Abstract. We describe a computer-aided verification system which combines deductive with algorithmic (model-checking) verification methods. The system, called tlv (for temporal verification system), is constructed as an additional layer superimposed on top of the cmu smv system, and can verify finite-state systems relative to linear temporal logic (ltl) as well as ctl specifications. The systems to be verified can be either hardware circuits written in the smv design language or finite-state reactive programs written in a simple programming language (spl). The paper presents a common computational model which can support these two types of applications and a high-level interactive language, tlv-Basic, in which temporal verification rules, proofs, and complex assertions can be written. We illustrate the efficiency and generality gained by combining deductive with algorithmic techniques on several examples, culminating in the verification of fragments of the Futurebus+ system. In the analysis of the Futurebus+ system, we even managed to detect a bug that was not discovered in a previous model-checking analysis of this system.
Introduction
As part of the general program for combining deductive with algorithmic methods for the verification of reactive systems (see [Man94] for a declaration of this manifesto, and [RSS95] for an important contribution in this direction), we constructed a computer-aided verification system, called tlv (a Temporal Logic Verifier), for experimenting with some of these ideas.
Compared to algorithmic verification (model checking), deductive verification is handicapped by its need for user interaction, which requires a good understanding of the program, a certain degree of creativity, and considerable skill. Therefore, any proposal for replacing algorithmic methods with deductive methods, or even combining the two, must be accompanied by an analysis of the expected gains from such a combination.
The main conceived advantages of combining deduction with model checking are:
proof. In comparison, model checking can only examine the systems for particular values of N.
2. Efficiency of Deduction: Most of the model-checking algorithms are based on computation of the closure of the transition relation, which is applied either to the initial state or to some target states. This is an iterative process that may take a large number of steps to converge. In comparison, in the deductive verification of the same property, we only have to check the two implications Θ → p and ρ ∧ p → p′, where Θ is an assertion characterizing the initial condition and ρ is the transition relation. It stands to reason that checking these implications takes less time and requires smaller bdds than the iterative computation of the closure.
3. Constrained model checking: A possible way of combining deduction with model checking is to use deduction to establish the invariance of an assertion φ. Then, we can carry out regular model checking but use φ to restrict the range of considered states. This amounts to model checking with the transition relation φ ∧ ρ instead of the original ρ.

The tlv system described here has been constructed on top of the cmu smv system, which supports verification of ctl specifications of finite-state systems ([BCM+92], [McM93]). tlv uses the bdd library and the smv input language parser from smv. The model-checking algorithms were replaced by a layer which consists of a high-level interactive language, to which we refer as tlv-Basic. The main data structure of tlv-Basic is a quantifier-free assertion, obeying the smv syntax for state-formulas, and represented internally by a bdd.
The tlv-Basic language is used for three purposes. Temporal verification rules, such as the basic invariance rule binv and the single-step response rule resp, as well as algorithms for model-checking invariance and response properties, are written as tlv-Basic procedures. For each particular system to be verified, the user usually prepares a proof script file which contains definitions of the assertions used in the property to be verified. The interactive dialog with the user is carried out in a restricted subset of tlv-Basic.
The main running example and one of the motivating drives for our system is the Futurebus+ system considered in [CGH+93]. That paper presented an smv model for the Futurebus+ system and established several properties of the model, using the model-checking techniques of smv. We considered it an interesting challenge to see whether the same properties can be verified using deductive techniques, and to compare the efficiency and effectiveness of the two methods.
At its current state of implementation, the tlv system cannot yet handle variable-size systems, where the system size is not fixed at analysis time. Therefore, we cannot yet demonstrate uniform proofs of such parameterized systems, and all the examples presented in this paper relate to specific values of the size parameter. To compensate for this temporary deficiency, we developed methods by which the deductive proof of a parametric system can itself be parameterized, so that running a deduction for different values of the size parameter n only requires modifying a line in the proof script file from "n = 20" to, say, "n = 40." In particular, we developed a special format by which one can specify an arbitrary configuration of Futurebus+ and automatically generate the proof appropriate for this configuration. Details about these instantiation mechanisms are given in [PS96].
Many approaches to the deductive verification of reactive systems and hardware circuits have been proposed over the years, accompanied by systems supporting their automation. Examples of applications to hardware verification are the methods described in [Gor86] and [ORSS94]. An effective system for the deductive verification of linear temporal logic properties of reactive programs is reported in [MAB+94].
There have also been several approaches which combine deductive and algorithmic verification methods. The work in [JS93] combines the HOL theorem prover with the Voss system. Another combination of methodologies is reported in [KL93], where tlp, the proof checker for tla, the temporal logic of actions, is combined with the cospan verifier. Perhaps closest to our work is [RSS95], which embeds symbolic model checking into the pvs higher-order prover.
The unique feature of our approach is that it is built as the minimal extension of an existing symbolic model checking system (smv) needed in order to handle parametric systems. The specification language and associated deductive verification approach are based on linear temporal logic [MP95]. At present, the only deductive machinery we employ is provided by the bdd capabilities of the underlying smv system.

The rest of the paper is organized as follows. In Section 2 we present the underlying computational model and its relation to the fts model of [MP95]. In Section 3, we describe the languages that can serve as inputs to the tlv system. These include the tlv-Basic language in which verification rules, model-checking procedures, and proof scripts are written; the smv input language used to specify systems; and the spl language used to describe simple reactive programs [MP95]. In Section 4, we present some of the verification rules supported by the system. Section 5 presents several simple examples of deductive and combined verification, comparing their efficiency with standard model-checking verification of the same properties. In Section 6, we present our main case study, the Futurebus+ verification, and identify the bug that has escaped previous model-checking analysis.
The Computational Model
As an underlying computational model, we adopt the notion of an always-enabled fair transition system (ets in then i is taken at φ_i-positions infinitely many times. The main differences between the fts and ets models are the ets requirement that transitions be always enabled, and the implications this requirement has on the requirements of justice and compassion.
The reason for this difference is that the natural smv representation of transition relations, in particular those which result from spl programs, is such that the transition can always be taken. Under the circumstances in which the corresponding fts transition would be disabled, the ets transition is still enabled but has no effect on the system variables, i.e., it changes the value of no system variable.
An fts is called a leisurely fair transition system (lfts) if the idling transition is contained in its justice set. Thus, every computation of an lfts contains infinitely many idling steps, i.e., steps which preserve the values of all system variables. Obviously, every fts has a corresponding lfts, such that the two are equivalent up to stuttering.
The following claim shows that no expressive power is lost in moving from the fts model into the ets model.
Claim 1 A set of models S is the set of computations of an ets iff it is the set of computations of some lfts.
In [PS96], we provide a proof of this claim.
3 The Languages of tlv
3.1 The smv Input Language
Systems to be verified by tlv are described using the smv input language [McM93], which has been slightly extended to allow for the richer set of fairness requirements associated with the ets model. In Fig. 1, we present file sem.smv, which contains the smv description of a mutual exclusion algorithm mux-sem, which implements mutual exclusion by semaphores. Note that, as is standard in our applications, we do not use the FAIR or SPEC declarations but introduce instead JUSTICE or COMPASSION declarations, wherever necessary.
Fig. 1 (fragment): MODULE main VAR y : boolean; --the semaphore variable. It is assigned by both processes.
Such an smv specification is input into the tlv system, which internally creates the ets corresponding to the specification. In general, there will be one ets transition for each process. Thus, in the mux-sem.smv example, the system will generate an ets with two transitions, one corresponding to each process. The justice requirement requests that each of the two processes be activated infinitely many times in every computation of this ets.
The spl Input Language
While direct coding of hardware circuits in the smv input language is a practice to which experienced users of the smv system have resigned themselves, we can offer a higher description level for applications to reactive programming. To represent reactive programs, we adopted the simple programming language (spl) introduced in [MP91]. We refer the reader to [MP91] or [MP95] for details of this language. In Fig. 2, we present an spl program for the mux-sem algorithm.
Here, we consider the instance n = 2 of this generic program. On reading the spl file with the additional definition n := 2, the system first translates it into the smv representation, presented in Fig.
tlv-Basic
The tlv-Basic language is easy to learn and simple to program with. It is used to program rules, model-checking algorithms, and compute assertions. The main (and only) data structure is a function with boolean arguments and integer range. As such, it can represent integers, booleans (a function with range {0, 1}), and assertions, which are represented as boolean functions. The underlying implementation is a bdd, which is manipulated using the smv bdd library. Expressions in the language are constructed out of integer constants and variables, to which we apply integer operations, integer comparisons, and all the boolean and quantifying operators available in the smv language.
There are no variable declarations. As in basic, variables are created dynamically, whenever they are assigned values or mentioned as parameters of a procedure. In addition, all the variables defined in an smv input file which is loaded into the system can be referenced within tlv-Basic expressions.
Load "file-name" | Load file file-name into the system. The loaded file can be a rules file or a proof script file.
Run proc-name par_1, ..., par_n | Invoke procedure proc-name with the given actual parameters.
The last two statements are the main commands that are used in interactive mode.
In Fig. 3 we present a tlv-Basic proof script which computes the assertion it is only necessary to change the first statement in this file to Let n := 11.
Verification Rules
The tlv system comes equipped with a set of deductive verification rules as well as various model-checking algorithms. As previously explained, these rules are implemented using the tlv-Basic language. This means that a sophisticated user can easily modify any of the existing rules, as well as write new ones.
In Fig. 4, we present the two verification rules that have been used for verifying the examples presented in this paper.
Simple Verification Examples
In this section we illustrate the use of the tlv system for the verification of several simple examples taken from [MP95].
Program mux-sem
In Fig. 2, we presented the general mux-sem program parameterized by n. Fig. 1 illustrated its smv translation for the case n = 2. The main safety property of this program can be specified by the invariance of assertion mux presented above. Direct application of rule binv failed (and produced a counter-example). In the terminology of [MP95], this means that assertion mux is invariant but not inductive, i.e., it does not carry sufficient information to rule out inaccessible states. The standard remedy is to strengthen assertion mux by additional invariants, which will exclude such states.
Indeed, our next step in the verification process was to formulate the auxiliary invariant assertion This experimentation was carried out for the low value of n = 2. However, once the strategy was established, we prepared a proof script for computing the conjunction mux & phi and can now run the verification for various values of n, changing only the value of the parameter between successive runs.
To compare the time and space complexity of conventional model checking and the deductive approach, we plot in Fig. 5 the time and space complexity of verifying the invariance of assertion mux by the two approaches for an increasing number of processes in program mux-sem. The line labeled smv represents the conventional model-checking approach, while the line labeled tlv represents the deductive approach. Using these strengthening invariants, assertion mux has been proven an invariant of program res-sv.
In Fig. 7, we plot the time and space complexity of verifying the invariance of assertion mux over program res-sv as a function of the number of processes. Again, the conventional model-checking and deductive approaches are compared.
Constrained Model Checking
In addition to the purely deductive approach, we also implemented and tested a mixed (or combined) approach, in which we use deductively derived invariants to restrict the range of the transition relation when computing the backwards closure usually employed in model checking invariance properties.
We considered again program res-sv but used the deductive approach to verify only the first two invariants in the list: φ_1[i] and φ_2[i]. These are very simple invariants, which can be discovered automatically by various heuristics (as explained in [MP95]). At this point we ceased using deductive methods, and invoked a special model-checking procedure cmcinv, written in tlv-Basic, with a constraint parameter, which is the conjunction of φ_1[i] and φ_2[i]. This procedure performs the regular backwards closure computation, but eliminates all states which do not satisfy the given constraint.
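As an added example (not code from the paper or from tlv itself), the following Python script models the ets of program mux-sem and runs both rule binv of Section 4 and the constrained backward closure of procedure cmcinv described above, using explicit sets of state tuples where tlv would use bdds. The program encoding (locations N, T, C per process and a boolean semaphore y) and the strengthening invariant phi, stating that y plus the number of critical processes equals 1, are assumptions of the example; it shows that mux alone is not inductive while mux ∧ phi is, and that a backward closure constrained by phi terminates before its first iteration.

```python
from itertools import product

N, T, C = 0, 1, 2  # locations of a process: noncritical, trying, critical

def states(n):
    """All states (y, loc_1, ..., loc_n), reachable or not. Explicit sets of
    tuples stand in here for the bdds that tlv manipulates (an assumption)."""
    return {(y,) + locs for y in (0, 1) for locs in product((N, T, C), repeat=n)}

def step(s, i):
    """ets transition of process i: always enabled, a no-op when blocked."""
    y, locs = s[0], list(s[1:])
    if locs[i] == N:
        locs[i] = T                # enter the trying section
    elif locs[i] == T and y == 1:
        locs[i], y = C, 0          # request the semaphore and enter
    elif locs[i] == C:
        locs[i], y = N, 1          # leave and release the semaphore
    return (y,) + tuple(locs)

def theta(s): return s[0] == 1 and all(l == N for l in s[1:])   # initial condition
def mux(s):   return sum(l == C for l in s[1:]) <= 1             # mutual exclusion
def phi(s):   return s[0] + sum(l == C for l in s[1:]) == 1      # strengthening invariant

def binv(n, p):
    """Rule binv: check Theta -> p and (p & rho) -> p' over every state.
    Returns None when p is inductive, otherwise the first counterexample."""
    for s in sorted(states(n)):
        if theta(s) and not p(s):
            return ("init", s)
        if p(s):
            for i in range(n):
                if not p(step(s, i)):
                    return ("step", s, step(s, i))
    return None

def cmcinv(n, p, constraint=lambda s: True):
    """Backward closure from the states violating p, keeping only states that
    satisfy the constraint (plain model checking when no constraint is given).
    Returns (p holds, number of closure iterations, size of the closure)."""
    all_s = states(n)
    bad = {s for s in all_s if not p(s) and constraint(s)}
    iters = 0
    while True:
        pre = {s for s in all_s if constraint(s)
               and any(step(s, i) in bad for i in range(n))}
        if pre <= bad:   # closure reached: p holds iff no initial state is bad
            return not any(theta(s) for s in bad), iters, len(bad)
        bad |= pre
        iters += 1

if __name__ == "__main__":
    print("binv(mux):       ", binv(2, mux))                          # counterexample
    print("binv(mux & phi): ", binv(2, lambda s: mux(s) and phi(s)))  # None
    print("mc(mux):         ", cmcinv(3, mux))
    print("cmc(mux | phi):  ", cmcinv(3, mux, phi))
```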
In Fig. 8, we present plots of time and space complexity which compare regular model checking with constrained model checking for program res-sv. The line representing constrained model checking is labeled cmc, as compared to regular model checking, which is labeled mc. Both were performed by appropriate tlv-Basic procedures.

The IEEE Futurebus+ protocol specification is a technology-independent protocol for single-bus and multiple-bus multiprocessor systems. Part of this standard is the cache coherence protocol, designed to work in a hierarchically structured multiple-bus system. Coherence is maintained by having the caches observe all bus transactions. Coherence across buses is maintained using bus bridges. A bus bridge is a memory agent/cache agent pair, each of them on a different bus, which can communicate. The memory agent represents the memory on its bus. The cache agent represents all the remote caches, i.e., the caches on the bus of the corresponding memory agent, which may need to get access to the cache line via the bus bridge.
The protocol defines various transactions which let caches on a bus obtain readable and writable copies of cache lines. A cache line is a series of consecutive memory locations that is treated as a unit for coherence purposes.
We refer the reader to [CGH+93] for additional explanations and details about the smv coding of the Futurebus+.
Specifying and verifying Cache Coherence
The following specifications are the ones which were proved in [CGH+93]. We repeated their verification using deductive methods. There are four classes of safety properties and one class of liveness properties.
The first class of safety properties is used to check that no device ever observes an illegal combination of bus signals or an unexpected transaction. for each pair of caches p1 and p2. p1:writable is true when p1 is in the exclusive-modified state. Similarly, p2:readable is true when p2 is not in the invalid state.
The consistency property requires that if two caches have copies of a cache line, then they agree on the data in that line:
AG (p1:readable ∧ p2:readable → p1:data = p2:data)
The memory consistency property is similar to the consistency property. It specifies that any cache line that has a readable copy must agree with the memory device on the data:
AG (p1:readable ∧ ¬m:memory-line-modified → p1:data = m:data)
There is only one class of liveness speci cations. It is used to check that it is always possible for a cache to get read and write accesses to a line. In a sense, it says that the model does not get stuck.
AG EF p:readable
AG EF p:writable
All these properties were verified for small configurations, using deductive methods. We refer the reader to [PS96] for details of the inductive assertions that were used.
A Bug was Found
During our verification process, we came across a bug which seems to have escaped the attention of the previous verifiers of this design. In all probability, this is due to the fact that they did not consider the particular configuration in which this bug was lurking. We managed to prove the specifications for this configuration after fixing the bug.

The bug is manifested under the following circumstances. Consider a bus with a memory agent and three processors. We start from a reachable state where all processors have a shared copy of the cache line and the memory agent is in the remote-shared-unmodified-invalid state, which indicates that the current bus has shared copies on it but the memory agent itself does not have a copy. Suppose that processor p1 wants an exclusive copy of the cache line. It issues an invalidate transaction on the bus, which tells all other caches to release their copies of the cache line. However, the other two processors, p2 and p3, choose to split the request, so they continue to hold a shared copy but each owes a response. Eventually, p2 responds and enters an invalid state. The memory agent observes this and enters the remote-exclusive-modified state. This means that the memory agent thinks that p1 already has an exclusive-modified copy but, in fact, p1 and p3 still hold shared copies. When p3 issues a response, the memory agent sets the error flag since, if only one processor has a copy of the cache line, no other processor should owe a response indicating the release of its hold on a shared copy.
