Addresses - Max Planck Society
33
Transcript of Addresses - Max Planck Society
'$�
�
'$
Æ
��
I N F O R M A T I K
� �
Software Model Che king of
Liveness Properties via Transition
Invariants
Andreas Podelski Andrey Rybal henko
MPI{I{2003{2{004 De ember 2003
FORSCHUNGSBERICHT RESEARCH REPORT
M A X - P L A N C K - I N S T I T U T
F
�
UR
I N F O R M A T I K
Stuhlsatzenhausweg 85 66123 Saarbr�u ken Germany
Authors' Addresses
Andreas Podelski
Max-Plan k-Institut f�ur Informatik
Stuhlsatzenhausweg 85
66123 Saarbr�u ken
podelski�mpi-sb.mpg.de
Andrey Rybal henko
Max-Plan k-Institut f�ur Informatik
Stuhlsatzenhausweg 85
66123 Saarbr�u ken
rybal�mpi-sb.mpg.de
Abstra t
Model he king is an automated method to prove safety and liveness prop-
erties for �nite systems. Software model he king uses predi ate abstra tion
to ompute invariants and thus prove safety properties for in�nite-state pro-
grams. We address the limitation of urrent software model he king meth-
ods to safety properties. Our results are a hara terization of the validity of
a liveness property by the existen e of transition invariants, and a method
that uses transition predi ate abstra tion to ompute transition invariants
and thus prove liveness properties for in�nite-state programs.
Keywords
Transition Invariants, Software Model Che king, Liveness, Predi ate Ab-
stra tion, Termination
1 Introdu tion
Software model he king is an approa h for extending the appli ability of
�nite-state model he king to software systems with in�nite state spa es
(see [1, 14, 15, 16, 18, 22, 27, 29, 35℄). The extension works via an abstra -
tion step, whi h is essentially the onstru tion of a �nite-state system.
1
The
�nite-state abstra tion step restri ts the resulting method to safety proper-
ties. This is be ause it does in general not preserve liveness properties. For
intuition, we take termination as an example of a liveness property; a �nite
system is terminating only if its exe ution tra es do not ontain loops; but
then, it an not simulate exe ution tra es of unbounded length (say, of the
program while (i>0) f i:=i-1; g; see also [19, 24℄.) This paper addresses
the limitation of urrent software model he king methods to safety proper-
ties.
The terminology safety vs. liveness is standard to distinguish two kinds of
program properties in the s ope of model he king. An example of a safety
property is (from the interfa e spe i� ation of an operating system kernel [1℄):
ea h time a lo k is a quired, it will get released before the end of the fun tion
all. An example of a liveness property is: ea h time a lo k is a quired, it
will get released. That is, a liveness property expresses a guarantee, without
�xing a time bound. Termination is the standard example of a liveness
property; its proof is required in the ontext of program orre tness proofs
with intera tive theorem provers. Formally, the di�eren e signi�es whether
the negation of the property an be redu ed to rea hability (of a `bad' state)
or to the existen e of an in�nite tra e (without a `good' state). Thus, the
di�eren e also signi�es whether the property ould in prin iple be he ked
at runtime, or not.
In this paper, we give a hara terization of the validity of a liveness prop-
erty via the existen e of transition invariants. This leads to a dedu tive
proof s hema, where a given transition invariant is he ked for indu tiveness
(i.e. losure under an operator that we introdu e). Roughly, in its restri -
tion to termination, the s hema repla es the well-foundedness argument for
a ranking relation by a weaker argument for the transition invariant. We
show that the s hema is suitable for automatization. For this purpose, we
introdu e transition predi ate abstra tion. This te hnique generalizes predi-
ate abstra tion, the basi abstra t interpretation te hnique of the existing
software model he king methods for safety properties. We use transition
predi ate abstra tion as the parameter in a general method to ompute tran-
1
The abstra tion step is formalized as the de�nition of an over-approximating �xed
point operator over �nitely many (in general in�nite) sets of states in [10℄.
1
sition invariants, whi h again we an use to prove the liveness property of
the in�nite-state program.
As with every automated method for an unde idable problem, the best we
an hope for is a semi-test (for safety but not for liveness, a semi-algorithm
is another option). That is, if the abstra tion is too oarse, the omputed
transition invariant is not `strong enough' (in that ase one re�nes the ab-
stra tion by adding more transition predi ates). We an show, however, that
our method is omplete wrt. a �xed abstra tion. Finally, we determine the
omplexity of the `abstra t model he king problem for LTL' (in the number
of transition predi ates); it is PSPACE- omplete. I.e., it has the same om-
plexity as in the spe ial ase of �nite models (when ea h edge is expressed
by one transition predi ate).
To explain the approa h of this paper, we look at the role that invariants
play in the proof of a safety property. The safety property is translated
to the non-rea hability of a `bad' state from an initial state. Its proof is
phrased as the proof of a `strong enough' invariant (an invariant is a state
assertion that holds for every rea hable state; `strong enough' means that it
does not hold for any bad state). The dedu tive proof s hema onsists of
showing the indu tiveness of a `strong enough' invariant (the indu tiveness
is the losure under the su essor operator post). The approa h of this paper
is to introdu e on epts analogous to [`strong enough', indu tive℄ invariants
and show that they an be used to hara terize the validity of a liveness
property.
Following the abstra t interpretation framework [10℄, an indu tive invari-
ant is obtained me hani ally as the least �xed point of an abstra tion of
the post operator over a subdomain of the domain of sets of states. The
subdomain onsists of equivalen e lasses of states when predi ate abstra -
tion is used, as in software model he king (equivalent states satisfy the
same predi ates). A ordingly, the approa h of this paper is to introdu e the
appropriate least �xed point operator and the appropriate domain and the
appropriate predi ate abstra tion and to use these ingredients of the abstra t
interpretation framework to formulate algorithms omputing transition in-
variants.
2 Examples
This se tion is informal. The formal exposition starts in the next se tion.
Termination We use the following simple program to illustrate the use of
transition invariants for termination.
2
int n,i,j,A[n℄;
i=n;
l1: while (i>=0) {
j=0;
l2: while (j<=i-1) {
if (A[j℄>=A[j+1℄)
swap(A[j℄,A[j+1℄);
j=j+1;
}
i=i-1;
}
l1: if (i>=0) j=0;
l2: if (i-j>=1) {
j=j+1;
goto l2;
} else {
i=i-1;
goto l1;
}
For legibility, we on entrate on the skeleton shown on the right, whi h
onsists of the statements st1, st2, st3.
l1: if (i>=0) { i:=i; j:=0; goto l2; } - st1
l2: if (i-j>=1) { i:=i; j:=j+1; goto l2; } - st2
l2: if (i-j<1) { i:=i-1; j:=j; goto l1; } - st3
Ea h of the abstra t statements below must be read as a one-line program.
l1: if (true) {i:=Any; j:=Any; goto l2; } - a1
l2: if (true) {i:=Any; j:=Any; goto l1; } - a2
l1: if (i>=0) {i:=i-Pos; j:=Any; goto l1; } - a3
l2: if (i>=0) {i:=i-Pos; j:=Any; goto l2; } - a4
l2: if (i-j>=1) {i:=i-Nat; j:=j+Pos; goto l2; } - a5
We noti e that st1 is approximated by a1, st2 by a5 and st3 by a2. In
fa t, every sequen e of program statements is approximated by one of a1,
. . . , a5. This means that the set fa1; : : : ; a5g is a transition invariant in our
terminology.
For example, every sequen e of program statements that leads from l2
to l2 is approximated by a4 if it passes through l1, and by a5 otherwise.
The following table assigns to ea h abstra t statement the set of sequen es
of program statements that it approximates. All non-assigned sequen es are
not feasible.
a1 st1(st2jst3st1)
�
a2 (st2jst3st1)
�
st3
a3 st1(st2jst3st1)
�
st3
a4 (st2jst3st1)
�
st3st1(st2jst3st1)
�
a5 st2
+
3
A ording to our formal development in the following se tions (see Theo-
rem 1), the transition invariant above is `strong enough' to prove termination,
whi h means: ea h of its abstra t statements, viewed in isolation as a one-line
program, is terminating.
To prove that a set of abstra t statements is indeed a transition invariant,
we show that it is indu tive or that it an be strengthened by an indu tive
one. The indu tiveness of the transition invariant means that ea h omposi-
tion of an abstra t statement with a program statement is approximated by
the transition invariant. This is in general weaker than requiring that ea h
omposition of abstra t statements must be approximated by the transition
invariant.
The omposition of the abstra t statement a1 with
the program statement st3 yields the abstra t statement
l1: if (true) f i:=Any; j:=Any; goto l1; g, whi h is not approximated by
the transition invariant. Thus, the transition invariant is not indu tive. We
strengthen it by the indu tive transition invariant given below.
l1: if (i>=0) { i:=i-Nat; j:=Any; goto l2; }
l2: if (true) { i:=i-Pos; j:=Any; goto l1; }
l1: if (i>=0) { i:=i-Pos; j:=Any; goto l1; }
l2: if (i>=0) { i:=i-Pos; j:=Any; goto l2; }
l2: if (i-j>=1) { i:=i-Nat; j:=j+Pos; goto l2; }
This transition invariant is omputed by our method; it orresponds to the
output produ ed by our implementation.
Fairness We use the following simple program \Up-down" to illustrate the
use of transition invariants for fair termination.
int x=0, y=0;
l0: while (x=0) y++;
l1: while (y>0) y--;
l2:
m0: x=1;
m1:
Termination is the inevitability of the lo ation (l2, m1). For formal reason,
the program has a self-loop in this lo ation.
Termination an be proven only under the fairness assumption that the
pro ess on the right-hand side will eventually move from m0 to m1. This
assumption is en oded by the B�u hi automaton below.
q
0
q
1
p =m1
p =m0
4
The transition invariant that we ompute for this problem ontains 49
abstra t statements. Below we give the two riti al ones.
l0_m0_q0: if (true) { x:=Any;
y:=y+Pos; goto l0_m0_q0; } - a1
l1_m1_q1: if (y>0) { x:=Any;
y:=y-Pos; goto l1_m1_q1; } - a2
The abstra t statement a1 does not terminate. However, by the formal
theory that we establish, its termination is not needed be ause its exe utions
do not visit the B�u hi a epting state q
1
in�nitely often. This is where the
fairness assumption omes in; the loop in l0 m0 is not a fair exe ution. The
`fair' abstra t statement a2 terminates.
3 Transition Invariants
Our formal exposition is based on ommand formulas.
Example 1 The ommand formula below represents the statement
if y>=0 then x=x+1;
of a program over variables x and y where l
1
and l
2
are the labels before and
after the statement.
def
= p =l
1
^ y � 0
| {z }
guard
^ x
0
= x + 1 ^ y
0
= y ^ p
0
=l
2
| {z }
a tion
In a ommand formula, the subformula over unprimed variables x
1
; : : : ; x
n
forms the guard (enabling ondition). The remaining onjun ts form the
a tion (update of the variables). Usually, they are of the form x
0
= E, where
E is the update expression over unprimed variables (translating assignments
x := E).
From now on, we assume that the program is given as a set C of ommand
formulas. The translation from programs to sets of ommand formulas is
standard for many programming languages, in luding on urrent ones.
A basi observation is that one an use ommand formulas of a more
general form than the one that orresponds to programs in order to denote
relations between states of a more general kind than the transition relations
denoted by programs. We will next introdu e some notation and de�ne how
general ommand formulas � denote relations between states.
The n-tuple X = (x
1
; : : : ; x
n
) onsists of the variables appearing in the
program. Usually, one or many program ounter variables (\p ") appear
5
among the x
i
's; they range over the program labels. The free variables of
a ommand formula � are among the variables x
1
; : : : ; x
n
and their primed
versions x
0
1
; : : : ; x
0
n
.
A state s is a valuation of the program variables x
1
; : : : ; x
n
. The set of
all states is denoted by S. The value of the program variable x in a state
s is s(x). A pair of program states s and s
0
satis�es a ommand formula �,
formally (s; s
0
) � �, if � evaluates to true after interpreting x
i
by s(x
i
) and x
0
i
by s
0
(x
i
) for all i. The transition relation denoted by the ommand formula
� is the set of all state pairs that satisfy �.
!
�
def
= f(s; s
0
) j (s; s
0
) � �g
Given the program in the form of the ommand formula �, the state s
0
is
rea hable from the state s in one exe ution step if s !
�
s
0
(whi h means
that the pair (s; s
0
) satis�es �), and rea hable in a non-empty sequen e of
exe ution steps if s!
�
+
s
0
. As usual, !
+
denotes the transitive (but not
re exive) losure of the relation !.
A transition formula � is a set of ommand formulas. An example of a
transition formula is the program C. We use the terms disjun tion and set
of ommand formulas inter hangeably. The terminology and notation above
for ommand formulas extend anoni ally to sets.
De�nition 1 Transition Invariant.
A transition invariant of a program C is a transition formula that holds of
every pair of states s and s
0
su h that s
0
is rea hable from s in a non-empty
sequen e of exe ution steps.
That is, the transition relation of a transition invariant ontains the transi-
tive losure of the transition relation of the program C, formally!
C
+
� !
.
Invariants We assume that the given program omes with a state formula
Init denoting the set of initial states. A state formula or state assertion
is a formula whose free variables are the program variables (in luding the
program ounter p ); it denotes a set of states. An invariant Inv is a state
assertion that holds for every rea hable state (rea hable from an initial state).
We onstru t the formula Inv
from a transition invariant as the dis-
jun tion of Init with the formula that denotes the set of dire t su essor
states of initial states of C under statements in (here [X=X
0
℄ refers to the
renaming of the primed by the unprimed version of ea h program variable).
Inv
def
= Init _ (9X (Init ^ ))[X=X
0
℄
6
Remark 1 Given the transition invariant and the state formula Init de-
noting the set of initial states, the formula Inv
is an invariant of the program.
Conversely, given an invariant Inv of the program C, the transition for-
mula Inv^ Inv[X
0
=X℄ is a transition invariant not for the program C itself but
for the program Inv^C obtained by strengthening the guards with informa-
tion about rea hable states. As usual, we extend onjun tion to sets of for-
mulas in the anoni al way, i.e., �
1
^�
2
def
= f�
1
^�
2
j �
1
2 �
1
and �
1
2 �
2
g.
Well-founded Command Formulas The ommand formula � is well-
founded if the transition relation !
�
(stri tly speaking, its inverse) is well-
founded, i.e., there is no in�nite sequen e of states fs
i
g
1
i=1
su h that ea h
onse utive pair of states satis�es the ommand formula, formally (s
i
; s
i+1
) �
� for all i. In terms of program exe utions this means that the one-line
program represented by the ommand formula is terminating whatever its
initial states are (i.e., if its initial ondition is true).
Notation of Meta-Variables We use � for general ommand formulas,
for those in transition invariants, for those in the program, and their
upper ase version to sets thereof, i.e., � for general transition formulas,
for transition invariants and C for the program.
4 Termination
The program is terminating if every exe ution starting in an initial state is
�nite. This is a spe ial ase of an LTL property; te hni ally this se tion is
subsumed by the next one. We single out termination be ause of its singular
importan e. Its treatment is possible without introdu ing B�u hi automata.
Theorem 1 (Transition Invariants and Termination) The program
represented by the set of ommand formulas C is terminating if there exists
a �nite transition invariant su h that all ommand formulas in Inv
^
are well-founded.
Proof. Assume, for a proof by ontraposition, that is a �nite transition
invariant for C, and that C is not terminating. We show that at least one
ommand formula in Inv
^ is not well-founded.
By the assumption that C is not terminating, there exists an in�nite
sequen e of states �
def
= fs
i
g
1
i=1
su h that s
1
is an initial state and s
i
!
i
s
i+1
for all i, where
i
2 C.
7
We de�ne a fun tion f that maps an ordered pair of indi es of elements
in the sequen e � to one of the ommand formulas in the transition invariant
as follows.
f(k; l)
def
= 2 ; where (s
k
; s
l
) �
The fun tion f exists be ause is a transition invariant for C, and thus we
an hoose arbitrarily one ommand formula from the (�nite) set f 2 j
(s
k
; s
l
) � g as the image of the pair (k; l). The range of the fun tion f is
�nite sin e is �nite.
� � � ! s
k
! � � � ! s
l
! : : :
Given �, the fun tion f indu es an equivalen e relation � on pairs of
positive integers (in this proof we always onsider pairs whose �rst element
is smaller than the se ond one).
(k; l) � (k
0
; l
0
)
def
= f(k; l) = f(k
0
; l
0
)
The equivalen e relation � has �nite index, sin e the range of f is �nite.
By Ramsey's theorem [28℄, there exists an in�nite set of positive integers
K su h that all pairs of elements in K belong to the same equivalen e lass,
say [(m;n)℄
�
with m;n 2 K. That is, for all k; l 2 K su h that k < l we
have (k; l) � (m;n). We �x m and n.
Let fk
i
g
1
i=1
be the as ending sequen e of elements ofK. Let the ommand
formula denote the ommand formula f(m;n). Sin e (k
i
; k
i+1
) � (m;n),
the fun tion f maps ea h pair (k
i
; k
i+1
) to .
� � � ! s
k
i
! � � � ! s
k
j
! � � � ! s
k
l
! : : :
Hen e, the in�nite sequen e fs
k
i
g
1
i=1
is indu ed by .
s
k
i
!
s
k
i+1
; for all i � 1
Sin e we assume that s
1
is an initial state, every state s
k
i
satis�es the invari-
ant Inv
, and hen e the in�nite sequen e is indu ed also by Inv
^ . Hen e,
the ommand formula Inv
^ is not well-founded. Therefore at least one
ommand formula in Inv
^ is not well-founded. � The statement of the
theorem still holds when one repla es the invariant Inv
by any other �nite
invariant.
8
The suÆ ient ondition for program termination given in Theorem 1 has
three omponents: the `transitive losure' property of transition invariants,
the �niteness and the `disjun tive well-foundedness'. The examples below
show that the �rst resp. the se ond omponent an not be omitted.
2
Example 2 The transition formula = f
1
;
2
g given by the two ommand
formulas
1
� x > 0 ^ x
0
< x and
2
� y > 0 ^ y
0
< y is �nite
and `disjun tively well-founded'. The transition relation indu ed by is not
terminating, as an be seen from the in�nite sequen e (0; 1); (1; 0); (0; 1); : : :
of states.
Example 3 The program given by the single ommand formula below
(translating \while (x>=0) x++;") does not terminate for initial states
where x � 0.
def
= x � 0 ^ x
0
= x+ 1
The transition formula below denotes a transition invariant for f g that
onsists of in�nitely many well-founded ommand formulas (here Inv
^ is
equivalent to ).
def
= fx = k ^ x
0
> x j k 2 Ng
The strongest transition invariant (whi h denotes the transitive losure of
the transition relation of the program) an in general not be used for the
suÆ ient ondition of termination (sin e it is in�nite in general).
2
To ompare the standard approa h to termination proof and our approa h (in its
restri tion to termination), we view a ranking fun tion (de�ned by the expression e[X ℄ in
the program variables) as a (transitive) ranking relation (the transition formula e[X
0
℄ <
e[X ℄ in primed and unprimed program variables). The ranking relation approximates the
transition relation of the program (and also its transitive losure). Termination follows
from the well-foundedness of the ranking relation. By de�nition, a transition invariant
approximates the transitive losure of the transition relation of the program (in general, a
transition invariant is not transitive, even when it is indu tive as de�ned in De�nition 3).
Termination then follows already from the `disjun tive well-foundedness' of the transition
invariant (by an argument that exploits the ombinatorial property of Ramsey's theorem).
Disjun tive well-foundedness is weaker than well-foundedness (take the disjun tively well-
founded relation given by x
0
< x _ y
0
< y). Theorem 1 states a ondition under whi h
disjun tive well-foundedness does imply well-foundedness. Namely, stated in terms of
relations r and R instead of transition formulas:
If R an be de omposed into a union of well-founded relations (R = R
1
[ : : : [ R
n
, and
R
1
; : : : ; R
n
are well-founded) and r
+
� R, then r (as well as r
+
) is well-founded.
9
5 LTL
We follow the automata-theoreti approa h to veri� ation [34℄ (see [33℄ for
the generalization to in�nite-state systems). We assume that the given LTL
(Linear Temporal Logi [25℄) property ' is represented by a B�u hi automaton
A
:'
for its negation (more pre isely, an LTL formula ' over the �nite set
of atomi propositions AP is represented by a B�u hi automaton A
:'
that
a epts exa tly the in�nite sequen es of program states that do not satisfy ').
We thus need not introdu e the syntax of LTL. We use B�u hi automata and
their syn hronous parallel omposition with programs in the usual way, with
the only di�eren e that atomi propositions denote in�nite sets of program
states (i.e., an atomi proposition is a formula in the program variables X).
The B�u hi automaton A
:'
= (Q;�;�; q
init
; A ) onsists of the �nite
set of states Q, the �nite alphabet � = 2
AP
, the transition relation � �
Q���Q, the initial state q
init
2 Q, and the set of a epting states A � Q.
A run of A
:'
on the in�nite sequen e �
1
; �
2
; : : : is an in�nite sequen e of
states q
1
; q
2
; : : : su h that q
1
is q
init
and (q
i
; �
i
; q
i+1
) 2 � for all i � 1. The
run q
1
; q
2
; : : : is a epting if an a epting state q
a
2 A appears in�nitely
often. An in�nite sequen e w = �
1
; �
2
; : : : is a epted by A
:'
if there exists
an in�nite run on w.
Let L : S ! 2
AP
be a labelling fun tion on program states that provides
the set of all atomi propositions satis�ed by the given program state. An
in�nite sequen e of program states s
1
; s
2
; : : : satis�es :' if and only if the
in�nite sequen e of state labels L(s
1
); L(s
2
); : : : is a epted by A
:'
.
The program C satis�es the LTL property ' if there exists no in�nite
sequen e of program states that is a program tra e of C and satis�es :',
i.e., that is a a epting run of the syn hronous parallel omposition of C and
A
:'
, to be introdu ed next.
We introdu e a new program variable, the program ounter p
A
ranging
over the set of automaton states Q. A state of the produ t program is a
valuation over the tuple of program variables X and the variable p
A
; we
write it as a pair (s; q) of states of C and A
:'
, respe tively.
De�nition 2 Syn hronous Parallel Composition C�A
:'
.
The syn hronous parallel omposition of the program C and the B�u hi au-
tomaton A
:'
(with transition relation �) is the transition formula
C�A
:'
def
= f ^
(q;�;q
0
)
j 2 C and (q; �; q
0
) 2 �g;
10
where
(q;�;q
0
)
def
= p
A
=q ^ p
0
A
=q
0
^
^
p2�
p ^
^
p62�
:p:
A run of C�A
:'
is an in�nite sequen e of state pairs (s
1
; q
1
); (s
2
; q
2
); : : :
that starts in initial states of C resp. A
:'
, and su h that ea h onse utive pair
of state pairs satis�es the transition formula C�A
:'
. The run is a epting
if an a epting state of A
:'
appears in�nitely often in the in�nite sequen e
q
1
; q
2
; : : :.
Remark 2 The run s
1
; s
2
; : : : of the program C does not satisfy the LTL
property ' if and only if (s
1
; q
1
); (s
2
; q
2
); : : : is an a epting run of C�A
:'
.
In the statement below, we an use any other invariant instead of Inv
(whi h
is the invariant obtained from a given transition invariant; see Remark 1).
Theorem 2 (Transition Invariants and LTL) The program C satis�es
the LTL property ' if there exists a �nite transition invariant for C�A
:'
su h that ea h ommand formula of the form
Inv
^ p
A
=q
a
^
is well-founded, where is a ommand formula in and q
a
is an a epting
state of A
:'
.
Proof. For a proof by ontraposition, assume that is a �nite transition
invariant for C�A
:'
, and that the program C does not satisfy the LTL
property '. By Remark 2, there exists an a epting run (s
1
; q
1
); (s
2
; q
2
); : : :
of C�A
:'
(starting in initial states of C resp. A
:'
) and an a epting state
q
a
that appears in the sequen e q
1
; q
2
; : : : in�nitely often, say at ea h index
in the in�nite set of indi es P .
P
def
= fi j q
i
� q
a
g
Sin e is a transition invariant, we an de�ne a fun tion f from the set of
ordered pairs of indi es in P to the set of ommand formulas in as below.
f(k; l)
def
= 2 ; where ((s
k
; q
k
); (s
l
; q
l
)) �
By Ramsey's theorem [28℄, there exists a ommand formula in and
an in�nite set of indi es K that is a subset of P , su h that ea h pair of
onse utive indi es in K is mapped to , formally f(k
i
; k
i+1
) = where k
i
and k
i+1
in K for i � 1.
11
In summary, ea h onse utive pair of state pairs ((s
k
i
; q
k
i
); (s
k
i+1
; q
k
i+1
))
satis�es the ommand formula , ea h state pair satis�es the guard p
A
=
q
a
, and, sin e the �rst element (s
1
; q
1
) of the in�nite sequen e is a pair of
initial states (of C resp. A
:'
), every subsequent element and in parti ular
every element of the form (s
k
i
; q
k
i
) satis�es the invariant Inv
of C � A
:'
.
This means, the in�nite sequen e ((s
k
1
; q
k
1
); ((s
k
2
; q
k
2
) : : : is indu ed by the
ommand formula Inv
^ p
A
=q
a
^ . Whi h is, this ommand formula is
not well-founded. �
6 Synthesis of Indu tive Transition Invari-
ants via Transition Predi ate Abstra tion
We will develop a veri� ation method for LTL properties via the automated
synthesis of indu tive transition invariants by iteration of the best abstra -
tion of a �xed point operator over an abstra t domain de�ned by predi ates.
This is akin to the automated synthesis of indu tive invariants in the soft-
ware model he king method for safety properties; the di�eren e is that the
�xed point operator is based on sequential omposition of ommands and
the predi ates range over transitions instead of states. The program C to
whi h we refer in this se tion is either the program whose termination we
want to he k, or (more generally) its produ t with a B�u hi automaton for
the negation of the LTL formula that we want to he k.
Indu tive Transition Invariants From now on, we use a given logi al
onsequen e ordering j= over transition formulas. If the transition relation
of one transition formula �
2
is a onsequen e of another one �
1
, then its tran-
sition relation ontains the other one (formally, if �
1
j= �
2
then!
�
1
�!
�
2
).
We do not require the onverse. This means that j= is a sound but not ne -
essarily omplete implementation of the validity of impli ation (a sound and
omplete implementation may be too ineÆ ient or not even exist).
We de�ne a omposition operator Æ on ommand formulas that orre-
sponds to the omposition of transition relations, i.e., !
�
1
�
2
=!
�
1
Æ !
�
2
.
�
1
Æ �
2
def
= 9X
00
(�
1
[X
00
=X
0
℄ ^ �
2
[X
00
=X℄)
Here we repla e ea h primed variable in �
1
and ea h unprimed variable in
�
2
by the orresponding double-primed one. The omposition of transition
formulas �
1
Æ �
2
is the set of ommand formulas obtained by pairwise om-
position of those in �
1
and �
2
.
�
1
Æ �
2
= f�
1
Æ �
2
j �
1
2 �
1
and �
2
2 �
2
g (1)
12
The transition formula � is a transition invariant for the program C if the
formula � is a onsequen e of the omposition of every non-empty sequen e
of ommand formulas in C (the onverse is not ne essarily true sin e the
onsequen e relation j= is not ne essarily omplete).
1
Æ : : : Æ
n
j= �; for all n � 1 and
1
; : : : ;
n
2 C
Using the Kleene star operator for the iterative omposition, we an write
the above suÆ ient ondition for transition invariants as C Æ C
?
j= �.
De�nition 3 Indu tion.
The transition formula � is indu tive for the program C if � is a onse-
quen e of C and of � omposed with C.
C _ � Æ C j= �
The ondition in De�nition 3 is weaker (not stronger) than �� j= �, i.e., an
indu tive transition formula is not ne essarily losed under omposition. By
the next statement, we have a suÆ ient ondition for transition invariants
that it is e�e tively testable whenever j= is.
Remark 3 A transition formula is a transition invariant if it is indu tive.
Dedu tive Proof S hema By Remark 3 and Theorem 1, in order to prove
that the program C is terminating it is suÆ ient to provide a �nite set of
well-founded ommand formulas and show that is indu tive for C.
Similarly, we derive an indu tive proof s heme for LTL properties from
Remark 3 and and Theorem 2.
The dedu tive proof s hema is omplete in the sense of dedu tive om-
pleteness investigated e.g. in [19℄. This is be ause the well-founded ranking
relation indu ed by a ranking fun tion is a transition invariant whi h onsists
of one well-founded ommand formula (see Footnote 2).
As with the proofs of safety properties, it is in general not possible to �nd
`strong enough' transition invariants automati ally; thus, we design system-
ati methods that �nd transition invariants `in the best possible way', in the
sense made pre ise in abstra t interpretation [10℄.
Transition Predi ates We will obtain indu tive transition invariants as
least �xed points of abstra tions of the on rete �xed point operator F that
we de�ne as follows.
F (�)
def
= � Æ C
13
We an de�ne the ba kward version by
B(�)
def
= fg ^ �[e=X℄ j� 2 � and 2 C;
where is g ^X
0
=eg;
whi h does not require elimination of existentially quanti�ed variables. Ev-
erything in the following also holds analogously for B. The least �xed points
of F and B are equivalent; this is no longer the ase when we abstra t the
two �xed point operators. That is, in the appli ation of our algorithms to
programs, the result returned may depend on the hoi e of the �xed point
operator, F vs. B.
The (in general in�nite) on rete domain D ontains all transition for-
mulas (i.e., all sets of ommand formulas in the given formalism); its partial
ordering is the given onsequen e relation j=. The least �xed point of the
operator F over the (upwards- omplete) domain D always exists (it is possi-
bly an in�nite set). It is the strongest (indu tive) transition invariant of the
program.
Following [10℄, we may de�ne the abstra t domainD
#
to be a �nite subset
of D su h that D
#
is a Moore family, i.e., D
#
ontains the supremum of D
and is losed under onjun tion. As a onsequen e (Theorem 5.1.0.3 in [10℄),
every formula in D has a minimal onsequen e in D
#
. The abstra t domain
D
#
determines the best abstra tion fun tion from D into D
#
by
�(�)
def
=
^
f 2 D
#
j � j= g: (2)
In the ase of predi ate abstra tion, the abstra t domain D
#
onsists of the
�nite formulas built up from a given �nite subset of D of `atomi ' formu-
las. The atomi formulas de�ne a �nite number of transition predi ates. In
ontrast to predi ates that are de�ned by formulas over unprimed program
variables and apply to states, the (more general) transition predi ates are
de�ned by formulas over primed and unprimed variables and apply to tran-
sitions (i.e., pairs of states).
For example, given the transition predi ates p = l
i
, p
0
=l
i
(for ea h
label l
i
), z � k, and z
0
� z + k for z 2 fx; yg and k 2 f�1; 0; 1g, the
abstra tion of the ommand formula in Example 1 is
�( ) � p =l
1
^ y � 0 ^ x
0
� x+ 1 ^ y
0
� y ^ p
0
=l
2
:
Given the abstra t domain D
#
, the best abstra tion of the �xed point
operator F is the operator F
#
de�ned below (for transition formulas in
14
D
#
).
3
F
#
()
def
= �( Æ C): (3)
The monotoni ity of the �xed point operator F
#
is a dire t onsequen e
of the monotoni ity of the omposition and the abstra tion fun tion. By
Tarski's �xed point theorem, the least �xed point of F
#
exists. We denote
the least �xed point of F
#
above C by lfp(F
#
; C). The �xed point lfp(F
#
; C)
is omputed in the usual fashion.
lfp(F
#
; C) =
1
_ : : : _
n
, where
1
= f�( ) j 2 Cg
i+1
= f�( Æ ) j 2
i
and 2 Cg
n+1
j=
1
_ : : : _
n
Here, we impli itly apply (1) and the additivity of the abstra tion fun tion �.
Sin e D
#
is �nite, the �xed point omputation terminates after �nitely many
iterations.
Strengthening Transition Invariants Given an invariant Inv, we an
obtain a stronger transition invariant by using (an abstra tion of) the
�xed point operator F for the program fInv ^ j 2 Cg where ea h guard
is strengthened by the invariant. The stronger transition invariant an in
turn be used to onstru t a stronger invariant Inv
(see Remark 1).
LTL Software Model Che king The algorithm de�ned in Figure 1 is
a semi-test for the validity of an LTL property for a program. We all
it the `LTL software model he king algorithm' be ause it uses the same
main ingredient of the already ited algorithms known under software model
he king for safety, namely �xed point iteration over an abstra t domain
de�ned by predi ates. The orre tness of a semi-test is the soundness of its
de�nite answers.
Theorem 3 (Soundness) The LTL software model he king algorithm is
orre t, i.e., if the algorithm returns \LTL Property Holds" then the input
LTL property ' holds for the input program C.
3
The asso iativity of the omposition operator Æ is not preserved under predi ate ab-
stra tion. I.e., the abstra t omposition Æ
#
de�ned by
1
Æ
#
2
= �(
1
Æ
2
) is not
asso iative. In other words, the abstra tions of the ommand formulas do not generate
a monoid. This is be ause we use the best possible abstra tions. Similarly, the operator
F
##
de�ned by F
##
() = Æ
#
�(C) is not the best abstra tion of F .
15
input
program C with initial states Init
transition predi ates de�ning abstra t domain D
#
B�u hi automaton A
:'
with initial state q
init
and
a epting states A
begin
C := C�A
:'
Init := Init ^ p
A
=q
init
� := ��:
V
f 2 D
#
j � j= g
F
#
:= �: �( Æ C)
:= lfp(F
#
; C)
Inv
:= Init _ (9X (Init ^))[X=X
0
℄
if forea h in and q
a
2 A
well-founded(Inv
^ p
A
=q
a
^ )
then
return(\LTL Property Holds")
else
return(\Don't Know")
end.
Figure 1: LTL software model he king.
The program is given as a set C of ommand formulas; its set of initial
states is denoted by the state formula Init; the abstra t domain D
#
with
glb operator
V
is given through a �nite set of transition predi ates (D
#
onsists of all Boolean ombinations of those predi ates); the operator Æ
over transition formulas is sequential omposition; the B�u hi automaton
A
:'
represents the negation of the LTL property ' to be he ked; the
operator � is the syn hronous parallel omposition of a program and the
B�u hi automaton.
16
input
program C with initial states Init,
transition predi ates de�ning abstra t domain D
#
begin
� := ��:
V
f 2 D
#
j � j= g
F
#
:= �: �( Æ C)
:= lfp(F
#
; C)
Inv
:= Init _ (9X (Init ^))[X=X
0
℄
if forea h in
well-founded(Inv
^ )
then
return(\Terminating")
else
return(\Don't Know")
end.
Figure 2: Termination algorithm (spe ial ase of LTL algorithm)
Proof. The orre tness follows from the fa t that a �xed point of an
abstra tion of an operator is also a �xed point of that operator [10℄, the fa t
that a �xed point of the omposition operator F is an indu tive transition
formula, Remark 3 and Theorem 2. �
The algorithm in Figure 2 is a semi-test for termination. It is the spe ial
ase of the one in Figure 1 where the B�u hi automaton onsists of one state
(whi h is both initial and a epting, and whi h has a transition to itself). Its
orre tness an be shown using Theorem 1 instead of Theorem 2.
The LTL algorithm (or its restri tion to termination) annot be omplete
(result a de�nite answer always if the program is terminating) for de idability
reasons. Instead, we have a di�erent kind of ompleteness.
Theorem 4 (Abstra tion Completeness) If the abstra t domain D
#
ontains a �nite indu tive transition invariant for the program C �A
:'
that
onsists of well-founded ommand formulas, then the LTL software model
he king algorithm will su eed in proving the LTL property, i.e., it will re-
turn a de�nite answer (\LTL Property Holds").
Proof. [Sket h℄ We use the hara teristi property of best abstra tions in
the same way as for the ompleteness of abstra tion-based proofs for safety
properties (see [2, 9℄). �
17
In this se tion, we have onstru ted one parti ular abstra tion, based on
transition predi ates. Many more onstru tions are possible; see [10, 9℄. The
orre tness of the algorithm will hold for any sound abstra tion F
#
of the
on rete omposition operator F .
Well-foundedness of Command Formulas The algorithms are
parametrized by a test of (a suÆ ient ondition for) the well-foundedness
of the ommand formulas in the abstra t domains D
#
. This test returns
the value of the expression \well-founded( )".
In the implementation of the algorithm that we used for our examples,
the test is based on linear programming. It is a de ision pro edure for a lass
of ommand formulas in linear arithmeti [26℄.
If the repetition Æ Æ : : :Æ of any length is di�erent from false, then the
ommand formula translates a program that onsists of one while loop.
We all it a simple while loop be ause its body onsists of straight-line ode
(without if-then-else bran hing). Given a lass of programs we want to verify,
and given the orresponding abstra t domain, the next step is to determine
good suÆ ient termination onditions for the orresponding lass of simple
while loops.
Complexity We will next show that, in a omplexity-theoreti sense, the
semi-test that we have given is not optimal for the problem that it `solves'.
First we formally de�ne what problem that is. We introdu e the problem to
de ide, given a program and an abstra tion (a set of transition predi ates),
whether `the abstra t program' satis�es the LTL property. Formally, whether
the program has an indu tive transition invariant, with well-founded om-
mand formulas, in the abstra t domain de�ned by the transition predi ates.
(This is in analogy with the setting of Boolean programs with predi ate
abstra tion in [1℄: a Boolean program satis�es the given safety property if
and only if the program has an indu tive invariant, without `bad' states, in
the abstra t domain de�ned by the predi ates. We omit a formalization of
`Boolean transition programs'; their operational semanti s would be based
on sequential omposition.)
We give an optimal algorithm and a lower bound and thus determine
the omplexity of the de ision problem in the size of the set of transition
predi ates (whi h depend on the given program; the program is either the
one whose termination we want to he k, or more generally its produ t with a
B�u hi automaton for the negation of the LTL formula that we want to he k;
the transition predi ates in lude usually the formulas p = l
n
and p
0
= l
n
and p
A
= q and p
0
A
= q for program labels l
n
of the program and states q
18
of the B�u hi automaton).
Theorem 5 (Complexity of Abstra t LTL Model Che king) Given
a �xed program and a set of transition predi ates, the problem to de ide
whether the program has an indu tive transition invariant with well-
founded ommand formulas in the abstra t domain de�ned by the transition
predi ates, is PSPACE- omplete in the number of transition predi ates.
Proof. [Sket h℄ For the upper bound, we use not �xed point iteration but a
non-deterministi algorithm that explores lfp(F
#
; C); again, as in the proof
of Theorem 4, we use the hara teristi property of best abstra tions in
the same way as for the ompleteness of abstra tion-based proofs for safety
properties (see [2, 9℄). The lower bound is obvious from the �nite-state
ase (the only values are the labels of on urrent programs; the strongest
transition invariant is indu tive and �nite, hen e the well-foundedness of
its ommand formulas is a suÆ ient and ne essary ondition for program
orre tness). �
7 Related Work
Our use of Ramsey's theorem in the proofs of Theorems 1 and 2 is reminis ent
of its use in B�u hi's theory of !-regular languages over a �nite alphabet
(see [32℄). This theory is the basis of the automata-theoreti approa h to
LTL model he king [34℄. The equivalen e lasses over segments orrespond
to the transformer fun tions of the B�u hi automaton. We, however, restri t
ourselves to �nite sets of transformers over an in�nite state spa e, as opposed
to restri ting oneself to transformers over a �nite state spa e (in both ases,
the sets of transformers are �nite and thus indu e an equivalen e relation
of �nite index, whi h is the raison d'etre of the �niteness restri tion). As
a onsequen e, we infer the existen e of an ultimately periodi sequen e of
transformers (
0
Æ
!
or, in the notation of [32℄, [v℄
�
� [w℄
�
!
), as opposed
to an ultimately periodi sequen e of states. For a more subtle di�eren e, in
our setting (see Footnote 3), the mapping of ea h �nite segment of an in�nite
tra e to its equivalen e lass is not a monoid homomorphism.
In [23℄, Lee, Jones and Ben-Amram present a termination analysis for
fun tional programs; the analysis is based on the omparison of in�nite paths
in the ontrol ow graph and in `size- hanging graphs'; that omparison an
be redu ed to the in lusion test for B�u hi automata. Our work takes what
we think is the essen e in [23℄, formulates it in a logi -based setting ombined
with abstra t interpretation, onne ts it with predi ate abstra tion and ex-
plores how far one an get, pushing for greater generality. We use a di�erent
19
setting (imperative and on urrent instead of fun tional programs). That
taken aside, a bold way to state the ontribution of our work in omparison
to theirs is that we go from termination to general LTL properties, and that
we go from one �xed abstra tion to generi abstra t domains (spe i�ed by
transition predi ates). The spe i� ation of an abstra t domain allows one
to �ne-tune an abstra tion to the property one tries to prove; in a way, this
possibility turns a program analysis into a veri� ation method.
One an su essively re�ne abstra tion by adding more transition predi-
ates. For example, adding x
0
< x and then x
0
< x � 1 allows one to he k
the termination of the program while(x>=0)fx:=x+1; x:=x-2g.
One pra ti al advantage of our logi -based setup over the graph-based
one of [23℄ is the possibility to take into a ount the spe i� ation of the
initial states of a program (without it, one he ks a|too strong| ondition
for termination, namely under the|too weak|assumption that every state
an be an initial state); we do so in Theorems 1 and 2 by adding an invariant
as a onjun t to ea h ommand formula in the transition invariant (e.g. the
invariant Inv
derived from the transition invariant ).
In [7, 8℄, Colon and Sipma give methods to prove termination that are
highly su essful in pra ti e. The methods are based on linear arithmeti , as
opposed to being parametrized by theorem provers. They work by isolating
strongly onne ted omponents in the ontrol ow graph of a program and
by omputing ranking fun tions for ea h one of them. No omposition of
program statements is onsidered, i.e., the program while (x>=0) fx=x+1;
x=x-2;g annot be proven terminating.
In [33℄, Vardi provides an automata-theoreti framework for veri� ation
of on urrent systems by appying in�nite automata. The system satis�es is
orre t if its parallel omposition with the automaton that a epts ompu-
tations violating the property does not have in�nite omputations. Our LTL
he king setup follows this framework.
In [19℄, Kesten, Pnueli and Vardi `augment' �nite-state abstra tions with
progress monitors to verify liveness properties. They were perhaps the �rst
to point out �nite-state abstra tions as su h are not suÆ ient for automated
liveness proofs. The progress monitors in arnate ranking fun tions that have
to be provided manually. Ranking fun tions are to liveness what invariants
are to safety; in automated methods for safety, invariants are synthesized.
Previous approa hes to automated liveness he king for in�nite-state sys-
tems are based on the iteration of �xpoint operators over sets of states.
When they a ount for fairness assumptions (as e.g. [31℄), they need to under -
approximate sets of states, whi h seems hard. Without fairness assumptions,
liveness proofs for on urrent systems are in general awed (for example, the
non-starvation proofs for integer-valued ommuni ation proto ols in [5, 11℄
20
are based on models where no pro essor is allowed to idle).
We are not aware of previous formalizations of transition invariants. The
notion has appeared impli itely in spe ial instan es. For example, the meta-
transitions of Boigelot and Wolper e.g. in [3℄ are (in fa t, the strongest)
transition invariants for simple loops. They may be useful for showing the
well-foundedness of ommand formulas in transition invariants, as the work
in [4℄ already indi ates. The modifies lauses used by Rustan Leino and
Kun ak e.g. in [20℄; the lause modifies x expresses the the onjun tion of
y
0
= y for all other variable y di�erent from x is a transition invariant.
8 Con lusion, Future Work
Verifying liveness properties of software will always be a hard problem; any
automated method will work at most in examples where no ingeniousness
or reativity is required. We have presented a formal framework that may
serve as a starting point for designing automated methods in a ertain style.
Namely, it suggets using least �xed point iteration in ombination with ab-
stra t interpretation te hniques and in parti ular transition predi ate ab-
stra tion. I.e., this style relies on the same basis as the methods known under
software model he king, whi h have demonstrated their strong potential in
automated tools for verifying safety properties of software systems.
It is not at all obvious, however, whether the su ess of the software model
he king method will extend from safety to liveness. We annot predi t
whether one an a hieve s alability. We still have to develop te hniques for
onstru ting abstra t domains that are as ri h for transition formulas as for
state formulas. These te hniques need to balan e the ost for omputing the
abstra tion with the ost for the test of well-foundedness (see also below).
We have done some preliminary pra ti al experiments with a prototypi-
al implementation in Si stus Prolog [21℄ with a onstraint solver for linear
arithmeti ( lpqr [17℄); we use the CMU BDD pa kage for the eÆ ient im-
plementation of the �xpoint test. We used our tool to prove non-starvation
for the 2-pro ess version of the bakery proto ol. Non-starvation expresses
that ea h time a pro ess requests a resour e it will �nally a ess it. Its proof
requires fairness assumptions (ea h pro ess must make progress, at ertain
program lo ations). We express the fairness assumptions in the LTL formula
\if fair then non-starvation" and use the tool LTL2BA [12℄ to translate its
negation into a B�u hi automaton. We then ompute transition invariants
for the `syn hronous parallel omposition' of the proto ol and the B�u hi au-
tomaton, in the `forward' (F ) and the `ba kward' (B) way. We give some
measurements in Table 1. The experiments indi ate that the size of the
21
time ommand formulas
Program S P (ms) total loop fair
Bakery(B) 218 0 1740 815 17 8
Bakery(F ) 218 0 4480 815 17 8
Table 1: Transition invariants in numbers.
B and F stands for the ba kward and forward �xed point operators; S is
the number of guarded ommands in the omposition of the proto ol with
the B�u hi automaton for the negation of the LTL property \if fair then non-
starvation"; P denotes the number of transition predi ates in the abstra t
domain (ex luding the ones for the program ounters); the three numbers
total, loops and a -loops refer to the total number of ommand formulas
in the transition invariants, the ones that orrespond to loops in the ontrol
ow graph (the others are trivially terminating) and the ones that start from
B�u hi a epting lo ations (i.e. orrespond to fair exe ution paths), respe -
tively.
transition invariants gets too large when one en odes fairness assumptions
by B�u hi automata. We work on more dire t ways to en ode relevant spe i�
kinds of fairness su h as weak fairness.
Predi ate abstra tion is a way to delegate the reativity part of the syn-
thesis of invariants to the hoi e of a set of predi ates and defer the te-
diousness to the omputation over an exponentially large abstra t domain.
The method be omes fully automated (and then the semi-test loses its ter-
mination guarantee) if ombined with an automated pro edure for ounter-
example guided abstra tion re�nement [6, 1, 16, 2℄. In our experiments, we
have generated the transition predi ates using su h a pro edure (whi h we
did not des ribe sin e it is quite analogous to the one for state predi ates
in [2℄). Future work in ludes the investigation of eÆ ient spe ialized pro e-
dures and their fundamental properties as in [13, 2℄.
The interest of transition invariants goes beyond liveness he king. It
may be relevant for interpro edural safety he king, sin e the synthesis of
transition invariants generalizes the fun tional approa h to program analysis
of Sharir/Pnueli [30℄.
A knowledgements This work started with dis ussions with Chin Soon
Lee and Neil Jones during their visit in Saarbr�u ken in September 2002. We
thank Patri k Cousot, Kedar Namjoshi and Amir Pnueli for their remarks
on ranking fun tions and �nite-state abstra tion during VMCAI in January
2003. Amir Pnueli ontributed the insights formulated in Footnote 2. We
22
thank Bernd Finkbeiner for insightful omments and suggestions.
Referen es
[1℄ T. Ball, R. Majumdar, T. Millstein, and S. Rajamani. Automati pred-
i ate abstra tion of C programs. In Pro eedings of the ACM SIGPLAN
'01 Conferen e on Programming Language Design and Implementation
(PLDI-01), volume 36 of ACM SIGPLAN Noti es, pages 203{213. ACM
Press, 2001.
[2℄ T. Ball, A. Podelski, and S. K. Rajamani. Relative Completeness of
Abstra tion Re�nement for Software Model Che king. In J.-P. Katoen
and P. Stevens, editors, Pro eedings of TACAS: Tools and Algorithms
for the Constru tion and Analysis of Systems, volume 2280 of LNCS,
pages 158{172. Springer-Verlag, 2002.
[3℄ B. Boigelot and P. Wolper. Symboli veri� ation with periodi sets. In
D. L. Dill, editor, CAV'94: Computer Aided Veri� ation, volume 818 of
LNCS, pages 55{67. Springer, 1994.
[4℄ A. Bouajjani, A. Collomb-Anni hini, Y. Lakhne h, and M. Sighireanu.
Analyzing fair parametri extended automata. In P. Cousot, editor,
SAS'01: Stati Analysis Symposium, volume 2126 of LNCS, pages 335{
355. Springer, 2001.
[5℄ T. Bultan, R. Gerber, andW. Pugh. Symboli model he king of in�nite-
state systems using Presburger arithmeti s. In O. Grumberg, editor,
Pro eedings of the Ninth Conferen e on Computer Aided Veri� ation
(CAV'97), volume 1254 of LNCS, pages 400{411. Springer-Verlag, 1997.
[6℄ E. M. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith.
Counterexample-guided abstra tion re�nement. In CAV 00: Computer-
Aided Veri� ation, LNCS 1855, pages 154{169. Springer-Verlag, 2000.
[7℄ M. Colon and H. Sipma. Synthesis of linear ranking fun tions. In T. Mar-
garia and W. Yi, editors, Tools and Algorithms for the Constru tion and
Analysis of Systems, 7th International Conferen e, TACAS 2001, Gen-
ova, Italy, April 2-6, 2001, Pro eedings, volume 2031 of LNCS, pages
67{81. Springer-Verlag, 2001.
[8℄ M. Colon and H. Sipma. Pra ti al methods for proving program termi-
nation. In E. Brinksma and K. G. Larsen, editors, Computer Aided Ver-
23
i� ation, 14th International Conferen e, CAV 2002,Copenhagen, Den-
mark, July 27-31, 2002, Pro eedings, volume 2404, pages 442{454.
Springer, 2002.
[9℄ P. Cousot. Partial ompleteness of abstra t �xpoint he king. In B. Y.
Choueiry and T. Walsh, editors, Abstra tion, Reformulation, and Ap-
proximation, 4th International Symposium, SARA 2000, Horseshoe Bay,
Texas, USA, July 26-29, 2000, Pro eedings, volume 1864 of LNCS, pages
1{15. Springer, 2000.
[10℄ P. Cousot and R. Cousot. Systemati design of program analysis frame-
works. In Conferen e Re ord of the Sixth Annual ACM SIGPLAN-
SIGACT Symposium on Prin iples of Programming Languages, pages
269{282, San Antonio, Texas, 1979. ACM Press, New York, NY.
[11℄ G. Delzanno and A. Podelski. Model he king in CLP. In R. Cleave-
land, editor, Pro eedings of TACAS'99: Tools and Algorithms for the
Constru tion and Analysis of Systems, volume 1579 of Springer LNCS,
pages 223{239. Springer-Verlag, 1999.
[12℄ P. Gastin and D. Oddoux. Fast LTL to B�u hi automata translation.
In G. Berry, H. Comon, and A. Finkel, editors, Pro eedings of the 13th
Conferen e on Computer Aided Veri� ation (CAV'01), volume 2102 of
LNCS, pages 53{65. Springer Verlag, 2001.
[13℄ R. Gia obazzi, F. Ranzato, and F. S ozzari. Making abstra t interpre-
tations omplete. Journal of the ACM (JACM), 47(2):361{416, 2000.
[14℄ S. Graf and H. Sa��di. Constru tion of abstra t state graphs with PVS.
In O. Grumberg, editor, CAV'97: Computer Aided Veri� ation, volume
1254 of LNCS, pages 72{83. Springer, 1997.
[15℄ J. Hat li� and M. B. Dwyer. Using the Bandera tool set to model- he k
properties of on urrent Java software. In K. G. Larsen and M. Nielsen,
editors, CONCUR 2001 - Con urren y Theory, 12th International Con-
feren e, Aalborg, Denmark, August 20-25, 2001, Pro eedings, volume
2154 of LNCS, pages 39{58. Springer, 2001.
[16℄ T. A. Henzinger, R. Jhala, R. Majumdar, G. C. Ne ula, G. Sutre, and
W. Weimer. Temporal-safety proofs for systems ode. In E. Brinksma
and K. G. Larsen, editors, Computer Aided Veri� ation, 14th Interna-
tional Conferen e, CAV 2002, Copenhagen, Denmark, July 27-31, 2002,
Pro eedings, volume 2404 of LNCS, pages 526{538. Springer, 2002.
24
[17℄ C. Holzbaur. OFAI lp(q,r) Manual, Edition 1.3.3. Austrian Resear h
Institute for Arti� ial Intelligen e, Vienna, 1995. TR-95-09.
[18℄ G. J. Holzmann. Software analysis and model he king. In E. Brinksma
and K. G. Larsen, editors, Computer Aided Veri� ation, 14th Interna-
tional Conferen e, CAV 2002, Copenhagen, Denmark, July 27-31, 2002,
Pro eedings, volume 2404 of LNCS, pages 1{16. Springer, 2002.
[19℄ Y. Kesten, A. Pnueli, and M. Y. Vardi. Veri� ation by augmented
abstra tion: The automata-theoreti view. Journal of Computer and
System S ien es, 62(4):668{690, 2001.
[20℄ V. Kun ak and R. Leino. In-pla e re�nement for e�e t he king. In
Se ond International Workshop on Automated Veri� ation of In�nite-
State Systems (AVIS'03), Warsaw, Poland, April 2003.
[21℄ T. I. S. Laboratory. SICStus Prolog User's Manual. Swedish Institute
of Computer S ien e, PO Box 1263 SE-164 29 Kista, Sweden, O tober
2001. Release 3.8.7.
[22℄ Y. Lakhne h, S. Bensalem, S. Berezin, and S. Owre. In remental veri-
� ation by abstra tion. In T. Margaria and W. Yi, editors, Tools and
Algorithms for the Constru tion and Analysis of Systems, 7th Interna-
tional Conferen e, TACAS 2001, Genova, Italy, April 2-6, 2001, Pro-
eedings, volume 2031 of LNCS, pages 98{112. Springer-Verlag, 2001.
[23℄ C. S. Lee, N. D. Jones, and A. M. Ben-Amram. The size- hange prin-
iple for program termination. In C. Norris and J. James B. Fenwi k,
editors, Pro eedings of the 28th ACM SIGPLAN-SIGACT Symposium
on Prin iples of Programming Languages (POPL-01), volume 36, 3 of
ACM SIGPLAN Noti es, pages 81{92. ACM Press, 2001.
[24℄ K. S. Namjoshi. Lifting temporal proofs through abstra tions. In L. D.
Zu k, P. C. Attie, A. Cortesi, and S. Mukhopadhyay, editors, Veri� a-
tion, model he king, and abstra t interpretation : 4th International
Conferen e, VMCAI 2003 ; New York, NY, USA, January 9 - 11,
2003, volume 2575 of Le ture notes in omputer s ien e, pages 174{188.
Springer, 2003.
[25℄ A. Pnueli. The temporal logi of programs. In 18th Annual Symposium
on Foundations of Computer S ien e (FOCS '77), pages 46{57. IEEE
Computer So iety Press, 1977.
25
[26℄ A. Podelski and A. Rybal henko. A omplete method for the synthesis
of linear ranking fun tions. In B. Ste�en and G. Levi, editors, Pro . of
VMCAI 2004: Veri� ation, Model Che king, and Abstra t Interpreta-
tion, volume 2937 of LNCS, pages 239{251. Springer-Verlag, 2003.
[27℄ G. Ramalingam, A. Warshavsky, J. Field, D. Goyal, and M. Sagiv. De-
riving spe ialized program analyses for ertifying omponent- lient on-
forman e. In Pro eeding of the ACM SIGPLAN 2002 Conferen e on
Programming language design and implementation, pages 83{94. ACM
Press, 2002.
[28℄ F. P. Ramsey. On a problem of formal logi . In Pro . London Math.
So ., volume 30, pages 264{285, 1930.
[29℄ M. Sagiv, T. Reps, and R. Wilhelm. Parametri shape analysis via
3-valued logi . ACM Transa tions on Programming Languages and Sys-
tems (TOPLAS), 24(3):217{298, 2002.
[30℄ M. Sharir and A. Pnueli. Two approa hes to interpro edural data ow
analysis. In S. S. Mu hni k and N. D. Jones, editors, Program Flow
Analysis: Theory and Appli ations, Prenti e-Hall Software Series, pages
189{233. Prenti e-Hall, Englewood Cli�s , NJ , USA, 1981.
[31℄ H. B. Sipma, T. E. Uribe, and Z. Manna. Dedu tive model he king.
In Pro . of CAV 1996, volume 1102 of LNCS, pages 208{219. Springer-
Verlag, 1996.
[32℄ W. Thomas. Automata on in�nite obje ts. In J. van Leeuwen, editor,
Handbook of Theoreti al Computer S ien e, Volume B: Formal Models
and Semati s, pages 133{192. Elsevier and MIT Press, 1990.
[33℄ M. Y. Vardi. Veri� ation of on urrent programs | the automata-
theoreti framework. Annals of Pure and Applied Logi , 51:79{98, 1991.
[34℄ M. Y. Vardi and P. Wolper. An automata-theoreti approa h to auto-
mati program veri� ation. In Pro . 1st Symp. on Logi in Computer
S ien e, pages 332{344, Cambridge, June 1986.
[35℄ E. Yahav. Verifying safety properties of on urrent Java programs us-
ing 3-valued logi . In H. R. Nielsen, editor, Pro eedings of the 28th
ACM SIGPLAN-SIGACT Symposium on Prin iples of Programming
Languages, pages 27{40. ACM Press, 2001.
26
���
�
��
k
I N F O R M A T I K
Below you �nd a list of the most re ent te hni al reports of the Max-Plan k-Institut f�ur Informatik. They
are available by anonymous ftp from ftp.mpi-sb.mpg.de under the dire tory pub/papers/reports. Most
of the reports are also a essible via WWW using the URL http://www.mpi-sb.mpg.de. If you have any
questions on erning ftp or WWW a ess, please onta t reports�mpi-sb.mpg.de. Paper opies (whi h
are not ne essarily free of harge) an be ordered either by regular mail or by e-mail at the address below.
Max-Plan k-Institut f�ur Informatik
Library
attn. Anja Be ker
Stuhlsatzenhausweg 85
66123 Saarbr�u ken
GERMANY
e-mail: library�mpi-sb.mpg.de
MPI-I-2003-NWG2-002 F. Eisenbrand Fast integer programming in �xed dimension
MPI-I-2003-NWG2-001 L.S. Chandran, C.R. Subramanian Girth and Treewidth
MPI-I-2003-4-009 N. Zakaria Fa eSket h: An Interfa e for Sket hing and Coloring
Cartoon Fa es
MPI-I-2003-4-008 C. Roessl, I. Ivrissimtzis, H. Seidel Tree-based triangle mesh onne tivity en oding
MPI-I-2003-4-007 I. Ivrissimtzis, W. Jeong, H. Seidel Neural Meshes: Statisti al Learning Methods in Surfa e
Re onstru tion
MPI-I-2003-4-006 C. Roessl, F. Zeilfelder, G. Nrnberger,
H. Seidel
Visualization of Volume Data with Quadrati Super
Splines
MPI-I-2003-4-005 T. Hangelbroek, G. Nrnberger,
C. Roessl, H.S. Seidel, F. Zeilfelder
The Dimension of C
1
Splines of Arbitrary Degree on a
Tetrahedral Partition
MPI-I-2003-4-004 P. Bekaert, P. Slusallek, R. Cools,
V. Havran, H. Seidel
A ustom designed density estimation method for light
transport
MPI-I-2003-4-003 R. Zayer, C. Roessl, H. Seidel Convex Boundary Angle Based Flattening
MPI-I-2003-4-002 C. Theobalt, M. Li, M. Magnor,
H. Seidel
A Flexible and Versatile Studio for Syn hronized
Multi-view Video Re ording
MPI-I-2003-4-001 M. Tarini, H.P.A. Lens h, M. Goesele,
H. Seidel
3D A quisition of Mirroring Obje ts
MPI-I-2003-2-004 Software Model Che king of Liveness Properties via
Transition Invariants
MPI-I-2003-2-003 Y. Kazakov, H. Nivelle Subsumption of on epts in DL FL
0
for ( y li )
terminologies with respe t to des riptive semanti s is
PSPACE- omplete
MPI-I-2003-2-002 M. Jaeger A Representation Theorem and Appli ations to
Measure Sele tion and Noninformative Priors
MPI-I-2003-2-001 P. Maier Compositional Cir ular Assume-Guarantee Rules
Cannot Be Sound And Complete
MPI-I-2003-1-018 A Note on the Smoothed Complexity of the
Single-Sour e Shortest Path Problem
MPI-I-2003-1-017 G. S hfer, S. Leonardi Cross-Monotoni Cost Sharing Methods for Conne ted
Fa ility Lo ation Games
MPI-I-2003-1-016 G. S hfer, N. Sivadasan Topology Matters: Smoothed Competitive Analysis of
Metri al Task Systems"
MPI-I-2003-1-015 A. Kov s Sum-Multi oloring on Paths
MPI-I-2003-1-014 G. S hfer, L. Be hetti, S. Leonardi,
A. Mar hetti-Spa amela,
T. Vredeveld
Average Case and Smoothed Competitive Analysis of
the Multi-Level Feedba k Algorithm
MPI-I-2003-1-013 I. Katriel, S. Thiel Fast Bound Consisten y for the Global Cardinality
Constraint
MPI-I-2003-1-012 - not published -
MPI-I-2003-1-011 P. Krysta, A. Czumaj, B. Voe king Sel�sh TraÆ Allo ation for Server Farms
MPI-I-2003-1-010 H. Tamaki A linear time heuristi for the bran h-de omposition of
planar graphs
MPI-I-2003-1-009 B. Csaba On the Bollob�as { Eldridge onje ture for bipartite
graphs
MPI-I-2003-1-008 P. Sanders Polynomial Time Algorithms for Network Information
Flow
MPI-I-2003-1-007 H. Tamaki Alternating y les ontribution: a strategy of
tour-merging for the traveling salesman problem
MPI-I-2003-1-006 M. Dietzfelbinger, H. Tamaki On the probability of rendezvous in graphs
MPI-I-2003-1-005 M. Dietzfelbinger, P. Woelfel Almost Random Graphs with Simple Hash Fun tions
MPI-I-2003-1-004 E. Althaus, T. Polzin,
S.V. Daneshmand
Improving Linear Programming Approa hes for the
Steiner Tree Problem
MPI-I-2003-1-003 R. Beier, B. V king Random Knapsa k in Expe ted Polynomial Time
MPI-I-2003-1-002 P. Krysta, P. Sanders, B. V king S heduling and TraÆ Allo ation for Tasks with
Bounded Splittability
MPI-I-2003-1-001 P. Sanders, R. Dementiev Asyn hronous Parallel Disk Sorting
MPI-I-2002-4-002 F. Drago, W. Martens,
K. Myszkowski, H. Seidel
Per eptual Evaluation of Tone Mapping Operators with
Regard to Similarity and Preferen e
MPI-I-2002-4-001 M. Goesele, J. Kautz, J. Lang,
H.P.A. Lens h, H. Seidel
Tutorial Notes ACM SM 02 A Framework for the
A quisition, Pro essing and Intera tive Display of High
Quality 3D Models
MPI-I-2002-2-008 W. Charatonik, J. Talbot Atomi Set Constraints with Proje tion
MPI-I-2002-2-007 W. Charatonik, H. Ganzinger Symposium on the E�e tiveness of Logi in Computer
S ien e in Honour of Moshe Vardi
MPI-I-2002-1-008 P. Sanders, J.L. Tr� The Fa tor Algorithm for All-to-all Communi ation on
Clusters of SMP Nodes
MPI-I-2002-1-005 M. Hoefer Performan e of heuristi and approximation algorithms
for the un apa itated fa ility lo ation problem
MPI-I-2002-1-004 S. Hert, T. Polzin, L. Kettner,
G. S hfer
Exp Lab A Tool Set for Computational Experiments
MPI-I-2002-1-003 I. Katriel, P. Sanders, J.L. Tr� A Pra ti al Minimum S anning Tree Algorithm Using
the Cy le Property
MPI-I-2002-1-002 F. Grandoni In rementally maintaining the number of l- liques
MPI-I-2002-1-001 T. Polzin, S. Vahdati Using (sub)graphs of small width for solving the Steiner
problem
MPI-I-2001-4-005 H.P.A. Lens h, M. Goesele, H. Seidel A Framework for the A quisition, Pro essing and
Intera tive Display of High Quality 3D Models
MPI-I-2001-4-004 S.W. Choi, H. Seidel Linear One-sided Stability of MAT for Weakly Inje tive
Domain
MPI-I-2001-4-003 K. Daubert, W. Heidri h, J. Kautz,
J. Dis hler, H. Seidel
EÆ ient Light Transport Using Pre omputed Visibility
MPI-I-2001-4-002 H.P.A. Lens h, J. Kautz, M. Goesele,
H. Seidel
A Framework for the A quisition, Pro essing,
Transmission, and Intera tive Display of High Quality
3D Models on the Web
MPI-I-2001-4-001 H.P.A. Lens h, J. Kautz, M. Goesele,
W. Heidri h, H. Seidel
Image-Based Re onstru tion of Spatially Varying
Materials
MPI-I-2001-2-006 H. Nivelle, S. S hulz Pro eeding of the Se ond International Workshop of the
Implementation of Logi s
MPI-I-2001-2-005 V. Sofronie-Stokkermans Resolution-based de ision pro edures for the universal
theory of some lasses of distributive latti es with
operators
MPI-I-2001-2-004 H. de Nivelle Translation of Resolution Proofs into Higher Order
Natural Dedu tion using Type Theory
MPI-I-2001-2-003 S. Vorobyov Experiments with Iterative Improvement Algorithms on
Completely Unimodel Hyper ubes
MPI-I-2001-2-002 P. Maier A Set-Theoreti Framework for Assume-Guarantee
Reasoning
MPI-I-2001-2-001 U. Waldmann Superposition and Chaining for Totally Ordered
Divisible Abelian Groups
MPI-I-2001-1-007 T. Polzin, S. Vahdati Extending Redu tion Te hniques for the Steiner Tree
Problem: A Combination of Alternative-and
Bound-Based Approa hes
