Bug hunting with false negatives by Calamé, J.R. (Jens) et al.
C e n t r u m  v o o r  W i s k u n d e  e n  I n f o r m a t i c a
Software ENgineering
Bug hunting with false negatives
J.R. Calamé, N. Ioustinova, J.C. van de Pol, N. Sidorova
REPORT SEN-R0609 JUNE 2006
SEN
Software Engineering
Centrum voor Wiskunde en Informatica (CWI) is the national research institute for Mathematics and 
Computer Science. It is sponsored by the Netherlands Organisation for Scientific Research (NWO).
CWI is a founding member of ERCIM, the European Research Consortium for Informatics and Mathematics.
CWI's research has a theme-oriented structure and is grouped into four clusters. Listed below are the names 
of the clusters and in parentheses their acronyms.
Probability, Networks and Algorithms (PNA)
Software Engineering (SEN)
Modelling, Analysis and Simulation (MAS)
Information Systems (INS)
Copyright © 2006, Stichting Centrum voor Wiskunde en Informatica
P.O. Box 94079, 1090 GB Amsterdam (NL)
Kruislaan 413, 1098 SJ Amsterdam (NL)
Telephone +31 20 592 9333
Telefax +31 20 592 4199
ISSN 1386-369X
Bug hunting with false negatives
ABSTRACT
Safe data abstractions are widely used for verification purposes. Positive verification results can
be transferred to the concrete system. When a property is violated in the abstract system, one
still has to check whether a concrete violation exists. However, even when the violation scenario
is not reproducible in the concrete system (a false negative), it may still contain information on
possible sources of bugs. Here we propose a bug hunting framework based on abstract
violation scenarios. We first extract a violation pattern from an abstract violation scenario. The
violation pattern represents multiple violation scenarios, increasing the chance that a
corresponding concrete violation exists. Then we look for a concrete violation that corresponds
to the violation pattern by using constraint solving techniques.
1998 ACM Computing Classification System: D.2.4; D.2.5
Keywords and Phrases: Data abstractions; verification; false negatives; debugging; abstract vs. concrete
counterexamples

Bug Hunting with False Negatives
Jens R. Calame´1, Natalia Ioustinova1, Jaco van de Pol1, Natalia Sidorova2
1 CWI, P.O. Box 94079, 1090 GB Amsterdam, The Netherlands
2 Eindhoven University of Technology, P.O. Box 513, 5600 MB Eindhoven, The Netherlands
ABSTRACT
Safe data abstractions are widely used for verification purposes. Positive verification results can be transferred
to the concrete system. When a property is violated in the abstract system, one still has to check whether a
concrete violation exists. However, even when the violation scenario is not reproducible in the concrete system
(a false negative), it may still contain information on possible sources of bugs.
Here we propose a bug hunting framework based on abstract violation scenarios. We first extract a violation
pattern from an abstract violation scenario. The violation pattern represents multiple violation scenarios, in-
creasing the chance that a corresponding concrete violation exists. Then we look for a concrete violation that
corresponds to the violation pattern by using constraint solving techniques.
1998 ACM Computing Classification System: D.2.4 [Software/Program Verification], D.2.5 [Testing and De-
bugging].
Keywords and Phrases: Data abstractions, verification, false negatives, debugging, abstract vs. concrete coun-
terexamples.
1. INTRODUCTION
Abstractions [6, 7, 8, 10, 12, 18] are widely used to reduce the state space of complex/parameterized/large
systems for the verication purpose. Abstractions are often constructed in such a way that we can transfer
positive verication results to the concrete model but not the negative ones, i.e. they are mostly used to check
satisfaction rather than falsication of a property. Counterexamples found on the abstract system could have
no counterpart in the concrete system. We further refer to this kind of counterexamples as false negatives.
In this paper we consider false negatives in the context of data abstractions, i.e. abstractions that substitute
actual data values by abstract ones and operations on concrete data by operations on abstract data, depending
on the property being veried. We use the timer abstraction from [9] as an illustrating example in this paper.
This abstraction leaves all values of a discrete timer below k unchanged and maps all other values to the abstract
value k+. Note that the deterministic time progress operation tick (decreasing the values of active timers by
one), becomes nondeterministic on the abstract model (see Fig. 1).
Suppose we use this timer abstraction to verify an LTL property mentioning actions a and b and obtain
the trace a.set(k+).tick3.b.a.set(k+).tick2.d)? as a counterexample for the abstract system. Not that the data
abstraction inuences the number of ticks the system may take. In case the number of consecutive ticks stays
the same along any trace of the concrete system, the abstract trace cannot be reproduced on the concrete system
and is thus a false negative.
Although the obtained counterexample is a false negative, it may still contain a clue for nding a concrete
counterexample, e.g. in case the trace a.set(k).tickk.b. (a.set(k).tickk.d)? is possible in the original system for
some k. We can relax the found abstract counterexample by using the information that the operations on timers
are inuenced by the timer abstraction and check whether the concrete system contains a trace matching the
pattern a.any?.b.(a.any?.d)?, where any represents any action on timers. Note that any such a trace would
violate our property of interest. The pattern is more restrictive than the negation of the property, and moreover,
it contains a cyclic part. Therefore, nding a trace of the concrete system satisfying the pattern is easier





Figure 1: Abstracted timer
In this paper, we propose a framework that supports the bug hunting process described in the above example.
Given an abstract counterexample (which is possibly a false negative) we relax actions inuenced by the data
abstraction and construct a violation pattern that represents a a set of traces violating the property and similar
to the counterexample.
To check whether there is any concrete trace matching the violation pattern, we transform the violation
pattern and the specication of the concrete system into a constraint program. Further a constraint solver is
used to nd a concrete trace matching the violation pattern, if such a trace exists. We tried out our approach by
applying it for debugging µCRL specications [1]. We use Eclipse Prolog [4] to implement constraint solving.
Our rst experiments showed that our framework can be successfully used for counter abstractions.
Related work First, we compare our method with the more traditional CEGAR approach (Counterexample-
Guided Abstraction Renement) [5, 17]. In both methods, abstractions preserve properties in one direction
only: if the abstract system satises the property, so does the concrete system; a counterexample may however
be a real one or a false negative (spurious). In the CEGAR method, a spurious counterexample is used to
iteratively rene the abstraction; subsequently the model checking algorithm is called on the rened abstraction.
Our method is to generalize the spurious counterexample, hoping to directly nd some violation in the concrete
specication, similar to the original spurious counterexample.
Note that in principle both methods can be combined: given a (possibly spurious) counterexample, one could
search for a concrete violation using our method. If this is found, the CEGAR loop can be terminated early. If
a concrete counterexample is not found, one can proceed to rene the abstraction, as in the CEGAR approach
and iterate the verication process.
In [22], the authors address the problem of automating the analysis of counterexamples that have been
produced when model checking the abstract model in order to determine whether they represent real system
defects. They propose two techniques for this purpose: model checking on choose-free paths and abstract
counterexample guided concrete simulation. In [21], an approach based on test generation is proposed for
searching concrete instances of abstract counterexamples. The approach addresses only counterexamples for
safety properties, i.e. works only for nite counterexamples. Unlike these approaches, we look for a concrete
trace matching not a counterexample itself but a driven by it violation pattern.
Works orthogonal to our work are [15] and [23], where the authors propose model checking methods that
rely on a renement of an under-approximation of the system behaviour. These methods are aimed at the
falsication of the desired property, and apply a renement when a counterexample is not found. We aim at
proving the property and try to nd a concrete counterexample when we do not succeed to prove it.
The rest of the paper is organized as follows. We introduce some basic notions in Section 2 and data abstrac-
tions in Section 3. In Section 4, we present our framework . In Section 5 we describe our approach to nding
concrete traces matching the violation pattern and discuss some experimental results. Finally, in Section 6 we
summarise our contribution and discuss directions for further research.
2. PRELIMINARIES
Our operational model is based on synchronously communicating processes with top-level concurrency. This
is a simplication of a model used in [24]. A specication Spec is given as the parallel composition Πni=1Pi of a
nite number of processes. A process denition P is given by a four-tuple (Var,Loc,σ0,→), where Var denotes
a nite set of variables, and Loc denotes a nite set of locations, or control states. A mapping of variables to
values is called a valuation; we denote the set of valuations by Val = {η | η : Var → D}. We assume standard
data domains such as N, Bool, etc. We write D when leaving the data-domain unspecied and silently assume
all expressions to be well-typed. Let Σ = Loc×Val be the set of states, where a process has one designated
3. Safe Data Abstractions 3
initial state σ0 = (l0,η0)∈ Σ. The set→⊆ Loc×Act×Loc denotes the set of edges. An edge describes changes
of congurations specied by an action from a set Act.
As actions, we distinguish (1) input of a signal s containing a value to be assigned to a local variable, (2)
output of a signal s together with a value described by an expression, and (3) internal events. Every action
is guarded by a boolean expression g, its guard. The three classes of actions are written as g.?s(x), g.!s(e),
and gBa,x := e, respectively, and we use α, α′ . . . when leaving the class of actions unspecied. For an edge
(l,α, l) ∈→, we write more suggestively l →α l.
Before we dene the semantics, we introduce the notions of labeled transition system and of trace.
Denition 1 (LTS). A labeled transition system (LTS) is a tuple M = (Σ,Act, →, σinit) where Σ 6= /0 is a set of
states, Act is a set of labels (actions), →⊆ Σ×Act×Σ is a transition relation, σinit ∈ Σ is the initial state.
Denition 2 (Trace). A trace β of M is a mapping β : N −→ Act, where N = {1,2, . . . ,n} or N = N, for which
there exists a mapping βσ : N∪{0} −→ Σ such that βσ(i)→β(i+1) βσ(i+1) for all (i+1) ∈ N. If N = N, trace
β is called an innite trace; otherwise, it is a nite trace. The length |β| of β is dened as |N|.
In the further text, we refer to the set of traces of M as [[M]]trace.
The step semantics is given by an LTS M = (Σ,Lab,→λ,σ0), where →λ ⊆ Σ×Lab×Σ is given as a labelled
transition relation between states. The labels differentiate internal event steps and communication steps, either
input or output, which are labelled by a signal and a value being transmitted, i.e. ?s(v) or !s(v), respectively.
Receiving a signal s with a communication parameter x, l →g.?s(x) l ∈→, results in updating the valuation
η[x 7→v] according to the parameter of the signal and changing current location to l. Output, l →g.!s(e) l ∈→,
is guarded, so sending a message involves evaluating the guard and the expression according to the current
valuation. It leads to the change of the location of the process from l to l.
Assignments, l →gBa,x:=e l ∈→, result in the change of a location and the update of the valuation η[x 7→v],
where [[e]]η = v. Assignment transitions are labelled by the corresponding event label a.
Although we are working with specications containing only one process denition, it does not limit our
approach. Existing linearization techniques [14] allow to obtain a single process denition for a parallel com-
position of a nite number of process denitions by eliminating communication and parallel composition.
3. SAFE DATA ABSTRACTIONS
Abstraction techniques are widely used to make the verication of complex/parameterised/innite systems
feasible. The main requirement for an abstraction is that the abstract system behavior should correctly reect
the behavior of the concrete system with respect to a verication task in the sense that (1) an abstraction should
capture all essential points in the system behavior, i.e., be not too abstract, and (2) an abstraction should be
safe, which means that every property checked to be true on the abstract model, holds for the concrete one as
well. This allows the transfer of positive verication results from the abstract model to the concrete one.
The concept of safe abstraction is well-developed within the Abstract Interpretation framework [7, 8, 10, 18].
Working within this framework guarantees the preservation (in the direction from the abstract to the concrete
model) of the truth of formulas of temporal logics without existential quantication over paths, e.g. 2L+µ (i.e.,
all formulas of the µ-calculus without negation and containing only the 2 operator) or next-free LTL. Since the
negative verication results are usually not preserved, counterexamples can be false negatives.
In practice, a data abstraction is usually applied directly on a system specication rather than on its semantics
model. The requirement that Abstract Interpretation imposes on the relation between the concrete model and its
safe abstraction can be formalized as a requirement on the relation between the data and the operations of the
concrete system and their abstract counterparts as follows: Each value of the concrete domain Σ is mapped by
a description function ρd : Σ−→ αΣ to a value from the abstract domain αΣ. The abstract value describes the
concrete value. We assume an ordering  on the abstract domain αΣ according to the precision of abstract
values: given a concrete value x and its abstract description xα = ρd(x), we say that any yα ∈ αΣ such that
xα  yα is a less precise description of x.
For every operation (function) f on the concrete data domain, an abstract function f α is dened, which
mimics f . (For simplicity, we assume f to be a unary operation.) In general, the abstraction can be nonde-
terministic. This is formally captured by letting f α be a function into the powerset over the domain of abstract
4values. The requirement of mimicking is then formally phrased with the following safety statement:
∀x ∈ Σ ∃y ∈ f α(ρd(x)) : ρd( f (x)) y. (3.1)
A Timer Abstraction We use a timer abstraction as an illustrative example. The timer abstraction has been
proposed in [3, 9]. The concept of timers is often used to specify time constraints imposed on a system or on
a system environment. We use this concept in the context of discrete time where time is modelled as a digital
logical clock and time progress is modelled by an action tick having the least priority in the system [2].
A timer can be either active or deactivated. An active timer keeps a value left until an expiration of the timer.
An active timer with the value 0 expires. We model expiration of a timer t by a boolean guard gt checking
whether the value of the timer is 0. Time progression decreases values of active timers.
For a timer t, the concrete domain of timer values Σ = N∪{−1}, where −1 represents a deactivated timer,
is replaced with the abstract domain αΣt = {−1,0, . . . ,kt −1,k+t }, where the value kt is a positive value dened
by the user, assuming that the property we want to verify still holds even if we do not distinguish between the
values of the timer greater than or equal to kt . We overload the notation by using c (−1≤ c < kt ) as an abstract
value representing the single concrete value c, while c+ describes the set of concrete values {c,c+1,c+2, . . .}.
We do not consider 0+ abstraction here.
The description function ρt is dened as ρt(c) = c if c < kt and ρt(c) = k+t otherwise. Abstract operations on
timers are dened in an intuitive way: setting a timer to value x becomes setting it to value ρt(x); the timeout
guard gαt is true iff [[t]] = 0; and tickα is a nondeterministic operation that changes the value of a timer from a
to b according to the following rules: (1) if a = −1 then b = −1, (2) if 0 ≤ a < kt then b = a− 1 (where −
works on abstract values as on integers), (3) if a = x+ then b ∈ {x+,x− 1}. It is straightforward to show that
the timer abstraction is safe. Applied to a concrete system it yields the safe abstract system [16].
4. BUG-HUNTING WITH FALSE NEGATIVES
Here we provide an overview of our framework for bug hunting with false negatives. The bug hunting process
comprises the following steps.
1. Specify a requirement as a formula φ of action-based next-free LTL [11].
2. Choose and apply a data abstraction to the specication of the concrete system and to the property.
3. Check whether the abstract system satises the abstract property.
If the abstract system satises the property, so does the concrete system and the verication process
stops. Otherwise, proceed with step 4.
4. Generate a violation pattern that species a set of traces similar to the counterexample and violating
the property.
5. Check whether one of the traces of the concrete system matches the violation pattern.
Since steps 1-3 of the framework can be handled by existing data abstraction and model checking techniques,
our contribution concerns steps 4-5 of the framework only.
4.1 Constructing a violation pattern
A counterexample that we obtain in case the property is violated on our abstract model is an innite trace of the
form βpβws where βp is a nite prex and βωs is a cyclic sufx with a nite cycle base βs. For safety properties
(claiming that something bad does not happen), the cycle base will be empty, while for liveness properties
(stating that something good eventually happens) it is not empty.
Although β could have no counterpart in the concrete system, it may contain a clue about a counterexample
present in the concrete system. Therefore we transform a counterexample β into a violation pattern V . We
consider here both nite and innite counterexamples.
A violation pattern is an LTS that accepts all traces leading to the distinguished state Accept that has no
successor states. The violation pattern accepts only traces which are similar to the counterexample and
4. Bug-Hunting With False Negatives 5







Figure 2: A counterexample
violate the property. The actions mentioned in the property and the information about the cyclic base of the
counterexample are essential for the property violation. Therefore we keep this information in the violation
pattern. For actions inuenced by the abstraction, the order and the number of actions in a similar trace may
differ from those of the counterexample.
First we will illustrate the idea of similarity on a simple example and then generalize it.
Assume that we model checked the property 2(a−→3b) and obtained the following abstract counterexam-
ple (see Fig. 2): a.set(k+).tick3.b.(a.set(k+).tick2.d)ω. To guarantee that the property is violated by any trace
accepted by the pattern, we keep at least actions a and b mentioned in the property as they are (see Fig. 3).
Since we are searching for similar traces with an innite cyclic sufx, we also need to keep information about
at least one state of the cycle. Moreover, we specify when the search for a concrete counterexample can stop
by providing a transition to the acceptance state. Here we do it by keeping the last action d of the sufx base
(see Fig. 3). The actions tick and set(k+) are not mentioned in the property and are denitely inuenced by the
timer abstraction. Therefore we relax these actions, meaning, we allow these actions to occur an arbitrary
number of times in an arbitrary order (see states 1 and 3 of the violation pattern in Fig. 3).
We refer to the set of actions that do not want to relax as Actkeep. This set includes at least all the actions
mentioned in the property. In the violation pattern, we distinguish a set of cyclic states that correspond to the
states in the cyclic sufx. The last action of a nite counterexample leads to the accept state in the violation
pattern. For an innite counterexample, the last action of the cyclic base leads to the accept state.
Intuitively, we would like to relax only the actions inuenced by the data abstraction (not necessarily all of
them). These actions can be found by applying static analysis techniques. The more actions we keep, the faster
we can check whether there is a concrete trace matching the pattern. By keeping too much, we may however
end up with a violation pattern that species the traces having no counterparts in the concrete system. Formally:
Denition 3 (Violation Pattern). Given an abstract counterexample β = βpβωs and a set Actkeep of non-relaxed
actions, a violation pattern is an extended LTS V = (Σ, Act, T, σinit , C, Accept) constructed by Algorithm 4,
where C ⊆ Σ is a (possibly empty) set of cycle states and Accept is the nite state.
The set of nite traces ending in the accept state Accept is referred further as the set [[V ]]atrace of accepted
traces. Traces which are not accepted by the pattern are referred further as a set [[V ]]rtrace of refused traces.
Given a counterexample β = βpβws and a set Actkeep of actions to keep, Algorithm 4 constructs the violation
pattern V . The algorithm starts with creating the initial state 0 of V and goes through βpβs. When the algorithm
encounters an action to relax, it adds a self-loop transition labelled by this action to the current state of V . When
it encounters an action to keep or reaches the end of the trace, it adds a transition from the current state to the





Figure 3: The violation pattern
6Algorithm 1 (Build Violation Pattern).
1 inputs β = βpβωs ,Actkeep trace, actions to keep
2 output V = (Σ,Act,T,σinit ,C,Accept) violation pattern
3 σinit : = 0; Σ : = {σinit}; initialization
4 C : = /0;
5 st : = 0; current state st of V
6 for all i = 1..|βpβs| do for all steps of βpβs
7 { if β(i) 6∈ Actkeep then T : = T ∪{(st,β(i),st)}; add a relaxed step
8 if β(i) ∈ Actkeep or i = |βpβs| then if a step to keep
9 { Σ : = Σ∪{st +1}; add a new state,
10 T : = T ∪{(st,β(i),st +1)}; add the step to the new state
11 st : = st +1; proceed with the next state of V
12 }
13 if i = |βp|+1 then C : = {st}; indicate the rst state of the cycle
14 }
15 Accept : = st; the last added state is the accept state
Figure 4: Algorithm constructing violation pattern
(new) next state labelled by this action. The set C of cyclic states is empty if we have a nite counterexample
and contains the state corresponding to the rst state of the cycle base for innite counterexamples.
Clearly, all traces obtained from the traces of [[V ]]atrace by adding a loop going through C for innite coun-
terexamples violate the property φ.
4.2 Looking for a concrete counterexample
After we have constructed the violation pattern V , we check whether there is a concrete counterexample ρ =
ρpρωs such that ρpρs ∈ [[V ]]atrace.
For nite counterexamples (ρs is empty) in non-parameterised nite systems one can build a synchronous
product of V and the concrete system and check whether the Accept state is reachable. For innite counterex-
amples we additionally need to check that some state of ρσ corresponding to the Accept state coincides with
a state of ρσ corresponding to C. We employ constraint solving [20] for nding a concrete counterexample,
which allows us to check this additional condition for innite traces, and also allows us to do it for innite and
parameterised systems.
To nd a concrete trace matching the violation pattern V , we transform the specication of the concrete
system and the violation pattern into a constraint program and formulate a query to nd such a trace. Note
that for a concrete system with an innite state space, it is possible that the constraint solver will not terminate.
Moreover, it is possible that the only traces that match the violation pattern are spiral traces, not cycling
traces (i.e. we do have a loop with respect to actions, but some variable is e.g. innitely growing) and we
will not be able to nd them. This limitation applies however to all known to us methods for identifying
counterexamples.
The transformation of the specication of the concrete system into a rule system R S Spec is dened in Table 1.
Each edge of the specication Spec is mapped into a rule A :−g. In the rule, g is a guard and A is a user dened
constraint of the form name(state(l,Var), state( l, Var′), param(Z)). The rst parameter state of the user dened
constraint describes the source states corresponding to the edge in terms of control locations of a process and
valuations of process variables. The second parameter state describes the destination states in terms of control
locations of a process and valuations of process variables. The third parameter param() contains parameters
representing input and output values. The constraint is satised iff the guard guard is satised.
In ROUTPUT, the name of the constraint coincides with the signal s. Note that the values of the process
variables Var remain unmodied and the output value is represented by the parameter Y whose value is given
by the expression e. In RINPUT, the input leads to the substitution of the value of process variable x by the
4. Bug-Hunting With False Negatives 7
l →g.!s(e) lˆ ∈→
ROUTPUT
s(state(l,Var),state(lˆ,Var),param(Y )) :−g∧Y = e.
l →g.?s(x) lˆ ∈→
RINPUT
s(state(l,Var),state(lˆ,Var[x 7→Y ]),param(Y )) :−g.
l →gBa,x:=e lˆ ∈→
RASSIGN
a(state(l,Var),state(lˆ,Var[x 7→e]),param( )) :−g.
Table 1: From specication Spec to rule system R S Spec
value of the input parameter Y . In RASSIGN, an assignment is represented by substituting the value of the
process variable x by the valuation of the expression e. Event-rules have no local parameters, which is denoted
by the underscore (don’t-care) here.
The transformation of the edges of the violation pattern V = (Σ, Act, T, σ0, C, F) into the rules of the rule
system R SV is dened in Table 2. Note that we provide the transformation for input and output steps only. The
transformation for the event steps is a straightforward simplication of the transformation for input and output
steps. Intuitively, given a step of the violation pattern, a rule of R SV checks whether the concrete system may
make this step. The rules also take into account the information about cyclic states and the data abstraction.
Rules 14 of Table 2 transform the steps of the violation patterns into the rules of the form: B : −A∧B′ ∧
gd∧gc. B is a user dened constraint of the form σ(state(~X),O) specifying a pair of the source state state(~X) of
the concrete system (~X stands for (l,Var)) and the source state O of the violation pattern. B keeps the concrete
states that are possible on a cycle in the set flC.
A is a user constraint of the form a(state(~X),state(~X ′),param(Y )) as dened above. It represents a step on
which the concrete system and the violation pattern can potentially synchronize.
B′ is a user dened constraint that represents pairs of a destination state of the concrete system and a destina-
tion state of the violation pattern that can be reached by the step specied by A. The guard gd checks whether
the data parameter of the concrete action is a concretization of the data parameter of the abstract action. For
the cyclic states, the guard gc also checks whether the destination state of the concrete system has been visited
already, i.e. whether it is in the set flC.
Rule 1 of Table 2 transforms input/output steps of the violation pattern whose destination state σ′ is not
the beginning of the cycle base and not the acceptance state. Therefore, we omit the cyclic guard gc. The step
specied by the s(state(~X),state(~X ′),param(Y )) constraint leads to the change of the state to σ′ in the violation
σ→!s(v) σˆ or σ→?s(v) σˆ σˆ 6∈C σˆ 6= Accept
(1)
σ(state(~X),C¯) :− s(state(~X),state(~X ′),param(Y )) ∧Y ∈ γ(v) ∧ σˆ(state(~X ′),C¯)
σ→!s(v) σˆ or σ→?s(v) σˆ C 6= /0 σˆ = Accept
(2)
σ(state(~X),C¯) :− s(state(~X),state(~X ′),param(Y )) ∧Y ∈ γ(v)
σ→!s(v) σˆ or σ→?s(v) σˆ σˆ ∈C σˆ 6= Accept
(3)
σ(state(~X),C¯) :− s(state(~X),state(~X ′),param(Y )) ∧Y ∈ γ(v) ∧ σˆ(state(~X ′), [state(~X ′) | C¯])
σ→!s(v) σˆ or σ→?s(v) σˆ C 6= /0 σˆ = Accept
(4)
σ(state(~X),C¯) :− s(state(~X),state(~X ′),param(Y )) ∧Y ∈ γ(v) ∧ state(~X ′) ∈ C¯









msg   msg  
Figure 5: PARComponents
pattern and to the state state(~X ′) in the concrete system. That is captured by the constraint σ(state(~X ′),C) in
the rule. The rule is satised only if both the violation pattern and the concrete system can make the specied
input/output step and the action labelling the step of the concrete system satises the constraint Y ∈ γ(v).
Rule 2 of Table 2 is applicable to the steps of the violation pattern built for a nite counterexample which
lead to the acceptance state.
Rule 3 of Table 2 transforms the steps of the violation pattern leading the state which corresponds to the
beginning of the cycle in case it does not coincide with the acceptance state. Since σ is the cyclic state, the
pair of the state of the violation pattern and the state of the concrete system is potentially cyclic. By adding
the constraint σ(state(~X ′), [state(~X ′) |C]), we add the concrete state state(~X ′) satisfying the rule to the set flC of
states which are potentially cyclic.
Rule 4 of Table 2 transforms the step leading to the accept state of the violation pattern. In this case, we
check whether the destination state state(~X ′) of the concrete system has already been encountered before, i.e.
we check whether it is in set flC of potentially cyclic states.
The rule system R SV together with the rule system R S Spec form the constraint program. In order to check
whether we can nd a concrete counterexample matching the violation pattern, we transform the pair of the
initial state of the violation pattern and the initial state of the concrete system into the query σinit(state(~Xinit))
and ask a constraint solver whether it has a solution in the constraint program formed by R S Spec and R S v.
If yes, it provides us a counterexample. Otherwise, we cannot give a conclusive answer and have to use e.g.
abstraction renement techniques to nd out whether the property holds on the concrete system or not.
5. PAR
To check the applicability of our framework we performed a number of verication experiments with µCRL
specications. µCRL (micro Common Representation Language) is a specication language which is essen-
tially an extension of the process algebra ACP with abstract data types and recursive denitions. The µCRL
toolset provides tool support for analysis, abstraction, optimization and state space generation for µCRL speci-
cations (see [13] for details about the language and [1] for details about the toolset). We use Eclipse Prolog [4]
for constraint solving.
In this section we selected the positive acknowledgment retransmission protocol (PAR) [25] to illustrate the
motivation for our work and our approach. The usual scenario for PAR includes a sender, a receiver, a message
channel and an acknowledgment channel (see Fig.5). The channels delay the delivery of messages. Moreover,
they can lose or corrupt messages. The sender receives a message from the upper layer, sends it to the receiver
via the message channel, and waits for an acknowledgment from the receiver via the acknowledgment channel.
When the receiver has delivered the message to the upper layer it sends an acknowledgment to the sender.
After the acknowledgment is received, the sender becomes ready to send a subsequent message. The receiver
needs some time to deliver the received message to an upper layer. The sender handles lost messages by timing
out. If the sender times out, it re-sends the message. The protocol works correctly iff the timer setting of the
sender is larger than the sum of delays on communication channels.
Fig. 6 illustrates the idea of a well-known erroneous scenario for PAR. The sender times out while the
acknowledgment is still on the way. The sender sends a duplicate, then receives the acknowledgment and





















Figure 7: Environment for PAR
However, the sender receives the acknowledgment for the duplicate, which it believes to be the acknowledgment
for the last message. Thus the sender does not retransmit the lost message and the protocol fails. To avoid this
erroneous behavior, the timeout interval must be long enough to prevent a premature timeout, which means
that the timeout interval should be larger than the sum of delays on the message channel, the acknowledgment
channel and the receiver [25].
In order to perform the verication, we specied PAR in µCRL (see App. A and [2] for timed verication with
µCRL). Model checkers usually cannot handle open systems. Therefore we also have specied an environment
for PAR. In the environment, we differentiate only two messages msg1 and msg2, the rest is mapped to msg3.
This environment is sufcient in order to check that no message loss, no duplicated delivery happens and that
the messages are delivered in the same order as they are sent. The environment consists of two processes: one
represents the upper layer for the sender and the other models the upper layer of the receiver. The behavior of
the environment is illustrated in Fig 7. The process representing the upper layer of the sender sends an arbitrary
number of msg3 to the sender, followed by sending msg1. Then it proceeds with sending an arbitrary number of
msg3 followed by sending msg2 and nally sends an arbitrary number of msg3 again. The process representing
the upper layer for the receiver receives the messages in the same fashion.
We tried to verify that for any setting of the sender timer exceeding some value k, all messages sent by
the upper layer to the sender are eventually received by the upper layer from the receiver. To prove that the
property holds for any setting of the sender timer exceeding k, we applied the timer abstraction described in
Section 3 to the sender timer (see App. B for the abstract PAR specication). The property was not satised
on the abstract system (since the k we took was less than the sum of the channel delays) and we obtained a
counterexample (see App. C for the counterexample). The abstract counterexample was not reproducible on
the concrete system, since the number of tick steps from a setting of the sender timer till its expiration varied
along the trace due to the use of the abstraction.
We have transformed the abstract counterexample into the violation pattern (Fig. 8), where
10
A = {msg out(msg1,F), tick,mdelay,msg in(msg1,F),vfvs}
B = {ack out, tick,adelay, retransmit,msg out(msg1,F),ack in}
C = { mchbusy, tick,mdelay,msg in(msg1,F),msg out(msg2,T),vfws,ack out,adelay,ack in}
D = {mlose,msg out(msg3,F), tick,mdelay,msg in(msg3,F),vfws,ack out,adelay}
E = {msg out(msg3,T), tick,mdelay,msg in(msg3,T),vfvs}
F = {ack out, tick,adelay,ack in}
G = {msg out(msg3,F), tick,mdelay,msg in(msg3,F),vfvs}
H = {ack out, tick,adelay}
The violation pattern basically says that after losing message msg2, the receiver will reject delivery of mes-
sage msg3. Further the system gets into the loop where again and again message msg3 is delivered rst with
the sequence bit T and then with the sequence bit F . Thus, the message msg2 has never been delivered. In
Fig. 8, this loop is entered in state 5 of the violation pattern.
We transform the violation pattern and the concrete specication of the system into resp. rule systems R S V
(see App. D) and R S Spec (see App. E). With the Eclipse Prolog constraint solver, we obtain a solution for the
query asking whether there any of the traces of the violation pattern has a concrete counterpart in the concrete
system. The solution is indeed the counterexample for the property we have tried to verify (see App. F).
6. CONCLUSION
We proposed a novel framework for interpreting negative verication results obtained with the help of data
abstractions. Existing approaches to handling abstract counterexamples try to nd an exact counterpart of the
counterexample (e.g. [22]). When no concrete counterpart can be found, the data abstraction is considered to
be not ne enough and an abstraction renement is applied (e.g. [5]).
In our framework we look for the useful information in false negatives. Given a specication of a system
and a system property (formulated as an LTL-X formula), we rst chose and apply a data abstraction to both of
them and then verify the abstract property on the abstract system. If the verication results in a violation of the
abstract property and the obtained counterexample has no counterpart in the concrete system, we transform the
counterexample into a violation pattern, which is further used to guide the search for concrete counterexamples.
The framework allows to handle not only counterexamples obtained when verifying safety properties but also
for liveness properties. Moreover, it can be applied for searching concrete counterexamples in parameterized
and innite state systems. Success is not always guaranteed  the violation pattern can be too strict, concrete
counterexamples can have a spiral form, or there could be no counterexample at all since the property just
holds on the concrete system. Still, our approach can help in nding counterexamples in those cases when a
data abstraction inuences the order and the number of some actions, e.g. as counter abstractions do.
The approach to generate a violation pattern leaves a certain freedom in the sense that the set of actions to
relax can be more/less restrictive. Tuning the violation pattern or using the expertise of system developers to
pick an appropriate set of actions to relax can be potentially less costly than repeating the abstraction/renement
cycle immediately. More case studies comparing both approaches and trying combinations are still needed.













A B C D
Figure 8: Violation Pattern for PAR
11
References
1. S. C. C. Blom, W. J. Fokkink, J. F. Groote, I. A. van Langevelde, B. Lisser, and J. C. van de Pol. µCRL:
a toolset for analysing algebraic specications. In G. Berry, H. Comon, and A. Finkel, editors, 13th
International Conference on Computer Aided Verication, volume 2102 of Lecture Notes in Computer
Science, pages 250254. Springer-Verlag, 2001.
2. S. C. C. Blom, N. Ioustinova, and N. Sidorova. Timed verication with µCRL. In M. Broy and A. Zamulin,
editors, Proc. of the 5th Int. Conf. Perspectives of System Informatics, volume 2890 of Lecture Notes in
Computer Science, pages 178192. Springer, 2003.
3. D. Bosnacki, N. Ioustinova, and N. Sidorova. Using fairness to make abstractions work. In S. Graf and
L. Mounier, editors, Proc. of the 11th Int. Spin Workshop on Model Checking of Software, volume 2989 of
Lecture Notes in Computer Science, pages 198215. Springer, 2004.
4. P. Brisset, H. E. Sakkout, T. Fr¤uhwirth, C. Gervet, W. Harvey, M. Meier, S. Novello, T. L. Provost,
J. Schimpf, K. Shen, and M. Wallace. ECLIPSe Constraint Library Manual, version 5.9 edition, May
2006. http://eclipse.crosscoreop.com/eclipse/doc/libman.pdf.
5. E. M. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith. Counterexample-guided abstraction renement
for symbolic model checking. J. ACM, 50(5):752794, 2003.
6. E. M. Clarke, O. Grumberg, and D. E. Long. Model checking and abstraction. ACM Trans. Program.
Lang. Syst., 16(5):15121542, 1994.
7. P. Cousot and R. Cousot. Abstract interpretation: a unied lattice model for static analysis of programs by
construction or approximation of xpoints. In POPL ’77: Proceedings of the 4th ACM SIGACT-SIGPLAN
symposium on Principles of programming languages, pages 238252, New York, NY, USA, 1977. ACM
Press.
8. D. Dams. Abstract Interpretation and Partition Renement for Model Checking. PhD dissertation, Eind-
hoven University of Technology, July 1996.
9. D. Dams and R. Gerth. The bounded retransmission protocol revisited. Electronic Notes in Theoretical
Computer Science, 9:26, 1999.
10. D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems. ACM Transactions on
Programming Languages and Systems (TOPLAS), 19(2):253291, 1997.
11. D. Giannakopoulou. Model Checking for Concurrent Software Architectures. PhD thesis, Imperial College
of Science Technology and Medicine, University of London, March 1999.
12 References
12. S. Graf and H. Sa¤di. Construction of abstract state graphs with pvs. In O. Grumberg, editor, CAV, volume
1254 of Lecture Notes in Computer Science, pages 7283. Springer, 1997.
13. J. F. Groote. The syntax and semantics of timed µCRL. SEN R9709, CWI, Amsterdam, 1997.
14. J. F. Groote, A. Ponse, and Y. S. Usenko. Linearization in parallel pCRL. Journal of Logic and Algebraic
Programming, 48(1-2):3972, 2001.
15. O. Grumberg, F. Lerda, O. Strichman, and M. Theobald. Proof-guided underapproximation-widening for
multi-process systems. In J. Palsberg and M. Abadi, editors, POPL, pages 122131. ACM, 2005.
16. N. Ioustinova. Abstractions and Static Analysis for Verifying Reactive Systems. PhD thesis, Free University
of Amsterdam, 2004.
17. Y. Lakhnech, S. Bensalem, S. Berezin, and S. Owre. Incremental verication by abstraction. In Margaria
and Yi [19], pages 98112.
18. C. Loiseaux, S. Graf, J. Sifakis, A. Bouajjani, and S. Bensalem. Property preserving abstractions for the
verication of concurrent systems. Formal Methods in System Design, 6(1):1144, 1995.
19. T. Margaria and W. Yi, editors. TACAS 2001, volume 2031 of Lecture Notes in Computer Science. Springer,
2001.
20. K. Marriott and P. J. Stuckey. Programming with Constraints  An Introduction. MIT Press, Cambridge,
1998.
21. G. Pace, N. Halbwachs, and P. Raymond. Counter-example generation in symbolic abstract model-
checking. Int. J. Softw. Tools Technol. Transf., 5(2):158164, 2004.
22. C. S. Pasareanu, M. B. Dwyer, and W. Visser. Finding feasible counter-examples when model checking
abstracted java programs. In Margaria and Yi [19], pages 284298.
23. C. S. Pasareanu, R. Pel·anek, and W. Visser. Concrete model checking with abstract matching and re-
nement. In K. Etessami and S. K. Rajamani, editors, CAV, volume 3576 of Lecture Notes in Computer
Science, pages 5266. Springer, 2005.
24. N. Sidorova and M. Steffen. Embedding chaos. In P. Cousot, editor, Proc. 8th International Static Analysis
Symposium, volume 2126 of Lecture Notes in Computer Science, pages 319334. Springer-Verlag, 2001.
25. A. S. Tanenbaum. Computer Networks. Prentice Hall International, Inc., 1981.
A. µCRL Specification of PAR 13
A. µCRL SPECIFICATION OF PAR
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%






and: Bool#Bool -> Bool
or: Bool#Bool -> Bool
10 not: Bool -> Bool
if: Bool#Bool#Bool -> Bool
eq: Bool#Bool -> Bool































S: Nat -> Nat % 2n+1
50 map
eq: Nat#Nat -> Bool
succ: Nat -> Nat % n+1
pred: Nat -> Nat % n-1 (partial)
55 gt: Nat#Nat -> Bool % greater than












70 pred(S(n))=n % (2n+1)-1=2n+2
pred(0)=0 % (2n+2)-1=2n+1
if(T,n,m)=n if(F,n,m)=m if(b,n,n)=n if(not(b),n,m)=if(b,m,n)
75
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%








85 next: Msg -> Msg









95 intonat(msg3) = S(S(S(0)))
eq(n,m) = eq(intonat(n), intonat(m))
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

















%%% actions and communication %%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
act











130 in:Msg _in:Msg __in:Msg
out:Msg _out:Msg __out:Msg
tick _tick
ack_out_rcv ack_in_ch ack_out_ch ack_in_snd ack_in ack_out







in| _in = __in
out| _out = __out
145 ack_out_rcv | ack_in_ch = ack_out
ack_out_ch | ack_in_snd = ack_in
msg_out_snd | msg_in_ch = msg_out
msg_out_ch | msg_in_rcv = msg_in
150 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%























%%% process msg channel %%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
180 proc Msg_Chan(mrc:Timer)=
















200 %%% process receiver %%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
proc Receiver_Wf(esn:Bool)=
sum(m:Msg, sum(b:Bool , msg_in_rcv(m, b).Receiver_Wf1(m, b, esn)))
+
205 tick.Receiver_Wf(esn)
proc Receiver_Wf1(rm:Msg, rsn:Bool , esn:Bool)=
vfvs.Receiver_Sa1( rsn, rm,esn)<|eq(rsn, esn)|>delta
+
210 vfws.Receiver_Sa(esn)<|not(eq(rsn, esn))|>delta























%%% process environment %%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
proc Env1(had1:Bool ,had2:Bool) =













encap({_in, in, out, _out},
B. Abstracted µCRL Specification of PAR 17
255 rename({_tick->tick},
encap({tick, msg_out_ch , msg_in_rcv , ack_out_ch , ack_in_snd},
rename({_tick->tick},encap({tick , msg_in_ch ,msg_out_snd , mchbusy ,_mchbusy}, Sender_Rh(on
(0),F) || Msg_Chan(off)))
||




|| Env1(F,F) || Env2(F,F)
)
)
B. ABSTRACTED µCRL SPECIFICATION OF PAR
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%






and: Bool#Bool -> Bool
or: Bool#Bool -> Bool
10 not: Bool -> Bool
if: Bool#Bool#Bool -> Bool
eq: Bool#Bool -> Bool































x2p1: Nat -> Nat % 2n+1
50 x2p2: Nat -> Nat % 2n+2
18 Appendix
map




37,38: -> Nat % useful abbreviations
x2p0: Nat -> Nat % 2n
60 succ: Nat -> Nat % n+1
pred: Nat -> Nat % n-1 (partial)
gt: Nat#Nat -> Bool % greater than
if: Bool#Nat#Nat -> Nat
var
65 n,m: Nat b:Bool
rew














85 1=x2p1(0) 2=x2p2(0) % 1=2*0+1 2=2*0+2
3=x2p1(1) 4=x2p2(1) % 3=2*1+1 4=2*1+2







19=x2p1(9) 20=x2p2(9) 29=x2p1(14) 30=x2p2(14)
95 21=x2p1(10) 22=x2p2(10) 31=x2p1(15) 32=x2p2(15)
23=x2p1(11) 24=x2p2(11) 33=x2p1(16) 34=x2p2(16)
25=x2p1(12) 26=x2p2(12) 35=x2p1(17) 36=x2p2(17)
27=x2p1(13) 28=x2p2(13) 37=x2p1(18) 38=x2p2(18)









if(T,n,m)=n if(F,n,m)=m if(b,n,n)=n if(not(b),n,m)=if(b,m,n)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
B. Abstracted µCRL Specification of PAR 19








next: Msg -> Msg
intonat: Msg -> Nat









135 eq(n,m) = eq(intonat(n), intonat(m))
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
































% Simulation of nondeterminism on level of rewrite rules.
pred(known(on(n)))=known(on(pred(n)))
pred(known(off))=known(off)





















195 out:Msg _out:Msg __out:Msg
tick _tick
ack_out_rcv ack_in_ch ack_out_ch ack_in_snd ack_in ack_out





205 mchbusy|_mchbusy = __mchbusy
tick|tick =_tick
in| _in = __in
out| _out = __out
ack_out_rcv | ack_in_ch = ack_out
210 ack_out_ch | ack_in_snd = ack_in
msg_out_snd | msg_in_ch = msg_out
msg_out_ch | msg_in_rcv = msg_in
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
215 %%% process sender %%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


























B. Abstracted µCRL Specification of PAR 21
tick.Sender_Ws(preda(sc),msg,sn)<|not(expire(sc))|>delta
245 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% process msg channel %%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
proc Msg_Chan(mrc:Timer)=


















270 %%% process receiver %%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
proc Receiver_Wf(esn:Bool)=





proc Receiver_Wf1(rm:Msg, rsn:Bool , esn:Bool)=
280 vfvs.Receiver_Sa1( rsn, rm,esn)<|eq(rsn, esn)|>delta
+
vfws.Receiver_Sa(esn)<|not(eq(rsn, esn))|>delta

























%%% process environment %%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
proc Env1(had1:Bool ,had2:Bool) =
in(msg1).Env1(T,F)<|and(eq(had1 ,F),eq(had2 ,F))|>delta
315 +in(msg2).Env1(T,T)<|and(eq(had1 ,T),eq(had2 ,F))|>delta
+in(msg3).Env1(had1 ,had2)





encap({_in, in, out, _out},
325 rename({_tick->tick},
encap({tick, msg_out_ch , msg_in_rcv , ack_out_ch , ack_in_snd},
rename({_tick->tick},encap({tick , msg_in_ch ,msg_out_snd , mchbusy ,_mchbusy}, Sender_Rh(
known(on(0)),F) || Msg_Chan(off)))
||





















































































ack_in % End of cyclic base
D. RULE SYSTEM FOR PAR SPECIFICATION
:-lib(ic).
:-lib(ic_symbolic).

















eq(msg(V0), msg(V1)) :- V0=V1.
eq(nat(V1),nat(V2)):- V1#=V2.
eq(state(V0), state(V0)) :- bool(t).
25 eq(state(one), state(x2p1(state(V0)))) :- bool(f).
eq(state(one), state(x2p0(state(V0)))) :- bool(f).
eq(state(x2p1(state(V0))), state(one)) :- bool(f).
eq(state(x2p0(state(V0))), state(one)) :- bool(f).
eq(state(x2p1(state(V0))), state(x2p0(state(V1)))) :- bool(f).
30 eq(state(x2p0(state(V0))), state(x2p1(state(V1)))) :- bool(f).
eq(state(x2p0(state(V0))), state(x2p0(state(V1)))) :- bool(eq(state(V0), state(V1))).
eq(state(x2p1(state(V0))), state(x2p1(state(V1)))) :- bool(eq(state(V0), state(V1))).
expire(timer(VInt0)) :- VInt0=off, f.
expire(timer(VInt0)) :- VInt0=on(nat(0)).
35 gt(nat(V1),nat(V2)):- V1#>V2.
intonat(msg(VInt0), nat(Result)) :- VInt0=msg1 , Result#=1.
intonat(msg(VInt0), nat(Result)) :- VInt0=msg2 , Result#=2.
intonat(msg(VInt0), nat(Result)) :- VInt0=msg3 , Result#=3.
neq(nat(V1),nat(V2)):- V1#\=V2.
40 neq(state(V0), state(V0)) :- (bool(t)) -> bool(f) ; bool(t).
neq(state(one), state(x2p1(state(V0)))) :- (bool(f)) -> bool(f) ; bool(t).
neq(state(one), state(x2p0(state(V0)))) :- (bool(f)) -> bool(f) ; bool(t).
neq(state(x2p1(state(V0))), state(one)) :- (bool(f)) -> bool(f) ; bool(t).
neq(state(x2p0(state(V0))), state(one)) :- (bool(f)) -> bool(f) ; bool(t).
45 neq(state(x2p1(state(V0))), state(x2p0(state(V1)))) :- (bool(f)) -> bool(f) ; bool(t).
neq(state(x2p0(state(V0))), state(x2p1(state(V1)))) :- (bool(f)) -> bool(f) ; bool(t).
neq(state(x2p0(state(V0))), state(x2p0(state(V1)))) :- (bool(eq(state(V0), state(V1)))) ->
bool(f) ; bool(t).
neq(state(x2p1(state(V0))), state(x2p1(state(V1)))) :- (bool(eq(state(V0), state(V1)))) ->
bool(f) ; bool(t).
next(msg(VInt0), msg(Result)) :- VInt0=msg1 , Result=msg2.
50 next(msg(VInt0), msg(Result)) :- VInt0=msg2 , Result=msg3.
next(msg(VInt0), msg(Result)) :- VInt0=msg3 , Result=msg1.
ngt(nat(V1),nat(V2)):- V1#=<V2.
pred(nat(VInt0), nat(Result)) :- VInt0#=1+V0, Result#=V0.
pred(nat(VInt0), nat(Result)) :- VInt0#=0, Result#=0.
55 pred(timer(VInt0), timer(Result)) :- VInt0=on(nat(V0)), Result=on(nat(VInt1)), pred(nat(V0
), nat(VInt1)).
pred(timer(VInt0), timer(Result)) :- VInt0=off, Result=off.
succ(nat(VInt0), nat(Result)) :- VInt0#=0, Result#=1.

































































)),local(msg(Vmsg),bool(Vsn))) :- V4=on(nat(VInt0)), VInt0#=2, V3=x2p0(state(one)), V2




















































































D. Rule System for PAR specification 27
:- pred(timer(Varc), timer(V11)), V10=x2p0(state(one)), V9=msg3 , V8=f, V7=x2p0(state(
x2p0(state(one)))), V6=f, V5=msg3 , V4=off, V3=x2p1(state(one)), V2=off, pred(timer(Vsc)










:- V11=off, V10=x2p1(state(one)), V9=msg3 , V8=f, V7=x2p0(state(x2p0(state(one)))), V6=











pred(timer(Varc), timer(V9)), V8=x2p0(state(one)), V7=msg3 , V6=f, V5=x2p0(state(x2p0(
state(one)))), pred(timer(Vmrc), timer(V4)), V3=x2p0(state(one)), V2=off, pred(timer(










V9=off, V8=x2p1(state(one)), V7=msg3 , V6=f, V5=x2p0(state(x2p0(state(one)))), pred(











:- pred(timer(Varc), timer(V11)), V10=x2p0(state(one)), V9=msg3 , V8=f, V7=x2p0(state(
x2p0(state(one)))), V6=f, V5=msg3 , V4=off, V3=x2p1(state(one)), pred(timer(Vt), timer(










:- V11=off, V10=x2p1(state(one)), V9=msg3 , V8=f, V7=x2p0(state(x2p0(state(one)))), V6=












pred(timer(Varc), timer(V9)), V8=x2p0(state(one)), V7=msg3 , V6=f, V5=x2p0(state(x2p0(
state(one)))), pred(timer(Vmrc), timer(V4)), V3=x2p0(state(one)), pred(timer(Vt), timer










V9=off, V8=x2p1(state(one)), V7=msg3 , V6=f, V5=x2p0(state(x2p0(state(one)))), pred(











:- pred(timer(Varc), timer(V12)), V11=x2p0(state(one)), V10=msg3 , V9=f, V8=x2p0(state(
x2p0(state(one)))), V7=f, V6=msg3 , V5=off, V4=x2p1(state(one)), V3=msg3 , V2=off, pred(











:- V12=off, V11=x2p1(state(one)), V10=msg3 , V9=f, V8=x2p0(state(x2p0(state(one)))), V7











pred(timer(Varc), timer(V10)), V9=x2p0(state(one)), V8=msg3 , V7=f, V6=x2p0(state(x2p0
(state(one)))), pred(timer(Vmrc), timer(V5)), V4=x2p0(state(one)), V3=msg3 , V2=off,












V10=off, V9=x2p1(state(one)), V8=msg3, V7=f, V6=x2p0(state(x2p0(state(one)))), pred(



















local) :- V6=off, V5=x2p1(state(one)), not(bool(Vsn),bool(V4)), V3=msg3 , V2=off, V1=on
(nat(VInt0)), VInt0#=0, V0=x2p0(state(x2p0(state(one)))), bool(and(bool(eq(state(Vs0),
state(x2p0(state(one))))),bool(eq(state(Vs3),state(one))))).







5 s0(Global ,data ,Trace):- in(Global ,GlobalPrime ,local(msg(msg1))),s1(GlobalPrime ,data ,[["in(
msg1)",s1]|Trace]).
s1(Global ,data ,Trace):- out(Global ,GlobalPrime ,local(msg(msg1))),s2(GlobalPrime ,data ,[["out
(msg1)",s2]|Trace]).
s1(Global ,data ,Trace):- msg_out(Global ,GlobalPrime ,local(msg(msg1),bool(f))), s1(
GlobalPrime ,data ,[["msg_out(msg1 ,f)",s1]|Trace]).
s1(Global ,data ,Trace):- tick(Global ,GlobalPrime ,local), s1(GlobalPrime ,data ,[["tick",s1]|
Trace]).
10 s1(Global ,data ,Trace):- mdelay(Global ,GlobalPrime ,local), s1(GlobalPrime ,data ,[["mdelay",s1
]|Trace]).
s1(Global ,data ,Trace):- msg_in(Global ,GlobalPrime ,local(msg(msg1),bool(f))), s1(GlobalPrime
,data ,[["msg_in(msg1 ,f)",s1]|Trace]).
s1(Global ,data ,Trace):- vfvs(Global ,GlobalPrime ,local), s1(GlobalPrime ,data ,[["vfvs",s1]|
Trace]).
s2(Global ,data ,Trace):- in(Global ,GlobalPrime ,local(msg(msg2))),s3(GlobalPrime ,data ,[["in(
msg2)",s3]|Trace]).
15 s2(Global ,data ,Trace):- ack_out(Global ,GlobalPrime ,local), s2(GlobalPrime ,data ,[["ack_out",
s2]|Trace]).
s2(Global ,data ,Trace):- tick(Global ,GlobalPrime ,local), s2(GlobalPrime ,data ,[["tick",s2]|
Trace]).
s2(Global ,data ,Trace):- adelay(Global ,GlobalPrime ,local), s2(GlobalPrime ,data ,[["adelay",s2
]|Trace]).
s2(Global ,data ,Trace):- retransmit(Global ,GlobalPrime ,local), s2(GlobalPrime ,data ,[["
retransmit",s2]|Trace]).
30 Appendix
s2(Global ,data ,Trace):- msg_out(Global ,GlobalPrime ,local(msg(msg1),bool(f))), s2(
GlobalPrime ,data ,[["msg_out(msg1 ,f)",s2]|Trace]).
20 s2(Global ,data ,Trace):- ack_in(Global ,GlobalPrime ,local), s2(GlobalPrime ,data ,[["ack_in",s2
]|Trace]).
s3(Global ,data ,Trace):- in(Global ,GlobalPrime ,local(msg(msg3))),s4(GlobalPrime ,data ,[["in(
msg3)",s4]|Trace]).
s3(Global ,data ,Trace):- mchbusy(Global ,GlobalPrime ,local),s3(GlobalPrime ,data ,[["__mchbusy"
,s3]|Trace]).
s3(Global ,data ,Trace):- tick(Global ,GlobalPrime ,local),s3(GlobalPrime ,data ,[["tick",s3]|
Trace]).
25 s3(Global ,data ,Trace):- mdelay(Global ,GlobalPrime ,local),s3(GlobalPrime ,data ,[["mdelay",s3
]|Trace]).
s3(Global ,data ,Trace):- msg_in(Global ,GlobalPrime ,local(msg(msg1),bool(f))),s3(GlobalPrime ,
data ,[["msg_in(msg1,f)",s3]|Trace]).
s3(Global ,data ,Trace):- msg_out(Global ,GlobalPrime ,local(msg(msg2),bool(t))),s3(GlobalPrime
,data ,[["msg_out(msg2 ,t)",s3]|Trace]).
s3(Global ,data ,Trace):- vfws(Global ,GlobalPrime ,local),s3(GlobalPrime ,data ,[["vfws",s3]|
Trace]).
s3(Global ,data ,Trace):- ack_out(Global ,GlobalPrime ,local),s3(GlobalPrime ,data ,[["ack_out",
s3]|Trace]).
30 s3(Global ,data ,Trace):- adelay(Global ,GlobalPrime ,local),s3(GlobalPrime ,data ,[["adelay",s3
]|Trace]).
s3(Global ,data ,Trace):- ack_in(Global ,GlobalPrime ,local),s3(GlobalPrime ,data ,[["ack_in",s3
]|Trace]).
s4(Global ,data ,Trace):- ack_in(Global ,GlobalPrime ,local), s5(GlobalPrime ,data ,[["ack_in",s5
]|Trace]).
s4(Global ,data ,Trace):- mlose(Global ,GlobalPrime ,local), s4(GlobalPrime ,data ,[["mlose",s4]|
Trace]).
35 s4(Global ,data ,Trace):- msg_out(Global ,GlobalPrime ,local(msg(msg3),bool(f))), s4(
GlobalPrime ,data ,[["msg_out(msg3 ,f)",s4]|Trace]).
s4(Global ,data ,Trace):- tick(Global ,GlobalPrime ,local), s4(GlobalPrime ,data ,[["tick",s4]|
Trace]).
s4(Global ,data ,Trace):- mdelay(Global ,GlobalPrime ,local), s4(GlobalPrime ,data ,[["mdelay",s4
]|Trace]).
s4(Global ,data ,Trace):- msg_in(Global ,GlobalPrime ,local(msg(msg3),bool(f))), s4(GlobalPrime
,data ,[["msg_in(msg3 ,f)",s4]|Trace]).
s4(Global ,data ,Trace):- vfws(Global ,GlobalPrime ,local), s4(GlobalPrime ,data ,[["vfws",s4]|
Trace]).
40 s4(Global ,data ,Trace):- ack_out(Global ,GlobalPrime ,local), s4(GlobalPrime ,data ,[["ack_out",
s4]|Trace]).
s4(Global ,data ,Trace):- adelay(Global ,GlobalPrime ,local), s4(GlobalPrime ,data ,[["adelay",s4
]|Trace]).
s5(Global ,data ,Trace):- write(Global),nl,write("----------"),nl,assert(cyclic_state(Global)
),in(Global ,GlobalPrime ,local(msg(msg3))),s6(GlobalPrime ,data ,[["in(msg3)",s6]|Trace]).
45 s6(Global ,data ,Trace):- out(Global ,GlobalPrime ,local(msg(msg3))),s7(GlobalPrime ,data ,[["out
(msg3)",s7]|Trace]).
s6(Global ,data ,Trace):- msg_out(Global ,GlobalPrime ,local(msg(msg3),bool(t))), s6(
GlobalPrime ,data ,[["msg_out(msg3 ,t)",s6]|Trace]).
s6(Global ,data ,Trace):- tick(Global ,GlobalPrime ,local), s6(GlobalPrime ,data ,[["tick",s6]|
Trace]).
s6(Global ,data ,Trace):- mdelay(Global ,GlobalPrime ,local), s6(GlobalPrime ,data ,[["mdelay",s6
]|Trace]).
s6(Global ,data ,Trace):- msg_in(Global ,GlobalPrime ,local(msg(msg3),bool(t))), s6(GlobalPrime
,data ,[["msg_in(msg3 ,t)",s6]|Trace]).
50 s6(Global ,data ,Trace):- vfvs(Global ,GlobalPrime ,local), s6(GlobalPrime ,data ,[["vfvs",s6]|
Trace]).
s7(Global ,data ,Trace):- in(Global ,GlobalPrime ,local(msg(msg3))),s8(GlobalPrime ,data ,[["in(
msg3)",s8]|Trace]).
s7(Global ,data ,Trace):- ack_out(Global ,GlobalPrime ,local), s7(GlobalPrime ,data ,[["ack_out",
F. Prolog Solution: Concrete Counterexample 31
s7]|Trace]).
s7(Global ,data ,Trace):- tick(Global ,GlobalPrime ,local), s7(GlobalPrime ,data ,[["tick",s7]|
Trace]).
55 s7(Global ,data ,Trace):- adelay(Global ,GlobalPrime ,local), s7(GlobalPrime ,data ,[["adelay",s7
]|Trace]).
s7(Global ,data ,Trace):- ack_in(Global ,GlobalPrime ,local), s7(GlobalPrime ,data ,[["ack_in",s7
]|Trace]).
s8(Global ,data ,Trace):- out(Global ,GlobalPrime ,local(msg(msg3))),s9(GlobalPrime ,data ,[["out
(msg3)",s9]|Trace]).
s8(Global ,data ,Trace):- msg_out(Global ,GlobalPrime ,local(msg(msg3),bool(f))), s8(
GlobalPrime ,data ,[["msg_out(msg3 ,f)",s8]|Trace]).
60 s8(Global ,data ,Trace):- tick(Global ,GlobalPrime ,local), s8(GlobalPrime ,data ,[["tick",s8]|
Trace]).
s8(Global ,data ,Trace):- mdelay(Global ,GlobalPrime ,local), s8(GlobalPrime ,data ,[["mdelay",s8
]|Trace]).
s8(Global ,data ,Trace):- msg_in(Global ,GlobalPrime ,local(msg(msg3),bool(f))), s8(GlobalPrime
,data ,[["msg_in(msg3 ,f)",s8]|Trace]).
s8(Global ,data ,Trace):- vfvs(Global ,GlobalPrime ,local), s8(GlobalPrime ,data ,[["vfvs",s8]|
Trace]).




s9(Global ,data ,Trace):- ack_out(Global ,GlobalPrime ,local), s9(GlobalPrime ,data ,[["ack_out",
s9]|Trace]).
s9(Global ,data ,Trace):- tick(Global ,GlobalPrime ,local), s9(GlobalPrime ,data ,[["tick",s9]|
Trace]).
s9(Global ,data ,Trace):- adelay(Global ,GlobalPrime ,local), s9(GlobalPrime ,data ,[["adelay",s9
]|Trace]).
70




75 printtrace([A|B]) :- printtrace(B),!,printcombo(A).
printcombo(["<init >",S]) :- write(S),!.
printcombo([L,S]) :- write(" ->("), write(L), write(") "), write(S), nl, write(S).




global(state(x2p0(state(x2p0(state(one))))), timer(on(nat(0))), timer(off), msg(msg3), bool
(t), state(x2p1(state(one))), timer(off), msg(msg3), bool(f), state(x2p0(state(x2p0(
state(one))))), bool(f), msg(msg3), bool(t), state(x2p1(state(one))), timer(off), bool(
t), bool(t), bool(t), bool(f))
5 ----------
global(state(x2p0(state(x2p0(state(one))))), timer(on(nat(0))), timer(off), msg(msg3), bool
(t), state(x2p1(state(one))), timer(off), msg(msg3), bool(f), state(x2p0(state(x2p0(
state(one))))), bool(f), msg(msg3), bool(t), state(x2p1(state(one))), timer(off), bool(
t), bool(t), bool(t), bool(f))
----------
s0 ->(in(msg1)) s1
s1 ->(msg_out(msg1 ,f)) s1
10 s1 ->(tick) s1
s1 ->(tick) s1
s1 ->(mdelay) s1
s1 ->(msg_in(msg1 ,f)) s1
s1 ->(vfvs) s1






20 s2 ->(retransmit) s2








s3 ->(msg_in(msg1 ,f)) s3














s4 ->(msg_in(msg3 ,f)) s4





50 s4 ->(ack_in) s5
s5 ->(in(msg3)) s6
s6 ->(msg_out(msg3 ,t)) s6
s6 ->(tick) s6
s6 ->(tick) s6
55 s6 ->(mdelay) s6













s8 ->(msg_in(msg3 ,f)) s8





75 s9 ->(adelay) s9
s9 ->(ack_in) s10
s10
Yes (0.16s cpu, solution 1, maybe more) ? _
