An Approach to Compositional Model Checking *
Hector Andradet and Beverly Sandersl
February 7, 2002
Technical Report TR02006. Computer and Information Science and Engi
neering Department, U! i i of Florida.
Abstract
A natural trend in most of the engineering disciplines is the construc
tion of systems from components. This has the potential to reduce costs
and increase reliability, provided that the components can be specified and
verified in such a way that it is possible to reason about the composed
system. In this paper, we explore an approach to compositional reasoning
that uses model checking to verify component specifications and deduc
tion to verify the constraints that a component imposes on the system in
which it is embedded. \\ use CTL as the specification language along
with the : IV model checker.
1 Introduction
A natural trend in most of the engineering disciplines is the construction of
 1. i, from components. The basic idea behind this compositional approach
is to use (and reuse) previously constructed components the correctness and
reliability of which have been assessed satisfactorily. This has the potential to
reduce costs and increase reliability, provided that the components can be spec
ified and verified in such a way that it is possible to reason about the composed
S1. It In computer 1 11 there are often multiple components executing
simultaneously. This kind of interaction gives raise to a I I" of composition
called parallel composition. Systems with this kind of interaction are called
reactive  1. 11i [7]. These  1 1i maintain an ongoing interaction with their
environment. Examples of these I. i! include operating 1. i!i network
protocols, process control programs, web servers and concurrent programs in
general. Some of these  i i are considered critical in the sense that a failure
might cause the loss of huge amounts of iii". or even death.
*This work was supported by AFOSR grant 451420912
tComputer Systems Department, Veracruz Institute of !.. ...... Veracruz, Mexico.
email: handrade itver.edu.mx
*Computer and Information Science and Engineering Department, University of Florida,
Gainesville, FL, USA. email: sandersecise.ufl.edu
The goal of this work is to explore the possibility of using a standard logic
(CTL) and its verification tools (model 1 .1: J1 _' for open  . 1 1 1. 1 
that are intended to be used as a component in a larger 1. 11, We develop a
theory that allows us to specify a component with a set of properties expressed
in a basic logichere we use CTLalong with a higherorder property called
guarantees properties originally introduced in [1]. The guarantees properties of
a component something about the behavior of  1. 11 containing the com
ponent, provided the  t. ! themselves satisfy certain constraints. While the
guarantees properties for a component !i be fairly expensive to verify, I I';
cally requiring some deduction along with model checking, this is tolerable since
the verification needs only be done once for the component. The constraints
on the  I. i! need to be verified each time the component is used, and thus
should be easier to verify, usually with model checking only. This . iii,,<. li
is not present in compositional approaches with 1!il, i i I goals, for example re
ducing the state explosion in automatic techniques for verification of temporal
properties. Guarantees properties impose constraints on the entire I. i in
which a component is embedded. In order to facilitate checking these properties,
we identify useful subsets of properties expressed in CTL, called universal and
existential properties that are amenable to compositional checking. Universal
properties hold in a  I. i, if they hold for all components, while existential
properties hold in a  I. i, if they hold for ;.,i component. Constraints ex
pressed using existential and universal properties can be checked separately on
each component of the  1. 1,
The rest of the paper is organized as follows. In section 2 we give a brief
overview of CTL. Section 3 contains results allowing us to apply our approach to
compositional reasoning with CTL and use model checking to verify component
properties. In section 4 we illustrate our approach with an example. I ii !,
we discuss our results and related work.
2 Computation Tree Logic
In this section, we describe Computation Tree Logic (CTL) which we use with
our compositional theory. In section 3.3, we identify useful subsets of properties
expressed in CTL as universal and existential properties that are amenable to
compositional checking.
2.1 Definitions and notation
CTL is a subset of modal tense logic defined by ( '! I !:i and Emerson [2]. In CTL
temporal operators occur in pairs consisting of A or E, followed by F, G, U or
X. Let Z be a set of atomic propositions. CTL is inductively defined as the
class of state formulas (true or false of states) using the following rules:
Sl. Every atomic proposition p E Z is a state formula.
S2. If p and q are state formulas, then, so are p A q, p
S3. If p is a path formula then Ep, Ap, are state formulas
PO. If p,q are state formulas then Xp, p U q are path formulas.
The remaining operators are viewed as being derived from these according
to the following rules:
f V g= (f A g)
f = g = (f A g)
AFg = A(true U g)
EFg = E(true U g)
AGf = E(true U f)
EGf = A(true U f)
The truth or falsehood of a formula in this logic is with respect to a given state in
a given finite model. We use a structure (Z, R) where Z is a finite set of atomic
propositionsI and R, the transition relation, is a total relation R : 2"  2".
Since we are dealing with finite state  l. i a state in this model can be
represented uniquely by a set of atomic propositions, this set contains exactly
those propositions that are true in the state. R is a finite set of pairs of states.
We assume that R is reflexive.
We can represent sets of states with boolean formulas. For example, if
S= {a, b, c} the formula a A b represents the states: {a, b, c} and {a, b} and
the formula (a V b) represents the states, {c} and 0. Thus, a boolean formula
f represents the set of states containing atomic propositions that make f true.
The formula true represents the set of all the states in the structure and the
formula false represents the !il'~ set.
A path of a model M = (E, R) is an ', / sequence of states (so, sl,...) such
that each pair of states (si, si+i) E R.
An atomic proposition can be considered as a boolean variable true or false in any par
ticular state
The semantics of CTL formulas is given below:
s p iff p E Ap is true ins
s 4f iff s f
s =fAg iff s fAs g
so AXYf iff for all paths (so, s1,...) :s s f
so EXf iff for some path (so, i, ...) :s /f
so A(f U g) iff for all paths (so, S1,...):
3i : si g and Vj < i : sj f
so E(f U g) iff for some path (so, S1,...):
3i : si g and Vj < i : sj f
We also use p f where p is a path to denote that path formula f holds along
path p. The notation:
M, f
means that formula f is true in state s in  I. i M. Sometimes, when M is
understood we just write s k f. The notation:
M f
means that f is true of all states in M. That is,
M A f (Vs: s E 2" : s f)
Occasionally, we are interested in CTL formulas in which every atomic propo
sition mentioned is a member of some specific set E. We write C(E) to denote
the set of CTL formulas mentioning exclusively atomic propositions in E.
2.2 Fairness and Initial Conditions
In ifr i, progress properties of concurrent  I i, it is often necessary to
consider only fair execution sequences. For example, in a  1. ii of concurrent
processes, we might want to consider only execution paths in which each process
is executed infinitely often. As discussed in [5], fairness properties in general
cannot be expressed in CTL. For example, the property that some proposition
q should hold infinitely often if some other proposition p holds infinitely often
along a path, would have to be expressed by using nested temporal operators
(GFp = GFq) which is not allowed in CTL. However, a simple I 1,. of
fairness in which certain predicates must hold infinitely often along every fair
path can be easily incorporated to CTL.
CTL can be extended to represent fairness by iili. ii, the semantics and
introducing a set of CTL formulas fairness constraints that must hold in
finitely often along a path. Let M = (E, R) be a finite state I i, F be a set of
CTL formulas and p = (so, sl,...) be a path in M. We define inf(p) = {ss = si
for infinitely i,! i}. We that p is fair iff for every formula f E F there is
a state s E inf(p) such that s = f. The semantics of fair CTL formulas differs
from that of simple CTL formulas in that quantification is now made over fair
paths exclusively.
In addition to fairness, some properties of concurrent , ii, require that
the I ii start in some set of initial states. In fact, in most of the work on
CTL and Model ('I! :I i initial conditions and fairness are considered as part
of the  1 I I, Thus, a formula f is true in  1. Ii, M iff it is true in all the
initial states of the  , i i considering only fair paths. Since we often refer to
properties of a 1 i i with and without restrictions, we found more convenient
to consider a restriction of fairness or initial condition as part of the property
itself.
To introduce fairness and initial condition restrictions on CTL formulas we
add a restriction index r to the satisfaction i1 .1.1 [. Let f be a CTL formula,
M = (Z, R) a  1 i! and r = (I, F) where I is a CTL formula (initial condition)
and F is a set of CTL formulas (fairness constraints). Then,
Ml rf (Vs:: M, s I = f)
where the quantification in f is made over fair paths with respect to F. In the
rest of the paper we will use this semantics of formula satisfaction. For ',i, i 
we will use = to represent the special case (true,{true}).
3 Composition and Computation Tree Logic
In this section, we identify CTL formulas as compositional properties. I ii 1, we
define , 11, composition. Then, we prove some useful lemmas about compo
sition. In most of the proofs, we use the notation described in [3]. In Section
3.3 we identify certain existential, universal and guarantees properties that can
be expressed using CTL.
3.1 System Composition
In this work, we are using the notion of in 1i!, i!!, parallel composition of
two  I i M and '. At ;,~i time, at most one of the process will move from
a state to the next. The first of the two conditions defined below represents a
transition of  I. i, M in which ,i!! subset of the atomic propositions in the
set E' E (e.g., the set of nonlocal variables of .l) remains the same after
the transition. The second condition represents a transition of .I '. Thus, ;,!!
transition from M or .I/' is included in the transition relation (R*) of the com
posed  I. ii This notion of composition is powerful enough to represent, for
example, i !!!i 1!!. .. .,L concurrent execution of several processes in a network.
Let M = (S, R) and ./' = (E', R) be two I, i The composition of M
and ', denoted by:
Mlo I'
is the tuple:
(EU E',R*)
where R* is the smallest reflexive relation 1 i f !i ,_ the following two conditions:
1. If (s, t) E R and r E 2('Z") then (s U r, t U r) E R*
2. If (s', t') E R' and r' E 2""') then (s' U r', t' U r') E R*
The next example shows the composition of two  1 i! (1 ,oii 1). Let
M = (, R) and ./' = (E', R'), where:
E = {}
= {y}
R = {(0, {x}),({x},,, ({x}, {},),(0,,'}
R' = {(0, {y}),({y}, ({y}, {y}), (0,}
Then, M o = (E*, R*), where:
.E* = {x,y}
R* = {(0, {), ({},, ({y}, {x,y}),({,y}, {y}),
(0, {y}), ({y}, (, ({}, {x, y}), ({x, y}, {x}),
(0,. ({x}, {x})({y}, {y})({x,y}, {x,y})}
M: M':
( f X c
1 1: Example of composition
I !,.II 1: Example of I i. i composition
3.2 Lemmas about Composition
In this section, we prove some useful lemmas about the composition operation.
We use these results in the application of the compositional theory to CTL.
Lemma 1 o is commutative and associative.
Lemma 2 1!b transition relation of the composition of two ',,i ..'r with the
same set of atomic propositions is the union of the transition relations of the
(E, R) o (E, R') =(, RU R')
Lemma 3 For given E, (Z,I) is the ",1 ,.'1 element under the composition
operator.
(E, R)o( (, I) =(, R)
When proving properties of composed . i it is often necessary to expand a
 I i i ove a certain set of atomic propositions. The expansion of a  , 1 1 M =
(Z, R) over a set of atomic propositions Z' is a  I' i with atomic propositions
in E U E' and that never modifies atomic propositions in E' E. Formally, the
expansion of the ,I 11 M = (Z, R) over the set of atomic propositions E' is
the  , i, (M o (', I)), where I is the i1. I !lI relation. The next two lemmas
establish important properties of the expansion. Lemma 4 establishes that the
SI, i resulting from composing the expansions of two I, iI over the set
of atomic propositions of each other is equivalent to the 1 ii, resulting from
composing the two original  Ii, I Lemma 5 establishes that i~, property of
the  1 i, is also a property of the expansion.
Lemma 4 1!. composition of two t,!,". .. is equivalent to the composition of
their expansions over each other's set of atomic propositions.
M o = (MIo(Z',I))o (.l' o (E,I))
The following lemma establishes a very important result in the application of
the compositional theory to CTL. Namely, we can expand a , iI, using an
extended set of atomic propositions which includes environment variables.
Lemma 5 A A,!.... M = (XE,R) can be expanded over a set of atomic propo
sitions E' without i... I'f,' ,its properties. F',., "1 .i,,. for ....I CTL formula
f in (X) and a CTL structure M:
M f (M o(E',I)) f
Lemmas (6) and (7) are important in our theory because they establish equiv
alences between properties expressed by CTL formulas and properties of the
structure of the finite state 1. 11 In particular, Lemma 6 is useful in proving
that an important I I of If; property is universal.
Lemma 6 Let M = (E, R) and f,g be two propositional formulas, then
M (f = AXg) (Vs :s f:(Vt:R(s,t):t g))
Lemma 7 Let M = (Z, R) and f,g be two propositional formulas, then,
M = (f = EXg) (Vs:s f:(3t:R(s,t):t g))
Lemmas (8) and (9) establish that an expanded  1. i preserves the truth value
of propositional formulas over local variables of the environment.
Lemma 8 Let M = (E, R), p, q be propositional formulas over the set Z and
p' be a propositional formula over the set of nonlocal variables of M, (A _ ),
for some set of atomic propositions Z'. I .
(MA p = AXq) = (MIo(Z',I) pAp' = AX(qAp'))A
(Ml p = EXq) (o (E', I) pA p' = EX (qA p'))
Proof
Let M o (Z',I) = (Z U Z',R*). Since R* is the smallest relation ,lif in._ the
composition conditions, ;,~ transition in R* either comes from a transition in
R or from a transition in I. Then, for all s* and t* such that R*(s*, t*):
(Vr: r E 2Z ' : r C s* = r C t*) V s* = t*)
Then, every pair of states (s*, t*) in R* have the same set of atomic propo
sitions in Z' Z. Since p' is a formula in (Z' Z), every transition in R*
preserves the truth value of p'. That is,
(Vs*, t* : R*(s*, t*) : s* = p' = t* =p')
== {Lemma 6}
(M o (Z', I) p p' AX p')
= {(M p = AXq) = (MZo(X',I) p = AXq)}
M o(X',I) pAp' = AX(qA p')
Then, the first i .. ,ilm l of the theorem is true. Next, we prove the second
one,
(M o (Z', I) b p' = AXp')
=> {(M =p = EXq) = (Mo(E',I) p == EXq)}
MAo(E',I) pAp' = EX(qAp') 0
Lemma 9 Let M = (Z, R) and p, q be propositional formulas over the set
Z and p' be a propositional formula over C(E' E) for some set of atomic
propositions E'. I !. .
(MA p AXq) = (MAo (Z', ) (pVp') A AY(q Vp'))A
(M p : EXq) ( (Mo (Z',I) (pVp') EX(q Vp'))
Proof
By Lemma 8, making = q = true, we get Mo (Z', I) (p' A AXp'). Since
M A p == AXq, the expansion M o (Z',I) satisfies p : AXq as well.
Therefore, M o (Z',I) (pV p') = AX (p Vp'). A similar reasoning can be
used to prove that M o ("',I) = (pV p') = EX(p V p') O
Lemma 10 Let M = (, R) and /' = (E',R') be two ..... such that
Z C E' and let p be a propositional formula in C(E). 1!,,. for all states
s E 2 and s' E 2' such that s = s' n E:
M,s a p= !',s' pp
Proof
By induction on the structure of p. Let s E 2, s' E 2" be ;i two states such
that s = s' n E. There are three cases to consider:
Case 1 (basis): Ifp is an atomic proposition (p E S)
M,s p
= {def. of formula satisfaction}
pEs
S{s= s' n and p E S}
pE s'
S{def. of formula satisfaction}
/ !',s I p
Case 2: If p is of the form pi A P2, then,
M,s p
M, s pl A p2
M, s pi A M, s P2
S{inductive 1I "'l!' }
I!', s' p, A .l', P2
I ', s' pi Ap2
Case 3: If p is of the form pl, then,
M,s p
M, s 7hp
n(M, s pi)
= {inductive 11'  l i}
((l S',s' pi)
I!',s' pO
.l/',S' p D
Note that since p is a lil..1.._ (i.e., p is true for all interpretations of
variables in ), if p E (Z ) and E C E', then M k p = ./' ~ p.
The next lemma establishes that strengthening the fairness constraints pre
serves an important I I" of f. I property.
Lemma 11 Let M = (Z, R) and r = (true, F) where F is ..., set of fairness
constraints. 1. ..,
M l (f = AXg) = r M (f AXg)
Proof
M h (f => AXg)
= {definition of AX}
(Vs : s f : (Vp = (so, 8l,...) : s = so : p = Xg))
> {the set of all paths includes the set of fair paths}
(Vs : s = f : (Vp = (so, s1,...) : s = so A p is fair : p = Xg))
M r (f = AXXg) O
3.3 Reasoning about Program Composition
In this section, we apply the theory of program composition to CTL by charac
terizing some CTL formulas as universal, existential and guarantees properties.
As we mentioned before, universal properties hold in a i 11, if they hold for
all components, while existential properties hold in a  I 11i if they hold for ;, i
component. Let f be a CTL formula, if f represents an existential property,
then for;, i two 1. i,. M and .I', M r f = Mo.' r f. If f represents
a universal property, then M r f A I' r f : M o .I' rM f. Guarantees
properties express restrictions on the entire  1 11i in order for the component to
guarantee a particular property. If a component M satisfies a guarantees prop
Si =rf guarantees r' g, then for; .! .1/', Mlo.\l' = f => Mo.\l' ',, g.
In contrast to 11i i formulations of traditional relyguarantee specifications,
the meaning f guarantees g is not that if the environment has property f,
then the composed I 11i has property g but that if the composed 1 11 has
property f, then the composed  I. i has property g. Since the composition
operation is associative and commutative, guarantees properties are themselves
existential. Thus, a guarantees property holding for a component is immediately
inherited by ;,i!  1. i! that contains the component. If we know that some
 1 i, has a guarantees property, we just have to prove the left part of this
guarantees property holds for the entire . ii, in order to conclude that the
right part must hold. This is helpful if the left side is much easier to prove than
the right. If possible, we formulate the left side as a combination of existen
tial and universal properties, thus allowing complete compositional verification.
Guarantees properties are based on ideas originally proposed in [8]. Universal
and existential properties were described in [1].
Next, we characterize several properties as universal or existential. While
we do not make ;i claim of completeness, this set of rules is itl!h I! for our
case study. In the following, we assume that p and q are propositional formulas
(i.e., atomic propositions or boolean combination of atomic propositions). The
value of a CTL propositional formula depends only on the atomic propositions
that hold in the state.
Rule 1 Let r = (I, {true}), 1 I r p is an existential J,,,r ,' i i',, ,i,.
for ....., M and . ',
(M r ) = (Mo rP)
Proof
Let M be a finite state . i, Then,
M rP
I {def. of r}
M (I p)
= {since (I = p) is a propositional formula,
Mol (I = p)
Mo .l' irP 0
Rule 2 (p =' AXq) is a universal p,'r, p i
l ':;
by Lemma 10}
F,.,, ,,' ,,1 .,. for ....., M and
M = (p = AXq) A. ~ p = AXq)
Mo I!' (p =a AXq)
Proof
Let M = (Z,R), = (Z',R'), MA = M o (Z',I) = (E U E,,Ri
l' 0 (,I) = (U E', R2), and Ml o M2 = (E*, R*) (E U.E, R, U R
M (p =m AXq) A ./' (p = AXq)
=> {Lemma 5, All and A2 are the expanded l. i of M and .1
MAl (p = AXq) A M 12 (p = AXq)
S{Lemma 6}
(Vs: AI, s p : (Vt : R, (s, t) : A1, t q)) A
(Vs : 2, s p : (Vt : R2 (s, t) : A2, t
By Lemma 10,
(Vs : AI o 112,s k p: Mi, s pA M2,s k p)
= {predicate calculus and formula (1)}
(Vs: a oM2,s p:
(Vtl : Rl(s, t) : : 1,t(, q) A :R2(8,t2): Al2,t2 q ))
= {Lemma 10}
(Vs : a oM2,s P:
(Vit : Rl(s,,tl) : M o 12,tI = q) A ( R'i : R2(s,tl) : Al1 o A2,t2
= {predicate calculus}
(Vs : AlM o A 2,s p: (Vt: R, (s, t) V R2(s, t) : M, o 2,t q))
{R* R U R2}
(Vs : All o 2,s A p: (Vt: R*(s, t) : All o AM2,t [ q))
S{Lemma 6}
MA o M2 (p : AXq)
S{Lemma 4}
M o .' [ (p = AXq) O
), A2 =
2). Then,
'}
q)) (1)
q))
Rule 3 (p ==~ EXq) is an existential 1'.'"!" .'.i, Fi, ,I, l l,,. for ..... M
and .1/ :
M l (p = EXq) = Mo .! (p = EXq)
Proof
Let M = (, R),. = (E', R'), M = M o (E', I) = (E U E', R), Al2 =
.l!'o (,I) = (EU ',R2), and l o M2 = (E*,R*) = (EU ',RI U R2). Then,
M (p = EXq)
{Lemma 5, M1 is the expanded , i!i of M}
Mn (p = EXq)
{Lemma 7}
(Vs : 1i,s I p : (3t : R,(s, t) : M, t q ()) (2)
By Lemma 10,
(Vs : M1 o M, a p P: Mi, s [ P)
= {predicate calculus and formula (2)}
(Vs: M o M2,s p: (3t1 : Ri(s, t) : Mi,t t q))
=> {Lemma 10}
(Vs : AM o A2, s p : (3t1 : Rl(s, l) : aM o Al2, t q))
S{RI C R *}
(Vs o 2,s~ p: (3t : R*(s,t) : Mi o M2,t q))
S{Lemma 7}
AM o 1A I (p EXq)
S{Lemma 4}
Mo I' (p : EXYq) O
The next rule is useful in proving progress properties of 1. i, using weak
fairness assumption. We identify a helpful component M [4] that has a transition
that is always enabled. Then, if the entire 1. 11 never disables this transition
and the scheduler provides weak fairness, that is, every transition continuously
enabled is eventually taken, then M eventually takes the transition. Note that
the helpful component (.Il) guarantees the existence of at least one fair path
that satisfies p = E(p U q).
Rule 4 Let M = (Z, R) such that M A (p =: EXq) and let r
q}), then M satisfies the guarantees property:
(true, {ipV
(p => AX(pV q))
guarantees
r ((p = A(p U q)) A (p E(p U q)))
,/., ',,,, ..il,. let r = (true, {p V q}), then for ..A..M = (Z,R) and .1
(E', R'):
M (p => EXq) A M o ~,
(p =m AX(pVq))
M o _ Cr" (p => A(p U q)) A M o .' Cr" (p = E(p U q))
Proof
Let p =(so,sl,...) be a fair path in M o .l' such that so [ p. Assume
M o .' p == AX(p V q). We can prove by simple induction on the length
of prefixes of p that:
p (G(q) =a G(i.)
= propositionall logic}
p ((G(q) =a G(j. AG(q))
= {temporal logic}
p = (G(q) a G(p A q))
Since G(p A q) contradicts the fairness constraint, namely, si (p V q)
for infinitely i 1, i! i. Then, if p is fair, p k G(q) is false. That is,
P Kr G(q)
= {temporal logic}
p r Fq
= {p (G(q) = G(.') }
P lr (p U q)
S{this is true for all paths p in M o such that p r, p}
Mo.l' r (p = A(pUq))
It is easy to see that r p = E(p U q) also holds in the  . i because
p == EXq holds in M and it is an existential property O
The previous rule requires that the environment does not disable the tran
sition responsible for the progress property. This might be a strong limitation
in :''l' ill the rule to !, iii~ real life I. i! The next rule relaxes this re
striction by allowing the environment to disable the transition provided that it
will enable it later. Using a strong fairness assumption, the helpful process will
eventually execute the transition if it is enabled infinitely often.
Rule 5 Let M = (, R) be a finite state "!, ... p,p,2, ... ,p,q,q propositional
formulas over Z such that p = Vp Vp2 V... Vp, and r = (true, {fipV q}). 1
if M pi == EXq for some i, M satisfies:
Sp = A AX(p q) A (Vj :: pj = EFpj)
guarantees
r ((p = A(p U q)) A (p = E(p U q)))
M o I' (p = AX(p V q)) A (Vj :: M o pj = EFpj)
M o ' rC ((p = A(p U q)) A (p E(p U q)))
Proof
The proof is very similar to the one of Rule 4. Let p = (so, Si,...) be a fair path
in M o .l' such that so p. We can prove by simple induction on the length
of prefixes of p that:
p (G(q) =a G(,.)
_ propositionall logic}
p (G(q) = G(!' A G(q))
= {temporal logic}
p = (G(q) = G(p A q))
The previous statement contradicts the fairness constraint. Furthermore,
there is always a path from ;, i, state f ;i_ p to a state p 11 f 11 pi (p
EFpi), and there is a transition from this state to a state rif i,_ q. Then,
P [r rG(q)
= {temporal logic}
P rFq
=< {p (G(q) =a G6O.') }
P r (P U q)
= {this is true for all paths p in M o such that p 1r p}
Mo.l F r(p = A(pU q))
It is easy to see that r p = E(p U q) also holds in the , i, because
for each j, there is a path from a state 6ilf il,_ pj to a state il;f" i, pi and
Pi == EXq is an existential property that holds in M O
1 ,,i. 2 shows an example of a  i! i which requires a strong fairness
assumption to satisfy the progress property r (p = A(p U q)), where
p = pi V p2 V p Vp4 V p5 V p and r = (true, {p V q}).
I !,, .! 2: System requiring strong fairness to get to state q
3.4 Applying our Results to any Finite State System
In the following section, we apply our theory to the verification of a case study.
An important issue to consider at this point is that we developed our theory for
 I. i! the variables of which were boolean (atomic propositions). This would
be a very strong limitation for the application of our theory to software 1. 11 
in general. However, because we are dealing with finite state  l. i we can
model :I,  I. i, using boolean variables only.2 For example, a I. i,1 with
an integer variable x that can take on ,i!i value in the set {0, 1,2, 3} can be
modeled with a  . i i M = ({xo, x }, R). Each value of x can be mapped to a
pair of values of 0o and xz. The transition relation R preserves the transitions
of the original .I 11 1 i ,oi, 3 shows an example of such mapping.
xo=00 xo=1
x=0 x2 x=01 x1 =0
xo=0 xo01
= x=1 1 x1 =1
Original System M
1 ,!,. 3: Modeling a  , 11i with boolean variables
We see that i,! propositional formula f over x can be mapped to a propo
sitional formula f' over {zo,, z}, such that f holds in the original I. i if and
only if f' holds in M. For example, the propositional formula (x < 2) is mapped
to the formula (zo). Therefore, a formula of the form p = AXq, where p
and q are propositional formulas (e.g., they do not mention I temporal op
erator), is a universal property. We see, then, that we can apply our theory to
:i, finite state * . 1i
In the following sections, we will assume that a mapping from the finite state
i. 1 to a * 1. i1 with boolean variables is performed automatically by the
model checker.
4 Case Study: Cache Coherence Protocols for
Distributed Systems
In this chapter we apply our theory to the verification of the components of a
 ii using the Andrew I I!. System's cache coherence protocol (AFS).
In a distributed  1. i,, I!. servers store !tI. that can be accessed and
modified by clients with the proper permissions. In ii, I cases, the use of local
2In fact, symbolic model checkers perform this transformation automatically.
(cache) copies of those It!i by the clients increases performance, ;, i 1 ,ii and
reliability in case of failures. However, the use of these cached copies imposes
a new problem. It might happen that several clients have copies of the same
i!It and some of these copies might have been modified, causing the copies to
be different. This problem is known as the Cache Coherence Problem. When a
client has the most recently modified copy, the copy is valid; otherwise, the copy
is invalid and must be discarded. Cache coherence protocols, in general, deal
with this problem in two different ways. The client might request a validation
of its copy (validation based), or the server might request an invalidation of the
client's copy (invalidation based).
A cache coherence protocol allows a set of interactions (runs) between the
server and the clients such that only !il. that are considered valid by the server
are considered valid by the clients (the opposite is irrelevant). When a run
starts, a client might have the ti!. already stored locally, but it does not know
whether the !i !. is valid. Therefore, the client suspects that the !i1. is not valid.
It might also happen that the t!l. is not locally stored. During a run, clients
and server communicate through messages that make them change the beliefs
about the !i!. in question.
4.1 Andrew File System Cache Coherence Protocol 1
In this section, we describe an abstraction of the Andrew I i!. System 1 (AFS1)
as presented by Wing and Vaziri [9]. We include only the parts of the compo
nents involved in the protocol, and we !i' no attention to the i! i themselves
or ;oi other function of the components. Furthermore, we only describe the
interaction of one client and the server with one t!d Since we are model check
ing only the parts of the components involved in the protocol, we assume that
all the clients have the same behavior, so we can generalize our results for one
client to an arbitrary number of clients. We are modeling the communication
between the server and the client with a shared variable. We also assume an
interleaving semantics of composition, that is, at most one component executes
at a time, which is compatible with our definition of composition.
The server and the client have a local variable '., 1'. f that represents what the
component believes about the current status of the It!i Server's variable '., V', f
might have some value from the set {valid, invalid none}. The server's belief is
valid if the server believes that the !tI. cached at the client is valid, invalid if
the server believes it is not valid,3 and none if the server has no belief about
the tId. The client's variable '., ', f ranges over the set {suspect, .,,;1. valid}.
The client's belief is suspect if the client holds a copy of the t!d but it has no
information concerning whether the t!!. is valid. The client's belief is .....1, if
the til, is not stored at the client. The client's belief is valid if it believes that its
copy is valid. The server and the client communicate through a shared variable
re (request/response). Requests from the client to the server range over the
I i. details on how the server detects that a file is valid or invalid are not included in the
abstraction.
set {fetch, validate}. the client's request is fetch when the client is requesting
a ti!. either because it does not have a copy or its copy is invalid. The client's
request is validate when the client has a copy of the i!I. and is asking the
server to validate the copy. Responses from the server range over {val, inval}.
The server's response is val when the server believes that the client's copy is
valid and inval otherwise. A null value in the shared variable re represents the
fact that a run has not started yet. To save some space, we use the notation
valuee, value2) to denote the state (', I', f = value A re = value2.
The protocol works as follows: The initial states of the client are (suspect,null)
or ( .. ;1 ..., l) depending on the client's initial belief about its copy. The initial
state of the server is (none, null). Then, the client requests the ti!. (re = fetch)
or a validation (re = validate). If the client requests a I.. the server sends the
i!. and indicates that the copy is valid (re = val). Then, the client changes its
belief to valid. If the client requests a validation, the server might respond with
(re = valid) or (re = invalid) depending on the server's belief about the client's
copy. If the client's copy is invalid, the client discards its copy and starts a new
run. Otherwise, the client changes its belief to valid and the run ends. I ,,.. 4
shows the state transition graphs for the server and the client.
Server fetch
Client
1 1i. 4: '1 I , transition graphs for AFS1
4.2 Specification of AFS1
The AFS1 cache coherence protocol exclusively allows runs in which the client
believes that a cached I. is valid only if the server believes that the client's copy
is valid. All these runs start from a state in which the client suspects that its
copy is valid or it has no ti!l This property can be expressed with the formula:
r AG(('!i. I I, I, f = valid = Serve i 1' I f = valid) (Afsl)
where r = (I, F) and
I = Serve I '.f = none A
(('I!. mI 11 f = ....il, V ('l. I i./ f = suspect) Ar = null
F = {true}
We see that (Afsl) is satisfied trivially by a I' in in which the client never
believes that its copy is valid. A liveness property is needed 1,, irf i;1 that
every run starting from a valid initial state will eventually end in a state in
which the client believes that its copy is valid. This property can be expressed
with the formula:
[r AF(('!i. i I valid) (Afs2)
Where r = (I,F), I was defined before and F contains all the fairness
conditions necessary for the server and the client to eventually execute the non
stuttering transitions.
4.2.1 Server Specification
Once the server believes that the client's copy is valid, its belief does not change
during the rest of the run:
'., I. f = valid = AX (' I ', f = valid) (Srvl)
The server response is val only when the server believes that the client's
copy is valid:
(re = val = I., f = valid) = AX(re = val '.. f = valid) (Srv2)
The server does not change its responses:
re = null = AX(re = null)A
re = val = AX(re = val)A (Srv3)
re = inval = AX (re = inval)
The only possible response for a fetch request is val. Also, the only possible
responses for a validation request are val or inval:
(re = fetch) = AX(re = fetch V re = val)A
(none, validate) = AX ((none, validate) V (valid, val) V (invalid, inval))
(Srv4)
The server guarantees that all the client's requests are satisfied, provided that
the server's responses are the only subsequent actions allowed by the  , 11i
(re = fetch) = AX((re = fetch) V (re = val))A
(none, validate) = AX ((none, validate) V (valid, val) V (invalid, inval))
guarantees (Srv5)
r (re = fetch) = A((re = fetch) U (re = val))A
r (none, validate) > A((none, validate) U ((valid, val) V (invalid, inval)))
where r, the restriction operator, contains the fairness conditions that discard
the infinite stuttering allowed by the left side of (Srv5).
4.2.2 Client Specification
The client does not change its belief to valid if the server's response is not val:
('., V, f # valid A re 4 val) = AX ('., f 4 valid A re 4 val) (Clil)
The client does not change its requests:
re = fetch = AX(re = fetch)A
re = validate = AX(re = validate) (Cli2)
The following properties establish the legal moves of the client. For example,
at the beginning of a run ( .... il null) the only possible transition is for the client
to request a copy of the ti!I ( .... i fetch):
(....l,; null) = AX(( ....l, null) V (.... l fetch))A
(.... ., fetch) = AXY(( .... fetch) V ( .... val)A
( .... l val) = AXY(( .... l val) V (valid, val)A
(suspect, null) = AX ((suspect, null) V (suspect, validate))A
(suspect, val) = AX((suspect, val) V (valid, val))A
(suspect, inval) AX ((suspect, inval) V (.... 'l null)) (Cli3)
The client guarantees that every run that starts in the state ( ....i. null)
will end in a state r if 1_ !,, f = valid if the server always sends the copy
of the t! i when needed and the , it allows only legal moves:
( .... l null) = AX(( ....l, null) V ( ....l fetch))A
r ( '.... fetch) : A(( ....l, fetch) U ( ....l. val))A
( .../1, val) A AX (( .... val) V (valid, val)
guarantees (Cli4)
r ( .... l null) = AF('.,7 f = valid)
where r, the restriction operator, contains the fairness condition (re # fetch V
re = val) in addition to the fairness conditions that discard the infinite stutter
ing allowed by the left side of (('!! li
The client guarantees that every run that starts in the state (suspect, null)
will end in a state ,lif ii_ r ,, 1f = valid if the server always validates the
copy of the ti!. when needed and the  , i i allows only legal moves:
(suspect, null) = AX ((suspect, null) V (suspect, validate))A
(suspect, val) = AX((suspect, val) V (valid, val))A
(suspect, inval) = AX ((suspect, inval) V ( .... i null))A
r (suspect, validate) = A((suspect, validate) U (suspect, val V inval))
guarantees (Cli5)
r (suspect, null) = AF('I. I' f = valid)
where r, the restriction operator, contains the fairness conditions that discard
the infinite stuttering allowed by the left side of (Cli5).
4.2.3 Composing the System
From property (Srvl) of the server and ('!. !I I. / f nonvisible, the expansion
of the server satisfies:
(('!. !i I /l f # valid V Serve i 1, ', f = valid) =
AX(('!!. !I / ., f f valid V Serve i 1.' f = valid)
From property (Srv2) of the server and the property above, we see that the
expansion of the server satisfies:
(('I I = valid = Server.b = valid)
AX(('I!. !LI = valid = Serve i 1 I' f = valid)
Using the server property (Srv2) and the equation above, we get:
(('. !I / f = valid = Serve i 1'.f = valid)A
(re = val = Serve i 1., ', = valid)
AX((('I. !I i, / f = valid = Serve i 1.. '.f = valid)A
(re = val = Serve i 1, '. = valid))
in the expansion of the server. From property (Clil) and the fact that Serve i 1 1 f
is nonvisible to the client, we can prove that the expansion of the client satisfies
the above property as well. Since this property is universal, the entire  I, i
satisfies it. If we define the initial state I as:
Server.. 1., f = none A (C( ~ /, f =.....i, '
( /, ;i /, I f = suspect) A re = null
we see that the property:
(('! I. i, / f = valid = Serve i ,. I',. = valid)A
(re= val t Server.belief = valid)
holds initially and is never falsified by the I, i, That is, it is an invari
ant of the I. Since this invariant implies ('! .I I t,/ f = valid
Serve i 1., ', = valid, we conclude that (Afsl) holds in the entire  I. i,
From property (Cli2) and tha fact that Serve i 1. 1' f is nonvisible to the
client, we see that the expansion of the client satisfies the left part of (Srv5).
From property (Srv4), we also see that the server satisfies the left side of (Srv5).
Since the left side of (Srv5) is universal, the right side of (Srv5) holds in the
By property (Srv4) and the fact that ('I!. !I /w f is nonvisible to the server,
we see that the expansion of the server satisfies the property:
(....l. fetch) = AXY(( ....i, fetch) V (....l. val))
The above property also holds in the client (Cli3). Combining this property
and the right side of (Srv5), the I l, !, satisfies:
(...I, fetch) = AXY((i....l, fetch) U (....l. val))
where r = (true, {r f fetch V r = val}).
From property (Cli3), the client satisfies the first and third ..! ill, I on
the left side of (('!! 1, The expansion of the server also satisfies these proper
ties (Srv3). Since these properties are universal, the entire l, i! satisfies the
left and right sides of (('!i Il
Similarly, properties (Cli3) and (Srv3) satisfy the first three. .~i, lij I of the
left side of (Cli5). Unfortunately, the right side of (Srv5) does not imply the
fourth !.i!iin I on the left side of (Cli5). However, if we introduce the initial
condition I = (re = validate = Serve i 1. I. = none) in the restriction
operator r, the expansion of the client satisfies the property:
(suspect, null) = AX ((suspect, null) V (suspect, validate))A
(suspect, val) = AX((suspect, val) V (valid, val))A
(suspect, inval) = AX ((suspect, inval) V ( .... i null))A
r (suspect, validate) = A((suspect, validate) U (suspect, val V inval))
guarantees (Cli5')
r (suspect, null) = AF('., I' f = valid)
where r, the restriction operator, contains the initial condition I and the the
fairness conditions that discard the infinite stuttering allowed by the left side
of (Cli5').
I ii III, combining the right sides of (Cli4) and (Cli5), we see that the entire
I ii satisfies property (Afs2).
4.2.4 Model Checking the Components of AFS1
In this section we show the implementation, specification and output of model
checking the components of the AFS1. Note that guarantees properties cannot
be model checked; instead, we are using Rule 4 and model checking the CTL
formulas that imply those guarantees properties. i ,!ii. 5 to 10 show the ., IV
code and output of model checking the AFS1.
 SMV implementation of the server in the AFS1
MODULE main
belief : {none,invalid,valid};
r : {null,fetch,validate,val,inval};
validFile : boolean;
ASSIGN
next(validFile) := validFile;
next(belief) :=
case
(belief = none) & (r = fetch) : valid;
(belief = invalid) & (r = fetch) : valid;
(belief = none) & (r = validate) & validFile: valid;
(belief = none) & (r = validate) & !validFile: invalid;
1 : belief;
esac;
next (r)
case
(belief = none) & (r = fetch) : val;
(belief = invalid) & (r = fetch) : val;
(belief = none) & (r = validate) & validFile : val;
(belief = none) & (r = validate) & !validFile : inval;
(belief = valid) & (r = fetch) : val;
1 : r;
esac;
I [,,i.. 5: Implementation of the server of the AFS1
4.3 Andrew File System Cache Coherence Protocol 2
In the Andrew I i!'I System Cache Coherence Protocol 2 (AFS2), clients might
update their copies and detect failures in the  1. i The protocol is based on
callbacks [6]. When the server sends a copy of a t!l. to some client, it promises
to notify that client if the t!l. is ever updated. That is, it establishes a callback
for this client. On the other side, the client updating the copy sends a message
 Specification of the Server of the AFS1
 Srvl
SPEC (belief = valid) > AX(belief = valid)
 Srv2
SPEC (r = val > belief = valid) >
AX(r = val > belief = valid)
Srv3
SPEC r=null > AX r=null &
r=val > AX r=val &
r=inval > AX r=inval
Srv4
SPEC (r=fetch > AX (r=fetch r=val)) &
(r=validate & belief = none) >
AX ((belief = none&r=validate)
(belief = valid&r=val)
(belief = invalid&r=inval))
Srv5
SPEC (r=fetch > EX (r=val))&
(r=validate & belief = none) >
EX ((belief = valid&r=val)
(belief = invalid&r=inval))
1 ,,.11 6: Specification of the server of the AFS1
rain:3% ./smv serverafslc.smv
 spec. belief = valid > AX belief = valid is true
 spec. r = val > belief = valid > AX (r = val... is true
 spec. r = null > AX r = null & r = val > AX ... is true
 spec. (r = fetch > AX (r = fetch Ir = val)) ... is true
 spec. (r = fetch > EX r = val) & r = validate... is true
resources used:
user time: 0.0333333 s, system time: 0.0833333 s
BDD nodes allocated: 403
Bytes allocated: 1245134
BDD nodes representing transition relation: 43 + 7
I 1 !. 7: Output of model checking the server of the AFS1
 SMV implementation of the client in the AFS1
MODULE main
r : {null,fetch,validate,val,inval};
belief : {valid, suspect,nofile};
ASSIGN
next(belief) :=
case
(belief = nofile) & (r = val) : valid;
(belief = suspect) & (r = val) : valid;
(belief = suspect) & (r = inval) :nofile;
1 : belief;
esac;
next(r) :=
case
(belief = nofile) & (r = null) : fetch;
(belief = suspect) & (r = null) : validate;
(belief = suspect) & (r = inval) : null;
1 : r;
esac;
1 . 8: Implementation of the client of the AFS1
1 i, i. 9: Specification of the client of the AFS1
./smv clientafslc.smv
belief != valid & r != val > AX (belief.
r = fetch > AX r = fetch is true
r = validate > AX r
belief = nofile & r =
belief = nofile & r =
belief = suspect & r
= validate is true
null > AX (belief...
null > EX (belief...
= null > EX (belie...
.. is true
true
true
true
resources used:
user time: 0 s, system time: 0.1 s
BDD nodes allocated: 330
Bytes allocated: 1245134
BDD nodes representing transition relation: 34 + 7
1 i,,wi. 10: Output of model checking the client of the AFS1
Specification of the Client of the AFS1
Clil
SPEC (belief!=valid & r != val) >
AX (belief!=valid & r != val)
Cli2
SPEC r=fetch > AX r=fetch
SPEC r=validate > AX r=validate
Cli3
SPEC (belief=nofile&r=null)>
AX((belief=nofile&r=null) (belief=nofile&r=fetch))&
(belief=nofile&r=fetch)>
AX((belief=nofile&r=fetch) (belief=nofile&r=val))&
(belief=nofile&r=val)>
AX((belief=nofile&r=val) (belief=vl idi.Jr= a Il))&
(belief=suspect&r=null)>
AX((belief=suspect&r=null) (belief=suspect&r=validate))&
(belief=suspect&r=val)>
AX((belief=suspect&r=val)l(belief=valid&r=val))&
(belief=suspect&r=inval)>
AX((belief=suspect&r=inval) (belief=nofile&r=null))
Cli4
SPEC (belief=nofile&r=null)>EX(belief=nofile&r=fetch) &
(belief=nofile&r=val)>EX(belief=va I.r= I I)
Cli5
SPEC (belief=suspect&r=null)>EX(belief=suspect&r=validate)&
(belief=suspect&r=val)>EX(belief=valid&r=val)&
(belief=suspect&r=inval)>EX(belief=nofile&r=null)
rain: 14%
 spec.
 spec.
 spec.
 spec.
 spec.
 spec.
to the server indicating that the ti has been updated. Also, a failure might
occur at ;,:i time during a run. The server and the clients detect failures and
change their beliefs accordingly.
The Andrew I !I. System cache coherence protocol 2 is basically an extension
of AFS1 in which failures and updates are handled explicitly. Initially, the client
believes that it has no copy or suspects that its copy is invalid. As in AFS1,
if the client believes that it has no copy, it requests a copy of the t!. (fetch).
The sender sends a copy and establishes a callback on that client. If the client
suspects that its copy is invalid, it requests a validation (validate). Depending
on the server's belief about the copy, the sender responds with val or inval.
However, an update might happen after a validation. In this case, the server
changes its belief to nocall and sends a message to the client indicating that
the t I. must be discarded. Also, a failure might happen in the  . i, during a
run. If a failure occurs and the client believes that its copy is valid, it changes
its belief to suspect and the server discards ;,i belief about this !1 I I,I. 11
shows the state transition graphs for AFS2.
Server
fetch
Client
1 I, i . 11: 'i ,.I transition graphs for AFS2
We model AFS2 with one server and n clients. The communication between
the clients and the server is modeled with the shared variables request and
response (1 < i < n). Variable request of client i contains the last request sent
by client i. the server's variable response contains the last response sent to
client i. Each client has a local variable '., I' f that is nonvisible to the server
and to the other clients. The server also has n local variables '., I', f that are
not visible to the clients.
4.3.1 Specification of AFS2
The specification of the AFS2 consists only of a fE I property (Afsl). This
property is similar to (Afsl) in AFS1. However, the invariant of AFS1 is not
true in AFS2 due to transmission 1. 1 , It might happen that the sender (in
a valid state) sends an inval message to some client that believes that its copy
is valid. During the transmission, the invariant of AFS1 is violated since the
client believes that its copy is valid while the server does not. Therefore, the
invariant for AFS2 must take into account this transmission 1. 1 , We model
the 1. 1 with the shared variable time. When the sender changes its belief
from valid to ;,~i other, it sends a message to all the clients that have a copy
of the t!. The sender also changes the value of time to true, representing the
fact that the allowed time for the transmission has not expired yet. When client
i makes a transition, it changes the value of time to false, indicating that the
time has expired. Thus, the next transition of client i must discard its copy and
change its belief to .. 1,'l
The f. I property of AFS2 considers the variable time as the upper bound
on the transmission l1. 1 Thus, if time is true, the allowed time for the
transmission has expired. The next property establishes that if the client i
believes that its copy is valid, then the server also believes that the copy is valid
or the time allowed for the transmission has not expired yet. For all i, 1 < i < n:
= AG(('!!. !! / ,/, f = valid = (Serve i 1 I. f = valid V timei)) (Afsl)
where r = (I, {true}) and I, the initial condition is defined as follows:
For all i:
('li. ,i t,/ ,f = ...l., V ('I , / f = suspectA
('I! !!I request = nullA
Serve i ,, 1' f = nocallA
Server.responsei = null
Property (Afsl) is neither existential nor universal. However, as we did in
(Afsl), we can establish an invariant that holds initially and is preserved by
all the transitions in the . i This invariant implies (Afsl). Let Inv the
property:
For all i:
('! ,I I I /, f = valid = (Serve i I ,f = valid V timei)A
Server.responsei = valid = Serve i ., 1' f = valid
We want to prove that Inv holds initially (I = Inv) and Inv is preserved
by all the transitions of the I. (Inv = AX(Inv)). If this is true, then
the , ii satisfies:
r AG(Inv) (Afsl')
Since (Afsl') = (Afsl), it is enough to prove that (Afsl') holds in the
4.3.2 Server Specification
For all the clients, either the server believes that the client's copy is valid or the
time allowed for the transmission .1 1 has not expired yet. For all i:
('., V, f = valid V timei) = AXY('.. ', f = valid V timei) (Srvl)
The server's response is val only when the server believes that the client's
copy is valid. For all i:
responsei = valid) = (', '" f = valid) (Srv2)
4.3.3 Client Specification
Each client i satisfies:
(('., If = valid = time) A response # val)
AX(('.1 1', f = valid = itime) A response f val) (Clil)
4.3.4 Composing the System
From server's property (Srvl) and the fact that ('I I '. / f is nonvisible to
the server, the expansion of the server over the set of the variables of the entire
I. II satisfies the following property. For all i:
(('I! !.1 I, / f # valid V '.. ', f = valid V timei)
AX((' !! I .. / f f valid V '.. I, f = valid V timei)
by predicate logic this property is equivalent to:
(('II. I .! Iw f = valid == (' I'. f = valid V timei)) =
AX(('I,. Ii .! / f = valid = ('.. I. f = valid V timei)) (Sl)
Combining (Sl) and the server's property (Srv2), the expansion of the server
satisfies:
Inv == AX (Inv)
where Inv was defined in section 4.3.1.
From property (Clil), the expansion of each client i over the set of variables
of the whole 1. 11 satisfies the property:
(('., ', f # valid V time) A response # val) =
AX (('.. I' f 7 valid V time) A response # val)
Since Serv i f1 I'. f is nonvisible to the client i, the expansion of the client i
satisfies:
(Serve i I'. f = valid V (('., I'. f 7 valid V time) A response # val))
AX (Serve i 1', f = valid V (('., I f 7 valid V time) A response # val))
It is easy to prove that this last property implies Inv = AX(Inv) in
the expansion of client i. Since this property is universal and holds in all the
expansions of the clients and the server, then the whole  I. i, satisfies it.
I i !! since I = Inv, we conclude that Inv is an invariant of the  , i1
and property (Afsl') holds.
4.3.5 Model Checking the Components of the AFS2
In this section we show the implementation, specification and output of model
checking the components of the AFS2. Note that guarantees properties cannot
be model checked; instead, we are using Rule 4 and model checking the CTL
formulas that imply those guarantees properties. I i,'.n 12 to 17 show the
I. !V code and output of model checking the AFS2.
5 Discussion
We have identified a subset of CTL properties as universal, existential and guar
antees properties. We have also applied these results to the specification and
verification of components of a case study. We used our theory to deduce prop
erties of the composed  I, i1 from properties of the components. Since the
properties required from the environment were identified as universal or exis
tential, we were able to isolate the properties needed from each component so
the proofs for each component could be done separately. Our goal was not to
simplify the proof of correctness of the  1. i in fact, the proof might have
been shorter had we done it in a noncompositional manner. However, we believe
that this approach can be useful when the intention is to deliver a component
which can be used in 1!!i I I! environments. Although our approach incurred
some overhead in the proofs, it allowed us to isolate the properties that each
component must provide so the potential customer of the component is only
required to check a simple set of properties. The idea is for the developer of the
component to take a greater part in proving correctness 1 i 1 to minimize the
effort of the users of the component. Although our intention was not to reduce
the '* i i.. .i of model checking the  . ii it is easy to see that this com
I 1' .i is reduced since we have a linear behavior (as opposed to exponential)
in terms of the number of components.
The theory is based on a subset of CTL. Is this ,L t!. i! i in practice? We have
been able to use our results in some case studies for which the  1 i i and the
SMV implementation of the Server of the AFS2
MODULE main
VAR
 variable declarations omitted (see appendix)
 we are showing the code for only one client
ASSIGN
next(validFilel):=validFilel;
next(beliefl):=
case
failure : nocall;
beliefl = nocall) & requestl = fetch) : valid;
beliefl = nocall) & requestl = validate) &
validFilel : valid;
beliefl = nocall) & requestl = validate) &
!validFilel : nocall;
beliefl = valid) & request2 = update) : nocall;
1: belief;
esac;
next(responsel):=
case
: null;
nocall) & requestl
nocall) & requestl
fetch) : val;
validate) &
validFilel : val;
beliefl = nocall) & requestl = validate) &
!validFilel : inval;
beliefl = valid) & request2 = update) : inval;
l:responsel;
esac;
next(timel):=
case
failure : 0;
beliefl = nocall) & requestl = validate) &
!validFilel : 0;
beliefl = valid) & request2 = update) : 0;
1: timel;
esac;
I ,,i 12: Implementation of the server of the AFS2
failure
beliefl =
beliefl =
SMV implementation of the Client of the AFS2
MODULE main
time : boolean;
request : {null,fetch,validate,update};
belief : {valid, suspect,nofile};
response : {null,val,inval};
failure : boolean;
ASSIGN
next(belief):=
case
(belief=nofile)&(response=val): valid;
(belief=suspect)&(response=val):valid;
(belief=suspect)&(response=inval):nofile;
(belief=valid)&failure:suspect;
(belief=valid)&(response=inval):nofile;
1:belief;
esac;
next(request):=
case
(belief=nofile)&(response=null):{fetch,null};
(belief=suspect)&(response=null):{validate,null};
(belief=valid)&(failure):null;
(belief=valid)&(response=inval):null;
(belief=valid)& (response!=inval):update;
1:request;
esac;
next(time):=
case
(belief=nofile)&(response=val): 1;
(belief=suspect)&(response=val):1;
(belief=suspect)&(response=inval):1;
(belief=valid)&failure:1;
(belief=valid)&(response=inval):1;
1:time;
esac;
1 ,oL!. 13: Implementation of the client of the AFS2
Specification of the Server of the AFS2
 Srvl
SPEC beliefl = valid !timel) >
AX beliefl = valid !timel)
Srv2
SPEC responsel = val > belief = valid) >
AX(responsel = val > belief = valid)
,1 .i 14: Specification of the server of the AFS2
rain:34% ./smv ./serverafs2.smv
 spec. belief = valid !timel > AX beliefl ... is true
 spec. response = val > belief = valid > AX... is true
resources used:
user time: 0.0666667 s, system time: 0.05 s
BDD nodes allocated: 2737
Bytes allocated: 1245134
BDD nodes representing transition relation: 1145 + 6
1 ,.i . 15: Output of model checking the server of the AFS2
Specification of the Client of the AFS2
Clil
SPEC ((belief=valid > !time) & response != val) > AX
((belief=valid > !time) & response != val)
,1 i,,. 16: Specification of the client of the AFS2
rain:35% ./smv ./clientafs2.smv
 spec. (belief = valid > !time) & response != ... is true
resources used:
user time: 0.0666667 s, system time: 0.0333333 s
BDD nodes allocated: 592
Bytes allocated: 1245134
BDD nodes representing transition relation: 120 + 6
1 ci. 17: Output of model checking the client of the AFS2
components' specifications (CTL formulas) matched our rules. Unfortunately,
not all the properties can be specified in this form. In fact, not all the possible
properties can be expressed in CTL. There are more expressive logics such as
CTL*, but the model checking algorithms for this kind of logics are much more
complex. However, for a broad class of  1. I important if'. properties can
be expressed using their basic form, namely AGp for some propositional formula
p. The intuitive idea behind this I I " of property is that no component will go
to a state that violates a certain condition (, provided that the component is
in a state that does not violate the condition (p = AXp). If that condition
holds in the initial states, then it will be always true along the paths (e.g., the
condition is an invariant of the I. ii Our theory provides the mathematical
tools for proving this property by i1. i if i;_ the properties needed from each
component and model checking them separately.
On the other side, an important I"' of liveness property generally known
as leads to is usually expressed with the formula (p = AFq). The meaning
of this property is that if p is true at some time, q will eventually be true after
some time. Our theory provides the tools for proving properties of this I *"
by b1. irlif 1 a series of predicates po,PI, . ,P,, such that p = po and p, = q
and then proving a series of basic liveness properties pi = A(!, U pi+)
for 0 < i < n. Based on our own experience on several Ii. in especially
network protocols, we argue that i ii , important properties can be expressed
using these basic i'. and liveness properties.
An important question about the applicability of our theory is as follows:
How 1litli ,il is it to use? Formal methods are not easy. The main benefits of
using formal methods in software specification and verification comes from the
rigors imposed in the description and manipulation of concepts and notations.
This forces us to think and understand the problem deeply. On the other hand,
the use of mathematical notation might cause an intuitively simple concept to
require a 1. i_ 11 definition or proof. Our goal here was to present an approach
in which the developer of a component takes the greater part in the verification
of the I. i, By I,. i f ii components using compositional properties and
including theorems and proofs in the documentation, the developer of a com
ponent might reduce the task of the composer to a simple and automatic proof
(model 1 :i i1.
References
[1] K. M. ('!i ,i11L and B. A. Sanders. Reasoning about program composition
tr96035. Technical report, Uiii i  of Florida, November 1996.
[2] E. M. ('i! !:. E. Emerson, and A. Sistla. Automatic verification of finite
state concurrent 1. 11, using temporal logic specifications. .I .1I I. ....
Program. Lang. Syst., 8(2):244263, 1986.
[3] E. W. Diil:1i and C. S. Scholten. Predicate Calculus and Program Seman
tics. SpringerVerlag, New York, 1990.
[4] E. A. Emerson. Temporal and modal logic. In J. van Leeuwen, editor,
Handbook of I ... ,.,i ,,I/ Computer Science, volume B: Formal Models and
Semantics, chapter 14, pages 9961072. 1.1. . r Science Publishers B.V.:
Amsterdam, The Netherlands, New York, N.Y., 1990.
[5] E. A. Emerson and J. Y. Halpern. .i' i1!i and i i. ii revisited:
On branching versus linear time temporal logic. In Proceedings of Annual
AC [. S,i, ....' .. on Principles of Programming Languages, Austin, Texas,
January 1982.
[6] J. Howard, M. Kazar, S. Menees, D. Ni. i1.1 M. 0S .1, ., .1 ., R. Side
botham, and M. West. Scale and performance in a distributed I!. . 11,
AC(. I1 ....... i ..... of Computer !.,!.. 6(1):5158, Feb 1988.
[7] Z. Manna and A. Pnueli. Temporal V T ';, .'', of Reactive <.!,. .i (Safety).
Springer, New York, 1995.
[8] A. Pnueli. The temporal semantics of concurrent programs. .. .I .i
Computer Science, 13:4560, 1981.
[9] J. M. Wing and M. VaziriFarahani. Model ('I!. !:i!, Software Systems: A
Case 1i 1 In Proceedings of SIGSO! I 'I* !. ,,I A(C f SIGSOFT q,',...
sium on the Foundations of S f/ ....1 Engineering, pages 128139, Washing
ton, D.C., Oct. 1995.
