Abstraction for Liveness

Abstract

Unlike model checking which is restricted to finite-state systems, there are two methods which can be applied for the verification of arbitrary infinite-state systems. These are the methods of deductive verification and finitary abstraction (FA). Finitary abstraction is the process which provides an abstraction mapping, mapping a potentially infinite-state system into a finite-state one. After obtaining the finite-state abstraction, we may apply model checking in order to verify the property.

In the talk, we will explore some of the relations between the methods of finitary abstraction and deductive verification. One important connection is the recent proof that finitary abstraction is as powerful as deductive verification, thus establishing the completeness (and universality) of the finitary abstraction method. In order to obtain this result, it was necessary to extend the procedure by allowing augmentation of the verified system with auxiliary variables prior to the application of abstraction. With this extension, it is possible to transform the phenomenon of well-founded descent which is essential for proofs of liveness properties into fairness properties of the finite abstracted system.

Since the proof of completeness of the FA method builds upon the proof of completeness of deductive verification, one may get the false impression that, while being as powerful as deductive verification, FA is not much easier to apply. The focus of the talk is aimed at dispelling this false impression, in particular for the case of liveness properties.

We consider first the case of predicate abstraction, which is a special case of FA. We can view predicate abstraction as an effort to find an inductive assertion, where the user does not know the full form of the assertion but can identify a set of atomic formulas under the conjecture that there exists a useful inductive assertion which is some boolean combination of these atomic formulas. In this case, we let the model checker find for us the correct (and best) boolean combination that yields an inductive assertion. In analogy with this view, we will consider the “augmented finitary abstraction” approach as a situation that the user finds it difficult to formulate a full ranking function, as required by deductive verification, but can identify some components of such a ranking function. In that case, we let the model checker arrange and combine these components into a full liveness proof. In both cases, the method relies on the superior ability of model checkers to exhaustively analyze all the combinations of a finite (but possibly large) set of components.

This is work is based on collaboration with Ittai Balaban, Yonit Kesten, and Lenore Zuck.

This research was supported in part by NSF grant CCR-0205571 and ONR grant N00014-99-1-0131.