which may require subtle techniques to analyse.

1.2 Background.

1.2.1 Imperative programs and Hoare logic.

The formal proof of program correctness began in the late 1960s. Floyd [Flo67] proposed a method of assigning meanings to imperative languages by annotating each point in the control flow with a proposition, in some logic such as predicate calculus, which should hold there, and he gave techniques for doing this. Floyd's work was formalized and developed by Manna, both alone and with Pnueli [MaP69], to turn program properties into questions of satisfiability or validity in first order logic. This was extended by Park [Par70] who considered second order logic and the use of fix-point induction to prove properties. This work considered recursive program schemes, i.e. programs with what amounts to mutually recursively defined functions. By restricting consideration to straightforward programs with loops, but no functions or procedures, Hoare [Hoa69] produced his celebrated system of axioms for partial correctness. The language studied by Hoare was an abstraction of the common contemporary languages such as Fortran and Algol, and in its simplest form is thus: