Compositional analysis for verification of parameterized systems  by Basu, Samik & Ramakrishnan, C.R.
Theoretical Computer Science 354 (2006) 211–229
www.elsevier.com/locate/tcs
Compositional analysis for veriﬁcation of parameterized systems
Samik Basua,∗, C.R. Ramakrishnanb
aDepartment of Computer Science, Iowa State University, Ames, IA 50014, USA
bDepartment of Computer Science, Stony Brook University, Stony Brook, NY 11794, USA
Abstract
Many safety-critical systems that have been considered by the veriﬁcation community are parameterized by the number of
concurrent components in the system, and hence describe an inﬁnite family of systems. Traditional model checking techniques can
only be used to verify speciﬁc instances of this family. In this paper, we present a technique based on compositional model checking
and program analysis for automatic veriﬁcation of inﬁnite families of systems. The technique views a parameterized system as an
expression in a process algebra (CCS) and interprets this expression over a domain of formulas (modal mu-calculus), considering
a process as a property transformer. The transformers are constructed using partial model checking techniques. At its core, our
technique solves the veriﬁcation problem by ﬁnding the limit of a chain of formulas. We present a widening operation to ﬁnd such a
limit for properties expressible in a subset of modal mu-calculus. We describe the verification of a number of parameterized systems
using our technique to demonstrate its utility.
© 2005 Elsevier B.V. All rights reserved.
Keywords: Parameterized systems; Compositional model checking; Formula equivalence; Acceleration; Widening
1. Introduction
Model checking is a widely used approach for verifying whether a system specification possesses a property expressed
in temporal logic [13,41]. Many efficient verification tools have been developed based on approaches such as explicit-
state [29], symbolic [12] and compositional [4] techniques. Traditionally, model checkers have been restricted to
the veriﬁcation of ﬁnite-state systems, although recent research on constraint-based techniques (e.g. [19]), symmetry
reduction [30], data independence [44], and symbolic checking with rich assertional languages [32] have extended
model checking techniques to certain classes of inﬁnite-state systems.
1.1. The driving problem
In this paper, we focus on an interesting class of inﬁnite state systems, parameterized systems. A parameterized
system describes an inﬁnite family of (typically ﬁnite-state) systems; instances of the family can be obtained by ﬁxing
the parameters. Consider the simple example of a parameterized producer–consumer system shown in Fig. 1(a). A producer
process P performs an action a and continues to behave as P. Similarly, the consumer process C repeatedly performs the
co-action ā. The processes communicate by synchronization on a and ā actions. The parameterized system sys(n) is
∗ Corresponding author.
E-mail addresses: sbasu@cs.iastate.edu (S. Basu), cram@cs.sunysb.edu (C.R. Ramakrishnan).
0304-3975/$ - see front matter © 2005 Elsevier B.V. All rights reserved.
doi:10.1016/j.tcs.2005.11.016
212 S. Basu, C.R. Ramakrishnan / Theoretical Computer Science 354 (2006) 211–229
Fig. 1. (a) Parameterized system with one consumer and an arbitrary number of producers; (b) deadlock-freedom formula and property transformation results.
specified as the parallel composition of n producers, denoted by P^n, and one consumer (C). Our objective is to verify the
deadlock-freedom property for all instances of the system sys.
Models of many safety-critical systems are parameterized: e.g., resource arbitration protocols, communication pro-
tocols, etc. Traditionally, model checkers have been used to verify speciﬁc instances of the inﬁnite family described
by a parameterized system: e.g., to verify that a mutual exclusion protocol is correct for ﬁxed numbers of objects and
threads [9]. Clearly, this strategy cannot be used to verify all instances of the inﬁnite family of systems.
1.2. Our solution
In this paper we present an automatic technique for checking whether any or all instances of an infinite family
of systems possess a given temporal property. At a high level, our solution to the verification problem is analogous to
program analysis. Each instance of a parameterized system is viewed as an expression in a process algebra (specifically,
CCS [38]). We then interpret these process algebraic expressions over a domain consisting of formulas in an expressive
temporal logic (specifically, the alternation-free modal mu-calculus [33]). The interpretation is based on associating a
property transformer with each process p in the parameterized system. Given a system s consisting of p concurrently
composed with an arbitrary environment e, the transformer captures the relationship between the properties that hold in
the environment e and the properties that hold in the system s. For instance, consider the process P in Fig. 1(a), and a
system s consisting of P composed in parallel with an (unknown) environment e. Consider the verification of the property
that s does an internal τ action. The τ action can either be due solely to the environment e, or result from P making an
a action that is synchronized with an ā action of e. Thus, process P can be seen as transforming the property "do a τ
action" on system s to the property "do an ā or a τ action" on the environment e.
The property transformer for a given process is generated using the notion of quotienting due to [3]. Based on the
property transformer, we define a chain of mu-calculus formulas whose limit characterizes the behavior of an arbitrary
instance of the parameterized system. Consider the problem of verifying deadlock-freedom for the parameterized
system sys(n) for all n ≥ 1. The formula to be checked for the entire system is given in Fig. 1(b) as φ. φ is a greatest
fixed point formula: its first conjunct is satisfied by states with at least one outgoing τ transition, and its second
conjunct requires that φ be satisfied at every destination state reachable by a τ transition.
We first compute the property expected of the producers alone, by transforming φ using the property transformer for
the process C. The resulting "quotient" property is the formula φ_c in the figure. Intuitively, φ_c states that φ holds of
an environment composed in parallel with C if the environment can perform infinitely many a or τ actions. Therefore,
if P^n ⊨ φ_c then sys(n) ⊨ φ. Next, we transform φ_c using the property transformer for process P. The resulting
property, φ_1 in the figure, is the "residue" that P^(n−1) must satisfy for sys(n) to satisfy φ. Repeated application of
the property transformer of P yields a sequence φ_1, φ_2, . . . of residues corresponding to P^(n−1), P^(n−2), . . . . In our
example this sequence converges immediately, with φ_i = φ_1 for all i ≥ 1. We can thus conclude that if 0 ⊨ φ_1 then
∀n ∈ N. sys(n) ⊨ φ (0 denotes the deadlocked process, which does not interact with its environment). The above
discussion gives a high-level view of the technique used to verify properties for all or any members of a parameterized
system. The actual technique is a little more complex, keeping track of the various restriction and relabeling operations
applied to the processes (see Sections 3 and 4 for details).
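The instance-by-instance checking that Section 1.1 describes as the traditional approach can be made concrete with a small explicit-state checker. The block below is an added example written for this page, not code from the paper or its authors: it builds the LTS of (P^n | C) \ {a} for the producer–consumer system of Fig. 1(a) (with "~a" standing for ā and "tau" for τ), evaluates the deadlock-freedom formula of Fig. 1(b), νX. ⟨τ⟩tt ∧ [τ]X, by greatest fixed point iteration, and also runs two constructed variants of the protocol (one that stays deadlock-free and one in which every producer eventually blocks on a restricted action b). It uses explicit ν/μ binders instead of the paper's equational form, and it checks one fixed n at a time; the state counts it reports for the variants are exactly the growth with n that the rest of the paper sets out to avoid.

```python
import itertools

TAU = "tau"  # CCS internal action


def co(action):
    """CCS co-action: 'a' <-> '~a' (the overline in the paper's notation)."""
    return action[1:] if action.startswith("~") else "~" + action


def base(action):
    return action[1:] if action.startswith("~") else action


def compose(defs, components, restrict):
    """Explicit-state LTS of (A_1 | ... | A_k) \\ restrict.

    defs maps an agent name to its prefix moves [(action, next_agent), ...];
    a system state is the tuple of current agent names, one per component.
    Returns {state: {(action, successor), ...}} for the reachable states.
    """
    start = tuple(components)
    trans, todo = {}, [start]
    while todo:
        s = todo.pop()
        if s in trans:
            continue
        moves = set()
        # interleaved moves: a visible action is blocked if it is restricted
        for i, agent in enumerate(s):
            for act, nxt in defs[agent]:
                if act == TAU or base(act) not in restrict:
                    moves.add((act, s[:i] + (nxt,) + s[i + 1:]))
        # handshakes: complementary actions of two components become tau
        for i, j in itertools.combinations(range(len(s)), 2):
            for act_i, nxt_i in defs[s[i]]:
                for act_j, nxt_j in defs[s[j]]:
                    if act_i != TAU and act_j == co(act_i):
                        t = list(s)
                        t[i], t[j] = nxt_i, nxt_j
                        moves.add((TAU, tuple(t)))
        trans[s] = moves
        todo.extend(t for _, t in moves if t not in trans)
    return trans


def sat(formula, lts, env=None):
    """Set of states of lts satisfying a mu-calculus formula (binder syntax)."""
    env = env or {}
    S = set(lts)
    kind = formula[0]
    if kind == "tt":
        return S
    if kind == "ff":
        return set()
    if kind == "var":
        return env[formula[1]]
    if kind == "and":
        return sat(formula[1], lts, env) & sat(formula[2], lts, env)
    if kind == "or":
        return sat(formula[1], lts, env) | sat(formula[2], lts, env)
    if kind in ("dia", "box"):
        acts, inner = formula[1], sat(formula[2], lts, env)
        if kind == "dia":  # <acts>phi: some acts-successor satisfies phi
            return {s for s in S if any(a in acts and t in inner for a, t in lts[s])}
        # [acts]phi: every acts-successor satisfies phi (true if there is none)
        return {s for s in S if all(t in inner for a, t in lts[s] if a in acts)}
    if kind in ("nu", "mu"):  # greatest / least fixed point by Kleene iteration
        var, body = formula[1], formula[2]
        cur = S if kind == "nu" else set()
        while True:
            nxt = sat(body, lts, {**env, var: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"unknown formula node {kind!r}")


# phi of Fig. 1(b): nu X. <tau>tt /\ [tau]X  -- every tau-reachable state can do a tau
DEADLOCK_FREE = ("nu", "X", ("and", ("dia", {TAU}, ("tt",)),
                                  ("box", {TAU}, ("var", "X"))))

# sys(n) of Fig. 1(a): P = a.P, C = ~a.C, composed as (P^n | C) \ {a}
SIMPLE = {"P": [("a", "P")], "C": [("~a", "C")]}
# constructed variant: a producer does a then b, and the consumer answers both
HANDSHAKE = {"P": [("a", "P1")], "P1": [("b", "P")],
             "C": [("~a", "C1")], "C1": [("~b", "C")]}
# constructed variant: the consumer never offers ~b, so every producer gets stuck
BROKEN = {"P": [("a", "P1")], "P1": [("b", "P")], "C": [("~a", "C")]}


def check(defs, n, restrict, formula=DEADLOCK_FREE):
    """Model-check the single instance P^n | C; returns (holds_at_start, state_count)."""
    components = ["P"] * n + ["C"]
    lts = compose(defs, components, restrict)
    return tuple(components) in sat(formula, lts), len(lts)


if __name__ == "__main__":
    for n in range(1, 5):
        print(n, check(SIMPLE, n, {"a"}), check(HANDSHAKE, n, {"a", "b"}),
              check(BROKEN, n, {"a", "b"}))
```

For sys(n) the composed LTS has a single state with a τ self-loop for every n, which is why the residue sequence in the text stabilizes at once; for the BROKEN variant the checker refutes φ at the start state because the all-blocked state has no τ move and the [τ]X conjunct propagates that failure back, and its state space doubles with each added producer.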
The sequence of residues can easily be seen to form a chain (i.e. the elements of the sequence are nondecreasing with respect to
a partial order). However, the sequence may not have a limit, since the domain of interpretation, the modal mu-calculus,
has inﬁnite ascending chains. Nevertheless, we ﬁnd that the iterative computation of the limit does converge for a
number of example parameterized systems. Moreover, we deﬁne a widening operation to accelerate the convergence,
and in some cases guarantee termination.
1.3. Related work
Veriﬁcation of parameterized systems is known to be undecidable in general [5]. A number of techniques have
been proposed with varying degree of user intervention ranging from fully automatic techniques (mostly sound but
incomplete), which focus on domain of representation of systems, to program transformation-based methods capable
of inferring the underlying structure of induction proofs. Other than the degree of dependence on user guidance, the
techniques can also be classiﬁed on the basis of parameterized systems on which they are applicable: (a) systems where
sub-systems interact via shared variables (asynchronous) and (b) systems where communication mechanism depends
on message passing (synchronous).
One of the automatic approaches for synchronously communicating systems involves reduction of the inﬁnite-state
veriﬁcation problem to an equivalent ﬁnite-state one by identifying an appropriate cut-off value for the parameter
corresponding to the system and the temporal property [21,22,31,8]. Cache coherence and unidirectional token ring
protocols have been successfully veriﬁed using these techniques. Another approach focuses on identifying an appro-
priate representation technique for parameterized system: e.g. counting abstraction with arithmetic constraints [18],
covering graphs [23,24], and context-free grammars [14]. Such representation mechanisms have been effectively used
to generate network invariants capturing the common aspects of the members of an inﬁnite family. However, generation
of network invariants can be automated only for a class of systems with restricted communication patterns (ring and
linear topologies [34,43]). Most of these techniques are not applicable directly to systems communicating by shared
variables. In the realm of asynchronous systems, Kesten and Pnueli [32] present the importance of appropriate abstrac-
tions to generate invariants of parameterized systems. Pnueli and Shahar [40] use a representation mechanism based
on regular languages to symbolically verify safety and liveness properties of parameterized systems. More recently,
automatic techniques based on identiﬁcation of cut-off of the parameters have been proposed for verifying a wide range
of parameterized systems using a rich class of data objects and operations [39,7].
In this paper we focus only on synchronously communicating systems. Our technique, unlike the representation-based
approaches, directly manipulates processes speciﬁed in standard process algebra. Moreover, being based on program
analysis, our technique can be applied with little or no knowledge of the internals of the system and without regard
to the network topology of the system to be veriﬁed. This is in contrast to the representation-based techniques whose
success depends on the clever choice of representations. Our technique is based on applying compositional model
checking techniques for the automatic veriﬁcation of inﬁnite families of systems. Considerable amount of research has
been done on using assume–guarantee reasoning for constructing compositional proofs [35,25,2,36,10,27]. However,
these methods typically need user guidance. Recently, Henzinger et al. [28] developed an automatic assume–guarantee
verification methodology in the setting of multi-threaded C programs, where appropriate approximations of single-thread
behavior are identified using abstraction-refinement techniques. Another technique, proposed by Cobleigh et al. [16],
aims at automatically identifying the assumptions (obligations of the environment in a 2-process system) by iterative
application of model checker. Closely related to our work are the compositional model checker of [4] and the partial
model checker of [3]. The latter work deﬁnes property transformers for parallel composition of sequential automata,
while we generalize the transformers for arbitrary CCS processes. We also present a simulation-based procedure to
detect equivalence of formulas which is strictly more powerful than the equivalence detection technique proposed
in [3].
1.4. Contributions
We present a technique for automatic veriﬁcation of parameterized systems representing an inﬁnite family of ﬁnite-
state systems.
(1) We develop a compositional model checker for CCS [38] and use this model checker to generate property trans-
formers (Section 3).
(2) Given a veriﬁcation problem over a parameterized system, we use property transformers to deﬁne a sequence of
mu-calculus formulas, whose limit characterizes the property of the parameterized system (Section 4).
(3) Computing the limit of a chain of mu-calculus formulas involves checking the equivalence of formulas. We present
a novel polynomial-time heuristic for the equivalence checking problem based on constructing automata from the
formulas and testing them for simulation (Section 5).
(4) To guarantee convergence of the iterative procedure, we deﬁne acceleration and widening operators (based on
widening techniques used in type analysis) for mu-calculus formulas. (Section 6).
(5) We show the usefulness of the technique by presenting its application in verifying protocols over token passing
rings (Milner’s cycle of schedulers [3]), mutual exclusion protocols (Java meta-lock [1]), and cache coherence
protocols [18] (Section 7).
2. Preliminaries
We brieﬂy outline the syntax of the process algebra CCS [38] and the logic modal mu-calculus [11] used in the rest
of the paper.
2.1. CCS and labeled transition systems
CCS is a simple process algebra that can be used to specify concurrent systems. Below we describe the syntax of
expressions in basic CCS:
P → 0 | A | a.P | P + P | P '|' P | P\L | P[f]
In the above, 0 denotes a deadlocked process. A ranges over process names (agents) and a ranges over a set of actions
Act = L ∪ L̄ ∪ {τ}, where τ represents the internal action, L is a set of labels and L̄ is the set of co-labels, such that a ∈ L ⇔ ā ∈ L̄.
Finally, the L in P\L ranges over the powerset of L, and f : L → L. The operators '.', '+', '|', '\' and '[·]' are called prefix,
choice, parallel composition, restriction and relabeling respectively. A CCS speciﬁcation consists of a set of process
deﬁnitions, denoted by D, of the form A def= P , where P ∈ P . Each agent used in P, in turn, appears on the left hand
side of some process deﬁnition in D. Note that process deﬁnitions may be recursive.
A labeled transition system (S,→) is speciﬁed by a set of states S and a transition relation →⊆ S × Act × S. The
operational semantics of CCS expressions is given in terms of labeled transition systems where states represent CCS
expressions. See [38] for full treatment of the semantics of CCS.
2.2. The modal mu-calculus
The modal mu-calculus [33] is an expressive temporal logic with explicit greatest and least ﬁxed point operators.
Following [15,3], we use the equational form of mu-calculus. The syntax of formulas in modal mu-calculus over a set
of propositional variables X and actions Act is given by the following grammar:
φ → tt | ff | X | φ ∨ φ | φ ∧ φ | ⟨α⟩φ | [α]φ.
In the above, α specifies a set of actions in positive form (as α ⊆ Act) or in negative form (as −α, where α ⊆ Act).
⟨α⟩φ states that there exists an action in α after which the formula φ holds, while [α]φ states that after every
action in α, φ is satisfied. The propositional constants tt and ff represent true and false, respectively. The variables used
in a mu-calculus formula are defined by a sequence of equations where the ith equation has the form X_i =μ φ_i
or X_i =ν φ_i, with φ_i ∈ Φ. The least and greatest fixed point symbols μ and ν are said to give the sign of the
equation. In the remainder of the paper we use σ, ranging over {μ, ν}, to denote the sign of an arbitrary equation. We
assume that each variable occurs exactly once on the left hand side of an equation. The variable X_1 defined by the first
equation is called the top variable. The set of equations representing a property is denoted by E; the set of all such
equation sets is denoted by E.
2.3. Model checking
Given a labeled transition system (S, →), the semantics of mu-calculus formulas is defined such that each formula
denotes a subset of S; see [11] for the semantics of the mu-calculus. We say that a mu-calculus formula φ holds at a state
s, written s ⊨ φ, if s is in the model of φ.
3. Partial model checking
Our technique for verification of parameterized systems is based on viewing a process as a property transformer.
We generate property transformers using a partial model checker [3]. Consider the verification of a formula φ over
a process expression of the form P | Q. Given φ and P we generate the obligation φ′ on Q such that P | Q ⊨ φ
iff Q ⊨ φ′. Thus we view P as transforming the obligation φ on P | Q into the obligation φ′ on Q. This transformation
is called quotienting in [3], where it is defined for modal mu-calculus properties and systems specified by LTSs.
In Fig. 2 we define the property transformer as a function Π : (P × L × F) → Φ → Φ, where L is 2^Act and F is
a set of partial injective functions (relabeling functions) f : Act → Act such that f(x̄) is the co-action of f(x). We use ⊥ to
denote the empty relabeling function, which is undefined everywhere. The composition h = f ∘ g of two relabeling functions
is defined such that h(x) is undefined if f and g are both undefined at x, h(x) = f(x) if g is undefined, h(x) = g(x) if f is
undefined, and otherwise h(x) = f(g(x)). Φ is the set of modal mu-calculus formulas. Finally, P is the set of all CCS process
Fig. 2. Partial model checker for CCS.
expressions. A process expression is said to be well-named if all relabeling operations of the form Q[f ] are such that
the set of visible actions of process Q is disjoint from the range of function f.
The transformer Π^L_f(P) considers the process P under a set of restricted actions (L) and a relabeling function (f).
It transforms a formula φ into a formula ψ, the obligation on the environment of P, such that (a) modal actions are
suitably relabeled by f and (b) the environment is not allowed to synchronize on actions in L. The generated formula ψ
is defined over fixed point variables X^{P,f,L}, where φ is defined over the variables in X.
The set of visible actions of process P is denoted by vn(P). The names of a formula φ are the set of modal actions in
φ, denoted by n(φ). Note that n(X) = n(φ) where X =σ φ. The range of a relabeling f is the set of actions a such
that f : x ↦ a for some x.
Rules 1–5 (Fig. 2) define the property transformer for the propositional constants, the boolean connectives and
formula variables. The zero/deadlocked process (Rule 6), which is the identity of the parallel composition operator
of CCS, has the identity function as its property transformer. Rule 7 states that the property transformer for an agent
is the property transformer of the process expression used to define the agent.
Property transformer of a process with relabeling function fp is property transformer of the process under new rela-
beling function by composing fp with existing relabeling function f (Rule 8). Rule 9 presents the property transformer
for a process with restriction Lp. The restricted actions are mapped to a set of new names (L′). This set is disjoint from
the set of actions in the formula (n()), visible actions of process (vn(P )) and restricted(L) and relabeled(range(f ))
actions of the transformer.
Rule 10 captures the compositionality of property transformers: the property transformer for a parallel composition
of processes is simply the function composition of the individual property transformers with appropriate restrictions
and relabeling.
Rule 11 arises from the fact that a.P | Q may satisfy ⟨α⟩φ in one of the following three ways:
(1) Q does an α action to Q′, leaving a.P | Q′ to satisfy φ. In this case, the obligation on Q is to do an α action, followed
by satisfying the obligation left by a.P due to φ (first disjunct in the rhs of Rule 11).
(2) a ∈ α and a.P does the a action, leaving P | Q to satisfy φ. In this case the obligation on Q is simply the obligation
left by P due to φ (second disjunct in the rhs of Rule 11).
(3) τ ∈ α, and a.P does an a action that synchronizes with an ā action of Q to produce the necessary τ action. The
obligation on Q is then to first produce an ā action and then satisfy whatever obligation is left by P due to φ
(third disjunct of Rule 11).
Note that the property transformer of P under a set of restricted actions L does not permit the environment Q to synchronize
on any action in L: the third disjunct generates a modal obligation for the environment on the action f(a) only
when f(a) ∉ L. Rule 12 is the dual of Rule 11.
Rule 13 presents the property transformer for process with choice operator (P1 + P2). It is deﬁned by consid-
ering three different cases. In the ﬁrst disjunct, selection of the processes P1 and P2 is postponed and the en-
vironment is provided with the obligation to satisfy diamond modality. The second and third disjuncts represent
the cases when the choices are made in favor of process P1 and process P2 respectively. Rule 14 is the dual of
Rule 13.
RulesA and B deﬁne a function : (P ×L×F) → E → E which denote property transformers over mu-calculus
equations. To transform a sequence of equations E, we construct the set of equations as per Rules A and B.
Fig. 3 presents the transformation of the formula  using the property transformer for process C (see Fig. 1(a,b) for
deﬁnition of the process and the formula, respectively).
Theorem 1. Given a well-named process expression P, the following identity holds for all process expressions Q and
all mu-calculus formulas φ:
Q | P ⊨ φ ⇔ Q ⊨ Π^∅_⊥(P)(φ).
Proof. The proof proceeds by induction on the size of the process expression and the formula. For details see
Appendix A. □
Fig. 3. Transformation of property  in Fig. 1(b) using process C in Fig. 1(a).
4. Veriﬁcation of parameterized systems
Consider a parameterized system P^n defined by the parallel composition of n copies of a process P; the parameter n
is the number of copies present in the system. Consider verifying whether the ith instance of this system possesses a
property φ, i.e. whether P^i ⊨ φ. Let
φ_i = Π^L_f(P^i)(φ),
where f and L are the relabelings and restrictions applied to the process P^i. By Theorem 1, 0 ⊨ φ_i ⇔ P^i ⊨ φ.
Now consider verifying whether ∀i. P^i ⊨ φ. Let φ′_i be defined as follows:
φ′_i = φ_1 if i = 1, and φ′_i = φ′_{i−1} ∧ φ_i if i > 1. (1)
By definition of φ′_i, (∀1 ≤ j ≤ i. 0 ⊨ φ_j) ⇔ 0 ⊨ φ′_i. Hence 0 ⊨ φ′_i means that ∀1 ≤ j ≤ i. P^j ⊨ φ. If φ′ is the limit of
the sequence φ′_1, φ′_2, . . ., then 0 ⊨ φ′ ⇔ ∀i ≥ 1. P^i ⊨ φ.
A dual method can be used to determine whether ∃i ≥ 1. P^i ⊨ φ, simply by defining
φ′_i = φ_1 if i = 1, and φ′_i = φ′_{i−1} ∨ φ_i if i > 1. (2)
We say that the sequence φ′_i is contracting (Eq. (1)) if φ′_i ⇒ φ′_{i−1}, and relaxing (Eq. (2)) if φ′_{i−1} ⇒ φ′_i. For systems
indexed by a single parameter, the limit of the sequence of φ′_i can be computed by a fixed point iteration procedure.
Two problems need to be solved before this method can be implemented. First, we need a procedure to check whether
the limit has been reached, that is, to decide the equivalence of two mu-calculus formulas. Checking equivalence
between mu-calculus properties is EXPTIME-hard [20], and hence we need an efficient procedure that computes an
approximate equivalence relation. Moreover, as remarked in [3], the formulas resulting from property transformers tend
to be large, and effective simplification procedures are needed before this method becomes practical. While we use the
simplification rules from [3], we use a more powerful procedure to test for equivalence between mu-calculus formulas,
by constructing graphs from the formulas and checking them for similarity (Section 5).
The second problem arises from the existence of infinite ascending chains in the domain of modal mu-calculus
formulas: the iteration procedure may not always terminate. In Section 6 we describe a widening operator (based on the
definitions of widening operators over type domains) that guarantees termination of the iteration procedure at the expense
of completeness. In [40], a similar idea has been applied to regular transition relations to ensure convergence of the transitive
closures of parameterized systems. The distinguishing feature of our work is that the widening (acceleration) is tailored to
the property representation (mu-calculus), unlike the acceleration on transition relations of [40].
The approach presented above can easily be applied to infinite families of systems specified by two or more parameters,
by considering a multi-parameter system as a nesting of single-parameter systems. However, this is not possible if the
parameters are interdependent; a method capable of verifying such infinite families remains to be developed.
5. Formula graph and the equivalence of formulas
A formula graph, called F-graph, is an and/or graph that captures the structure of a mu-calculus formula, and is
deﬁned as follows:
Definition 1. The F-graph for a set of mu-calculus equations representing a formula φ is a tuple F = (S, ◦→, A) where
• S is the set of states such that S ⊆ F × B × Σ, where F is the set of all sub-formulas of φ, B = {#, ∧, ∨} and
Σ = {μ, ν};
• A is the set of labels such that A ⊆ B × M × Σ, where M = A(φ) ∪ {ε} ∪ 2^Prop, Prop is the set of propositions in
φ and A(φ) = {⟨a⟩ | ⟨a⟩φ′ ∈ F} ∪ {[a] | [a]φ′ ∈ F}; and
• ◦→ is the set of transitions such that ◦→ ⊆ S × A × S.
Each state in the formula graph is labeled by (i) a mu-calculus formula (in F), (ii) a boolean connective (B ∈ B) stating
whether the state is part of an 'and' or an 'or' structure (an inherited attribute) and (iii) a fixed point operator (σ ∈ Σ) keeping
track of the fixed point nature of the current state's ancestor. The top variable X (the outermost formula variable)
therefore has no inherited attributes: we use the special symbol # as its B label and synthesize its fixed point attribute from
the definition of X. Rules 1–5 in Fig. 4 complete the definition of the transition relation for all other cases. Rules 1(a) and
1(b) are defined via a transitive closure relation and capture an action label m ∈ M present in identical boolean structures
and under the same fixed point operator. Note that the special symbol # matches both the ∧ and the ∨ boolean operators.
Rule 2 presents the nesting of boolean structures; in this case we use another special marker, ε, to identify a toggle
between boolean operators. ε is also used to mark the first transition from a formula variable (Rule 5). Fig. 5 shows a set
of mu-calculus formula equations with top variable X and the corresponding F-graph.
F-graphs are labeled transition systems (LTSs) representing the syntactic structure of the corresponding formula
equations. Let φ and ψ be mu-calculus formulas represented by equation sets with top formula variables X_φ and X_ψ,
respectively; the corresponding F-graphs are F_φ and F_ψ, with start states [X_φ]_{#,σ1} and [X_ψ]_{#,σ2}. We can establish
that if the start state of F_φ simulates that of F_ψ and vice versa, then the corresponding formulas φ and ψ are
equivalent.
Definition 2 (Simulation). Given a labeled transition system L, simulation is the largest relation R such that for all
states s1 and s2 in L,
s1 R s2 ⇒ ∀a, t2. s2 −a→ t2 ⇒ ∃t1. s1 −a→ t1 ∧ t1 R t2.
Fig. 4. Transition relation for F -graph.
Fig. 5. (a) Mu-calculus formula equations and (b) the corresponding F-graph.
Given LTSs L1 and L2 with start states s1 and s2, L1 is said to simulate L2, denoted by L1 ⪰ L2, if s1 R s2. If L1 ⪰ L2
and L2 ⪰ L1, we write L1 ≅ L2.¹
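Definition 2 and the mutual-simulation relation just introduced can be computed directly as greatest fixed points over a finite LTS. The block below is an added example for this page, not code from the paper: it computes the largest simulation and the largest bisimulation by starting from the full relation and deleting pairs that violate the transfer condition until nothing changes, and runs them on a constructed pair of CCS processes, P = a.b.0 + a.(b.0 + c.0) and Q = a.(b.0 + c.0), which simulate each other but are not bisimilar, the gap that footnote 1 points out. The same functions apply unchanged to an F-graph once its states and labels are encoded as hashable values; the ε-matching rule of Section 5.1 is not implemented here.

```python
def largest_simulation(lts):
    """Largest R with s1 R s2 => every move of s2 is matched by s1 (Definition 2).

    lts maps a state to its set of (action, successor) pairs.  Start from the
    full relation and discard pairs that violate the transfer condition until
    a fixed point is reached; the result is the simulation preorder.
    """
    states = list(lts)
    R = {(s1, s2) for s1 in states for s2 in states}
    changed = True
    while changed:
        changed = False
        for s1, s2 in list(R):
            for a, t2 in lts[s2]:
                # s1 must answer every a-move of s2 with an a-move to a related state
                if not any(b == a and (t1, t2) in R for b, t1 in lts[s1]):
                    R.discard((s1, s2))
                    changed = True
                    break
    return R


def largest_bisimulation(lts):
    """Largest relation satisfying the transfer condition in both directions."""
    states = list(lts)
    R = {(s1, s2) for s1 in states for s2 in states}
    changed = True
    while changed:
        changed = False
        for s1, s2 in list(R):
            fwd = all(any(b == a and (t1, t2) in R for b, t1 in lts[s1])
                      for a, t2 in lts[s2])
            bwd = all(any(b == a and (t1, t2) in R for b, t2 in lts[s2])
                      for a, t1 in lts[s1])
            if not (fwd and bwd):
                R.discard((s1, s2))
                changed = True
    return R


def simulates(lts, s1, s2):
    """True iff s1 simulates s2 (L1 ⪰ L2 for LTSs with these start states)."""
    return (s1, s2) in largest_simulation(lts)


def mutually_similar(lts, s1, s2):
    """L1 ≅ L2 in the notation above: simulation in both directions."""
    return simulates(lts, s1, s2) and simulates(lts, s2, s1)


def bisimilar(lts, s1, s2):
    return (s1, s2) in largest_bisimulation(lts)


# Constructed LTS holding both processes (distinct state names, shared 0):
#   P = a.b.0 + a.(b.0 + c.0)      Q = a.(b.0 + c.0)
EXAMPLE = {
    "P":  {("a", "P1"), ("a", "P2")},
    "P1": {("b", "0")},
    "P2": {("b", "0"), ("c", "0")},
    "Q":  {("a", "Q1")},
    "Q1": {("b", "0"), ("c", "0")},
    "0":  set(),
}

if __name__ == "__main__":
    print("P ≅ Q:", mutually_similar(EXAMPLE, "P", "Q"))
    print("P ~ Q:", bisimilar(EXAMPLE, "P", "Q"))
```

Q simulates P because both a-successors of P are matched by Q's single a-successor, and P simulates Q via its second branch; bisimilarity fails because Q's only a-move must be matched by one of P's a-moves that is itself bisimilar to b.0 + c.0, and the branch a.b.0 cannot do c. This is why Theorem 2 is stated for ≅ rather than for bisimilarity: the weaker relation is enough for formula equivalence and is cheaper to establish.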
Theorem 2 (Safe equivalence). Given the formula graphs F_φ and F_ψ for sets of mu-calculus equations representing
formulas φ and ψ, respectively, the following holds for all process expressions P:
F_φ ≅ F_ψ ⇒ (P ⊨ φ ⇔ P ⊨ ψ).
Proof. The proof proceeds by induction on the size of the formulas. See Appendix A for details. □
5.1. Discussion
In [3], a similar approach is proposed to detect equivalence between mu-calculus formulas. Informally, in the
setting of [3], two formulas (with similar boolean structure and fixed point nature) are said to be equivalent if for every
modal action present in one formula there is an identical modal action present in the other, and vice versa, and the
formulas to be satisfied after matching modal actions are in turn equivalent. For example, the following formulas
are identified as equivalent both by the technique of [3] and by the technique proposed in this section:
X = [a]X ∧ Z, Y = [a]Y ∧ [a]X ∧ Z.
The highlight of our technique is that it extracts the syntactic information of formulas by analyzing their graphical
representations rather than their textual representations. This enhances the ability to detect dependencies between
formula variables. For example, consider the formulas in Fig. 5. Applying our technique, we can identify the
equivalence between X and Y and between X and Z. Note that we allow a transition
B,⟨α⟩,σ ◦→ to be matched by B,ε,σ ◦→* B,⟨α⟩,σ ◦→ B,ε,σ ◦→*;
the reason being that an ε label may be caused by a new fixed point variable (Rule 5 in Fig. 4). On the other hand, [3]
fails to detect any such equivalence because of the absence of the modal actions ⟨b⟩ and ⟨a⟩ in the textual definitions of Y
and Z, respectively.
As remarked in [3], the transformation generates redundant formulas. For example, in Fig. 3, the formulas deﬁned
by the ﬁxed point variables XC,⊥,{} and Xa.C,⊥,{} are equivalent. The redundant formulas grow exponentially with the
number of applications of the transformation, and hence redundancy removal is necessary to make our transformation-
based technique usable in practice.
6. Accelerating ﬁxed point iterations
Widening [17] is a well-known technique for accelerating and guaranteeing termination over domains with inﬁnite
ascending chains. We ﬁrst present an acceleration operation, inspired by the widening operators deﬁned over type
graphs in the area of type analysis [26].
¹ L1 ≅ L2 does not imply that L1 and L2 are bisimilar, as bisimulation imposes the stronger requirement of two-way simulation on every
pair of bisimilar states [38].
Consider the problem of computing the limit of a sequence ψ_0, ψ_1, . . . such that ψ_{i+1} = f(ψ_i) and ψ_{i+1} ⊑ ψ_i.
The acceleration operation, ∇, is a monotonic function that views mu-calculus formulas as graphs. It determines a new
formula ψ′ = ∇(ψ_i, ψ_{i+1}) based on the differences between ψ_i and ψ_{i+1}, such that ψ′ ⊑ ψ_{i+1}. Recall that equivalence of
mu-calculus formulas is checked using similarities between their corresponding graphical representations (Section 5);
these graphs are used in the definition of ∇.
6.1. Acceleration based on formula graphs
The widening operator over type graphs [37,26] identifies topological differences between two graphs and detects
the state (in the graph to be widened) that leads to the disparity between the two graphs. This node is termed the
witness to the topological clash. In the next step, an ancestor of the witness with some specific property is selected. Finally,
all the transitions from the witness are directed to that ancestor, resulting in a loop. This removes the sub-graph of the
witness and shortens the graph.
Following the same line, we develop an acceleration operator over mu-calculus formulas expressing safety and reachability properties as follows. We first formalize the notion of a topological clash between the formula graphs (F1 and F2) of two formulas 1 and 2.
Definition 3 (Topological clash). Formula 2 clashes with 1 (denoted by 2 1) if there exists a state N2 in F2, reachable by a sequence of transitions (seq) from the start state of F2, such that for all states N1 in F1 reachable from the start state of F1 by the same sequence seq, N2 has an outgoing transition that cannot be matched by any outgoing transition from N1. State N2 is said to be a witness to the clash.
Intuitively, the above relation identifies the situation where 2 has a new sub-formula that is not present in 1. This type of divergence in the formula arises when a formula keeps count of the modal actions needed to reach a particular state. We discard such counts as follows.
Consider the case where the sequence of i generated is contracting (Eq. (1) in Section 4). Let N2, an ∧-node, be a witness to the topological clash 2 1. From Definition 3, N2 has at least one outgoing transition to N′2 which cannot be matched by any transition from N1. We refer to such a transition as a clash-transition. The witness is detected because of the introduction of new sub-formulas of the form 〈a〉 (or [a]) in 2. Acceleration is performed by merging the nodes N2 and N′2, i.e. by merging the witness node with all the nodes reachable by clash-transitions. The F-graph obtained after merging represents a new formula a. Such a merging operation leads to shortening of the F-graph and, in terms of abstraction of the formula, a restricted a (⇒ 2) is generated (recall that the sequence considered is contracting and N2 is an ∧-node). If the sequence of i is relaxing, then the witness N2 selected for discarding will be a ∨-node. Thus we ensure that the acceleration operator applied to i generates its relaxed approximation. Approximation results in incompleteness of our technique. Recall from Theorem 1 that Q ′ ⇔ Q|P , where ′ = {}⊥(P)(). If a is a restricted or relaxed approximation of ′ then either Q a ⇒ Q|P  or Q|P  ⇒ Q a, respectively, holds true. In other words, if a results from restriction (relaxation) and Q a (Q a) then it cannot be inferred that P|Q  (P|Q ).
Note, however, that the acceleration operator as defined is not a widening operator. The nodes selected for discarding are restricted by the definition of the generated formulas (contraction or relaxation), and hence not all disparities between the formula graphs are even considered for pruning. For instance, a sequence may be contracting but a formula can grow under a ‘∨’ node. This source of divergence disappears when we restrict the mu-calculus formulas under consideration to those whose F-graphs have all ∧-nodes or all ∨-nodes. Simple reachability and safety properties are of this form. This restriction on mu-calculus formulas makes the acceleration operation a widening operation.
Fig. 6 presents the pseudo-code of the widening algorithm. Procedure widen is invoked with the start states N1 and N2 of the graphs F1 and F2; the objective is to accelerate F2 using its clashes/differences with F1. In Line 3, procedure topoclash is invoked, which generates a set of witness states Nc paired with the corresponding states Mc such that there exists a clash-transition between them. Members of each such pair are then merged to realize the required acceleration (Lines 5–7). The complexity of this naive algorithm is exponential with respect to the number of nodes in the graphs, as it considers all possible transition sequences (paths) from the start states of each graph. For practical purposes, we restrict the search in procedure topoclash to detect witness nodes within a certain pre-specified depth from the start states. A better algorithm in terms of complexity is still to be developed.
Fig. 6. Widening algorithm.
Fig. 7. Simplified F-graph in (a) ith and (b) (i + 1)th iteration, (c) accelerated F-graph with the corresponding formulas.
Let us consider a simple formula acceleration example and illustrate the acceleration mechanism. Consider the formula ′i in Fig. 7(a). It defines a behavior where a deadlocked state (with no enabled transition) is reached after a and/or b actions. The box modality [-] corresponds to the modality on any action, denoted by ‘-’. The formula graph is shown above the corresponding formula equations. We have simplified the graph for the sake of clarity and brevity by only labeling nodes with the fixed point variables. Furthermore, transition labels  (fixed point sign) and ∨ (boolean connective) are omitted. Let ′i+1 (Fig. 7(b)) be the next formula that is generated as a result of transformation using the process P def= b.a.P (see the definition of X2 in Fig. 7(b)) followed by disjunction with ′i. The witness to the topological clash ′i+1 ′i is the node shown with a •, and the corresponding clash transition labeled by 〈a〉 leads to the node Z2. Acceleration is performed by merging the witness node with Z2, and the resultant accelerated formula obtained after simplification is shown in Fig. 7(c). Note that acceleration led to the merging of two ∨-structures, which in turn led to relaxation of the formula. Further note that acceleration discards all ordering of modal actions caused by the clash transition 〈a〉.
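The clash detection and merging of Section 6.1 and the Fig. 7 walk-through, as an added example in Python that is not the paper's own code or its XSB implementation: formula graphs are reduced to fixed-point variables as nodes and modal labels as transitions, with every node disjunctive (the all-∨ subclass for which the text says acceleration is a widening); the graph encoding, the depth bound and the two sample graphs are assumptions constructed here in the spirit of Fig. 7, not the figure's actual formulas.

```python
"""Widening over simplified formula graphs (Section 6.1). Added example, not the
paper's code. Assumed encoding: a formula graph maps each fixed-point variable
to its out-transitions, keyed by a modal label such as "<a>" or "[-]" and giving
the set of successor nodes; tt/ff are terminal nodes with no out-transitions;
every node is disjunctive, so a transition is matched by label alone."""
from collections import deque

Graph = dict[str, dict[str, set[str]]]


def reachable_by_path(g: Graph, start: str, seq: tuple[str, ...]) -> set[str]:
    """Nodes reached from `start` by following exactly the labels in `seq`."""
    frontier = {start}
    for label in seq:
        frontier = {succ for node in frontier
                    for succ in g.get(node, {}).get(label, ())}
    return frontier


def topoclash(g1: Graph, s1: str, g2: Graph, s2: str,
              max_depth: int) -> list[tuple[str, str, str]]:
    """(witness, label, target) triples for the clash of g2 with g1 (Definition 3).
    A node n2 of g2 reached by label sequence seq is a witness if one of its
    transitions is matched by no g1 node reached from s1 by the same seq. All
    paths are explored (the paper's naive algorithm), so the depth bound keeps
    the search finite; nothing below a witness is explored, as merging discards it."""
    found: dict[tuple[str, str, str], None] = {}  # insertion-ordered set
    queue = deque([(s2, ())])
    while queue:
        n2, seq = queue.popleft()
        n1s = reachable_by_path(g1, s1, seq)
        unmatched = [(label, tgt) for label, tgts in g2[n2].items()
                     for tgt in sorted(tgts)
                     if all(label not in g1.get(n1, {}) for n1 in n1s)]
        if unmatched:
            for label, tgt in unmatched:
                found[(n2, label, tgt)] = None
        elif len(seq) < max_depth:
            for label, tgts in g2[n2].items():
                for tgt in tgts:
                    queue.append((tgt, seq + (label,)))
    return list(found)


def merge_nodes(g: Graph, keep: str, drop: str) -> Graph:
    """Copy of g with `drop` folded into `keep`: transitions into `drop` now enter
    `keep`, and drop's out-transitions are added to keep's (counted steps become a loop)."""
    merged: Graph = {}
    for node, trans in g.items():
        if node != drop:
            merged[node] = {label: {keep if t == drop else t for t in tgts}
                            for label, tgts in trans.items()}
    for label, tgts in g[drop].items():
        merged[keep].setdefault(label, set()).update(
            keep if t == drop else t for t in tgts)
    return merged


def widen(g1: Graph, s1: str, g2: Graph, s2: str, max_depth: int = 4) -> Graph:
    """Accelerate g2 using its clashes with g1: merge each witness with the targets
    of its clash-transitions (the merging step of Fig. 6). Terminals are never folded."""
    survivor: dict[str, str] = {}  # merged-away node -> node it now lives on as

    def resolve(n: str) -> str:
        while n in survivor:
            n = survivor[n]
        return n

    g = g2
    for witness, _label, target in topoclash(g1, s1, g2, s2, max_depth):
        w, t = resolve(witness), resolve(target)
        if w != t and g[t]:
            g = merge_nodes(g, w, t)
            survivor[t] = w
    return g


def formula_size(g: Graph) -> int:
    """Number of fixed-point equations, i.e. non-terminal nodes (Table 2's measure)."""
    return sum(1 for trans in g.values() if trans)


# Constructed graphs in the spirit of Fig. 7 (not the figure's actual formulas).
# F_I, the i-th iterate: deadlock after some b's and at most one a. F_NEXT, the
# (i+1)-th: transforming through P = b.a.P added a further <a> sub-formula Z under Y.
F_I: Graph = {
    "X": {"[-]": {"ff"}, "<b>": {"X"}, "<a>": {"Y"}},
    "Y": {"[-]": {"ff"}},
    "ff": {},
}
F_NEXT: Graph = {
    "X": {"[-]": {"ff"}, "<b>": {"X"}, "<a>": {"Y"}},
    "Y": {"[-]": {"ff"}, "<a>": {"Z"}},
    "Z": {"[-]": {"ff"}},
    "ff": {},
}

if __name__ == "__main__":
    print("clashes:", topoclash(F_I, "X", F_NEXT, "X", 4))  # [('Y', '<a>', 'Z')]
    accelerated = widen(F_I, "X", F_NEXT, "X")  # Y = [-]ff v <a>Y: count of a's discarded
    print("equations:", formula_size(F_NEXT), "->", formula_size(accelerated))  # 3 -> 2
```

The witness Y is merged with the target Z of its 〈a〉 clash-transition, which turns the extra a-step into a self-loop exactly as the ordering of modal actions is discarded in Fig. 7(c).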
7. Case studies
In this section, we discuss the applicability of our technique for automatic verification of mu-calculus properties for
single-parameter systems.
Fig. 8. (a) Simple ring structure. (b) Behavior of single processor in cache coherence protocol.
7.1. Milner Scheduler
Milner’s Scheduler [38] consists of a number of processes (called cells) connected in the form of a cycle, where the ith cell waits on synchronization with the (i − 1)th cell and then communicates with the (i + 1)th cell. Each cell is also capable of performing autonomous actions. Fig. 8(a) shows N cells in a ring topology (a simplified version of Milner’s Scheduler where all the autonomous actions are discarded). Initially, all cells except the first are waiting to synchronize on a b action from the previous cell in the ring.
We consider the verification of the following mu-calculus property, which encodes the existence of a deadlock:
d : X = [−]ff ∨ 〈−〉X. (3)
Consider a system consisting of N cell processes, denoted by sys(N) (Fig. 8(a)), and the problem of verifying ∃N sys(N) d, i.e. checking whether the deadlock property is satisfied by some member of the parameterized family sys(N). The sequence of formulas as defined in Eq. (2) (relaxing sequence in Section 4) does not converge. This is because ′i, the ith formula in the sequence, captures all possible interleavings between the actions of the first cell and the ith cell. In fact, the interleavings that cause the divergence of the formulas in the sequence are the result of infeasible interleavings of the actions of the first and the ith cell. More precisely, interleavings where a of the first cell appears before a of the ith cell are represented in the generated formula. Clearly, such sequences are infeasible, as the first cell can only make a move on a when the last cell is ready to make the synchronized move on a, which, in turn, is possible only after all the actions of the intermediate cells (e.g. the ith cell). Equivalence reduction alone cannot discard such interleavings. However, when the widening operator (Section 6) is used, the resulting sequence converges after three cells (other than the first one) have been used to transform the formula; the acceleration operator ignores the exact nature of the interleaving that causes divergence. The fixed point after acceleration leaves for the environment the obligation to satisfy f ≡ X = 〈−〉. As 0 has no outgoing transition, 0 f. This implies ∀N sys(N) d.
Note here that similar behavior is exhibited by the token-ring protocol and queues with two or more buffers. In all these cases, while the transformation sequence does not converge directly, the widening technique forces termination.
7.2. Cache coherence protocol
Cache coherence protocols [6] are used in multi-processor systems with shared memory, where each processor possesses its own private cache and maintains its own copy of the same memory block in its private cache. The main concern is to ensure that at any point of time, multiple cached copies of the same memory block are consistent in their data content. The cache coherence protocol defines four distinct states for each processor—invalid, valid, shared and exclusive. An invalid processor state implies that the processor’s cached copy of the memory block is outdated. The valid and shared states imply that the processor has a current copy of the memory block in its cache, while the exclusive state denotes that the processor is the exclusive owner of the memory block. Each processor can either perform autonomous read (in all states except invalid) or write (only in the exclusive state) actions, or can synchronize with another processor using invalidate, copy or ownership actions (Fig. 8(b)).
Fig. 9. Specification of (a) spin lock and (b) meta-lock.
To prove consistency of data, we need to ensure that each read action to a memory address reads the last value written to that location. Previous efforts [42,18] to verify data consistency involved abstracting the parameterized system into a single infinite state system by counting the number of processors in the various states. Model checking was performed by reachability analysis of the system; reachability of any global state where the number of processors in each of the valid, shared and exclusive states is greater than or equal to 2 implies a violation of data consistency. In contrast, we model the processors such that two of them in the exclusive state can synchronize and lead to an “error” state; the error state can perform the autonomous action err. A least fixed point formula is used to detect an err action as follows:
err : X = 〈err〉tt ∨ 〈−〉X. (4)
We model the components of the parameterized system and check ∃N sys(N) err, where sys(N) consists of N processors. The limit f of the relaxing sequence of formulas generated by iterative transformation and disjunction is obtained after three iterations, since at any point of time at most two processors can share the ownership of cached data. Finally, 0 f, implying that data consistency is maintained for a system consisting of any number of processors.
7.3. Shared-memory mutual exclusion protocols
We consider two protocols that aim to ensure mutually exclusive access to shared memory in a multi-threaded system: (a) spin lock, where each thread can communicate only with the object it is trying to access, and (b) a simplified version of the Java meta-lock, where each thread either communicates with the object of interest or with another thread. We use a least fixed point formula m to represent the failure of the mutual exclusion property:
m ≡ Y = 〈in〉Z ∨ 〈−〉Y
Z = 〈in〉tt ∨ 〈−out〉Z, (5)
where the modal actions in and out denote, respectively, the cases when a thread is accessing and has released the object. The modal operator 〈−out〉 represents any action other than out. Two in actions with no intermediate out indicate simultaneous access of the object by two threads—violation of the mutual exclusion property.
7.3.1. Spin lock
Spin locks offer a simple mechanism to realize mutually exclusive access of objects by threads (Fig. 9(a)). The object has two states: not-busy (when it is not accessed by any thread, process NB) and busy (when it is accessed by some thread, process B). A not-busy object, upon receiving a req from a thread, replies with an ack message and behaves like a busy object. A busy object, on the other hand, denies all requests from threads using a nack message, or goes to the not-busy state on receiving a rel (release) signal from the lock-releasing thread. Each thread process can lock an object if it receives ack in response to a req signal. Once a thread has locked an object, it can perform
autonomous actions in and out, indicating it has acquired and is going to release the object lock, respectively. Using the system definition spin(N), consisting of one object and N thread processes, we verified the deadlock (d in Eq. (3)) and non-mutually-exclusive access (m in Eq. (5)) properties; the objective is to check whether ∃N spin(N) d and ∃N spin(N) m.
In both cases, we transform the formulas using the common member of the system, i.e. the object process. The residue is subsequently transformed iteratively using the thread processes. At each iteration the residue is or-ed with the transformation result of the previous iteration, leading to the generation of a relaxing sequence (Eq. (2) in Section 4). The result is a diverging sequence of mu-calculus formulas. Widening is employed after two threads are used as transformers, and the iterative procedure is forced to terminate. The limit obtained by transformation and widening, l, is used to check 0 l. As 0 does not model the limits obtained in both cases (deadlock and no mutual exclusion), we infer that ∀N spin(N) does not model d and m.
7.3.2. Simpliﬁed Java meta-lock
The Java meta-lock is a distributed algorithm designed by SUN Microsystems to ensure fast mutually exclusive access of objects by Java threads. Meta-locking can be viewed as a two-tiered scheme for exclusive access to the object monitor. To ensure fairness and fast access, each object maintains synchronization data, which can be viewed as a FIFO queue of threads waiting to enter the object’s monitor. The meta-lock is designed to provide exclusive access to the per-object synchronization data by threads. A thread process can communicate with an object process or with other thread processes via dedicated channels identified by the participating processes’ identification numbers. Similar to the spin lock, the pattern of synchronization involves requests from threads and replies from objects. However, in this case, a thread can directly communicate with another thread and exchange the object lock. For details of the protocol refer to [1].
We consider here a simplified version² of the meta-lock (Fig. 9(b)). A thread can either obtain an object lock by a fast path (getfast) or via a slow path (getslow). In the former case, the object is not accessed by any other thread and the current thread becomes the exclusive owner of the object lock. In the latter case, the thread waits to synchronize with the lock-releasing thread via handoff. Release of the object lock also follows a similar pattern. A thread can release the lock following the fast path when no other thread is waiting to access the object; otherwise, the thread follows the slow path, where it relays the object lock to the waiting thread by synchronizing on handoff.
As in the spin lock, we transform the given formulas (d, Eq. (3), and m, Eq. (5)) using the object process, followed by iterative transformations using the thread processes. The result of each iterative step is or-ed with the result in the previous iteration, leading to the generation of a relaxing sequence (similar to the spin lock case). The sequences of mu-calculus formulas generated by iterative transformation of both d and m diverge, and widening is used to force termination. Finally, 0 does not satisfy the accelerated formula obtained as the limit of the sequences, implying that the formulas d and m are not satisfied by any member of the infinite family of systems defined using meta(N).
8. Conclusion
We described an automatic technique for the verification of infinite families of concurrent systems. At the core of the technique is the use of partial model checking for generating property transformers over modal mu-calculus formulas from system specifications in CCS. In our technique, the problem of verifying an infinite family is posed as a problem of finding the limit of a chain of modal mu-calculus formulas (similar to program analysis techniques). We also presented a widening operator to guarantee termination of the analysis for a subclass of modal mu-calculus formulas. We have implemented this technique in the XSB tabled logic programming system [45]. The utility of the technique has been demonstrated by verifying a number of example parameterized systems with diverse characteristics in a uniform manner. The widening technique, however, can be too approximate to provide useful results in certain cases. Development of widening operators which perform more fine-grained approximations is a topic of future research.
² The actual specification of the meta-lock [1,9] uses a queue to model the list of waiting threads. Specifically, the process B1 in Fig. 9(b) can receive getslow requests from threads and record the number of such requests, subsequently requiring an infinite domain variable to keep track of the number of queued requests. In the current setting we avoid maintaining such a queue.
Table 1
Summary of results from the case studies

System                 Topology          Property            Result
Milner’s Scheduler     Ring              Deadlock            False
Cache coherence        Mesh              Data consistency    True
Spin lock              Star              Mutual exclusion    True
                                         Deadlock            False
Simplified meta-lock   Star-wired ring   Mutual exclusion    True
                                         Deadlock            False

Table 2
Performance of compositional verification

System                 Property            Iterations   Max. formula size (raw)   Max. formula size (reduced)   Time (s)
Milner’s Scheduler     Deadlock            3            12                        6                             0.30
Cache coherence        Data consistency    3            34                        9                             0.71
Spin lock              Mutual exclusion    4            329                       56                            384.24
                       Deadlock            4            48                        14                            7.15
Simplified meta-lock   Mutual exclusion    4            56                        10                            5.52
                       Deadlock            4            18                        7                             1.25
9. Summary
Table 1 summarizes the results of verifying the examples described in this section. Observe from the table that the verification technique has been successfully applied to parameterized systems with different connection topologies and for different properties. Table 2 summarizes the performance of the technique on these examples. Space and time measurements reported in this table were taken using an implementation of the technique in XSB Prolog 2.5/Debian Linux 2.4.25 running on a 1.7 GHz Xeon processor with 2 GB memory. The third column in the table shows the number of compositional analysis iterations (of the common component, e.g. cells, processors or threads) required to reach the limit of the chain of mu-calculus formulas. The fourth column presents the maximum size of the formula (before and after reduction) in terms of the number of fixed point equations used to represent the formula. Note that the technique converges within three iterations without the use of acceleration for the cache coherence protocol, while widening was used to force convergence for the scheduler, spin lock and meta-lock examples. The technique verifies most of the example systems within 10 s; the only exception is the mutual exclusion property of the spin lock. Recall that in the spin lock specification (Fig. 9(a)), a thread is allowed to loop forever by sending and receiving req and nack, respectively, to and from the object. This phenomenon of starvation increases the number of possible interleaved behaviors of threads in a spin lock. As a result, large formulas are generated at each iteration of compositional analysis, which increases the reduction and equivalence checking time. Note that such starvation is not present in our specification of the simplified meta-lock protocol.
Acknowledgements
We would like to thank K. Narayan Kumar and Lenore Zuck for their detailed and insightful suggestions. We also
thank the anonymous reviewers for their valuable comments.
This work is supported in part by NSF Grants EIA-9705998, CCR-9876242, EIA-9805735, N000140110967,
IIS-0072927, and CCF-0205376.
Appendix A.
Definition 4 (Process ordering). Process P1 is said to be smaller than P2, denoted by P1 ≺ P2, if any of the following conditions holds: (a) P1 is a sub-process expression of P2, (b) for all relabelings f and restrictions L, P1 = P[f] and P2 = P\L, and (c) P2 (≡ A) def= P1.
We only allow prefix-guarded process definitions, i.e., A def= A|P is not a permitted process definition.
Definition 5 (Formula ordering). Formula 1 is said to be smaller than formula 2, denoted by 1 ≺ 2, if 1 is a sub-formula of 2.
Theorem 1. Given a well-named process expression P, the following identity holds for all process expressions Q and for all mu-calculus formulas :
Q | P  ⇔ Q {}⊥(P)().
Proof. The proof proceeds by induction on the size of the process expression and formula. Below we itemize the proof for Rules 1–14 and A, B in Fig. 2.
(1) Rules 1 and 2: The theorem is trivially true when  is a propositional constant (tt or ff).
(2) Rule 3:  = 1 ∨ 2.
Q | P 1 ∨ 2 ⇔ Q | P 1 ∨ Q | P 2 ⇔ Q {}⊥(P)(1) ∨ Q {}⊥(P)(2) (induction on formula size)
⇔ Q {}⊥(P)(1 ∨ 2).
The proof for conjunctive formulas (Rule 4) proceeds in identical fashion.
(3) Rule 6: Process expression P = 0. Considering the fact that process 0 is the identity of the parallel composition operator in CCS, we infer
Q | 0  ⇔ Q  ⇔ Q {}⊥(0)().
(4) Rule 7: Process expression P is a process name A. By induction on the size of the process expression (D ≺ A if A def= D),
Q | A  ⇔ Q | D  ⇔ Q {}⊥(D)().
(5) Rule 8: P = R[f] where f is the relabeling function.
Q | R[f]  ⇔ Q[f−1] | R [f−1].
Recall that we consider well-named process expressions with injective relabeling functions. We define function f−1 as the inverse of f and [f−1] as the formula obtained from  by replacing modal actions (a ∈ n()) by f−1(a). By induction on process size (R ≺ R[f]),
Q[f−1] {}⊥(R)([f−1]) ⇔ Q {}f(R)() ⇔ Q {}⊥(R[f])().
(6) Rule 9: P = R\L where L is the set of restricted actions.
Q | (R\L)  ⇔ Q | R[L′/L]  ⇔ Q {}⊥(R[L′/L])(),
where L′ ∩ (L ∪ vn(Q) ∪ vn(R) ∪ n()) = {}. We consider the relabeling [Lr/L′] where Lr ∩ (vn(R) ∪ n()) = {} (see Rule 9 in Fig. 2). Proceeding further,
Q Lr⊥(R[Lr/L′] ◦ [L′/L])() ⇔ Q Lr⊥(R[Lr/L])().
Note that Lr ∩ vn(Q) may not be empty according to Rule 9. Process Q is not permitted to synchronize with R[Lr/L] on any action ∈ Lr.
(7) Rule 10: P = (P1 | P2)\L. We consider the restricted set of actions L to show that the annotations apply to the transformation function  in Rule 10.
Q | (P1 | P2)\L  ⇔ Q | (P1 | P2)[L′/L]  ⇔ Q | P1[L′/L] | P2[L′/L] ,
where L′ ∩ (L ∪ vn(Q) ∪ vn(P1|P2) ∪ n()) = {} (see the proof for Rule 9). By induction on the size of the process expression,
Q | P1[L′/L] | P2[L′/L]  ⇔ Q | P1[L′/L] {}⊥(P2[L′/L])()
⇔ Q {}⊥(P1[L′/L])({}⊥(P2[L′/L])())
⇔ Q Lp⊥(P1[Lp/L])({}⊥(P2[Lp/L])()),
where Lp ∩ (vn(P1|P2) ∪ n()) = {}. Note that the inner transformation function (P2) is not annotated with the restriction set Lp, as P1 is present in its environment and P2 can synchronize with P1 on actions ∈ Lp.
(8) Rule 11: P = a.R and  = 〈〉.
Q | a.R 〈〉 ⇔ Q′ | a.R  if Q b−→ Q′, b ∈ 
∨ Q | R  if a ∈ 
∨ Q′′ | R  if  ∈ , Q a−→ Q′′.
Next consider each disjunct separately and proceed by induction on the size of the formula ( ≺ 〈〉),
Q′ | a.R  ⇔ Q′ {}⊥(a.R)() ⇔ Q 〈〉{}⊥(a.R)(). (A.1)
Considering the second disjunct,
Q | R  ⇔ Q {}⊥(R)() (A.2)
and the third disjunct,
Q′′ | R  ⇔ Q 〈a〉{}⊥(R)(). (A.3)
Finally,
Q | a.R 〈〉 ⇔ Q 〈〉{}⊥(a.R)() (Eq. (A.1))
∨ Q {}⊥(R)() (Eq. (A.2))
∨ Q 〈a〉{}⊥(R)() (Eq. (A.3)).
Similarly, we can prove the box modality formula (Rule 12).
(9) Rule 13: P = P1 + P2 and  = 〈〉.
Q | (P1 + P2) 〈〉 ⇔ Q′ | (P1 + P2)  where Q a−→ Q′, a ∈ 
∨ Q | P1 〈〉 ∨ Q | P2 〈〉.
By induction on the size of the formula (first disjunct) and induction on the size of the process expressions (second and third disjuncts),
Q | (P1 + P2) 〈〉 ⇔ Q 〈〉{}⊥(P1 + P2)() ∨ Q {}⊥(P1)(〈〉) ∨ Q {}⊥(P2)(〈〉).
The theorem is proved in similar fashion for Rule 14.
(10) Rules 5 and A:  = X where X = . Q | P X iff the corresponding state represented by Q | P is present in the interpretation of the equation set E with top variable X. The equation set E is interpreted by the fixed point semantics of the definitions of the equations, with appropriate initialization of environments following the sign of the equations. The result of transforming X using the transformation function for process P is XP,⊥,{}, where XP,⊥,{} = {}⊥(P)() (an equation with the same sign as X, see Rule A in Fig. 2). From the transformation function for basic formulas (leading to Q | P  ⇔ Q {}⊥(P)()), we conclude Q | P X ⇔ Q {}⊥(P)(X). □
Theorem 2 (Safe equivalence). Given the formula graphs F and F for sets of mu-calculus equations representing formulas  and , respectively, the following identity holds for all process expressions P:
F F ⇒ (P  ⇔ P ).
Proof. The proof proceeds by induction on the size of the formulas. We consider below the transition rules presented in Fig. 4.
(1) Rule 4: This rule corresponds to the case where  and  are atomic propositions p and q, respectively.
Fp Fq ⇒ p = q ⇒ ∀P.(P p ⇔ P q).
(2) Rule 3a:  = 〈a〉′ and  = 〈b〉′. For diamond modality formulas the proof is as follows:
F〈a〉′ F〈b〉′ ⇒ a = b ∧ F′ F′ ⇒ a = b ∧ ∀P.(P ′ ⇔ P ′) (induction on formula size)
⇒ ∀P.(P 〈a〉′ ⇔ P 〈b〉′).
The proof for the box modality formula (Rule 3b) is realized in similar fashion.
(3) Rules 1a, b and 2: Let  = ∨i and  = ∨j.
F∨i F∨j ⇒ ∀j∃i.(Fi Fj) ∧ ∀i∃j.(Fj Fi)
⇒ ∀P∀j∃i.(P i ⇒ P j) ∧ ∀i∃j.(P j ⇒ P i)
⇒ ∀P.(P ∨i ⇔ P ∨j).
The proof for conjunctive formulas is the same as above.
(4) Special rule for top variable and Rule 5:  = X and  = Y, where X = x x and Y = y y, respectively:
FX FY ⇒ x = y ∧ Fx Fy ⇒ x = y ∧ ∀P.(P x ⇔ P y) ⇒ ∀P.(P X ⇔ P Y). □
References
[1] O. Agesen, D. Detlefs, A. Garthwaite, R. Knippel, Y.S. Ramakrishna, D. White, An efficient meta-lock for ubiquitous synchronization, in: Proc. ACM SIGPLAN Conf. Object Oriented Programming, Systems, Languages and Applications, 1999.
[2] R. Alur, T. Henzinger, Reactive modules, in: Proc. IEEE Symp. Logic in Computer Science, 1996.
[3] H.R. Andersen, Partial model checking, in: Proc. IEEE Symp. Logic in Computer Science, 1995.
[4] H.R. Andersen, C. Stirling, G. Winskel, A compositional proof system for the modal mu-calculus, in: Proc. IEEE Symp. Logic in Computer Science, 1994.
[5] K.R. Apt, D. Kozen, Limits for automatic verification of finite-state concurrent systems, Inform. Process. Lett. 22 (1986) 307–309.
[6] J. Archibald, J.-L. Baer, Cache coherence protocols: evaluation using a multiprocessor simulation model, ACM Trans. Comput. Systems 4 (4) (1986) 273–298.
[7] T. Arons, A. Pnueli, S. Ruah, J. Xu, L. Zuck, Parameterized verification with automatically computed inductive assertions, in: Proc. Computer Aided Verification, 2001.
[8] T. Ball, S. Chaki, S.K. Rajamani, Parameterized verification of multithreaded software libraries, in: Proc. Tools and Algorithms for the Construction and Analysis of Systems, 2001.
[9] S. Basu, S.A. Smolka, O.R. Ward, Model checking the Java meta-locking algorithm, in: Proc. Engineering of Computer-Based Systems, 2000.
[10] S. Berezin, D. Gurov, A compositional proof system for the modal mu-calculus and CCS, Technical Report CMU-CS-97-105, CMU, 1997.
[11] J. Bradfield, C. Stirling, Modal logics and mu-calculi: an introduction, in: Handbook of Process Algebra, Elsevier, Amsterdam, 2001.
[12] J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, L.J. Hwang, Symbolic model checking: 10^20 states and beyond, in: Proc. IEEE Symp. Logic in Computer Science, 1990.
[13] E.M. Clarke, E.A. Emerson, A.P. Sistla, Automatic verification of finite-state concurrent systems using temporal logic specifications, ACM Trans. Programming Languages and Systems 8 (2) (1986).
[14] E.M. Clarke, O. Grumberg, S. Jha, Verifying parameterized networks, ACM Trans. Programming Languages and Systems 19 (5) (1997).
[15] R. Cleaveland, B. Steffen, A linear-time model checking algorithm for the alternation-free modal mu-calculus, Formal Methods in System Design, 1993.
[16] J.M. Cobleigh, D. Giannakopoulou, C.S. Pasareanu, Learning assumptions for compositional verification, in: Proc. Tools and Algorithms for the Construction and Analysis of Systems, 2003.
[17] P. Cousot, R. Cousot, Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints, in: Proc. Principles of Programming Languages, 1977.
[18] G. Delzanno, Automatic verification of parameterized cache coherence protocols, in: Proc. Computer Aided Verification, 2000.
[19] G. Delzanno, A. Podelski, Model checking in CLP, in: Proc. Tools and Algorithms for Construction and Analysis of Systems, 1999.
[20] E.A. Emerson, C.S. Jutla, The complexity of tree automata and logics of programs, in: Proc. Foundations of Computer Science, 1988.
[21] E.A. Emerson, K.S. Namjoshi, Reasoning about rings, in: Proc. Principles of Programming Languages, 1995.
[22] E.A. Emerson, K.S. Namjoshi, Automated verification of parameterized synchronous systems, in: Proc. Computer Aided Verification, 1996.
[23] E.A. Emerson, K.S. Namjoshi, On model checking for non-deterministic infinite state systems, in: Proc. IEEE Symp. Logic in Computer Science, 1998.
[24] J. Esparza, A. Finkel, R. Mayr, On the verification of broadcast protocols, in: Proc. IEEE Symp. Logic in Computer Science, 1999.
[25] O. Grumberg, D.E. Long, Model checking and modular verification, ACM Trans. Programming Languages and Systems 16 (3) (1994) 843–871.
[26] P. Van Hentenryck, A. Cortesi, B. Le Charlier, Type analysis of Prolog using type graphs, J. Logic Programming 22 (3) (1994) 179–209.
[27] T. Henzinger, S. Qadeer, S.K. Rajamani, You assume, we guarantee, in: Proc. Computer Aided Verification, 1998.
[28] T.A. Henzinger, R. Jhala, R. Majumdar, S. Qadeer, Thread-modular abstraction refinement, in: Proc. Computer Aided Verification, 2003.
[29] G.J. Holzmann, The model checker SPIN, Software Engrg. 23 (5) (1997) 279–295.
[30] C.N. Ip, D.L. Dill, Better verification through symmetry reduction, Formal Methods in System Design 9 (1/2) (1996) 41–75.
[31] C.N. Ip, D.L. Dill, Verifying systems with replicated components in Murphi, Formal Methods in System Design 14 (3) (1999).
[32] Y. Kesten, A. Pnueli, Control and data abstraction: the cornerstones of practical formal verification, Internat. J. Software Tools for Technology Transfer 2 (4) (2000) 328–342.
[33] D. Kozen, Results on the propositional mu-calculus, Theoret. Comput. Sci. 27 (1983) 333–354.
[34] D. Lesens, N. Halbwachs, P. Raymond, Automatic verification of parameterized linear networks of processes, in: Proc. Principles of Programming Languages, 1997.
[35] D.E. Long, Model checking, abstraction and compositional verification, Ph.D. Thesis, CMU, 1993.
[36] K.L. McMillan, Compositional rule for hardware design refinement, in: Proc. Computer Aided Verification, 1997.
[37] P. Mildner, Type domains for abstract interpretation: a critical study, Ph.D. Thesis, Uppsala University, 1999.
[38] R. Milner, Communication and concurrency, International Series in Computer Science, Prentice-Hall, Englewood Cliffs, NJ, 1989.
[39] A. Pnueli, S. Ruah, L. Zuck, Automatic deductive verification with invisible invariants, in: Proc. Tools and Algorithms for Construction and Analysis of Systems, 2001.
[40] A. Pnueli, E. Shahar, Liveness and acceleration in parameterized verification, in: Proc. Computer Aided Verification, 2000.
[41] J.P. Queille, J. Sifakis, Specification and verification of concurrent systems in Cesar, in: Proc. Internat. Symp. Programming, 1982.
[42] A. Roychoudhury, Program transformations for verifying parameterized systems, Ph.D. Thesis, SUNY Stony Brook, 2000.
[43] A.P. Sistla, V. Gyuris, Parameterized verification of linear networks using automata as invariants, Formal Aspects of Comput. 11 (4) (1999) 402–425.
[44] P. Wolper, Expressing interesting properties in propositional temporal logic, in: Proc. Principles of Programming Languages, 1986.
[45] XSB, The XSB logic programming system v2.6, 2003, available from 〈http://xsb.sourceforge.net〉.
